Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-2346: adjoin self-serve fails for precreated computer with hostname > 15 chars, in disjointed DNS with error:Constraint violation : 0000200B:.., Att 9026b (dNSHostName)

Authentication Service ,  

12 April,16 at 11:31 AM

Applies to: Centrify DirectControl console version 5.0.5

The UNIX host is member of DNS '', but it was being joined to Active Directory domain ''.

Prior to join, in the /etc/centrifydc/centrifydc.conf file, the parameter is set as:
adjoin.samaccountname.length: 19

This parameter is set to 19 as the hostname is > 15 characters

From the Centrify DirectControl console, the computer account was pre-created with hostname > 15 characters.
adjoin with self-serve option was run as follows.
#adjoin -V -S -n <computername> <domainname>

The  adjoin self-serve failed with error in the log as:
adjoin[3498]:DIAG  base.bind.ldap update attribute dNSHostName
adjoin[3498]: DIAG  base.bind.ldap update attribute servicePrincipalName
adjoin[3498]: DEBUG base.osutil Module=LDAP : ldap_result2error ldap_modify_ext CN=us12345678901234,OU=UNIX Servers,OU=US,OU=GLOBAL,OU=Unix,DC=US,DC=AJAX,DC=ORG : Constraint violation : 0000200B: AtrErr: DSID-03153EC6, #1:  0: 0000200B: DSID-03153EC6, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9026b (dNSHostName)  (reference base/ldapbind.cpp:572 rc: 19)
adjoin[3498]: DEBUG base.join The computer failed to join the domain "".  Please do one of the following:  -- If the computer's hostname exceeds 19 characters, shorten it and try again, or use --name option to specify a name that is no more than 19 characters long.  -- Configure the computer's primary DNS suffix to match the Active Directory domain DNS name or any other allowed primary DNS suffix.  For the list of the allowed DNS suffixes contact your system administrator.  -- Contact your domain adminis
adjoin[3498]: DEBUG util.except (cims::BadData) : adjoin update failed (reference base/join.cpp:2278 rc: -1)

The adjoin did case sensitive comparison for dnsHostname.  The update of dnsHostname will fail on Win2k3 domain when computer samaccountname > 15 characters

1. Verify if the parameter in /etc/centrifydc/centrifydc.conf is set to:
adjoin.samaccountname.length: 19

Note: run the command 'adreload' when making changes to the config file

2. Clean-up the computer account:
i) From the Centrify DirectControl console, right-click on the computer object and select 'Delete'.
ii) From the Active Directory Users and Computers, right-click on the computer account and select 'Delete'.

3. Pre-create the computer account with DNS name suffix in lower case. In the Prepare Computer -> Specify Computer Information wizard, for the DNS name field, specify the dns suffix in lower case. 

  DNS name: <computername>.<dns suffix> 

4. Run the adjoin to do self-serve join

#adjoin -V -S -n<computername> <domainname>
This is resolved in Suite 2013.3 (5.1.2)