Applies to: DirectManage Access Manager/Console earlier than 2013/5.1
Problem:
Joining to RODC (Read Only Domain Controller) fails after a successful precreate of the computer object using DirectManage Access Manager/Console.
The following command was used to do the join:
# /usr/share/centrifydc/libexec/adjoin -V -u username -z "Zone name" -s DomainController Domain
Cause:
To do adjoin using RODC,
1) On DirectManage Access Manager/Console, the Unix computer object must first be pre-created on a RWDC (Read Write Domain Controller) and then flagged to allow self-serve join.
2) On the Unix server, join with -S (--selfserve).
If the join is successful, but the adclient is stuck in "starting mode":
CentrifyDC mode: starting
The reason is that /etc/krb5/krb5.keytab has not been generated. This can be verified by running # klist -kt on the Unix server: it comes back with no keytab entries.
The underlying problem is a known issue in the DirectManage 5.0.2 console: when pre-creating a computer, it does not fill in the SPN (service principal name) list on the computer object.
This can be confirmed by examining the attributes of the computer object with Microsoft's ADSI Edit tool: the console did not create any SPNs for it.
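The following POSIX shell functions are an added diagnostic helper, not Centrify's own tooling: they parse klist -kt output and ldapsearch LDIF output to check the two symptoms described above (an empty host keytab and a computer object with no SPNs). The sample outputs are constructed; in practice, pipe the live command output in instead.

```shell
#!/bin/sh
# Diagnostic helper (added example, not part of Centrify's tooling).
# Checks the two symptoms of the failed RODC self-serve join:
#   1. the host keytab has no entries (klist -kt lists no keys)
#   2. the pre-created computer object has no servicePrincipalName values
# Both functions read command output on stdin so they can be exercised
# offline with constructed samples.

# Count key entries in `klist -kt` output. The "Keytab name:", "KVNO"
# column header and "----" ruler lines are dropped; every other
# non-blank line is one keytab entry.
keytab_entry_count() {
    grep -v -e '^Keytab name:' -e '^KVNO' -e '^----' -e '^[[:space:]]*$' \
        | wc -l | tr -d ' '
}

# Count servicePrincipalName values in LDIF such as produced by
#   ldapsearch -LLL -Y GSSAPI -b "DC=example,DC=com" \
#       "(sAMAccountName=SERVER$)" servicePrincipalName
spn_count() {
    grep -c '^servicePrincipalName:' || true   # grep -c prints 0, exits 1
}

# Verdict from both checks: $1 is klist -kt output, $2 is the object's LDIF.
diagnose() {
    keys=$(printf '%s\n' "$1" | keytab_entry_count)
    spns=$(printf '%s\n' "$2" | spn_count)
    if [ "$spns" -eq 0 ]; then
        echo "precreate-missing-spns"   # console did not populate the SPN list
    elif [ "$keys" -eq 0 ]; then
        echo "keytab-not-generated"     # SPNs present; empty keytab has another cause
    else
        echo "ok"
    fi
}

# Constructed samples (hostnames and realm are placeholders).
KLIST_EMPTY='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------'
KLIST_OK="$KLIST_EMPTY
   2 01/01/2013 10:00:00 host/server.example.com@EXAMPLE.COM"
LDIF_NO_SPN='dn: CN=SERVER,OU=UNIX,DC=example,DC=com
cn: SERVER'
LDIF_OK="$LDIF_NO_SPN
servicePrincipalName: host/server.example.com
servicePrincipalName: host/SERVER"
```

Running diagnose "$(klist -kt)" "$(ldapsearch ...)" on the affected host reports precreate-missing-spns for the case this article describes.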
Resolution:
This is fixed in the Suite 2013/5.1.0 console. Clean up the pre-created computer object in AD, upgrade to Centrify Suite 2013, and then pre-create the object again and perform the self-serve join.