passwordless AD domain join

MikeyB asked:

I remember back in the olden days of Windows NT you could create “blank” computer accounts so that anyone could join a computer of that name to the domain.

I would like to do the same thing with Active Directory. Specifically:

  • create a “blank” computer account for a member or RODC
  • join the computer to the domain without interaction

The problem I’m trying to solve is I have 1,400 samba4 servers that I need to join to the domain as RODCs. I really, really, really don’t want to type in the password 1400 times. I want it to be properly automated (puppet/chef/whatever).

Maybe I can solve this using kssh and Kerberos ticket forwarding? Open to ideas.

My answer:

My first approach to this would be:

  1. Create a new domain user and give it rights to join computers to the domain.
  2. Embed its username and password into your automation tool (puppet, chef, shell script, whatever).
  3. Once all the computers are joined to the domain, you can delete the domain-joining user. If you keep the user, you should change its password or lock the account.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.