Module 5 - Managing Computer Accounts

07/06/13
Module 5: Managing Computer Accounts
Module5:ManagingComputerAccounts
Contents: Lesson1: LabA: Lesson2: LabB: Lesson3: LabC: CreateComputersandJointheDomain CreateComputersandJointheDomain AdministerComputerObjectsandAccounts AdministerComputerObjectsandAccounts OfflineDomainJoin PerformanOfflineDomainJoin
Module Overview
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=7&FontSize=3&FontType=segoe
1/99
07/06/13
Computersinadomainaresecurityprincipals,likeusers.Theyhaveanaccountwith alogonnameandpasswordthatWindowschangesautomaticallyevery30daysor so.Theyauthenticatewiththedomain.Theycanbelongtogroups,haveaccessto resources,andbeconfiguredbyGroupPolicy.Inaddition,likeusers,computers sometimeslosetrackoftheirpasswords,requireareset,orhaveaccountsthatneed tobedisabledorenabled. ManagingcomputersboththeobjectsinActiveDirectoryandthephysicaldevices isoneofthedaytodaytasksofmostITprofessionals.Newsystemsareaddedto yourorganization,computersaretakenofflineforrepairs,machinesareexchanged betweenusersorroles,andolderequipmentisretiredorupgraded,leadingtoan accessofreplacementsystems.Eachoftheseactivitiesrequiresmanagingtheidentity
https://skillpipe.courseware-marketplace.com/reader/Print/be1aba64-6bbe-4ff5-82e5-4d7e5b9d8ee0?ChapterNumber=7&FontSize=3&FontType=segoe 2/99
07/06/13
ofthecomputerrepresentedbyitsobject,oraccount,andActiveDirectory. Unfortunately,mostenterprisesdonotinvestthesamekindofcareandprocessin thecreationandmanagementofcomputeraccountsastheydoforuseraccounts, eventhoughbotharesecurityprincipals.Inthismodule,youwilllearnhowtocreate computerobjects,whichincludeattributesthatarerequiredfortheobjectstobe accounts.Youwilllearnhowtosupportcomputeraccountsthroughtheirlifecycle, includingconfiguring,troubleshooting,repairing,anddeprovisioningcomputer objects.Youwillalsodeepenyourunderstandingoftheprocessthroughwhicha computerjoinsadomain,sothatyoucanidentifyandavoidpotentialpointsof failure.Inthethirdlessonofthismodule,youwillbeintroducedtoanewfeatureof WindowsServer2008R2ActiveDirectory,calledOfflineDomainJoin.Thisfeature enablesadministratorstojoincomputerstoadomainevenifthecomputersdonot haveaconnectiontothecorporatenetwork.
Objectives
Aftercompletingthismodule,youwillbeableto: Createcomputeraccountsandjointhemtoadomain. AdministercomputerobjectsandaccountsbyusingtheWindowsInterfaceand commandlinetools. DescribeandperformtheOfflineDomainJoinprocess.
07/06/13
Lesson 1: Create Computers and Join the Domain
ThedefaultconfigurationofWindowsServer2008andofallotherversionsof Windowsserverandclientoperatingsystemsisthatthecomputerbelongstoa workgroup.Beforeyoucanlogontoacomputerwithadomainaccount,that computermustbelongtothedomain.Tojointhedomain,thecomputermusthave anaccountinthedomain,which,likeauseraccount,includesalogonname(the sAMAccountNameattribute),apassword,andasecurityidentifier(SID)thatuniquely representsthecomputerasasecurityprincipalinthedomain.Thosecredentialsallow thecomputertoauthenticateagainstthedomainandtocreateasecurerelationship thatthenallowsuserstologontothesystemwithdomainaccounts.Inthislesson,

07/06/13
youwilllearnthestepstopreparethedomainforanewcomputeraccount,andyou willexploretheprocessthroughwhichacomputerjoinsthedomain.
Objectives
Aftercompletingthislesson,youwillbeableto: Understandtherelationshipbetweenadomainmemberandthedomain,interms ofidentityandaccess. Identifytherequirementsforjoiningacomputertothedomain. Prestageacomputeraccount. Joinacomputertothedomain. Redirectthedefaultcomputercontainer. Preventnonadministrativeusersfromcreatingcomputersandjoiningthedomain. Usecommandlinetoolstoimport,create,andjoincomputers.
Workgroups, Domains, and Trusts
5/99
07/06/13
Inaworkgroup,eachsystemmaintainsanidentitystoreofuserandgroupaccounts againstwhichuserscanbeauthenticatedandaccesscanbegin.Thelocalidentity storeoneachcomputeriscalledtheSecurityAccountsManager(SAM)database.Ifa userlogsontoaworkgroupmachine,thesystemauthenticatestheuseragainstits localSAMdatabase.Ifauserconnectstoanothersystemtoaccessasharedfolder, theuserisreauthenticatedagainsttheidentitystoreoftheremotesystemandwill probablybepromptedtoenteranewsetofcredentialsfortheremotesystem.From asecurityperspective,aworkgroupcomputeris,forallintentsandpurposes,astand alonesystem. Whenacomputerjoinsadomain,itdelegatesthetaskofauthenticatinguserstothe domain.AlthoughthecomputercontinuestomaintainitsSAMdatabasetosupport
07/06/13
localuserandgroupaccounts,useraccountswilltypicallybecreatedinthecentral domaindirectory.Whenauserlogsontothecomputerwithadomainaccount,the userisauthenticatedbyadomaincontroller,ratherthanbytheSAM.Inotherwords, thecomputernowtrustsanotherauthoritytovalidateauser'sidentity.Trust relationshipsaregenerallydiscussedinthecontextoftwodomains,asyouwilllearn inanothermodule,butthereisalsoatrustbetweeneachdomainmembercomputer anditsdomainthatisestablishedwhenthecomputerjoinsthedomain.Becauseall domainmembercomputerstrustthedomain,theyalsotrusteachaccountthatis authenticatedbythatdomain.ThisallowsuserswithanaccountinActiveDirectoryto accessresourcesonvariousserverswithonlyonesetofcredentials.
Requirements for Joining a Computer to the Domain
7/99
07/06/13
ThreeconditionsarerequiredforyoutojoinacomputertoanActiveDirectory domain: Acomputerobjectshouldbecreatedinthedirectoryservice. Youmusthaveappropriatepermissionstothecomputerobject.Thepermissions allowyoutojoinacomputerwiththesamenameastheobjecttothedomain. YoumustbeamemberofthelocalAdministratorsgrouponthecomputerto changeitsdomainorworkgroupmembership.
Theremainderofthislessonexamineseachoftheserequirements. NoteItisnotmandatorytocreateacomputerobjectinthedirectoryservice, butitishighlyrecommended.However,manyadministratorsjoincomputers toadomainwithoutfirstcreatingacomputerobject.Whenyoudothis, Windowsattemptstojointhedomaintoanexistingobject.WhenWindows doesnotfindtheobject,itfailsbackandcreatesacomputerobjectinthe defaultcomputercontainer.Thestepofcreatingacomputerobject,eitherby anadministratorbeforethejoinorbyWindowsduringthejoin,isnecessary beforethecomputercanjointhedomain.Itisstillarequirement.Itusesa differentsetofpermissionsinActiveDirectory(yourpermissiontocreatea computerobject)thanthejoinitself,andifyoudonothappentohave permissionstocreatecomputerobjectsinthedefaultcomputercontainer,the joinwillfail.Thebottomlineisthatitisarequirementforthecomputerobject toexistpriortothejoin,butWindowshelpsmeetthatrequirement
07/06/13
automatically.
The Computers Container and Organizational Units
Beforeyoucreateacomputerobjectinthedirectoryservice,youmusthaveaplace toputit.
The Default Computers Container

Whenyoucreateadomain,theComputerscontaineriscreatedbydefault (CN=Computers).Thiscontainerisnotanorganizationalunit(OU)itisanobjectof theContainerclass.Therearesubtlebutimportantdifferencesbetweenacontainer
07/06/13
andanOU.YoucannotcreateanOUwithinacontainer,soyoucannotsubdividethe ComputersOUandyoucannotlinkaGroupPolicyobjecttoacontainer.Therefore, wehighlyrecommendthatyoucreatecustomOUstohostcomputerobjects,instead ofusingtheComputerscontainer.
OUs for Computers

