All,
I read with great interest the release notes on a recent sssd release.
That terse note had a link to a fuller discussion on the better AD
DC discovery algorithm.
The original sssd AD DC discovery algorithm looked up the SRV records in
DNS for the local AD domain. It randomly picked 5 AD DCs to send the
CLDAP ping to. The first AD DC that responded, it would query to determine
the AD site and thus the preferred servers.
However, if none of these 5 AD DCs respond -- game over!
The new, better discovery algorithm implements the same approach that Windows
(and some commercial AD integration products such as Quest) use. They do a
CLDAP ping to *all* AD DCs found via the SRV DNS lookup. The first AD DC that
responds, it queries to determine the AD site and thus the preferred servers.
What is the difference? Quite a lot actually -- in the real world. Lots
of companies, when implementing DMZs or other tightly-firewalled segments
(like back-traffic from public cloud), only allow access to 2-3 read-only
DCs. Yet the DNS SRV lookup will return all the DCs, RW and RO. You
might get back 80-90 DCs, of which only 2-3 are truly reachable.
Thus Windows, Quest and new sssd versions work here -- out of the box. Old
sssd versions only work if you specifically disable site discovery and
hard-code the specific 2-3 RO DCs.
BTW there is an RFC that documents this new better discovery algorithm.
So -- where is the reference to this new discovery algorithm? And which
recent sssd release implements it? I can't find it now.
I'm stuck administering RHEL6, 7 and 8 servers. So it'll be years before I
can enjoy this new discovery algorithm. But at least I have something to
look forward to -- years from now.
Spike
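The two discovery strategies described in the post (ping 5 random DCs from the SRV answer vs. ping all of them), modelled as an added example that is not part of the original message and not sssd's own code. The DC names, the pool of 90 DCs with only 3 reachable, and the cldap_ping stand-in are all constructed for illustration; no DNS or CLDAP traffic is sent. The hypergeometric calculation shows why the old behaviour fails most of the time in exactly the firewalled scenario the post describes.

```python
import math
import random


def make_dc_pool(total=90, reachable=3):
    """Constructed SRV answer: `total` DC hostnames (hypothetical names),
    of which only the first `reachable` are allowed through the firewall."""
    dcs = [f"dc{i:02d}.ad.example.com" for i in range(1, total + 1)]
    return dcs, set(dcs[:reachable])


def cldap_ping(dc, reachable):
    """Stand-in for a real CLDAP ping: the DC 'responds' only if the
    firewall lets the segment reach it. No network I/O is performed."""
    return dc in reachable


def discover_random_sample(dcs, reachable, sample_size=5, rng=None):
    """Old sssd behaviour: pick `sample_size` DCs at random from the SRV
    answer, ping them, and use the first responder. If none of the sampled
    DCs respond, discovery fails (returns None)."""
    rng = rng or random.Random()
    candidates = rng.sample(dcs, min(sample_size, len(dcs)))
    for dc in candidates:
        if cldap_ping(dc, reachable):
            return dc
    return None


def discover_all(dcs, reachable):
    """Windows-style behaviour: ping every DC from the SRV answer and use
    the first one that responds. Fails only if no DC at all is reachable."""
    for dc in dcs:
        if cldap_ping(dc, reachable):
            return dc
    return None


def p_sample_all_unreachable(total, reachable, sample_size):
    """Exact probability (hypergeometric) that a random sample of
    `sample_size` DCs contains none of the `reachable` ones, i.e. the
    probability that the old algorithm gives up."""
    return math.comb(total - reachable, sample_size) / math.comb(total, sample_size)


def failure_rate(total=90, reachable=3, sample_size=5, trials=10_000, seed=1):
    """Monte Carlo estimate of the old algorithm's failure rate on the
    constructed pool; should agree with p_sample_all_unreachable()."""
    rng = random.Random(seed)
    dcs, reach = make_dc_pool(total, reachable)
    failures = sum(
        discover_random_sample(dcs, reach, sample_size, rng) is None
        for _ in range(trials)
    )
    return failures / trials


if __name__ == "__main__":
    dcs, reach = make_dc_pool()
    print("ping-all picks:", discover_all(dcs, reach))
    print("exact P(random-5 fails):", round(p_sample_all_unreachable(90, 3, 5), 4))
    print("simulated failure rate:", failure_rate())
```

With 90 DCs in the SRV answer and 3 reachable, the exact chance that 5 random picks miss every reachable DC is about 0.84, which matches the post's "game over" experience; pinging the whole list always lands on one of the 3 reachable DCs, at the cost of sending far more (tiny, UDP) CLDAP probes, most of which the firewall will silently drop, so expect a discovery delay proportional to the timeout rather than a hard failure.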