Iwan Tamimi
RHEL 7.4 using realm cannot join the Windows AD

I am trying to join a Red Hat server to our current Windows AD. The software uses realm; to be honest, I am not really familiar with it.

I installed the software needed but still have problems connecting/registering to the domain.

This is what I did (server name changed):

RHEL 7.4 server name: stl01
AD name: K1.LOCAL
AD server:  kocdc01.k1.local

The command:
# hostname
stl01
# realm join --user=adm_narahariak@K1.LOCAL --computer-ou="OU=Linux,OU=K1 Servers,DC=k1,DC=local" kocdc01.k1.local --verbose
.......
 * Created computer account: CN=STL01,OU=Linux,OU=K1 Servers,DC=k1,DC=local
 * Sending netlogon pings to domain controller: cldap://10.24.90.54
 * Received NetLogon info from: KOCDC01.k1.local
 ! Couldn't set password for computer account: STL01$: Cannot contact any KDC for requested realm
adcli: joining domain k1.local failed: Couldn't set password for computer account: STL01$: Cannot contact any KDC for requested realm
 ! Failed to join the domain
realm: Couldn't join realm: Failed to join the domain
#

It failed. But when I checked in the OU, the name STL01 had been registered (after I ran the realm join command). Has anyone experienced this?

Thank you,
Iwan Tamimi
Tags: Software, Redhat, Windows Networking, Active Directory

dfke

Hi,

commonly this is due to a DNS issue in your own domain. To authenticate properly, DNS should be able to resolve the KDC in your domain. Typically the KDC is installed on a domain controller, but in your case it looks like it is installed elsewhere. When it is not able to resolve the server where the KDC resides, it will result in such an error.

So preferably check your DNS and fix any issues. Either that, or use the dirty method of adding the domain entries to /etc/hosts.

Cheers
Iwan Tamimi (asker)

dfke,

Thank you for your reply. I may know the problem: it seems the firewall needs to open port 464 (Kerberos) for the password change. It worked OK on the development system, but not on production. I compared the ports between development and production; on production, port 464 was not open.

I already requested that the firewall be opened, but since another department needs to do it, it takes some time.

I will let you know.

Iwan
ASKER CERTIFIED SOLUTION
Iwan Tamimi
dfke

Hi,

happy to see it's solved.

Cheers
Pavan Kumar A

Thank you, I also faced the same issue and spent 3-4 hrs resolving it. After opening port 464 it was resolved.
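Added example (not from any poster in this thread): a pre-join check that covers both dfke's DNS point (can the host find the KDC and kpasswd servers via SRV records?) and the port 464 finding above (can it actually reach them?). It probes the TCP ports realm/adcli and sssd need on a DC and maps a blocked port to the adcli message it produces. The realm k1.local, the DC names and the dig output used for testing are assumptions; the SRV lookup shells out to dig because the Python standard library cannot query SRV records.

```python
"""Pre-join port/DNS check for a RHEL host joining Active Directory.
Added example, not from this thread. Realm k1.local, DC names and the dig
output used in testing are constructed. Python 3.5+; SRV lookup uses dig."""
import socket
import subprocess
from collections import namedtuple

# TCP ports realm/adcli (and sssd afterwards) must reach on a domain controller.
# 464 is the one this thread found blocked: adcli creates the computer object
# over LDAP (389) and only then sets its password over kpasswd (464), which is
# why STL01 showed up in the OU while the join still failed.
AD_JOIN_PORTS = (
    (53, "DNS (SRV lookups for _kerberos, _ldap, _kpasswd)"),
    (88, "Kerberos KDC (ticket requests)"),
    (389, "LDAP (computer object creation; CLDAP netlogon pings use 389/udp)"),
    (445, "SMB (sssd fetches GPOs over SMB when ad_gpo_access_control is on)"),
    (464, "kpasswd (set computer account password)"),
    (636, "LDAPS"),
    (3268, "Global Catalog"),
)
SrvRecord = namedtuple("SrvRecord", "priority weight port target")

def parse_srv_answer(text):
    """Parse 'dig +short SRV' lines ('prio weight port target.') into records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            prio, weight, port = (int(p) for p in parts[:3])
        except ValueError:
            continue
        records.append(SrvRecord(prio, weight, port, parts[3].rstrip(".")))
    # Clients use the lowest priority first, then prefer the higher weight.
    return sorted(records, key=lambda r: (r.priority, -r.weight))

def lookup_srv(name):
    """Resolve an SRV name with dig (network call; [] when nothing is found)."""
    proc = subprocess.run(["dig", "+short", "SRV", name],
                          stdout=subprocess.PIPE, universal_newlines=True)
    return parse_srv_answer(proc.stdout)

def probe_tcp(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, name lookup failure
        return False

def check_dc(host, ports=AD_JOIN_PORTS, timeout=3.0):
    """Probe every required port on one DC; returns {port: reachable}."""
    return {port: probe_tcp(host, port, timeout) for port, _ in ports}

def explain(results):
    """Translate blocked ports into the adcli symptom they produce."""
    notes = []
    if not results.get(389, True):
        notes.append("389 blocked: LDAP bind fails, no computer object is created")
    if not results.get(88, True):
        notes.append("88 blocked: no Kerberos ticket (Cannot contact any KDC)")
    if not results.get(464, True):
        notes.append("464 blocked: object is created, then Couldn't set password "
                     "for computer account (Cannot contact any KDC)")
    return notes or ["all required ports reachable"]

def open_loopback_listener():
    """Listening socket on an ephemeral 127.0.0.1 port, to exercise probe_tcp offline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock

def free_closed_port():
    """A loopback port with nothing listening: bind, read the port, close."""
    sock = open_loopback_listener()
    port = sock.getsockname()[1]
    sock.close()
    return port

if __name__ == "__main__":
    import sys
    realm = sys.argv[1] if len(sys.argv) > 1 else "k1.local"  # assumed realm
    kdcs = lookup_srv("_kerberos._tcp." + realm)
    print("_kerberos SRV:", [r.target for r in kdcs] or "NONE (fix DNS first)")
    print("_kpasswd SRV:", [r.target for r in lookup_srv("_kpasswd._tcp." + realm)]
          or "NONE (fix DNS first)")
    if kdcs:
        results = check_dc(kdcs[0].target)
        for port, purpose in AD_JOIN_PORTS:
            print("%5d %-8s %s" % (port, "open" if results[port] else "BLOCKED", purpose))
        for note in explain(results):
            print(note)
```

Run it as `python3 adjoin_check.py k1.local` from the host you are trying to join, before asking the firewall team for anything: an empty SRV answer means the DNS problem dfke describes, while a BLOCKED 464 with everything else open is exactly the pattern in this thread (object created, password set fails). The probe only tests TCP; Kerberos and CLDAP also use UDP on 88 and 389, so a full firewall request should include those too.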