Module 5_ Managing Computer Accounts

07/06/13 Module 5: Managing Computer Accounts

https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=7&FontSize=3&FontType=segoe 1/99

Module5:ManagingComputerAccounts

Contents:

Lesson1: CreateComputersandJointheDomain

LabA: CreateComputersandJointheDomain

Lesson2: AdministerComputerObjectsandAccounts

LabB: AdministerComputerObjectsandAccounts

Lesson3: OfflineDomainJoin

LabC: PerformanOfflineDomainJoin

Module Overview



Computersinadomainaresecurityprincipals,likeusers.TheyhaveanaccountwithalogonnameandpasswordthatWindowschangesautomaticallyevery30daysorso.Theyauthenticatewiththedomain.Theycanbelongtogroups,haveaccesstoresources,andbeconfiguredbyGroupPolicy.Inaddition,likeusers,computerssometimeslosetrackoftheirpasswords,requireareset,orhaveaccountsthatneedtobedisabledorenabled.

ManagingcomputersboththeobjectsinActiveDirectoryandthephysicaldevicesisoneofthedaytodaytasksofmostITprofessionals.Newsystemsareaddedtoyourorganization,computersaretakenofflineforrepairs,machinesareexchangedbetweenusersorroles,andolderequipmentisretiredorupgraded,leadingtoanaccessofreplacementsystems.Eachoftheseactivitiesrequiresmanagingtheidentity



ofthecomputerrepresentedbyitsobject,oraccount,andActiveDirectory.

Unfortunately,mostenterprisesdonotinvestthesamekindofcareandprocessinthecreationandmanagementofcomputeraccountsastheydoforuseraccounts,eventhoughbotharesecurityprincipals.Inthismodule,youwilllearnhowtocreatecomputerobjects,whichincludeattributesthatarerequiredfortheobjectstobeaccounts.Youwilllearnhowtosupportcomputeraccountsthroughtheirlifecycle,includingconfiguring,troubleshooting,repairing,anddeprovisioningcomputerobjects.Youwillalsodeepenyourunderstandingoftheprocessthroughwhichacomputerjoinsadomain,sothatyoucanidentifyandavoidpotentialpointsoffailure.Inthethirdlessonofthismodule,youwillbeintroducedtoanewfeatureofWindowsServer2008R2ActiveDirectory,calledOfflineDomainJoin.Thisfeatureenablesadministratorstojoincomputerstoadomainevenifthecomputersdonothaveaconnectiontothecorporatenetwork.

Objectives

Aftercompletingthismodule,youwillbeableto:

Createcomputeraccountsandjointhemtoadomain.

AdministercomputerobjectsandaccountsbyusingtheWindowsInterfaceandcommandlinetools.

DescribeandperformtheOfflineDomainJoinprocess.



Lesson 1: Create Computers and Join the Domain

ThedefaultconfigurationofWindowsServer2008andofallotherversionsofWindowsserverandclientoperatingsystemsisthatthecomputerbelongstoaworkgroup.Beforeyoucanlogontoacomputerwithadomainaccount,thatcomputermustbelongtothedomain.Tojointhedomain,thecomputermusthaveanaccountinthedomain,which,likeauseraccount,includesalogonname(thesAMAccountNameattribute),apassword,andasecurityidentifier(SID)thatuniquelyrepresentsthecomputerasasecurityprincipalinthedomain.Thosecredentialsallowthecomputertoauthenticateagainstthedomainandtocreateasecurerelationshipthatthenallowsuserstologontothesystemwithdomainaccounts.Inthislesson,



youwilllearnthestepstopreparethedomainforanewcomputeraccount,andyouwillexploretheprocessthroughwhichacomputerjoinsthedomain.

Objectives

Aftercompletingthislesson,youwillbeableto:

Understandtherelationshipbetweenadomainmemberandthedomain,intermsofidentityandaccess.

Identifytherequirementsforjoiningacomputertothedomain.

Prestageacomputeraccount.

Joinacomputertothedomain.

Redirectthedefaultcomputercontainer.

Preventnonadministrativeusersfromcreatingcomputersandjoiningthedomain.

Usecommandlinetoolstoimport,create,andjoincomputers.

Workgroups, Domains, and Trusts



Inaworkgroup,eachsystemmaintainsanidentitystoreofuserandgroupaccountsagainstwhichuserscanbeauthenticatedandaccesscanbegin.ThelocalidentitystoreoneachcomputeriscalledtheSecurityAccountsManager(SAM)database.Ifauserlogsontoaworkgroupmachine,thesystemauthenticatestheuseragainstitslocalSAMdatabase.Ifauserconnectstoanothersystemtoaccessasharedfolder,theuserisreauthenticatedagainsttheidentitystoreoftheremotesystemandwillprobablybepromptedtoenteranewsetofcredentialsfortheremotesystem.Fromasecurityperspective,aworkgroupcomputeris,forallintentsandpurposes,astandalonesystem.

Whenacomputerjoinsadomain,itdelegatesthetaskofauthenticatinguserstothedomain.AlthoughthecomputercontinuestomaintainitsSAMdatabasetosupport



localuserandgroupaccounts,useraccountswilltypicallybecreatedinthecentraldomaindirectory.Whenauserlogsontothecomputerwithadomainaccount,theuserisauthenticatedbyadomaincontroller,ratherthanbytheSAM.Inotherwords,thecomputernowtrustsanotherauthoritytovalidateauser'sidentity.Trustrelationshipsaregenerallydiscussedinthecontextoftwodomains,asyouwilllearninanothermodule,butthereisalsoatrustbetweeneachdomainmembercomputeranditsdomainthatisestablishedwhenthecomputerjoinsthedomain.Becausealldomainmembercomputerstrustthedomain,theyalsotrusteachaccountthatisauthenticatedbythatdomain.ThisallowsuserswithanaccountinActiveDirectorytoaccessresourcesonvariousserverswithonlyonesetofcredentials.

Requirements for Joining a Computer to the Domain



ThreeconditionsarerequiredforyoutojoinacomputertoanActiveDirectorydomain:

Acomputerobjectshouldbecreatedinthedirectoryservice.

Youmusthaveappropriatepermissionstothecomputerobject.Thepermissionsallowyoutojoinacomputerwiththesamenameastheobjecttothedomain.

YoumustbeamemberofthelocalAdministratorsgrouponthecomputertochangeitsdomainorworkgroupmembership.

Theremainderofthislessonexamineseachoftheserequirements.

NoteItisnotmandatorytocreateacomputerobjectinthedirectoryservice,butitishighlyrecommended.However,manyadministratorsjoincomputerstoadomainwithoutfirstcreatingacomputerobject.Whenyoudothis,Windowsattemptstojointhedomaintoanexistingobject.WhenWindowsdoesnotfindtheobject,itfailsbackandcreatesacomputerobjectinthedefaultcomputercontainer.Thestepofcreatingacomputerobject,eitherbyanadministratorbeforethejoinorbyWindowsduringthejoin,isnecessarybeforethecomputercanjointhedomain.Itisstillarequirement.ItusesadifferentsetofpermissionsinActiveDirectory(yourpermissiontocreateacomputerobject)thanthejoinitself,andifyoudonothappentohavepermissionstocreatecomputerobjectsinthedefaultcomputercontainer,thejoinwillfail.Thebottomlineisthatitisarequirementforthecomputerobjecttoexistpriortothejoin,butWindowshelpsmeetthatrequirement



automatically.

The Computers Container and Organizational Units

Beforeyoucreateacomputerobjectinthedirectoryservice,youmusthaveaplacetoputit.

The Default Computers Container

Whenyoucreateadomain,theComputerscontaineriscreatedbydefault(CN=Computers).Thiscontainerisnotanorganizationalunit(OU)itisanobjectoftheContainerclass.Therearesubtlebutimportantdifferencesbetweenacontainer



andanOU.YoucannotcreateanOUwithinacontainer,soyoucannotsubdividetheComputersOUandyoucannotlinkaGroupPolicyobjecttoacontainer.Therefore,wehighlyrecommendthatyoucreatecustomOUstohostcomputerobjects,insteadofusingtheComputerscontainer.

OUs for Computers

MostorganizationscreateatleasttwoOUsforcomputerobjects:onetohostcomputeraccountsforclientcomputersdesktops,laptops,andotherusersystemsandanotherforservers.ThesetwoOUsareinadditiontotheDomainControllersOUcreatedbydefaultduringtheinstallationofActiveDirectory.IneachoftheseOUs,computerobjectsarecreated.Thereisnotechnicaldifferencebetweenacomputerobjectinaclient'sOUandacomputerobjectinaserver'sordomaincontroller'sOU:computerobjectsarecomputerobjects.However,separateOUsaretypicallycreatedtoprovideuniquescopesofmanagement,sothatyoucandelegatemanagementofclientobjectstooneteamandmanagementofserverobjectstoanother.

YouradministrativemodelmightnecessitatefurtherdividingyourclientandserverOUs.ManyorganizationscreatesubOUsbeneathaserverOUtocollectandmanagespecifictypesofserversforexample,anOUforfileandprintserversandanOUfordatabaseservers.Bydoingso,theteamofadministratorsforeachtypeofservercanbedelegatedpermissionstomanagecomputerobjectsintheappropriateOU.Similarly,geographicallydistributedorganizationswithlocaldesktopsupportteamsoftendivideaparentOUforclientsintosubOUsforeachsite.Thisapproachenableseachsitessupportteamtocreatecomputerobjectsinthesiteforclientcomputers,



andjoincomputerstothedomainusingthosecomputerobjects.Thisisanexampleonly.WhatismostimportantisthatyourOUstructurereflectsyouradministrativemodelsothatyourOUsprovidesinglepointsofmanagementforthedelegationofadministration.

Additionally,separateOUsallowyoutocreatedifferentbaselineconfigurationsusingdifferentGroupPolicyobjects(GPOs)linkedtotheclientandtheserverOUs.GroupPolicy,discussedindetailinanothermodule,allowsyoutospecifyconfigurationforcollectionsofcomputersbylinkingGPOsthatcontainconfigurationinstructionstoOUs.ItiscommonfororganizationstoseparateclientsintodesktopandlaptopOUs.GPOsspecifyingdesktoporlaptopconfigurationcanthenbelinkedtoappropriateOUs.

