Adding Domain Client Computers

When a computer running Windows NT/2000/XP/.NET joins an Active Directory domain, a corresponding computer account is always created in the Computers container. You can then move this account to any desired OU or container. There is, however, an alternative way. It is possible to create the account before actually adding the computer to the domain (manually, or with the netdom ADD command). Pre-create the account in any container, and then add the computer using this account.

There are two main sources of problems that can prevent domain members running Windows 2000/XP/.NET from correctly joining or working with a domain:

  • DNS

  • Windows Time service

Verifying the Preferred DNS Server

To add a client computer (a workstation running Windows 2000/XP or a member server running Windows 2000/.NET) to an Active Directory domain, you should first verify the client's DNS settings and the availability of a DC that belongs to that domain. The updated version of the NetDiag.exe utility is the best instrument for that purpose. The test command and successful sample output are shown below:

    C:\>netdiag /test:DsGetDc /d:net.dom /v
    ...
    DC discovery test. . . . . . . . . : Passed
        Find DC in domain 'NET':
        Found this DC in domain 'NET':
            DC. . . . . . . . . . . : \\netdcl.net.dom
            Address . . . . . . . . : \\192.168.1.2
            Domain Guid . . . . . . : {36622959-3372-43E6-BBBA-8D77CAA1FC46}
            Domain Name . . . . . . : net.dom
            Forest Name . . . . . . : net.dom
            DC Site Name. . . . . . : NET-Site
            Our Site Name . . . . . : NET-Site
            Flags . . . . . . . . . : PDC emulator GC DS KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8
        Find PDC emulator in domain 'NET':
        Found this PDC emulator in domain 'NET':
            DC. . . . . . . . . . . : \\netdcl.net.dom
    ...
        Find Windows 2000 DC in domain 'NET':
        Found this Windows 2000 DC in domain 'NET':
            DC. . . . . . . . . . . : \\netdcl.net.dom
    ...
    The command completed successfully

This result indicates that you can add the tested computer to the specified domain.

When a client computer has already been added to a domain, you can verify that the operation completed successfully. Both commands, netdiag /test:DsGetDc and netdiag /test:DcList, should run successfully. The following example indicates that a problem exists: the command reports that, for some reason, the client cannot access the DC:

    C:\>netdiag /test:DcList /d:net.dom /v
    ...
    DC list test . . . . . . . . . . . : Failed
        Find DC in domain 'NET':
        Found this DC in domain 'NET':
            DC. . . . . . . . . . . : \\netdcl.net.dom
    ...
        You don't have access to DsBind to netdcl (192.168.1.2).
        [ERROR_ACCESS_DENIED]
        List of DCs in Domain 'NET':
            netdcl.net.dom
    The command completed successfully

DNS Settings and Domain Name

Make sure that the primary DNS suffix is properly set. (It is enough if the Change primary DNS suffix when domain membership changes checkbox is always set; in that case, the suffix is changed automatically and you need not worry about it.) An improper value may affect DNS registration of the computer name, which results in various errors, such as a failed secure channel, authentication problems, etc.

When a Windows XP/.NET client computer is removed from a domain, its primary DNS suffix is cleared, and as a result its name is de-registered from the domain's authoritative zone. On clients running Windows 2000 the primary DNS suffix remains, so the computer name is still present in the domain zone even though the computer itself no longer belongs to that domain.

If a computer running Windows 2000/XP/.NET is added to a domain, it is strongly recommended that you specify the DNS name of the domain rather than its NetBIOS name. (Nevertheless, the latter is also possible, especially if you perform the operation on a remote computer.) In any case, when a computer has been added to a domain, verify that a secure channel has been established between the computer and a domain controller. On the local computer, you can use the commands nltest /query and nltest /sc_query (see details in Chapter 11, "Verifying Network and Distributed Services"). For a remote computer, use the following command parameters:

    C:\>netdom VERIFY xp-pro3 /D:net.dom

or

    C:\>nltest /sc_query:net.dom /server:xp-pro3

When the TCP/IP settings are incorrect on a Windows XP/.NET computer, or the specified domain is not accessible, you will see a pop-up window similar to the one shown in Fig. 5.5. A Windows 2000 computer will report, "The specified domain either does not exist or could not be contacted". If this happens, you will need to check the computer network configuration and accessibility of domain controllers (see later "Verifying DNS and Availability of Domain Controllers").

While adding a client computer running Windows 2000/XP/.NET to a domain, you may specify the NetBIOS name of the domain. If, nevertheless, the computer can find a domain controller belonging to that domain, it will be added to the domain. However, if the computer's TCP/IP settings are incorrect, the following NetDiag tests may fail (the Windows 2000 and Windows .NET version of NetDiag may produce slightly different results):

  • DC discovery test

  • DC list test

  • Trust relationship test

  • Kerberos test (skipped with a diagnostic message "Cannot find DC")

  • LDAP test

Therefore, it is always recommended that you verify the computer's DNS settings whenever the computer experiences problems such as slow system startup or slow access to shared resources, improperly applied group policies, domain administrative tools that fail to start, and so on.

Windows Time Service

When you add a Windows XP/.NET client to a domain, the client computer will then periodically synchronize its clock with the PDC Emulator of that domain. The registry value Parameters\Type, which controls the Windows Time service and is set to NTP by default, will be changed to NT5DS (see details in Chapter 2, "Active Directory Terminology and Concepts"). The following command will help you to see the computer's time offset and the name and IP address of the domain controller that serves as the timeserver:

    C:\>w32tm /monitor /domain:net.dom 

A domain client running Windows 2000 does not automatically synchronize its clock with the domain. You may manually set both registry values — Parameters\ServerType and Parameters\Type — to NT5DS and thus enable time synchronization with the PDC Emulator. The following command will display the name and IP address of the timeserver:

    C:\>w32tm -source -v

Note

Windows 2000 and Windows .NET systems have different versions of the W32tm utility. Therefore, you need to select the appropriate parameters for the version that you happen to be using.
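The following PowerShell script is an added example, not code from the book: it walks the checks described in this chapter (primary DNS suffix setting, DC discovery, secure channel, Windows Time service type and clock offset) on a single domain member and reports them together. It assumes a Windows version with PowerShell, the Test-ComputerSecureChannel cmdlet and the newer w32tm /query and /stripchart syntax, which is later than the 2000/XP/.NET releases the text covers.

```powershell
# Added example (not from the book): a defender-side health check that walks the
# verification steps above on a domain member. Assumes a Windows version with
# PowerShell, Test-ComputerSecureChannel and the w32tm /query and /stripchart
# syntax (newer than the 2000/XP/.NET builds the text describes).
param(
    [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain  # assumed: local machine's domain
)
$tcpip   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$w32time = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$results = [ordered]@{}

# 1. Primary DNS suffix. 'Domain' holds the suffix; SyncDomainWithMembership=1 is the
#    "Change primary DNS suffix when domain membership changes" checkbox.
$ip = Get-ItemProperty -Path $tcpip
$results['PrimaryDnsSuffix']    = $ip.Domain
$results['SuffixFollowsDomain'] = ($ip.SyncDomainWithMembership -eq 1)
$results['SuffixMatchesDomain'] = ($ip.Domain -ieq $Domain)

# 2. DC discovery, the same locator call that netdiag /test:DsGetDc exercises.
$locate = & nltest "/dsgetdc:$Domain" 2>&1
$results['DcDiscovery'] = ($LASTEXITCODE -eq 0)
$m = $locate | Select-String -Pattern '^\s*DC:\s*(\S+)' | Select-Object -First 1
$results['DcName'] = if ($m) { ($m.Matches[0].Groups[1].Value).TrimStart('\') } else { $null }

# 3. Secure channel to a DC (what nltest /sc_query and netdom VERIFY check).
$results['SecureChannel'] = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

# 4. Time service: Type should read NT5DS on a domain member (NTP means a manual source).
$results['W32TimeType'] = (Get-ItemProperty -Path $w32time).Type
$results['TimeSource']  = (& w32tm /query /source 2>&1) -join ' '

# 5. Clock offset against the located DC, one sample line such as "11:20:00, +00.0012345s".
if ($results['DcName']) {
    $chart = & w32tm /stripchart "/computer:$($results['DcName'])" "/samples:1" /dataonly 2>&1
    $o = $chart | Select-String -Pattern ',\s*([+-][\d.]+)s' | Select-Object -First 1
    $results['OffsetSeconds'] = if ($o) { [double]($o.Matches[0].Groups[1].Value) } else { $null }
}

# A false value here points at one of the two problem classes named above: DNS or time.
[pscustomobject]$results | Format-List
if (-not ($results['DcDiscovery'] -and $results['SecureChannel'])) { exit 1 }
```

Run it from an elevated prompt on the client you have just joined; a non-zero exit code flags the same conditions that make the DC discovery, DC list and trust relationship tests fail.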



Windows .NET Domains & Active Directory
Windows .NET Server 2003 Domains & Active Directory
ISBN: 1931769001
Year: 2002
Pages: 154