MostorganizationscreateatleasttwoOUsforcomputerobjects:onetohost computeraccountsforclientcomputersdesktops,laptops,andotherusersystems andanotherforservers.ThesetwoOUsareinadditiontotheDomainControllersOU createdbydefaultduringtheinstallationofActiveDirectory.IneachoftheseOUs, computerobjectsarecreated.Thereisnotechnicaldifferencebetweenacomputer objectinaclient'sOUandacomputerobjectinaserver'sordomaincontroller'sOU: computerobjectsarecomputerobjects.However,separateOUsaretypicallycreated toprovideuniquescopesofmanagement,sothatyoucandelegatemanagementof clientobjectstooneteamandmanagementofserverobjectstoanother. Youradministrativemodelmightnecessitatefurtherdividingyourclientandserver OUs.ManyorganizationscreatesubOUsbeneathaserverOUtocollectandmanage specifictypesofserversforexample,anOUforfileandprintserversandanOUfor databaseservers.Bydoingso,theteamofadministratorsforeachtypeofservercan bedelegatedpermissionstomanagecomputerobjectsintheappropriateOU. Similarly,geographicallydistributedorganizationswithlocaldesktopsupportteams oftendivideaparentOUforclientsintosubOUsforeachsite.Thisapproachenables eachsitessupportteamtocreatecomputerobjectsinthesiteforclientcomputers,
07/06/13
andjoincomputerstothedomainusingthosecomputerobjects.Thisisanexample only.WhatismostimportantisthatyourOUstructurereflectsyouradministrative modelsothatyourOUsprovidesinglepointsofmanagementforthedelegationof administration. Additionally,separateOUsallowyoutocreatedifferentbaselineconfigurationsusing differentGroupPolicyobjects(GPOs)linkedtotheclientandtheserverOUs.Group Policy,discussedindetailinanothermodule,allowsyoutospecifyconfigurationfor collectionsofcomputersbylinkingGPOsthatcontainconfigurationinstructionsto OUs.ItiscommonfororganizationstoseparateclientsintodesktopandlaptopOUs. GPOsspecifyingdesktoporlaptopconfigurationcanthenbelinkedtoappropriate OUs. Ifyourorganizationhasdecentralized,sitebasedadministrationandwantsto manageuniqueconfigurationsfordesktopsandlaptops,youfaceadesigndilemma. ShouldyoudivideyourclientsOUbasedonadministrationandthensubdivide desktopsandlaptops,orshouldyoudivideyourclientsOUintodesktopandlaptop OUs,andthensubdividebasedonadministration?Theoptionsareillustratedas follows. BecausetheprimarydesigndriverforActiveDirectoryOUsistheefficientdelegation ofadministrationthroughtheinheritanceofaccesscontrollists(ACLs)onOUs,the designontheleftwouldberecommended.
11/99
07/06/13
Delegating Permission to Create Computers

Bydefault,theEnterpriseAdmins,DomainAdmins,Administrators,andAccount OperatorsgroupshavepermissiontocreatecomputerobjectsinanynewOU. However,asdiscussedinthemoduleaboutgroups,werecommendthatyoutightly restrictmembershipinthefirstthreegroups,andthatyoudonotaddadministrators totheAccountOperatorsgroup. Instead,youshoulddelegatethepermissiontocreatecomputerobjectsto appropriateadministratorsorsupportpersonnel.Thepermissionrequiredtocreatea computerobjectisCreateComputerObjects.Thispermission,assignedtoagroupfor anOU,allowsmembersofthegrouptocreatecomputerobjectsinthatOU.For example,youmightallowyourdesktopsupportteamtocreatecomputerobjectsin theclientsOU,andallowyourfileserveradministratorstocreatecomputerobjectsin thefileserversOU. Thepermissionsrequiredtoperformcomputermanagementtasksarelistedinthe topic,"SecureComputerCreationandJoins."Module8detailstheprocessof delegation.
Prestage a Computer Account
12/99
07/06/13
YoucanandshouldcreateacomputeraccountinthecorrectOUbeforejoiningthe computertothedomain.Thisprocessofcreatingacomputeraccountinadvanceis calledprestagingacomputer. Afteryouhavebeengivenpermissiontocreatecomputerobjects,youcandosoby rightclickingtheOUandchoosingComputerfromtheNewmenu.TheNewObject Computerdialogbox,shownbelow,appears:
13/99
07/06/13
Enterthecomputername,followingthenamingconventionofyourenterprise,and selecttheuserorgroupthatwillbeallowedtojointhecomputertothedomainwith thisaccount.ThetwocomputernamesComputerNameandComputerName(Pre Windows2000)shouldbethesame:Thereisveryrarely,ifever,ajustificationfor configuringthemseparately. NoteThepermissionsthatareappliedtotheuserorgroupyouselectinthe wizardaremorethannecessarysimplytojoinacomputertothedomain.The selecteduserorgroupisalsogiventheabilitytomodifythecomputerobject inotherways.Forguidanceregardingaleastprivilegeapproachtodelegating permissiontojoinacomputertothedomain,seeWindowsAdministration ResourceKit:ProductivitySolutionsforITProfessionalsbyDanHolme (MicrosoftPress,2008).
Theprocessyoucompletetocreateacomputeraccountbeforejoiningthecomputer
07/06/13
tothedomainiscalledprestagingtheaccount. Therearetwomajoradvantagesofprestagingacomputer: TheaccountisinthecorrectOUandisthereforedelegatedaccordingtothe securitypolicydefinedbytheaccesscontrollist(ACL)oftheOU. ThecomputeriswithinthescopeofGPOslinkedtotheOU,beforethecomputer joinsthedomain.
Join a Computer to the Domain
15/99
07/06/13
Byprestagingthecomputerobject,youfulfillthefirsttworequirementsforjoininga computertoadomain:thecomputerobjectexists,andyouhavespecifiedwhohas permissionstojoinacomputerwiththesamenametothedomain.Now,alocal administratorofthecomputercanchangethecomputersdomainmembershipand enterthespecifieddomaincredentialstosuccessfullycompletetheprocess. Tojoinacomputertothedomain,performthefollowingsteps: 1. LogontothecomputerwithcredentialsthatbelongtothelocalAdministrators grouponthecomputer. Onlylocaladministratorscanalterthedomainorworkgroupmembershipofa computer. 2. OpentheSystemPropertiesdialogboxbyusingoneofthefollowingmethods:
InWindowsXP,WindowsServer2003: OpentheSystempropertiesdialogboxbydoingoneofthefollowing: RightclickMyComputer,andthenclickProperties. PressWindowsLogo+Pause.
16/99
07/06/13
InWindowsVista,Windows7,WindowsServer2008,andWindowsServer2008 R2: a. OpentheSystempropertiesdialogboxbydoingoneofthefollowing: RightclickComputer,andthenclickProperties. PressWindowsLogo+Pause. b. IntheComputername,domain,andworkgroupsettingssection,click ChangeSettings. c. IfpromptedbyUserAccountControl,clickContinueorenteradministrative credentialsasappropriate.
3. 4. 5. 6.
ClicktheComputerNametab. ClickChange. UnderMemberOf,clickDomain. Typethenameofthedomainyouwanttojoin.
NoteUsethefullDNSnameofthedomain.Notonlyisthismore accurateandmorelikelytosucceed,butifitdoesnotsucceed,it indicatesthattherecouldbeaproblemwithDNSnameresolutionthat shouldberectifiedbeforejoiningthemachinetothedomain.

07/06/13
7. 8.
ClickOK. Windowspromptsforthecredentialsofyouruseraccountinthedomain. Thedomaincheckstoseeifacomputerobjectalreadyexistswiththenameof thecomputer.Oneofthefollowingthreethingshappens: Iftheobjectexistsandacomputerwiththatnamehasalreadyjoinedthe domain,anerrorisreturned,andyoucannotjointhecomputertothedomain. Iftheobjectexistsanditisprestagedacomputerwiththesamenamehas notjoinedthedomainthedomainconfirmsthatthedomaincredentialsyou enteredhavepermissiontojointhedomainusingthataccount.These permissionswerediscussedinthesection,PrestagingaComputerAccount. Ifthecomputeraccountisnotprestaged,Windowscheckstoseeifyouhave permissionstocreateanewcomputerobjectinthedefaultcomputer container.Ifyoudohavepermissionstocreateanewcomputerobjectinthe defaultcomputercontainer,theobjectiscreatedwiththenameofthe computer.Thismethodofjoiningadomainissupportedforbackwards compatibility,butisnotrecommended.Werecommendthatyouprestagethe accountasindicatedearlier,andasdetailedinthenextsection,Secure ComputerCreationandJoins.
18/99
07/06/13
ThecomputerthenjoinsthedomainbyassumingtheidentityofitsActiveDirectory object.ItconfiguresitsSIDtomatchthedomaincomputeraccountsSIDandsetsan initialpasswordwiththedomain.Thecomputerthenperformsothertasksrelatedto joiningthedomain.ItaddstheDomainAdminsgrouptothelocalAdministrators groupandtheDomainUsersgrouptothelocalUsersgroup. 9. Youarepromptedtorestartthecomputer.ClickOKtoclosethismessagebox.
10. ClickClose(inWindowsVista)orOK(inWindowsXP)toclosetheSystem Propertiesdialogbox. 11. Youarepromptedagaintorestartthecomputer,afterwhichthesystemisfullya memberofthedomain,andyoucanlogonbyusingdomaincredentials.
Secure Computer Creation and Joins
19/99
07/06/13
Creatingcomputeraccountsandjoiningcomputerstoadomainaresecuritysensitive operations. Therefore,itisveryimportantthatthesestepsareassecureaspossible.
Prestage Computer Objects