Ifyourorganizationhasdecentralized,sitebasedadministrationandwantstomanageuniqueconfigurationsfordesktopsandlaptops,youfaceadesigndilemma.ShouldyoudivideyourclientsOUbasedonadministrationandthensubdividedesktopsandlaptops,orshouldyoudivideyourclientsOUintodesktopandlaptopOUs,andthensubdividebasedonadministration?Theoptionsareillustratedasfollows.

BecausetheprimarydesigndriverforActiveDirectoryOUsistheefficientdelegationofadministrationthroughtheinheritanceofaccesscontrollists(ACLs)onOUs,thedesignontheleftwouldberecommended.



Delegating Permission to Create Computers

Bydefault,theEnterpriseAdmins,DomainAdmins,Administrators,andAccountOperatorsgroupshavepermissiontocreatecomputerobjectsinanynewOU.However,asdiscussedinthemoduleaboutgroups,werecommendthatyoutightlyrestrictmembershipinthefirstthreegroups,andthatyoudonotaddadministratorstotheAccountOperatorsgroup.

Instead,youshoulddelegatethepermissiontocreatecomputerobjectstoappropriateadministratorsorsupportpersonnel.ThepermissionrequiredtocreateacomputerobjectisCreateComputerObjects.Thispermission,assignedtoagroupforanOU,allowsmembersofthegrouptocreatecomputerobjectsinthatOU.Forexample,youmightallowyourdesktopsupportteamtocreatecomputerobjectsintheclientsOU,andallowyourfileserveradministratorstocreatecomputerobjectsinthefileserversOU.

Thepermissionsrequiredtoperformcomputermanagementtasksarelistedinthetopic,"SecureComputerCreationandJoins."Module8detailstheprocessofdelegation.

Prestage a Computer Account



YoucanandshouldcreateacomputeraccountinthecorrectOUbeforejoiningthecomputertothedomain.Thisprocessofcreatingacomputeraccountinadvanceiscalledprestagingacomputer.

Afteryouhavebeengivenpermissiontocreatecomputerobjects,youcandosobyrightclickingtheOUandchoosingComputerfromtheNewmenu.TheNewObjectComputerdialogbox,shownbelow,appears:



Enterthecomputername,followingthenamingconventionofyourenterprise,andselecttheuserorgroupthatwillbeallowedtojointhecomputertothedomainwiththisaccount.ThetwocomputernamesComputerNameandComputerName(PreWindows2000)shouldbethesame:Thereisveryrarely,ifever,ajustificationforconfiguringthemseparately.

NoteThepermissionsthatareappliedtotheuserorgroupyouselectinthewizardaremorethannecessarysimplytojoinacomputertothedomain.Theselecteduserorgroupisalsogiventheabilitytomodifythecomputerobjectinotherways.Forguidanceregardingaleastprivilegeapproachtodelegatingpermissiontojoinacomputertothedomain,seeWindowsAdministrationResourceKit:ProductivitySolutionsforITProfessionalsbyDanHolme(MicrosoftPress,2008).

Theprocessyoucompletetocreateacomputeraccountbeforejoiningthecomputer



tothedomainiscalledprestagingtheaccount.

Therearetwomajoradvantagesofprestagingacomputer:

TheaccountisinthecorrectOUandisthereforedelegatedaccordingtothesecuritypolicydefinedbytheaccesscontrollist(ACL)oftheOU.

ThecomputeriswithinthescopeofGPOslinkedtotheOU,beforethecomputerjoinsthedomain.

Join a Computer to the Domain



Byprestagingthecomputerobject,youfulfillthefirsttworequirementsforjoiningacomputertoadomain:thecomputerobjectexists,andyouhavespecifiedwhohaspermissionstojoinacomputerwiththesamenametothedomain.Now,alocaladministratorofthecomputercanchangethecomputersdomainmembershipandenterthespecifieddomaincredentialstosuccessfullycompletetheprocess.

Tojoinacomputertothedomain,performthefollowingsteps:

1. LogontothecomputerwithcredentialsthatbelongtothelocalAdministratorsgrouponthecomputer.

Onlylocaladministratorscanalterthedomainorworkgroupmembershipofacomputer.

2. OpentheSystemPropertiesdialogboxbyusingoneofthefollowingmethods:

InWindowsXP,WindowsServer2003:

OpentheSystempropertiesdialogboxbydoingoneofthefollowing:

RightclickMyComputer,andthenclickProperties.

PressWindowsLogo+Pause.



InWindowsVista,Windows7,WindowsServer2008,andWindowsServer2008R2:

a. OpentheSystempropertiesdialogboxbydoingoneofthefollowing:

RightclickComputer,andthenclickProperties.

PressWindowsLogo+Pause.

b. IntheComputername,domain,andworkgroupsettingssection,clickChangeSettings.

c. IfpromptedbyUserAccountControl,clickContinueorenteradministrativecredentialsasappropriate.

3. ClicktheComputerNametab.

4. ClickChange.

5. UnderMemberOf,clickDomain.

6. Typethenameofthedomainyouwanttojoin.

NoteUsethefullDNSnameofthedomain.Notonlyisthismoreaccurateandmorelikelytosucceed,butifitdoesnotsucceed,itindicatesthattherecouldbeaproblemwithDNSnameresolutionthatshouldberectifiedbeforejoiningthemachinetothedomain.



7. ClickOK.

8. Windowspromptsforthecredentialsofyouruseraccountinthedomain.

Thedomaincheckstoseeifacomputerobjectalreadyexistswiththenameofthecomputer.Oneofthefollowingthreethingshappens:

Iftheobjectexistsandacomputerwiththatnamehasalreadyjoinedthedomain,anerrorisreturned,andyoucannotjointhecomputertothedomain.

Iftheobjectexistsanditisprestagedacomputerwiththesamenamehasnotjoinedthedomainthedomainconfirmsthatthedomaincredentialsyouenteredhavepermissiontojointhedomainusingthataccount.Thesepermissionswerediscussedinthesection,PrestagingaComputerAccount.

Ifthecomputeraccountisnotprestaged,Windowscheckstoseeifyouhavepermissionstocreateanewcomputerobjectinthedefaultcomputercontainer.Ifyoudohavepermissionstocreateanewcomputerobjectinthedefaultcomputercontainer,theobjectiscreatedwiththenameofthecomputer.Thismethodofjoiningadomainissupportedforbackwardscompatibility,butisnotrecommended.Werecommendthatyouprestagetheaccountasindicatedearlier,andasdetailedinthenextsection,SecureComputerCreationandJoins.



ThecomputerthenjoinsthedomainbyassumingtheidentityofitsActiveDirectoryobject.ItconfiguresitsSIDtomatchthedomaincomputeraccountsSIDandsetsaninitialpasswordwiththedomain.Thecomputerthenperformsothertasksrelatedtojoiningthedomain.ItaddstheDomainAdminsgrouptothelocalAdministratorsgroupandtheDomainUsersgrouptothelocalUsersgroup.

9. Youarepromptedtorestartthecomputer.ClickOKtoclosethismessagebox.

10. ClickClose(inWindowsVista)orOK(inWindowsXP)toclosetheSystemPropertiesdialogbox.

11. Youarepromptedagaintorestartthecomputer,afterwhichthesystemisfullyamemberofthedomain,andyoucanlogonbyusingdomaincredentials.

Secure Computer Creation and Joins



Creatingcomputeraccountsandjoiningcomputerstoadomainaresecuritysensitiveoperations.

Therefore,itisveryimportantthatthesestepsareassecureaspossible.

Prestage Computer Objects

Thebestpracticeistoprestageacomputeraccountpriortojoiningthemachinetothedomain.However,Windowsallowsyoutojoinacomputertoadomainwithoutfollowingthisbestpractice.Youcanlogontoaworkgroupcomputerasalocaladministratorandchangethecomputermembershiptothedomain.Ondemand,Windowscreatesacomputerobjectinthedefaultcomputercontainer,givesyou



permissiontojoinacomputertothatobject,andthenproceedstojointhesystemtothedomain.

TherearethreeproblemswiththisWindowsprocess:

First,thecomputeraccountcreatedautomaticallybyWindowsisplacedinthedefaultcomputercontainer,whichisnotwherethecomputerobjectbelongsinmostenterprises.

Second,youmustmovethecomputerfromthedefaultcomputercontainerintothecorrectOU,whichisanextrastepthatisoftenforgotten.

Third,anydomainusercanalsodothisnodomainleveladministrativepermissionsarerequired.Anyusercanjoinanycomputertothedomainifyoudon'tmanageandsecuretheprocess.Becauseacomputerobjectisasecurityprincipal,andbecausethecreatorofacomputerobjectownstheobjectandcanchangeitsattributes,thisexposesapotentialsecurityvulnerability.Thenextsectionsdetailthesedisadvantages.

Configuring the Default Computer Container

WhenyoujoinacomputertothedomainandthecomputerobjectdoesnotalreadyexistinActiveDirectory,Windowsautomaticallycreatesacomputeraccountinthedefaultcomputercontainer,whichiscalled,Computers(CN=Computers,DC=domain)bydefault.TheproblemwiththisrelatestothediscussionofOUdesignearlierinthe



lesson.Ifyouhaveimplementedthebestpracticesdescribedthere,youhavedelegatedpermissionstoadministercomputerobjectsinspecificOUsforclientsandservers.Additionally,youmighthavelinkedGPOstothoseOUstomanagetheconfigurationofthesecomputerobjects.IfanewcomputerobjectiscreatedoutsideofthoseOUs,inthedefaultcomputercontainer,thepermissionsandconfigurationitinheritsfromitsparentcontainerwillbedifferentthanwhatitshouldhavereceived.YouwillthenneedtoremembertomovethecomputerfromthedefaultcontainertothecorrectOUafterjoiningthedomain.

