Creating Computers and Joining a Domain

The default configuration of Windows Server 2008, 2003, Windows Vista, Windows XP, and Windows 2000 is that the computer belongs to a workgroup.

Before you can log on to a computer with a domain account, that computer must belong to the domain. To join the domain, the computer must have an account in the domain which, like a user account, includes a logon name (sAMAccountName), a password, and a security identifier (SID) that uniquely represent the computer as a security principal in the domain.

Those credentials enable the computer to authenticate against the domain and to create a secure relationship that then enables users to log on to the system with domain accounts.

A Windows 2000/2003/2008/XP Professional machine can be either a member of a Domain or a Workgroup. The full benefits of Windows 2000/2003/2008/XP can only be achieved by placing all of the computers on the network into domains. N.B. In order to utilise all of the features of Windows 2x domains, computers must be running either Windows 2000/XP Professional or Windows 2000/2003/2008 Server families.

In a workgroup configuration, computers are connected but there is no central control. Although files and folders may still be shared, security policies have to be set at each individual computer, because every computer in a workgroup stores its own security database. For example, a new user, Fred, would have to be created on every single computer. This can become troublesome in larger environments. Even though the user account Fred has been created four times, Fred's profile might be different on each machine, e.g. Fred might see a different desktop screen on each computer.

In a domain environment all security policies are managed centrally, i.e. the domain controller decides what all the client machines can and cannot do, allowing for a more secure and easily managed network environment. Fred's details are stored on the domain controller, which downloads them to whichever workstation he logs on to. Fred can now log on to any computer in the domain and his profile will follow him, e.g. his desktop, wallpaper and My Documents folder will be the same on all the machines in the domain.

Identifying Requirements for Joining a Computer to the Domain
Three things are required for you to join a computer to an Active Directory domain:

  • A computer object must be created in the directory service.
  • You must have appropriate permissions to the computer object. The permissions allow you to join a computer with the same name as the object to the domain.
  • You must be a member of the local Administrators group on the computer to change its domain or workgroup membership.

Computers Container

When you create a domain, the Computers container is created by default (CN=Computers, . . .). This container is not an organizational unit (OU); it is an object of class container. There are subtle but important differences between a container and an OU. You cannot create an OU within a container, so you cannot subdivide the Computers container, and you cannot link a Group Policy object to a container. Therefore, it is highly recommended to create custom OUs to host computer objects instead of using the Computers container.

Creating OUs for Computers

You should consider creating at least two OUs for computer objects: one to host client computer accounts and another for servers. These two OUs are in addition to the Domain Controllers OU created by default during the installation of Active Directory. In each of these OUs, computer objects can be created. There is no technical difference between a computer object in a clients OU and a computer object in a servers or domain controllers OU; computer objects are computer objects. But separate OUs are typically created to provide unique scopes of management so that you can delegate management of client objects to one team and server objects to another.

Two OUs created for all computer accounts.

You might consider further dividing your client and server OUs by creating sub-OUs beneath a server or client OU to collect and manage specific types of computers, for example an OU for file and print servers and an OU for database servers. By doing so, the team of administrators for each type of server can be delegated permissions to manage computer objects in the appropriate OU.

Delegating Permission to Create Computers

You can delegate the permission to create computer objects to the appropriate administrators or support personnel. The permission required to create a computer object is Create Computer Objects. This permission, assigned to a group for an OU, allows members of the group to create computer objects in that OU. To assign this permission you will need to enable the Advanced Features view in Active Directory Users and Computers.

  • Select View and click Advanced Features.
  • Right-click the OU and select Properties.
  • Click Advanced.
  • Click Add.
  • Select the group and click OK.
  • Select the Object tab.
  • Ensure that Apply to: This object and all descendant objects is selected.
  • Select Create Computer objects.
  • Click OK.
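The OU layout and the delegation described above, as an added PowerShell example (not part of the lesson): it creates the client and server OUs with role sub-OUs, then grants Create Computer Objects on the Clients OU to a support group, which is what the Advanced Features dialog does by hand. The OU names and the group name Desktop-Support are assumptions; the GUID is the schemaIDGUID of the computer class, which scopes the CreateChild right to computer objects only.

```powershell
# Added example, not the lesson's own procedure. Run on a machine with RSAT
# as an account that can create OUs and modify their security descriptors.
# OU names and the 'Desktop-Support' group are assumed placeholders.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# Two top-level OUs (clients, servers), each subdivided by computer role.
$layout = @{
    'Clients' = @('Desktops', 'Laptops')
    'Servers' = @('File and Print', 'Database')
}
foreach ($parent in $layout.Keys) {
    New-ADOrganizationalUnit -Name $parent -Path $domainDN
    foreach ($child in $layout[$parent]) {
        New-ADOrganizationalUnit -Name $child -Path "OU=$parent,$domainDN"
    }
}

# Delegate: members of Desktop-Support may create computer objects, and only
# computer objects, in the Clients OU and every OU beneath it.
$ouDN  = "OU=Clients,$domainDN"
$group = Get-ADGroup -Identity 'Desktop-Support'
# schemaIDGUID of the 'computer' class, so CreateChild applies to that class only
$computerClass = [Guid] 'bf967a86-0de6-11d0-a285-00aa003049e2'

$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$ouDN"      # AD: drive comes from the ActiveDirectory module
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: the group should now show CreateChild, scoped to the computer class,
# inherited by all descendant objects (the same view as the Advanced dialog).
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*\Desktop-Support' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```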

New Domain Clients

To join a domain, the client must have the correct TCP/IP settings and point to the DNS server that hosts the domain. You must also have an account with appropriate privileges to join a computer to the domain; normally this is the domain administrator. To join the client to the domain:

  • Right-click My Computer and select Properties.
  • Select Computer Name, then click Change. The computer Admin2 is currently a member of a workgroup.
  • Select the Domain option to join the client to a domain, and in the Domain box type the name of the domain, e.g. ES-NET. Click OK to accept.
  • The Domain Username and Password box will appear. Type in the username and password of a domain user who has the right to join clients to the domain, e.g. the Domain Administrator account. Click OK to continue.
  • Click OK to reboot the computer.

The new client appears on the Domain Controller inside the Computers container.

Prestaging Computers

The best practice is to prestage a computer account prior to joining the computer to the domain. Unfortunately, as seen previously, Windows enables you to join a computer to a domain without following best practices.
There are three problems with this behavior of Windows. First, the computer account created automatically by Windows is placed in the default computer container, which is not where the computer object belongs in most enterprises.
Second, you must move the computer from the default computer container into the correct OU, which is an extra step that is often forgotten.
Third, any user can join a computer to the domain—no domain-level administrative permissions are required. Because a computer object is a security principal, and because the creator of a computer object owns the object and can change its attributes, this exposes a potential security vulnerability.

To create the computer object:

  • Right-click the relevant OU and select New > Computer.
  • Type in the computer name.
  • To assign the right to join this computer to the domain, click Change, select the user or group and click OK.
  • Click Next, then click Finish. The new computer object has been created.
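The prestage-then-join sequence above, together with the earlier domain-join procedure and the three problems of unstaged joins, as an added PowerShell example (not part of the lesson): the object is created in the intended OU first, the client joins against it, and an audit function then lists anything that still landed in the default Computers container, reporting who created it. The Clients OU is an assumption from the earlier section; the computer name Admin2 and domain ES-NET come from the lesson.

```powershell
# Added example, not the lesson's own procedure.
Import-Module ActiveDirectory

# --- 1. Prestage (run with RSAT by an account that holds Create Computer
#        Objects on the target OU; that account becomes the object's owner) ---
$domainDN  = (Get-ADDomain).DistinguishedName
$clientsOU = "OU=Clients,$domainDN"     # assumed OU from the earlier example

New-ADComputer -Name 'Admin2' -SAMAccountName 'Admin2$' -Path $clientsOU -Enabled $true

# --- 2. Join (run on the client itself, in an elevated session). Because the
#        object already exists, the join binds to it instead of creating a new
#        one in CN=Computers; the credential must have rights on that object. ---
$cred = Get-Credential -Message 'Account allowed to join Admin2 to ES-NET'
Add-Computer -DomainName 'ES-NET' -Credential $cred -Restart

# --- 3. Audit: computers that bypassed prestaging. Objects in the default
#        container are in the wrong place; a populated mS-DS-CreatorSID means the
#        object was created by a non-administrator through the join itself. ---
function Get-UnstagedComputer {
    $domainDN = (Get-ADDomain).DistinguishedName
    Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDN" -SearchScope OneLevel `
                   -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $creator = $null
        $raw = $_.'mS-DS-CreatorSID'        # octet string -> byte[]
        if ($raw) {
            $sid = [System.Security.Principal.SecurityIdentifier]::new($raw, 0)
            try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = $sid.Value }  # creator no longer resolvable; keep the SID
        }
        [pscustomobject]@{
            Name      = $_.Name
            Created   = $_.whenCreated
            CreatedBy = $creator             # $null: created by an administrator
        }
    }
}

Get-UnstagedComputer | Sort-Object Created | Format-Table -AutoSize
```

Anything the audit lists should be moved into the correct OU, and a non-empty CreatedBy column is the concrete trace of the third problem described above.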