Thebestpracticeistoprestageacomputeraccountpriortojoiningthemachineto thedomain.However,Windowsallowsyoutojoinacomputertoadomainwithout followingthisbestpractice.Youcanlogontoaworkgroupcomputerasalocal administratorandchangethecomputermembershiptothedomain.Ondemand, Windowscreatesacomputerobjectinthedefaultcomputercontainer,givesyou
07/06/13
permissiontojoinacomputertothatobject,andthenproceedstojointhesystemto thedomain. TherearethreeproblemswiththisWindowsprocess: First,thecomputeraccountcreatedautomaticallybyWindowsisplacedinthe defaultcomputercontainer,whichisnotwherethecomputerobjectbelongsin mostenterprises. Second,youmustmovethecomputerfromthedefaultcomputercontainerintothe correctOU,whichisanextrastepthatisoftenforgotten. Third,anydomainusercanalsodothisnodomainleveladministrative permissionsarerequired.Anyusercanjoinanycomputertothedomainifyou don'tmanageandsecuretheprocess.Becauseacomputerobjectisasecurity principal,andbecausethecreatorofacomputerobjectownstheobjectandcan changeitsattributes,thisexposesapotentialsecurityvulnerability.Thenext sectionsdetailthesedisadvantages.
Configuring the Default Computer Container

Whenyoujoinacomputertothedomainandthecomputerobjectdoesnotalready existinActiveDirectory,Windowsautomaticallycreatesacomputeraccountinthe defaultcomputercontainer,whichiscalled,Computers(CN=Computers,DC=domain) bydefault.TheproblemwiththisrelatestothediscussionofOUdesignearlierinthe
07/06/13
lesson.Ifyouhaveimplementedthebestpracticesdescribedthere,youhave delegatedpermissionstoadministercomputerobjectsinspecificOUsforclientsand servers.Additionally,youmighthavelinkedGPOstothoseOUstomanagethe configurationofthesecomputerobjects.Ifanewcomputerobjectiscreatedoutside ofthoseOUs,inthedefaultcomputercontainer,thepermissionsandconfigurationit inheritsfromitsparentcontainerwillbedifferentthanwhatitshouldhavereceived. Youwillthenneedtoremembertomovethecomputerfromthedefaultcontainerto thecorrectOUafterjoiningthedomain. Therearetworecommendedstepstoreducethelikelihoodofthisproblem.First,you shouldattempttoalwaysprestagecomputeraccounts.Ifanaccountisprestagedfor acomputerinthecorrectOU,whenthecomputerjoinsthedomain,itwillusethe existingaccountandwillbesubjecttothecorrectdelegationandconfiguration. Second,toreducetheimpactofsystemsbeingjoinedtothedomainwithouta prestagedaccount,youshouldchangethedefaultcomputercontainersothatitisnot theComputerscontaineritself,butinsteadisanOUthatissubjecttoappropriate delegationandconfiguration.Forexample,ifyouhaveanOUcalledNewClients,you caninstructWindowstousethatOUasthedefaultcomputercontainer,sothatif computersarejoinedtothedomainwithoutprestagedaccounts,theobjectsare createdintheNewClientsOU. Theredircmp.execommandisusedtoredirectthedefaultcomputercontainerwith thefollowingsyntax.
07/06/13
r e d i r c m p" D No fO Uf o rn e wc o m p u t e ro b j e c t s "
Now,ifacomputerjoinsthedomainwithoutaprestagedcomputeraccount,Windows createsthecomputerobjectinthespecifiedorganizationalunit.OnthisOU,youcan applysomebaselineGPOsettingsthataffectallcomputersinthedomain. NoteThesameconceptsapplytothecreationofuseraccounts.Bydefault,if auseraccountiscreatedbyusingalegacypracticethatdoesnotspecifythe OUfortheaccount,theobjectiscreatedinthedefaultusercontainer (CN=Users,DC=domain,bydefault).Theredirusr.execommandcanbeused toredirectthedefaultcontainertoanactualOUthatisdelegatedand configuredappropriately.Redirusr,likeredircmp,takesasingleoption:the distinguishedname(DN)oftheOUthatwillbecomethedefaultuser container.
Restricting the Ability of Users to Create Computers

Whenacomputeraccountisprestaged,thepermissionsontheaccountdetermine whoisallowedtojointhatcomputertothedomain.Whenanaccountisnot prestaged,Windowswill,bydefault,allowanyauthenticatedusertocreatea computerobjectinthedefaultcomputercontainer.Infact,Windowswillallowany authenticatedusertocreate10computerobjectsinthedefaultcomputercontainer. Thecreatorofacomputerobject,bydefault,haspermissiontojointhatcomputerto thedomain.Itisthroughthismechanismthatanyauthenticatedusercanjoin10
07/06/13
computerstothedomainwithoutanyexplicitpermissiontodoso. The10computerquotaisconfiguredbythemsDSMachineAccountQuotaattribute ofthedomain.Itallowsanyauthenticatedusertojoinamachinetothedomain,no questionsasked.Thisisproblematicfromasecurityperspectivebecausecomputers aresecurityprincipals,andthecreatorofasecurityprincipalhaspermissionto managethatcomputersproperties.Inaway,thequotaislikeallowinganydomain usertocreate10useraccounts,withoutanycontrols. Wehighlyrecommendthatyouclosethisloophole,sothatnonadministrativeusers cannotjoinmachinestothedomain.TochangethemsDSMachineAccountQuota attribute,performthefollowingsteps: 1. 2. 3. OpentheADSIEditMMCconsolefromtheAdministrativeToolsfolder. RightclickADSIEdit,andthenclickConnectTo. IntheConnectionPointsection,clickSelectAWellKnownNaming Context,andthenselectDefaultNamingContextfromthedropdownlist. 4. 5. 6. ClickOK. Intheconsoletree,expandDefaultNamingContext. Rightclickthedomainfolderdc=contoso,dc=com,forexampleandthen clickProperties.
07/06/13
7. 8. 9.
ClickmsDSMachineAccountQuota,andthenclickEdit. Type0. ClickOK.
TheAuthenticatedUsersgroupisalsoassignedtheuserrighttoaddworkstationsto thedomain,butyoudonothavetomodifythisrightifyouhavechangedthedefault valueofthemsDSMachineAccountQuotaattribute. AfteryouhavechangedthemsDSMachineAccountQuotaattributeto0,youcanbe assuredthattheonlyuserswhocanjoincomputerstothedomainarethosewho havebeenspecificallydelegatedpermissiontojoinprestagedcomputerobjectsorto createnewcomputerobjects. Afteryouveeliminatedthisloophole,youmustensureyouhavegivenappropriate administratorsexplicitpermissiontocreatecomputerobjectsinthecorrectOUs,as describedinthe"DelegatingPermissiontoCreateComputers"section,otherwisethe followingerrormessagewillappear.
25/99
07/06/13
Delegating Computer Management

Thefourthtasktoimprovethesecurityofcomputeraccountsistodelegatecomputer managementtasksattheOUlevel.DelegationisdiscussedinModule8.The followingdsaclscommandscanbeusedtodelegatecomputermanagementtasks: Createacomputer.
d s a c l s" D No fO U "/ I : T/ G" D O M A I N \ g r o u p " : C C ; c o m p u t e r
Deleteacomputer.
d s a c l s" D No fO U "/ I : T/ G" D O M A I N \ g r o u p " : D C ; c o m p u t e r
Joinacomputertothedomain.
26/99
07/06/13
d s a c l s" D No fO U "/ I : S/ G" D O M A I N \ g r o u p " :" V a l i d a t e dw r i t et oD N S h o s tn a m e " ; c o m p u t e rd s a c l s" D No fO U "/ I : S/ G" D O M A I N \ g r o u p " : " V a l i d a t e dw r i t et os e r v i c ep r i n c i p a ln a m e " ; c o m p u t e rd s a c l s" D N
o fO U "/ I : S/ G" D O M A I N \ g r o u p " :C A ; R e s e tP a s s w o r d ; c o m p u t e rd s a c l s

" D No fO U "/ I : S/ G" D O M A I N \ g r o u p " :W P ; A c c o u n t R e s t r i c t i o n s ; c o m p u t e r
Theprecedingfourcommandsshouldbeenteredatthecommandpromptwithno spaceafterthecolon. Moveacomputer. RequirespermissionstodeletecomputersinthesourceOUandcreatecomputers inthedestinationOU.Eventhoughamovedoesnotactuallydeleteorcreatethe account,thisisthepermissionthatisusedbytheAccessCheck. Question:Whattwofactorsdeterminewhetheryoucanjoinacomputer accounttothedomain?
Automate Computer Account Creation
27/99
07/06/13
Thestepsyouhavelearnedforcreatingacomputeraccountbecomeburdensomeif youaretaskedwithcreatingdozensorevenhundredsofcomputeraccountsatthe sametime.CommandssuchasCommaSeparatedValueDirectoryExchange(CSVDE), LightweightDirectoryAccessProtocol(LDAP)DataInterchangeFormatDirectory Exchange(LDIFDE),andDSAddcanimportandautomatethecreationofcomputer objects.Scriptscanalsoallowyoutoprovisioncomputerobjects,thatis,toperform businesslogicsuchastheenforcementofcomputernamingconventions.Also,ifyou areusingWindowsServer2008R2,youcanuseWindowsPowerShellwithActive DirectoryModuletoautomatethecreationofcomputeraccounts.
Import Computers with CSVDE

07/06/13
CSVDEisacommandlinetoolthatimportsorexportsActiveDirectoryobjectsfrom ortoacommadelimitedtextfile(alsoknownasacommaseparatedvaluetextfile, or.csvfile).ThebasicsyntaxoftheCSVDEcommandis.
c s v d e[ i ][ f" F i l e n a m e " ][ k ]
Theioptionspecifiesimportmodewithoutit,thedefaultmodeofCSVDEisexport. Thefoptionidentifiesthefilenametoimportfromorexportto.Thekoptionis usefulduringimportoperations,becauseitinstructsCSVDEtoignoreerrors,including objectalreadyexists,constraintviolation,andattributeorvaluealreadyexists.

