Re: Bind/ auth error that happens days after joining domain


Thanks for getting back to us with this information.

Based on your feedback, this makes a whole lot of sense.

 

28 days is the default interval for the computer accounts to reset their passwords with Active Directory (this happens silently and in the background). If the system is unable to change its own password (because it can't reach a writable DC), it will fall into disconnected mode and you'll experience "key mismatch". At that point, only users who have logged in before will do so with cached credentials; users who have never logged in will fail.

 

 

There are multiple unreachable DCs however the one specified when joining is accessible.

 

Based on this, it seems like you've been having this issue for a while and have become quite skilful at fixing it (since you seem to be using the --server switch of adjoin); but the reality is that an environment with multiple unreachable DCs is an unhealthy environment.

 

The first thing to keep in mind is AD's "Sites and Services"; if the unreachable DCs exist within the system's "site", this means that adclient (CentrifyDC) can't reach the closest DCs based on network topology. This will force it to try to reach other sites (that could be across a WAN on a sub-optimal network link).

 

The client does maintain an internal list of a handful of "eligible" DCs and tries to maintain a telemetry table (basically the list consists of the DC name and its roundtrip ping), but if the list is populated with unreachable DCs, this is a moot exercise.

 

My advice is that you identify the reasons why those DCs are unreachable and either fix the root cause or exclude them. Some valid reasons include:

- The DC is in a secure subnet (like a DMZ) - those are great candidates for exclusion (see dns.block on pg. 88 here)

- The DC was decommissioned (but not cleaned properly) - these have to be fixed.

Another part of what you need to do is make sure that the subnet IDs that contain your RHEL AD-joined systems are properly added to a subnet inside AD sites and services.

 

 

Bottom line (to all visitors of this post)

Part of the administrative housekeeping for AD clients (regardless of them being Centrify clients, Microsoft's or any other vendor like BT, Dell or SSSD) is to properly clean up and maintain DCs, and keep AD sites up to date.

The tools of the trade for you (from Centrify) are adcheck and adinfo.
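As an added illustration of the "telemetry table" idea described in the reply above (example code, not Centrify's or adclient's own implementation): a small Python script that times a TCP connect to each DC's LDAP port, ranks the reachable ones by round-trip, and lists the unreachable ones as candidates to either fix or exclude. The DC names are constructed, and using a TCP connect to port 389 as the reachability test is an assumption of this example.

```python
"""Rank DCs by TCP round-trip and flag unreachable ones.

Added example, not Centrify code. The DC names are constructed; the probe
times a plain TCP connect to the LDAP port (389) as a reachability proxy.
"""
import socket
import time
from typing import Callable, Optional

LDAP_PORT = 389
TIMEOUT_S = 2.0

# Constructed sample: DC names a client might learn from SRV records.
SAMPLE_DCS = ["dc01.corp.example", "dc02.corp.example", "dmz-dc.corp.example"]


def tcp_rtt_ms(host: str, port: int = LDAP_PORT, timeout: float = TIMEOUT_S) -> Optional[float]:
    """Return the TCP connect time in milliseconds, or None if unreachable."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return (time.monotonic() - start) * 1000.0
    except OSError:  # DNS failure, timeout, refused: all count as unreachable
        return None


def rank_dcs(dcs, probe: Callable[[str], Optional[float]] = tcp_rtt_ms):
    """Build a telemetry table: reachable DCs sorted by RTT, plus the unreachable list."""
    reachable, unreachable = [], []
    for dc in dcs:
        rtt = probe(dc)
        if rtt is None:
            unreachable.append(dc)
        else:
            reachable.append((dc, round(rtt, 1)))
    reachable.sort(key=lambda entry: entry[1])
    return reachable, unreachable


def health_report(dcs, probe: Callable[[str], Optional[float]] = tcp_rtt_ms) -> str:
    """Human-readable summary: eligible DCs by round-trip, then the ones to fix or exclude."""
    reachable, unreachable = rank_dcs(dcs, probe)
    lines = ["eligible DCs (by round-trip):"]
    lines += [f"  {dc:<28} {rtt:7.1f} ms" for dc, rtt in reachable]
    if unreachable:
        lines.append("unreachable DCs (fix the root cause, or exclude if intentional, e.g. DMZ):")
        lines += [f"  {dc}" for dc in unreachable]
    if not reachable:
        lines.append("WARNING: no eligible DC; the client would run in disconnected mode")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    print(health_report(sys.argv[1:] or SAMPLE_DCS))
```

Pass your real DC names on the command line; the constructed sample names resolve to nothing and so all show up as unreachable.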