Therearetworecommendedstepstoreducethelikelihoodofthisproblem.First,youshouldattempttoalwaysprestagecomputeraccounts.IfanaccountisprestagedforacomputerinthecorrectOU,whenthecomputerjoinsthedomain,itwillusetheexistingaccountandwillbesubjecttothecorrectdelegationandconfiguration.

Second,toreducetheimpactofsystemsbeingjoinedtothedomainwithoutaprestagedaccount,youshouldchangethedefaultcomputercontainersothatitisnottheComputerscontaineritself,butinsteadisanOUthatissubjecttoappropriatedelegationandconfiguration.Forexample,ifyouhaveanOUcalledNewClients,youcaninstructWindowstousethatOUasthedefaultcomputercontainer,sothatifcomputersarejoinedtothedomainwithoutprestagedaccounts,theobjectsarecreatedintheNewClientsOU.

Theredircmp.execommandisusedtoredirectthedefaultcomputercontainerwiththefollowingsyntax.



redircmp "DN of OU for new computer objects"

Now,ifacomputerjoinsthedomainwithoutaprestagedcomputeraccount,Windowscreatesthecomputerobjectinthespecifiedorganizationalunit.OnthisOU,youcanapplysomebaselineGPOsettingsthataffectallcomputersinthedomain.

NoteThesameconceptsapplytothecreationofuseraccounts.Bydefault,ifauseraccountiscreatedbyusingalegacypracticethatdoesnotspecifytheOUfortheaccount,theobjectiscreatedinthedefaultusercontainer(CN=Users,DC=domain,bydefault).Theredirusr.execommandcanbeusedtoredirectthedefaultcontainertoanactualOUthatisdelegatedandconfiguredappropriately.Redirusr,likeredircmp,takesasingleoption:thedistinguishedname(DN)oftheOUthatwillbecomethedefaultusercontainer.

Restricting the Ability of Users to Create Computers

Whenacomputeraccountisprestaged,thepermissionsontheaccountdeterminewhoisallowedtojointhatcomputertothedomain.Whenanaccountisnotprestaged,Windowswill,bydefault,allowanyauthenticatedusertocreateacomputerobjectinthedefaultcomputercontainer.Infact,Windowswillallowanyauthenticatedusertocreate10computerobjectsinthedefaultcomputercontainer.Thecreatorofacomputerobject,bydefault,haspermissiontojointhatcomputertothedomain.Itisthroughthismechanismthatanyauthenticatedusercanjoin10



computerstothedomainwithoutanyexplicitpermissiontodoso.

The10computerquotaisconfiguredbythemsDSMachineAccountQuotaattributeofthedomain.Itallowsanyauthenticatedusertojoinamachinetothedomain,noquestionsasked.Thisisproblematicfromasecurityperspectivebecausecomputersaresecurityprincipals,andthecreatorofasecurityprincipalhaspermissiontomanagethatcomputersproperties.Inaway,thequotaislikeallowinganydomainusertocreate10useraccounts,withoutanycontrols.

Wehighlyrecommendthatyouclosethisloophole,sothatnonadministrativeuserscannotjoinmachinestothedomain.TochangethemsDSMachineAccountQuotaattribute,performthefollowingsteps:

1. OpentheADSIEditMMCconsolefromtheAdministrativeToolsfolder.

2. RightclickADSIEdit,andthenclickConnectTo.

3. IntheConnectionPointsection,clickSelectAWellKnownNamingContext,andthenselectDefaultNamingContextfromthedropdownlist.

4. ClickOK.

5. Intheconsoletree,expandDefaultNamingContext.

6. Rightclickthedomainfolderdc=contoso,dc=com,forexampleandthenclickProperties.



7. ClickmsDSMachineAccountQuota,andthenclickEdit.

8. Type0.

9. ClickOK.

TheAuthenticatedUsersgroupisalsoassignedtheuserrighttoaddworkstationstothedomain,butyoudonothavetomodifythisrightifyouhavechangedthedefaultvalueofthemsDSMachineAccountQuotaattribute.

AfteryouhavechangedthemsDSMachineAccountQuotaattributeto0,youcanbeassuredthattheonlyuserswhocanjoincomputerstothedomainarethosewhohavebeenspecificallydelegatedpermissiontojoinprestagedcomputerobjectsortocreatenewcomputerobjects.

Afteryouveeliminatedthisloophole,youmustensureyouhavegivenappropriateadministratorsexplicitpermissiontocreatecomputerobjectsinthecorrectOUs,asdescribedinthe"DelegatingPermissiontoCreateComputers"section,otherwisethefollowingerrormessagewillappear.



Delegating Computer Management

ThefourthtasktoimprovethesecurityofcomputeraccountsistodelegatecomputermanagementtasksattheOUlevel.DelegationisdiscussedinModule8.Thefollowingdsaclscommandscanbeusedtodelegatecomputermanagementtasks:

Createacomputer.

dsacls "DN of OU" /I:T /G "DOMAIN\group":CC;computer

Deleteacomputer.

dsacls "DN of OU" /I:T /G "DOMAIN\group":DC;computer

Joinacomputertothedomain.



dsacls "DN of OU" /I:S /G "DOMAIN\group": "Validated write to DNShost name";computer dsacls "DN of OU" /I:S /G "DOMAIN\group":"Validated write to service principal name";computer dsacls "DNof OU" /I:S /G "DOMAIN\group": CA;Reset Password;computer dsacls"DN of OU" /I:S /G "DOMAIN\group": WP;AccountRestrictions;computer

Theprecedingfourcommandsshouldbeenteredatthecommandpromptwithnospaceafterthecolon.

Moveacomputer.

RequirespermissionstodeletecomputersinthesourceOUandcreatecomputersinthedestinationOU.Eventhoughamovedoesnotactuallydeleteorcreatetheaccount,thisisthepermissionthatisusedbytheAccessCheck.

Question:Whattwofactorsdeterminewhetheryoucanjoinacomputeraccounttothedomain?

Automate Computer Account Creation



Thestepsyouhavelearnedforcreatingacomputeraccountbecomeburdensomeifyouaretaskedwithcreatingdozensorevenhundredsofcomputeraccountsatthesametime.CommandssuchasCommaSeparatedValueDirectoryExchange(CSVDE),LightweightDirectoryAccessProtocol(LDAP)DataInterchangeFormatDirectoryExchange(LDIFDE),andDSAddcanimportandautomatethecreationofcomputerobjects.Scriptscanalsoallowyoutoprovisioncomputerobjects,thatis,toperformbusinesslogicsuchastheenforcementofcomputernamingconventions.Also,ifyouareusingWindowsServer2008R2,youcanuseWindowsPowerShellwithActiveDirectoryModuletoautomatethecreationofcomputeraccounts.

Import Computers with CSVDE



CSVDEisacommandlinetoolthatimportsorexportsActiveDirectoryobjectsfromortoacommadelimitedtextfile(alsoknownasacommaseparatedvaluetextfile,or.csvfile).ThebasicsyntaxoftheCSVDEcommandis.

csvde [-i] [-f "Filename"] [-k]

Theioptionspecifiesimportmodewithoutit,thedefaultmodeofCSVDEisexport.Thefoptionidentifiesthefilenametoimportfromorexportto.Thekoptionisusefulduringimportoperations,becauseitinstructsCSVDEtoignoreerrors,includingobjectalreadyexists,constraintviolation,andattributeorvaluealreadyexists.



Commadelimitedfilescanbecreated,modified,andopenedwithtoolsasfamiliarasNotepadandMicrosoftOfficeExcel.ThefirstlineofthefiledefinestheattributesbytheirLDAPattributenames.Eachobjectfollows,oneperline,andmustcontainexactlytheattributeslistedonthefirstline.AsamplefileisshowninExcelasfollows.

Whenimportingcomputers,besuretoincludetheuserAccountControlattribute,andsetitto4096.Thisattributeensuresthatthecomputerwillbeabletojointheaccount.AlsoincludethepreWindows2000logonnameofthecomputer,thesAMAccountNameattribute,whichisthenameofthecomputerfollowedbyadollarsign($),asshownintheprecedingsample.

Import Computers with LDIFDE



LDIFDE.exeimportsdatafromfilesintheLDAPDataInterchangeFormat(LDIF)format.LDIFfilesaretextfileswithinwhichoperationsarespecifiedbyablockoflinesseparatedbyablankline.EachoperationbeginswiththeDNattributeoftheobjectthatisthetargetoftheoperation.Thenextline,changeType,specifiesthetypeofoperation:add,modify,ordelete.

ThefollowinglistingisanLDIFfilethatwillcreateacomputeraccountintheServersOU.

dn: CN=FILE25,OU=File,OU=Servers,DC=contoso,DC=com changetype:add objectClass: top objectClass: person objectClass:



organizationalPerson objectClass: user objectClass: computer cn:

FILE25 userAccountControl: 4096 sAMAccountName: FILE25$

ThebasicsyntaxoftheLDIFDEcommandissimilartothatoftheCSVDEcommand.

ldifde [-i] [-f "Filename"] [-k]

Bydefault,LDIFDEisinexportmode.Theioptionspecifiestheimportmode.Youmustspecifyftoidentifythefileyouareusingforimportorexport.LDIFDEwillstopwhenitencounterserrors,unlessyouspecifythekoption,inwhichcase,LDIFDEcontinuesprocessing.

Create Computer Accounts with DSAdd and PowerShell



TheDSAddcommandisusedtocreateobjectsinActiveDirectory.Tocreatecomputerobjects,simplytypethefollowingcommand.

dsadd computer ComputerDN

whereComputerDNisthedistinguishedname(DN)ofthecomputer,suchasCN=DESKTOP123,OU=NYC,OU=ClientComputers,DC=contoso,DC=com.

IfthecomputersDNincludesaspace,surroundtheentireDNwithquotationmarks.



TheDSAddComputercommandcantakethefollowingoptionsaftertheDNoption:

samidComputerName

descDescription

locLocation

NoteContentinthefollowingsectionisspecifictoWindowsServer2008R2.

