- Use dnshostname=$(hostname -f) to register correct dNSHostName
  (e.g. host.office.etersoft.ru instead of host.etersoft.ru)
- Replace deprecated -k with --use-kerberos=required
- Add idempotency: check testjoin status before joining
- If already joined, verify keytab has correct FQDN
- If machine account is broken, leave and rejoin

Note: requires msDS-AllowedDNSSuffixes on DC to include the DNS subdomain
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>