In this set up the RODCs (Read Only Domain Controllers) are not in the top level SRV query results and all other DC's are blocked. The join includes -s <site> to let vastool/vasd know the right SRV query to find the reachable DCs (Domain Controllers).
Failed
ERROR: Unable to join computer object
ERROR: Could not join to the domain
VAS_ERR_KRB5: Kerberos error
Could not change password
Caused by:
KRB5_KDC_UNREACH (-1765328228): Cannot contact any KDC for requested realm
Reason: unable to reach any changepw server in realm
Workaround: Configure the site name prior to joining by running the following where <site> is the name of the site in AD (Active Directory).
/opt/quest/bin/vastool configure vas libvas site-name-override <site>
Fix: To be fixed in a future version of Safeguard Authentication Services.
© 2025 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center