KB-3410: Setting adclient.server.try.max: 0 does not bring adclient to Disconnected mode as described in Centrify Agent version 5.1.1

Centrify DirectControl ,  

12 April,16 at 11:11 AM

Applies to: Centrify DirectControl 5.1.1 on All Platforms

For Centrify DirectControl agent 5.1.1, in /etc/centrifydc/centrifydc.conf:

# Specify the maximum number of servers Centrify DirectControl Agent should
# try to connect to when the default domain controller is down before
# deciding to run in disconnected mode.
# This policy is used if the agent is unable to connect to its primary domain
# controller. If enabled, adclient will query DNS for a list of other domain
# controllers and try each server in the list up to the maximum number of
# servers you specify. For example, if you have a large number of replica
# domain controllers for a given domain, you may want to use this parameter
# to limit the number of servers for the agent to try to connect to in order
# to limit network traffic and improve performance.
# The value should be a positive integer or 0. Setting the value to 0 forces
# Centrify DirectControl Agent to operate in disconnected mode. The default
# number of servers to attempt to connect to is 0.
# This policy is ignored if you have defined a master domain controller for
# the zone the computer is a member of. If you have specified a master domain
# controller, the computer only connects to that domain controller.
# Note: this parameter was deprecated since 4.4.3 in adclient and resurrected
# in 5.1.0.
# Controlled by group policy under the setting
#      "Computer Configuration"
#      -> "Centrify Settings"
#         -> "DirectControl Settings"
#            -> "Network and Cache Settings"
#               -> "Set maximum server connection attempts"
# adclient.server.try.max: 0

The same is also mentioned in centrify-unix-config-guide.pdf 

From the above, it says "Setting the value to 0 forces Centrify DirectControl Agent to operate in disconnected mode".

However, setting "adclient.server.try.max: 0" does not seem to bring adclient to Disconnected mode, even after restarting adclient.

For example:

[root@RedHat centrifydc]# cat /etc/centrifydc/centrifydc.conf | grep adclient.server.try.max
adclient.server.try.max: 0
[root@RedHat centrifydc]# /usr/share/centrifydc/bin/centrifydc restart
Centrify DirectControl restarted.

[root@RedHat centrifydc]# adinfo
Local host name:   redhat
Joined to domain:  henry.cheung
Joined as:         redhat.henry.cheung
Pre-win2K name:    redhat
Current DC:        win-pufvvl4b9mr.henry.cheung
Preferred site:    testsite
Zone:              henry.cheung/Program Data/Centrify/Zones/Global/FIN
Last password set: 2013-08-12 05:50:10 EDT
CentrifyDC mode:   connected
Licensed Features: Enabled

[root@RedHat centrifydc]# adinfo -c | grep adclient.server.try.max
adclient.server.try.max: 0

There is an error in the documentation and will be corrected in Suite 2014.

In Centrify DirectControl agent 5.1.1, if adclient.server.try.max is set to 0, and adclient loses connection with the primary DC, before switching to Disconnected mode, adclient will try EVERY known DC inside the domain until it finds one to talk to. 

Therefore, if adclient is able to find one live DC to talk to within the domain, it will remain in Connected mode even when adclient.server.try.max is set to 0, instead of going to Disconnected mode as described. The only scenario where adclient will operate in Disconnected mode when adclient.server.try.max is set to 0 is when all DCs in the domain are not able to talk to adclient.

If there is a need to force adclient to go into disconnected mode for testing purposes, please refer to the following KB:

