Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-3220: Can the Centrify agent use "TRY_NEXT_CLOSEST_SITE"?

Authentication Service ,  

12 April,16 at 10:57 AM

Applies to: All versions of Centrify DirectControl
Can the Centrify agent use the DC locator TRY_NEXT_CLOSEST_SITE? 
The DC Locator is cost-aware and so can determine another RODC (Read Only Domain Controller) from a failover site in another data center as a next-best DC to contact (NEXT_CLOSEST_SITE). The architecture is that there is only one RODC in the DMZ. 
When the RODC is down for any reason, Centrify systems cannot talk to any RWDC located in the internal network as ports are blocked. The only port it can use with this DC Locator protocol is UDP/LDAP and that it should return another RODC from a mirror site.
The following links provides additional info:
Centrify does not understand "TRY_NEXT_CLOSEST_SITE". The agent tries the site as specified by subnet, then just any other DC.
adclient does not have a Windows API and so needs to use its own algorithm to locate sites and DCs:
  1. Centrify's adclient select a DC first by site. It knows the correct site to use by doing LDAP ping to (any) DC. 
  2. adclient does DNS SRV query for _ldap._tcp.<site>._sites.<domain> to get list of DC's to try first. It then loops through the list of DCs to probe ports.
  3. A DC that does not meet the ports requirement (apart from NTP), is considered not-eligible. adclient then tries the next DC, until it finds a good one.
  4. If the site list is exhausted without finding one usable DC, it then does DNS SRV query for _ldap._tcp.<domain>, which is basically every known DC in the domain. adclient will try this list until it finds one to use within a reasonable response time.
  5. If it cannot find any one to use, then it goes into Disconnected mode. 
  • The specification of dns.dc.<domain> and dns.gc.<domain> in /etc/centrifydc/centrifydc.conf obviates the need to do the SRV query. The list thus provided will take the place of the result of SRV query.
  • In Centrify DirectControl 5.1.0, adclient can be told to limit the number of DCs to try. This is for environments with thousands of DCs.
  • When a connected DC is lost, adclient may be in disconnected mode briefly (~30 seconds) before it initiates the failover process. 
  • Every 30 minutes, adclient will try to return to the preferred DC in the site. This is for cases like if the site's DC suffered a temporary power outage and recovered.
The conclusion is that in this exact configuration, adclient does not support the TRY_NEXT_CLOSEST_SITE; It tries every DC out in the Site (with only one RODC per Site) instead of trying in priority the ones from a Site with low cost links.
It is recommended to use a second RODC for each site.