Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-2084: How to block unreachable DCs/GCs in AD?

Authentication Service ,  

12 April,16 at 11:12 AM

Applies to: All versions of Centrify DirectControl 4.4.x and above on all supported platforms
Is it possible to prevent Centrify agent (adclient) from connecting to unreachable Domain Controllers (DCs) and GCs (Global Catalog) in AD. Essentially 'blacklist' them?
Yes, please use the dns.block parameter in /etc/centrifydc/centrifydc.conf to block unwanted/unreachable DCs and GCs in AD environment. Run the command adreload for changes to go into effect. For more details, please see page 96 of the below URL for more info or the extract
This configuration parameter specifies the list of domain controllers that should be filtered out when resolving the domain controller to contact through DNS. This configuration parameter enables you to prevent the Centrify DirectControl Agent  (adclient) from attempting to contact domain controllers that are known to be inaccessible, for example, because they reside behind a firewall, or domain controllers that shouldn’t be contacted, for  example, because of their physical location or because they are no longer valid domain controllers for the site. 
The parameter value can be one or more fully-qualified domain controller server names. If you are specifying more than one domain controller name, the names can be separated by commas or spaces. 
For example:

OR thru GP
"Computer Configuration" -> Centrify Settings -> DirectControl Settings -> Network and Cache Settings -> Blacklist DNS DC hostnames
If you don’t specify a value for this parameter, access is not blocked for any domain controllers or global catalog controllers.