Applies to: Centrify DirectControl on All Platforms
Problem: When attempting to join a machine to a zone against a Read-Only Domain Controller (RODC) hosted in Amazon AWS/EC2, the join fails. A join against a local on-premise RODC works as expected.
You may see log entries similar to the following in /var/log/centrifydc.log while 'addebug' is set to "on":
Aug 31 14:19:40 computer.centrify.com adjoin[26093]: INFO base.join User cannot set the computer password: Cannot contact any KDC for requested realm
Aug 31 14:19:41 computer.centrify.com adjoin[26093]: INFO base.join Computer cannot change its own password: Cannot contact any KDC for requested realm
Aug 31 14:19:41 computer.centrify.com adjoin[26093]: INFO cli.adjoin Join to domain 'centrify.com', zone '' failed.
Aug 31 14:19:41 computer.centrify.com adjoin[26093]: INFO lrpc.session process authentication request failed: ipc socket connect: No such file or directory
Cause: The join logic looks the host up by the AWS instance's CNAME rather than by the actual computer name.
Workaround: Add the -D <DNSHostName> or --dnsname <DNSHostName> option to your adjoin command, where DNSHostName is the DNS name of the computer being joined to the zone.
For example:
adjoin -S -s RODC.centrify.com -D computer.centrify.com
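To spot this failure signature across a larger centrifydc.log before re-running the join, the following added script (not Centrify's code) groups adjoin entries by process id and reports each join attempt that failed while the KDC was unreachable. It assumes the log line layout shown above; the sample lines are the ones from this article.

```python
import re
from collections import defaultdict

# Layout of the adjoin lines shown above (assumed to hold for the whole log):
# "<Mon DD HH:MM:SS> <host> adjoin[<pid>]: <level> <module> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+adjoin\[(?P<pid>\d+)\]:\s+"
    r"(?P<level>\w+)\s+(?P<module>[\w.]+)\s+(?P<msg>.*)$"
)
KDC_MARKER = "Cannot contact any KDC for requested realm"
FAIL_RE = re.compile(r"Join to domain '(?P<domain>[^']*)', zone '(?P<zone>[^']*)' failed")

# Sample input: the log lines quoted in this article.
SAMPLE_LINES = [
    "Aug 31 14:19:40 computer.centrify.com adjoin[26093]: INFO base.join User cannot set the computer password: Cannot contact any KDC for requested realm",
    "Aug 31 14:19:41 computer.centrify.com adjoin[26093]: INFO base.join Computer cannot change its own password: Cannot contact any KDC for requested realm",
    "Aug 31 14:19:41 computer.centrify.com adjoin[26093]: INFO cli.adjoin Join to domain 'centrify.com', zone '' failed.",
    "Aug 31 14:19:41 computer.centrify.com adjoin[26093]: INFO lrpc.session process authentication request failed: ipc socket connect: No such file or directory",
]

def parse_line(line):
    """Return the fields of one adjoin log line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def diagnose(lines):
    """Group adjoin lines by pid; report each pid whose join failed after a KDC error.
    Returns a list of dicts with pid, host, domain, zone and the KDC error messages."""
    by_pid = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_pid[rec["pid"]].append(rec)
    findings = []
    for pid, recs in by_pid.items():
        kdc_errors = [r["msg"] for r in recs if KDC_MARKER in r["msg"]]
        failed = next((m for m in (FAIL_RE.search(r["msg"]) for r in recs) if m), None)
        if kdc_errors and failed:
            findings.append({
                "pid": pid, "host": recs[0]["host"],
                "domain": failed.group("domain"), "zone": failed.group("zone"),
                "kdc_errors": kdc_errors,
                "hint": "host may have been looked up by its instance CNAME; retry adjoin with -D <DNSHostName>",
            })
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LINES):
        print(f"pid {f['pid']} on {f['host']}: join to '{f['domain']}' failed after "
              f"{len(f['kdc_errors'])} KDC error(s); {f['hint']}")
```

Pipe the real log in with `python3 script.py < /var/log/centrifydc.log` after replacing SAMPLE_LINES with `sys.stdin` if you want to run it against a live file.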