YoucanalsousetheActiveDirectorymoduleforWindowsPowerShelltocreateacomputeraccountinADDS.Thefollowingexampledemonstrateshowtocreateanewcomputer,DESKTOP123,intheClientComputersOUinthecontoso.comdomain.

New-ADComputer -SamAccountName DESKTOP123 Path OU=ClientComputers,DC=contoso,DC=com'

ForafullexplanationoftheparametersthatyoucanpasstoNewADComputer,attheActiveDirectorymodulecommandprompt,typeGetHelpNewADComputer



detailed,andthenpressEnter.

Create and Join Computers with NetDom and PowerShell

TheNetDomcommandisalsoabletoperformavarietyofdomainaccountandsecuritytasksfromthecommandprompt.YoucanalsouseNetDomtocreateacomputeraccount,bytypingthefollowingcommand.

netdom add ComputerName /domain:DomainName [/ou:"OUDN"][/UserD:DomainUsername /PasswordD:DomainPassword]



ThiscommandcreatesthecomputeraccountforComputerNameinthedomainindicatedbythe/domainoption,usingthecredentialsspecifiedby/UserDand/PasswordD.The/ouoptioncausestheobjecttobecreatedintheOUspecifiedbytheorganizationalunitdistinguishedname(OUDN)followingtheoption.IfnoOUDNissupplied,thecomputeraccountiscreatedinthedefaultcomputercontainer.Theusercredentialsmust,ofcourse,havepermissionstocreatecomputerobjects.

Using NetDom.exe

TheNetDom.execommandallowsyoutojoinacomputertothedomainfromthecommandprompt.Thebasicsyntaxofthecommandisasfollows.

netdom join MachineName /Domain:DomainName [/OU:"OUDN"][/UserD:DomainUsername] [/PasswordD:{DomainPassword|*} ][/UserO:LocalUsername] [/PasswordO:{LocalPassword|*} ][/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]

Itcanbeusefultojoinamachinetoadomainfromthecommandprompt.Thefirstreasonthisisusefulisbecausethejoincanbeincludedinascriptthatperformsotheractions.Forexample,youcouldcreateabatchfilethatcreatesthecomputeraccountbyusingNetDomorDSAddthelatterofwhichallowsyoutospecifyotherattributes,includingdescriptionandthenjoinsthemachinetothataccountbyusingNetDom.Second,NetDom.execanbeusedtoremotelyjoinamachinetothedomain.



Third,NetDom.exeallowsyoutospecifytheOUforthecomputerobject.Thecommandsoptionsare,forthemostpart,selfexplanatory./UserOand/PasswordOarecredentialsthataremembersoftheworkgroupcomputerslocalAdministratorsgroup.Specifying*forthepasswordcausesNetDom.exetopromptforthepasswordatthecommandprompt./UserDand/PasswordDaredomaincredentialswithpermissiontocreateacomputerobject,iftheaccountisnotprestaged,ortojoinacomputertoaprestagedaccount.The/rebootoptioncausesthesystemtorebootafterjoiningthedomain.Thedefaulttimeoutis30seconds.The/SecurePasswordPromptoptiondisplaysapopupforcredentialswhen*isspecifiedforeither/PasswordOor/PasswordD.

NoteIfyouwanttouseNetDomremotely,theWindowsFirewallconfigurationonthecomputerthatwillbejoinedtothedomainmustallowNetworkDiscoveryandRemoteAdministration.

Using Windows PowerShell


Besidethenetdomcommand,youcanalsouseWindowsPowerShellwithActiveDirectoryModuletoperformadomainjoinforalocalmachine.InPowerShell,youshouldusetheAddComputercmdlettoperformadomainjoin.



Thefollowingexampledemonstrateshowtoaddthelocalcomputeronwhichthiscommandisbeingrun,tothecontoso.comdomain.ThelocalcomputerisaddedtotheOUinthedirectorythatisspecifiedbytheOUPathparameter,usingthecurrentloggedonusercredentials.Youmustrunthiscommandonthelocalcomputer.

Add-Computer -DomainOrWorkgroupName Contoso -OUPath OU=ClientComputers,DC=contoso,DC=com

ForafullexplanationoftheparametersthatyoucanpasstoAddComputer,attheActiveDirectoryModulecommandprompt,typeGetHelpAddComputerdetailed,andthenpressEnter.

Lab A: Create Computers and Join the Domain



Lab Setup

Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubeginthelab,youmustcompletethefollowingsteps:

1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthenclickHyperVManager.

2. InHyperVManager,click6425CNYCDC1and6425CNYCDC2,andintheActionspane,clickStart.

3. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.

4. Logonbyusingthefollowingcredentials:



Username:Pat.Coleman_Admin

Password:Pa$$w0rd

Domain:Contoso

5. OpenWindowsExploreron6425CNYCDC1andthenbrowsetoD:\Labfiles\Lab05a.

6. RunLab05a_Setup.batwithadministrativecredentials.UsetheaccountPat.Coleman_Admin,withthepassword,Pa$$w0rd.

7. Thelabsetupscriptruns.Whenitiscomplete,pressanykeytocontinue.

8. ClosetheWindowsExplorerwindow,Lab05a.

9. InHyperVManager,click6425CNYCSVR2,andintheActionspane,clickStart.

10. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.DonotlogontoNYCSVR2untildirectedtodoso.

Lab Scenario

YouareanadministratorforContoso,Ltd.Duringasecurityaudit,itwasidentifiedthatthereisnocontroloverthecreationofnewcomputeraccounts:bothclientsandserversarebeingaddedtothedomainwithnoassurancethatprocessisbeing



followed.Infact,anumberofcomputeraccountswerediscoveredintheComputerscontainer.Thesecomputerobjectswereforactivecomputeraccounts,butthecomputershadnotbeencreatedinormovedtothecorrectOUswithintheClientComputersorServersOUsaccordingtostandardprocedures.Youvebeentaskedwithimprovingtheprocedures.

Exercise 1: Join a Computer to the Domain with the WindowsInterface

Inthisexercise,youwilljoinacomputertothedomainusingtheWindowsinterface,andthenyouwillremovethemachinefromthedomain.

Themaintasksforthisexerciseareasfollows:

1. IdentifyandcorrectaDNSconfigurationerror.

2. JoinNYCSVR2tothedomain.

3. VerifythelocationoftheNYCSVR2account.

4. RemoveNYCSVR2fromthedomain.

5. DeletetheNYCSVR2account.

Task 1: Identify and correct a DNS configuration error.



1. LogontoNYCSVR2asAdministrator,withthepassword,Pa$$w0rd.

2. OpenSystemPropertiesbyusingoneofthefollowingmethods:

ClickStart,rightclickComputer,andthenclickProperties.

OpenSystemfromControlPanel.

PresstheWindowslogokeyandthePausekey.

3. Attempttojointhecomputertothedomain,contoso.com,beingsuretousethefullyqualifieddomainname(contoso.com)ratherthantheNetBIOSnameforthedomain(contoso).

DoingsoteststhatDNSisconfiguredcorrectlyontheclientforlocatingthedomain.

4. ChangetheDNSServerconfigurationontheclientto10.0.0.10.

Question:Whymightthejoinhavesucceededifyouhadusedthedomainnamecontoso,insteadofcontoso.com?WhatmightgowrongafterthedomainwassuccessfullyjoinedbutwithDNSincorrectlyconfigured?

Answer:TheuseofthefullyqualifiednameforcedthenameresolutionprocesstouseDNS,andbecauseDNSfailed,thedomainjoinfailed.Thedomainname,contoso,isaflatdomainnamethatcouldberesolvedthroughNetBIOSnameresolution.Eventhoughthedomainjoinwouldbesuccessful,theclientwouldlikelyhaveproblemslocatingdomaincontrollersinothersites,andlocatingotherresourcesinthedomain.Performingthe



joinwithafullyqualifieddomainnameensuresthatDNSisfunctioningbeforejoiningthedomain.

Task 2: Join NYC-SVR2 to the domain.

1. JoinNYCSVR2tothedomain.Whenpromptedfordomaincredentials,entertheusername,Aaron.Painter,andthepassword,Pa$$w0rd.

2. NotethatAaron.Painterisastandarduserinthecontoso.comdomain.Hehasnospecialrightsorpermissions,andyetheisabletojoinacomputertothedomain.Hedoeshavetobeloggedontothecomputerwithanaccountthatisamemberofthecomputer'sAdministratorsgroup.

3. Allowthesystemtorestart.

Task 3: Verify the location of the NYC-SVR2 account.

1. OnNYCDC1,runActiveDirectoryUsersandComputersasanadministrator,withtheusername,Pat.Coleman_Admin,andthepassword,Pa$$w0rd.

2. LocatetheNYCSVR2account.

Question:InwhichOUorcontainerdoestheaccountexist?



Answer:TheComputerscontainer.

Task 4: Remove NYC-SVR2 from the domain.

1. LogontoNYCSVR2asAdministrator,withthepassword,Pa$$w0rd.

2. ChangeNYCSVR2'sdomain/workgroupmembershiptoaworkgroupnamed,WORKGROUP.

3. Restarttheserver.

Task 5: Delete the NYC-SVR2 account.

Question:OnNYCDC1,refreshtheviewoftheComputerscontainerandexaminetheNYCSVR2account.Whatisitsstatus?

Answer:ThestatusisDisabled.

Question:YouwerenotpromptedfordomaincredentialsinTask4,andyetachangewasmadetothedomain:thecomputeraccountwasresetanddisabled.Whatcredentialswereusedtodothis?Whatcredentialswereusedtochangetheworkgroup/domainmembershipofNYCSVR2?



Answer:Thisisatrickyquestion.Domaincredentialswithappropriatepermissionsarerequiredtomakeachangetothedomain,suchasresettinganddisablingacomputeraccountandcredentialsthatareinthelocalAdministratorsgroupontheclientarerequiredtochangethecomputersworkgroup/domainmembership.

