During a join, QAS needs to create a computer object for the host in Active Directory. A read-only domain controller (RODC) does not accept writes, so the object has to exist before the join. How can I join to an RODC?
In AD
1. Pre-create the QAS computer account in AD
2. In ADUC, right-click the new computer account and choose "Reset Account". This sets the account password to a known value (the account's hostname), which the join on the client will use to authenticate.
3. In ADUC, add the computer account to the allowed list of the RODC's "Password Replication Policy" so the RODC may cache its secrets.
4. In ADUC, use "Prepopulate Passwords" on the RODC to push the account's password to the RODC now, rather than waiting for a first authentication.
On the QAS client, use the latest QAS package, which can be downloaded from:
https://support.oneidentity.com/authentication-services/download-new-releases
1. Add three entries for the RODC to the /etc/hosts file on the client: the RODC IP address followed by the short hostname, the hostname in FQDN format, and the FQDN with a trailing dot, for example:
<IP_Address_RODC> rodc rodc.yourdomain.com rodc.yourdomain.com.
2. Use vastool join to do a forced self-join, hardcoded to the RODC. Here -u hostname$ authenticates as the pre-created computer account, -w hostname supplies the known password set by "Reset Account", -f forces the join, -n sets the computer name, and the last two arguments are the domain and the RODC to join through:
/opt/quest/bin/vastool -u hostname$ -w hostname join -f -n hostname.yourdomain.com yourdomain.com rodc.yourdomain.com
Note: during the join the computer account password is reset to a secure random value, so the known password from "Reset Account" is only valid until the join completes.
Regarding pre-creating the computer account, you can do this from another QAS machine that is connected to a RWDC, e.g. vastool -u administrator create computer <computername>
If the computer account is created by other means (for example in ADUC or by script), you may want to pre-set the following attributes, which vastool create computer and a join to a RWDC would normally set:
userAccountControl: 69632
(0x11000 = WORKSTATION_TRUST_ACCOUNT 0x1000 + DONT_EXPIRE_PASSWORD 0x10000)
sAMAccountName: HOSTNAME$
dNSHostName: hostname.yourdomain.com
userPrincipalName: host/hostname.yourdomain.com@YOURDOMAIN.COM
servicePrincipalName: host/HOSTNAME
servicePrincipalName: host/hostname.yourdomain.com
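The following PowerShell script is an added example, not part of the One Identity article: it performs the four AD-side steps above (pre-create with the listed attributes, reset the password to the known value, add to the RODC's Password Replication Policy, prepopulate) with the ActiveDirectory module instead of ADUC, and ends with a check that the RODC has actually cached the password. The host name qashost, the domain yourdomain.com, the RODC name rodc and the writable DC rwdc.yourdomain.com are assumed placeholders; the assumption that "Reset Account" uses the lowercase hostname is what keeps the value in line with the -w argument passed to vastool.

```powershell
# Added example (not One Identity code). Assumed names: qashost, yourdomain.com,
# RODC "rodc", writable DC "rwdc.yourdomain.com". All writes go to the RWDC,
# because the RODC would only refer them elsewhere.
Import-Module ActiveDirectory

$HostName  = 'qashost'
$DnsDomain = 'yourdomain.com'
$Realm     = $DnsDomain.ToUpper()
$Fqdn      = "$HostName.$DnsDomain"
$Sam       = "$($HostName.ToUpper())`$"          # HOSTNAME$
$Rodc      = 'rodc'                               # assumed RODC name
$Rwdc      = "rwdc.$DnsDomain"                    # assumed writable DC

# 1. Pre-create the account with the attributes vastool would set on an RWDC join.
New-ADComputer -Name $HostName.ToUpper() -SAMAccountName $Sam -DNSHostName $Fqdn `
    -ServicePrincipalNames @("host/$($HostName.ToUpper())", "host/$Fqdn") `
    -OtherAttributes @{ userPrincipalName = "host/$Fqdn@$Realm" } `
    -Server $Rwdc

# userAccountControl 69632 = WORKSTATION_TRUST_ACCOUNT (0x1000) + DONT_EXPIRE_PASSWORD (0x10000)
Set-ADComputer -Identity $Sam -Replace @{ userAccountControl = 69632 } -Server $Rwdc

# 2. Equivalent of ADUC "Reset Account": known password = lowercase hostname
#    (assumption; it must match the value given to vastool join -w).
$Known = ConvertTo-SecureString $HostName.ToLower() -AsPlainText -Force
Set-ADAccountPassword -Identity $Sam -Reset -NewPassword $Known -Server $Rwdc

# 3. Allow the RODC to cache this account's secrets (PRP allowed list).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Sam -Server $Rwdc

# 4. Prepopulate: replicate only the password to the RODC right now.
$Dn = (Get-ADComputer -Identity $Sam -Server $Rwdc).DistinguishedName
Sync-ADObject -Object $Dn -Source $Rwdc -Destination "$Rodc.$DnsDomain" -PasswordOnly

# Check: the account should now be in the RODC's revealed (cached) list.
# If nothing is returned, the vastool join against the RODC will fail to authenticate.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts -Server $Rwdc |
    Where-Object SamAccountName -eq $Sam
```

Run the check again after the client-side vastool join: the join resets the password to a random value, and the account should still be listed as revealed once the new secret has replicated to the RODC.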