The default configuration of Windows Server 2003, and all Microsoft Windows operating systems, is that the computer belongs to a workgroup. In a workgroup, a Windows NT–based computer (which includes Windows NT 4, Windows 2000, Windows XP, and Windows Server 2003) can authenticate users only from its local Security Accounts Manager (SAM) database. It is a stand-alone system, for all intents and purposes. Its workgroup membership plays only a minor role, specifically in the browser service. Although a user at that computer can connect to shares on other machines in a workgroup or in a domain, the user is never actually logged on to the computer with a domain account.
Before you can log on to a computer with your domain user account, that computer must belong to a domain. The two steps necessary to join a computer to a domain are, first, to create an account for the computer and, second, to configure the computer to join the domain using that account. This Topic will focus on the skills related to the creation of computer accounts and joining computers to domains. The next topic will explore, in more depth, the computer accounts themselves.
Computers maintain accounts, just as users do, that include a name, password, and security identifier (SID). Those properties are incorporated into the computer object class within Active Directory. Preparing for a computer to be part of your domain is therefore a process strikingly similar to preparing for a user to be part of your domain: you must create a computer object in Active Directory.
Creating Computer Accounts
You must be a member of the Administrators or Account Operators groups on the domain controllers to create a computer object in Active Directory. Domain Admins and Enterprise Admins are, by default, members of the Administrators group. Alternatively, it is possible to delegate administration so that other users or groups can create computer objects.
However, domain users can also create computer objects through an interesting, indirect process. When a computer is joined to the domain and an account does not exist, Active Directory creates a computer object automatically, by default, in the Computers OU. Each user in the Authenticated Users group (which is, in effect, all users) is allowed to join 10 computers to the domain, and can therefore create as many as 10 computer objects in this manner.
Creating Computer Objects Using Active Directory Users and Computers
To create a computer object, or “account,” open Active Directory Users And Computers and select the container or OU in which you want to create the object. From the Action menu or the right-click shortcut menu, choose the New–Computer command. The New Object–Computer dialog box appears, as illustrated in below Figure.
In the New Object–Computer dialog box, type the computer name. Other properties in this dialog box will be discussed in the following lesson. Click Next. The following page of the dialog box requests a GUID. A GUID is used to prestage a computer account for Remote Installation Services (RIS) deployment, which is beyond the scope of this discussion. It is not necessary to enter a GUID when creating a computer account for a machine you will be joining to the domain using other methods. So just click Next and then click Finish
Creating Computer Objects Using DSADD
Chances are, this is something you’ve done before. But before you decide there’s nothing new under the sun, Windows Server 2003 provides a useful command-line tool, DSADD, which allows you to create computer objects from the command prompt or a batch file.
In earlier topic, “Administering Microsoft Windows Server 2003,” you used DSADD to create user objects. To create computer objects, simply type dsadd computer ComputerDN, where ComputerDN is the distinguished name (DN) of the computer, such as CN=Desktop123, OU=Desktop, DC=mcseweb DC=com.
If the computer’s DN includes a space, surround the entire DN with quotation marks. The ComputerDN… parameter can include more than one distinguished name for new computer objects, making DSADD Computer a handy way to generate multiple objects at once. The parameter can be entered in one of the following ways:
* By piping a list of DNs from another command, such as dsquery.
* By typing each DN on the command line, separated by spaces.
* By leaving the DN parameter empty, at which point you can type the DNs, one at a time, at the keyboard console of the command prompt. Press ENTER after each DN. Press CTRL+Z and ENTER after the last DN.
The DSADD Computer command can take the following optional parameters after the DN parameter:
*-samid SAMName
*-desc Description
*-loc Location
Creating a Computer Account with NETDOM
The NETDOM command is available as a component of the Support Tools, installable from the Support\Tools directory of the Windows Server 2003 CD. The command is also available on the Windows XP and Windows 2000 CDs. Use the version that is appropriate for the platform. NETDOM allows you to perform numerous domain account and security tasks from the command line.
