Roadrunner SMB

AD Domain Join Delegation

Last Updated: 2026-06-09

Self-service checklists for delegating minimum Active Directory® permissions for Roadrunner SMB™ domain join — without granting Domain Admin.

See also: Identity and permissions · Quick Start — Join AD · VPC Prerequisites — Active Directory


Overview

Roadrunner SMB joins your domain using Samba net ads join. The join account needs permission to create or use a computer object — not full domain administrator rights.

Path A — Create in OU
  Join account needs: Create computer objects in a designated OU
  RRSMB validation:   Default product path; validated

Path B — Pre-staged object
  Join account needs: Join rights on an existing computer object
  RRSMB validation:   Microsoft-supported; not end-to-end validated by RRSMB; lab test before production

Microsoft reference: Active Directory domain join permissions.


What Roadrunner SMB does

  1. Allocates computer name RRSMB-NODE<n> (unless overridden in FTS).
  2. Runs net ads join with optional OU when you specify one in FTS Step 3.
  3. Creates the computer object in AD (or re-joins if the object already exists with matching name).
  4. Sets computer description to Roadrunner SMB Appliance.

AD administrator checklist

  • Create or designate an OU for Roadrunner SMB computer objects (e.g. OU=RRSMB,OU=Servers,DC=corp,DC=example,DC=com).
  • Create a dedicated service account (e.g. svc-rrsmb-join) with a long random password; do not reuse a personal account or a shared admin account.
  • Delegate Create computer objects on that OU to the service account, preferably through a security group that contains it. Scope the entry to the Computer object class only, not to all child object types.
  • Optionally delegate Delete computer objects on the same OU for clean re-deploy testing; remove it once the deployment is stable.
  • Confirm the service account is not a member, directly or through nested groups, of Domain Admins, Enterprise Admins or the built-in Administrators group.
  • Explicit OU delegation does not depend on ms-DS-MachineAccountQuota (which by default lets any authenticated user create 10 computer objects in CN=Computers), so the join keeps working if your hardening baseline sets that quota to 0.
  • Confirm the network path from the appliance subnet to the DCs: 88 (Kerberos), 389/636 (LDAP/LDAPS), 53 (DNS), 445 (SMB); VPC Prerequisites is the authoritative list.
  • Enter the OU path in FTS Step 3 when joining.

Delegation via Active Directory Users and Computers

  1. Open Active Directory Users and Computers.
  2. Right-click the target OU → Delegate Control.
  3. Add the join service account (or the security group that contains it).
  4. Select Create a custom task to delegate.
  5. Choose Only the following objects in the folder → tick Computer objects, then tick Create selected objects in this folder (and Delete selected objects in this folder only if you want re-deploy cleanup).
  6. Finish the wizard, then confirm in the OU's Security → Advanced view that the resulting entry is Create Computer objects (some wizard versions label it Create All Child Objects scoped to Computer objects) and not an unrestricted Create All Child Objects.

For scripted delegation, use dsacls or PowerShell Get-Acl / Set-Acl on the AD: drive against the OU; either way, follow your organization's AD change process and keep the resulting ACE scoped to the Computer object class.

Lab self-validation

  1. Deploy Roadrunner SMB in a test OU with the delegated account only (no Domain Admin).
  2. Complete FTS Step 3 using the service account credentials.
  3. Verify in AD: computer object exists under the OU with name RRSMB-NODE1 (or your override).
  4. Confirm Admin UI shows successful domain join and Kerberos/SMB auth works.

Path B — Pre-staged computer object (enterprise hardening)

Concept

A domain administrator pre-creates the computer object before FTS. The join account receives join rights on that object only — not create rights on the entire OU.

Samba net ads join can attach to an existing object when the name matches. Because the join resets the machine account password, the join account needs the Reset Password right on that object in addition to the attribute writes the join performs.

AD administrator checklist

  • Pre-create computer object RRSMB-NODE1 (and additional nodes if multi-node) in the target OU before FTS.
  • Grant the join service account the rights Microsoft lists for joining a pre-staged account, on that object only: Reset Password, Read and Write Account Restrictions, Validated write to DNS host name, and Validated write to service principal name.
  • Do not grant Domain Admin or broad OU create rights if policy requires minimum privilege.
  • Use the same computer name in FTS as the pre-staged object (or rely on default RRSMB-NODE<n> allocation matching pre-staged names).
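The following script is an added example for this page, not Roadrunner SMB project code, and covers both the Path A OU delegation described under "AD administrator checklist" and the Path B per-object delegation above. It assumes the RSAT ActiveDirectory module, the OU and account names used in the checklists, and a security group RRSMB-Joiners that contains svc-rrsmb-join (the group name is an assumption; the schema GUIDs are the fixed, well-known ones):

```powershell
# Added example (not Roadrunner SMB project code). Assumes the RSAT ActiveDirectory module,
# the OU and account names from the checklists, and a security group RRSMB-Joiners that
# contains svc-rrsmb-join (group name is an assumption).
Import-Module ActiveDirectory

$OU        = "OU=RRSMB,OU=Servers,DC=corp,DC=example,DC=com"
$Principal = Get-ADGroup "RRSMB-Joiners"
$Sid       = [System.Security.Principal.SecurityIdentifier] $Principal.SID

# Well-known schema GUIDs; identical in every AD forest.
$ComputerClass       = [Guid] "bf967a86-0de6-11d0-a285-00aa003049e2"  # computer object class
$ResetPassword       = [Guid] "00299570-246d-11d0-a768-00aa006e0529"  # Reset Password control access right
$AccountRestrictions = [Guid] "4c164200-20c0-11d0-a768-00aa006e0529"  # Account Restrictions property set
$ValidatedDnsHost    = [Guid] "72e39547-7b18-11d1-adef-00c04fd8d5cd"  # Validated write to DNS host name
$ValidatedSpn        = [Guid] "f3a64788-5306-11d1-a9c5-0000f80367c1"  # Validated write to SPN

function Add-JoinAce {
    # Appends one explicit Allow ACE to an OU or computer object through the AD: PSDrive.
    param(
        [Parameter(Mandatory)] [string] $Dn,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Identity,
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [Parameter(Mandatory)] [Guid] $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance] $Inheritance = 'None'
    )
    $acl = Get-Acl -Path "AD:\$Dn"
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Identity, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# ---- Path A: let the join principal create computer objects in the OU, nothing else ----
# Scoped to the computer class GUID; an all-zero ObjectType GUID would mean "any object type".
# Drop DeleteChild once re-deploy testing is over.
Add-JoinAce -Dn $OU -Identity $Sid -Rights 'CreateChild, DeleteChild' -ObjectType $ComputerClass
# dsacls equivalent (create only):  dsacls "$OU" /G "CORP\RRSMB-Joiners:CC;computer"

# ---- Path B: pre-stage the object, then grant only the rights a join needs on it ----
$Node = New-ADComputer -Name "RRSMB-NODE1" -SAMAccountName 'RRSMB-NODE1$' -Path $OU -Enabled $true -PassThru
$Dn   = $Node.DistinguishedName
Add-JoinAce -Dn $Dn -Identity $Sid -Rights ExtendedRight                 -ObjectType $ResetPassword
Add-JoinAce -Dn $Dn -Identity $Sid -Rights 'ReadProperty, WriteProperty' -ObjectType $AccountRestrictions
Add-JoinAce -Dn $Dn -Identity $Sid -Rights Self                          -ObjectType $ValidatedDnsHost
Add-JoinAce -Dn $Dn -Identity $Sid -Rights Self                          -ObjectType $ValidatedSpn

# Roadrunner SMB also writes the object's description after the join (see "What Roadrunner
# SMB does"). The minimal set above does not allow that write; if the lab run shows the join
# needs it, resolve the attribute GUID from the schema instead of hard-coding it.
$Schema          = (Get-ADRootDSE).schemaNamingContext
$DescriptionAttr = [Guid] (Get-ADObject -SearchBase $Schema -LDAPFilter '(lDAPDisplayName=description)' -Properties schemaIDGUID).schemaIDGUID
Add-JoinAce -Dn $Dn -Identity $Sid -Rights WriteProperty -ObjectType $DescriptionAttr
```

Run the Path A or the Path B half, not both, against the same lab OU. The Path B rights are deliberately the minimum Microsoft documents for a join; Samba additionally writes descriptive attributes such as description and operatingSystem, and whether the appliance's join tolerates those writes being refused is exactly what the lab self-validation below is meant to show.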

Lab self-validation (required — not RRSMB-validated)

Roadrunner SMB has not published end-to-end proof of the pre-staged path. Before production:

  1. Pre-stage RRSMB-NODE1 in your lab OU with delegated join rights only.
  2. Run FTS domain join with the service account.
  3. Confirm join succeeds and the object is not duplicated.
  4. Document results in your internal change record.

If join fails, fall back to Path A (OU create delegation) or use Domain Admin for evaluation only.
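The script below is an added example for this page, not Roadrunner SMB project code; it checks the results of the lab self-validation steps for Path A and Path B from a workstation with the RSAT ActiveDirectory module. Names match the checklists above; any group the account belongs to is discovered rather than assumed:

```powershell
# Added example (not Roadrunner SMB project code). Checks lab results for either path.
Import-Module ActiveDirectory

$OU      = "OU=RRSMB,OU=Servers,DC=corp,DC=example,DC=com"
$Account = "svc-rrsmb-join"
$Node    = "RRSMB-NODE1"

function Test-JoinAccountUnprivileged {
    # True when the account is not in Domain Admins (RID 512) or the built-in Administrators
    # group, including membership nested through other groups. SIDs avoid localized names.
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $domainSid = (Get-ADDomain).DomainSID.Value
    foreach ($groupSid in "$domainSid-512", "S-1-5-32-544") {
        $members = Get-ADGroupMember -Identity $groupSid -Recursive | Select-Object -ExpandProperty SamAccountName
        if ($members -contains $SamAccountName) { return $false }
    }
    return $true
}

function Get-JoinAccountAces {
    # Lists the ACEs on an OU or computer object that apply to the join account directly or
    # through any of its groups. For Path A the OU entry should show CreateChild with
    # ObjectType bf967a86-0de6-11d0-a285-00aa003049e2 (computer class); an all-zero GUID
    # would allow creating any object type.
    param([Parameter(Mandatory)] [string] $Dn, [Parameter(Mandatory)] [string] $SamAccountName)
    $netbios = (Get-ADDomain).NetBIOSName
    $names   = @("$netbios\$SamAccountName") +
               @(Get-ADPrincipalGroupMembership $SamAccountName | ForEach-Object { "$netbios\$($_.SamAccountName)" })
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.IdentityReference.Value -in $names } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, IsInherited
}

function Test-JoinResult {
    # Exactly one object with this name in the domain (no stray duplicate in CN=Computers or
    # another OU) and it lives under the expected OU.
    param([Parameter(Mandatory)] [string] $Name, [Parameter(Mandatory)] [string] $ExpectedOu)
    $found = @(Get-ADComputer -Filter "Name -eq '$Name'" -Properties Description, OperatingSystem)
    if ($found.Count -ne 1) {
        return [pscustomobject]@{ Ok = $false; Detail = "found $($found.Count) objects named $Name" }
    }
    $c = $found[0]
    [pscustomobject]@{
        Ok              = $c.DistinguishedName -eq "CN=$Name,$ExpectedOu"
        Detail          = $c.DistinguishedName
        Enabled         = $c.Enabled
        Description     = $c.Description      # the page says the appliance sets "Roadrunner SMB Appliance"
        OperatingSystem = $c.OperatingSystem
    }
}

"Join account outside Domain Admins / Administrators: $(Test-JoinAccountUnprivileged $Account)"
Get-JoinAccountAces -Dn $OU -SamAccountName $Account | Format-Table -AutoSize
$result = Test-JoinResult -Name $Node -ExpectedOu $OU
$result
if ($result.Ok) {   # object-level ACEs (Path B) should still be only what was delegated
    Get-JoinAccountAces -Dn $result.Detail -SamAccountName $Account | Format-Table -AutoSize
}
```

Run it once before the FTS join (the ACE listing on the OU is the record for your change ticket) and once after, when Test-JoinResult should report Ok = True with the description the appliance sets. A count other than one means the join created a second object elsewhere, which is the duplication the Path B checklist warns about.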


Ongoing appliance admin (Identity 3b)

Domain join delegation is separate from Admin UI administration:

Concern              Join account (3a)                      Admin UI access (3b)
Typical production   OU-scoped create or pre-staged join    Dedicated AD security group via Settings → Admin AD group
Domain Admins        Not required for join                  Enabled by default after FTS claim; disable in Settings for production
Appliance Owner      N/A                                    Break-glass rrsmb-admin when AD is down

See Identity 3 — Active Directory and Admin Guide — Settings.


Evaluation shortcut

Using Domain Admin credentials for FTS join is acceptable for time-boxed evaluation. Document the shortcut and migrate to Path A or B before production audit.


Topic                  Document
Three identities       Identity and permissions
First-time join steps  Quick Start
Network & DNS          VPC Prerequisites
Admin UI access        Admin Guide
Security FAQ           FAQ — Security and permissions


© 2026 Roadrunner SMB, LLC

Roadrunner SMB is an independent software project and is not affiliated with, endorsed by, or sponsored by Amazon Web Services, Inc.
Amazon Web Services, AWS, and Amazon EFS are trademarks of Amazon.com, Inc. or its affiliates.
Microsoft, Windows, and Active Directory are trademarks of the Microsoft Corporation in the United States and/or other countries.
Citrix and SoftNAS are registered trademarks of their respective owners.
Roadrunner SMB and Elastic SMB are trademarks of Roadrunner SMB, LLC. All rights reserved.