When you create a directory of type Active Directory (Integrated Windows Authentication), the This Directory supports DNS Service Location option is enabled by default and cannot be changed. When you create a directory of type Active Directory over LDAP, you have the choice of enabling this option. If this option is enabled, DNS Service Location lookup is used to select domain controllers. However, in certain scenarios, using DNS Service Location lookup may not be preferred.
The connector DNS Service Location (SRV) lookup is currently not site aware. If you have a global Active Directory deployment, with multiple domain controllers across different geographical locations for a domain, a non-optimal domain controller might be selected. This can lead to latency, delays, or timeouts when VMware Identity Manager tries to communicate with the domain controller.
For a global Active Directory deployment with multiple domain controllers across different geographical locations, to ensure an optimal configuration, create a domain_krb.properties file that overrides the SRV lookup and add to it specific domain-to-host values; these values take precedence over the SRV lookup. Create this file if you are using either Active Directory (Integrated Windows Authentication) or Active Directory over LDAP with the DNS Service Location option enabled.
You must create the domain_krb.properties file before you create the VMware Identity Manager directory.
- Log in to the virtual appliance as the root user.
- Change directories to /usr/local/horizon/conf and create a file called domain_krb.properties.
- Edit the domain_krb.properties file to add the list of domain-to-host values.
Use the following format:
Domain names must be in lowercase. Mixed-case or uppercase domain names are not allowed.
- Change the owner of the domain_krb.properties file to horizon and the group to www using the following command.
chown horizon:www /usr/local/horizon/conf/domain_krb.properties
- Restart the service using the following command.
service horizon-workspace restart
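The procedure above, as an added example that is not part of the VMware documentation: a small POSIX shell helper that checks a domain_krb.properties file for the lowercase-domain rule before applying the ownership change and service restart. The line format `domain=host:port[,host:port]` is an assumption of this example, as is the `install` argument that triggers the privileged steps.

```shell
#!/bin/sh
# Added example (not VMware's own tooling). Assumes each non-comment line of
# domain_krb.properties has the form "domain=host:port[,host:port]"; that
# format is an assumption here, not taken from the page.
KRB_FILE="${KRB_FILE:-/usr/local/horizon/conf/domain_krb.properties}"

# Return 0 when every non-comment line has a lowercase domain key and a
# non-empty host list; print each offending line to stderr and return 1 otherwise.
validate_domain_krb() {
    file="$1"
    rc=0
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        domain="${line%%=*}"
        hosts="${line#*=}"
        if [ "$domain" = "$line" ] || [ -z "$hosts" ]; then
            echo "missing '=' or host list: $line" >&2
            rc=1
            continue
        fi
        # The page requires lowercase domain names; compare against a lowered copy.
        if [ "$domain" != "$(printf '%s' "$domain" | tr 'A-Z' 'a-z')" ]; then
            echo "domain must be lowercase: $domain" >&2
            rc=1
        fi
    done < "$file"
    return $rc
}

# Apply the ownership change and restart from the procedure, but only after
# the file validates, so a bad file is never left in place for the connector.
install_domain_krb() {
    validate_domain_krb "$1" || return 1
    chown horizon:www "$1"
    service horizon-workspace restart
}

# Run the privileged steps only when explicitly asked (assumed "install" argument).
if [ "${1:-}" = "install" ]; then
    install_domain_krb "$KRB_FILE"
fi
```

Run it as root on the appliance with `install` after creating the file; without arguments it only defines the functions, so it can be sourced to check a file first.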