Joining a Computer to a Domain







Problem

You want to join a computer to a domain after the computer object has already been created in Active Directory.

Solution

Using a graphical user interface
  1. Log on to the computer you want to join to the domain and open the Control Panel.

  2. Open the System applet.

  3. Click the Computer Name tab.

  4. Click the Change button.

  5. Under "Member of," select Domain.

  6. Enter the domain you want to join and click OK.

  7. You may be prompted to enter credentials that grant permission to join the computer.

  8. Reboot the computer.

    Note that the tabs in the System applet vary between Windows 2000, Windows XP, and Windows Server 2003.

Using a command-line interface
	> netdom join <ComputerName> /Domain:<DomainName> /UserD:<DomainUserUPN> /PasswordD:* /UserO:<ComputerAdminUser> /PasswordO:* /Reboot

Using VBScript
	' This code joins a computer to a domain.
	' ------ SCRIPT CONFIGURATION ------
	strComputer     = "<ComputerName>"      ' e.g. joe-xp
	strDomain       = "<DomainName>"        ' e.g. rallencorp.com
	strDomainUser   = "<DomainUserUPN>"     ' UPN, i.e. user@domain form
	strDomainPasswd = "<DomainUserPasswd>"
	strLocalUser    = "<ComputerAdminUser>" ' e.g. administrator
	strLocalPasswd  = "<ComputerUserPasswd>"
	' ------ END CONFIGURATION ---------

	'########################
	' Constants
	'########################
	Const JOIN_DOMAIN             = 1
	Const ACCT_CREATE             = 2
	Const ACCT_DELETE             = 4
	Const WIN9X_UPGRADE           = 16
	Const DOMAIN_JOIN_IF_JOINED   = 32
	Const JOIN_UNSECURE           = 64
	Const MACHINE_PASSWORD_PASSED = 128
	Const DEFERRED_SPN_SET        = 256
	Const INSTALL_INVOCATION      = 262144

	'###########################
	' Connect to Computer
	'###########################
	set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
	objWMILocator.Security_.AuthenticationLevel = 6
	set objWMIComputer = objWMILocator.ConnectServer(strComputer,  _
	                                                 "root\cimv2", _
	                                                 strLocalUser, _
	                                                 strLocalPasswd)
	set objWMIComputerSystem = objWMIComputer.Get( _
	                               "Win32_ComputerSystem.Name='" & _
	                               strComputer & "'")

	'###########################
	' Join Computer
	'###########################
	rc = objWMIComputerSystem.JoinDomainOrWorkGroup(strDomain, _
	                                                strDomainPasswd, _
	                                                strDomainUser, _
	                                                vbNullString, _
	                                                JOIN_DOMAIN)
	if rc <> 0 then
	    WScript.Echo "Join failed with error: " & rc
	else
	    WScript.Echo "Successfully joined " & strComputer & " to " & strDomain
	end if

Discussion

When trying to add a computer to Active Directory, you can either precreate the computer object as described in Recipes 8.1 and 8.2 before joining it to the domain, or you can perform both operations at the same time.

Using a graphical user interface

If you have the correct permissions in Active Directory, you can actually create a computer object at the same time as you join it to a domain via the instructions described in the GUI solution. Since the System applet doesn't allow you to specify an OU for the computer object, if it needs to create a computer object, it will do so in the default Computers container. See Recipe 8.15 for more information on the default computers container and how to change it.

Using a command-line interface

The netdom command will attempt to create a computer object for the computer during a join if one does not already exist. An optional /OU switch can be added to specify the OU in which to create the computer object. To do so, you'll need to have the necessary permissions to create and manage computer objects in the OU.

There are some restrictions on running the netdom join command remotely. If a Windows XP machine has the ForceGuest security policy setting enabled, you cannot join it remotely. Running the netdom command directly on the machine works regardless of the ForceGuest setting.

Using VBScript

In order for the Win32_ComputerSystem::JoinDomainOrWorkGroup method to work remotely, you have to use an AuthenticationLevel equal to 6 so that the traffic between the two machines (namely the passwords) is encrypted. You can also create computer objects using JoinDomainOrWorkGroup by using the ACCT_CREATE flag in combination with JOIN_DOMAIN.

This function works only with Windows XP and Windows Server 2003 and is not available for Windows 2000 and earlier machines.


Just like with the netdom utility, you cannot run this script against a remote computer if that computer has the ForceGuest setting enabled.
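
The ACCT_CREATE variant mentioned above, as an added example that is not part of the original recipe: it creates the computer object in a given OU, reads both passwords at the console instead of storing them in the script, and falls back to a plain join when the object was precreated. <ComputerOUDN> is a placeholder for the OU's distinguished name, the retry on error 2224 is an assumption about how an existing object should be handled, and ScriptPW.Password is assumed to be available (Windows XP and Windows Server 2003, run under cscript.exe).

```vbscript
' Added example, not part of the original recipe. Run with cscript.exe.
Option Explicit
Const JOIN_DOMAIN = 1
Const ACCT_CREATE = 2
Const PKT_PRIVACY = 6             ' AuthenticationLevel used by the recipe

Dim strComputer, strDomain, strOU, strDomainUser, strLocalUser
strComputer   = "<ComputerName>"
strDomain     = "<DomainName>"
strOU         = "<ComputerOUDN>"  ' placeholder: DN of the target OU
strDomainUser = "<DomainUserUPN>"
strLocalUser  = "<ComputerAdminUser>"

' Read a password from the console without echoing it (XP/2003 component)
Function ReadSecret(strPrompt)
    Dim objPw
    Set objPw = CreateObject("ScriptPW.Password")
    WScript.StdOut.Write strPrompt
    ReadSecret = objPw.GetPassword()
    WScript.StdOut.WriteLine
End Function

' Translate the Win32 error codes most often seen on a failed join
Function Explain(lngCode)
    Select Case lngCode
        Case 0    : Explain = "success"
        Case 5    : Explain = "access denied"
        Case 1326 : Explain = "logon failure: bad user name or password"
        Case 1355 : Explain = "domain does not exist or could not be contacted"
        Case 2224 : Explain = "account already exists"
        Case 2691 : Explain = "machine is already joined to the domain"
        Case Else : Explain = "see the Win32 error code reference"
    End Select
End Function

Dim objLocator, objWMI, objCS, strDomainPasswd, rc
Set objLocator = CreateObject("WbemScripting.SWbemLocator")
objLocator.Security_.AuthenticationLevel = PKT_PRIVACY
Set objWMI = objLocator.ConnectServer(strComputer, "root\cimv2", _
                 strLocalUser, ReadSecret("Local admin password: "))
Set objCS = objWMI.Get("Win32_ComputerSystem.Name='" & strComputer & "'")
strDomainPasswd = ReadSecret("Domain user password: ")
rc = objCS.JoinDomainOrWorkGroup(strDomain, strDomainPasswd, strDomainUser, _
                                 strOU, JOIN_DOMAIN + ACCT_CREATE)
If rc = 2224 Then   ' assumption: object was precreated, so join to it instead
    rc = objCS.JoinDomainOrWorkGroup(strDomain, strDomainPasswd, _
                         strDomainUser, vbNullString, JOIN_DOMAIN)
End If
WScript.Echo "Join result " & rc & ": " & Explain(rc)
```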

See Also

More information on the ForceGuest setting can be found here: http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/prde_ffs_ypuh.asp. See also MS KB 238793 (Enhanced Security Joining or Resetting Machine Account in Windows 2000 Domain), MS KB 251335 (Domain Users Cannot Join Workstation or Server to a Domain), MS KB 290403 (How to Set Security in Windows XP Professional That Is Installed in a Workgroup), MSDN: Win32_ComputerSystem::JoinDomainOrWorkGroup, and MSDN: NetJoinDomain.


