Applies to: Centrify DirectControl version 5.1.2
Question:
What is the discovery process between different forests?
Answer:
As there have been many changes in this area (updateDomainInfoMap), this KB article discusses Centrify DirectControl version 5.1.2 specifically.
On start-up, and every 8 hours thereafter (krb5.config.update:8), adclient updates domainInfoMap, its record of the trust information.
When Centrify DirectControl is not configured to operate with the local domain only (adclient.ldap.trust.local.domain.only:false), adclient first searches the GC for "(|(objectCategory=trustedDomain)(objectCategory=DomainDNS))" to get all the known trusts.
It then removes the excluded domains ("adclient.excluded.domains: <domaina> <domainb> ...").
After that it loops through each remaining domain to locate its DCs.
It then pings each DC to see whether it is reachable and usable.
It then updates /etc/krb5.conf with this information, and the trusts are cached in /var/centrifydc/kset.trusts. "adinfo -y domain" dumps what adclient currently understands about the trusts.
adclient tries to create one connection to each domain. If a connection stays idle for 900 seconds, it is disconnected. "adinfo -y adagent" shows the connections.
Notes:
- adclient also supports a whitelist (adclient.included.domains).
- "dns.block" specifies DCs to avoid.
- For transitive trusts, adclient tries to resolve trusts one more level out; that is, adclient finds out what each trusted domain trusts.
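The discovery order described above, together with the whitelist, dns.block and one-level transitive trust behaviour from the Notes, as an added Python model. This is not Centrify code: the GC search result, DC lists and reachability results are constructed stand-ins, and the krb5.conf layout is assumed rather than copied from a real agent.

```python
# Constructed model of the adclient discovery order (not Centrify code): the GC
# search, the per-domain DC locator and the ping step are hard-coded tables.
TRUSTS = {  # domain -> domains it directly trusts (stand-in for the GC search)
    "corp.example": ["eng.corp.example", "partner.example", "legacy.example"],
    "partner.example": ["vendor.example"],  # only found one level out
    "legacy.example": ["old.example"],
    "eng.corp.example": [],
}
DCS = {  # domain -> its DCs (stand-in for locating each domain's DCs)
    "corp.example": ["dc1.corp.example", "dc2.corp.example"],
    "eng.corp.example": ["dc1.eng.corp.example"],
    "partner.example": ["dc1.partner.example"],
    "vendor.example": ["dc1.vendor.example"],
    "old.example": [],
}
UNREACHABLE = {"dc2.corp.example"}  # stand-in for the ping/usability check


def discover(local_domain, local_only=False, included=None, excluded=(), blocked=()):
    """Return {domain: [usable DCs]} in the KB's order: gather trusts (plus one
    extra level for transitive trusts), apply the included/excluded lists,
    locate DCs, then drop dns.block entries and DCs that fail the ping."""
    candidates = {local_domain}
    if not local_only:  # adclient.ldap.trust.local.domain.only: false
        direct = set(TRUSTS.get(local_domain, []))
        candidates |= direct
        for d in direct:  # what each trusted domain itself trusts
            candidates |= set(TRUSTS.get(d, []))
    if included is not None:  # adclient.included.domains (whitelist)
        candidates &= set(included) | {local_domain}
    candidates -= set(excluded)  # adclient.excluded.domains
    return {
        d: [dc for dc in DCS.get(d, []) if dc not in blocked and dc not in UNREACHABLE]
        for d in sorted(candidates)
    }


def krb5_realms(domain_map):
    """Render a [realms] block like the one adclient refreshes in /etc/krb5.conf
    (layout assumed). Realms with no usable DC are left out so that Kerberos is
    never pointed at a KDC the agent could not reach."""
    lines = ["[realms]"]
    for domain, dcs in domain_map.items():
        if dcs:
            lines.append(f" {domain.upper()} = {{")
            lines += [f"  kdc = {dc}" for dc in dcs]
            lines.append(" }")
    return "\n".join(lines)
```

Compare the model's output with "adinfo -y domain" on a real host to see which trusted domains the agent has actually resolved and which DCs survived the reachability check.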