
KB-2218: How to force a Centrify DirectControl agent to only use specified domain controllers

Authentication Service

12 April,16 at 11:14 AM


Is there a way to limit which domain controllers a Centrify DirectControl agent can connect to for DNS and other AD operations? There is a DMZ and it is necessary to restrict a Centrify DirectControl agent to use only a specific list of domain controllers.


The Centrify DirectControl agent can be configured to bypass the local /etc/resolv.conf file and use only a specific domain controller, or list of domain controllers (a "white list"), when connecting to a particular domain for DNS and other AD operations. This is achieved via the following parameter in the Centrify DirectControl configuration file, /etc/centrifydc/centrifydc.conf.


This configuration parameter can be used to specify the domain controller host names when DNS is not configured to use Active Directory. In most cases, it is not recommended to use this parameter in a production environment, because Active Directory automatically updates DNS with fail-over and replica servers optimized for the Active Directory site configuration. The parameter is intended primarily for an evaluation environment in which the DNS server runs on a UNIX computer and cannot provide the _ldap service (SRV) records.

To set this parameter, the Active Directory domain name must be specified as the last portion of the configuration parameter name, and the parameter value is the host name of the domain controller. For example, if the Active Directory domain is and the domain controller for that domain is 

The name of the domain controller must be specified, not its IP address. In addition, the domain controller name must be resolvable, either through DNS or through the local /etc/hosts file. Therefore, if DNS is not in use or the DNS server cannot locate the domain controllers, add an entry to the local /etc/hosts file for each domain controller you want to list.

To specify multiple servers for a domain, use a space to separate the domain controller server names. 

For example: 

dns.dc.lab.test: dc1.lab.test dc2.lab.test 
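The two constraints stated above (host names rather than IP addresses, and names that resolve through DNS or /etc/hosts) can be checked before the agent is restarted. The following is an added example, not Centrify code: it reads dns.dc.<domain> lines from centrifydc.conf text and host names from /etc/hosts-style text (both formats assumed as shown in the example above), and reports every entry that breaks a rule.

```python
# Added example (not Centrify code): validate dns.dc.<domain> entries in
# centrifydc.conf: values must be host names, resolvable via DNS or /etc/hosts.
import ipaddress
import re
import socket

DNS_DC_RE = re.compile(r"^\s*dns\.dc\.(?P<domain>\S+?)\s*[:=]\s*(?P<hosts>.*?)\s*$")


def parse_dns_dc(conf_text):
    """Return {domain: [dc_host, ...]} for every dns.dc.* line."""
    entries = {}
    for line in conf_text.splitlines():
        m = DNS_DC_RE.match(line)
        if m:
            entries[m.group("domain")] = m.group("hosts").split()
    return entries


def hosts_file_names(hosts_text):
    """Host names (and aliases) declared in /etc/hosts-style text."""
    names = set()
    for line in hosts_text.splitlines():
        names.update(line.split("#", 1)[0].split()[1:])
    return names


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def dns_resolves(host):
    """System resolver lookup (gethostbyname also consults /etc/hosts)."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def validate(conf_text, hosts_text="", resolver=dns_resolves):
    """Return [(domain, host, problem)]; an empty list means the list is usable."""
    local = hosts_file_names(hosts_text)
    problems = []
    for domain, hosts in parse_dns_dc(conf_text).items():
        for host in hosts:
            if is_ip_literal(host):
                problems.append((domain, host, "IP address given; host name required"))
            elif host not in local and not resolver(host):
                problems.append((domain, host, "not resolvable via DNS or /etc/hosts"))
    return problems
```

Run `validate(open("/etc/centrifydc/centrifydc.conf").read(), open("/etc/hosts").read())` on the agent host; the `resolver` argument exists so the check can be exercised offline with a stub.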
