Applies to: All versions of Centrify DirectControl
Question:
What needs to be done for Centrify adclient agent/servers that are currently bound to a domain controller (DC) that has been scheduled to be decommissioned?
The new DC will be on the same AD site.
Answer:
When a current DC is decommissioned and there are other DCs on the same site, the adclient should automatically fail over to the next available DC.
The sequence is as follows:
- Centrify's adclient selects a DC by site first; it learns the correct site to use by doing an LDAP ping to (any) DC.
- It does a DNS SRV query for _ldap._tcp.<site>._sites.<domain> to get the list of DCs to try first.
- Then it loops through the list and probes the ports.
- A DC that does not meet the port requirement is considered not eligible. (See KB-0029 for the list of required ports.)
- Adclient goes through each DC until it finds a good one.
- If the site list is exhausted without finding any usable DCs, it does a DNS SRV query for _ldap._tcp.<domain>, i.e. every known DC in the domain.
- Adclient will try this list until it finds one to use within a reasonable response time.
- If it cannot find any one to use, then it goes into Disconnected mode.
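The selection order above, as an added illustration (not Centrify's code): the site is passed in as already known (the LDAP-ping step is not modelled), the SRV resolver and port prober are injected so the logic runs offline, the required-port set is an assumption (KB-0029 is authoritative), and the SRV data and host names are constructed.

```python
import socket
from typing import Callable, Iterable, List, Optional

# Assumed eligibility ports; KB-0029 holds the authoritative list.
REQUIRED_PORTS = (88, 389, 445)

Resolver = Callable[[str], List[str]]   # SRV name -> ordered DC host list
Prober = Callable[[str, int], bool]     # (host, port) -> port answered?


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Live prober: a DC 'meets the port requirement' only if TCP connects in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def eligible(host: str, probe: Prober, ports: Iterable[int] = REQUIRED_PORTS) -> bool:
    """Every required port must answer, otherwise the DC is not eligible."""
    return all(probe(host, p) for p in ports)


def select_dc(domain: str, site: str, resolve: Resolver, probe: Prober) -> Optional[str]:
    """First usable DC from the site list, then from the whole domain; None = Disconnected."""
    site_srv = f"_ldap._tcp.{site}._sites.{domain}"   # tried first
    domain_srv = f"_ldap._tcp.{domain}"               # every known DC, fallback
    for srv_name in (site_srv, domain_srv):
        for host in resolve(srv_name):
            if eligible(host, probe):
                return host
    return None


# Constructed sample: dc1 is the decommissioned DC, dc2 its same-site replacement.
SAMPLE_SRV = {
    "_ldap._tcp.HQ._sites.example.com": ["dc1.example.com", "dc2.example.com"],
    "_ldap._tcp.example.com": ["dc1.example.com", "dc2.example.com", "dc3.example.com"],
}
DOWN_HOSTS = {"dc1.example.com"}


def sample_resolve(name: str) -> List[str]:
    return SAMPLE_SRV.get(name, [])


def sample_probe(host: str, port: int) -> bool:
    return host not in DOWN_HOSTS
```

Swap `sample_probe` for `tcp_probe` (and `sample_resolve` for a real SRV lookup) to check a live domain; a `None` result corresponds to adclient entering Disconnected mode.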
Run the following steps to verify a few things before decommissioning a DC:
- Make sure adclient is talking to AD/DC; the 'CentrifyDC mode' should show connected:
# adinfo
- adcheck will show if there is more than one DC:
# adcheck
- Verify in the /etc/centrifydc/centrifydc.conf file that there are no hard-coded entries pointing to a particular DC:
# grep -i dns.dc /etc/centrifydc/centrifydc.conf
If there is a hard-coded entry, remove it and save the file. Run "adreload" to reload the configuration file:
# adreload
- Check /var/centrifydc/kset.domaincontroller for any entries. This file should never be edited by hand, but it can be removed or renamed, since Centrify will recreate and populate it during adjoin.