Is the list of Domain Controllers returned by 'vastool info servers' a list of all the Domain Controllers that a given client can talk to?
Under normal operation, all the servers returned by 'vastool info servers' are the servers (Domain Controllers) that Quest Authentication Services (QAS) will try to communicate with. This list is defined by Active Directory (AD) Sites, provided they are set up and configured correctly.
If a site has two domain controllers and they both become unavailable, QAS will search outside the site to locate a Domain Controller that responds and allows authentication. Otherwise QAS will use the servers (DCs) returned by 'vastool info servers'.
If a domain controller (DC) goes offline, QAS will automatically fail over to another available DC. When QAS needs to connect to a new DC, it examines the DCs it knows about and picks a DC in the following order:
1. The vas.conf [realms] section entry after the failed DC.
2. Random in-site DC.
3. Random out of site DC.
The vasd daemon uses a CLDAP ping to find its site, then DNS SRV queries to locate an in-site server, then SRV queries to find all servers if needed. The SRV queries require DNS access. If there is no DNS, QAS cannot function.
If no new DC can be found, QAS goes into disconnected mode, where it will attempt every 30 seconds to find a DC to communicate with.
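To check the DNS side of the lookups described above, the following added example (not One Identity code) queries the standard Active Directory DC locator SRV records with dig and separates in-site from out-of-site DCs, so the result can be compared with 'vastool info servers'. It assumes QAS resolves these standard SRV names; the function names, the script name and the example.test values are hypothetical.

```shell
#!/bin/sh
# Added example. Domain, site and sample values are constructed placeholders.
# Assumption: QAS resolves the standard AD DC locator SRV names built below.

# SRV name listing the DCs registered for one AD site.
site_srv_name() { printf '_ldap._tcp.%s._sites.dc._msdcs.%s\n' "$2" "$1"; }

# SRV name listing every DC in the domain (the out-of-site fallback set).
all_srv_name() { printf '_ldap._tcp.dc._msdcs.%s\n' "$1"; }

# Read `dig +short SRV` lines ("priority weight port target.") on stdin and
# print the unique target hosts, lower-cased, without the trailing dot.
srv_targets() {
  awk 'NF == 4 { sub(/\.$/, "", $4); print tolower($4) }' | sort -u
}

# Print the hosts in $2 (all DCs) that are not in $1 (in-site DCs).
# Both arguments are newline-separated host lists.
out_of_site() {
  [ -n "$2" ] || return 0
  printf '%s\n' "$2" | grep -vxF -e "$1" || true
}

# Usage: sh dc_srv_check.sh <ad-domain> <ad-site>   (needs dig and DNS access)
if [ "$#" -eq 2 ]; then
  in_site=$(dig +short SRV "$(site_srv_name "$1" "$2")" | srv_targets)
  all=$(dig +short SRV "$(all_srv_name "$1")" | srv_targets)
  if [ -z "$all" ]; then
    echo "No SRV answers for $(all_srv_name "$1"): check DNS from this host" >&2
    exit 1
  fi
  echo "In-site DCs (site $2):"
  printf '%s\n' "${in_site:-<none: expect out-of-site DCs to be used>}"
  echo "Out-of-site DCs:"
  out_of_site "$in_site" "$all"
fi
```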