07/06/13
Commadelimitedfilescanbecreated,modified,andopenedwithtoolsasfamiliaras NotepadandMicrosoftOfficeExcel.Thefirstlineofthefiledefinestheattributes bytheirLDAPattributenames.Eachobjectfollows,oneperline,andmustcontain exactlytheattributeslistedonthefirstline.AsamplefileisshowninExcelasfollows.
Whenimportingcomputers,besuretoincludetheuserAccountControlattribute,and setitto4096.Thisattributeensuresthatthecomputerwillbeabletojointhe account.AlsoincludethepreWindows2000logonnameofthecomputer,the sAMAccountNameattribute,whichisthenameofthecomputerfollowedbyadollar sign($),asshownintheprecedingsample.
Import Computers with LDIFDE
30/99
07/06/13
LDIFDE.exeimportsdatafromfilesintheLDAPDataInterchangeFormat(LDIF) format.LDIFfilesaretextfileswithinwhichoperationsarespecifiedbyablockof linesseparatedbyablankline.EachoperationbeginswiththeDNattributeofthe objectthatisthetargetoftheoperation.Thenextline,changeType,specifiesthe typeofoperation:add,modify,ordelete. ThefollowinglistingisanLDIFfilethatwillcreateacomputeraccountintheServers OU.
d n :C N = F I L E 2 5 , O U = F i l e , O U = S e r v e r s , D C = c o n t o s o , D C = c o mc h a n g e t y p e : a d do b j e c t C l a s s :t o po b j e c t C l a s s :p e r s o no b j e c t C l a s s :
07/06/13
o r g a n i z a t i o n a l P e r s o no b j e c t C l a s s :u s e ro b j e c t C l a s s :c o m p u t e rc n : F I L E 2 5u s e r A c c o u n t C o n t r o l :4 0 9 6s A M A c c o u n t N a m e :F I L E 2 5 $
ThebasicsyntaxoftheLDIFDEcommandissimilartothatoftheCSVDEcommand.
l d i f d e[ i ][ f" F i l e n a m e " ][ k ]
Bydefault,LDIFDEisinexportmode.Theioptionspecifiestheimportmode.You mustspecifyftoidentifythefileyouareusingforimportorexport.LDIFDEwill stopwhenitencounterserrors,unlessyouspecifythekoption,inwhichcase, LDIFDEcontinuesprocessing.
Create Computer Accounts with DSAdd and PowerShell
32/99
07/06/13
TheDSAddcommandisusedtocreateobjectsinActiveDirectory.Tocreate computerobjects,simplytypethefollowingcommand.
d s a d dc o m p u t e rC o m p u t e r D N
whereComputerDNisthedistinguishedname(DN)ofthecomputer,suchas CN=DESKTOP123,OU=NYC,OU=ClientComputers,DC=contoso,DC=com. IfthecomputersDNincludesaspace,surroundtheentireDNwithquotationmarks.
33/99
07/06/13
TheDSAddComputercommandcantakethefollowingoptionsaftertheDNoption: samidComputerName descDescription locLocation
NoteContentinthefollowingsectionisspecifictoWindowsServer2008 R2.
YoucanalsousetheActiveDirectorymoduleforWindowsPowerShelltocreatea computeraccountinADDS.Thefollowingexampledemonstrateshowtocreatea newcomputer,DESKTOP123,intheClientComputersOUinthecontoso.com domain.
N e w A D C o m p u t e rS a m A c c o u n t N a m eD E S K T O P 1 2 3 P a t h O U = C l i e n t C o m p u t e r s , D C = c o n t o s o , D C = c o m '
ForafullexplanationoftheparametersthatyoucanpasstoNewADComputer,at theActiveDirectorymodulecommandprompt,typeGetHelpNewADComputer
07/06/13
detailed,andthenpressEnter.
Create and Join Computers with NetDom and PowerShell
TheNetDomcommandisalsoabletoperformavarietyofdomainaccountand securitytasksfromthecommandprompt.YoucanalsouseNetDomtocreatea computeraccount,bytypingthefollowingcommand.
n e t d o ma d dC o m p u t e r N a m e/ d o m a i n : D o m a i n N a m e[ / o u : " O U D N " ] [ / U s e r D : D o m a i n U s e r n a m e/ P a s s w o r d D : D o m a i n P a s s w o r d ]
35/99
07/06/13
ThiscommandcreatesthecomputeraccountforComputerNameinthedomain indicatedbythe/domainoption,usingthecredentialsspecifiedby/UserDand /PasswordD.The/ouoptioncausestheobjecttobecreatedintheOUspecifiedby theorganizationalunitdistinguishedname(OUDN)followingtheoption.IfnoOUDN issupplied,thecomputeraccountiscreatedinthedefaultcomputercontainer.The usercredentialsmust,ofcourse,havepermissionstocreatecomputerobjects.
Using NetDom.exe
TheNetDom.execommandallowsyoutojoinacomputertothedomainfromthe commandprompt.Thebasicsyntaxofthecommandisasfollows.
n e t d o mj o i nM a c h i n e N a m e/ D o m a i n : D o m a i n N a m e[ / O U : " O U D N " ] [ / U s e r D : D o m a i n U s e r n a m e ][ / P a s s w o r d D : { D o m a i n P a s s w o r d | * }] [ / U s e r O : L o c a l U s e r n a m e ][ / P a s s w o r d O : { L o c a l P a s s w o r d | * }] [ / S e c u r e P a s s w o r d P r o m p t ][ / R E B o o t [ : T i m e I n S e c o n d s ] ]
Itcanbeusefultojoinamachinetoadomainfromthecommandprompt.Thefirst reasonthisisusefulisbecausethejoincanbeincludedinascriptthatperforms otheractions.Forexample,youcouldcreateabatchfilethatcreatesthecomputer accountbyusingNetDomorDSAddthelatterofwhichallowsyoutospecifyother attributes,includingdescriptionandthenjoinsthemachinetothataccountbyusing NetDom.Second,NetDom.execanbeusedtoremotelyjoinamachinetothedomain.

07/06/13
Third,NetDom.exeallowsyoutospecifytheOUforthecomputerobject.The commandsoptionsare,forthemostpart,selfexplanatory./UserOand/PasswordO arecredentialsthataremembersoftheworkgroupcomputerslocalAdministrators group.Specifying*forthepasswordcausesNetDom.exetopromptforthepassword atthecommandprompt./UserDand/PasswordDaredomaincredentialswith permissiontocreateacomputerobject,iftheaccountisnotprestaged,ortojoina computertoaprestagedaccount.The/rebootoptioncausesthesystemtoreboot afterjoiningthedomain.Thedefaulttimeoutis30seconds.The /SecurePasswordPromptoptiondisplaysapopupforcredentialswhen*isspecified foreither/PasswordOor/PasswordD. NoteIfyouwanttouseNetDomremotely,theWindowsFirewall configurationonthecomputerthatwillbejoinedtothedomainmustallow NetworkDiscoveryandRemoteAdministration.
Using Windows PowerShell

NoteContentinthefollowingsectionisspecifictoWindowsServer2008R2.
Besidethenetdomcommand,youcanalsouseWindowsPowerShellwithActive DirectoryModuletoperformadomainjoinforalocalmachine.InPowerShell,you shouldusetheAddComputercmdlettoperformadomainjoin.
37/99
07/06/13
Thefollowingexampledemonstrateshowtoaddthelocalcomputeronwhichthis commandisbeingrun,tothecontoso.comdomain.Thelocalcomputerisaddedto theOUinthedirectorythatisspecifiedbytheOUPathparameter,usingthecurrent loggedonusercredentials.Youmustrunthiscommandonthelocalcomputer.
A d d C o m p u t e rD o m a i n O r W o r k g r o u p N a m eC o n t o s oO U P a t hO U = C l i e n t C o m p u t e r s , D C = c o n t o s o , D C = c o m
ForafullexplanationoftheparametersthatyoucanpasstoAddComputer,atthe ActiveDirectoryModulecommandprompt,typeGetHelpAddComputer detailed,andthenpressEnter.
Lab A: Create Computers and Join the Domain
38/99
07/06/13
Lab Setup
Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubegin thelab,youmustcompletethefollowingsteps: 1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthen clickHyperVManager. 2. InHyperVManager,click6425CNYCDC1and6425CNYCDC2,andin theActionspane,clickStart. 3. 4. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts. Logonbyusingthefollowingcredentials:
39/99
07/06/13
Username:Pat.Coleman_Admin Password:Pa$$w0rd Domain:Contoso 5. OpenWindowsExploreron6425CNYCDC1andthenbrowseto D:\Labfiles\Lab05a. 6. RunLab05a_Setup.batwithadministrativecredentials.Usetheaccount Pat.Coleman_Admin,withthepassword,Pa$$w0rd. 7. 8. 9. Thelabsetupscriptruns.Whenitiscomplete,pressanykeytocontinue. ClosetheWindowsExplorerwindow,Lab05a. InHyperVManager,click6425CNYCSVR2,andintheActionspane,click Start. 10. IntheActionspane,clickConnect.Waituntilthevirtualmachinestarts.Donot logontoNYCSVR2untildirectedtodoso.
Lab Scenario
YouareanadministratorforContoso,Ltd.Duringasecurityaudit,itwasidentified thatthereisnocontroloverthecreationofnewcomputeraccounts:bothclientsand serversarebeingaddedtothedomainwithnoassurancethatprocessisbeing
07/06/13
followed.Infact,anumberofcomputeraccountswerediscoveredintheComputers container.Thesecomputerobjectswereforactivecomputeraccounts,butthe computershadnotbeencreatedinormovedtothecorrectOUswithintheClient ComputersorServersOUsaccordingtostandardprocedures.Youvebeentaskedwith improvingtheprocedures.
Exercise 1: Join a Computer to the Domain with the Windows Interface

Inthisexercise,youwilljoinacomputertothedomainusingtheWindows interface,andthenyouwillremovethemachinefromthedomain. Themaintasksforthisexerciseareasfollows: 1. 2. 3. 4. 5. IdentifyandcorrectaDNSconfigurationerror. JoinNYCSVR2tothedomain. VerifythelocationoftheNYCSVR2account. RemoveNYCSVR2fromthedomain. DeletetheNYCSVR2account.
Task 1: Identify and correct a DNS configuration error.