To create a computer account in a domain, type the following command:
netdom add ComputerName /domain:DomainName /userd:User /PasswordD:UserPassword [/ou:OUDN]
This command creates the computer account for ComputerName in the domain DomainName using the domain credentials User and UserPassword. The /ou parameter causes the object to be created in the OU specified by the OUDN distinguished name following the parameter. If no OUDN is supplied, the computer account is created in the Computers OU by default. The user credentials must, of course, have permissions to create computer objects.
Joining a Computer to a Domain
A computer account alone is not enough to create the secure relationship required between a domain and a machine. The machine must join the domain.
To join a computer to the domain, perform the following steps:
1. Right-click My Computer and choose Properties. Click the Computer Name tab.
❑Open Control Panel, select System, and in the System Properties dialog box, click the Computer Name tab.
❑Open the computer’s Computer Name properties. These properties can be accessed in several ways:
2. Open the Network Connections folder from Control Panel and choose the Network Identification command from the Advanced menu.
3. On the Computer Name tab, click Change. The Computer Name Changes dialog box, shown in below Figure allows you to change the name and the domain and workgroup membership of the computer.
4. In the Computer Name Changes dialog box, click Domain and type the name of the domain.
5. Click OK. The computer contacts the domain controller. If there is a problem connecting to the domain, examine network connectivity and configuration, as well as DNS configuration.
When the computer successfully contacts the domain, you will be prompted, as in below Figure, for a user name and password with privileges to join the domain. Note that the credentials requested are your domain user name and password.
If you have not created a domain computer account with a name that matches the computer’s name, Active Directory creates an account automatically in the default Computers container. Once a domain computer account has been created or located, the computer establishes a trust relationship with the domain, alters its SID to match that of the account, and makes modifications to its group memberships. The computer must then be restarted to complete the process.
The Computers Container vs. OUs
The Computers container is the default location for computer objects in Active Directory. After a domain is upgraded from Windows NT 4 to Windows 2000, all computer accounts are found, initially, in this container. Moreover, when a machine joins the domain and there is no existing account in the domain for that computer, a computer object is created automatically in the Computers container.
Although the Computers container is the default container for computer objects, it is not the ideal container for computer objects. Unlike OUs, containers such as Computers, Users and Builtin cannot be linked to policies, limiting the possible scope of computer-focused group policy. A best-practice Active Directory design will include at least one OU for computers. Often, there are multiple OUs for computers, based on administrative division, region, or for the separate administration of laptops, desktops, file and print servers, and application servers. As an example, there is a default OU for Domain Controllers in Active Directory, which is linked to the Default Domain Controller Policy. By creating one or more OUs for computers, an organization can delegate administration and manage computer configuration, through group policy, more flexibly.
If your organization has one or more OUs for computers, you must move any computer objects created automatically in the Computers container into the appropriate OU. To move a computer object, select the computer and choose Move from the Action menu. Alternatively, use the new drag-and-drop feature of the MMC to move the object.
You can also move a computer object, or any other object, with the DSMOVE command. The syntax of DSMOVE is:
dsmove ObjectDN [-newname NewName] [-newparent ParentDN]
The -newname parameter allows you to rename an object. The -newparent parameter allows you to move an object. To move a computer named DesktopABC from the Computers container to the Desktops OU, you would type the following:
dsmove ?CN=DesktopABC,CN=Computers,DC=mcseweb,DC=com? -newparent
?OU=Desktops,DC=mcseweb ,DC=com?
In this command you again see the distinction between the Computers container (CN) and the Desktops organizational unit (OU).
You must have appropriate permissions to move an object in Active Directory. Default permissions allow Account Operators to move computer objects between containers including the Computers container and any OUs except into or out of the Domain Controllers OU. Administrators, which include Domain Admins and Enterprise Admins, can move computer objects between any containers, including the Computers container, the Domain Controllers OU, and any other OUs.
Saturday, January 9, 2010
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment