Use novell-ad-util to disjoin an OES server from the AD domain. You cannot disjoin from the AD domain by using YaST or NSSMU.
To disjoin the OES host from the Active Directory domain, execute the following:
1. kinit Administrator@EXAMPLE.COM
   Authenticates the administrator with the AD server, where "Administrator" is the domain admin or a user with sufficient rights and "EXAMPLE.COM" is the AD domain.
2. novell-ad-util --leave-domain --domain-name EXAMPLE.COM
To disjoin a cluster resource from the Active Directory domain, execute the following:
1. kinit Administrator@EXAMPLE.COM
   Authenticates the administrator with the AD server, where "Administrator" is the domain admin or a user with sufficient rights and "EXAMPLE.COM" is the AD domain.
2. Run the following command on the node where the cluster resource is running.
   kinit Administrator@EXAMPLE.COM
   novell-ad-util --leave-domain --cluster-resource .cn=CLUSTER-OES2018-POOLSERVER.o=novell.t=NSSAD_CLUSTER. --domain-name EXAMPLE.COM
3. Run the following command on all the cluster nodes except the node where step 2 is performed.
   novell-ad-util --purge 0 --cluster-resource .cn=CLUSTER-OES2018-POOLSERVER.o=novell.t=NSSAD_CLUSTER.
   Removes all the keytab entries of the cluster resource specified in the default keytab file.
4. If any additional SPNs were added by using --add-spn and are not removed from the keytab file after step 3, run the following command:
   novell-ad-util --remove-spn --service-principal cifs/res.mydomain.com --cluster-resource .cn=CLUSTER-OES2018-POOLSERVER.o=novell.t=NSSAD_CLUSTER.
   Removes the keytab entries for cifs/res.mydomain.com from the default keytab file.
To ensure that the domain leave is successful, verify the following:
Computer objects in the AD domain representing the OES host and cluster resources are removed.
Keytab entries are removed from /etc/krb5.keytab.
klist -k | grep <netbios name of OES host>
The output should be empty after the OES host leaves the domain.
klist -k | grep <netbios name of a cluster resource>
Execute this command from all the cluster nodes. The output should be empty after the cluster resource leaves the domain.
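
The keytab check above as a reusable script; this is an added example, not part of the OES documentation or tooling. It matches names case-insensitively (the grep shown is case-sensitive) and collapses the repeated rows that klist -k prints when a principal has several keys. The host name OESHOST and the sample klist output are constructed.

```bash
#!/bin/bash
# Added example: report keytab entries left behind after a domain leave.

# Constructed sample of `klist -k` output (one row per key, so principals repeat).
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/oeshost.example.com@EXAMPLE.COM
   2 host/oeshost.example.com@EXAMPLE.COM
   2 OESHOST$@EXAMPLE.COM
   3 cifs/res.mydomain.com@EXAMPLE.COM
   1 nfs/other.example.com@EXAMPLE.COM
EOF
}

# residual_principals NAME...
# Reads `klist -k` output on stdin; prints "KVNO principal" once for every
# principal containing any NAME, compared case-insensitively.
residual_principals() {
    awk -v names="$*" '
        BEGIN { n = split(tolower(names), want, " ") }
        $1 ~ /^[0-9]+$/ && NF >= 2 {          # data rows start with a KVNO
            p = tolower($2)
            for (i = 1; i <= n; i++)
                if (index(p, want[i]) && !seen[$1 " " $2]++) { print $1, $2; break }
        }'
}

# check_leave NAME...
# Exit status 0 if no matching entry remains, 1 otherwise (details on stderr).
check_leave() {
    local left
    left=$(residual_principals "$@")
    [ -z "$left" ] && return 0
    printf 'Residual keytab entries:\n%s\n' "$left" >&2
    return 1
}

# Real use, on every cluster node: klist -k | check_leave <netbios names...>
sample_klist_output | check_leave OESHOST || echo "domain leave incomplete"
```

Pass the NetBIOS names of the OES host and of each cluster resource, plus any SPN host names such as res.mydomain.com, so that entries added with --add-spn are also caught.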