Understanding how the Active Directory driver for Venafi Trust Protection Platform selects and fails over between Domain Controllers helps customers configure it optimally.
Venafi's AD integration uses a mixture of Domain Controllers and Global Catalogs to perform tasks such as login authentication, email lookups, workflow approval lookups, and so on. Venafi DOES NOT currently use AD Sites & Services, nor can it be configured to resolve Domain Controllers or Global Catalogs from a domain name at run time. The only time Venafi looks up Domain Controller and Global Catalog hostnames from a domain/forest name is during the AD configuration wizard, where you specify the domain/forest.
[AD Discovery Wizard]
If your AD infrastructure changes frequently, it is recommended that you occasionally re-run the AD wizard to update the list of Domain Controllers and Global Catalogs. Once Venafi has a list of Domain Controllers, it periodically checks the response time of every configured controller and orders the list from fastest to slowest. Slow controllers can delay start-up of Venafi consoles and services, because the product waits on their responses while ordering the list, so consider removing them from the list. With the list ordered from fastest to slowest, Venafi connects to one or more of the fastest Domain Controllers for performance reasons. If Venafi gets an error indicating that AD is not responding or cannot be reached, it moves that server to an off-line list and tries the next server in the response-time-sorted list. If the list is exhausted, Venafi cannot use any feature that relies on Active Directory.
After the initial wizard run has selected the DCs and Global Catalogs, Venafi pings all of them every 15 minutes, re-sorts the originally selected servers by current response time, moves any non-responding server to the off-line list, and checks whether any server on the off-line list is responding again, so that it recovers from temporary outages.
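The ordering, off-line list and failover behaviour described in the two paragraphs above, modelled as an added Python example. This is not Venafi's code, and the article does not say how the product measures response time; the TCP connect timer, the 50 ms "slow" threshold and the `*.example.test` hostnames with their latencies are all constructed assumptions used to show the selection logic and to help an administrator spot slow controllers before trimming the static list.

```python
import socket
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample probe results (seconds); None means no answer within the
# timeout. These hostnames and latencies are invented for the example.
SAMPLE_PROBE_RESULTS: Dict[str, Optional[float]] = {
    "dc01.example.test": 0.004,
    "dc02.example.test": 0.120,
    "dc03.example.test": None,      # unreachable this round
    "gc01.example.test": 0.015,
}

LDAP_PORT = 389     # Domain Controller LDAP
GC_PORT = 3268      # Global Catalog LDAP


def tcp_connect_latency(host: str, port: int, timeout: float = 2.0) -> Optional[float]:
    """Time a TCP connect to host:port; None on timeout or refusal.

    Hypothetical stand-in for the product's own response-time check, whose
    method the article does not describe. Useful for ranking candidate
    controllers from the Venafi server's point of view.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None


def rank_controllers(results: Dict[str, Optional[float]],
                     slow_threshold: float = 0.050
                     ) -> Tuple[List[str], List[str], List[str]]:
    """Order responders fastest-first and separate non-responders.

    Returns (online_in_order, offline, flagged_slow). flagged_slow lists
    responders above slow_threshold (an assumed value): candidates to remove
    from the static list, per the article's recommendation, because they
    slow down console and service start-up.
    """
    online = sorted((h for h, t in results.items() if t is not None),
                    key=lambda h: results[h])
    offline = sorted(h for h, t in results.items() if t is None)
    slow = [h for h in online if results[h] > slow_threshold]
    return online, offline, slow


def refresh_cycle(configured: List[str],
                  probe: Callable[[str], Optional[float]]
                  ) -> Tuple[List[str], List[str]]:
    """One periodic cycle (every 15 minutes in the product).

    Every configured server is re-probed, including those currently off-line,
    so a recovered server returns to the online list and a newly failing one
    leaves it. The configured list itself never changes here: only the wizard
    changes it.
    """
    results = {h: probe(h) for h in configured}
    online, offline, _ = rank_controllers(results)
    return online, offline


def connect_with_failover(online: List[str], offline: List[str],
                          attempt: Callable[[str], bool]) -> Optional[str]:
    """Try controllers fastest-first; a failure moves that host to the
    off-line list (both lists are mutated in place) and the next is tried.
    Returns the host that accepted the connection, or None once the list is
    exhausted, which is the state in which AD-dependent features stop working.
    """
    for host in list(online):
        if attempt(host):
            return host
        online.remove(host)
        offline.append(host)
    return None


if __name__ == "__main__":
    # Offline demonstration on the constructed sample. To probe real servers,
    # pass e.g. lambda h: tcp_connect_latency(h, LDAP_PORT) as the probe.
    online, offline = refresh_cycle(list(SAMPLE_PROBE_RESULTS),
                                    SAMPLE_PROBE_RESULTS.get)
    _, _, slow = rank_controllers(SAMPLE_PROBE_RESULTS)
    print("online (fastest first):", online)
    print("off-line:", offline)
    print("slow, consider removing:", slow)
    chosen = connect_with_failover(online, offline, lambda h: h != online[0])
    print("connected to:", chosen, "| off-line now:", offline)
```

Run against the sample, `dc01` ranks first and `dc02` is flagged as slow; the failover call then shows `dc01` being demoted to the off-line list when its connection attempt fails, leaving `gc01` as the server actually used.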
[Stage 500 Certificate Processing Error]
[Authenticating to any console with AD credentials]
Key take-aways and recommendations:
- Venafi doesn't use AD Sites & Services
- The Domain Controller/Global Catalog list is static once configured; only re-running the wizard changes it
- Venafi chooses the fastest responding controllers to talk to
- Remove slow DCs/GCs for best startup times
- Periodically update DC/GC list if AD environment is volatile