I am a Windows admin who manages our AD infrastructure. Our Linux team have been building some CentOS 7 VMs and configuring them to use SSSD to join the domain.
The initial config was querying a DC in a different site (not domain as previously written), so I asked them to look into using AD Sites with SSSD.
The server now returns the 3 _ldap DC records from DNS. The first it tries is from a different site so it cannot access it. The second works and it retrieves the correct site name. For a period of time (not sure exactly how long) it will use the DC that responded and after that time has passed it will start back getting the 3 _ldap records from DNS.
This causes some delays in logging in which we have been asked to solve. If we set the site name in the config, then it works all the time, but we have to consider that we restore these VMs from a backup to the other site where the set site name would now be wrong.
I don't know much of the config in CentOS but is there a way for this to work correctly or is that what it is already doing?
Best Answer
You'll need to tell SSSD Which site to use.
This will do the following DNS lookup for ldap/kerberos
You can get a list of these sites from AD DNS or Sites and Services
IMHO Microsoft does a really poor job at doing this, pending your change rate you may want to set up a discovery subdomain yourself or use FreeIPA
Sample query
dig SRV +short _ldap._tcp.MyLocalSite._sites.example.comMicrosoft Sites and Services DNS
IPA Locations DNS
IPA will always list all ipa servers when you configure locations, and modify dns SRV record priority based on geoDNS, hopefully Server 2016 will add support for this, I do not have examples on how to use 2016 server to provide local SRV Records.
If you want to MANUALLY create a site under another domain, you can, nothing says you can't.
Example
SSSD.conf
DNS