c0psrul3

join host to Domain Controller

Jul 6th, 2017

For further troubleshooting when joining hosts to a domain:

[[http://atherbeg.com/2017/02/23/error-insufficient-quota-exists-to-complete-the-operation/]]
[[https://technet.microsoft.com/en-us/library/cc961817.aspx]]

Red Hat documentation for joining a host to an Active Directory domain:

[[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ch-Configuring_Authentication.html]]
[[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Windows_Integration_Guide/Red_Hat_Enterprise_Linux-7-Windows_Integration_Guide-en-US.pdf]]

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Domain Users Cannot Join Workstation or Server to a Domain [[https://support.microsoft.com/en-us/help/251335/domain-users-cannot-join-workstation-or-server-to-a-domain]]

That article describes three methods for allowing a host to be joined to a domain:

  • Method 1: Pre-Create the User's Computer Account

    1. From the Active Directory Users and Computers snap-in, right-click the container where the account resides.
    2. Click New, and then click Computer.
    3. In the Computer name box, type the name of the Windows 2000-based computer that you want to add to the domain.
       Make sure the computer's name is also entered in the Computer name (pre-Windows 2000) box (this should occur automatically).
    4. Click Change. Select the user or group that will be joining this computer to the domain, and then click OK.
    5. If you want Windows NT 4.0 and previous operating systems to use this computer name object, click to select the Allow pre-Windows 2000 computers to use this account check box, and then click OK.

  • Method 2: Grant the "Create Computer Objects" and "Delete Computer Objects" Access Control Entries (ACEs) to the User

    1. From the Active Directory Users and Computers snap-in, click Advanced Features on the View menu so that the Security tab is exposed when you click Properties.
    2. Right-click the Computers container, and then click Properties.
    3. On the Security tab, click Advanced.
    4. On the Permissions tab, click Authenticated Users, and then click View/Edit.
       NOTE: If the Authenticated Users group is not listed, click Add and add it to the list of permission entries.
    5. Make sure the This object and all child objects option is displayed in the Apply onto box.
    6. From the Permissions box, click to select the Allow check box next to the Create Computer Objects and Delete Computer Objects ACEs, and then click OK.

  • Method 3: Override the Default Limit of the Number of Computers an Authenticated User Can Join to a Domain

    You can override the default limit using either of the following methods:

    - Use the Ldp (Ldp.exe) tool included in the Microsoft Windows 2000 Resource Kit.
    - Use an Active Directory Services Interface (ADSI) script to increase or decrease the value of the Active Directory ms-DS-MachineAccountQuota attribute.

    To change the attribute with ADSI Edit:

    1. Install the Windows 2000 Support Tools if they have not already been installed. To install these tools, run Setup.exe from the Support\Tools folder on the Windows 2000 Server or the Windows 2000 Professional CD-ROM.
    2. Run Adsiedit.msc as an administrator of the domain.
    3. Expand the Domain NC node. This node contains an object that begins with "DC=" and reflects the correct domain name. Right-click this object, and then click Properties.
    4. In the Select which properties to view box, click Both.
    5. In the Select a property to view box, click ms-DS-MachineAccountQuota.
    6. In the Edit Attribute box, type a number. This number represents the number of workstations that you want users to be able to maintain concurrently.
    7. Click Set, and then click OK.
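An added example, not part of the original paste or of the Microsoft article it summarises: a small POSIX shell script that reads ms-DS-MachineAccountQuota from the domain root over LDAP and classifies the value, so an administrator can confirm the current setting before deciding whether to raise it (Method 3) or instead delegate join rights to specific accounts (Methods 1 and 2). The DC hostname and base DN are placeholders; ldapsearch from openldap-clients and a current Kerberos ticket for a domain account are assumed.

```shell
#!/bin/sh
# Added example (not from the original paste): audit ms-DS-MachineAccountQuota
# on the domain naming context from a Linux host.
# Assumptions: ldapsearch (openldap-clients) is installed, a Kerberos ticket is
# cached, and DC_HOST / BASE_DN below are replaced with real values.

DC_HOST="${DC_HOST:-SERVER01.MY.DOMAIN.CORP}"   # placeholder DC
BASE_DN="${BASE_DN:-DC=my,DC=domain,DC=corp}"   # placeholder domain root

# Fetch the attribute from the live domain as LDIF (needs network + ticket).
fetch_quota_ldif() {
    ldapsearch -LLL -Y GSSAPI -H "ldap://$DC_HOST" -b "$BASE_DN" -s base \
        ms-DS-MachineAccountQuota 2>/dev/null
}

# Extract the integer value from LDIF on stdin; exit 1 if the attribute is absent.
parse_quota() {
    awk 'tolower($1) == "ms-ds-machineaccountquota:" { print $2; found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Classify the value:
#   0      -> only accounts with delegated Create Computer Objects rights can join
#   1..10  -> at or below the Windows default; any authenticated user may join that many
#   >10    -> raised above the default
classify_quota() {
    q="$1"
    case "$q" in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;
    esac
    if [ "$q" -eq 0 ]; then
        echo "delegated-only"
    elif [ "$q" -le 10 ]; then
        echo "default-or-below"
    else
        echo "raised"
    fi
}

# Usage against a live domain:
#   quota=$(fetch_quota_ldif | parse_quota) && classify_quota "$quota"
```

Raising the quota makes the "Insufficient quota" error go away for everyone, but the tighter configuration is a quota of 0 together with Method 2's ACEs granted only to the account that performs joins; the classification above makes it obvious which state the domain is in.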

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

To join the host to the domain:

net ads join -U Administrator

The join fails with:

Failed to join domain: failed to join domain 'MY.EXAMPLE.CORP' over rpc: Insufficient quota exists to complete the operation.

klist output, showing that the administrator holds a valid TGT (so the failure is the machine account quota, not authentication):

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@MY.EXAMPLE.CORP

Valid starting       Expires              Service principal
24/11/16 10:18:49    24/11/16 20:18:49    krbtgt/MY.EXAMPLE.CORP@MY.EXAMPLE.CORP
        renew until 25/11/16 10:18:25

/etc/krb5.conf (the realm key under [realms] must match default_realm exactly):

[libdefaults]
default_realm = MY.DOMAIN.CORP

....

[realms]
MY.DOMAIN.CORP = {
kdc = SERVER01.MY.DOMAIN.CORP
kdc = SERVER02.MY.DOMAIN.CORP
admin_server = SERVER01.MY.DOMAIN.CORP SERVER02.MY.DOMAIN.CORP
default_domain = MY.DOMAIN.CORP
}

....

[domain_realm]
SERVER01.MY.DOMAIN.CORP = MY.DOMAIN.CORP
SERVER02.MY.DOMAIN.CORP = MY.DOMAIN.CORP
.MY.DOMAIN.CORP = MY.DOMAIN.CORP
MY.DOMAIN.CORP = MY.DOMAIN.CORP

/etc/samba/smb.conf, [global] section:

[global]
workgroup = MYWORKGROUP
realm = MY.DOMAIN.CORP
security = ADS
encrypt passwords = yes
password server = SERVER01.MY.DOMAIN.CORP SERVER02.MY.DOMAIN.CORP
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = true
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = yes
restrict anonymous = 2
winbind offline logon = yes

/etc/nsswitch.conf:

passwd: compat winbind
group: compat winbind
shadow: compat
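An added example, not from the original paste: a POSIX shell pre-join check that catches the kind of realm-name mismatch that stops Kerberos from locating a KDC (default_realm set to MY.DOMAIN.CORP while the [realms] block is keyed by a short name such as DOMAIN) and confirms that the cached TGT belongs to the expected realm before `net ads join` is attempted. It assumes awk and the MIT Kerberos klist client; config paths are passed as arguments so the checks can also run against a copy of krb5.conf.

```shell
#!/bin/sh
# Added example (not from the original paste): sanity checks to run before
# `net ads join`. Assumptions: POSIX sh, awk, MIT klist on PATH.

# Print default_realm from a krb5.conf-style file given as $1.
krb5_default_realm() {
    awk '
        /^[ \t]*\[/ { section = $0; gsub(/[ \t]/, "", section); next }
        section == "[libdefaults]" && sub(/^[ \t]*default_realm[ \t]*=[ \t]*/, "") { print $1; exit }
    ' "$1"
}

# Print every realm name opened under [realms] (lines like "MY.DOMAIN.CORP = {").
krb5_defined_realms() {
    awk '
        /^[ \t]*\[/ { section = $0; gsub(/[ \t]/, "", section); next }
        section == "[realms]" && /^[ \t]*[^ \t=]+[ \t]*=[ \t]*[{]/ {
            match($0, /[^ \t=]+/); print substr($0, RSTART, RLENGTH)
        }
    ' "$1"
}

# Succeed only if default_realm is actually defined in [realms]; otherwise
# libkrb5 falls back to DNS lookups and joins typically fail with
# "Cannot find KDC for realm".
check_realm_consistency() {
    conf="$1"
    realm=$(krb5_default_realm "$conf")
    [ -n "$realm" ] || { echo "no default_realm in $conf" >&2; return 1; }
    if krb5_defined_realms "$conf" | grep -qxF "$realm"; then
        echo "ok: $realm is defined in [realms] of $conf"
    else
        defined=$(krb5_defined_realms "$conf" | tr '\n' ' ')
        echo "mismatch in $conf: default_realm=$realm but [realms] defines: ${defined:-nothing}" >&2
        return 1
    fi
}

# Read klist output on stdin and print the realm of the cached krbtgt ticket.
tgt_realm() {
    awk '/krbtgt\// {
        split($0, a, "krbtgt/"); split(a[2], b, "@")
        sub(/[ \t\r]+$/, "", b[2]); print b[2]; exit
    }'
}

# Fail unless the live ticket cache holds a TGT for the expected realm ($1).
check_tgt() {
    expected="$1"
    actual=$(klist 2>/dev/null | tgt_realm)
    [ "$actual" = "$expected" ] ||
        { echo "no TGT for $expected (have: ${actual:-none})" >&2; return 1; }
}

# Usage on the host being joined:
#   check_realm_consistency /etc/krb5.conf && check_tgt MY.DOMAIN.CORP && net ads join -U Administrator
```

Running the two checks first separates configuration errors (wrong realm key, no ticket) from directory-side errors such as the quota message above, which only the domain administrator can fix.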