YouwereloggedontoNYCSVR2asthelocalAdministrator,soyouwereabletochangethecomputersworkgroup/domainmembership.Normally,youwouldhavebeenpromptedfordomaincredentials,butitjustsohappensthatthelocalAdministratoraccountsusername,Administrator,andpassword,Pa$$w0rd,areidenticaltothoseofthedomainAdministratoraccount,whichofcoursehaspermissiontomodifyobjectsinthedomain.Windowsattemptstoauthenticateyoubehindthescenes,andonlypromptsyoufordomaincredentialsifthatauthenticationfails.Inthiscase,becauseofthesimilarityincredentials,youwereactuallyauthenticatedasthedomainsAdministrator.

Inaproductionenvironment,thedomainsAdministratoraccountshouldhaveaverylong,complex,securepasswordthatisdifferentfromthepasswordsusedforAdministratoraccountsinthedomainmembercomputer.

DeletetheNYCSVR2computerobject.

Result:Inthisexercise,youbecamefamiliarwithtypicallegacypracticesusedto



joincomputerstoadomain.

Exercise 2: Secure Computer Joins

Inthisexercise,youwillimplementbestpracticestosecurethejoiningofmachinestothedomain.


1. Redirectthedefaultcomputercontainer.

2. Restrictunmanageddomainjoins.

3. ValidatetheeffectivenessofmsDSMachineAccountQuota.

Task 1: Redirect the default computer container.

1. OnNYCDC1,runacommandpromptasanadministratorwiththeusername,Pat.Coleman_Admin,andthepassword,Pa$$w0rd.

2. UsetheRedirCmpcommandtoredirectthedefaultcomputerscontainertotheNewComputersOUinthecontoso.comdomain.



Task 2: Restrict unmanaged domain joins.

1. RuntheADSIEditconsoleasanadministratorwiththeusername,Pat.Coleman_Admin,andthepassword,Pa$$w0rd.

2. Connecttothedomainand,inthepropertiesofthedomain,changethemsDSMachineAccountQuotatozero(0).

Task 3: Validate the effectiveness of ms-DS-MachineAccountQuota.

LogontoNYCSVR2asAdministratorandattempttojoinNYCSVR2tothecontoso.comdomainjustasyoudidinExercise1.Whenpromptedfordomaincredentials,entertheusername,Aaron.Painter,andthepassword,Pa$$w0rd.

InExercise1,AaronPainterwasabletojointhedomain.Now,heisunabletojointhedomain.

Question:WhatmessagedoyoureceivewhenauserisnolongerabletocreateacomputerobjectbecauseofthemsDSMachineAccountQuota?

Results:Inthisexercise,youredirectedthecontainerforcreatingcomputeraccountstotheNewComputersOU,andrestrictedtheusersfromjoiningcomputerstothedomainwithoutexplicitpermissionstodoso.



Exercise 3: Manage Computer Account Creation

Inthisexercise,youwillimplementseveralbestpracticesforcreatingcomputeraccountsandjoiningmachinestothedomain.


1. Prestageacomputeraccount.

2. JoinacomputerremotelytoaprestagedaccountbyusingNetDom.

Task 1: Prestage a computer account.

1. OnNYCDC1,runActiveDirectoryUsersandComputersasanadministratorwiththeusername,Pat.Coleman_Admin,andthepassword,Pa$$w0rd.

2. IntheServers\FileOU,createanewcomputerobjectforNYCSVR2andgivetheAD_Server_Deploygrouppermissiontojointhecomputertothedomain.

Task 2: Join a computer remotely to a prestaged account by using NetDom.



Inthistask,youwilljoinNYCSVR2tothedomainremotely,usingcredentialsthatareinthelocalAdministratorsgroupofNYCSVR2anddomaincredentialsthatareintheAD_Server_Deploygroup.

1. Runthecommandpromptasanadministrator,withtheusername,Aaron.Painter_Admin,andthepassword,Pa$$word.

NoteAaron.Painter_Adminisnotanadministrator.TheRunasanadministratorcommandallowsyoutorunaprocesswithanycredentials,aslongasthosecredentialshavesufficientprivilegetoruntheprocessitself.

2. Typethecommand,whoami/groups,tolistthegroupmembershipsofthecurrentaccount(Aaron.Painter_Admin).NotethattheuserisamemberofAD_Server_Deployandisnotamemberofanyotheradministrativegroup.

3. UsingtheNetDomcommand,joinNYCSVR2tothedomain.UsethelocalAdministratoraccountcredentialsforNYCSVR2andthedomaincredentialsforAaron.Painter_Admin,whoisamemberofAD_Server_Deployandthereforehaspermissiontojointhecomputertothedomain.Configuretheservertorebootautomaticallyin5seconds.

Typethefollowingcommand,andthenpressEnter.



netdom join NYC-SVR2 /domain:contoso.com /UserO:Administrator/PasswordO:* /UserD:CONTOSO\Aaron.Painter_Admin /PasswordD:*/REBoot:5

NoteTheNYCSVR2firewallexceptionsareconfiguredforports135,139,andforNetworkDiscovery(NBNameIn).TheseexceptionsallowNetDomJointobeusedtoremotelyjoinNYCSVR2tothedomain.

4. Theserverrestarts.

5. LogontoNYCSVR2asContoso\Pat.Coleman,withthepasswordofPa$$w0rd.Thisconfirmsthattheserverhassuccessfullyjoinedthedomain.

6. LogofffromNYCSVR2.

Results:Aftercompletingthisexercise,NYCSVR2willbejoinedtothedomainwithanaccountintheServers\FileOU.

ImportantDonotshutdownthevirtualmachinesafteryoufinishthislabbecausethesettingsyouhaveconfiguredherewillbeusedinLabB.



Lab Review Questions

Question:WhatdidyoulearnabouttheprosandconsofvariousapproachestocreatingcomputeraccountsinanADDSdomain?

Question:Whatarethetwocredentialsthatarenecessaryforanycomputertojoinadomain?

Lesson 2: Administer Computer Objects andAccounts



Acomputeraccountbeginsitslifecyclewhenitiscreatedandwhenthecomputerjoinsthedomain.DaytodayadministrativetasksincludeconfiguringcomputerpropertiesmovingthecomputerbetweenOUsmanagingthecomputeritselfandrenaming,resetting,disabling,enabling,andeventuallydeletingthecomputerobject.Thislessonlookscloselyatthecomputerpropertiesandproceduresinvolvedwiththesetasks,andwillequipyoutoadministercomputersinadomain.

Objectives

Aftercompletingthislesson,youwillbeableto:

Configurecomputeraccountproperties.

MoveacomputerbetweenOUs.

Recognizecomputeraccountproblems.

Resetacomputeraccount.

Renameacomputer.

Disableandenableacomputer.

Configure Computer Attributes



WhenyoucreateacomputerobjectbyusingActiveDirectoryUsersandComputers,youarepromptedtoconfigureonlythemostfundamentalattributes,includingthecomputernameandthedelegationtojointhecomputertothedomain.Computershaveseveralpropertiesthatarenotvisiblewhenyouarecreatingthecomputerobjectyoushouldconfigurethesepropertiesaspartoftheprocessofstagingthecomputeraccount.

OpenacomputerobjectsPropertiesdialogboxtosetitslocationanddescription,configureitsgroupmembershipsanddialinpermissions,andlinkittotheuserobjectoftheusertowhomthecomputerisassigned.TheOperatingSystemtabisreadonly.Theinformationwillbeblankuntilacomputerhasjoinedthedomainusingthataccount,atwhichtimetheclientpublishestheinformationtoitsaccount.



SeveralobjectclassesinActiveDirectorysupportthemanagedByattributethatisshownontheManagedBytab.Thislinkedattributecreatesacrossreferencetoauserobject.Allotherpropertiestheaddressesandtelephonenumbersaredisplayeddirectlyfromtheuserobject.Theyarenotstoredaspartofthecomputerobjectitself.SomeorganizationsusetheManagedBytabtolinkthecomputertotheprimaryuserofthecomputer.Alternatively,youmightchoosetolinkthecomputertoagroupthatisresponsibleforthesupportofacomputer.Forexample,thisasanoptionmightbeattractiveforcomputeraccountsthatrepresentservers.

OntheMemberOftabofacomputersPropertiesdialogbox,youcanaddthecomputertogroups.TheabilitytomanagecomputersingroupsisanimportantandoftenunderutilizedfeatureofActiveDirectory.Agrouptowhichcomputersbelongcanbeusedtoassignresourceaccesspermissionstothecomputer,tofiltertheapplicationofaGPO,orasacollectionforasoftwaremanagementtool,suchasMicrosoftSystemCenterConfigurationManager2007.

Aswithusersandgroups,itispossibletoselectmorethanonecomputerobjectandsubsequentlymanageormodifypropertiesofallselectedcomputerssimultaneously.

Configuring Computer Attributes with DSMod

YoucanusetheDSModcommandtomodifythedescriptionandthelocationattributesofacomputerobject.Itusesthefollowingsyntax.



dsmod computer "ComputerDN" [-desc "Description"] [-loc"Location"]


AttributesofacomputeraccountcanalsobemanagedbyusingWindowsPowerShellwithActiveDirectoryModule.

ThefollowingexampledemonstrateshowtomodifytheManagedByattributeofthecomputerLONSRV1.

Set-ADComputer LON-SRV1 -ManagedBy 'CN=SQL Administrator01,OU=UserAccounts,OU=Managed,DC=contoso,DC=com'

Move a Computer



ManyorganizationshavemultipleOUsforcomputerobjects.Somedomains,forexample,havecomputerOUsbasedongeographicsites,asshownearlierinthismodule.IfyouhavemorethanoneOUforcomputers,itislikelythatsomedayyouwillneedtomoveacomputerbetweenOUs.

TomoveacomputerbyusingtheActiveDirectoryUsersandComputerssnapin,youcanuseoneofthefollowingoptions:

Clickthecomputerandthendraganddropthecomputertothedesiredlocation.

Rightclickthecomputer,andthenclickMove.



