17 December,16 at 01:59 AM
Applies to:
Centrify DirectControl 5.3.1 on all platforms
Problem:
The Centrify DirectControl Agent causes high system CPU usage approximately 30 minutes after system or service start. Restarting the DirectControl Agent is needed to bring CPU usage back to normal.
Cause:
By default, the agent updates its list of alternate UPN suffixes every 1800 seconds (30 minutes). To build the list, it searches all available domains. If a domain is unreachable or configured as blocked, the agent becomes stuck in a loop, repeatedly trying to contact the unreachable/blocked domain.
Output from logs will show the following four lines repeated:
adclient[4823]: DEBUG <bg:upnUpdate> network.state Domain blocked: acme.com (not in white list)
adclient[4823]: DEBUG <bg:upnUpdate> base.adagent.domaininfo rejecting domain acme.com. Blocked, not in DNS or our domain list
adclient[4823]: DEBUG <bg:upnUpdate> base.osutil Module=Kerberos : No such domain: acme.com (reference base/adagent.cpp:1349 rc: -1765328230)
adclient[4823]: DEBUG <bg:upnUpdate> util.runqueue unhandled exception No such domain: acme.com
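Added example (not Centrify code): a Python check that counts complete repetitions of the four-line sequence above, per adclient process and domain, so a looping agent can be told apart from a single failed lookup. The function names and the threshold of 3 cycles are assumptions, and the sample input is constructed from the lines quoted above.

```python
import re
from collections import Counter

# adclient debug lines from the <bg:upnUpdate> background thread only.
LINE_RE = re.compile(r"adclient\[(?P<pid>\d+)\]: DEBUG <bg:upnUpdate> (?P<logger>\S+) (?P<msg>.*)")

# The four messages quoted in the article, in order; group 1 is the domain.
SIGNATURE = [
    ("network.state", re.compile(r"Domain blocked: (\S+)")),
    ("base.adagent.domaininfo", re.compile(r"rejecting domain (\S+?)\. Blocked")),
    ("base.osutil", re.compile(r"No such domain: (\S+)")),
    ("util.runqueue", re.compile(r"unhandled exception No such domain: (\S+)")),
]

def match_step(m, i):
    """Return the domain if parsed line m is step i of the signature, else None."""
    logger, rx = SIGNATURE[i]
    hit = rx.search(m["msg"]) if m["logger"] == logger else None
    return hit.group(1) if hit else None

def count_loop_cycles(lines):
    """Count complete four-line cycles per (pid, domain)."""
    cycles, state = Counter(), {}  # state: pid -> (next step, domain in progress)
    # Lines from other threads or daemons are skipped, so they do not break a cycle.
    for m in filter(None, map(LINE_RE.search, lines)):
        step, domain = state.get(m["pid"], (0, None))
        hit = match_step(m, step)
        if hit and (step == 0 or hit == domain):
            step, domain = step + 1, hit
        else:  # out of order: restart, letting this line open a new cycle
            first = match_step(m, 0)
            step, domain = (1, first) if first else (0, None)
        if step == len(SIGNATURE):
            cycles[(m["pid"], domain)] += 1
            step, domain = 0, None
        state[m["pid"]] = (step, domain)
    return cycles

def stuck_domains(lines, threshold=3):
    """Domains whose cycle count reaches threshold (an assumed cutoff)."""
    return sorted({d for (_, d), n in count_loop_cycles(lines).items() if n >= threshold})

# Constructed sample: the article's four lines repeated, one unrelated line mixed in.
CYCLE = [
    "adclient[4823]: DEBUG <bg:upnUpdate> network.state Domain blocked: acme.com (not in white list)",
    "adclient[4823]: DEBUG <bg:upnUpdate> base.adagent.domaininfo rejecting domain acme.com. Blocked, not in DNS or our domain list",
    "adclient[4823]: DEBUG <bg:upnUpdate> base.osutil Module=Kerberos : No such domain: acme.com (reference base/adagent.cpp:1349 rc: -1765328230)",
    "adclient[4823]: DEBUG <bg:upnUpdate> util.runqueue unhandled exception No such domain: acme.com",
]
SAMPLE = CYCLE * 2 + CYCLE[:2] + ["sshd[991]: constructed unrelated line"] + CYCLE[2:]
```

Pass the lines of a real adclient debug log to stuck_domains() to list the domains the agent keeps retrying.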
Workaround:
Edit the /etc/centrifydc/centrifydc.conf file and change the following parameter:
adclient.altupn.update.interval: 90000000 (9 with 7 zeros)
Run adreload after saving for the changes to take effect.
This parameter can also be distributed to your systems using Group Policy and is located at:
Computer Configuration -> Policies -> Admin Templates -> Centrify settings -> DirectControl Settings -> Add centrifydc.conf properties.
Resolution:
This will be fixed in Centrify Server Suite 2017.