Applies to:

Centrify DirectControl on All Platforms


Problem:

When attempting to join a machine to a zone against a Read-Only Domain Controller (RODC) that exists in Amazon AWS/EC2, it fails.  If joined against a local on-premise RODC, it works just fine.

You may see log entries similar to the following within /var/log/centrifydc.log while ‘addebug’ is set to “on”:

Aug 31 14:19:40 computer.centrify.com adjoin[26093]: INFO base.join User cannot set the computer password: Cannot contact any KDC for requested realm
Aug 31 14:19:41 computer.centrify.com adjoin[26093]: INFO base.join Computer cannot change its own password: Cannot contact any KDC for requested realm
Aug 31 14:19:41 computer.centrify.com adjoin[26093]: INFO cli.adjoin Join to domain 'centrify.com', zone '' failed.
Aug 31 14:19:41 computer.centrify.com adjoin[26093]: INFO lrpc.session process authentication request failed: ipc socket connect: No such file or directory


Cause:

The join operation logic results in the host being looked for by the AWS instance’s CNAME, rather than the actual computer name.


Workaround:

Add the -D <DNSHostName> or --dnsname <DNSHostName> option to your adjoin command. Where DNSHostName is the DNS name for the computer being joined to the zone.

 For example: