Working with domain controllers and DNS servers

Delinea Agents are designed to perform the same set of DNS lookup requests that a typical Windows workstation performs to find the nearest domain controller for the local site. The DNS lookup request enables the Centrify Agent for *NIX to find domain controllers as they become available on the network or as the computer is relocated to another network location where different domain controllers are present. Centrify Agents also use DNS to find the Kerberos service providers and the global catalog service providers for the Active Directory forest.

In a typical Windows environment, the DNS server role is updated dynamically to contain the service location (SRV) DNS entries for Active Directory’s LDAP, Kerberos, and global catalog services, so this information is available for Centrify Agents to use. However, some DNS configurations do not provide all of the SRV records for the set of domain controllers that provide Active Directory service to the enterprise. You may also run into problems if DNS for the enterprise runs on UNIX servers that cannot locate your Active Directory domain controllers. The next sections describe how you can adjust DNS or the Centrify Agent to ensure they work together properly in your environment.

Related topics

  1. Working with domain controllers and DNS servers

    1. Configuring the DNS server role on Windows
    2. Configuring DNS running on UNIX servers
      1. Checking whether DNS can resolve the domain controller
      2. Resolving issues in locating Active Directory domain controllers
    3. Setting up DNS service on a target domain controller
      1. Adding a DNS server role to an Active Directory domain controller
    4. Configuring UNIX to use DNS service on the target domain controller
    5. Setting the domain controller in the configuration file
    6. Using the fixdns script

Configuring the DNS server role on Windows

One of the most common scenarios for running DNS in an environment with Active Directory is to add the DNS server role to a Windows domain controller or another Windows server.

If you are already using DNS in Active Directory and dynamically publishing DNS service records, no additional configuration should be necessary. If you are using DNS in Active Directory but have disabled dynamic updates, change the configuration of the DNS server role to allow dynamic updates; dynamic updates are what let each domain controller register its own SRV records in the zone. With those records present, Centrify Agents can locate the domain controllers in the site and select an appropriate new domain controller if the connection to the current one is lost or the managed computer is moved to a new location on the network.

Configuring DNS running on UNIX servers

If your environment is configured to use UNIX-based DNS servers instead of Active Directory-based DNS servers and the UNIX system is configured to use DHCP, the nameserver entry in the /etc/resolv.conf file is set automatically to point to a DNS server.

If this DNS server is aware of the Active Directory domain you want to join, no further changes are needed. If the DNS server identified as a nameserver in the /etc/resolv.conf file is not aware of the domain you are trying to join, for example, because you are using a test domain or a separate evaluation environment, you need to either disable DHCP or manually set the location of the Active Directory domain controller in the Centrify configuration file.

Checking whether DNS can resolve the domain controller

In most cases, you can verify whether a UNIX computer can locate the domain controller and related services by running the ping command against the fully qualified name of an Active Directory domain controller, and by checking the nameserver entry in the /etc/resolv.conf file. This nameserver entry should be the IP address of a DNS server that can answer for the Active Directory domain you want to join, typically one of the domain controllers in that domain.

If ping resolves the name and reaches the domain controller, the DNS server listed in /etc/resolv.conf can resolve hosts in the Active Directory domain, which in most environments means it also serves the domain's SRV records and no further changes are needed. Note that ping only confirms host name resolution and ICMP reachability; it does not confirm that the SRV records the agent queries are present, and it fails on networks that block ICMP even when DNS is correct. If the ping command is not successful, you will need to take further action to resolve the issue.
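The following script is an added example for this check; it is not part of the Centrify documentation or product. Rather than relying on ping, it lists the nameservers in /etc/resolv.conf, asks them for the LDAP, Kerberos and global catalog SRV records that a domain-joined client uses, and tests TCP reachability of each returned target. It assumes the BIND dig utility and a netcat (nc) that accepts -z and -w, assumes the domain given is the forest root (the _gc._tcp record lives under the forest root), and the function names, the mylab.test domain and the sample record lines are illustrative.

```shell
#!/bin/sh
# Added example, not from the Centrify documentation. Assumes dig (BIND
# utilities) and a netcat ("nc") that supports -z (scan) and -w (timeout).

# Print the nameserver addresses the resolver will use.
show_nameservers() {
    awk '$1 == "nameserver" { print $2 }' /etc/resolv.conf
}

# Turn dig's "+short" SRV output (priority weight port target) into
# "target:port" lines, lowest priority first, then highest weight first.
# Constructed sample input line:  0 100 389 dc1.mylab.test.
parse_srv() {
    sort -k1,1n -k2,2nr | awk '{ sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# Query the SRV records a domain-joined client uses to find services.
# _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.dc._msdcs.<domain> list
# the domain controllers; _gc._tcp.<forest root> lists global catalog servers.
lookup_ad_srv() {
    domain="$1"
    for svc in _ldap._tcp.dc._msdcs _kerberos._tcp.dc._msdcs _gc._tcp; do
        echo "== SRV $svc.$domain"
        dig +short SRV "$svc.$domain" | parse_srv
    done
}

# Check that each "host:port" line read on stdin accepts a TCP connection
# (389 LDAP, 88 Kerberos, 3268 global catalog). Returns 1 if any fail.
check_reachable() {
    rc=0
    while IFS=: read -r host port; do
        if nc -z -w 3 "$host" "$port" 2>/dev/null; then
            echo "ok   $host:$port"
        else
            echo "FAIL $host:$port"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh dnscheck.sh mylab.test
if [ -n "${1:-}" ]; then
    echo "== nameservers"; show_nameservers
    lookup_ad_srv "$1"
    echo "== reachability of LDAP targets"
    dig +short SRV "_ldap._tcp.dc._msdcs.$1" | parse_srv | check_reachable
fi
```

An empty answer for _ldap._tcp.dc._msdcs.<domain> with a working ping is exactly the case the sections below address: the resolver can see the hosts but not the Active Directory service records.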

Resolving issues in locating Active Directory domain controllers

If the UNIX computer cannot find the Active Directory domain controller, there are several ways you can resolve the issue. Depending on your environment and specific situation, you should consider doing one of the following:

Setting up DNS service on a target domain controller

One of the simplest ways to ensure that the UNIX computers can locate the Active Directory domain controller and related services is to use the DNS service on the Active Directory domain controller as a local resolver that sits in front of the enterprise DNS servers. You do this by configuring the DNS server role on the Active Directory domain controller, then specifying that domain controller in the UNIX computer’s /etc/resolv.conf file. You then add a forwarder to the DNS service on the domain controller so that it passes on all lookups that it cannot satisfy to an enterprise DNS server.

This configuration does not require any changes to the enterprise DNS servers; a forwarded lookup from the domain controller is simply a query from another computer in the enterprise. The UNIX computers configured to use this DNS service receive the appropriate Service Location (SRV) records and global catalog entries for the Active Directory domain controller from the domain controller’s own zone, and any other names are answered by the enterprise DNS servers through the forwarder.

Adding a DNS server role to an Active Directory domain controller

The specific steps for adding the DNS server role to a domain controller depend on the version of Windows Server you use. In most cases, you can use an administrative tool, such as Server Manager, to add roles. Follow the instructions displayed in the wizard to add the DNS Server role, configure the DNS lookup zones, and set the dynamic update policy for the Active Directory zone. The Allow both nonsecure and secure dynamic updates option accepts record updates from any host that can reach the server, which is acceptable in an isolated test or evaluation environment; where the zone is Active Directory-integrated and every host that registers records can authenticate, prefer the Secure only option so that an unauthenticated host cannot overwrite a domain controller’s records.

After you have configured the DNS server role on the domain controller, the computer uses the local DNS server as its primary DNS server.

Configuring UNIX to use DNS service on the target domain controller

Once you have configured the DNS service to contain the required Active Directory entries, you simply need to modify the UNIX computer to send all DNS lookup requests to the newly configured DNS server.

To configure the UNIX computer to use the new DNS server:

  1. Open the /etc/resolv.conf file.

  2. Set the IP address of the nameserver entry to the IP address of the DNS server on the Active Directory domain controller you just configured. If the computer obtains its network settings through DHCP, the DHCP client may rewrite /etc/resolv.conf at the next lease renewal and undo this change; in that case either disable DHCP, as described above, or configure the DHCP client not to manage the nameserver entries.

Setting the domain controller in the configuration file

If you are not able to use DNS to locate the Active Directory domain controllers on your network, you can manually specify one or more domain controllers in the Centrify configuration file.

To manually specify a domain controller, add the following entry to the Centrify configuration file, /etc/centrifydc/centrifydc.conf:

dns.dc.domain_name: server_name [server_name ...]

For example, if you want to ensure the Centrify Agent uses the domain mylab.test and the domain controller named dc1.mylab.test, you could add the following line to the /etc/centrifydc/centrifydc.conf file:

dns.dc.mylab.test: dc1.mylab.test

You must specify the name of the domain controller, not its IP address. In addition, the domain controller name must be resolvable using either DNS or in the local /etc/hosts file. Therefore, you must add entries to the local /etc/hosts for each domain controller you want to use if you are not using DNS or if the DNS server cannot locate your domain controllers.

To specify multiple servers for a domain, use a space to separate the domain controller server names. For example:

dns.dc.mylab.test: dc1.mylab.test dc2.mylab.test

The Centrify Agent will attempt to connect to the domain controllers in the order specified. For example, if the domain controller dc1.mylab.test cannot be reached, the agent will then attempt to connect to dc2.mylab.test.

If the global catalog for a given domain is on a different domain controller, you can add a separate dns.gc.domain_name entry to the configuration file to specify the location of the global catalog. For example:

dns.gc.mylab.test: dc3.mylab.test

You can add as many domain and domain controller entries to the Centrify configuration file as you need. Because the entries manually specified in the configuration file override any site settings for your domain, you can completely control the Centrify Agent for *NIX’s binding to the domains in your forest through this mechanism.

In most cases, you should use DNS whenever possible to locate your domain controllers. Using DNS ensures that any changes to the domain topology are handled automatically through the DNS lookups. The settings in the configuration file provide a manual alternative to looking up information through DNS for those cases when using DNS is not possible. If you use the manually-defined entries in the configuration file and the domain topology is changed by an Active Directory administrator, you must manually update the location of the domains in each configuration file.

Using the fixdns script

The Centrify Agent includes a fixdns script that you can use to inspect your environment and make the necessary configuration file changes for you.

To run this script, you need to specify the domain controller name and IP address:

fixdns domain_controller_name IP_address

For example if you intend to join the domain mytest.lab and the domain controller for that domain is dc1.mytest.lab and its address is 172.27.20.1, you would run the following command:

fixdns dc1.mytest.lab 172.27.20.1

The fixdns script will then make the necessary changes to the /etc/hosts and the Centrify configuration file.

This script does not update the /etc/resolv.conf file. If the script cannot locate the domain controller using the existing /etc/resolv.conf settings, it will assume that you want to use settings from the configuration file.
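The dns.dc and dns.gc entries described under Setting the domain controller in the configuration file, and the /etc/hosts maintenance that the fixdns script performs, can both be done idempotently with a few shell functions. The script below is an added example; it is not the fixdns script and not Centrify code. The centrifydc.conf key syntax is the one documented above; the function names, the CONF and HOSTS environment variables, the =<ip> argument form and the sample domain, controller names and addresses are assumptions. It assumes getent, which consults /etc/nsswitch.conf and so reports what the agent will be able to resolve.

```shell
#!/bin/sh
# Added example, not part of the Centrify product or its fixdns script.

# Set "<key>.<domain>: <dc> [<dc> ...]" in a centrifydc.conf file, replacing
# any existing line for the same key and domain. key is dns.dc or dns.gc.
# Usage: set_dc_entry <conf> <key> <domain> <dc> [<dc> ...]
set_dc_entry() {
    conf="$1"; key="$2.$3:"; shift 3
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.$$"
    awk -v k="$key" '$1 != k' "$conf" > "$tmp"
    printf '%s %s\n' "$key" "$*" >> "$tmp"
    mv "$tmp" "$conf"
}

# Print the controllers configured for a key and domain (nothing if none).
# Usage: get_dc_entry <conf> <key> <domain>
get_dc_entry() {
    awk -v k="$2.$3:" '$1 == k { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# Add "<ip> <name>" to a hosts file if that name has no entry yet, so the
# controller name in centrifydc.conf resolves even without DNS.
# Usage: add_hosts_entry <hosts> <ip> <name>
add_hosts_entry() {
    hosts="$1"; ip="$2"; name="$3"
    [ -f "$hosts" ] || : > "$hosts"
    if awk -v n="$name" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                          END { exit found ? 0 : 1 }' "$hosts"; then
        echo "kept   $name (already in $hosts)"
    else
        printf '%s %s\n' "$ip" "$name" >> "$hosts"
        echo "added  $ip $name"
    fi
}

# Report whether each name resolves through the configured name services
# (DNS or /etc/hosts, per nsswitch). Returns 1 if any name fails.
check_dc_resolvable() {
    rc=0
    for dc in "$@"; do
        if getent hosts "$dc" > /dev/null 2>&1; then
            echo "ok   $dc"
        else
            echo "FAIL $dc (not in DNS or /etc/hosts)"; rc=1
        fi
    done
    return $rc
}

# Usage: sh setdc.sh mylab.test dc1.mylab.test=172.27.20.1 dc2.mylab.test
# A controller given as name=ip also gets a hosts entry; CONF and HOSTS
# override the default /etc/centrifydc/centrifydc.conf and /etc/hosts.
if [ -n "${1:-}" ]; then
    domain="$1"; shift
    names=""
    for arg in "$@"; do
        name="${arg%%=*}"; ip="${arg#*=}"
        if [ "$ip" != "$arg" ]; then
            add_hosts_entry "${HOSTS:-/etc/hosts}" "$ip" "$name"
        fi
        names="$names $name"
    done
    set_dc_entry "${CONF:-/etc/centrifydc/centrifydc.conf}" dns.dc "$domain" $names
    check_dc_resolvable $names
fi
```

Because set_dc_entry replaces rather than appends, rerunning it after a topology change leaves a single dns.dc line for the domain, and check_dc_resolvable flags a controller name that would make the agent fail for the reason given above: the name is not resolvable by DNS or by /etc/hosts.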