Centrify Identity ServiceQuestion:
Is it possible to manage how the Centrify Cloud Connector will query specific domains or domain controllers?Answer:
There are two recommended methods to restrict domains or prefer specific domain controllers the connector will
attempt to query when performing AD user and group enumeration. Use of these configuration settings can
restrict the connector to query only selected domain controllers when searching for AD objects or allow queries
to specific servers before attempting queries to other servers that are not on the preferred list.Option 1:
- If an entire domain should be blocked from connector searches, these domains could be blocked via standard firewall rules on the Connector machines.
- For additional information on configuring firewall rules with Windows Server, please refer to the following Microsoft article.
- Administrators can choose to block specific DC's using the HOSTS file on the server where the Centrify Connector service is installed.
- For additional information on Host Name Resolution and configuring a HOSTS file, please refer to the following Microsoft article.
- Administrators can also explicitly set which DCs / GCs the cloud connector(s) can use by adding the following registry keys on all connector machines:
- desiredDomainControllers : This key provides a list of DCs that the connector service should try to connect to first.
- AD.AllowSearchingNonDiscoverableDomains : This key will stop or allow the connector service from probing for other DCs in the environment.
- The combination of the two settings will effectively create a whitelist or preferred list of DCs that the connector will use.
- NOTE: When both of these settings are active, the cloud connector(s) will not be aware of any other DCs outside of the preferred list and will not attempt to connect to them for future look-ups.
To add the registry settings:
- Go to the machine(s) where the Cloud Connector is installed and open regedit.exe
- Navigate to the key at:
- Right-click and create a new "Multi-String Value": desiredDomainControllers
- Enter the FQDNs of the preferred DCs / GCs, making sure to only put one on each line:
- Create a new "DWORD (32-bit) Value": AD.AllowSearchingNonDiscoverableDomains
- Set this value to 0 to disable searching outside the preferred list
- Set this value to 1 to allow searching outside the preferred list.
- Restart the Connector service to allow the new settings to take effect.
- NOTE: To ensure the environment maintains a constant connection to the Cloud - it is advised to wait approximately 15 minutes after the first Connector is restarted before applying the changes on the next connector host.
For information on restricting look-ups across a Two-Way Trust, please see this article:
For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Customer Support Portal at https://www.centrify.com/support/customer-support-portal/