07/06/13
1. 2.
LogontoNYCSVR2asAdministrator,withthepassword,Pa$$w0rd. OpenSystemPropertiesbyusingoneofthefollowingmethods: ClickStart,rightclickComputer,andthenclickProperties. OpenSystemfromControlPanel. PresstheWindowslogokeyandthePausekey.
3.
Attempttojointhecomputertothedomain,contoso.com,beingsuretouse thefullyqualifieddomainname(contoso.com)ratherthantheNetBIOSname forthedomain(contoso). DoingsoteststhatDNSisconfiguredcorrectlyontheclientforlocatingthe domain.
4.
ChangetheDNSServerconfigurationontheclientto10.0.0.10. Question:Whymightthejoinhavesucceededifyouhadusedthedomain namecontoso,insteadofcontoso.com?Whatmightgowrongafterthe domainwassuccessfullyjoinedbutwithDNSincorrectlyconfigured? Answer:Theuseofthefullyqualifiednameforcedthenameresolution processtouseDNS,andbecauseDNSfailed,thedomainjoinfailed.The domainname,contoso,isaflatdomainnamethatcouldberesolved throughNetBIOSnameresolution.Eventhoughthedomainjoinwouldbe successful,theclientwouldlikelyhaveproblemslocatingdomaincontrollers inothersites,andlocatingotherresourcesinthedomain.Performingthe
42/99
07/06/13
joinwithafullyqualifieddomainnameensuresthatDNSisfunctioning beforejoiningthedomain.
Task 2: Join NYC-SVR2 to the domain.
1.
JoinNYCSVR2tothedomain.Whenpromptedfordomaincredentials,enter theusername,Aaron.Painter,andthepassword,Pa$$w0rd.
2.
NotethatAaron.Painterisastandarduserinthecontoso.comdomain.He hasnospecialrightsorpermissions,andyetheisabletojoinacomputertothe domain.Hedoeshavetobeloggedontothecomputerwithanaccountthatisa memberofthecomputer'sAdministratorsgroup.
3.
Allowthesystemtorestart.
Task 3: Verify the location of the NYC-SVR2 account.
1.
OnNYCDC1,runActiveDirectoryUsersandComputersasanadministrator, withtheusername,Pat.Coleman_Admin,andthepassword,Pa$$w0rd.
2.
LocatetheNYCSVR2account. Question:InwhichOUorcontainerdoestheaccountexist?
43/99
07/06/13
Answer:TheComputerscontainer.
Task 4: Remove NYC-SVR2 from the domain.
1. 2.
LogontoNYCSVR2asAdministrator,withthepassword,Pa$$w0rd. ChangeNYCSVR2'sdomain/workgroupmembershiptoaworkgroupnamed, WORKGROUP.
3.
Restarttheserver.
Task 5: Delete the NYC-SVR2 account. Question:OnNYCDC1,refreshtheviewoftheComputerscontainerand examinetheNYCSVR2account.Whatisitsstatus? Answer:ThestatusisDisabled. Question:YouwerenotpromptedfordomaincredentialsinTask4,andyeta changewasmadetothedomain:thecomputeraccountwasresetanddisabled. Whatcredentialswereusedtodothis?Whatcredentialswereusedtochange theworkgroup/domainmembershipofNYCSVR2?
07/06/13
Answer:Thisisatrickyquestion.Domaincredentialswithappropriate permissionsarerequiredtomakeachangetothedomain,suchasresettingand disablingacomputeraccountandcredentialsthatareinthelocalAdministrators groupontheclientarerequiredtochangethecomputersworkgroup/domain membership. YouwereloggedontoNYCSVR2asthelocalAdministrator,soyouwereableto changethecomputersworkgroup/domainmembership.Normally,youwouldhave beenpromptedfordomaincredentials,butitjustsohappensthatthelocal Administratoraccountsusername,Administrator,andpassword,Pa$$w0rd,are identicaltothoseofthedomainAdministratoraccount,whichofcoursehas permissiontomodifyobjectsinthedomain.Windowsattemptstoauthenticateyou behindthescenes,andonlypromptsyoufordomaincredentialsifthatauthentication fails.Inthiscase,becauseofthesimilarityincredentials,youwereactually authenticatedasthedomainsAdministrator.
Inaproductionenvironment,thedomainsAdministratoraccountshouldhaveavery long,complex,securepasswordthatisdifferentfromthepasswordsusedfor Administratoraccountsinthedomainmembercomputer.
DeletetheNYCSVR2computerobject.
Result:Inthisexercise,youbecamefamiliarwithtypicallegacypracticesusedto
07/06/13
joincomputerstoadomain.
Exercise 2: Secure Computer Joins

Inthisexercise,youwillimplementbestpracticestosecurethejoiningof machinestothedomain. Themaintasksforthisexerciseareasfollows: 1. 2. 3. Redirectthedefaultcomputercontainer. Restrictunmanageddomainjoins. ValidatetheeffectivenessofmsDSMachineAccountQuota.
Task 1: Redirect the default computer container.
1.
OnNYCDC1,runacommandpromptasanadministratorwiththeusername, Pat.Coleman_Admin,andthepassword,Pa$$w0rd.
2.
UsetheRedirCmpcommandtoredirectthedefaultcomputerscontainertothe NewComputersOUinthecontoso.comdomain.
46/99
07/06/13
Task 2: Restrict unmanaged domain joins.
1.
RuntheADSIEditconsoleasanadministratorwiththeusername, Pat.Coleman_Admin,andthepassword,Pa$$w0rd.
2.
Connecttothedomainand,inthepropertiesofthedomain,changethems DSMachineAccountQuotatozero(0).
Task 3: Validate the effectiveness of ms-DS-MachineAccountQuota.
LogontoNYCSVR2asAdministratorandattempttojoinNYCSVR2tothe contoso.comdomainjustasyoudidinExercise1.Whenpromptedfordomain credentials,entertheusername,Aaron.Painter,andthepassword,Pa$$w0rd. InExercise1,AaronPainterwasabletojointhedomain.Now,heisunabletojoin thedomain. Question:Whatmessagedoyoureceivewhenauserisnolongerableto createacomputerobjectbecauseofthemsDSMachineAccountQuota?
Results:Inthisexercise,youredirectedthecontainerforcreatingcomputer accountstotheNewComputersOU,andrestrictedtheusersfromjoining computerstothedomainwithoutexplicitpermissionstodoso.

