KB-24357: Can the number of listed Domain Controllers in the krb5.conf file be limited?

Authentication Service

6 December,19 at 08:26 PM

Question:
Can the number of discovered Domain Controllers listed by adclient in krb5.conf be limited without having to blacklist/whitelist?

Answer:
The number of Domain Controllers listed can be limited with the adclient.server.try.max parameter in centrifydc.conf. The default value is 0, meaning that adclient will search for and receive replies from as many DCs as it can and then list them in krb5.conf. When a value other than 0 is provided, adclient will only find and list that number of DCs.

(e.g. with adclient.server.try.max: 30, adclient will find the closest 30 DCs and list them in the krb5.conf file.)

This setting can also be set via Group Policy using the policy path below:
      "Computer Configuration"
      -> "Centrify Settings"
         -> "DirectControl Settings"
            -> "Network and Cache Settings"
               -> "Set maximum server connection attempts"

Once the setting is in place, the current krb5.conf file must be renamed or deleted and adclient restarted so that a new krb5.conf file is created.

Be aware that this setting also limits the number of DCs that adclient tries to connect to before deciding to run in disconnected mode.
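
To confirm the limit took effect after the restart, the kdc entries in the regenerated krb5.conf can be compared with the configured value. The following check is an added example, not Centrify code; it assumes the DCs appear as "kdc = ..." lines under each realm in the [realms] section, and the sample file contents and host names are constructed.

```python
import re

# Constructed sample inputs; on a real host read centrifydc.conf and krb5.conf instead.
SAMPLE_CENTRIFYDC = "# constructed sample\nadclient.server.try.max: 2\n"
SAMPLE_KRB5 = """[libdefaults]
 default_realm = EXAMPLE.COM
[realms]
 EXAMPLE.COM = {
  kdc = dc1.example.com:88
  kdc = dc2.example.com:88
  kdc = dc3.example.com:88
  master_kdc = dc1.example.com:88
 }
"""

def read_try_max(centrifydc_conf):
    """Return adclient.server.try.max from the file text; 0 (no limit) if unset."""
    for raw in centrifydc_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"adclient\.server\.try\.max\s*:\s*(\d+)", line)
        if m:
            return int(m.group(1))
    return 0

def kdcs_per_realm(krb5_conf):
    """Count 'kdc =' lines under each realm block of the [realms] section."""
    counts, section, realm = {}, None, None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section, realm = line.strip("[]").lower(), None
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            counts[realm] = 0
        elif line.startswith("}"):
            realm = None
        elif realm and re.match(r"kdc\s*=", line):
            counts[realm] += 1   # master_kdc and other keys are not counted
    return counts

def realms_over_limit(centrifydc_conf, krb5_conf):
    """Realms listing more DCs than the limit, e.g. a krb5.conf not yet regenerated."""
    limit = read_try_max(centrifydc_conf)
    if limit == 0:               # default: adclient lists every DC it finds
        return {}
    return {r: n for r, n in kdcs_per_realm(krb5_conf).items() if n > limit}

if __name__ == "__main__":
    print(realms_over_limit(SAMPLE_CENTRIFYDC, SAMPLE_KRB5))
```

A non-empty result after changing the setting usually means the old krb5.conf is still in place and has not been recreated by adclient.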