How to correctly join a domain?

NethServer Version: 7.9
Module: AD/NSDC

Trying to join an AD created on NSDC. Here are the “cleaned” details:

Bind password ;-)
Base DN
Bind DN
LDAP server URI
Active Directory IP
User DN
Group DN

nethhost.domain.tld =
nsdc-nethhost.domain.tld =

Both resolved on nslookup.

Green: bridge for the two network interfaces.
nethhost also hosts the DHCP server, which provides nethhost as DNS and not NSDC.

nethhost is an ESXi guest, and promiscuous mode is now enabled.
Which name should I use to look up the domain?

A concrete wall for headbanging?



Make a DNS entry on your NethServer in the DNS:

ad.domain.tld with the IP of the AD
Create a second one with the full name shown in Cockpit under Account Provider, also using the same IP of your AD. Just to make sure…

Generally, DNS entries are always small caps, LDAP entries are shown with Caps… :slight_smile:

This should work!

My 2 cents
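
A pre-join check for the two A records suggested above, as an added example that is not part of the original post: it confirms each name resolves only to the AD (NSDC) address and not, for instance, to the NethServer host. The address 192.0.2.10 is a constructed placeholder, and using nsdc-nethhost.domain.tld as the second name is an assumption.

```shell
#!/bin/sh
# Added example: verify the A records for the AD before joining a client.

# resolve NAME: print the IPv4 addresses the local resolver returns, one per line.
resolve() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# check_ad_records AD_IP NAME...
# Prints one verdict line per name; returns 0 only if every name resolves
# to AD_IP and to nothing else.
check_ad_records() {
    ad_ip=$1
    shift
    rc=0
    for name in "$@"; do
        # DNS names are case-insensitive; query the lowercase form.
        lc=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        addrs=$(resolve "$lc" | tr '\n' ' ' | sed 's/ *$//')
        if [ -z "$addrs" ]; then
            echo "MISSING  $lc: no A record"
            rc=1
        elif [ "$addrs" = "$ad_ip" ]; then
            echo "OK       $lc -> $addrs"
        else
            # Typical cause: the name points at the host, not the NSDC container.
            echo "MISMATCH $lc -> $addrs (expected $ad_ip)"
            rc=1
        fi
    done
    return $rc
}

# Runs only when arguments are given, e.g. (constructed placeholder IP):
#   sh check.sh 192.0.2.10 ad.domain.tld nsdc-nethhost.domain.tld
if [ "$#" -ge 2 ]; then
    check_ad_records "$@"
fi
```

Run it on the client, or on any machine that uses the same DNS server the DHCP scope hands out, so the result reflects what the joining machine will see.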

What OS are you trying to join to the AD?

Mac OS 12.0.1 Monterey
Mac OS 10.13.7 High Sierra
Windows 10 21H1
Windows 11 21H1

Is this mandatory? If it is… why is it not automatically added by the AD container creation?


Hi Michael

No, it’s not - but it is best practice according to Microsoft, when your AD is resolvable with DNS… :slight_smile:
→ And it saves time troubleshooting!

It should be, IMHO, at least if NethServer is set as AD and DNS…

→ Maybe in NS 8.x… :slight_smile:

My 2 cents

For me, I cannot get my Windows 10 machines to consistently join the SAMBA AD until I set NS as the (or one of the) DNS providers.

Currently the DHCP server provides the nethhost.domain.tld IP address as the only DNS server. And from what I’ve seen, it also allows browsing the internet. The NTP servers provided are outside the network range (currently IDK if NethServer acts as an NTP proxy server or not).
I hope that this topic will become a… “nice enough” checklist with the title “before you damage your head against the wall, check these things to join NSDC/AD”.



The decision to use Windows is absolutely voluntary - that already includes the optional choice for “headbanging”…

True enough, it’s not always one’s own fault… Clients sometimes insist… :slight_smile:

My 2 cents

The goal of using NSDC as AD is… having a Windows-friendly centralized authentication service.
If the creation of the A record for ad.domain.tld is considered best practice by the company that created this kind of service, IMVHO this should be done automatically…
You don’t like Redmond products? That’s fair; IMVHO sometimes Cupertino hardware policies should be shoved down some deep and acid hole, and this should be fair too.
But anyway, even Linux and MacOS, moreover iOS, are sort of “AD Friendly”; soon IMVHO they will become Azure friendly too. I mean… Even Samba TNG is sort of AD-friendly… :wink:
Policy discussions aside, I will check soon whether the record, still not shown, is already present in the DNS entry list.
