
We have a Windows AD domain, let's say EXAMPLE.COM, with the corresponding DNS domain example.com.

I want to have just a normal domain member. Ubuntu 20.04, Samba 4.11.6.

Its DNS name is already established. Let's say it is a.b.example.com.

Forward and reverse DNS are already configured. The commands hostname -s and hostname -f show the correct values.

Now I execute:

net ads join --no-dns-updates -U some-admin-account

Everything looks ok, but the computer is entered into the domain under the name a.example.com.

LDAP shows for this computer: dNSHostName: a.example.com

The generated Kerberos keytab has entries like:

host/a@EXAMPLE.COM
host/a.example.com@EXAMPLE.COM

Is there a way to specify the full DNS name during net ads join?

1 Answer


Maybe you are mixing up forward DNS names (like from websites) and Active Directory trusted names (trusted server names, used in Kerberos and NTLM authentication).

In the AD world, b.example.com is not the same as example.com. It is a subdomain and (more or less) completely on its own. The AD can carry a lot of them, nested or not nested. That's why it is called a "forest". If you want the server "a" to be a member of "example.com", it is (and will stay) "a.example.com".

But you can always add an additional (FQDN) alias for computers (given that DNS resolution is already set):

C:\> netdom computername <computer> /add:<alias>

You can enumerate the active aliases of your server by typing

C:\> netdom computername <computer> /enum

And delete them with

C:\> netdom computername <computer> /remove:<alias>

Do not delete the default FQDN, which is also the CN of the object.

bjoster
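As an added check (not part of the question or the answer above), a POSIX shell script that lists the host/ principals a member with a given real FQDN should hold and reports which of them are missing from `klist -k` output. The realm EXAMPLE.COM and the sample keytab listing are constructed from the question; run with `--live` to check the local host instead.

```shell
#!/bin/sh
# Added example: verify that the keytab written by `net ads join` covers the
# host's real FQDN. A Kerberos client that connects to a.b.example.com asks for
# host/a.b.example.com@REALM; if that principal is not in the keytab, the
# service cannot decrypt the ticket and authentication fails.

# expected_principals FQDN REALM -> the host/ principals a member needs,
# one per line: the short (NetBIOS-style) name and the full name.
expected_principals() {
    fqdn=$1; realm=$2
    short=${fqdn%%.*}
    printf 'host/%s@%s\n' "$short" "$realm"
    printf 'host/%s@%s\n' "$fqdn" "$realm"
}

# keytab_principals KLIST_OUTPUT -> unique principals from `klist -k` output.
# Entry lines look like "   2 host/a.example.com@EXAMPLE.COM" (KVNO, principal);
# header and separator lines do not start with a number and are skipped.
keytab_principals() {
    printf '%s\n' "$1" | awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# missing_principals FQDN REALM KLIST_OUTPUT -> expected principals that the
# keytab does not contain (empty output means the keytab matches the FQDN).
missing_principals() {
    have=$(keytab_principals "$3")
    expected_principals "$1" "$2" | while IFS= read -r p; do
        printf '%s\n' "$have" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

# Constructed sample: the keytab the question describes after the host
# a.b.example.com was joined as a.example.com.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/a@EXAMPLE.COM
   2 host/a.example.com@EXAMPLE.COM
   2 A$@EXAMPLE.COM'

if [ "${1:-}" = "--live" ]; then
    missing_principals "$(hostname -f)" "EXAMPLE.COM" "$(klist -k)"
else
    missing_principals "a.b.example.com" "EXAMPLE.COM" "$SAMPLE_KLIST"
fi
```

On the sample data the script prints `host/a.b.example.com@EXAMPLE.COM`, the principal the question's keytab lacks; an empty result means every expected principal is present.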