KB-4215: Description of the discovery process between different forests

Authentication Service, Mac & PC Management Service

12 April 2016 at 11:07 AM

Applies to: Centrify DirectControl version 5.1.2
 
Question:
 
What is the discovery process between different forests? 
 
Answer:
 
Because this area (updateDomainInfoMap) has changed considerably across releases, this KB article describes Centrify DirectControl version 5.1.2 specifically.
 
On start-up, and every 8 hours thereafter (krb5.config.update: 8), adclient updates domainInfoMap, its record of the trust relationships it knows about.
 
When Centrify DirectControl is not configured to operate with the local domain only (adclient.ldap.trust.local.domain.only: false), adclient first searches the Global Catalog (GC) with the filter "(|(objectCategory=trustedDomain)(objectCategory=DomainDNS))" to enumerate all known trusts.
 
It then removes the excluded domains ("adclient.excluded.domains: <domaina> <domainb> ...").
 
After that it loops through each remaining domain to locate that domain's DCs.
 
It then pings each DC to determine whether it is reachable and usable.
 
It then updates /etc/krb5.conf with this set of information, and caches the trusts in /var/centrifydc/kset.trusts. "adinfo -y domain" dumps what adclient currently understands about the trusts.
 
adclient tries to create one connection to each domain. If a connection stays idle for 900 seconds, it is disconnected. "adinfo -y adagent" shows the current connections.
 
Notes:
 
- adclient also supports a whitelist of domains (adclient.included.domains).
 
- "dns.block" specifies DCs to avoid.
 
- For transitive trusts, adclient resolves trusts one more level out, that is, adclient also discovers what each trusted domain itself trusts.
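The steps above (GC enumeration, excluded/included domain filtering, DC location, reachability check, krb5.conf update, plus the one-level-out transitive expansion from the notes) are easier to reason about as a single pipeline. The following is an added example and not Centrify's code: a small Python model of that pipeline using the configuration keys the article names. The configuration values, domain names, DC names, DC reachability and the "what each trusted domain trusts" map are all constructed for the example, and the ordering of the transitive expansion relative to the exclusion step, the treatment of the local domain under a whitelist, and the exact krb5.conf layout are assumptions, not documented adclient behaviour.

```python
"""Model of the DirectControl 5.1.2 trust-discovery pipeline (added example,
not Centrify's code). Every input below is constructed for illustration."""
from typing import Dict, List, Tuple

# Constructed centrifydc.conf fragment; the keys are the ones the article names.
CENTRIFYDC_CONF = """
adclient.ldap.trust.local.domain.only: false
adclient.excluded.domains: legacy.example.net
adclient.included.domains:
dns.block: dc2.partner.example.org
"""

# Constructed stand-in for the GC result of
# (|(objectCategory=trustedDomain)(objectCategory=DomainDNS)).
GC_RESULT = [
    {"objectCategory": "DomainDNS", "dns": "corp.example.com"},      # local domain
    {"objectCategory": "trustedDomain", "dns": "partner.example.org"},
    {"objectCategory": "trustedDomain", "dns": "legacy.example.net"},
    {"objectCategory": "trustedDomain", "dns": "dev.example.com"},
]

# Constructed: what each trusted domain itself trusts (one more level out).
TRUSTS_OF = {"partner.example.org": ["supplier.example.io"]}

# Constructed DC locator results and the outcome of the "ping" step.
DCS_OF = {
    "corp.example.com": ["dc1.corp.example.com", "dc2.corp.example.com"],
    "partner.example.org": ["dc1.partner.example.org", "dc2.partner.example.org"],
    "dev.example.com": ["dc1.dev.example.com"],
    "supplier.example.io": ["dc1.supplier.example.io"],
}
REACHABLE = {"dc1.corp.example.com", "dc2.corp.example.com",
             "dc1.partner.example.org", "dc2.partner.example.org",
             "dc1.supplier.example.io"}          # dc1.dev.example.com is down


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Parse 'key: v1 v2 ...' lines into key -> list of whitespace-separated values."""
    conf: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.split()
    return conf


def select_domains(conf: Dict[str, List[str]], gc_result: List[dict],
                   local_domain: str, trusts_of: Dict[str, List[str]]) -> List[str]:
    """GC enumeration -> transitive expansion -> excluded -> included (whitelist)."""
    if conf.get("adclient.ldap.trust.local.domain.only", ["false"]) == ["true"]:
        return [local_domain]                     # local-domain-only mode: no trust walk
    domains = [entry["dns"] for entry in gc_result]
    # Assumption: expand one level out before filtering, so an excluded domain
    # is dropped wherever it appears in the tree.
    for domain in list(domains):
        for trusted in trusts_of.get(domain, []):
            if trusted not in domains:
                domains.append(trusted)
    excluded = set(conf.get("adclient.excluded.domains", []))
    included = set(conf.get("adclient.included.domains", []))
    domains = [d for d in domains if d not in excluded]
    if included:   # assumption: the local domain always survives a whitelist
        domains = [d for d in domains if d in included or d == local_domain]
    return domains


def locate_dcs(domains: List[str], conf: Dict[str, List[str]],
               dcs_of: Dict[str, List[str]], reachable: set) -> Dict[str, List[str]]:
    """Locate each domain's DCs, drop dns.block entries, keep only reachable ones."""
    blocked = set(conf.get("dns.block", []))
    return {d: [dc for dc in dcs_of.get(d, []) if dc not in blocked and dc in reachable]
            for d in domains}


def render_krb5_realms(usable: Dict[str, List[str]]) -> str:
    """Render a [realms] fragment in the spirit of what adclient writes to /etc/krb5.conf
    (layout assumed). Domains with no usable DC get no realm stanza."""
    lines = ["[realms]"]
    for domain, dcs in sorted(usable.items()):
        if not dcs:
            continue
        lines.append(f"    {domain.upper()} = {{")
        lines.extend(f"        kdc = {dc}" for dc in dcs)
        lines.append("    }")
    return "\n".join(lines)


def discover(conf_text: str = CENTRIFYDC_CONF, gc_result: List[dict] = GC_RESULT,
             local_domain: str = "corp.example.com") -> Tuple[List[str], Dict[str, List[str]], str]:
    """Run the whole pipeline; returns (domains, usable DCs per domain, krb5 fragment)."""
    conf = parse_conf(conf_text)
    domains = select_domains(conf, gc_result, local_domain, TRUSTS_OF)
    usable = locate_dcs(domains, conf, DCS_OF, REACHABLE)
    return domains, usable, render_krb5_realms(usable)


if __name__ == "__main__":
    found, dcs, krb5 = discover()
    print("domains:", found)
    print(krb5)
```

Running it with the constructed inputs drops legacy.example.net (excluded), adds supplier.example.io (one level out from partner.example.org), skips dc2.partner.example.org (dns.block) and leaves dev.example.com with no usable DC because its only DC did not answer the ping, so no DEV.EXAMPLE.COM realm is written. Switching adclient.ldap.trust.local.domain.only to true collapses the result to the local domain alone, and setting adclient.included.domains restricts the walk to the whitelisted domains.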