Active Directory and Computers - Joining a Computer to a Domain

Problem

You want to join a computer to a domain after the computer object has already been created in Active Directory.

Solution

Using a graphical user interface

1. Log on to the computer you want to join to the domain and open the Control Panel.
   
2. Open the System applet.
   
3. Click the Computer Name tab.
   
4. Click the Change button.
   
5. Under “Member of,” select Domain.
   
6. Enter the domain you want to join and click OK.
   
7. You may be prompted to enter credentials that grant permission to join the computer.
   
8. Reboot the computer.

   Note that the tabs in the System applet vary between Windows 2000, Windows XP, and Windows Server 2003.

  > netdom join <ComputerName> /Domain <DomainName> /UserD <DomainUserUPN>   
  /PasswordD * /UserO <ComputerAdminUser>  /PasswordO * /Reboot  

Using VBScript

  ' This code joins a computer to a domain.
  ' ------ SCRIPT CONFIGURATION ------
  strComputer    = "<ComputerName>"   ' e.g. joe-xp
  strDomain      = "<DomainName>"     ' e.g. rallencorp.com
  strDomainUser  = "<DomainUserUPN>"  ' e.g. administrator@rallencorp.com
   strDomainPasswd = "<DomainUserPasswd>" 
  strLocalUser    = "<ComputerAdminUser>"
' e.g. administrator
  strLocalPasswd  = "<ComputerUserPasswd>"
  ' ------ END CONFIGURATION ---------

  '########################
  ' Constants
  '########################
  Const JOIN_DOMAIN             = 1
  Const ACCT_CREATE             = 2
  Const ACCT_DELETE             = 4
  Const WIN9X_UPGRADE           = 16
  Const DOMAIN_JOIN_IF_JOINED   = 32
  Const JOIN_UNSECURE           = 64
  Const MACHINE_PASSWORD_PASSED = 128
  Const DEFERRED_SPN_SET        = 256
  Const INSTALL_INVOCATION      = 262144

  '###########################
  ' Connect to Computer 
  '###########################
  set objWMILocator = CreateObject("WbemScripting.SWbemLocator") 
 objWMILocator.Security_.AuthenticationLevel = 6
  set objWMIComputer = objWMILocator.ConnectServer(strComputer, _
                           "root\cimv2", _
                           strLocalUser, _ 
                           strLocalPasswd)
  set objWMIComputerSystem = objWMIComputer.Get( _
          "Win32_ComputerSystem.Name='" & _
          strComputer & "'")

  '###########################
  ' Join Computer 
  '###########################
  rc = objWMIComputerSystem.JoinDomainOrWorkGroup(strDomain, _ 
                  strDomainPasswd, _
                  strDomainUser, _ 
                  vbNullString, _   
                  JOIN_DOMAIN)
  if rc <> 0 then
      WScript.Echo "Join failed with error: " & rc
  else
      WScript.Echo "Successfully joined " & strComputer & " to " & strDomain
  end if

Discussion

When trying to add a computer to Active Directory, you can either precreate the computer object as described in Recipes 8.1 and 8.2 before joining it to the domain, or you can perform both operations at the same time.

If you have the correct permissions in Active Directory, you can actually create a computer object at the same time as you join it to a domain via the instructions described in the GUI solution. Since the System applet doesn’t allow you to specify an OU for the computer object, if it needs to create a computerobject, it will do so in the defaultComputerscontainer. See Recipe 8.15 for more information on the default computers container and how to change it.

Using a command-line interface

The netdom command will attempt to create a computer object for the computer during a join if one does not already exist. An optional/OUswitch can be added to specify the OU in which to create thecomputerobject. To do so, you’ll need to have the necessary permissions to create and managecomputerobjects in the OU.

There are some restrictions on running thenetdom joincommand remotely. If a Windows XP machine has theForceGuestsecurity policy setting enabled, you cannot join it remotely. Running thenetdomcommand directly on the machine works regardless of theForceGuestsetting.

In order for the Win32_ComputerSystem::JoinDomainOrWorkGroup method to work remotely, you have to use an AuthenticationLevel equal to 6 so that the traffic between the two machines (namely the passwords) is encrypted. You can also create computerobjects usingJoinDomainOrWorkGroupby using theACCT_CREATEflag in combination withJOIN_DOMAIN.

This function works only with Windows XP and Windows Server 2003 and is not available for Windows 2000 and earlier machines.

Just like with the netdom utility, you cannot run this script against a remote computer if that computer has theForceGuestsetting enabled.

More information on the ForceGuest setting can be found here: http://www.microsoft. com/resources/ documentation/Windows/XP/all/reskit/en-us/ prde_ffs_ypuh.asp, MS KB 238793 (Enhanced Security Joining or Resetting Machine Account in Windows 2000 Domain), MS KB 251335 (Domain Users Cannot Join Workstation or Server to a Domain), MS KB 290403 (How to Set Security in Windows XP Professional That Is Installed in a Workgroup), MSDN: Win32_ComputerSystem::JoinDomainOrWorkgroup, and MSDN: NetJoinDomain.

Please check back next week for the continuation of this article.

Comments On: Active Directory and Computers

· This article is an excerpt from the book "Active Directory Cookbook, Second...   >>> Post your comment now!

Buy this book...

This article is excerpted from chapter eight of the Active Directory Cookbook, Second Edition, written by Robbie Allen and Laura E. Hunter (O'Reilly; ISBN: 059610202X). Check it out today at your favorite bookstore. Buy this book now.