2.7. SSSD Clients and Active Directory DNS Site Autodiscovery

Active Directory forests can be very large, with numerous different domain controllers, domains and subdomains, and physical sites. Active Directory uses the concept of sites to identify the physical location for its domain controllers. This enables clients to connect to the domain controller that is geographically closest, which increases client performance.
By default, SSSD clients use autodiscovery to find its AD site and connect to the closest domain controller. The process consists of these steps:
  1. SSSD queries SRV records from the DNS server in the AD forest. The returned records contain the names of DCs in the forest.
  2. SSSD sends an LDAP ping to each of these DCs. If a DC does not respond within a configured interval, the request times out and SSSD sends the LDAP ping to the next one. If the connection succeeds, the response contains information about the AD site the SSSD client belongs to.
  3. SSSD then queries SRV records from the DNS server to locate DCs within the site it belongs to, and connects to one of them.

Note

SSSD remembers the AD site it belongs to by default. In this way, SSSD can send the LDAP ping directly to a DC in this site during the autodiscovery process to refresh the site information. Consequently, the procedure of autodiscovery is very fast as no timeouts occur normally.
If the site no longer exists or the client has meanwhile been assigned to a different site, SSSD starts querying for SRV records in the forest and goes through the whole process again.
To override the autodiscovery, specify the AD site to which you want the client to connect by using the ad_site option in the [domain] section of the /etc/sssd/sssd.conf file.

Additional Resources