KB-51770: CentrifyDC Getting Disconnected When Using AWS DNS

Authentication Service

26 April 2021 at 04:00 PM

Problem: Customers using AWS DNS (Route 53) may notice that their *nix systems suddenly get disconnected from the domain, even though the domain is reachable and the correct firewall ports are open. Running the adcheck command shows the following output in the DNSCHECK section:
DNSCHECK : Analyze basic health of DNS servers           : Failed
         : No good DNS servers were found.
         : You must fix this issue before continuing.
         : Check the IP addresses in /etc/resolv.conf
         : Alternatively you can use the -s <server> option and
         : place all required system names in /etc/hosts,
         : but this is not recommended.
         :
         : The following table lists the state of all configured
         : DNS servers.
         :  10.52.165.24 (unknown): dead

However, when "adcheck -r" is run, the same DNS server is reported as reachable.

Cause: On Nitro-based EC2 instances, DNS is provided by a component of the AWS Nitro System that communicates with the Route 53 Resolver. DNS provided by the Route 53 Resolver does not support iterative queries, so AWS recommends changing customers' DNS queries from iterative to recursive.
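To see the difference described above at the wire level, here is an added diagnostic (not part of this KB article or of Centrify's tooling) that sends the same A-record query to a resolver first with the Recursion Desired bit clear (an iterative query, what adclient sends by default) and then with it set (a recursive query), and reports whether the server answered and advertised recursion. The resolver IP, the name to look up and the script name are command-line placeholders; the replies used in the checks are constructed.

```python
import socket
import struct

# Flag bits in the DNS header (RFC 1035, section 4.1.1).
QR, RD, RA = 0x8000, 0x0100, 0x0080

def build_query(name, recursion_desired, qtype=1, txid=0x1234):
    """Build a DNS query packet for an A record (qtype 1) of `name`.
    An iterative query leaves the RD bit clear; a recursive query sets it."""
    flags = RD if recursion_desired else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN

def parse_response(data):
    """Decode the header of a DNS response into the fields that matter here."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {
        "txid": txid,
        "is_response": bool(flags & QR),
        "recursion_available": bool(flags & RA),
        "rcode": flags & 0x000F,  # 0 = NOERROR, 2 = SERVFAIL, 5 = REFUSED
        "answers": ancount,
    }

def probe(server, name, recursion_desired, timeout=2.0):
    """Send one UDP query to `server` (port 53) and return the parsed reply header."""
    query = build_query(name, recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    reply = parse_response(data)
    if reply["txid"] != struct.unpack(">H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    return reply

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: dnsprobe.py <resolver-ip> <name-to-look-up>")
    # Ask the same question twice: once as adclient does by default (iterative),
    # once as it does with adclient.dns.cachingserver enabled (recursive).
    for label, rd in (("iterative RD=0", False), ("recursive RD=1", True)):
        try:
            print(label, probe(sys.argv[1], sys.argv[2], rd))
        except (OSError, ValueError) as exc:
            print(label, "no usable reply:", exc)
```

Run it against the resolver listed in /etc/resolv.conf before and after changing the setting; a resolver that only answers the RD=1 query is the situation this article describes.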

Solution: On systems running CentrifyDC version 5.5.1 (Suite 18.8) or higher, the following parameter is available in the /etc/centrifydc/centrifydc.conf file. Set this value to 'true' and restart the CentrifyDC service:

adclient.dns.cachingserver: true

This causes adclient to send recursive DNS queries by default rather than iterative queries. The setting was originally intended for customers who use DNS caching servers, and it has a drawback: if it is enabled and the DNS caching server is down, adclient will treat all of DNS as down and the system will be disconnected from the domain. It is unknown at this time whether AWS DNS would be considered a caching server.
More info on this setting is below:

https://docs.centrify.com/Content/config-unix/adclient_dns_cachingserver.htm?Highlight=adclient.dns.cachingserver%3A%20