07/06/13
Exercise 3: Manage Computer Account Creation

Inthisexercise,youwillimplementseveralbestpracticesforcreating computeraccountsandjoiningmachinestothedomain. Themaintasksforthisexerciseareasfollows: 1. 2. Prestageacomputeraccount. JoinacomputerremotelytoaprestagedaccountbyusingNetDom.
Task 1: Prestage a computer account.
1.
OnNYCDC1,runActiveDirectoryUsersandComputersasanadministrator withtheusername,Pat.Coleman_Admin,andthepassword,Pa$$w0rd.
2.
IntheServers\FileOU,createanewcomputerobjectforNYCSVR2andgive theAD_Server_Deploygrouppermissiontojointhecomputertothedomain.
Task 2: Join a computer remotely to a prestaged account by using NetDom.
48/99
07/06/13
Inthistask,youwilljoinNYCSVR2tothedomainremotely,usingcredentialsthat areinthelocalAdministratorsgroupofNYCSVR2anddomaincredentialsthat areintheAD_Server_Deploygroup.
1.
Runthecommandpromptasanadministrator,withtheusername, Aaron.Painter_Admin,andthepassword,Pa$$word.
NoteAaron.Painter_Adminisnotanadministrator.TheRunasan administratorcommandallowsyoutorunaprocesswithany credentials,aslongasthosecredentialshavesufficientprivilegetorun theprocessitself.
2.
Typethecommand,whoami/groups,tolistthegroupmembershipsofthe currentaccount(Aaron.Painter_Admin).Notethattheuserisamemberof AD_Server_Deployandisnotamemberofanyotheradministrativegroup.
3.
UsingtheNetDomcommand,joinNYCSVR2tothedomain.Usethelocal AdministratoraccountcredentialsforNYCSVR2andthedomaincredentialsfor Aaron.Painter_Admin,whoisamemberofAD_Server_Deployand thereforehaspermissiontojointhecomputertothedomain.Configurethe servertorebootautomaticallyin5seconds. Typethefollowingcommand,andthenpressEnter.
49/99
07/06/13
n e t d o mj o i nN Y C S V R 2/ d o m a i n : c o n t o s o . c o m/ U s e r O : A d m i n i s t r a t o r / P a s s w o r d O : */ U s e r D : C O N T O S O \ A a r o n . P a i n t e r _ A d m i n/ P a s s w o r d D : * / R E B o o t : 5
NoteTheNYCSVR2firewallexceptionsareconfiguredforports135, 139,andforNetworkDiscovery(NBNameIn).Theseexceptionsallow NetDomJointobeusedtoremotelyjoinNYCSVR2tothedomain.
4. 5.
Theserverrestarts. LogontoNYCSVR2asContoso\Pat.Coleman,withthepasswordofPa$$w0rd. Thisconfirmsthattheserverhassuccessfullyjoinedthedomain.
6.
LogofffromNYCSVR2.
Results:Aftercompletingthisexercise,NYCSVR2willbejoinedtothedomain withanaccountintheServers\FileOU.
ImportantDonotshutdownthevirtualmachinesafteryoufinishthislab becausethesettingsyouhaveconfiguredherewillbeusedinLabB.
50/99
07/06/13
Lab Review Questions Question:Whatdidyoulearnabouttheprosandconsofvariousapproaches tocreatingcomputeraccountsinanADDSdomain? Question:Whatarethetwocredentialsthatarenecessaryforanycomputerto joinadomain?
Lesson 2: Administer Computer Objects and Accounts
51/99
07/06/13
Acomputeraccountbeginsitslifecyclewhenitiscreatedandwhenthecomputer joinsthedomain.Daytodayadministrativetasksincludeconfiguringcomputer propertiesmovingthecomputerbetweenOUsmanagingthecomputeritselfand renaming,resetting,disabling,enabling,andeventuallydeletingthecomputerobject. Thislessonlookscloselyatthecomputerpropertiesandproceduresinvolvedwith thesetasks,andwillequipyoutoadministercomputersinadomain.
Objectives
Aftercompletingthislesson,youwillbeableto: Configurecomputeraccountproperties. MoveacomputerbetweenOUs. Recognizecomputeraccountproblems. Resetacomputeraccount. Renameacomputer. Disableandenableacomputer.
Configure Computer Attributes
52/99
07/06/13
WhenyoucreateacomputerobjectbyusingActiveDirectoryUsersandComputers, youarepromptedtoconfigureonlythemostfundamentalattributes,includingthe computernameandthedelegationtojointhecomputertothedomain.Computers haveseveralpropertiesthatarenotvisiblewhenyouarecreatingthecomputer objectyoushouldconfigurethesepropertiesaspartoftheprocessofstagingthe computeraccount. OpenacomputerobjectsPropertiesdialogboxtosetitslocationanddescription, configureitsgroupmembershipsanddialinpermissions,andlinkittotheuserobject oftheusertowhomthecomputerisassigned.TheOperatingSystemtabisread only.Theinformationwillbeblankuntilacomputerhasjoinedthedomainusingthat account,atwhichtimetheclientpublishestheinformationtoitsaccount.
07/06/13
SeveralobjectclassesinActiveDirectorysupportthemanagedByattributethatis shownontheManagedBytab.Thislinkedattributecreatesacrossreferencetoa userobject.Allotherpropertiestheaddressesandtelephonenumbersare displayeddirectlyfromtheuserobject.Theyarenotstoredaspartofthecomputer objectitself.SomeorganizationsusetheManagedBytabtolinkthecomputertothe primaryuserofthecomputer.Alternatively,youmightchoosetolinkthecomputerto agroupthatisresponsibleforthesupportofacomputer.Forexample,thisasan optionmightbeattractiveforcomputeraccountsthatrepresentservers. OntheMemberOftabofacomputersPropertiesdialogbox,youcanaddthe computertogroups.Theabilitytomanagecomputersingroupsisanimportantand oftenunderutilizedfeatureofActiveDirectory.Agrouptowhichcomputersbelong canbeusedtoassignresourceaccesspermissionstothecomputer,tofilterthe applicationofaGPO,orasacollectionforasoftwaremanagementtool,suchas MicrosoftSystemCenterConfigurationManager2007. Aswithusersandgroups,itispossibletoselectmorethanonecomputerobjectand subsequentlymanageormodifypropertiesofallselectedcomputerssimultaneously.
Configuring Computer Attributes with DSMod

YoucanusetheDSModcommandtomodifythedescriptionandthelocation attributesofacomputerobject.Itusesthefollowingsyntax.
54/99
07/06/13
d s m o dc o m p u t e r" C o m p u t e r D N "[ d e s c" D e s c r i p t i o n " ][ l o c " L o c a t i o n " ]
AttributesofacomputeraccountcanalsobemanagedbyusingWindowsPowerShell withActiveDirectoryModule. ThefollowingexampledemonstrateshowtomodifytheManagedByattributeofthe computerLONSRV1.
S e t A D C o m p u t e rL O N S R V 1M a n a g e d B y' C N = S Q LA d m i n i s t r a t o r 0 1 , O U = U s e r A c c o u n t s , O U = M a n a g e d , D C = c o n t o s o , D C = c o m '
Move a Computer
55/99
07/06/13
ManyorganizationshavemultipleOUsforcomputerobjects.Somedomains,for example,havecomputerOUsbasedongeographicsites,asshownearlierinthis module.IfyouhavemorethanoneOUforcomputers,itislikelythatsomedayyou willneedtomoveacomputerbetweenOUs. TomoveacomputerbyusingtheActiveDirectoryUsersandComputerssnapin,you canuseoneofthefollowingoptions: Clickthecomputerandthendraganddropthecomputertothedesiredlocation. Rightclickthecomputer,andthenclickMove.
56/99
07/06/13
TheDSMovecommandallowsyoutomoveacomputerobjectoranyotherobject. ThesyntaxofDSMoveisasfollows.
d s m o v eO b j e c t D N[ n e w n a m eN e w N a m e ][ n e w p a r e n tP a r e n t D N ]
Thenewnameoptionallowsyoutorenameanobject.Thenewparentoptionallows youtomoveanobject.Tomoveacomputernamed,DESKTOP153,fromthe ComputerscontainertotheNYCOU,youwouldtypethefollowingcommand.
d s m o v e" C N = D E S K T O P 1 5 3 , C N = C o m p u t e r s , D C = c o n t o s o , D C = c o m "n e w p a r e n t" O U = N Y C , O U = C l i e n tC o m p u t e r s , D C = c o n t o s o , D C = c o m "
Using Windows PowerShell

YoucanalsoperformthemoveprocessforacomputerbyusingWindowsPowerShell withActiveDirectoryModule.Thisisperformedbyusingpipelinedcmdlets,Get ADComputerandMoveADObject.Thefollowingexampledemonstrateshowto movethecomputer,Workstation1,totheManagedComputersOUinthecontoso.com domain.

07/06/13
G e t A D C o m p u t e rW o r k s t a t i o n 1|M o v e A D O b j e c tT a r g e t P a t h ' O U = M a n a g e d C o m p u t e r s , D C = c o n t o s o , D C = c o m '
Computer Account and Secure Channel
EverymembercomputerinanActiveDirectorydomainmaintainsacomputeraccount withausername(sAMAccountName)andpassword,justlikeauseraccountdoes. Thecomputerstoresitspasswordintheformofalocalsecurityauthority(LSA) secretandchangesitspasswordwiththedomainevery30daysorso.TheNetLogon serviceusesthecredentialstologontothedomain,whichestablishesthesecure channelwithadomaincontroller.

07/06/13
Computeraccountsandthesecurerelationshipsbetweencomputersandtheirdomain arerobust.However,certainscenariosmightariseinwhichacomputerisnolonger abletoauthenticatewiththedomain.Examplesofsuchscenariosincludethe following: Afterreinstallingtheoperatingsystemonaworkstation,theworkstationisunable toauthenticate,eventhoughthetechnicianusedthesamecomputername. BecausethenewinstallationgeneratedanewSIDandbecausethenewcomputer doesnotknowthecomputeraccountpasswordinthedomain,itdoesnotbelong tothedomainandcannotauthenticatetothedomain. Acomputeriscompletelyrestoredfrombackupandisunabletoauthenticate.Itis likelythatthecomputerchangeditspasswordwiththedomainafterthebackup operation.Computerschangetheirpasswordsevery30days,andActiveDirectory remembersthecurrentandpreviouspassword.Iftherestoreoperationrestoredthe computerwithasignificantlyoutdatedpassword,thecomputerwillnotbeableto authenticate. AcomputersLSAsecretgetsoutofsynchronizationwiththepasswordknownby thedomain.Youcanthinkofthisasthecomputerforgettingitspassword althoughitdidnotforgetitspassword,itjustdisagreeswiththedomainoverwhat thepasswordreallyis.Whenthishappens,thecomputercannotauthenticateand thesecurechannelcannotbecreated.
59/99
07/06/13
Recognize Computer Account Problems
Themostcommonsignsofcomputeraccountproblemsarethefollowing: Messagesatlogonindicatethatadomaincontrollercannotbecontacted,thatthe computeraccountmightbemissing,thatthepasswordonthecomputeraccountis incorrect,orthatthetrustrelationship(anotherwayofsayingthesecure relationship)betweenthecomputerandthedomainhasbeenlost.Anexampleis shownhere. Errormessagesoreventsintheeventlogindicatesimilarproblemsorsuggestthat passwords,trusts,securechannels,orrelationshipswiththedomainoradomain

07/06/13
controllerhavefailed.OnesucherrorisNETLOGONEventID3210:FailedTo Authenticate,whichappearsinthecomputer'seventlog. AcomputeraccountismissinginActiveDirectory.
Reset a Computer Account
Whenthesecurechannelfails,youmustresetthesecurechannel.Many administratorsdosobyremovingthecomputerfromthedomain,puttingitina workgroup,andthenrejoiningthedomain.Thisisnotagoodpracticebecauseithas thepotentialtodeletethecomputeraccountaltogether,whichlosesthecomputers SID,andmoreimportantly,itsgroupmemberships.Whenyourejointhedomain,

07/06/13
eventhoughthecomputerhasthesamename,theaccounthasanewSID,andall thegroupmembershipsofthepreviouscomputerobjectmustberecreated.
Do not remove a computer from the domain and rejoin it.

