Module 5: Managing Computer Accounts
Contents:
Lesson 1: Create Computers and Join the Domain
Lab A: Create Computers and Join the Domain
Lesson 2: Administer Computer Objects and Accounts
Lab B: Administer Computer Objects and Accounts
Lesson 3: Offline Domain Join
Lab C: Perform an Offline Domain Join
Module Overview
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=7&FontSize=3&FontType=segoe
1/99
07/06/13
Computers in a domain are security principals, like users. They have an account with a logon name and password that Windows changes automatically every 30 days or so. They authenticate with the domain. They can belong to groups, have access to resources, and be configured by Group Policy. In addition, like users, computers sometimes lose track of their passwords, require a reset, or have accounts that need to be disabled or enabled.

Managing computers, both the objects in Active Directory and the physical devices, is one of the day-to-day tasks of most IT professionals. New systems are added to your organization, computers are taken offline for repairs, machines are exchanged between users or roles, and older equipment is retired or upgraded, leading to an excess of replacement systems. Each of these activities requires managing the identity of the computer represented by its object, or account, in Active Directory. Unfortunately, most enterprises do not invest the same kind of care and process in the creation and management of computer accounts as they do for user accounts, even though both are security principals. In this module, you will learn how to create computer objects, which include attributes that are required for the objects to be accounts. You will learn how to support computer accounts through their life cycle, including configuring, troubleshooting, repairing, and deprovisioning computer objects. You will also deepen your understanding of the process through which a computer joins a domain, so that you can identify and avoid potential points of failure. In the third lesson of this module, you will be introduced to a new feature of Windows Server 2008 R2 Active Directory, called Offline Domain Join. This feature enables administrators to join computers to a domain even if the computers do not have a connection to the corporate network.
Objectives
After completing this module, you will be able to:
- Create computer accounts and join them to a domain.
- Administer computer objects and accounts by using the Windows interface and command-line tools.
- Describe and perform the Offline Domain Join process.
you will learn the steps to prepare the domain for a new computer account, and you will explore the process through which a computer joins the domain.
Objectives
After completing this lesson, you will be able to:
- Understand the relationship between a domain member and the domain, in terms of identity and access.
- Identify the requirements for joining a computer to the domain.
- Prestage a computer account.
- Join a computer to the domain.
- Redirect the default computer container.
- Prevent non-administrative users from creating computers and joining the domain.
- Use command-line tools to import, create, and join computers.
In a workgroup, each system maintains an identity store of user and group accounts against which users can be authenticated and access can begin. The local identity store on each computer is called the Security Accounts Manager (SAM) database. If a user logs on to a workgroup machine, the system authenticates the user against its local SAM database. If a user connects to another system to access a shared folder, the user is reauthenticated against the identity store of the remote system and will probably be prompted to enter a new set of credentials for the remote system. From a security perspective, a workgroup computer is, for all intents and purposes, a stand-alone system.

When a computer joins a domain, it delegates the task of authenticating users to the domain. Although the computer continues to maintain its SAM database to support local user and group accounts, user accounts will typically be created in the central domain directory. When a user logs on to the computer with a domain account, the user is authenticated by a domain controller, rather than by the SAM. In other words, the computer now trusts another authority to validate a user's identity. Trust relationships are generally discussed in the context of two domains, as you will learn in another module, but there is also a trust between each domain member computer and its domain that is established when the computer joins the domain. Because all domain member computers trust the domain, they also trust each account that is authenticated by that domain. This allows users with an account in Active Directory to access resources on various servers with only one set of credentials.
The remainder of this lesson examines each of these requirements.

Note: It is not mandatory to create a computer object in the directory service, but it is highly recommended. However, many administrators join computers to a domain without first creating a computer object. When you do this, Windows attempts to join the domain to an existing object. When Windows does not find the object, it falls back and creates a computer object in the default computer container. The step of creating a computer object, either by an administrator before the join or by Windows during the join, is necessary before the computer can join the domain. It is still a requirement. It uses a different set of permissions in Active Directory (your permission to create a computer object) than the join itself, and if you do not happen to have permissions to create computer objects in the default computer container, the join will fail. The bottom line is that it is a requirement for the computer object to exist prior to the join, but Windows helps meet that requirement automatically.
Before you create a computer object in the directory service, you must have a place to put it.
and join computers to the domain using those computer objects. This is an example only. What is most important is that your OU structure reflects your administrative model so that your OUs provide single points of management for the delegation of administration.

Additionally, separate OUs allow you to create different baseline configurations using different Group Policy objects (GPOs) linked to the client and the server OUs. Group Policy, discussed in detail in another module, allows you to specify configuration for collections of computers by linking GPOs that contain configuration instructions to OUs. It is common for organizations to separate clients into desktop and laptop OUs. GPOs specifying desktop or laptop configuration can then be linked to appropriate OUs.

If your organization has decentralized, site-based administration and wants to manage unique configurations for desktops and laptops, you face a design dilemma. Should you divide your clients OU based on administration and then subdivide desktops and laptops, or should you divide your clients OU into desktop and laptop OUs, and then subdivide based on administration? The options are illustrated as follows.

Because the primary design driver for Active Directory OUs is the efficient delegation of administration through the inheritance of access control lists (ACLs) on OUs, the design on the left would be recommended.
Enter the computer name, following the naming convention of your enterprise, and select the user or group that will be allowed to join the computer to the domain with this account. The two computer names, Computer Name and Computer Name (Pre-Windows 2000), should be the same: there is very rarely, if ever, a justification for configuring them separately.

Note: The permissions that are applied to the user or group you select in the wizard are more than necessary simply to join a computer to the domain. The selected user or group is also given the ability to modify the computer object in other ways. For guidance regarding a least-privilege approach to delegating permission to join a computer to the domain, see Windows Administration Resource Kit: Productivity Solutions for IT Professionals by Dan Holme (Microsoft Press, 2008).
The process you complete to create a computer account before joining the computer
By prestaging the computer object, you fulfill the first two requirements for joining a computer to a domain: the computer object exists, and you have specified who has permissions to join a computer with the same name to the domain. Now, a local administrator of the computer can change the computer's domain membership and enter the specified domain credentials to successfully complete the process.

To join a computer to the domain, perform the following steps:
1. Log on to the computer with credentials that belong to the local Administrators group on the computer. Only local administrators can alter the domain or workgroup membership of a computer.
2. Open the System Properties dialog box by using one of the following methods:
Click OK. Windows prompts for the credentials of your user account in the domain. The domain checks to see if a computer object already exists with the name of the computer. One of the following three things happens:
- If the object exists and a computer with that name has already joined the domain, an error is returned, and you cannot join the computer to the domain.
- If the object exists and it is prestaged (a computer with the same name has not joined the domain), the domain confirms that the domain credentials you entered have permission to join the domain using that account. These permissions were discussed in the section, Prestaging a Computer Account.
- If the computer account is not prestaged, Windows checks to see if you have permissions to create a new computer object in the default computer container. If you do have permissions to create a new computer object in the default computer container, the object is created with the name of the computer. This method of joining a domain is supported for backwards compatibility, but is not recommended. We recommend that you prestage the account as indicated earlier, and as detailed in the next section, Secure Computer Creation and Joins.
permission to join a computer to that object, and then proceeds to join the system to the domain.

There are three problems with this Windows process:
- First, the computer account created automatically by Windows is placed in the default computer container, which is not where the computer object belongs in most enterprises.
- Second, you must move the computer from the default computer container into the correct OU, which is an extra step that is often forgotten.
- Third, any domain user can also do this; no domain-level administrative permissions are required. Any user can join any computer to the domain if you don't manage and secure the process. Because a computer object is a security principal, and because the creator of a computer object owns the object and can change its attributes, this exposes a potential security vulnerability.

The next sections detail these disadvantages.
lesson. If you have implemented the best practices described there, you have delegated permissions to administer computer objects in specific OUs for clients and servers. Additionally, you might have linked GPOs to those OUs to manage the configuration of these computer objects. If a new computer object is created outside of those OUs, in the default computer container, the permissions and configuration it inherits from its parent container will be different than what it should have received. You will then need to remember to move the computer from the default container to the correct OU after joining the domain.

There are two recommended steps to reduce the likelihood of this problem. First, you should attempt to always prestage computer accounts. If an account is prestaged for a computer in the correct OU, when the computer joins the domain, it will use the existing account and will be subject to the correct delegation and configuration. Second, to reduce the impact of systems being joined to the domain without a prestaged account, you should change the default computer container so that it is not the Computers container itself, but instead is an OU that is subject to appropriate delegation and configuration. For example, if you have an OU called NewClients, you can instruct Windows to use that OU as the default computer container, so that if computers are joined to the domain without prestaged accounts, the objects are created in the NewClients OU.

The redircmp.exe command is used to redirect the default computer container with the following syntax.
    redircmp "DN of OU for new computer objects"
Now, if a computer joins the domain without a prestaged computer account, Windows creates the computer object in the specified organizational unit. On this OU, you can apply some baseline GPO settings that affect all computers in the domain.

Note: The same concepts apply to the creation of user accounts. By default, if a user account is created by using a legacy practice that does not specify the OU for the account, the object is created in the default user container (CN=Users,DC=domain, by default). The redirusr.exe command can be used to redirect the default container to an actual OU that is delegated and configured appropriately. Redirusr, like redircmp, takes a single option: the distinguished name (DN) of the OU that will become the default user container.
computers to the domain without any explicit permission to do so. The 10-computer quota is configured by the ms-DS-MachineAccountQuota attribute of the domain. It allows any authenticated user to join a machine to the domain, no questions asked. This is problematic from a security perspective because computers are security principals, and the creator of a security principal has permission to manage that computer's properties. In a way, the quota is like allowing any domain user to create 10 user accounts, without any controls.

We highly recommend that you close this loophole, so that non-administrative users cannot join machines to the domain. To change the ms-DS-MachineAccountQuota attribute, perform the following steps:
1. Open the ADSI Edit MMC console from the Administrative Tools folder.
2. Right-click ADSI Edit, and then click Connect To.
3. In the Connection Point section, click Select A Well Known Naming Context, and then select Default Naming Context from the drop-down list.
4. Click OK.
5. In the console tree, expand Default Naming Context.
6. Right-click the domain folder (dc=contoso,dc=com, for example) and then click Properties.
The Authenticated Users group is also assigned the user right to add workstations to the domain, but you do not have to modify this right if you have changed the default value of the ms-DS-MachineAccountQuota attribute.

After you have changed the ms-DS-MachineAccountQuota attribute to 0, you can be assured that the only users who can join computers to the domain are those who have been specifically delegated permission to join prestaged computer objects or to create new computer objects.

After you've eliminated this loophole, you must ensure you have given appropriate administrators explicit permission to create computer objects in the correct OUs, as described in the "Delegating Permission to Create Computers" section; otherwise the following error message will appear.
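The quota change above can also be made and audited from PowerShell. The following is an added example, not code from the courseware: it reads and closes ms-DS-MachineAccountQuota, then lists the computer objects that were created under the quota, which Active Directory marks by populating the mS-DS-CreatorSID attribute. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and rights to write the domain object.

```powershell
# Added example (not from the courseware): audit and close the
# ms-DS-MachineAccountQuota loophole, then find objects created under it.
# Assumes the ActiveDirectory module and permission to modify the domain head.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    # The quota is an attribute of the domain naming context object; default is 10.
    $domainDN = (Get-ADDomain).DistinguishedName
    $domain = Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota'
    return [int]$domain.'ms-DS-MachineAccountQuota'
}

function Set-MachineAccountQuota {
    param([int]$Quota = 0)
    # Same change as the ADSI Edit procedure above, without the console.
    $domainDN = (Get-ADDomain).DistinguishedName
    Set-ADObject -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
}

function Get-QuotaCreatedComputers {
    # Active Directory populates mS-DS-CreatorSID only when a computer object is
    # created under the quota by a user who lacks Create Child permission.
    # Objects prestaged by delegated administrators leave it empty, so a populated
    # value marks an account that bypassed your delegation model and whose
    # creator still owns (and can modify) the object.
    Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated |
        Where-Object { $_.'mS-DS-CreatorSID' } |
        ForEach-Object {
            $raw = $_.'mS-DS-CreatorSID'
            # The attribute is an octet string; the module normally returns byte[].
            if ($raw -is [System.Security.Principal.SecurityIdentifier]) { $sid = $raw }
            else { $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
            try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = $sid.Value }   # creator account may have been deleted since
            New-Object PSObject -Property @{
                Name        = $_.Name
                Container   = ($_.DistinguishedName -replace '^CN=[^,]+,', '')
                CreatedBy   = $creator
                WhenCreated = $_.whenCreated
            }
        }
}

# Usage: report the current value, close the loophole, then review what was
# joined under it and move or delete those objects as your process requires.
"ms-DS-MachineAccountQuota before: $(Get-MachineAccountQuota)"
Set-MachineAccountQuota -Quota 0
"ms-DS-MachineAccountQuota after:  $(Get-MachineAccountQuota)"
Get-QuotaCreatedComputers | Sort-Object WhenCreated |
    Format-Table Name, Container, CreatedBy, WhenCreated -AutoSize
```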
Delete a computer.
    dsacls "DN of OU" /I:T /G "DOMAIN\group":DC;computer
Join a computer to the domain.
    dsacls "DN of OU" /I:S /G "DOMAIN\group":"Validated write to DNS host name";computer
    dsacls "DN of OU" /I:S /G "DOMAIN\group":"Validated write to service principal name";computer
    dsacls "DN
    csvde [-i] [-f "Filename"] [-k]
    dn: CN=FILE25,OU=File,OU=Servers,DC=contoso,DC=com
    changetype: add
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    objectClass: computer
    cn: FILE25
    userAccountControl: 4096
    sAMAccountName: FILE25$
The basic syntax of the LDIFDE command is similar to that of the CSVDE command.
    ldifde [-i] [-f "Filename"] [-k]
The DSAdd command is used to create objects in Active Directory. To create computer objects, simply type the following command.
    dsadd computer ComputerDN
Note: Content in the following section is specific to Windows Server 2008 R2.
    New-ADComputer -Name DESKTOP123 -SamAccountName DESKTOP123 -Path 'OU=ClientComputers,DC=contoso,DC=com'
For a full explanation of the parameters that you can pass to New-ADComputer, at the Active Directory module command prompt, type Get-Help New-ADComputer -detailed, and then press Enter.
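The prestaging commands above create the object but leave the join delegation to the wizard, which (as the note under Prestaging a Computer Account says) grants more than a join needs. The following is an added example, not code from the courseware: it prestages the computer in its OU with New-ADComputer and then grants a group only the rights a join exercises (the same validated writes the dsacls lines earlier in this lesson name, plus Reset Password and Account Restrictions) on that one object. It assumes the ActiveDirectory module and its AD: drive; the computer name, OU and group are placeholders.

```powershell
# Added example (not from the courseware): prestage a computer account and
# delegate a least-privilege join to a group. Assumes the ActiveDirectory
# module and the AD: drive it provides; names below are placeholders.
Import-Module ActiveDirectory

function New-PrestagedComputer {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$OUPath,
        [Parameter(Mandatory=$true)][string]$JoinGroup   # e.g. 'CONTOSO\AD_Server_Deploy'
    )

    # 1. Create the object where it belongs, so it inherits the OU's delegation and GPOs.
    New-ADComputer -Name $Name -SamAccountName $Name -Path $OUPath -Enabled $true
    $computer = Get-ADComputer -Identity $Name

    # 2. Well-known schema GUIDs for the rights a domain join exercises.
    $resetPassword    = [Guid]'00299570-246d-11d0-a768-00aa006e0529' # Reset Password (extended right)
    $accountRestrict  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529' # Account Restrictions property set
    $validatedDnsName = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd' # Validated write to DNS host name
    $validatedSpn     = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1' # Validated write to SPN

    $identity = New-Object System.Security.Principal.NTAccount($JoinGroup)
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    $rules = @(
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $resetPassword)),
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty, $allow, $accountRestrict)),
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity,
            [System.DirectoryServices.ActiveDirectoryRights]::Self, $allow, $validatedDnsName)),
        (New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity,
            [System.DirectoryServices.ActiveDirectoryRights]::Self, $allow, $validatedSpn))
    )

    # 3. Apply the ACEs to this one computer object only (no OU-wide rights).
    $path = 'AD:\' + $computer.DistinguishedName
    $acl = Get-Acl -Path $path
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl
    return $computer
}

function Get-JoinDelegation {
    param([Parameter(Mandatory=$true)][string]$Name)
    # Review the explicit (non-inherited) ACEs actually present on the object.
    $dn = (Get-ADComputer -Identity $Name).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
}

# Usage (placeholder names, matching the FILE25 example earlier in the lesson):
New-PrestagedComputer -Name 'FILE25' -OUPath 'OU=File,OU=Servers,DC=contoso,DC=com' `
    -JoinGroup 'CONTOSO\AD_Server_Deploy' | Out-Null
Get-JoinDelegation -Name 'FILE25' | Format-Table -AutoSize
```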
    netdom add ComputerName /domain:DomainName [/ou:"OUDN"] [/UserD:DomainUsername /PasswordD:DomainPassword]
Using NetDom.exe
The NetDom.exe command allows you to join a computer to the domain from the command prompt. The basic syntax of the command is as follows.
    netdom join MachineName /Domain:DomainName [/OU:"OUDN"] [/UserD:DomainUsername] [/PasswordD:{DomainPassword|*}] [/UserO:LocalUsername] [/PasswordO:{LocalPassword|*}] [/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]
Third, NetDom.exe allows you to specify the OU for the computer object. The command's options are, for the most part, self-explanatory. /UserO and /PasswordO are credentials that are members of the workgroup computer's local Administrators group. Specifying * for the password causes NetDom.exe to prompt for the password at the command prompt. /UserD and /PasswordD are domain credentials with permission to create a computer object, if the account is not prestaged, or to join a computer to a prestaged account. The /reboot option causes the system to reboot after joining the domain. The default timeout is 30 seconds. The /SecurePasswordPrompt option displays a popup for credentials when * is specified for either /PasswordO or /PasswordD.

Note: If you want to use NetDom remotely, the Windows Firewall configuration on the computer that will be joined to the domain must allow Network Discovery and Remote Administration.
    Add-Computer -DomainOrWorkgroupName Contoso -OUPath OU=ClientComputers,DC=contoso,DC=com
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 6425C-NYC-DC1 and 6425C-NYC-DC2, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Log on by using the following credentials:
   User name: Pat.Coleman_Admin
   Password: Pa$$w0rd
   Domain: Contoso
5. Open Windows Explorer on 6425C-NYC-DC1 and then browse to D:\Labfiles\Lab05a.
6. Run Lab05a_Setup.bat with administrative credentials. Use the account Pat.Coleman_Admin, with the password, Pa$$w0rd.
7. The lab setup script runs. When it is complete, press any key to continue.
8. Close the Windows Explorer window, Lab05a.
9. In Hyper-V Manager, click 6425C-NYC-SVR2, and in the Actions pane, click Start.
10. In the Actions pane, click Connect. Wait until the virtual machine starts. Do not log on to NYC-SVR2 until directed to do so.
Lab Scenario
You are an administrator for Contoso, Ltd. During a security audit, it was identified that there is no control over the creation of new computer accounts: both clients and servers are being added to the domain with no assurance that process is being
4. Change the DNS Server configuration on the client to 10.0.0.10.

Question: Why might the join have succeeded if you had used the domain name contoso, instead of contoso.com? What might go wrong after the domain was successfully joined but with DNS incorrectly configured?

Answer: The use of the fully qualified name forced the name resolution process to use DNS, and because DNS failed, the domain join failed. The domain name, contoso, is a flat domain name that could be resolved through NetBIOS name resolution. Even though the domain join would be successful, the client would likely have problems locating domain controllers in other sites, and locating other resources in the domain. Performing the join with a fully qualified domain name ensures that DNS is functioning before joining the domain.
1. Join NYC-SVR2 to the domain. When prompted for domain credentials, enter the user name, Aaron.Painter, and the password, Pa$$w0rd.
3. Allow the system to restart.
1. On NYC-DC1, run Active Directory Users and Computers as an administrator, with the user name, Pat.Coleman_Admin, and the password, Pa$$w0rd.
2. Locate the NYC-SVR2 account.

Question: In which OU or container does the account exist?

Answer: The Computers container.
3. Restart the server.

Task 5: Delete the NYC-SVR2 account.

Question: On NYC-DC1, refresh the view of the Computers container and examine the NYC-SVR2 account. What is its status?

Answer: The status is Disabled.

Question: You were not prompted for domain credentials in Task 4, and yet a change was made to the domain: the computer account was reset and disabled. What credentials were used to do this? What credentials were used to change the workgroup/domain membership of NYC-SVR2?
Answer: This is a tricky question. Domain credentials with appropriate permissions are required to make a change to the domain, such as resetting and disabling a computer account, and credentials that are in the local Administrators group on the client are required to change the computer's workgroup/domain membership. You were logged on to NYC-SVR2 as the local Administrator, so you were able to change the computer's workgroup/domain membership. Normally, you would have been prompted for domain credentials, but it just so happens that the local Administrator account's user name, Administrator, and password, Pa$$w0rd, are identical to those of the domain Administrator account, which of course has permission to modify objects in the domain. Windows attempts to authenticate you behind the scenes, and only prompts you for domain credentials if that authentication fails. In this case, because of the similarity in credentials, you were actually authenticated as the domain's Administrator.
Delete the NYC-SVR2 computer object.
Result: In this exercise, you became familiar with typical legacy practices used to join computers to a domain.
1. On NYC-DC1, run a command prompt as an administrator with the user name, Pat.Coleman_Admin, and the password, Pa$$w0rd.
2. Use the RedirCmp command to redirect the default computers container to the NewComputers OU in the contoso.com domain.
1. Run the ADSI Edit console as an administrator with the user name, Pat.Coleman_Admin, and the password, Pa$$w0rd.
2. Connect to the domain and, in the properties of the domain, change the ms-DS-MachineAccountQuota to zero (0).
1. On NYC-DC1, run Active Directory Users and Computers as an administrator with the user name, Pat.Coleman_Admin, and the password, Pa$$w0rd.
2. In the Servers\File OU, create a new computer object for NYC-SVR2 and give the AD_Server_Deploy group permission to join the computer to the domain.
1. Run the command prompt as an administrator, with the user name, Aaron.Painter_Admin, and the password, Pa$$word.
    netdom join NYC-SVR2 /domain:contoso.com /UserO:Administrator /PasswordO:* /UserD:CONTOSO\Aaron.Painter_Admin /PasswordD:* /REBoot:5
6. Log off from NYC-SVR2.
Results: After completing this exercise, NYC-SVR2 will be joined to the domain with an account in the Servers\File OU.
Important: Do not shut down the virtual machines after you finish this lab because the settings you have configured here will be used in Lab B.
Objectives
After completing this lesson, you will be able to:
- Configure computer account properties.
- Move a computer between OUs.
- Recognize computer account problems.
- Reset a computer account.
- Rename a computer.
- Disable and enable a computer.
When you create a computer object by using Active Directory Users and Computers, you are prompted to configure only the most fundamental attributes, including the computer name and the delegation to join the computer to the domain. Computers have several properties that are not visible when you are creating the computer object; you should configure these properties as part of the process of staging the computer account.

Open a computer object's Properties dialog box to set its location and description, configure its group memberships and dial-in permissions, and link it to the user object of the user to whom the computer is assigned. The Operating System tab is read-only. The information will be blank until a computer has joined the domain using that account, at which time the client publishes the information to its account.
Several object classes in Active Directory support the managedBy attribute that is shown on the Managed By tab. This linked attribute creates a cross-reference to a user object. All other properties (the addresses and telephone numbers) are displayed directly from the user object. They are not stored as part of the computer object itself. Some organizations use the Managed By tab to link the computer to the primary user of the computer. Alternatively, you might choose to link the computer to a group that is responsible for the support of a computer. For example, this option might be attractive for computer accounts that represent servers.

On the Member Of tab of a computer's Properties dialog box, you can add the computer to groups. The ability to manage computers in groups is an important and often underutilized feature of Active Directory. A group to which computers belong can be used to assign resource access permissions to the computer, to filter the application of a GPO, or as a collection for a software management tool, such as Microsoft System Center Configuration Manager 2007.

As with users and groups, it is possible to select more than one computer object and subsequently manage or modify properties of all selected computers simultaneously.
Note: Content in the following section is specific to Windows Server 2008 R2.
    Set-ADComputer LON-SRV1 -ManagedBy 'CN=SQL Administrator01,OU=UserAccounts,OU=Managed,DC=contoso,DC=com'
Move a Computer
The DSMove command allows you to move a computer object or any other object. The syntax of DSMove is as follows.
    dsmove ObjectDN [-newname NewName] [-newparent ParentDN]
Computer accounts and the secure relationships between computers and their domain are robust. However, certain scenarios might arise in which a computer is no longer able to authenticate with the domain. Examples of such scenarios include the following:
- After reinstalling the operating system on a workstation, the workstation is unable to authenticate, even though the technician used the same computer name. Because the new installation generated a new SID and because the new computer does not know the computer account password in the domain, it does not belong to the domain and cannot authenticate to the domain.
- A computer is completely restored from backup and is unable to authenticate. It is likely that the computer changed its password with the domain after the backup operation. Computers change their passwords every 30 days, and Active Directory remembers the current and previous password. If the restore operation restored the computer with a significantly outdated password, the computer will not be able to authenticate.
- A computer's LSA secret gets out of synchronization with the password known by the domain. You can think of this as the computer forgetting its password, although it did not forget its password, it just disagrees with the domain over what the password really is. When this happens, the computer cannot authenticate and the secure channel cannot be created.
even though the computer has the same name, the account has a new SID, and all the group memberships of the previous computer object must be recreated.
ToresetthesecurechannelbyusingDSMod:
1. Type the following command.
dsmod computer "ComputerDN" -reset
2. Rejoin the computer to the domain, and then restart the computer.
To reset the secure channel by using NetDom: Type the following command.
netdom reset MachineName /Domain:DomainName /UserO:UserName /PasswordO:{Password|*}
NLTEST /SERVER:SERVERNAME /SC_RESET:DOMAIN\DOMAINCONTROLLER
nltest /server:NYC-SVR2 /sc_reset:CONTOSO\NYC-SVR2
Test-ComputerSecureChannel -Repair
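As an added example that is not part of the course text, the following script wraps the Test-ComputerSecureChannel approach shown above: it checks the secure channel on a member computer, repairs it in place only when the check fails, and verifies the result. The domain name and the log path are assumed values.

```powershell
# Added example (not from the course text): check a member computer's secure
# channel with Test-ComputerSecureChannel and repair it only if the check
# fails, logging each step. Run in an elevated Windows PowerShell session on
# the member computer. The domain name and log path are assumed values.
$Domain  = "contoso.com"
$LogPath = Join-Path $env:SystemRoot "Temp\SecureChannelRepair.log"

function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

# Step 1: test only. The cmdlet returns $true when the secure channel to a
# domain controller works and $false when it is broken.
if (Test-ComputerSecureChannel -ErrorAction SilentlyContinue) {
    Write-Log "Secure channel with $Domain is healthy; nothing to do."
    return
}
Write-Log "Secure channel with $Domain is broken; attempting in-place repair."

# Step 2: repair. -Repair resets the machine account password both in Active
# Directory and in the local LSA secret, so the computer object keeps its SID
# and group memberships (unlike removing and rejoining the computer). The
# credential must be allowed to reset the password on this computer object.
$cred = Get-Credential
$repaired = Test-ComputerSecureChannel -Repair -Credential $cred -ErrorAction SilentlyContinue
if (-not $repaired) {
    Write-Log "Repair failed. Check that the computer object exists, is enabled, and matches this computer's name."
    exit 1
}

# Step 3: confirm that the channel works after the repair.
if (Test-ComputerSecureChannel) {
    Write-Log "Repair succeeded; secure channel re-established."
} else {
    Write-Log "Channel still broken after repair; check DNS resolution of $Domain and the computer account state."
    exit 1
}
```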
Rename a Computer
are changed.
You can rename a computer correctly by logging on to the computer, either locally or with a Remote Desktop session.
1. Open System Properties from Control Panel.
2. In the Computer name, domain, and workgroup settings section, click Change Settings.
3. If you are prompted by User Account Control, click Continue.
4. Click the Computer Name tab.
5. Click the Change button.
6. Type the new name and click OK twice to close the dialog boxes.
7. Restart the computer to allow the change to take effect.
From the command prompt, you can use the NetDom command, with the following syntax.
netdom renamecomputer MachineName /NewName:NewName [/UserO:LocalUsername] [/PasswordO:{LocalPassword|*}] [/UserD:DomainUsername] [/PasswordD:{DomainPassword|*}] [/SecurePasswordPrompt] [/REBoot[:TimeInSeconds]]
In addition to specifying the machine to rename (MachineName) and the desired new name (NewName), you must have credentials that are a member of the local Administrators group on the computer and credentials that have permission to rename the domain computer object. By default, NetDom will use the credentials with which the command is run. You can specify credentials by using /UserO and /PasswordO for the credentials in the computer's local Administrators group, and /UserD and /PasswordD for the domain credentials with permission to rename the computer object. Specifying * for the password causes NetDom.exe to prompt for the password at the command prompt. The /SecurePasswordPrompt option displays a pop-up for credentials when * is specified for either /PasswordO or /PasswordD. After you rename a computer, you must reboot the computer. The /REBoot option causes the system to reboot after 30 seconds, unless otherwise specified by TimeInSeconds.

When you rename a computer, you can adversely affect services running on the computer. For example, Active Directory Certificate Services (AD CS) relies on the server's name. Be certain to consider the impact of renaming a computer before doing so. Do not use these methods to rename a domain controller.

Note: The content in the following section is specific to Windows Server 2008 R2.
Rename-Computer -NCN MyComputer
The second example shows how to change the name of a computer object named Server1 in the Managed Computers OU in the contoso.com domain.
Rename-ADObject "CN=fabrikamsrv1,OU=Managed Computers,DC=Fabrikam,DC=com" -NewName fabrikamsrv3
If a computer is taken offline or is not to be used for an extended period of time, you should consider disabling the account. This recommendation reflects the security principle that an identity store should allow authentication only of the minimum number of accounts required to achieve the goals of an organization. Disabling the account does not modify the computer's SID or group membership, so when the computer is brought back online, the account can be enabled.

To disable a computer in the Active Directory Users and Computers snap-in, right-click the computer, and then click Disable Account.

A disabled account appears with a down-arrow icon in the Active Directory Users and Computers snap-in, as shown here:
dsmod computer ComputerDN -disabled yes
dsmod computer ComputerDN -disabled no
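As an added example that is not part of the course text, the following Active Directory module script applies the principle above from the domain controller side: it lists enabled computer accounts whose machine password has not changed for an assumed 90 days and disables them, rather than deleting them, with -WhatIf so the list can be reviewed first. The OU path and the threshold are assumptions.

```powershell
# Added example (not part of the course text): list enabled computer accounts
# whose machine password has not changed for a long time and disable, rather
# than delete, them. Domain members rotate the password about every 30 days,
# so a much older PasswordLastSet usually means the device is offline or gone.
# Disabling keeps the SID and group memberships, so the account can simply be
# re-enabled if the device returns. Requires the Active Directory module; the
# OU and the 90-day threshold are assumptions for this example.
Import-Module ActiveDirectory

$SearchBase = "OU=Client Computers,DC=contoso,DC=com"
$StaleDays  = 90
$Cutoff     = (Get-Date).AddDays(-$StaleDays)

# Enabled -eq $true skips accounts that are already disabled; the Domain
# Controllers OU is excluded so a DC is never disabled by this script.
$stale = Get-ADComputer -SearchBase $SearchBase `
            -Filter { PasswordLastSet -lt $Cutoff -and Enabled -eq $true } `
            -Properties PasswordLastSet, OperatingSystem, MemberOf |
         Where-Object { $_.DistinguishedName -notlike "*,OU=Domain Controllers,*" }

# Report what would be disabled, including group memberships, because those
# are exactly what a delete-and-recreate would lose.
foreach ($c in $stale) {
    $groups = ($c.MemberOf | ForEach-Object { ($_ -split ",")[0] -replace "^CN=" }) -join "; "
    "{0,-16} last password change {1:yyyy-MM-dd}  OS: {2}  groups: {3}" -f `
        $c.Name, $c.PasswordLastSet, $c.OperatingSystem, $groups
}

# Save the list for the change record, then disable with -WhatIf. Remove
# -WhatIf after reviewing the list to apply the change.
$stale | Select-Object Name, PasswordLastSet, DistinguishedName |
    Export-Csv -Path (Join-Path $env:TEMP "stale-computers.csv") -NoTypeInformation
$stale | Disable-ADAccount -WhatIf
```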
You have learned that each computer account, like each user account, maintains a unique SID, which enables an administrator to grant permissions to computers. Also, like user accounts, computers can belong to groups. Therefore, it is important to understand the effect of deleting a computer account. When a computer account is deleted, its group memberships and SID are lost. If the deletion is accidental, and another computer account is created with the same name, it is nonetheless a new account, with a new SID. Group memberships must be re-established, and any permission assigned to the deleted computer must be reassigned to the new account. Delete computer objects only when you are certain that you no longer require those security-related attributes of the object.

To delete a computer account by using Active Directory Users and Computers,
The DSRm command allows you to delete a computer object from the command prompt. To delete a computer with DSRm, type the following command.
dsrm ObjectDN
Recycling Computers
If a computer account's group memberships and SID, and the permissions assigned to that SID, are important to the operations of a domain, you do not want to delete that account. So what would you do if a computer was replaced with a new system, with upgraded hardware? That is another scenario in which you would reset a computer account.

Resetting a computer account resets its password, but maintains all of the computer object's properties. With a reset password, the account becomes, in effect, available for use. Any computer can then join the domain using that account, including the upgraded system. In effect, you've recycled the computer account, assigning it to a new piece of hardware. You can even rename the account. The SID and group memberships remain the same.

As you learned earlier in this lesson, the Reset Account command is available in the context menu when you right-click a computer object. The DSMod command can also be used to reset a computer account, when you type dsmod computer "ComputerDN" -reset.
Lab Setup
The virtual machines should already be started and available after completing Lab A. However, if they are not, you should complete steps 1 to 3 and then step through exercises 1 to 3 in Lab A before continuing. You will be unable to successfully complete Lab B unless you have completed Lab A.
1. Start 6425C-NYC-DC1.
2. Log on to NYC-DC1 as Pat.Coleman.admin, with the password, Pa$$w0rd.
3. Start 6425C-NYC-SVR2. Do not log on until directed to do so.
Lab Scenario
You are an administrator for Contoso, Ltd. During a security audit, a number of computer accounts were discovered. Those computers no longer exist in the domain. You've been tasked with improving the management of computer accounts, and identifying the best practices for administering the entire lifecycle of a computer account.
1.
2.
3.
Method 1
1.
In the Client Computers\SEA OU, right-click LOT9179, and then click Add to a group.
2. Type APP_ and press Enter. The Multiple Items Found dialog box appears.
3. Click APP_Project, and then click OK. A message appears: The Add to Group operation was successfully completed.
4. Click OK.
Method 2
1. 2. 3. 4. 5.
6. Click Object Types.
7. 8.
9. Click OK.
Scott and Linda are relocating to the Vancouver office. You will move their computers to the new OU by using two different methods.
Method 1
1. 2.
3. Click Yes.
Method 2
4. Right-click LNO8538, and then click Move. The Move dialog box appears.
5. In the console tree, expand Client Computers, and then click VAN.
6. Click OK.
1. In the Client Computers\SEA OU, disable, and then enable the account for DEP6152.
2. Delete the account for DEP6152.
Result: In this exercise, you added computers to software management groups, moved a computer between OUs, and deleted a computer.
In the Client Computers\VAN OU, reset the account for LOT9179.
You could now join Scott's reinstalled computer to the domain.
1. Log on to NYC-SVR2 as Pat.Coleman, with the password, Pa$$w0rd. After the desktop appears, log off.
2. To "break" the secure channel, use Active Directory Users and Computers on NYC-DC1 to reset the account for NYC-SVR2.
3. Attempt to log on to NYC-SVR2 as Pat.Coleman, with the password, Pa$$w0rd.
memberships. Do not perform that step at this time.
Result: In this exercise, you resolved secure channel issues.
Objectives
After completing this lesson, you will be able to:
Describe Offline Domain Join.
Describe the process for performing an Offline Domain Join.
Perform an Offline Domain Join.
Note: The content in this lesson is specific to Windows Server 2008 R2.
of computers that are currently not connected to a network, or not located in the same place as domain controllers, you cannot complete the process unless you join the computers to a domain, and restart them once more after network connections are established.

Offline Domain Join is a new functionality in Windows Server 2008 R2 and Windows 7 that allows you to join a computer to a domain without actually being connected to the network where the domain controller resides. In fact, all preparation steps are performed on a domain controller and a computer while it is still offline. After it gets connected to a network, a trust relationship with the domain is established without any user intervention. No additional restart is necessary to complete the domain join. This helps reduce the time and effort required to complete a large-scale computer deployment in places such as data centers.

You can also benefit from the Offline Domain Join feature if you are deploying virtual machines. Offline Domain Join makes it possible for you to join the virtual machines to the domain when they initially start following the operating system installation. No additional restart is required to complete the domain join. This can significantly reduce the overall time required for wide-scale virtual machine deployments.

To perform an Offline Domain Join, you do not have to have domain controllers running on Windows Server 2008 R2. It is also not mandatory to have the domain or forest in the Windows Server 2008 functional mode. The only essential requirement for using this method is that the machine used for provisioning and the machine being provisioned must have Windows 7 or Windows Server 2008 R2.
Members of the Domain Admins group have these rights by default. If you are not a member of the Domain Admins group, a member of the Domain Admins group must delegate you the right to join computers to the domain by using Group Policy or by editing an ACL of the container where the computer account will be stored.

Djoin.exe should be run at an elevated command prompt to provision the computer account metadata. When you run the provisioning command, the computer account metadata is created in a .txt file that you specify as part of the command. After you run the provisioning command, you can either run Djoin.exe again to request the computer account metadata and insert it into the Windows directory of the destination computer, or you can save the computer account metadata in the Unattend.xml file and then specify the Unattend.xml file during an unattended operating system installation of the destination computer.
2. Run the djoin.exe /requestODJ command to insert the computer account metadata into the Windows directory of the destination computer, as follows.
djoin /requestODJ /loadfile desktop123.txt /windowspath %SystemRoot% /localos
3.
The switch /localos from the previous command is used only if you perform a djoin operation on the computer that you are joining to the domain. However, if during the provisioning process you are mounting system hard drives (virtual or physical) from the computers that you are provisioning, you should not use the /localos switch.

Note: Using deployment tools such as Windows System Image Manager, you can perform an unattended domain join during an operating system installation by providing information that is relevant to the domain join in an Unattend.xml file. Using the same Unattend.xml file, you can supply the information that is necessary for the computers that run Windows 7 and Windows Server 2008 R2 to perform an Offline Domain Join.

Question: What is the content of the text file that is created during a djoin provisioning process?
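As an added example that is not part of the course's own steps, the following script runs the djoin /provision step described above for a list of new computer names and records the outcome of each provisioning, which is the scenario of provisioning many computers at once. The domain, target OU, file paths and the CSV layout (one column named Name) are assumptions.

```powershell
# Added example (not the course's own steps): provision Offline Domain Join
# blobs for many new computers with djoin.exe and record each result.
# Run at an elevated prompt on a domain-joined machine as an account that may
# create computer objects in the target OU. The domain, OU, paths and the CSV
# layout (one column named Name) are assumptions for this example.
$Domain    = "contoso.com"
$TargetOU  = "OU=Client Computers,DC=contoso,DC=com"
$OutFolder = "C:\DJOIN\Blobs"
$ListFile  = "C:\DJOIN\new-computers.csv"

New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null
$names = Import-Csv -Path $ListFile | Select-Object -ExpandProperty Name

$results = foreach ($name in $names) {
    $blob = Join-Path $OutFolder "$name.txt"
    # /provision creates the computer object in AD and writes its account
    # metadata to /savefile. That file includes the machine account password,
    # so handle it like a credential and delete it once the join is done.
    $output = & djoin.exe /provision /domain $Domain /machine $name `
                  /machineou $TargetOU /savefile $blob 2>&1
    $saved = Test-Path -Path $blob
    [pscustomobject]@{
        Computer  = $name
        ExitCode  = $LASTEXITCODE
        BlobSaved = $saved
        # keep the last line djoin printed so failures are explained in the report
        Message   = ($output | Select-Object -Last 1) -as [string]
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path (Join-Path $OutFolder "provision-results.csv") -NoTypeInformation
# On each target computer the blob is then consumed with:
#   djoin /requestODJ /loadfile <blob> /windowspath %SystemRoot% /localos
```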
In this demonstration, your instructor will show you how to perform an Offline Domain Join.
Demonstration Steps
Provision a new computer account called NYC-CL2 in the contoso domain by using the djoin utility.
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 6425C-NYC-DC1 virtual machine is running.
3. Log on to 6425C-NYC-DC1 by using the following credentials:
User name: Pat.Coleman_Admin
Lab Scenario
You are an administrator for Contoso, Ltd. You must provision a large number of new computers in a short period of time. Not all computers can have network connectivity, so you have decided to leverage the Offline Domain Join functionality. In this lab, you will test this functionality on one virtual machine.
Task 1: Ensure that the client computer is not joined to the domain.
1. 2.
1.
2.
Open Active Directory Users and Computers and verify that the NYC-CL2 machine has been provisioned in the Computers container.
3.
On NYC-CL2, create a folder called C:\DJOIN. Use Windows Explorer and browse to \\NYC-DC1\C$.
4.
Copy NYC-CL2.txt to the C:\DJOIN folder.
5.
Open a Command Prompt using administrative privileges, type the following command, and then press Enter.
djoin /requestodj /loadfile C:\DJOIN\NYC-CL2.txt /windowspath %SystemRoot% /localos
6. 7.
Result: In this exercise, you joined the NYC-CL2 computer to the domain by using Offline Domain Join technology.
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click 6425C-NYC-DC1 in the Virtual Machines list, and then click
Review Questions
1. What is the main difference between the Computers container and an OU?
2. When should you reset a computer account? Why is it better to reset the computer account than to disjoin and rejoin it to the domain?
3. In an Offline Domain Join, what should you do after you provision a new computer account to the domain by using the djoin.exe utility?
Troubleshooting tip
Tools

Tool                                             Use for                                 Where to find it
Windows PowerShell with Active Directory Module  Computer account management             Administrative Tools
CSVDE, LDIFDE                                    Importing computer accounts in AD DS    Windows Server 2008 command prompt
Djoin.exe                                        Offline domain join                     Windows Server 2008 command prompt

Windows Server 2008 R2 feature                   Description
Windows PowerShell with Active Directory Module
Offline Domain Join