You must be a member of the Administrators or Account Operators groups on the domain controllers to create a computer object in Active Directory. Domain Admins and Enterprise Admins are, by default, members of the Administrators group. Alternatively, it is possible to delegate administration so that other users or groups can create computer objects.
However, domain users can also create computer objects through an interesting, indirect process. When a computer is joined to the domain and an account does not exist, Active Directory creates a computer object automatically, by default, in the Computers OU. Each user in the Authenticated Users group (which is, in effect, all users) is allowed to join 10 computers to the domain, and can therefore create as many as 10 computer objects in this manner.
Creating Computer Objects Using Active Directory Users and Computers
To create a computer object, or “account,” open Active Directory Users And Computers and select the container or OU in which you want to create the object. From the Action menu or the right-click shortcut menu, choose the New–Computer command. The New Object–Computer dialog box appears, as illustrated in Figure 5-1.
Figure 5-1 The New Object–Computer dialog box
In the New Object–Computer dialog box, type the computer name. Other properties in this dialog box will be discussed in the following lesson. Click Next. The following page of the dialog box requests a GUID. A GUID is used to prestage a computer account for Remote Installation Services (RIS) deployment, which is beyond the scope of this discussion. It is not necessary to enter a GUID when creating a computer account for a machine you will be joining to the domain using other methods. So just click Next and then click Finish.
Creating Computer Objects Using DSADD
Chances are, this is something you’ve done before. But before you decide there’s nothing new under the sun, Windows Server 2003 provides a useful command-line tool, DSADD, which allows you to create computer objects from the command prompt or a batch file.
Lesson 1 Joining a Computer to a Domain 5-5
In Chapter 2, “Administering Microsoft Windows Server 2003,” you used DSADD to create user objects. To create computer objects, simply type dsadd computer ComputerDN, where ComputerDN is the distinguished name (DN) of the computer, such as CN=Desktop123,OU=Desktops,DC=contoso,DC=com.
If the computer’s DN includes a space, surround the entire DN with quotation marks. The ComputerDN… parameter can include more than one distinguished name for new computer objects, making DSADD Computer a handy way to generate multiple objects at once. The parameter can be entered in one of the following ways:
■ By piping a list of DNs from another command, such as dsquery.
■ By typing each DN on the command line, separated by spaces.
■ By leaving the DN parameter empty, at which point you can type the DNs, one at a time, at the keyboard console of the command prompt. Press ENTER after each DN. Press CTRL+Z and ENTER after the last DN.
The DSADD Computer command can take the following optional parameters after the DN parameter:
■ -samid SAMName
■ -desc Description
■ -loc Location
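As an added example (not from the book), a batch file that bulk-creates computer objects with DSADD Computer from a list of names, verifies them with DSQUERY and DSGET, and reads the domain setting behind the "10 computers per user" rule mentioned earlier. It assumes the lesson's OU, OU=Desktops,DC=contoso,DC=com, and a constructed input file of computer names.

```batch
@echo off
rem Added example, not from the book: bulk-creates computer objects with
rem DSADD Computer from a list of names, then verifies the result.
rem Assumes the OU used in the lesson, OU=Desktops,DC=contoso,DC=com, and a
rem constructed input file of bare computer names (none containing spaces).
setlocal
set OUDN=OU=Desktops,DC=contoso,DC=com

rem Constructed input: one computer name per line.
(
  echo Desktop123
  echo Desktop124
  echo Desktop125
) > computers.txt

rem Create one object per line. -samid is left at its default so DSADD
rem derives the SAM name from the CN; -desc and -loc set the optional
rem attributes the lesson lists. Quotes guard the DN in case the OU name
rem ever contains a space.
for /f "usebackq tokens=*" %%N in ("computers.txt") do (
  dsadd computer "CN=%%N,%OUDN%" -desc "Prestaged by batch" -loc "Building 1"
  if errorlevel 1 echo FAILED: %%N
)

rem Verify: list SAM name, description and location of every computer in the OU.
dsquery computer "%OUDN%" | dsget computer -samid -desc -loc

rem Read the domain-wide setting behind the "10 computers per user" rule in
rem the lesson (attribute ms-DS-MachineAccountQuota on the domain object).
dsquery * DC=contoso,DC=com -scope base -attr ms-DS-MachineAccountQuota
endlocal
```

Run it from a command prompt on a machine with the Windows Server 2003 administration tools installed, under an account permitted to create computer objects in that OU.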
Creating a Computer Account with NETDOM
The NETDOM command is available as a component of the Support Tools, installable from the Support\Tools directory of the Windows Server 2003 CD. The command is also available on the Windows XP and Windows 2000 CDs. Use the version that is appropriate for the platform. NETDOM allows you to perform numerous domain account and security tasks from the command line.
To create a computer account in a domain, type the following command:
netdom add ComputerName /domain:DomainName /userd:User /PasswordD:UserPassword [/ou:OUDN]
This command creates the computer account for ComputerName in the domain DomainName using the domain credentials User and UserPassword. The /ou parameter causes the object to be created in the OU specified by the OUDN distinguished name following the parameter. If no OUDN is supplied, the computer account is created in the Computers OU by default. The user credentials must, of course, have permissions to create computer objects.
Joining a Computer to a Domain
A computer account alone is not enough to create the secure relationship required between a domain and a machine. The machine must join the domain.
To join a computer to the domain, perform the following steps:
1. Open the computer’s Computer Name properties. These properties can be accessed in several ways:
❑ Right-click My Computer and choose Properties. Click the Computer Name tab.
❑ Open Control Panel, select System, and in the System Properties dialog box, click the Computer Name tab.
❑ Open the Network Connections folder from Control Panel and choose the Network Identification command from the Advanced menu.
Note The Computer Name tab is called Network Identification on Windows 2000 systems. The Change button is called Properties. The functionality is, however, identical.
2. On the Computer Name tab, click Change. The Computer Name Changes dialog box, shown in Figure 5-2, allows you to change the name and the domain and workgroup membership of the computer.
Exam Tip You will not be able to change a computer’s name or membership if you are not logged on with administrative credentials on that system. Only users who belong to the local Administrators group will find the Change button enabled and functional.
3. In the Computer Name Changes dialog box, click Domain and type the name of the domain.
Tip Although the NetBIOS (flat) domain name may succeed in locating the target domain, it is best practice to enter the DNS name of the target domain. DNS configuration is critical to a Windows 2000, Windows XP, or Windows Server 2003 computer. By using the DNS domain name, you leverage the preferred name resolution process and test the computer’s DNS configuration. If the computer is unable to locate the domain you’re attempting to join, ensure that the DNS server entries configured for the network connection are correct.
4. Click OK. The computer contacts the domain controller. If there is a problem connecting to the domain, examine network connectivity and configuration, as well as DNS configuration.
When the computer successfully contacts the domain, you will be prompted, as in Figure 5-3, for a user name and password with privileges to join the domain. Note that the credentials requested are your domain user name and password.
Figure 5-3 Prompt for credentials to join domain
If you have not created a domain computer account with a name that matches the computer’s name, Active Directory creates an account automatically in the default Computers container. Once a domain computer account has been created or located, the computer establishes a trust relationship with the domain, alters its SID to match that of the account, and makes modifications to its group memberships. The computer must then be restarted to complete the process.
Note The NETDOM JOIN command can also be used to join a workstation or server to a domain. Its functionality is identical to the Computer Name Changes user interface, except that it also allows you to specify the OU in which to create an account if a computer object does not already exist in Active Directory.
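As an added example (not from the book), a batch file that ties together the NETDOM ADD command from the earlier section and the NETDOM JOIN command from this note: it prestages the machine's account in a chosen OU and then joins the machine. It assumes the lesson's domain and OU names, a constructed delegated account contoso\svc-join, and that it runs on the machine being joined with the Support Tools installed.

```batch
@echo off
rem Added example, not from the book: prestages this machine's computer
rem account in a chosen OU with NETDOM ADD, then joins the machine with
rem NETDOM JOIN. Assumes the lesson's domain and OU names, a constructed
rem delegated account contoso\svc-join, that the script runs on the machine
rem being joined (so %COMPUTERNAME% is its name) under local Administrators
rem rights, and that the Support Tools are installed.
setlocal
set DOMAIN=contoso.com
set OUDN=OU=Desktops,DC=contoso,DC=com
set JOINUSER=contoso\svc-join

rem Create the account in the target OU instead of the default Computers
rem container. /passwordd:* prompts for the password so it is never stored
rem in the batch file.
netdom add %COMPUTERNAME% /domain:%DOMAIN% /ou:%OUDN% /userd:%JOINUSER% /passwordd:*
if errorlevel 1 (
  echo Account creation failed: check the credentials and the OU permissions.
  goto :eof
)

rem Join using the DNS domain name, as the lesson's Tip recommends, and
rem restart to complete the join. Because the account was just prestaged,
rem NETDOM locates it rather than creating one in the Computers container.
netdom join %COMPUTERNAME% /domain:%DOMAIN% /userd:%JOINUSER% /passwordd:* /reboot
if errorlevel 1 echo Join failed: verify the DNS server entries and domain controller connectivity.
endlocal
```

If the account were not prestaged, adding /ou:%OUDN% to the NETDOM JOIN line would make NETDOM create it in that OU, which is the behaviour the note above describes.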