TheDSMovecommandallowsyoutomoveacomputerobjectoranyotherobject.ThesyntaxofDSMoveisasfollows.

dsmove ObjectDN [-newname NewName] [-newparent ParentDN]

Thenewnameoptionallowsyoutorenameanobject.Thenewparentoptionallowsyoutomoveanobject.Tomoveacomputernamed,DESKTOP153,fromtheComputerscontainertotheNYCOU,youwouldtypethefollowingcommand.

dsmove "CN=DESKTOP153,CN=Computers,DC=contoso,DC=com" -newparent "OU=NYC,OU=Client Computers,DC=contoso,DC=com"

Using Windows PowerShell


YoucanalsoperformthemoveprocessforacomputerbyusingWindowsPowerShellwithActiveDirectoryModule.Thisisperformedbyusingpipelinedcmdlets,GetADComputerandMoveADObject.Thefollowingexampledemonstrateshowtomovethecomputer,Workstation1,totheManagedComputersOUinthecontoso.comdomain.



Get-ADComputer Workstation1 | Move-ADObject -TargetPath'OU=ManagedComputers,DC=contoso,DC=com'

Computer Account and Secure Channel

EverymembercomputerinanActiveDirectorydomainmaintainsacomputeraccountwithausername(sAMAccountName)andpassword,justlikeauseraccountdoes.Thecomputerstoresitspasswordintheformofalocalsecurityauthority(LSA)secretandchangesitspasswordwiththedomainevery30daysorso.TheNetLogonserviceusesthecredentialstologontothedomain,whichestablishesthesecurechannelwithadomaincontroller.



Computeraccountsandthesecurerelationshipsbetweencomputersandtheirdomainarerobust.However,certainscenariosmightariseinwhichacomputerisnolongerabletoauthenticatewiththedomain.Examplesofsuchscenariosincludethefollowing:

Afterreinstallingtheoperatingsystemonaworkstation,theworkstationisunabletoauthenticate,eventhoughthetechnicianusedthesamecomputername.BecausethenewinstallationgeneratedanewSIDandbecausethenewcomputerdoesnotknowthecomputeraccountpasswordinthedomain,itdoesnotbelongtothedomainandcannotauthenticatetothedomain.

Acomputeriscompletelyrestoredfrombackupandisunabletoauthenticate.Itislikelythatthecomputerchangeditspasswordwiththedomainafterthebackupoperation.Computerschangetheirpasswordsevery30days,andActiveDirectoryremembersthecurrentandpreviouspassword.Iftherestoreoperationrestoredthecomputerwithasignificantlyoutdatedpassword,thecomputerwillnotbeabletoauthenticate.

AcomputersLSAsecretgetsoutofsynchronizationwiththepasswordknownbythedomain.Youcanthinkofthisasthecomputerforgettingitspasswordalthoughitdidnotforgetitspassword,itjustdisagreeswiththedomainoverwhatthepasswordreallyis.Whenthishappens,thecomputercannotauthenticateandthesecurechannelcannotbecreated.



Recognize Computer Account Problems

Themostcommonsignsofcomputeraccountproblemsarethefollowing:

Messagesatlogonindicatethatadomaincontrollercannotbecontacted,thatthecomputeraccountmightbemissing,thatthepasswordonthecomputeraccountisincorrect,orthatthetrustrelationship(anotherwayofsayingthesecurerelationship)betweenthecomputerandthedomainhasbeenlost.Anexampleisshownhere.

Errormessagesoreventsintheeventlogindicatesimilarproblemsorsuggestthatpasswords,trusts,securechannels,orrelationshipswiththedomainoradomain



controllerhavefailed.OnesucherrorisNETLOGONEventID3210:FailedToAuthenticate,whichappearsinthecomputer'seventlog.

AcomputeraccountismissinginActiveDirectory.

Reset a Computer Account

Whenthesecurechannelfails,youmustresetthesecurechannel.Manyadministratorsdosobyremovingthecomputerfromthedomain,puttingitinaworkgroup,andthenrejoiningthedomain.Thisisnotagoodpracticebecauseithasthepotentialtodeletethecomputeraccountaltogether,whichlosesthecomputersSID,andmoreimportantly,itsgroupmemberships.Whenyourejointhedomain,



eventhoughthecomputerhasthesamename,theaccounthasanewSID,andallthegroupmembershipsofthepreviouscomputerobjectmustberecreated.

Do not remove a computer from the domain and rejoin it.

Ifthetrustwiththedomainhasbeenlost,donotremoveacomputerfromthedomainandrejoinit.Instead,resetthesecurechannel.

Toresetthesecurechannelbetweenadomainmemberandthedomain,usetheActiveDirectoryUsersandComputerssnapin,DSMod.exe,NetDom.exe,orNLTest.exe.Ifyouresettheaccount,thecomputersSIDremainsthesameanditmaintainsitsgroupmemberships.

ToresetthesecurechannelbyusingtheActiveDirectoryUsersandComputerssnapin:

1. Rightclickacomputer,andthenclickResetAccount.

2. ClickYestoconfirmyourchoice.

3. Rejointhecomputertothedomain,andthenrestartthecomputer.

ToresetthesecurechannelbyusingDSMod:



1. Typethefollowingcommand.

dsmod computer "ComputerDN" reset.

2. Rejointhecomputertothedomain,andthenrestartthecomputer.

ToresetthesecurechannelbyusingNetDom:

Typethefollowingcommand,

netdom reset MachineName /domain DomainName /UserO UserName/PasswordO {Password | *}

wherethecredentialsbelongtothelocalAdministratorsgroupofthecomputer.

Thiscommandresetsthesecurechannelbyattemptingtoresetthepasswordonboththecomputerandthedomain,soitdoesnotrequirerejoiningorrebooting.

ToresetthesecurechannelbyusingNLTest,onthecomputerthathaslostitstrust,typethefollowingcommand.



NLTEST /SERVER:SERVERNAME /SC_RESET:DOMAIN\DOMAINCONTROLLER

Forexample,thefollowingcommand,likeNetDom,attemptstoresetthesecurechannelbyresettingthepasswordonboththecomputerandinthedomain,soitdoesnotrequirerejoiningorrestarting.

nltest /server:NYC-SVR2 /sc_reset:CONTOSO\NYC-SVR2

BecauseNLTestandNetDomresetthesecurechannelwithoutrequiringareboot,youshouldtrythosecommandsfirst.OnlyifthosearenotsuccessfulshouldyouusetheResetAccountcommandorDSModtoresetthecomputeraccount.


YoucanalsouseWindowsPowerShellwithActiveDirectoryModuletoresetacomputeraccount.Thefollowingexampledemonstrateshowtoresetthesecurechannelbetweenthelocalcomputerandthedomaintowhichitisjoined.Youmustrunthiscommandonthelocalcomputer.

Test-ComputerSecureChannel Repair



ForafullexplanationoftheparametersthatyoucanpasstoTestComputerSeureChannel,attheActiveDirectoryModulecommandprompt,typeGetHelpTestComputerSecureChanneldetailed,andthenpressEnter.

Rename a Computer

Whenyourenameacomputer,youmustbecarefultodoitcorrectly.Rememberthatthecomputerusesitsnametoauthenticatewiththedomain,soifyourenameonlythedomainobject,oronlythecomputeritself,theywillbeoutofsynch.Youmustrenamethecomputerinsuchawaythatboththecomputerandthedomainobject



arechanged.

Youcanrenameacomputercorrectlybyloggingontothecomputer,eitherlocallyorwitharemotedesktopsession.

1. OpenSystemPropertiesfromControlPanel.

2. IntheComputername,domain,andworkgroupsettingssection,clickChangeSettings.

3. IfyouarepromptedbyUserAccountControl,clickContinue.

4. ClicktheComputerNametab.

5. ClicktheChangebutton.

6. TypethenewnameandclickOKtwicetoclosethedialogboxes.

7. Restartthecomputertoallowthechangetotakeeffect.

Fromthecommandprompt,youcanusetheNetDomcommand,withthefollowingsyntax.

netdom renamecomputer MachineName /NewName:NewName[/UserO:LocalUsername] [/PasswordO:{LocalPassword|*} ]



[/UserD:DomainUsername] [/PasswordD:{DomainPassword|*} ][/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]

Inadditiontospecifyingthemachinetorename(MachineName)andthedesirednewname(NewName),youmusthavecredentialsthatareamemberofthelocalAdministratorsgrouponthecomputerandcredentialsthathavepermissiontorenamethedomaincomputerobject.Bydefault,NetDomwillusethecredentialswithwhichthecommandisrun.Youcanspecifycredentialsbyusing/UserOand/PasswordOforthecredentialsinthecomputerslocalAdministratorsgroup,and/UserDand/PasswordDforthedomaincredentialswithpermissiontorenamethecomputerobject.Specifying*forthepasswordcausesNetDom.exetopromptforthepasswordatthecommandprompt.The/SecurePasswordPromptoptiondisplaysapopupforcredentialswhen*isspecifiedforeither/PasswordOor/PasswordD.Afteryourenameacomputer,youmustrebootthecomputer.The/REBootoptioncausesthesystemtorebootafter30seconds,unlessotherwisespecifiedbyTimeInSeconds.

Whenyourenameacomputer,youcanadverselyaffectservicesrunningonthecomputer.Forexample,ActiveDirectoryCertificateServices(ADCS)reliesontheserversname.Becertaintoconsidertheimpactofrenamingacomputerbeforedoingso.Donotusethesemethodstorenameadomaincontroller.

NoteThecontentinthefollowingsectionisspecifictoWindowsServer2008R2.



ItisalsopossibletouseWindowsPowerShellwithActiveDirectoryModuletorenameacomputer.YoucanusethisapproachtochangethelocalcomputernameandtochangetheActiveDirectorycomputerobjectname.Thefollowingexampledemonstrateshowtorenamethelocaldomainjoinedcomputeronwhichthecommandisbeingrun.Thiscommandmustberunonthelocalcomputer.

ReName-Computer -NCN MyComputer

Thesecondexampleshowshowtochangethenameofcomputerobjectnamed,Server1,intheManagedComputersOUinthecontoso.comdomain.

Rename-ADObjectCN=fabrikamsrv1,OU=ManagedComputers,DC=Fabrikam,DC=com NewNamefabrikamsrv3

Disable and Enable a Computer



Ifacomputeristakenofflineorisnottobeusedforanextendedperiodoftime,youshouldconsiderdisablingtheaccount.Thisrecommendationreflectsthesecurityprinciplethatanidentitystoreshouldallowauthenticationonlyoftheminimumnumberofaccountsrequiredtoachievethegoalsofanorganization.DisablingtheaccountdoesnotmodifythecomputersSIDorgroupmembership,sowhenthecomputerisbroughtbackonline,theaccountcanbeenabled.

TodisableacomputerintheActiveDirectoryUsersandComputerssnapin,rightclickthecomputer,andthenclickDisableAccount.

AdisabledaccountappearswithadownarrowiconintheActiveDirectoryUsersAndComputerssnapin,asshownhere:



Whileanaccountisdisabled,thecomputercannotcreateasecurechannelwiththedomain.Theresultisthatuserswhohavenotpreviouslyloggedontothecomputer,andwhothereforedonothavecachedcredentialsonthecomputer,willbeunabletologonuntilthesecurechannelisreestablishedbyenablingtheaccount.

Toenableacomputeraccount,rightclickthecomputer,andthenclickEnableAccount.

Todisableorenableacomputerfromthecommandprompt,usetheDSModcommand.Thesyntaxusedtodisableorenablecomputersisasfollows.

dsmod computer ComputerDN -disabled yes dsmod computerComputerDN -disabled no

Delete and Recycle Computer Accounts



Youhavelearnedthateachcomputeraccount,likeeachuseraccount,maintainsauniqueSID,whichenablesanadministratortograntpermissionstocomputers.Also,likeuseraccounts,computerscanbelongtogroups.Therefore,itisimportanttounderstandtheeffectofdeletingacomputeraccount.Whenacomputeraccountisdeleted,itsgroupmembershipsandSIDarelost.Ifthedeletionisaccidental,andanothercomputeraccountiscreatedwiththesamename,itisnonethelessanewaccount,withanewSID.Groupmembershipsmustbereestablished,andanypermissionassignedtothedeletedcomputermustbereassignedtothenewaccount.Deletecomputerobjectsonlywhenyouarecertainthatyounolongerrequirethosesecurityrelatedattributesoftheobject.

TodeleteacomputeraccountbyusingActiveDirectoryUsersandComputers,



performthefollowingsteps:

1. Rightclickthecomputerobject,andthenclickDelete.

Youarepromptedtoconfirmthedeletion,andbecausedeletionisnotreversible,thedefaultresponsetothepromptisNo.

2. ClickYestodeletetheobject.

TheDSRmcommandallowsyoutodeleteacomputerobjectfromthecommandprompt.TodeleteacomputerwithDSRm,typethefollowingcommand.

dsrm ObjectDN

WhereObjectDNisthedistinguishednameofthecomputer,suchasCN=Desktop154,OU=NYC,OU=ClientComputers,DC=contoso,DC=com.Again,youwillbepromptedtoconfirmthedeletion.

Recycling Computers

IfacomputeraccountsgroupmembershipsandSID,andthepermissionsassignedtothatSID,areimportanttotheoperationsofadomain,youdonotwanttodeletethataccount.Sowhatwouldyoudoifacomputerwasreplacedwithanewsystem,



withupgradedhardware?Thatisanotherscenarioinwhichyouwouldresetacomputeraccount.

Resettingacomputeraccountresetsitspassword,butmaintainsallofthecomputerobjectsproperties.Witharesetpassword,theaccountbecomes,ineffect,availableforuse.Anycomputercanthenjointhedomainusingthataccount,includingtheupgradedsystem.Ineffect,youverecycledthecomputeraccount,assigningittoanewpieceofhardware.Youcanevenrenametheaccount.TheSIDandgroupmembershipsremainthesame.

Asyoulearnedearlierinthislesson,theResetAccountcommandisavailableinthecontextmenuwhenyourightclickacomputerobject.TheDSModcommandcanalsobeusedtoresetacomputeraccount,whenyoutypedsmodcomputer"ComputerDN"reset.

Lab B: Administer Computer Objects and Accounts



Lab Setup

ThevirtualmachinesshouldalreadybestartedandavailableaftercompletingLabA.However,iftheyarenot,youshouldcompletesteps1to3andthenstepthroughexercises1to3inLabAbeforecontinuing.YouwillbeunabletosuccessfullycompleteLabBunlessyouhavecompletedLabA.

1. Start6425CNYCDC1.

2. LogontoNYCDC1asPat.Coleman.admin,withthepassword,Pa$$w0rd.

3. Start6425CNYCSVR2.Donotlogonuntildirectedtodoso.



Lab Scenario

YouareanadministratorforContoso,Ltd.Duringasecurityaudit,anumberofcomputeraccountswerediscovered.Thosecomputersnolongerexistinthedomain.Youvebeentaskedwithimprovingthemanagementofcomputeraccounts,andidentifyingthebestpracticesforadministeringtheentirelifecycleofacomputeraccount.

Exercise 1: Administer Computer Objects Through Their Life Cycle

Inthisexercise,youwillconfigurecommonattributesofcomputerobjects,includingdescriptionandManagedBy.YouwillalsomanagethegroupmembershipofcomputersandmovecomputersbetweenOUs.


1. Configurecomputerobjectattributes.

2. Addcomputerstosoftwaremanagementgroups.

3. MoveacomputerbetweenOUs.

4. Disable,enable,anddeletecomputers.

Task 1: Configure computer object attributes.



1. OnNYCDC1,runActiveDirectoryUsersandComputersasanadministrator,withtheusername,Pat.Coleman_Admin,andthepassword,Pa$$w0rd.

2. IntheClientComputers\SEAOU,usetheManagedBytabofcomputerobjectstoassignLNO8538toLindaMitchellandLOT9179toScottMitchell.

3. BecauseScottandLindaMitchellwilloccasionallyuseeachother'scomputer,usemultiselecttochangethedescriptionofbothLNO8538andLOT9179toScottandLindaMitchell.

Task 2: Add computers to software management groups.

MicrosoftOfficeProjectisrequiredonbothScott'sandLinda'scomputers.Contoso,Ltd.usessecuritygroupsascollectionsforscopingthedeploymentofsoftware.Youwilladdeachoftheircomputerstothegroup,APP_Project,byusingtwodifferentmethods.

Method1

1. IntheClientComputers\SEAOU,rightclickLOT9179,andthenclickAddtoagroup.



2. TypeAPP_andpressEnter.

TheMultipleItemsFounddialogboxappears.

3. ClickAPP_Project,andthenclickOK.

Amessageappears:TheAddtoGroupoperationwassuccessfullycompleted.

4. ClickOK.

Method2

1. Intheconsoletree,expandtheGroupsOU,andthenclickApplication.

2. RightclickAPP_Project,andthenclickProperties.

3. ClicktheMemberstab.

4. ClickAdd.

5. TypeLNO8538andpressEnter.

TheNameNotFounddialogboxappears.

Bydefault,theSelectUsers,Computers,orGroupsinterfacedoesnotsearchforcomputerobjects.

6. ClickObjectTypes.



7. SelectthecheckboxnexttoComputers,andthenclickOK.

8. ClickOKtoclosetheNameNotFounddialogbox.

BothcomputerscannowbeseenontheMemberstab.

9. ClickOK.

Task 3: Move a computer between OUs.

ScottandLindaarerelocatingtotheVancouveroffice.YouwillmovetheircomputerstothenewOUbyusingtwodifferentmethods.

Method1

1. IntheClientComputers\SEAOU,clickLOT9179.

2. DragLOT9179intotheVANOU,visibleintheconsoletree.

AmessageappearsthatremindsyoutobecarefulaboutmovingobjectsinActiveDirectory.

3. ClickYes.



Method2

4. RightclickLNO8538,andthenclickMove.

TheMovedialogboxappears.

5. Intheconsoletree,expandClientComputers,andthenclickVAN.

6. ClickOK.

Task 4: Disable, enable, and delete computers.

1. IntheClientComputers\SEAOU,disable,andthenenabletheaccountforDEP6152.

2. DeletetheaccountforDEP6152.

Result:Inthisexercise,youaddedcomputerstosoftwaremanagementgroups,movedacomputerbetweenOUs,anddeletedacomputer..

Exercise 2: Administer and Troubleshoot Computer Accounts



Inthisexercise,youwilladministerandtroubleshootcomputeraccountsandthesecurechannel.


1. Resetacomputeraccount.

2. Experienceasecurechannelproblem.

3. Resetthesecurechannel.

Task 1: Reset a computer account.

Recently,ScottMitchell'scomputerrequiredreinstallation.ThenamingconventionatContoso,Ltd.istousethenameofacomputerobjectasitsassettag,assignedbytheITinventoryteam.BecauseScottreinstalledhiscomputeronthesamepieceofhardware,thecomputernameisthesame:LOT9179.Henowwantstojointhemachinetothedomain,butthereisalreadyanaccountforLOT9179,andtheaccountisamemberofgroupsthatensurethecorrectsoftware(includingMicrosoftOfficeProject)andconfigurationareappliedtothesystem.Therefore,itisimportantthattheaccountnotbedeleted,sothatgroupmembershipscanberetained.

IntheClientComputers\VANOU,resettheaccountforLOT9179.



YoucouldnowjoinScott'sreinstalledcomputertothedomain.

Task 2: Experience a secure channel problem.

1. LogontoNYCSVR2asPat.Coleman,withthepassword,Pa$$w0rd.Afterthedesktopappears,logoff.

2. To"break"thesecurechannel,useActiveDirectoryUsersandComputersonNYCDC1toresettheaccountforNYCSVR2.

3. AttempttologontoNYCSVR2asPat.Coleman,withthepassword,Pa$$w0rd.

Task 3: Reset the secure channel.

Tosolveabrokentrustrelationshipbetweenadomainmemberandthedomain,youcanresetthecomputer'saccount,movethecomputerintoaworkgroup,andthenrejointhedomain.

