Recipe 2.9. Joining a Server to a Domain


Problem

You want to join a server to an Active Directory domain so that users in the domain can access resources on the server.

Solution

Using a graphical user interface

  1. Log on to the computer you want to join and open the System applet in Control Panel.

  2. Click the Change button.

  3. Under Member of, select Domain.

  4. Enter the domain you want to join and click OK.

  5. You may be prompted to enter credentials that have permission to join the computer.

  6. Reboot the computer.

  7. Note that the tabs in the System applet vary between Windows 2000, Windows XP, and Windows Server 2003.

Using a command-line interface

The following command joins a computer to a domain:

> netdom join <ComputerName> /Domain <DomainName> /UserD <DomainUserUPN> /PasswordD * /UserO <ComputerAdminUser> /PasswordO * /Reboot

The last character in the /UserO and /PasswordO options is the letter O, not the number 0.


Using VBScript

' This code joins a server to a domain.
' ------ SCRIPT CONFIGURATION ------
strComputer     = "<ComputerName>"       ' e.g. joe-xp
strDomain       = "<DomainName>"         ' e.g. rallencorp.com
strDomainUser   = "<DomainUserUPN>"      ' e.g. administrator@rallencorp.com
strDomainPasswd = "<DomainUserPasswd>"
strLocalUser    = "<ComputerAdminUser>"  ' e.g. administrator
strLocalPasswd  = "<ComputerUserPasswd>"
' ------ END CONFIGURATION ---------

' Constants (FJoinOptions flags for Win32_ComputerSystem.JoinDomainOrWorkGroup)
Const JOIN_DOMAIN             = 1
Const ACCT_CREATE             = 2
Const ACCT_DELETE             = 4
Const WIN9X_UPGRADE           = 16
Const DOMAIN_JOIN_IF_JOINED   = 32
Const JOIN_UNSECURE           = 64
Const MACHINE_PASSWORD_PASSED = 128
Const DEFERRED_SPN_SET        = 256
Const INSTALL_INVOCATION      = 262144

' Connect to Computer
set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
' Level 6 = packet privacy: the DCOM traffic (including the passwords
' passed below) is encrypted on the wire
objWMILocator.Security_.AuthenticationLevel = 6
set objWMIComp = objWMILocator.ConnectServer(strComputer,  _
                                             "root\cimv2", _
                                             strLocalUser, _
                                             strLocalPasswd)
set objWMICompSys = objWMIComp.Get( _
                           "Win32_ComputerSystem.Name='" & _
                           strComputer & "'")

' Join Computer (parameters: Name, Password, UserName, AccountOU, FJoinOptions)
intRC = objWMICompSys.JoinDomainOrWorkGroup(strDomain, _
                                            strDomainPasswd, _
                                            strDomainUser, _
                                            vbNullString, _
                                            JOIN_DOMAIN)
if intRC <> 0 then
    WScript.Echo "Join failed with error: " & intRC
else
    WScript.Echo "Successfully joined " & strComputer & " to " & strDomain
end if

Discussion

To join a computer to Active Directory, a computer account must be created in the domain. You can create this account before joining the computer or, in some cases, the account can be created during the join operation.

Using a graphical user interface

If you have the correct permissions in Active Directory, you can actually create a computer object at the same time as you join it to a domain via the instructions described in the graphical solution. Since the System applet doesn't allow you to specify an OU for the computer object, if it needs to create a computer object it will do so in the default cn=Computers container. However, the computer object may be pre-created in an alternate OU if you so desire.

With Windows Server 2003 Active Directory you can change the default container for computer objects. See Recipe 8.12 in Active Directory Cookbook (O'Reilly).


Using a command-line interface

The netdom.exe command attempts to create a computer object for the computer during a join if one does not already exist. An optional /OU option can be added to specify the OU in which to create the computer object. To do so, you'll need to have the necessary permissions to create and manage computer objects in the specified OU.

There are some restrictions on running the netdom join command against a remote machine. If a Windows XP machine has the ForceGuest security policy setting enabled, you cannot join it to a domain remotely. Running the netdom command directly on the machine works regardless of the ForceGuest setting.

Using VBScript

In order for the Win32_ComputerSystem::JoinDomainOrWorkGroup method to work remotely, you have to use an AuthenticationLevel equal to 6 so that the traffic between the two machines (namely the passwords) is encrypted. You can also create computer objects using JoinDomainOrWorkGroup by using the ACCT_CREATE flag in combination with JOIN_DOMAIN.

This function works only with Windows XP and Windows Server 2003 and is not available for Windows 2000 and earlier machines.


Just as with the netdom utility, you cannot run this script against a remote computer if that computer has the ForceGuest setting enabled.
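The same WMI join written in PowerShell, as an added example that is not from the book: it combines JOIN_DOMAIN with the ACCT_CREATE flag described above so the computer object is created in an OU you choose, uses PacketPrivacy (the same DCOM authentication level 6 as the VBScript) so the credentials are encrypted in transit, prompts for passwords instead of storing them in the script, and translates common return codes. The computer, domain and OU values are placeholders.

```powershell
# Added example (not the book's code): WMI domain join from PowerShell with
# JOIN_DOMAIN + ACCT_CREATE, the target OU supplied as AccountOU, and
# PacketPrivacy (= AuthenticationLevel 6) so passwords are encrypted on the wire.
param(
    [string]$ComputerName = '<ComputerName>',   # placeholder, e.g. joe-xp
    [string]$DomainName   = '<DomainName>',     # placeholder, e.g. rallencorp.com
    [string]$OUPath       = '<OU-DN>'           # placeholder, e.g. OU=Servers,DC=rallencorp,DC=com
)

# FJoinOptions flag values for Win32_ComputerSystem.JoinDomainOrWorkgroup
$JOIN_DOMAIN = 1
$ACCT_CREATE = 2

# Prompt for both accounts rather than embedding passwords in the script file.
# Local account: enter as <ComputerName>\<user>; domain account: enter as a UPN.
$localCred  = Get-Credential -Message "Local administrator on $ComputerName"
$domainCred = Get-Credential -Message "Domain account allowed to create computer objects in $OUPath"

# PacketPrivacy is the DCOM authentication level the VBScript sets to 6
$cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName `
        -Credential $localCred -Authentication PacketPrivacy

# Method parameters: Name, Password, UserName, AccountOU, FJoinOptions
$domainNet = $domainCred.GetNetworkCredential()
$result = $cs.JoinDomainOrWorkgroup($DomainName, $domainNet.Password,
            $domainCred.UserName, $OUPath, ($JOIN_DOMAIN -bor $ACCT_CREATE))

# Partial mapping of Win32/NetAPI codes that NetJoinDomain commonly returns
$codes = @{
    0    = 'Success'
    5    = 'Access denied (check rights on the OU and the local account)'
    53   = 'Network path not found (RPC/SMB to the target unreachable)'
    1326 = 'Logon failure: bad user name or password'
    1355 = 'Domain not found (DNS/SRV lookup for the domain failed)'
    2224 = 'Computer account already exists'
    2691 = 'Machine is already joined to a domain'
}

# ReturnValue arrives as UInt32; cast so the Int32 hashtable keys match
$rc = [int]$result.ReturnValue
if ($rc -eq 0) {
    Write-Output "Joined $ComputerName to $DomainName in $OUPath; reboot required"
} else {
    $text = if ($codes.ContainsKey($rc)) { $codes[$rc] } else { 'see the NetJoinDomain documentation' }
    Write-Output "Join failed with error ${rc}: $text"
}
```

As with netdom and the VBScript, the call fails against a remote Windows XP machine that has ForceGuest enabled; the join still requires a reboot, which this script leaves to the operator.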

See Also

Recipe 8.12 in Active Directory Cookbook (O'Reilly) for more on changing the default computers container; the following URL for more information on the ForceGuest setting: http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/prde_ffs_ypuh.asp; MS KB 238793 (Enhanced Security Joining or Resetting Machine Account in Windows 2000 Domain); MS KB 251335 (Domain Users Cannot Join Workstation or Server to a Domain); MS KB 290403 (How to Set Security in Windows XP Professional That Is Installed in a Workgroup); MSDN: Win32_ComputerSystem::JoinDomainOrWorkgroup; and MSDN: NetJoinDomain.



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen