How to Fix “AlmaLinux Failed to Join Windows Active Directory Domain” Error
Introduction
If you’re trying to join an AlmaLinux server to a Windows Active Directory (AD) domain and running into errors, you’re not alone. A common culprit is the use of RC4 encryption, which newer Windows environments may reject for security reasons.
In this guide, I’ll walk you through diagnosing and resolving the “failed to join domain” issue — with clear steps, tips, and background explanation to help you get your Linux host smoothly connected to your AD domain.
Why It Fails: RC4 Encryption Is Often the Root Cause
When a Linux host joins AD, the Kerberos encryption types (enctypes) must overlap on both sides: the set the client's Kerberos library is permitted to negotiate, and the set the domain controller and the computer account allow. The mismatch can come from either side. Hardened Windows domains disable RC4 (a weak cipher) for Kerberos, so a client that offers only RC4 is refused. Conversely, AlmaLinux 9 ships with a system crypto policy whose DEFAULT setting leaves RC4 out of the permitted Kerberos enctypes, so a domain whose accounts are still limited to RC4 fails on the client side, typically with "KDC has no support for encryption type". Either way the symptom is the same: the join fails.
Before any other troubleshooting, confirm that the enctypes AlmaLinux is permitted to use intersect with those the domain accepts; the rest of the procedure assumes they do.
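The alignment described above can be checked mechanically. The script below is an added example, not code from the original article: it decodes the msDS-SupportedEncryptionTypes bitmask of a computer account (the value you see from ldapsearch or from Get-ADComputer -Properties msDS-SupportedEncryptionTypes on a domain controller) and intersects it with the permitted_enctypes line of a krb5.conf-style file on the client (on AlmaLinux 9 the crypto policy writes that line to /etc/krb5.conf.d/crypto-policies). The helper names and the two sample policy files are this script's own; the sample values only resemble the DEFAULT and DEFAULT:AD-SUPPORT policies and are constructed for the demo.

```shell
#!/bin/sh
# enctype-align.sh: added example, not code from the original article.
# Decodes a computer account's msDS-SupportedEncryptionTypes bitmask (AD side)
# and intersects it with permitted_enctypes from a krb5.conf-style file (client
# side). Helper names and the sample policy files are this script's own.

# Bit values of msDS-SupportedEncryptionTypes; any newer bits are ignored.
decode_enctypes() {
    mask=$(( $1 )) out=""
    [ $(( mask & 1 ))  -ne 0 ] && out="$out des-cbc-crc"
    [ $(( mask & 2 ))  -ne 0 ] && out="$out des-cbc-md5"
    [ $(( mask & 4 ))  -ne 0 ] && out="$out arcfour-hmac"
    [ $(( mask & 8 ))  -ne 0 ] && out="$out aes128-cts-hmac-sha1-96"
    [ $(( mask & 16 )) -ne 0 ] && out="$out aes256-cts-hmac-sha1-96"
    printf '%s\n' "${out# }"
}

# MIT krb5 accepts several aliases per enctype; fold them to one name each.
canon() {
    case $1 in
        rc4-hmac|arcfour-hmac-md5|arcfour-hmac)         echo arcfour-hmac ;;
        aes256-sha1|aes256-cts|aes256-cts-hmac-sha1-96) echo aes256-cts-hmac-sha1-96 ;;
        aes128-sha1|aes128-cts|aes128-cts-hmac-sha1-96) echo aes128-cts-hmac-sha1-96 ;;
        *) echo "$1" ;;
    esac
}

# Client side: the permitted_enctypes line of a krb5.conf-style file. On
# AlmaLinux 9 the crypto policy writes it to /etc/krb5.conf.d/crypto-policies.
permitted_enctypes() {
    awk -F= '/^[ \t]*permitted_enctypes[ \t]*=/ {
        v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

# Enctypes both sides can use, in the client's preference order. Exit status 1
# when the intersection is empty, which is the condition behind the join error.
common_enctypes() {
    mask=$1 file=$2 found=""
    server=$(decode_enctypes "$mask")
    for c in $(permitted_enctypes "$file"); do
        c=$(canon "$c")
        for s in $server; do
            [ "$c" = "$s" ] && found="$found $c"
        done
    done
    printf '%s\n' "${found# }"
    [ -n "$found" ]
}

# Constructed sample policies resembling AlmaLinux 9 DEFAULT (no RC4) and
# DEFAULT:AD-SUPPORT (RC4 added back), written into the directory given.
write_sample_policies() {
    aes="aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac"
    printf '[libdefaults]\npermitted_enctypes = %s\n' "$aes" > "$1/default"
    printf '[libdefaults]\npermitted_enctypes = %s arcfour-hmac-md5\n' "$aes" > "$1/ad-support"
}

# Demo: an account whose attribute says RC4 only (0x4) and one that says
# RC4+AES128+AES256 (0x1c), each against both policies.
dir=$(mktemp -d)
write_sample_policies "$dir"
for mask in 0x4 0x1c; do
    for pol in default ad-support; do
        printf 'account=%s policy=%s common=' "$mask" "$pol"
        common_enctypes "$mask" "$dir/$pol" || echo "  -> NONE: join would fail"
    done
done
rm -rf "$dir"
```

The RC4-only account against the DEFAULT policy is the AlmaLinux 9 failure case; the same account against DEFAULT:AD-SUPPORT joins, but only over RC4, which is exactly what a hardened domain will refuse. The account with AES bits set joins under either policy, and that is the state to aim for.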
Step-by-Step Fix: Join AlmaLinux to AD Successfully
Here’s a detailed procedure you can follow. Adjust domain names, hostnames, and configurations to match your environment.
1. Update Your System & Install Required Packages
sudo dnf update -y
sudo dnf install -y realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools krb5-workstation
These packages provide domain discovery and the join itself (realmd, adcli), the identity and authentication backend (sssd), home directory creation at first login (oddjob, oddjob-mkhomedir), Samba's net tool for the case where realmd joins through Samba instead of adcli (samba-common-tools), and kinit/klist for testing Kerberos (krb5-workstation).
2. Set Hostname & DNS
- Use hostnamectl to set a fully qualified hostname:
sudo hostnamectl set-hostname myserver.example.com
- Make sure /etc/hosts and the DNS records for the host agree with that hostname and domain.
- Point the resolver (/etc/resolv.conf, or the NetworkManager or systemd-resolved setting that writes it) at the domain controller's DNS, because the join locates domain controllers through SRV records that only AD-aware DNS serves.
3. Discover the Domain
realm discover example.com
You should get the realm name, the server and client software (active-directory, sssd), whether the host is already configured, and the packages the join requires. If discovery prints nothing, DNS is the problem, not encryption.
4. Join the Domain and Align Encryption Types
Join with realmd, which drives adcli and writes the initial sssd.conf:
realm join --user=administrator --computer-ou="OU=Servers,DC=example,DC=com" example.com \
--client-software=sssd --verbose
realm join has no option for encryption types. Two things decide what gets negotiated: the enctypes the client's Kerberos library is permitted to use, and the msDS-SupportedEncryptionTypes attribute that adcli sets on the computer object it creates. On AlmaLinux 9 the client side is governed by the system crypto policy: DEFAULT leaves RC4 out of permitted_enctypes (see /etc/krb5.conf.d/crypto-policies), and the AD-SUPPORT subpolicy adds it back:
sudo update-crypto-policies --set DEFAULT:AD-SUPPORT
Use that only while the domain still depends on RC4; the target state is AES on both sides, which the AlmaLinux default already enforces. To watch the join at the adcli layer, run it directly with the same verbosity:
adcli join example.com --domain-realm EXAMPLE.COM --login-user administrator \
--domain-ou "OU=Servers,DC=example,DC=com" --verbose
Check which encryption types the domain and its computer accounts accept, and do not reintroduce RC4 unless the domain leaves you no choice.
5. Configure /etc/sssd/sssd.conf
realm join writes this file for you; check that it contains a domain block like the following (the name after domain/ must match the domains= entry in [sssd]):
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam
[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
id_provider = ad
access_provider = ad
ldap_id_mapping = true
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
enumerate = false
fallback_homedir applies only when AD supplies no home directory; do not also set override_homedir, which replaces the AD value unconditionally and makes fallback_homedir dead. krb5_realm is the DNS domain in upper case.
Important: Permissions on sssd.conf must be tight:
chmod 600 /etc/sssd/sssd.conf
chown root:root /etc/sssd/sssd.conf
6. Start & Enable SSSD, Test Authentication
sudo systemctl enable sssd
sudo systemctl restart sssd
Use getent passwd administrator@example.com or id administrator@example.com to verify that domain accounts resolve through SSSD (realmd enables fully qualified names by default, so use the user@domain form; EXAMPLE\user also parses with the AD provider's default name rules). A successful kinit administrator@EXAMPLE.COM confirms the Kerberos side independently of SSSD.
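The six steps above as one script, with the preflight checks that usually decide whether the join works. This is an added example, not the article's or realmd's own code: the domain, hostname, OU and join account are the article's placeholders, the function names are this script's own, and the live path assumes root on AlmaLinux with bind-utils installed for dig.

```shell
#!/bin/sh
# join-ad.sh: added example, not from the original article. Wraps the steps
# above in preflight checks and an idempotent join. Domain, hostname, OU and
# join account are placeholders; function names are this script's own.
# Usage (as root on AlmaLinux): ./join-ad.sh example.com myserver.example.com

JOIN_USER=administrator
COMPUTER_OU="OU=Servers,DC=example,DC=com"   # placeholder, adjust to your forest

# AD convention: the Kerberos realm is the DNS domain in upper case.
realm_for() { printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'; }

# The host must carry a FQDN inside the domain it joins; realmd derives the
# computer name and the host/ keytab principals from it.
fqdn_in_domain() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    dom=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    short=${host%.$dom}
    [ "$short" != "$host" ] && [ -n "$short" ]
}

# AD advertises its domain controllers in DNS; an empty answer here means the
# join fails no matter what the encryption settings are.
dc_srv_records() { dig +short SRV "_ldap._tcp.dc._msdcs.$1"; }

# SSSD refuses to start unless sssd.conf is root-owned with mode 0600.
sssd_conf_mode_ok() { [ "$(stat -c '%U:%a' "$1" 2>/dev/null)" = "root:600" ]; }

join_domain() {
    domain=$1 fqdn=$2
    realm=$(realm_for "$domain")
    fqdn_in_domain "$fqdn" "$domain" || { echo "$fqdn is not a host name inside $domain" >&2; return 1; }
    [ -n "$(dc_srv_records "$domain")" ] || { echo "no DC SRV records for $domain: fix DNS first" >&2; return 1; }

    echo "joining $fqdn to $domain (realm $realm)"
    hostnamectl set-hostname "$fqdn"
    echo "Kerberos enctypes the crypto policy permits (RC4 is absent under DEFAULT):"
    grep -h permitted_enctypes /etc/krb5.conf.d/crypto-policies /etc/krb5.conf 2>/dev/null

    if realm list | grep -qx "$domain"; then
        echo "already joined $domain"
    else
        realm discover "$domain" || return 1
        realm join --verbose --client-software=sssd --user="$JOIN_USER" \
            --computer-ou="$COMPUTER_OU" "$domain" || return 1
    fi

    sssd_conf_mode_ok /etc/sssd/sssd.conf || { chown root:root /etc/sssd/sssd.conf; chmod 600 /etc/sssd/sssd.conf; }
    systemctl enable sssd
    systemctl restart sssd
    # A lookup through SSSD proves NSS, the keytab and the realm all work.
    id "$JOIN_USER@$domain" && getent passwd "$JOIN_USER@$domain"
}

if [ "$#" -eq 2 ]; then
    join_domain "$1" "$2"
else
    echo "usage: $0 <domain> <fqdn>" >&2
fi
```

The FQDN check is deliberately strict: a short hostname, or one that merely contains the domain name, is rejected before realmd gets a chance to create a computer object with the wrong name. The SRV lookup is the fastest way to separate a DNS problem from an encryption problem.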
Extra Tips & Troubleshooting
- DNS is critical. AD locates domain controllers through SRV records (for example _ldap._tcp.dc._msdcs.example.com) and expects the host's own forward record to exist. If the resolver does not point at AD-aware DNS, the join fails before encryption is even negotiated.
- Check logs. journalctl -u sssd, the files under /var/log/sssd/, and the --verbose output of realm join or adcli join show encryption mismatches (typically "KDC has no support for encryption type"), other Kerberos errors, and LDAP authorization errors.
- Permissions on AD. The join account needs more than the right to create computer objects: adcli also sets the computer account password and writes attributes such as dNSHostName, servicePrincipalName, userAccountControl and msDS-SupportedEncryptionTypes, so a delegated join account must be allowed to write those attributes.
- Test encryption negotiation. kinit administrator@EXAMPLE.COM followed by klist -e shows the enctypes of the tickets you actually received; KRB5_TRACE=/dev/stderr kinit administrator@EXAMPLE.COM prints what the client offered and what the KDC answered; a packet capture of port 88 shows the same exchange on the wire.
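Reading klist -e by eye gets tedious once a host holds tickets for several services. The script below is an added example, not the article's code: it parses klist -e output and reports the ticket enctype per service principal, exiting non-zero when any ticket was issued with RC4. The embedded SAMPLE_KLIST is constructed to look like MIT klist output and is not a real capture; the --live switch and the rc4_tickets name are this script's own.

```shell
#!/bin/sh
# rc4-tickets.sh: added example, not from the original article. Parses the
# output of `klist -e` and reports each ticket's enctype, failing when any
# ticket was issued with RC4. SAMPLE_KLIST is constructed, not a real capture.

SAMPLE_KLIST='Ticket cache: KCM:0
Default principal: administrator@EXAMPLE.COM

Valid starting       Expires              Service principal
10/16/2025 09:00:00  10/16/2025 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
10/16/2025 09:00:05  10/16/2025 19:00:00  host/myserver.example.com@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac'

# Reads klist -e text on stdin and prints "<service principal> <ticket enctype>"
# per ticket. The "tkt" enctype is the one the service's key allowed, so an RC4
# value there points at the computer/service account, not at the client policy.
# Exit status 1 if any ticket enctype is RC4.
rc4_tickets() {
    awk '
        /^[0-9]/ { svc = $NF; next }          # ticket line: last field is the principal
        /Etype \(skey, tkt\):/ {
            sub(/.*tkt\): */, "")
            n = split($0, e, /, */)
            tkt = e[n]; sub(/[ \t]+$/, "", tkt)
            print svc, tkt
            if (tkt ~ /^(arcfour-hmac|rc4-hmac)/) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# To see the negotiation itself rather than its result, trace kinit:
#   KRB5_TRACE=/dev/stderr kinit administrator@EXAMPLE.COM
# shows the enctypes the client offered and any KDC rejection.

if [ "${1:-}" = "--live" ]; then
    klist -e | rc4_tickets
else
    printf '%s\n' "$SAMPLE_KLIST" | rc4_tickets || echo "RC4 ticket present"
fi
```

In the constructed sample the TGT is AES but the host/ ticket for the freshly joined machine is RC4: the domain and the user are fine, and it is the computer account's msDS-SupportedEncryptionTypes that still lacks the AES bits.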
Conclusion
Joining an AlmaLinux server to a Windows Active Directory domain fails when the Kerberos encryption types on the two sides do not overlap: hardened domains reject RC4, while AlmaLinux 9's default crypto policy does not offer it. By updating the system, installing the required packages, getting hostname and DNS right, checking the enctypes both sides permit, and verifying the SSSD configuration, you can clear the "failed to join domain" error and integrate your Linux host.