3

I remember back in the olden days of Windows NT you could create "blank" computer accounts so that anyone could join a computer of that name to the domain.

I would like to do the same thing with Active Directory. Specifically:

  • create a "blank" computer account for a member or RODC
  • join the computer to the domain without interaction

The problem I'm trying to solve is I have 1,400 samba4 servers that I need to join to the domain as RODCs. I really, really, really don't want to type in the password 1400 times. I want it to be properly automated (puppet/chef/whatever).

Maybe I can solve this using kssh and Kerberos ticket forwarding? Open to ideas.

3
  • What did you expect? Interesting problem, though. Commented Nov 19, 2013 at 19:52
  • 2
    You... you're going to create 1400 RODCs? Am I understanding that right? Commented Nov 20, 2013 at 4:41
  • There are weird behaviors and edge cases that you have to be aware of with 1,400 Windows Domain Controllers, nevermind 1,400 samba DCs. If you're asking this question, I'm assuming it's too late to turn back now, but tread very carefully. Commented Nov 21, 2013 at 15:11

1 Answer

7

My first approach to this would be:

  1. Create a new domain user and give it rights to join computers to the domain.
  2. Embed its username and password into your automation tool (puppet, chef, shell script, whatever).
  3. Once all the computers are joined to the domain, you can delete the domain-joining user. If you keep the user, you should change its password or lock the account.
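A worked version of the three steps above, added here as an example rather than taken from the thread or from the Samba project. It assumes a join account named `joinsvc`, a credentials file `/etc/samba/join.creds` with the two lines `user=joinsvc` and `pass=<password>` that the automation tool drops on each host, Samba's AD database under `/var/lib/samba/private`, and samba-tool's `-U user%password` syntax; all of those are assumptions, not facts from the thread. One caveat the steps leave out: rights to create computer objects are enough for a `MEMBER` join, but an `RODC` (or `DC`) join also creates the server's NTDS settings object and its own krbtgt account, which needs Domain Admins-level privilege, so the account you embed for the RODC case is far more sensitive than an ordinary join account and should be deleted, or have its password changed, the moment the rollout finishes.

```shell
#!/bin/sh
# join-domain.sh: unattended Samba domain join driven by a credentials file
# that the automation tool (puppet, chef, ...) places on each host.
#
# Assumed, not taken from the thread: the join account is "joinsvc", the
# credentials file is /etc/samba/join.creds ("user=joinsvc" / "pass=..."),
# Samba keeps its AD database under /var/lib/samba/private, and samba-tool
# accepts -U user%password.
set -eu

CREDS_FILE="${CREDS_FILE:-/etc/samba/join.creds}"
PRIVATE_DIR="${PRIVATE_DIR:-/var/lib/samba/private}"

# mode_of FILE: permission bits in octal (GNU stat, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# creds_file_ok FILE: succeed only when the file exists and is readable by
# its owner alone. An account that can create computer objects (or, for an
# RODC join, far more) must not sit in a 0644 file on 1,400 hosts.
creds_file_ok() {
    [ -f "$1" ] || return 1
    case "$(mode_of "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# read_cred FILE KEY: value of the first "KEY=value" line in FILE.
read_cred() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# join_role_ok ROLE: only the samba-tool join roles this script handles.
join_role_ok() {
    case "$1" in
        MEMBER|RODC|DC) return 0 ;;
        *)              return 1 ;;
    esac
}

# join_cmd DOMAIN ROLE USER: the invocation as it should appear in logs,
# with the password masked; run_join passes the real one to samba-tool.
join_cmd() {
    printf 'samba-tool domain join %s %s -U %s%%******\n' "$1" "$2" "$3"
}

# already_joined ROLE: make a second puppet/chef run a no-op instead of a
# failed re-join. A DC/RODC join leaves sam.ldb in the private dir; a member
# join is checked with the machine account itself.
already_joined() {
    case "$1" in
        MEMBER) net ads testjoin >/dev/null 2>&1 ;;
        *)      [ -s "$PRIVATE_DIR/sam.ldb" ] ;;
    esac
}

# run_join DOMAIN ROLE: validate, join, then verify before reporting success
# so that a broken join fails the automation run loudly.
run_join() {
    domain="$1"; role="$2"
    join_role_ok "$role" || { echo "unsupported role: $role" >&2; return 1; }
    creds_file_ok "$CREDS_FILE" || {
        echo "refusing: $CREDS_FILE missing or not mode 0600/0400" >&2; return 1; }
    user="$(read_cred "$CREDS_FILE" user)"
    pass="$(read_cred "$CREDS_FILE" pass)"
    if already_joined "$role"; then
        echo "already joined as $role, nothing to do"
        return 0
    fi
    join_cmd "$domain" "$role" "$user"
    # The password is visible in this host's process list while the join
    # runs; the keytab alternative described below avoids that.
    samba-tool domain join "$domain" "$role" -U "$user%$pass"
    case "$role" in
        MEMBER) net ads testjoin ;;
        *)      samba-tool drs showrepl ;;
    esac
}

# Usage: join-domain.sh example.com RODC
if [ "$#" -eq 2 ]; then
    run_join "$1" "$2"
fi
```

The `-U user%password` form leaves the password in the host's process list for the duration of the join. If the hosts can be given a keytab for the join account instead, `kinit -k -t /path/to/joinsvc.keytab joinsvc@EXAMPLE.COM` followed by `samba-tool domain join example.com RODC -k yes` keeps it out of argv (the `-k yes` spelling is from the Samba 4.0/4.1 era of this thread; newer releases use `--use-kerberos=required`); the keytab then needs the same 0600 treatment as the credentials file, and the account still needs the same cleanup afterwards.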
