Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-3454: Steps to take when decommissioning a DC (domain controller)

Authentication Service ,   Mac & PC Management Service ,  

12 April,16 at 11:13 AM

Applies to: All versions of Centrify DirectControl
 
Question: 
What needs to be done for Centrify adclient agent/servers that are currently bound to a domain controller (DC) that has been scheduled to be decommissioned? 
 
The new DC will be on the same AD site.
 
Answer: 
When a current DC is decommissioned and there are other DCs on the same site, the adclient should automatically failover to the next available DC. 
 
The sequence is as follows:
  • Centrify's adclient selects a DC first by site and it knows the correct site to use by doing an LDAP ping to (any) DC. 
  • It does a DNS SRV query for _ldap._tcp.<site>._sites.<domain> to get list of DCs to try first. 
  • Then it loops through the list and probes the ports. 
  • A DC that does not meet the port requirement, is considered not-eligible. (See KB-0029 for the list of required ports)
  • Adclient goes through each DC until it finds a good one. 
  • If the site list is exhausted without finding any usable DCs, it does a DNS SRV query for _ldap._tcp.<domain>, i.e. Every known DC in the domain. 
  • Adclient will try this list until it finds one to use within a reasonable response time. 
  • If it cannot find any one to use, then it goes into Disconnected mode. 
 
Run the following steps to verify a few things before decommissioning a DC: 
  1. Make sure adclient is talking to AD/DC, the 'CentrifyDC mode' should show connected
    # adinfo
  2. adcheck will show if there is more than one DC 
    # adcheck 
  3. Verify in /etc/centrifydc/centrifydc.conf file that there are no hard coded entries pointing to a particular DC
    # grep -i dns.dc /etc/centrifydc/centrifydc.conf 

    If there is a hardcoded entry, remove it and save the file. Run "adreload" to reload the configuration file
    # adreload
     
  4. Check /var/centrifydc/kset.domaincontroller for any entries. This file should never be edited by hand, but it can be removed/renamed as Centrify will recreate the file during adjoin and populate it.
 

Related Articles

 articleKB-4365: How to change the master domain controller of a zone in ADSI Edit articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-1683: How does Centrify work with Microsoft RODC (Read only Domain Controller) articleKB-4742: SSH login slow after retiring domain controller articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III article[Labs] Setting-up an AWS Test Lab for Centrify articleKB-8942: What are the steps to migrate a RHEL Brightstore cluster to Centrify