How DirectControl Works

Enterprise-Class DNS Support

The DirectControl agent provides best-in-class support for complex, real-world Active Directory environments

With over 4000 enterprise customers, Centrify has developed the industry's most mature, enterprise-class support for real-world Active Directory environments. While other vendors, including the UNIX and Linux distributions, may claim support for Kerberos, only Centrify provides native support for all the complexity and nuance of Active Directory. The Centrify DirectControl agent has robust support for automatic discovery of the nearest domain controller, the global catalog, one/two-way trusts, multi-site environments, domain controller failover, and disjoint Active Directory-DNS namespaces. But Centrify's agent also includes a wide range of configuration parameters along with self-tuning features that, together, reduce the amount of manual configuration needed, enabling the agent to maintain communication with domain controllers even in environments where DNS is not correctly configured.

Why is this important? In lab environments where administrators may have deployed only a few pristine systems in a small, well-managed test domain, many products may pass the baseline "proof of concept" by finding a domain controller and joining Active Directory. However, in many enterprises, DNS in the production environment is a completely different animal. DNS is often not maintained in parallel with Active Directory. When an enterprise changes or retires a domain controller, DNS is frequently not updated, resulting in stale DNS SRV records that point to non-existent or unhealthy domain controllers. Active Directory integration solutions that worked easily in the test lab can prove unusable once deployed in production, with symptoms that include long delays in logging in while a system searches for a domain controller, or lockouts when authentication fails. Similar complexities exist for environments with complex trust relationships or disjoint namespaces.

Centrify's Active Directory support, developed and validated through our experience in real-world environments with thousands of servers, makes the Centrify Suite by far the most enterprise-ready solution for integrating UNIX, Linux and Mac systems with Active Directory. Here are some of our most advanced features:

  • Intelligent Domain Controller Discovery. The Centrify agent validates the domain controllers' health and builds a priority list of domain controllers, tolerating stale DNS SRV records.
  • Dynamic Domain Controller Selection. At join and login time, the highest priority domain controller is examined for health, responsiveness and availability, ensuring a reliable and quick response.
  • Dynamic DNS Selection. Similar to Dynamic Domain Controller Selection, at login time any DNS queries are sent to multiple DNS servers, with the quickest server response being used. This enhances login speed and reduces bottlenecks and single points of failure.
  • Tolerance of Missing DNS Configuration in resolv.conf. In large, established *NIX environments, DNS might not exist or be configured on all servers. The Centrify agent can now be configured to work in this environment.
  • Support for Disjoint Namespaces. In large enterprises, we have frequently found that the DNS namespace is different from the Active Directory domain (for example, centrify.com versus corp.centrify.com). When we join a system to Active Directory, we can add additional aliases so that single sign-on will just work. For example, you can use PuTTY to connect to myserv.centrify.com or myserv.corp.centrify.com and SSO will work as expected.
  • Hardened Support for Complex Trusts. When a system is joined to Active Directory, enhanced mapping of trust relationships (forest, domain, one-way, two-way, transitive) ensures that the login experience is seamless.
  • Enhanced Network Resiliency. Additional enhancements have been made to ensure quicker response and failover in a variety of environments, including offline access, VPN (PPTP, IPSEC, Cisco), wireless, and remote across a WAN.
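As an added illustration of the discovery and health-check behaviour described in the first two bullets (example code written for this page, not Centrify's agent), the sketch below orders SRV candidates by their published priority and weight and drops any that fail a reachability probe, so a stale record for a retired domain controller does not stall every login. The host names and SRV data are constructed; `tcp_probe` is the real check, and the fake probe under `__main__` keeps the example runnable offline.

```python
"""Rank AD domain controllers from SRV records while tolerating stale entries.

Added example, not Centrify code. Ordering follows RFC 2782 in simplified
form: lower priority first, then higher weight (the RFC specifies weighted
random selection within a priority; a deterministic tie-break is used here).
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class SrvRecord:
    target: str    # DC host name as published in DNS
    port: int
    priority: int  # RFC 2782: lower value is preferred
    weight: int    # RFC 2782: higher weight preferred within a priority


# Constructed sample of what _ldap._tcp.dc._msdcs.<domain> might return,
# including a retired DC whose record was never removed from DNS.
SAMPLE_SRV = [
    SrvRecord("dc-old.corp.example.com", 389, 0, 100),   # stale: host is gone
    SrvRecord("dc2.corp.example.com", 389, 0, 100),
    SrvRecord("dc-site2.corp.example.com", 389, 10, 50),
]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real health probe: can a TCP handshake to the LDAP port complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def rank_domain_controllers(
    records: Iterable[SrvRecord],
    probe: Callable[[str, int], bool] = tcp_probe,
) -> List[SrvRecord]:
    """Return reachable DCs in the order a client should try them.
    Hosts that fail the probe (stale SRV entries) are dropped rather than
    left at the top of the list where each login would wait on them."""
    ordered = sorted(records, key=lambda r: (r.priority, -r.weight))
    return [r for r in ordered if probe(r.target, r.port)]


if __name__ == "__main__":
    # Fake probe so the example runs offline; use tcp_probe against real DNS data.
    reachable = {"dc2.corp.example.com", "dc-site2.corp.example.com"}
    for rec in rank_domain_controllers(SAMPLE_SRV, probe=lambda h, p: h in reachable):
        print(f"{rec.target}:{rec.port} priority={rec.priority}")
```

Running the same ranking against your own SRV results with `tcp_probe` is a quick way to spot records that DNS still advertises but that no longer answer.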