Disjointed Namespaces in AD Bridge

In some environments, AD Bridge agents must be joined with FQDNs that differ from the Active Directory domain name. For example, the computer oracle12.prod.domain.com might need to join the company.com domain. This is a disjointed namespace scenario since prod.domain.com and company.com are different DNS domains.

By default, the domainjoin-cli command changes the FQDN of the AD Bridge agent to match the AD domain being joined. To prevent this and let the host keep its original domain name, pass the --disable hostname option. For example:

domainjoin-cli join --disable hostname --ou UnixServers contoso.com jsmith AlphaOne1

Only accounts with the authority to modify the dNSHostName attribute can join a computer whose domain name differs from the Active Directory domain name. Accounts without this authority may see an error similar to the following when attempting to join a computer with a disjointed namespace:

Error: LW_ERROR_LDAP_CONSTRAINT_VIOLATION [code 0x00009d7b]

There are two ways to grant the necessary rights: grant Write permission on the dNSHostName attribute, or grant the more restricted Validated Write permission and register the extra DNS suffix in the domain's msDS-AllowedDNSSuffixes attribute.

For more information, please see Delegate Control to Join AD Bridge Computers to the Domain.

The first method grants Write permission on the computer object's dNSHostName attribute. Any account with Write permission can modify the attribute directly, with no suffix validation. This is the quickest and most direct way to allow a join with a disjoint namespace, and it is already in place if you chose Write rather than Validated Write when delegating the dNSHostName permission.

The second method grants the more restricted Validated Write permission on the computer object's dNSHostName attribute. Any attempt to modify the value is validated against the list of allowed DNS suffixes held in the domain's Naming Context (NC).

With Validated Write, granting the permission on the computer object is not enough; the domain NC must also be updated. Register each additional namespace (for example, prod.domain.com) in the msDS-AllowedDNSSuffixes attribute of the domain NC so that the validation accepts it.
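The following pre-flight check is an added example, not AD Bridge code or a BeyondTrust tool. It models the rule a Validated Write of dNSHostName is checked against (the value must be the computer's sAMAccountName without the trailing "$", followed by either the domain's own DNS name or one of the suffixes in msDS-AllowedDNSSuffixes), so an administrator can tell before running domainjoin-cli whether a disjoint-namespace join will pass, needs the suffix registered, or needs plain Write permission instead. The domain data (contoso.com, the ORACLE12$ account, the prod.domain.com suffix) is constructed for the example; allowed_suffix_ldif emits a standard LDIF modify that could be fed to ldapmodify, but connecting to a domain controller is outside the example.

```python
"""Pre-flight check for a disjoint-namespace computer join (added example).

Assumptions (constructed for this example, not taken from the page):
  - the AD domain is contoso.com and the domain NC DN is DC=contoso,DC=com
  - the computer account is ORACLE12$ and the desired FQDN is
    oracle12.prod.domain.com
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DomainNC:
    """The parts of the domain Naming Context that matter for the check."""
    dns_name: str                                   # the domain's own DNS name
    allowed_suffixes: List[str] = field(default_factory=list)  # msDS-AllowedDNSSuffixes


def split_fqdn(fqdn: str) -> Tuple[str, str]:
    """Return (host label, dns suffix), both lower-cased."""
    host, _, suffix = fqdn.strip().lower().partition(".")
    return host, suffix


def validated_write_allowed(sam_account_name: str, fqdn: str, nc: DomainNC) -> bool:
    """True if a Validated Write of dNSHostName=fqdn would pass AD's check.

    The host label must equal the computer's sAMAccountName (minus '$'), and
    the suffix must be the domain's DNS name or a registered allowed suffix.
    """
    host, suffix = split_fqdn(fqdn)
    if not suffix:
        return False                                # a bare host name is never accepted
    if host != sam_account_name.rstrip("$").lower():
        return False
    permitted = {nc.dns_name.lower()} | {s.lower() for s in nc.allowed_suffixes}
    return suffix in permitted


def join_preflight(sam_account_name: str, fqdn: str, nc: DomainNC,
                   has_write_permission: bool = False) -> Tuple[bool, str]:
    """Decide whether the join can set dNSHostName, and if not, what to fix."""
    if has_write_permission:
        # Plain Write on dNSHostName is not subject to the suffix validation.
        return True, "ok: Write permission on dNSHostName, no suffix validation applies"
    if validated_write_allowed(sam_account_name, fqdn, nc):
        return True, "ok: suffix is registered, Validated Write will succeed"
    host, suffix = split_fqdn(fqdn)
    expected = sam_account_name.rstrip("$").lower()
    if host != expected:
        return False, f"fail: host label '{host}' must equal sAMAccountName '{expected}'"
    return False, (f"fail: expect LW_ERROR_LDAP_CONSTRAINT_VIOLATION; add '{suffix}' to "
                   f"msDS-AllowedDNSSuffixes on the domain NC or grant Write on dNSHostName")


def allowed_suffix_ldif(domain_dn: str, suffix: str) -> str:
    """LDIF modify operation that registers one extra suffix on the domain NC."""
    return (f"dn: {domain_dn}\n"
            "changetype: modify\n"
            "add: msDS-AllowedDNSSuffixes\n"
            f"msDS-AllowedDNSSuffixes: {suffix}\n"
            "-\n")


if __name__ == "__main__":
    before = DomainNC("contoso.com")                             # suffix not yet registered
    after = DomainNC("contoso.com", ["prod.domain.com"])         # after the LDIF is applied
    for nc in (before, after):
        ok, why = join_preflight("ORACLE12$", "oracle12.prod.domain.com", nc)
        print(f"{'PASS' if ok else 'FAIL'}: {why}")
    print(allowed_suffix_ldif("DC=contoso,DC=com", "prod.domain.com"))
```

Running the script prints a FAIL for the unregistered suffix, a PASS once prod.domain.com is in msDS-AllowedDNSSuffixes, and the LDIF that makes that change. The host-label rule matters in practice: a Validated Write is rejected even for a registered suffix if the label before the first dot does not match the computer account name, which is a different problem from the suffix list and is worth distinguishing before touching the domain NC.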

For more information, please see Create a Disjoint Namespace.