Pre-Staging before using Adjoin on a new machine

When joining a large AD environment, the join procedure can take a very long time, up to dozens of minutes. This becomes a concern in some use cases, such as starting an Amazon EC2 instance that needs to join the domain before it can provide service.

To speed up the adjoin process, the adjoin --prestage option uses existing cache files instead of populating the cache from scratch.

Some preparation is required to take advantage of the --prestage option:

  • Prepare a pre-staged cache directory on a joined machine
  • Copy the cache directory to the new machine

Security requirements

To use the --prestage option, ensure the following:

  • Joined and new machine requirements:

    • The --prestage option can only be used between machines that have the same platform, architecture, and Authentication Service (Centrify DirectControl) release version installed.
    • The adclient cache data encryption feature must not be enabled on the joined machine (see the adclient.cache.encrypt parameter).

  • Pre-staged cache directory on joined machine requirements:

    • On a joined machine, create or designate a directory for the pre-staging cache files.
    • The directory must be in a safe path, meaning that every level of parent directory is owned by a system account.
    • The directory cannot be either group or world writable.

  • Content for the pre-staged cache directory on the joined machine:

    • Place the cache files (dz.cache, dc.cache, gc.cache, the .idx files and the kset. files) in the specified directory.
    • Ensure the cache files are owned by system accounts.
    • Files cannot be either group or world writable.
    • Symlinks are not allowed for the cache files.

  • Zone hierarchy changes are not allowed between the staging directory and the new machine. This includes:

    • zone name change
    • zone GUID change
    • zone schema change

Preparing to use --prestage option

  1. Create a directory on a joined machine. For example, /pre.
  2. Stop adclient on that machine.
  3. Copy the /var/centrifydc/ directory to the pre-staged directory on the joined machine.

    For example, copying the /var/centrifydc/ directory to the pre-staged directory /pre places a copy of the required files in /pre/centrifydc/.

  4. Verify that the pre-staged directory on the joined machine contains all of the .idx, .cache, and kset. files.

  5. Copy the pre-staged directory to the new machine.

    Use a method of your choice, such as scp or sftp.

    This is done so the pre-staged files are available locally on the new machine.

  6. Add the option to the adjoin command when adding the new machine. The syntax is:

    -E | --prestage <directory>

    where <directory> is the path to the pre-staged directory on the new machine.

    For example, if the pre-staged files are in the directory /pre/centrifydc/, use the following adjoin command:

    adjoin -z <zone> -E /pre/centrifydc <domain>