Join a Linux VM to a domain

This topic shows you how to join a Linux VM to a Managed Microsoft AD domain by using the System Security Services Daemon (SSSD) with the following Linux distributions:

  • Ubuntu 16.04 LTS
  • Red Hat Enterprise Linux (RHEL) 8.2 (Ootpa)

Managed Microsoft AD interoperability works for many Linux distributions and other connectivity tools. Learn about these open source connectivity tools.

Before you begin

Before you begin, be sure you have completed the following tasks:

  • Create an Active Directory domain as explained in Quickstart: Creating a domain.

  • Create a Linux VM. For step 4, on the Public images tab, select the appropriate distribution, Ubuntu 16.04 LTS or Red Hat Enterprise Linux 8.

    • Create the VM in the project that hosts your Managed Microsoft AD domain. (If there is a Shared VPC that is an authorized network, you can also create the VM in any of its service projects.)
    • Create the VM on a VPC network that is peered with the Managed Microsoft AD domain.
  • Install realmd on the VM. Learn about realm.

    To install realmd, run the following commands:

    Ubuntu 16.04 LTS

    apt-get update
    apt-get install realmd sssd packagekit
    

    RHEL 8.2 (Ootpa)

    sudo yum install realmd oddjob oddjob-mkhomedir sssd adcli
    

Joining a Linux VM to a domain

To join a Linux VM to a domain, complete the following steps. Both Ubuntu 16.04 LTS and RHEL 8.2 use realm.

  1. Run the following command:

    realm join domain-name -U 'username@domain-name'
    

    For verbose output, add the -v flag to the end of the command.

  2. At the prompt, enter the password for username@domain-name.

You should receive a message indicating a successful domain-join.

Specifying account location with realm join

By default, the realm join command creates a machine account that is located at:

CN=account-name,OU=Computers,OU=Cloud,DC=machine,DC=mid-level,DC=extension

To specify where to create the account, use the --computer-ou flag to provide the path for the realm join command.

The username@domain-name account must have the permissions that are required to create accounts in the specified OU. By default, members of the Cloud Service Domain Join Accounts group have this permission. Learn about the groups that Managed Microsoft AD creates for you.

realm join domain-name \
    --computer-ou="OU=org-unit,DC=machine,DC=mid-level,DC=extension" \
    -U 'username@domain-name'
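
One way to build the --computer-ou value instead of typing the distinguished name by hand, as an added example that is not part of the original page. The helper names and the ad.example.com domain are assumptions made up for illustration; the script splits the DNS domain into DC= components and escapes RFC 4514 special characters in OU names so that a comma or quote in a name cannot change the path.

```shell
#!/bin/sh
# Added example: build the --computer-ou distinguished name for `realm join`.
# Helper names and the ad.example.com domain are hypothetical.

# Escape RFC 4514 special characters in one attribute value (an OU name).
escape_rdn_value() {
    printf '%s' "$1" | sed -e 's/[\\",+;<>]/\\&/g' \
                           -e 's/^[# ]/\\&/' \
                           -e 's/ $/\\ /'
}

# domain_to_dn ad.example.com -> DC=ad,DC=example,DC=com
domain_to_dn() {
    # Reject anything that is not a plain dotted DNS name.
    case "$1" in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*)
            echo "invalid domain name: $1" >&2
            return 1 ;;
    esac
    printf '%s\n' "$1" | sed -e 's/^/DC=/' -e 's/\./,DC=/g'
}

# computer_ou_dn DOMAIN OU [PARENT_OU ...]
# OU names are given leaf first, the order they appear in the DN.
computer_ou_dn() {
    base=$(domain_to_dn "$1") || return 1
    shift
    [ "$#" -gt 0 ] || { echo "need at least one OU name" >&2; return 1; }
    dn=
    for ou in "$@"; do
        [ -n "$ou" ] || { echo "empty OU name" >&2; return 1; }
        dn="${dn}OU=$(escape_rdn_value "$ou"),"
    done
    printf '%s%s\n' "$dn" "$base"
}

# Constructed sample values; prints the DN only, nothing is joined.
computer_ou_dn ad.example.com org-unit
# Usage on a VM:
#   realm join ad.example.com \
#       --computer-ou="$(computer_ou_dn ad.example.com org-unit)" \
#       -U 'username@ad.example.com'
```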

Removing a Linux VM from a domain

To remove a Linux VM from the domain-name domain, run the following command. Both Ubuntu 16.04 LTS and RHEL 8.2 use realm.

realm leave domain-name -U 'username@domain-name'

What's next