Ifthetrustwiththedomainhasbeenlost,donotremoveacomputerfromthe domainandrejoinit.Instead,resetthesecurechannel. Toresetthesecurechannelbetweenadomainmemberandthedomain,usethe ActiveDirectoryUsersandComputerssnapin,DSMod.exe,NetDom.exe,or NLTest.exe.Ifyouresettheaccount,thecomputersSIDremainsthesameandit maintainsitsgroupmemberships. ToresetthesecurechannelbyusingtheActiveDirectoryUsersandComputerssnap in: 1. 2. 3. Rightclickacomputer,andthenclickResetAccount. ClickYestoconfirmyourchoice. Rejointhecomputertothedomain,andthenrestartthecomputer.
ToresetthesecurechannelbyusingDSMod:
62/99
07/06/13
1.
Typethefollowingcommand.
d s m o dc o m p u t e r" C o m p u t e r D N " r e s e t .
2.
Rejointhecomputertothedomain,andthenrestartthecomputer.
ToresetthesecurechannelbyusingNetDom: Typethefollowingcommand,
n e t d o mr e s e tM a c h i n e N a m e/ d o m a i nD o m a i n N a m e/ U s e r OU s e r N a m e / P a s s w o r d O{ P a s s w o r d|* }
wherethecredentialsbelongtothelocalAdministratorsgroupofthecomputer. Thiscommandresetsthesecurechannelbyattemptingtoresetthepasswordon boththecomputerandthedomain,soitdoesnotrequirerejoiningorrebooting. ToresetthesecurechannelbyusingNLTest,onthecomputerthathaslostitstrust, typethefollowingcommand.

07/06/13
N L T E S T/ S E R V E R : S E R V E R N A M E/ S C _ R E S E T : D O M A I N \ D O M A I N C O N T R O L L E R
Forexample,thefollowingcommand,likeNetDom,attemptstoresetthesecure channelbyresettingthepasswordonboththecomputerandinthedomain,soit doesnotrequirerejoiningorrestarting.
n l t e s t/ s e r v e r : N Y C S V R 2/ s c _ r e s e t : C O N T O S O \ N Y C S V R 2
BecauseNLTestandNetDomresetthesecurechannelwithoutrequiringareboot,you shouldtrythosecommandsfirst.Onlyifthosearenotsuccessfulshouldyouusethe ResetAccountcommandorDSModtoresetthecomputeraccount. NoteContentinthefollowingsectionisspecifictoWindowsServer2008R2.
YoucanalsouseWindowsPowerShellwithActiveDirectoryModuletoreseta computeraccount.Thefollowingexampledemonstrateshowtoresetthesecure channelbetweenthelocalcomputerandthedomaintowhichitisjoined.Youmust runthiscommandonthelocalcomputer.
T e s t C o m p u t e r S e c u r e C h a n n e l R e p a i r
07/06/13
ForafullexplanationoftheparametersthatyoucanpasstoTest ComputerSeureChannel,attheActiveDirectoryModulecommandprompt,typeGet HelpTestComputerSecureChanneldetailed,andthenpressEnter.
Rename a Computer
Whenyourenameacomputer,youmustbecarefultodoitcorrectly.Rememberthat thecomputerusesitsnametoauthenticatewiththedomain,soifyourenameonly thedomainobject,oronlythecomputeritself,theywillbeoutofsynch.Youmust renamethecomputerinsuchawaythatboththecomputerandthedomainobject

07/06/13
arechanged. Youcanrenameacomputercorrectlybyloggingontothecomputer,eitherlocallyor witharemotedesktopsession. 1. 2. OpenSystemPropertiesfromControlPanel. IntheComputername,domain,andworkgroupsettingssection,click ChangeSettings. 3. 4. 5. 6. 7. IfyouarepromptedbyUserAccountControl,clickContinue. ClicktheComputerNametab. ClicktheChangebutton. TypethenewnameandclickOKtwicetoclosethedialogboxes. Restartthecomputertoallowthechangetotakeeffect.
Fromthecommandprompt,youcanusetheNetDomcommand,withthefollowing syntax.
n e t d o mr e n a m e c o m p u t e rM a c h i n e N a m e/ N e w N a m e : N e w N a m e [ / U s e r O : L o c a l U s e r n a m e ][ / P a s s w o r d O : { L o c a l P a s s w o r d | * }]
07/06/13
[ / U s e r D : D o m a i n U s e r n a m e ][ / P a s s w o r d D : { D o m a i n P a s s w o r d | * }] [ / S e c u r e P a s s w o r d P r o m p t ][ / R E B o o t [ : T i m e I n S e c o n d s ] ]
Inadditiontospecifyingthemachinetorename(MachineName)andthedesirednew name(NewName),youmusthavecredentialsthatareamemberofthelocal Administratorsgrouponthecomputerandcredentialsthathavepermissionto renamethedomaincomputerobject.Bydefault,NetDomwillusethecredentialswith whichthecommandisrun.Youcanspecifycredentialsbyusing/UserOand /PasswordOforthecredentialsinthecomputerslocalAdministratorsgroup,and /UserDand/PasswordDforthedomaincredentialswithpermissiontorenamethe computerobject.Specifying*forthepasswordcausesNetDom.exetopromptforthe passwordatthecommandprompt.The/SecurePasswordPromptoptiondisplaysa popupforcredentialswhen*isspecifiedforeither/PasswordOor/PasswordD.After yourenameacomputer,youmustrebootthecomputer.The/REBootoptioncauses thesystemtorebootafter30seconds,unlessotherwisespecifiedbyTimeInSeconds. Whenyourenameacomputer,youcanadverselyaffectservicesrunningonthe computer.Forexample,ActiveDirectoryCertificateServices(ADCS)reliesonthe serversname.Becertaintoconsidertheimpactofrenamingacomputerbeforedoing so.Donotusethesemethodstorenameadomaincontroller. NoteThecontentinthefollowingsectionisspecifictoWindowsServer2008 R2.
07/06/13
ItisalsopossibletouseWindowsPowerShellwithActiveDirectoryModuletorename acomputer.Youcanusethisapproachtochangethelocalcomputernameandto changetheActiveDirectorycomputerobjectname.Thefollowingexample demonstrateshowtorenamethelocaldomainjoinedcomputeronwhichthe commandisbeingrun.Thiscommandmustberunonthelocalcomputer.
R e N a m e C o m p u t e rN C NM y C o m p u t e r
Thesecondexampleshowshowtochangethenameofcomputerobjectnamed, Server1,intheManagedComputersOUinthecontoso.comdomain.
R e n a m e A D O b j e c t C N = f a b r i k a m s r v 1 , O U = M a n a g e d C o m p u t e r s , D C = F a b r i k a m , D C = c o m N e w N a m e f a b r i k a m s r v 3
Disable and Enable a Computer
68/99
07/06/13
Ifacomputeristakenofflineorisnottobeusedforanextendedperiodoftime,you shouldconsiderdisablingtheaccount.Thisrecommendationreflectsthesecurity principlethatanidentitystoreshouldallowauthenticationonlyoftheminimum numberofaccountsrequiredtoachievethegoalsofanorganization.Disablingthe accountdoesnotmodifythecomputersSIDorgroupmembership,sowhenthe computerisbroughtbackonline,theaccountcanbeenabled. TodisableacomputerintheActiveDirectoryUsersandComputerssnapin,right clickthecomputer,andthenclickDisableAccount. AdisabledaccountappearswithadownarrowiconintheActiveDirectoryUsersAnd Computerssnapin,asshownhere:
07/06/13
Whileanaccountisdisabled,thecomputercannotcreateasecurechannelwiththe domain.Theresultisthatuserswhohavenotpreviouslyloggedontothecomputer, andwhothereforedonothavecachedcredentialsonthecomputer,willbeunableto logonuntilthesecurechannelisreestablishedbyenablingtheaccount. Toenableacomputeraccount,rightclickthecomputer,andthenclickEnable Account. Todisableorenableacomputerfromthecommandprompt,usetheDSMod command.Thesyntaxusedtodisableorenablecomputersisasfollows.
d s m o dc o m p u t e rC o m p u t e r D Nd i s a b l e dy e sd s m o dc o m p u t e r
C o m p u t e r D Nd i s a b l e dn o
Delete and Recycle Computer Accounts
70/99
07/06/13
Youhavelearnedthateachcomputeraccount,likeeachuseraccount,maintainsa uniqueSID,whichenablesanadministratortograntpermissionstocomputers.Also, likeuseraccounts,computerscanbelongtogroups.Therefore,itisimportantto understandtheeffectofdeletingacomputeraccount.Whenacomputeraccountis deleted,itsgroupmembershipsandSIDarelost.Ifthedeletionisaccidental,and anothercomputeraccountiscreatedwiththesamename,itisnonethelessanew account,withanewSID.Groupmembershipsmustbereestablished,andany permissionassignedtothedeletedcomputermustbereassignedtothenewaccount. Deletecomputerobjectsonlywhenyouarecertainthatyounolongerrequirethose securityrelatedattributesoftheobject. TodeleteacomputeraccountbyusingActiveDirectoryUsersandComputers,
07/06/13
performthefollowingsteps: 1. Rightclickthecomputerobject,andthenclickDelete. Youarepromptedtoconfirmthedeletion,andbecausedeletionisnotreversible, thedefaultresponsetothepromptisNo. 2. ClickYestodeletetheobject.
TheDSRmcommandallowsyoutodeleteacomputerobjectfromthecommand prompt.TodeleteacomputerwithDSRm,typethefollowingcommand.
d s r mO b j e c t D N
WhereObjectDNisthedistinguishednameofthecomputer,suchas CN=Desktop154,OU=NYC,OU=ClientComputers,DC=contoso,DC=com.Again,you willbepromptedtoconfirmthedeletion.
Recycling Computers
IfacomputeraccountsgroupmembershipsandSID,andthepermissionsassigned tothatSID,areimportanttotheoperationsofadomain,youdonotwanttodelete thataccount.Sowhatwouldyoudoifacomputerwasreplacedwithanewsystem,
07/06/13
withupgradedhardware?Thatisanotherscenarioinwhichyouwouldreseta computeraccount. Resettingacomputeraccountresetsitspassword,butmaintainsallofthecomputer objectsproperties.Witharesetpassword,theaccountbecomes,ineffect,available foruse.Anycomputercanthenjointhedomainusingthataccount,includingthe upgradedsystem.Ineffect,youverecycledthecomputeraccount,assigningittoa newpieceofhardware.Youcanevenrenametheaccount.TheSIDandgroup membershipsremainthesame. Asyoulearnedearlierinthislesson,theResetAccountcommandisavailableinthe contextmenuwhenyourightclickacomputerobject.TheDSModcommandcanalso beusedtoresetacomputeraccount,whenyoutypedsmodcomputer"ComputerDN" reset.
Lab B: Administer Computer Objects and Accounts
73/99
07/06/13
Lab Setup
ThevirtualmachinesshouldalreadybestartedandavailableaftercompletingLabA. However,iftheyarenot,youshouldcompletesteps1to3andthenstepthrough exercises1to3inLabAbeforecontinuing.Youwillbeunabletosuccessfully completeLabBunlessyouhavecompletedLabA. 1. 2. 3. Start6425CNYCDC1. LogontoNYCDC1asPat.Coleman.admin,withthepassword,Pa$$w0rd. Start6425CNYCSVR2.Donotlogonuntildirectedtodoso.
74/99
07/06/13
Lab Scenario
YouareanadministratorforContoso,Ltd.Duringasecurityaudit,anumberof computeraccountswerediscovered.Thosecomputersnolongerexistinthedomain. Youvebeentaskedwithimprovingthemanagementofcomputeraccounts,and identifyingthebestpracticesforadministeringtheentirelifecycleofacomputer account.
Exercise 1: Administer Computer Objects Through Their Life Cycle