ResetthecomputeraccountforNYCSVR2.

Afterresettingthesecurechannel,youcouldmoveNYCSVR2intoaworkgroup,andthenrejointhedomain.Itwilljoinitsresetaccount,therebyretainingitsgroup



memberships.Donotperformthatstepatthistime.

Result:Inthisexercise,youresolvedsecurechannelissues..

Lab Review Question

Question:Whatinsightsdidyougainintotheissuesandproceduresregardingcomputeraccountsandadministeringcomputeraccountsthroughtheirlifecycle?

Lesson 3: Offline Domain Join



OfflineDomainJoinisanewfunctionalityspecifictoWindowsServer2008R2.Thisfunctionalityenablesadministratorstojoincomputerstodomainwithoutnetworkconnectivity.InthislessonyouwilllearnhowOfflineDomainJoinworksandhowtouseit.

Objectives

Aftercompletingthislessonyouwillbeableto:

DescribeOfflineDomainJoin.

DescribetheprocessforperforminganOfflineDomainJoin.



PerformanOfflineDomainJoin.

NoteThecontentinthislessonisspecifictoWindowsServer2008R2.

What Is an Offline Domain Join?

InearlierWindowsversions,itwasmandatorytohaveanetworkconnectiontoadomaincontrollertojoinacomputertotheActiveDirectorydomain.Insomescenarios,thiscanbealimitation.Forexample,ifyouneedtoperformafullprovision



ofcomputersthatarecurrentlynotconnectedtoanetwork,ornotlocatedinthesameplaceasdomaincontrollers,youcannotcompletetheprocessunlessyoujointhecomputerstoadomain,andrestartthemoncemoreafternetworkconnectionsareestablished.

OfflineDomainJoinisanewfunctionalityinWindowsServer2008R2andWindows7thatallowsyoutojoinacomputertodomainwithoutactuallybeingconnectedtothenetworkwherethedomaincontrollerresides.Infact,allpreparationstepsareperformedonadomaincontrollerandacomputerwhileitisstilloffline.Afteritgetsconnectedtoanetwork,atrustrelationshipwiththedomainisestablishedwithoutanyuserintervention.Noadditionalrestartisnecessarytocompletethedomainjoin.Thishelpsreducethetimeandeffortrequiredtocompletealargescalecomputerdeploymentinplacessuchasdatacenters.

YoucanalsobenefitfromtheOfflineDomainJoinfeatureifyouaredeployingvirtualmachines.OfflineDomainJoinmakesitpossibleforyoutojointhevirtualmachinestothedomainwhentheyinitiallystartfollowingtheoperatingsysteminstallation.Noadditionalrestartisrequiredtocompletethedomainjoin.Thiscansignificantlyreducetheoveralltimerequiredforwidescalevirtualmachinedeployments.

ToperformanOfflineDomainJoin,youdonothavetohavedomaincontrollersrunningonWindowsServer2008R2,ItisalsonotmandatorytohavethedomainorforestintheWindowsServer2008functionalmode.Theonlyessentialrequirementforusingthismethodisthatthemachineusedforprovisioningandthemachine



beingprovisionedmusthaveWindows7orWindowsServer2008R2.

.

Process for Performing an Offline Domain Join

ToperformanOfflineDomainJoin,youmustuseanewcommandlineutilitynamed,Djoin.exe.ThisutilityisusedtobothprovisioncomputeraccountsintoADDSandforinsertingdomaindataintotheoperatingsystemofthecomputerthatisbeingjoinedtothedomainbyusingthismethod.

Performing an Offline Join by Using Djoin.exe



Djoin.exeperformsthefollowingtasks:

ProvisionsanewcomputeraccountintoADDS.Thisprecreatesacomputeraccountandsetsituptobeconnectedatalaterdate.

Generatesatextfile(ablob)thatcontainsinformationthatisnecessaryforanOfflineDomainJoin.Theblobcontainsthemachineaccountpasswordandotherinformationaboutthedomain,includingthedomainname,thenameofadomaincontroller,theSIDofthedomain,andsoon

Insertsthedataprovidedintheblobintotheoperatingsystemofthecomputerbeingjoinedtothedomain

Prerequisites for Performing an Offline Join

ThecomputeronwhichyourunDjoin.exetoprovisioncomputeraccountdataintoADDSmustberunningWindows7orWindowsServer2008R2.ThecomputerthatyouwanttojointothedomainmustalsoberunningWindows7orWindowsServer2008R2.

ItisnotmandatorythatyouperformanOfflineDomainJoinrightafteryouprovisionacomputeraccountintoADDS.Youcandoitatanytimelater.

ToperformanOfflineDomainJoin,youmusthavetherightsthatarenecessarytojoinworkstationstothedomainandtocreatecomputeraccountsinthedomain.



MembersoftheDomainAdminsgrouphavetheserightsbydefault.IfyouarenotamemberoftheDomainAdminsgroup,amemberoftheDomainAdminsgroupmustdelegateyoutherighttojoincomputerstothedomainbyusingGroupPolicyorbyeditinganACLofthecontainerwherethecomputeraccountwillbestored.

Djoin.exeshouldberunatanelevatedcommandprompttoprovisionthecomputeraccountmetadata.Whenyouruntheprovisioningcommand,thecomputeraccountmetadataiscreatedina.txtfilethatyouspecifyaspartofthecommand.Afteryouruntheprovisioningcommand,youcaneitherrunDjoin.exeagaintorequestthecomputeraccountmetadataandinsertitintotheWindowsdirectoryofthedestinationcomputer,oryoucansavethecomputeraccountmetadataintheUnattend.xmlfileandthenspecifytheUnattend.xmlfileduringanunattendedoperatingsysteminstallationofthedestinationcomputer.

Offline Domain Join Process

TheOfflineDomainJoinprocessincludesthefollowingsteps:

1. Runthedjoin.exe/provisioncommandtocreatethecomputeraccountmetadataforthedestinationcomputer(thecomputerthatyouwanttojointothedomain).Aspartofthiscommand,youmustspecifythenameofthedomainthatyouwantthecomputertojoinandthenameofthecomputer,asfollows.

djoin /provision /domain contoso.com /machine DESKTOP123/savefile C:\desktop123.txt



Afterperformingthisstep,acomputeraccountnamed,DESKTOP123,willbeprovisionedtoADDS,andablobfilenameddesktop123.txtwillbecreated.Nowyouhavetotransferthisfiletothecomputerthatisbeingjoinedtothedomain.

NoteThebase64encodedmetadatablobthatiscreatedbytheprovisioningcommandcontainsverysensitivedata.Itshouldbetreatedjustassecurelyasaplaintextpassword.

2. Runthedjoin.exe/requestODJcommandtoinsertthecomputeraccountmetadataintotheWindowsdirectoryofthedestinationcomputer,asfollows.

djoin /requestODJ /loadfile desktop123.txt /windowspath%SystemRoot% /localos

3. Whenyoustartthedestinationcomputer,eitherasavirtualmachineorafteracompleteoperatingsysteminstallation,thecomputerwillbejoinedtothedomainthatyouspecify.



Theswitch/localosfromthepreviouscommandisusedonlyifyouperformadjoinoperationonthecomputerthatyouarejoiningtothedomain.However,ifduringtheprovisioningprocess,youaremountingsystemharddrives(virtualorphysical)fromthecomputersthatyouareprovisioning,youshouldnotusethe/localosswitch.

NoteUsingdeploymenttoolssuchasWindowsSystemImageManager,youcanperformanunattendeddomainjoinduringanoperatingsysteminstallationbyprovidinginformationthatisrelevanttothedomainjoininanUnattend.xmlfile.UsingthesameUnattend.xmlfile,youcansupplytheinformationthatisnecessaryforthecomputersthatrunWindows7andWindowsServer2008R2toperformanOfflineDomainJoin.

Question:Whatisthecontentofthetextfilethatiscreatedduringadjoinprovisioningprocess?

Demonstration: Perform an Offline Domain Join



Inthisdemonstration,yourinstructorwillshowyouhowtoperformanOfflineDomainJoin.

Demonstration Steps

Provisionanewcomputeraccountcalled,NYCCL2,inthecontosodomainbyusingthedjoinutility.

Lab C: Perform an Offline Domain Join



Lab Setup

Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubeginthelab,youmust:

1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthenclickHyperVManager.

2. Ensurethatthe6425CNYCDC1virtualmachineisrunning.

3. Logonto6425CNYCDC1byusingthefollowingcredentials:

Username:Pat.Coleman_Admin



Password:Pa$$w0rd

Domain:Contoso

4. Startthe6425CNYCCL2virtualmachine.Donotlogontotheclientmachineuntildirectedtodoso.

Lab Scenario

YouareanadministratorforContoso,Ltd.Youmustprovisionalargenumberofnewcomputersinashortperiodoftime.Notallcomputerscanhavenetworkconnectivity,soyouhavedecidedtoleveragetheOfflineDomainJoinfunctionality.Inthislab,youwilltestthisfunctionalityononevirtualmachine.

Exercise: Perform an Offline Domain Join

Inthisexercise,youwillperformanOfflineDomainJoin.


1. Ensurethattheclientcomputerisnotjoinedtothedomain.

2. ProvisionacomputeraccountandperformanOfflineDomainJoin.



Task 1: Ensure that the client computer is not joined to the domain.

1. LogontoNYCCL2asAdmin,withthepassword,Pa$$w0rd.

2. OpenSystemPropertiesandensurethatthecomputerisjoinedtoaworkgroup,insteadofadomain

Task 2: Provision a computer account and perform an Offline Domain Join

1. OnNYCDC1,openacommandpromptusingadministrativecredentialsandusedjoin.exetoprovisionanewcomputeraccounttoADDSbytypingthefollowingcommand.

djoin /provision /domain contoso.com /machine NYC-CL2/savefile C:\NYC-CL2.txt

2. OpenActiveDirectoryUsersandComputersandverifythattheNYCCL2machinehasbeenprovisionedintheComputerscontainer.

3. OnNYCCL2,createafoldercalled

Documents

Module 5_ Managing Computer Accounts