
KB-2332: Centrify DirectControl and DNS (addns) went stale

Authentication Service, Mac & PC Management Service

21 August 2018 at 06:55 PM

Applies to: Centrify DirectControl Version 5.x on all *nix platforms


DNS records for Centrify-joined systems may occasionally become stale because they have not been updated in a while. This can lead to the records being scavenged (deleted) by the DNS server.


DNS sees the record as stale because the client has not updated its time stamp in the past 7 days.
For Centrify DirectControl agent version 5.0 and higher, the addns command can be run in verbose mode to show that the time stamp is not being updated.


The addns command enables the Centrify agent to dynamically update DNS records in an Active Directory-based DNS server, for environments where the DHCP server cannot update DNS records automatically.
Kerberos credentials are used to establish a security context for updating the DNS records in the DNS server.
As a workaround, a weekly cron job that runs on each server can be set up to force an update via addns.

  • The DNS record itself is not updated in place: addns deletes the record and recreates it. This puts a new time stamp on the DNS record for the server and prevents it from being scavenged.
  • In most cases, this command is not needed if the host's IP address is managed by a Windows-based DNS server and the DHCP server updates the DNS record for the host automatically.
  • If a non-Windows-based DNS server is being used, then nsupdate (or a similar command appropriate to the operating environment of the DNS server) should be used instead to update DNS records.
  1. Edit /etc/centrifydc/centrifydc.conf, search for the following parameter and modify it:
    • adclient.dynamic.dns.command: "/usr/sbin/addns -Umf"
    • On OS versions 10.11 and above (Mac), the correct command is adclient.dynamic.dns.command: "/usr/local/sbin/addns -Umf"
    • Reference:
      • -f, --force: force an update even if the IP address has not changed
      • -U: create or update the IP address and domain name pointer (PTR) records in the DNS server for the local computer
      • -m: use the local computer account's AD credentials to establish a security context with the DNS server
    • To see exactly what this command does, run it manually with the verbose flag:
      • # /usr/sbin/addns -V -Umf
  2. Change the following parameter to '8h' (the default is '0', meaning "never update"):
    • adclient.dynamic.dns.refresh.interval: 8h
      • This tells adclient to invoke "addns -Um" every 8 hours to refresh its own DNS records.
  3. Save the file, then run the following to reload the configuration file:
    • # adreload


There is no fix, as this is not a bug.
This is the default behavior of Active Directory-integrated DNS servers when scavenging DHCP-registered addresses.
