I remember back in the olden days of Windows NT you could create “blank” computer accounts so that anyone could join a computer of that name to the domain.
I would like to do the same thing with Active Directory. Specifically:
- create a “blank” computer account for a member or RODC
- join the computer to the domain without interaction
The problem I’m trying to solve is that I have 1,400 samba4 servers that I need to join to the domain as RODCs. I really, really, really don’t want to type in the password 1400 times. I want it to be properly automated (puppet/chef/whatever).
Maybe I can solve this using kssh and Kerberos ticket forwarding? Open to ideas.
My first approach to this would be:
- Create a new domain user and give it rights to join computers to the domain.
- Embed its username and password into your automation tool (puppet, chef, shell script, whatever).
- Once all the computers are joined to the domain, you can delete the domain-joining user. If you keep the user, you should change its password or lock the account.
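An added example of the procedure above for the samba4 hosts in the question (this is not code from the original post or from the Samba project): an unattended join script that keeps the join account's credentials in a root-only file consumed through samba-tool's `-A` option instead of the puppet/chef manifest, and accepts only the RODC and MEMBER roles the question names. The realm, the credentials path and the `DO_JOIN` gate are assumptions.

```shell
#!/bin/sh
# Added example: unattended samba-tool domain join driven by a dedicated
# join account. Run as: DO_JOIN=1 ./join.sh RODC
set -eu

REALM="${REALM:-ad.example.com}"                # assumed realm
AUTHFILE="${AUTHFILE:-/etc/samba/join.auth}"    # assumed credentials path
# The file uses the same layout smbclient/samba-tool expect for -A:
#   username = joiner
#   password = <join account password>
#   domain   = AD

# Refuse a credentials file that anyone but its owner can read, so a
# world-readable manifest or package cannot leak the join account.
check_authfile() {
    f="$1"
    [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing $f: mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# Build the join command. Only the two roles from the question are allowed;
# anything else (e.g. a writable DC) is rejected before it can run.
join_cmd() {
    realm="$1"; role="$2"; authfile="$3"
    case "$role" in
        RODC|MEMBER) ;;
        *) echo "unsupported role: $role" >&2; return 1 ;;
    esac
    printf 'samba-tool domain join %s %s -A %s\n' "$realm" "$role" "$authfile"
}

main() {
    role="${1:-RODC}"
    check_authfile "$AUTHFILE"
    cmd=$(join_cmd "$REALM" "$role" "$AUTHFILE")
    echo "running: $cmd"          # no secret appears here or in ps output
    eval "$cmd"
}

# Gate the real join so the functions can be sourced and tested without it.
if [ "${DO_JOIN:-0}" = 1 ]; then
    main "$@"
fi
```

Once every host has joined, disable or delete the join account and remove the credentials file from the hosts, as the answer recommends.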
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.