diff --git a/roles/samba-dc/defaults/main.yml b/roles/samba-dc/defaults/main.yml index d788643..45f3335 100644 --- a/roles/samba-dc/defaults/main.yml +++ b/roles/samba-dc/defaults/main.yml @@ -1 +1,2 @@ samba_dc_use_rfc2307: true +samba_is_first_dc: false diff --git a/roles/samba-dc/library/samba_domain b/roles/samba-dc/library/samba_domain index 78fe228..759e10a 100644 --- a/roles/samba-dc/library/samba_domain +++ b/roles/samba-dc/library/samba_domain @@ -55,6 +55,20 @@ def main(): 'SAMBA_INTERNAL', ], ), + username=dict( + required=False, + ), + password=dict( + required=False, + no_log=True, + ), + state=dict( + required=True, + choices=[ + 'provisioned', + 'joined', + ], + ), ), supports_check_mode=True, ) @@ -63,6 +77,9 @@ def main(): domain = module.params['domain'] or realm.split('.')[0] use_rfc2307 = module.params['use_rfc2307'] dns_backend = module.params['dns_backend'] + state = module.params['state'] + username = module.params['username'] + password = module.params['password'] samba_tool = module.get_bin_path('samba-tool', required=True) samba = module.get_bin_path('samba', required=True) @@ -93,12 +110,30 @@ def main(): cmd = [ samba_tool, 'domain', - 'provision', - '--realm={}'.format(realm), - '--domain={}'.format(domain), ] - if use_rfc2307: - cmd.append('--use-rfc2307') + if state == 'provisioned': + cmd += [ + 'provision', + '--realm={}'.format(realm), + '--domain={}'.format(domain), + ] + if use_rfc2307: + cmd.append('--use-rfc2307') + else: + cmd += [ + 'join', + realm, + 'DC', + ] + if username and password: + cmd += [ + '--username', username, + '--password', password, + ] + else: + cmd += [ + '--kerberos', 'true', + ] if dns_backend: cmd += ('--dns-backend', dns_backend) rc, out, err = module.run_command(cmd, check_rc=True) diff --git a/roles/samba-dc/tasks/main.yml b/roles/samba-dc/tasks/main.yml index 2635240..ed3ec3a 100644 --- a/roles/samba-dc/tasks/main.yml +++ b/roles/samba-dc/tasks/main.yml 
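Review bot: The new default `samba_is_first_dc: false` in roles/samba-dc/defaults/main.yml changes what an existing play does. Before this commit the role always ran `samba-tool domain provision`; now a host that does not set the variable takes the join branch. A comment above the default, such as `# Set to true on exactly one host: it provisions the domain, every other host joins it`, would make that explicit. Whether `false` is the right default depends on how existing inventories use the role.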
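Review bot: `state` is declared `required=True` with no default in the samba_domain argument spec, so any existing task that calls the module without `state` now fails argument validation. Using `default='provisioned'` with `required=False` would keep the previous behaviour. `username` and `password` are only used as a pair in the later command-building hunk, where a lone `username` silently falls through to `--kerberos true`. Adding `required_together=[['username', 'password']],` next to `supports_check_mode=True` would turn that misconfiguration into an explicit error. main() starts and ends outside this hunk.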
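Review bot: In the `else` (join) branch the password is appended to `cmd` as `'--password', password`, so it becomes part of the samba-tool argument list and is readable by other local accounts through the process table while the join runs. `no_log=True` on the parameter only protects Ansible's own output and logs, not the child process's argv. Prefer passing the secret outside argv, for instance through `module.run_command`'s `environ_update=` or `data=` arguments. That only works if the targeted samba-tool version can read the password from the environment or stdin, which needs confirming against its documentation. If argv has to stay, a comment such as `# NOTE: password is visible in the process list for the duration of the join` above the `'--password'` line would at least record the exposure.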
@@ -32,6 +32,9 @@ domain={{ netbios_domain|d(omit) }} use_rfc2307={{ samba_dc_use_rfc2307 }} dns_backend={{ samba_dc_dns_backend|d(omit) }} + username={{ samba_dc_join_username|d(omit) }} + password={{ samba_dc_join_password|d(omit) }} + state={{ 'provisioned' if samba_is_first_dc else 'joined' }} register: samba_dc_provision notify: - restore samba file contexts
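Review bot: `state={{ 'provisioned' if samba_is_first_dc else 'joined' }}` tests the raw variable, so a string value such as "false" (from `-e` or an INI inventory) is truthy and would select `provisioned` on a host meant to join. Writing `samba_is_first_dc|bool` avoids that. The `password={{ samba_dc_join_password|d(omit) }}` line uses the inline key=value form, which is split on whitespace, so a password containing spaces or quotes may be parsed incorrectly. Writing this task's arguments as a YAML dictionary would pass the value intact. The task starts above this hunk.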