
KB-5921: How to configure restricted or preferred domain controller lookups for the Centrify Cloud Connector

Centrify Identity Service, App Edition

4 November 2016 at 11:42 PM

Applies to: Centrify Identity Service


Question:

Is it possible to control which domains or domain controllers the Centrify Cloud Connector queries?


Answer:

There are two recommended methods to restrict the domains, or prefer the domain controllers, that the connector
queries when enumerating AD users and groups. These settings can either limit the connector to querying only
selected domain controllers when searching for AD objects, or make it query the preferred servers first before
falling back to servers that are not on the preferred list.


Option 1:
  • If an entire domain should be excluded from connector searches, block traffic to that domain's DCs with standard firewall rules on the Connector machines.
  • Administrators can exclude specific DCs by overriding their names in the HOSTS file on the server where the Centrify Connector service is installed. Both approaches are per-host and must be repeated, and kept up to date, on every connector machine.
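Option 1 as a PowerShell script for one connector host. This is an added example, not Centrify's tooling or part of the original article; the domain name, DC name, and port list are assumptions, and the firewall rule is deliberately built from the domain's _ldap._tcp SRV record rather than a hand-typed address list so it covers every DC the connector could discover. Do not run it against the domain the connector host itself is joined to, since it would cut off the host's own domain traffic.

```powershell
# Added example (not part of the Centrify KB): apply Option 1 on ONE connector host.
#   (a) block every DC of an entire domain with an outbound Windows Firewall rule, and
#   (b) pin out a single DC by name via the HOSTS file.
# Repeat on every connector machine. All domain and host names below are placeholders.
#Requires -RunAsAdministrator

$BlockedDomain = 'legacy.example.com'      # assumption: a domain the connector must never query
$BlockedDc     = 'dc03.corp.example.com'   # assumption: one DC in an otherwise-allowed domain
$AdTcpPorts    = 88, 389, 636, 3268, 3269  # Kerberos, LDAP, LDAPS, GC, GC over TLS
$AdUdpPorts    = 88, 389                   # Kerberos and the DC-locator "LDAP ping"

# (a) Enumerate the domain's DCs the way a Windows client does: via the _ldap._tcp SRV record.
#     Windows Firewall matches on addresses, not names, so resolve each DC to its IPv4 address.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$BlockedDomain" -Type SRV -ErrorAction Stop
$dcNames = @($srv | Where-Object { $_.Type -eq 'SRV' } |
             Select-Object -ExpandProperty NameTarget -Unique)
$dcIps = foreach ($name in $dcNames) {
    Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
}
$dcIps = @($dcIps | Sort-Object -Unique)
if ($dcIps.Count -eq 0) { throw "No DC addresses found for $BlockedDomain; nothing to block." }

foreach ($proto in 'TCP', 'UDP') {
    $ports = if ($proto -eq 'TCP') { $AdTcpPorts } else { $AdUdpPorts }
    New-NetFirewallRule -DisplayName "Centrify connector: block AD/$proto to $BlockedDomain" `
        -Direction Outbound -Action Block -Profile Any -Protocol $proto `
        -RemoteAddress $dcIps -RemotePort $ports | Out-Null
}
# Caveat: the rule is a snapshot of today's DC addresses. Re-run this after removing the old
# rules (Remove-NetFirewallRule -DisplayName 'Centrify connector: block*') whenever DCs are
# added, removed or re-addressed in $BlockedDomain.

# (b) HOSTS-file override for one DC: the connector finds DCs by name, so resolving that name
#     to an unroutable address stops it from ever completing a connection to this DC.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (-not (Select-String -Path $hostsPath -Pattern ([regex]::Escape($BlockedDc)) -Quiet)) {
    Add-Content -Path $hostsPath -Value "0.0.0.0`t$BlockedDc`t# Centrify connector: do not use this DC"
}
Clear-DnsClientCache

# Verify from this host: both checks should now report False.
Test-NetConnection -ComputerName $dcNames[0] -Port 389 -InformationLevel Quiet
Test-NetConnection -ComputerName $BlockedDc  -Port 389 -InformationLevel Quiet
```

The HOSTS override only works because the connector reaches DCs by the names it discovers through DNS; it does nothing for a DC that is contacted directly by IP address, which is why the firewall rule is the stronger control of the two.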

Option 2:
  • Administrators can also explicitly set which DCs / GCs the cloud connector(s) may use by adding the following registry values under HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\Cloud on all connector machines:
    • desiredDomainControllers : a multi-string list of the DCs the connector service should try to connect to first.
    • AD.AllowSearchingNonDiscoverableDomains : a DWORD that controls whether the connector service may probe for other DCs in the environment beyond that list.
  • Together the two values form either a strict allow list (AD.AllowSearchingNonDiscoverableDomains = 0) or a preferred list with fallback (AD.AllowSearchingNonDiscoverableDomains = 1) of the DCs the connector will use.
  • NOTE: When desiredDomainControllers is set and AD.AllowSearchingNonDiscoverableDomains is 0, the cloud connector(s) will not be aware of any DCs outside the preferred list and will not attempt to connect to them for future look-ups. Confirm that every listed DC is reachable from every connector host before restricting lookups, because there is no fallback.

To add the registry settings:
  1. Go to the machine(s) where the Cloud Connector is installed and open regedit.exe
     
  2. Navigate to the key at:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\Cloud\
  3. Right-click in the right-hand pane and create a new "Multi-String Value" named desiredDomainControllers
    • Enter the FQDNs of the preferred DCs / GCs, one per line.
  4. Create a new "DWORD (32-bit) Value" named AD.AllowSearchingNonDiscoverableDomains
    • Set this value to 0 to disable searching outside the preferred list (strict allow list).
    • Set this value to 1 to allow searching outside the preferred list (preferred list with fallback).
  5. Restart the Connector service to allow the new settings to take effect.
    • NOTE: Restart the connectors one host at a time. To ensure the environment keeps an uninterrupted connection to the Cloud, wait approximately 15 minutes after restarting the first Connector before applying the changes on the next connector host, so that at least one connector is always online.
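The five steps above as a PowerShell script for one connector host. This is an added example, not Centrify's own tooling or part of the original article. The registry key and value names are the ones the steps name; the DC FQDNs and the connector service's display-name pattern are assumptions you must replace. The script adds one thing the manual steps omit: a reachability check of every preferred DC before the allow list is written, because with AD.AllowSearchingNonDiscoverableDomains = 0 the connector has no fallback if a listed DC is unreachable.

```powershell
# Added example (not part of the Centrify KB): Option 2 scripted for ONE connector host.
# Pre-flight reachability of the preferred DCs, write the two registry values exactly as the
# steps above describe, read them back, then restart the connector service.
# Run elevated; apply to connector hosts one at a time (see the 15-minute note above).
#Requires -RunAsAdministrator

$RegPath        = 'HKLM:\SOFTWARE\Centrify\Cloud'                      # key named in the article
$PreferredDcs   = 'dc01.corp.example.com', 'dc02.corp.example.com'     # assumption: your DCs / GCs
$AllowOutside   = 0      # 0 = strict allow list (no fallback), 1 = preferred list with fallback
$ServicePattern = '*Centrify*Connector*'   # assumption: confirm the display name with Get-Service

# 1. Pre-flight. With $AllowOutside = 0 the connector cannot fall back to any other DC, so refuse
#    to proceed unless every listed DC answers on LDAP (389). Report GC (3268) as informational,
#    because only DCs that hold the Global Catalog role listen there.
foreach ($dc in $PreferredDcs) {
    if (-not (Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet)) {
        throw "Preferred DC $dc does not answer on TCP/389 from $env:COMPUTERNAME; not restricting lookups."
    }
    $isGc = Test-NetConnection -ComputerName $dc -Port 3268 -InformationLevel Quiet
    Write-Host ("{0}: LDAP ok, GC {1}" -f $dc, $(if ($isGc) { 'ok' } else { 'not offered' }))
}

# 2. Write the values. desiredDomainControllers is REG_MULTI_SZ (one FQDN per entry);
#    AD.AllowSearchingNonDiscoverableDomains is REG_DWORD. -Force overwrites existing values.
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -Path $RegPath -Name 'desiredDomainControllers' `
    -PropertyType MultiString -Value $PreferredDcs -Force | Out-Null
New-ItemProperty -Path $RegPath -Name 'AD.AllowSearchingNonDiscoverableDomains' `
    -PropertyType DWord -Value $AllowOutside -Force | Out-Null

# 3. Read back what the service will see on restart.
$applied = Get-ItemProperty -Path $RegPath
Write-Host "desiredDomainControllers               : $($applied.desiredDomainControllers -join ', ')"
Write-Host "AD.AllowSearchingNonDiscoverableDomains : $($applied.'AD.AllowSearchingNonDiscoverableDomains')"

# 4. Restart the connector service so the new settings take effect.
$svc = @(Get-Service -DisplayName $ServicePattern -ErrorAction SilentlyContinue)
if ($svc.Count -ne 1) {
    throw "Expected one service matching '$ServicePattern', found $($svc.Count). Check Get-Service and set `$ServicePattern."
}
Restart-Service -Name $svc[0].Name -Force
Write-Host "$($svc[0].DisplayName) is now $((Get-Service -Name $svc[0].Name).Status)"
```

Run it on the first connector host, confirm in the admin portal that the connector reports back online, then wait the recommended 15 minutes before running it on the next host. If a listed DC later goes away, update $PreferredDcs and re-run; with $AllowOutside = 0 a stale entry is silently skipped only if another listed DC still answers.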


For information on restricting look-ups across a Two-Way Trust, please see this article:

For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Customer Support Portal at https://www.centrify.com/support/customer-support-portal/
 
