Language and Page Formatting Options
2.8. SSSD Clients and Active Directory DNS Site Autodiscovery
Active Directory forests can be very large, with numerous different domain controllers, domains and child domains, and physical sites. Active Directory uses the concept of sites to identify the physical location for its domain controllers. This enables clients to connect to the domain controller that is geographically closest, which increases client performance.
By default, SSSD clients use autodiscovery to find its AD site and connect to the closest domain controller. The process consists of these steps:
- SSSD queries SRV records from the DNS server in the AD forest. The returned records contain the names of DCs in the forest.
- SSSD sends an LDAP ping to each of these DCs. If a DC does not respond within a configured interval, the request times out and SSSD sends the LDAP ping to the next one. If the connection succeeds, the response contains information about the AD site the SSSD client belongs to.
- SSSD then queries SRV records from the DNS server to locate DCs within the site it belongs to, and connects to one of them.
SSSD remembers the AD site it belongs to by default. In this way, SSSD can send the LDAP ping directly to a DC in this site during the autodiscovery process to refresh the site information. Consequently, the procedure of autodiscovery is very fast as no timeouts occur normally.
If the site no longer exists or the client has meanwhile been assigned to a different site, SSSD starts querying for SRV records in the forest and goes through the whole process again.
To override the autodiscovery, specify the AD site to which you want the client to connect by using the
ad_siteoption in the [domain] section of the
- See the sssd-ad(5) man page for details on
- For environments with a trust between Identity Management and Active Directory, see Section 5.6, “Restricting Identity Management or SSSD to Selected Active Directory Servers or Sites in a Trusted Active Directory Domain”.