
KB-2332: Centrify DirectControl and DNS (addns) went stale

Products: Centrify DirectControl, Centrify Identity Service, Mac Edition

12 April 2016, 11:07 AM

Applies to: Centrify DirectControl Version 5.x on all *nix platforms

Problem:

The DNS records registered for Centrify-joined systems can become stale when nothing refreshes their timestamp. Once the timestamp is older than the zone's aging window, the DNS server's scavenging process deletes the record, and the host stops resolving.


Cause: 

The DNS server treats the record as stale because the client has not refreshed its timestamp within the zone's aging window (with Windows DNS defaults, a 7-day no-refresh interval followed by a 7-day refresh interval; the page's "7 days" refers to that refresh interval).
With Centrify DirectControl agent version 5.0 and later, running addns in verbose mode (-V) shows whether the timestamp is actually being refreshed.


Workaround:

The addns command lets the Centrify agent dynamically update its own A, AAAA and PTR records in an Active Directory-based DNS server, for environments where the DHCP server does not update DNS on the host's behalf.
Kerberos credentials (with -m, the computer account's credentials) are used to establish a security context with the DNS server, so the change is a secure dynamic update (GSS-TSIG) rather than an unauthenticated one; a zone configured for secure updates only will reject anything else.
As a workaround, either schedule a weekly cron job on each server that forces an update with addns, or configure adclient to refresh the record on a schedule as described in the steps below.

Notes:
  • addns does not modify the existing record in place: it deletes the record and re-creates it. The new record carries a fresh timestamp, which keeps it outside the scavenging window and prevents it from being deleted.
  • Because this is a secure dynamic update, the computer account must be allowed to delete and create that record. In a zone set to secure updates only, a record owned by another principal (for example one registered by a DHCP server) may fail to update; check the verbose addns output for an access-denied response in that case.
  • In most cases this command is not needed when the host's address is registered in a Windows-based DNS server by a DHCP server that updates the DNS record for the host automatically.
  • If a non-Windows-based DNS server is in use, nsupdate (or the equivalent tool for that DNS server) should be used instead to update the records; addns targets Active Directory DNS.
 
  1. Edit /etc/centrifydc/centrifydc.conf, search for the following parameter and set it to:
    • adclient.dynamic.dns.command: "/usr/sbin/addns -Umf"
      • Reference:
      • -f, --force Force an update even if the IP address has not changed
      • -U Create or update the address (A/AAAA) and domain name pointer (PTR) records in the DNS server for the local computer
      • -m Use the local computer account's AD credentials to establish a security context with the DNS server
        • To see exactly what this command does, run it manually with the verbose flag:
        • # /usr/sbin/addns -V -Umf
  2. Change the following parameter to '8h' (the default is '0', meaning "never refresh"):
    • adclient.dynamic.dns.refresh.interval: 8h
      • With this set, adclient runs the command configured in adclient.dynamic.dns.command (here addns -Umf) every 8 hours to refresh its own DNS records, well inside the zone's refresh interval.
  3. Save the file, then reload the configuration so adclient picks up the change:
    • # adreload
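The three steps above, applied idempotently as one script. This is an added example, not Centrify's own code or tooling: the helper names (set_param, get_param, apply_dns_refresh), the CONF variable and the --apply flag are mine; the parameter names, values and the addns/adreload commands are the ones the article gives. The script only edits the file when run with --apply, and skips the reload when the Centrify tools are not installed, so it can be dry-run against a copy of centrifydc.conf first.

```sh
#!/bin/sh
# Added example (not from the Centrify KB): apply the centrifydc.conf changes
# for periodic DNS re-registration, then reload adclient and do one verbose,
# forced update so the result (and the Kerberos security context) is visible.
# Assumption: CONF, the helper names and --apply are this example's own.

CONF="${CONF:-/etc/centrifydc/centrifydc.conf}"

# set_param FILE KEY VALUE
# Replace the first "key: value" line (commented out or not) with the new
# value, drop any duplicates, or append the line if the key is absent.
set_param() {
    file="$1" key="$2" value="$3"
    if grep -q "^[#[:space:]]*${key}[[:space:]]*:" "$file"; then
        tmp="${file}.tmp.$$"
        awk -v k="$key" -v v="$value" '
            $0 ~ "^[#[:space:]]*" k "[[:space:]]*:" {
                if (!done) { print k ": " v; done = 1 }
                next
            }
            { print }' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
    else
        printf '%s: %s\n' "$key" "$value" >> "$file"
    fi
}

# get_param FILE KEY
# Print the effective (uncommented) value of KEY, or nothing if unset.
get_param() {
    awk -v k="$2" '
        $0 ~ "^" k "[[:space:]]*:" {
            sub("^" k "[[:space:]]*:[[:space:]]*", ""); print; exit
        }' "$1"
}

# apply_dns_refresh FILE
# Steps 1 and 2 from the article: force a secure update with the computer
# account (-m) every 8 hours, even when the address has not changed (-f).
apply_dns_refresh() {
    set_param "$1" "adclient.dynamic.dns.command" '"/usr/sbin/addns -Umf"'
    set_param "$1" "adclient.dynamic.dns.refresh.interval" "8h"
}

main() {
    apply_dns_refresh "$CONF"
    if command -v adreload >/dev/null 2>&1; then
        adreload                   # step 3: make adclient re-read the file
        /usr/sbin/addns -V -Umf    # verbose forced update; shows the new timestamp
    else
        echo "adreload not found; $CONF edited but not reloaded" >&2
    fi
}

case "${1:-}" in
    --apply) main ;;
esac
```

Run it as root with --apply on the Centrify host. To confirm the record is being refreshed, compare the record's timestamp on the DNS server before and after (on a Windows DNS server, the Timestamp property of Get-DnsServerResourceRecord) or watch the verbose addns output for the delete and re-add; an access-denied response there usually means the computer account does not own the existing record.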


Resolution:

None, as this is not a bug.
This is how Active Directory-integrated DNS zones age and scavenge dynamically registered records (including addresses handed out by DHCP) once scavenging is enabled; the client has to keep refreshing its records.
