
Practice: Joining a Computer to an Active Directory Domain

In this practice, you will create computer accounts using Active Directory Users and Computers and DSADD. You then can join a computer to the domain, if you have access to a second system.

Exercise 1: Creating Computer Accounts with Active Directory Users and Computers

1. Open Active Directory Users And Computers.

2. In the Servers OU, create a computer object for a computer named “SERVER02.” Configure only the computer name. Do not change any of the other default properties.

Note that, like a user, a computer has two names—the computer name and the “Pre–Windows 2000” computer name. It is a best practice to keep the names the same.

Exercise 2: Creating Computer Accounts with DSADD

1. Open the command prompt.

2. Type the command:

Exercise 3: Moving a Computer Object

1. Open Active Directory Users And Computers.

2. Using the Move command, move the Desktop03 computer object from the Servers OU to the Desktops OU.

3. Drag Server02 from the Servers container to the Computers container.

4. Select the Computers container to confirm that Server02 arrived in the right place. Drag-and-drop is, of course, subject to user error.

Off the Record The MMC is notorious for causing mild panic attacks. It does not refresh automatically. You must use the Refresh command or shortcut key (F5) to refresh the console after making a change such as moving an object.

5. Open the properties of the Computers container. You will see that it does not have a Group Policy tab, unlike an OU such as Servers. This is among the reasons why organizations create one or more additional OUs for computer objects.

6. Open a command prompt.

7. Type the command:

dsmove "CN=Server02,CN=Computers,DC=contoso,DC=com" -newparent "OU=Servers,DC=contoso,DC=com"

This command, as you can deduce, will move the computer object back to the Servers OU.

8. Confirm that the computer is again in the Servers OU.
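Step 5 matters for security baselines: a computer object left in the Computers container cannot receive policy through a Group Policy link on its parent, because the container has no Group Policy tab. The following batch script is an added example, not part of the original lesson; it lists every computer object directly under the Computers container and, only when /move is given, relocates each one with DSMOVE. The script name and the target OU argument are assumptions.

```bat
@echo off
rem Added example, not part of the original lesson.
rem Usage: sweep-computers.cmd "OU=Desktops,DC=contoso,DC=com" [/move]
rem Without /move the script only reports what it would move.
setlocal
set "SOURCE=CN=Computers,DC=contoso,DC=com"
set "TARGET=%~1"
set "MODE=%~2"
set COUNT=0

if not defined TARGET goto :usage

rem Guard against a mistyped target: it must exist and be an OU.
dsquery ou "%TARGET%" -scope base 2>nul | findstr /i /c:"OU=" >nul
if errorlevel 1 goto :notarget

rem -scope onelevel: only objects directly in the container.
rem -limit 0: no cap on results (the default stops at 100).
for /f "delims=" %%D in ('dsquery computer "%SOURCE%" -scope onelevel -limit 0') do call :handle %%D
echo %COUNT% computer object(s) found directly under %SOURCE%
exit /b 0

:handle
rem %1 is one distinguished name, already quoted by dsquery.
set /a COUNT+=1
if /i "%MODE%"=="/move" goto :move
echo WOULD MOVE %1
goto :eof

:move
dsmove %1 -newparent "%TARGET%"
if errorlevel 1 echo FAILED TO MOVE %1
goto :eof

:usage
echo Usage: %~nx0 "distinguished name of target OU" [/move]
exit /b 2

:notarget
echo Target OU not found: %TARGET%
exit /b 1
```

Run it once without /move and review the list before moving anything, since servers and desktops usually belong in different OUs.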

Exercise 4 (Optional): Join a Computer to a Domain

This exercise requires an additional system with network connectivity to Server01. In addition, DNS must be configured correctly so that Server01’s service records (SRV) are created. The additional computer must have DNS configured so that it can locate Server01 as a domain controller for contoso.com.

1. If you have an additional system that you are able to join to the domain in the next exercise, create an account for it in the Desktops OU using either Active Directory Users And Computers or DSADD. Be certain that the name you use is the same name as the computer.

2. Log on to the computer. You must log on as an account with membership in the computer’s local Administrators group to change its domain membership.


3. Locate the Computer Name tab by opening System from Control Panel, or the Network Identification command from the Advanced menu of the Network Connections folder.

4. Click Change.

5. Click Domain and type the DNS domain name, contoso.com.

6. Click OK.

7. When prompted, enter the credentials for the contoso.com domain’s Administrator account.

8. Click OK.

9. The computer will prompt you that a reboot is necessary. Click OK to each message and to close each dialog box. Reboot the system.
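The same join can be scripted from the command prompt. The following batch script is an added example, not part of the original lesson: it first confirms the DNS prerequisite stated above (the domain controller's SRV record must resolve from the joining computer) and then joins with NETDOM. It assumes NETDOM is installed on the joining computer, that the computer account was already created in step 1, and that the domain's NetBIOS name is CONTOSO.

```bat
@echo off
rem Added example, not part of the original lesson.
rem Run on the computer being joined, logged on as a member of the
rem local Administrators group.
setlocal
set "DOMAIN=contoso.com"
rem Assumption: CONTOSO is the NetBIOS name of the contoso.com domain.
set "JOINUSER=CONTOSO\Administrator"

rem 1. The joining computer must locate a domain controller through DNS.
rem    nslookup prints a "svr hostname" line for each SRV record it finds.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% 2>nul | findstr /i /c:"svr hostname" >nul
if errorlevel 1 goto :nodns

rem 2. Join the domain. /passwordd:* prompts for the password so that it
rem    never appears on the command line or in a saved script.
netdom join %COMPUTERNAME% /domain:%DOMAIN% /userd:%JOINUSER% /passwordd:*
if errorlevel 1 goto :joinfailed

echo Joined %COMPUTERNAME% to %DOMAIN%. Reboot to complete the change.
exit /b 0

:nodns
echo No domain controller SRV record resolved for %DOMAIN%.
echo Check the DNS server configured on this computer before joining.
exit /b 1

:joinfailed
echo NETDOM reported a failure. The computer was not joined.
exit /b 1
```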

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.

1. What are the minimum credentials necessary to create a Windows Server 2003 computer account in an OU in a domain? Consider all steps of the process. Assume Active Directory does not yet have an account for the computer.

a. Domain Admins

b. Enterprise Admins

c. Administrators on a domain controller

d. Account Operators on a domain controller

e. Server Operators on a domain controller

f. Account Operators on the server

g. Server Operators on the server

h. Administrators on the server

2. Which locations allow you to change the domain membership of a Windows Server 2003 computer?

a. The properties of My Computer

b. Control Panel’s System application

c. Active Directory Users and Computers

d. The Network Connections folder

e. The Users application in Control Panel

3. What command-line tools will create a domain computer account in Active Directory?

a. NETDOM

b. DSADD

c. DSGET

d. NETSH

e. NSLOOKUP

Lesson Summary

■ Members of the Administrators and Account Operators groups have, by default, permission to create computer objects in Active Directory.

■ Active Directory Users And Computers, DSADD, and NETDOM can be used to create computer accounts.

■ You must be logged on as a member of the local Administrators group to change the domain membership of a machine.


Lesson 2: Managing Computer Accounts

In the previous lesson, you examined the fundamental components of a computer’s relationship with a domain: the computer’s account, and joining the computer to the domain. This lesson looks more closely at the computer object in Active Directory. You will learn about the other properties and permissions that make computer objects “tick,” and how to manage those properties and permissions using GUI and command-line tools.

After this lesson, you will be able to

■ Configure the permissions of a new Active Directory computer object

■ Configure the properties of an Active Directory computer object

■ Find and manage computer accounts using Active Directory Users And Computers

Estimated lesson time: 10 minutes