I remember back in the olden days of Windows NT you could create "blank" computer accounts so that anyone could join a computer of that name to the domain.

I would like to do the same thing with Active Directory. Specifically:

  • create a "blank" computer account for a member or RODC
  • join the computer to the domain without interaction

The problem I'm trying to solve is I have 1,400 samba4 servers that I need to join to the domain as RODCs. I really, really, really don't want to type in the password 1400 times. I want it to be properly automated (puppet/chef/whatever).

Maybe I can solve this using kssh and Kerberos ticket forwarding? Open to ideas.

MikeyB
  • What did you [`expect`](http://en.wikipedia.org/wiki/Expect)? Interesting problem, though. – ewwhite Nov 19 '13 at 19:52
  • You... you're going to create 1400 RODCs? Am I understanding that right? – Ryan Ries Nov 20 '13 at 04:41
  • There are weird behaviors and edge cases that you have to be aware of with 1,400 *Windows* Domain Controllers, never mind 1,400 samba DCs. If you're asking this question, I'm assuming it's too late to turn back now, but tread very carefully. – MDMarra Nov 21 '13 at 15:11

1 Answer

My first approach to this would be:

  1. Create a new domain user and give it rights to join computers to the domain.
  2. Embed its username and password into your automation tool (puppet, chef, shell script, whatever).
  3. Once all the computers are joined to the domain, you can delete the domain-joining user. If you keep the user, you should change its password or lock the account.

Michael Hampton
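The approach above, carried out for one samba4 host as an added shell script (not code from the answer or from the Samba project): the automation tool drops the join account's password into a root-only file, the host joins non-interactively, and the join account is disabled once the roll-out is done. The realm `example.internal`, the account name `svc-domainjoin` and the path `/etc/samba/join.secret` are placeholders; GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: non-interactive samba4 domain join with a dedicated join
# account, as the answer proposes. The realm, the account "svc-domainjoin"
# and the secret path are placeholders; the automation tool (puppet/chef)
# is assumed to drop the join password into SECRET_FILE before running this.
set -eu

REALM="${REALM:-example.internal}"               # placeholder realm
ROLE="${ROLE:-RODC}"                             # RODC or MEMBER
JOIN_USER="${JOIN_USER:-svc-domainjoin}"         # placeholder join account
SECRET_FILE="${SECRET_FILE:-/etc/samba/join.secret}"

# Use the secret only if it is root-owned and readable by root alone:
# a world-readable join password is the main risk of embedding credentials.
secret_file_ok() {
    [ -f "$1" ] || return 1
    owner=$(stat -c '%u' "$1")   # GNU stat assumed
    mode=$(stat -c '%a' "$1")
    [ "$owner" = "0" ] || return 1
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# The join command without the password, so the automation tool can log it.
join_cmd() {
    printf 'samba-tool domain join %s %s -U %s' "$1" "$2" "$3"
}

run_join() {
    secret_file_ok "$SECRET_FILE" ||
        { echo "refusing: $SECRET_FILE must be root-owned, mode 0600" >&2; return 1; }
    # --password avoids the interactive prompt; the value is briefly visible
    # in argv on this host only, which is tolerable while it is being built.
    $(join_cmd "$REALM" "$ROLE" "$JOIN_USER") --password="$(cat "$SECRET_FILE")"
    rm -f "$SECRET_FILE"   # the host now has its own machine account; drop the shared one
}

# Step 3 of the answer, run once from an admin host after the roll-out:
# disable the join account so any leaked copy of its password is useless.
retire_join_account() {
    samba-tool user disable "$1"
}

if [ "${1:-}" = "--join" ]; then
    run_join
fi
```

Run it as `sh join.sh --join` from the automation tool on each host; sourcing it without `--join` only defines the functions.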