Centrify DirectControl Version 5.x on all *nix platforms

Problem:
DNS records for Centrify-joined systems may occasionally become stale because they have not been updated in a while. This can lead to the records being scavenged by the DNS server.

Cause:
DNS sees the record as stale because the client has not updated its time stamp in the past 7 days.
For Centrify DirectControl agent version 5.0 and higher, the addns command can be run in verbose mode to show that the time stamp is not updating.

Workaround:
The addns command enables the Centrify agent to dynamically update DNS records in an Active Directory-based DNS server for environments where the DHCP server cannot update DNS records automatically.
Kerberos credentials are used to establish a security context for updating the DNS records in the DNS server.
As a workaround, a weekly cron job that runs on each server can be set up to force an update via addns.
- The DNS record itself is not actually updated - it will just delete the record and recreate it. This will put a new time stamp on the DNS record for the server and prevent it from being deleted.
- In most cases, this command is not needed if the host's IP address is managed by a Windows-based DNS server and the DHCP server updates the DNS record for the host automatically.
- If a non-Windows-based DNS server is being used, then nsupdate (or a similar command appropriate to the operating environment of the DNS server) should be used instead to update DNS records.
- Edit /etc/centrifydc/centrifydc.conf, search for the following parameter and modify it:
    adclient.dynamic.dns.command: "/usr/sbin/addns -Umf"
  - -f, --force: Force an update even if the IP has not changed
  - -U: Creates or updates the IP address and domain name pointer (PTR) records in the DNS server for the local computer
  - -m: Uses the local computer account's AD credentials to establish a security context with the DNS server
- To see exactly what this command does, manually run it with the verbose flag:
    # /usr/sbin/addns -V -Umf
- Change the following parameter to '8h' (the default is '0', or "never update"):
    adclient.dynamic.dns.refresh.interval: 8h
  This tells adclient to invoke "addns -Um" every 8 hours to refresh its own DNS records.
- Save the file then run the following to reload the configuration file:
None as this is not a bug.
This is the default behavior of how Active-Directory-integrated DNS servers scavenge DHCP addresses.
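
To confirm that the workaround above is actually applied on a host, the two parameters can be checked from a script. This is an added example, not Centrify's own tooling; the function names conf_value and check_dns_refresh are this example's own, and it assumes the "parameter: value" line format shown on this page.

```shell
#!/bin/sh
# Added example: checks a centrifydc.conf for the two settings described above.
# Assumes the "parameter: value" format shown on this page.
# Usage: check_dns_refresh /etc/centrifydc/centrifydc.conf

# Print the value of the last uncommented "name: value" line for parameter $2.
conf_value() {
    awk -v key="$2:" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key) == 1) {
                val = substr(line, length(key) + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                gsub(/^"|"$/, "", val)
                found = val
            }
        }
        END { print found }
    ' "$1"
}

# Exit status: 0 = workaround applied, 1 = not applied, 2 = file unreadable.
check_dns_refresh() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }
    interval=$(conf_value "$conf" adclient.dynamic.dns.refresh.interval)
    cmd=$(conf_value "$conf" adclient.dynamic.dns.command)

    case "$interval" in
        ''|0) echo "NOT_APPLIED: refresh interval unset or 0 (never update)"
              return 1 ;;
    esac

    # -f/--force is what makes addns update when the IP has not changed.
    force=no
    for word in $cmd; do
        case "$word" in
            --force) force=yes ;;
            --*) ;;
            -*f*) force=yes ;;
        esac
    done
    if [ "$force" = no ]; then
        echo "NOT_APPLIED: interval $interval set, but command '$cmd' lacks -f"
        return 1
    fi
    echo "OK: '$cmd' runs every $interval"
}
```

A non-zero exit status makes the function usable from a fleet-wide compliance job to list hosts whose records are still exposed to scavenging.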