net ads join seems to restrict itself to the first 5 DCs of those it finds

Richard Sharpe realrichardsharpe at
Fri Aug 9 16:04:50 UTC 2019

On Fri, Aug 9, 2019 at 8:33 AM Alexey A Nikitin <nikitin at> wrote:
> On Thursday, 8 August 2019 15:26:43 PDT Richard Sharpe via samba-technical wrote:
> > Hi folks,
> >
> > We are finding that net ads join is unable to join because it only
> > issues cldap requests for the first five DCs it finds when looking up
> > _ldap._tcp.realm ...
> >
> > Is this correct?
> >
> > The problem seems to be that sites and services is not correctly
> > configured to return the closest DC first in the list and the one they
> > should be contacting is around 16 out of 29 returned.
> >
> >
> I cannot confirm (yet) seeing this issue in `net ads join`, but I have seen something similar in `adcli info`, where the code selects only the first five entries among the SRV RR for _ldap._tcp, leading to domain discovery failure in some setups where DNS is configured to return non-site-specific DCs yet firewalls block communications from clients to those DCs. One could rightfully say that the setup itself is broken, yet Windows is robust enough to handle that, but adcli wasn't.
> I wrote a patch that fixes that behavior in adcli, it got accepted upstream some time ago. If someone can confirm this behavior with `net ads join` (or with Winbind in general - I have seen plenty cases where it fails to locate DCs, just haven't yet had time to pinpoint the root cause) then I imagine the patch for `net ads join` shouldn't be too difficult to write either.

Thanks for the hint. Yes, Windows is robust in this situation.

I will have an opportunity to determine if it is 'net ads join' doing
this or 'realm join' issuing weird instructions to net ads join, but
it looks like net ads join.

I will also get a level 10 log.

Richard Sharpe

More information about the samba-technical mailing list