Inthisexercise,youwillconfigurecommonattributesofcomputerobjects, includingdescriptionandManagedBy.Youwillalsomanagethegroup membershipofcomputersandmovecomputersbetweenOUs. Themaintasksforthisexerciseareasfollows: 1. 2. 3. 4. Configurecomputerobjectattributes. Addcomputerstosoftwaremanagementgroups. MoveacomputerbetweenOUs. Disable,enable,anddeletecomputers.
Task 1: Configure computer object attributes.

07/06/13
1.
OnNYCDC1,runActiveDirectoryUsersandComputersasan administrator,withtheusername,Pat.Coleman_Admin,andthepassword, Pa$$w0rd.
2.
IntheClientComputers\SEAOU,usetheManagedBytabofcomputer objectstoassignLNO8538toLindaMitchellandLOT9179toScott Mitchell.
3.
BecauseScottandLindaMitchellwilloccasionallyuseeachother'scomputer,use multiselecttochangethedescriptionofbothLNO8538andLOT9179toScott andLindaMitchell.
Task 2: Add computers to software management groups.
MicrosoftOfficeProjectisrequiredonbothScott'sandLinda'scomputers.Contoso, Ltd.usessecuritygroupsascollectionsforscopingthedeploymentofsoftware.You willaddeachoftheircomputerstothegroup,APP_Project,byusingtwodifferent methods.
Method1
1.
IntheClientComputers\SEAOU,rightclickLOT9179,andthenclickAddto agroup.
76/99
07/06/13
2.
TypeAPP_andpressEnter. TheMultipleItemsFounddialogboxappears.
3.
ClickAPP_Project,andthenclickOK. Amessageappears:TheAddtoGroupoperationwassuccessfullycompleted.
4.
ClickOK.
Method2
1. 2. 3. 4. 5.
Intheconsoletree,expandtheGroupsOU,andthenclickApplication. RightclickAPP_Project,andthenclickProperties. ClicktheMemberstab. ClickAdd. TypeLNO8538andpressEnter. TheNameNotFounddialogboxappears. Bydefault,theSelectUsers,Computers,orGroupsinterfacedoesnotsearch forcomputerobjects.
6.
ClickObjectTypes.
77/99
07/06/13
7. 8.
SelectthecheckboxnexttoComputers,andthenclickOK. ClickOKtoclosetheNameNotFounddialogbox. BothcomputerscannowbeseenontheMemberstab.
9.
ClickOK.
Task 3: Move a computer between OUs.
ScottandLindaarerelocatingtotheVancouveroffice.Youwillmovetheircomputers tothenewOUbyusingtwodifferentmethods.
Method1
1. 2.
IntheClientComputers\SEAOU,clickLOT9179. DragLOT9179intotheVANOU,visibleintheconsoletree. Amessageappearsthatremindsyoutobecarefulaboutmovingobjectsin ActiveDirectory.
3.
ClickYes.
78/99
07/06/13
Method2
4.
RightclickLNO8538,andthenclickMove. TheMovedialogboxappears.
5. 6.
Intheconsoletree,expandClientComputers,andthenclickVAN. ClickOK.
Task 4: Disable, enable, and delete computers.
1.
IntheClientComputers\SEAOU,disable,andthenenabletheaccountfor DEP6152.
2.
DeletetheaccountforDEP6152.
Result:Inthisexercise,youaddedcomputerstosoftwaremanagementgroups, movedacomputerbetweenOUs,anddeletedacomputer..
Exercise 2: Administer and Troubleshoot Computer Accounts
79/99
07/06/13
Inthisexercise,youwilladministerandtroubleshootcomputeraccounts andthesecurechannel. Themaintasksforthisexerciseareasfollows: 1. 2. 3. Resetacomputeraccount. Experienceasecurechannelproblem. Resetthesecurechannel.
Task 1: Reset a computer account.
Recently,ScottMitchell'scomputerrequiredreinstallation.Thenamingconventionat Contoso,Ltd.istousethenameofacomputerobjectasitsassettag,assignedby theITinventoryteam.BecauseScottreinstalledhiscomputeronthesamepieceof hardware,thecomputernameisthesame:LOT9179.Henowwantstojointhe machinetothedomain,butthereisalreadyanaccountforLOT9179,andthe accountisamemberofgroupsthatensurethecorrectsoftware(includingMicrosoft OfficeProject)andconfigurationareappliedtothesystem.Therefore,itisimportant thattheaccountnotbedeleted,sothatgroupmembershipscanberetained.
IntheClientComputers\VANOU,resettheaccountforLOT9179.
80/99
07/06/13
YoucouldnowjoinScott'sreinstalledcomputertothedomain.
Task 2: Experience a secure channel problem.
1.
LogontoNYCSVR2asPat.Coleman,withthepassword,Pa$$w0rd.After thedesktopappears,logoff.
2.
To"break"thesecurechannel,useActiveDirectoryUsersandComputerson NYCDC1toresettheaccountforNYCSVR2.
3.
AttempttologontoNYCSVR2asPat.Coleman,withthepassword, Pa$$w0rd.
Task 3: Reset the secure channel.
Tosolveabrokentrustrelationshipbetweenadomainmemberandthedomain,you canresetthecomputer'saccount,movethecomputerintoaworkgroup,andthen rejointhedomain.
ResetthecomputeraccountforNYCSVR2. Afterresettingthesecurechannel,youcouldmoveNYCSVR2intoaworkgroup, andthenrejointhedomain.Itwilljoinitsresetaccount,therebyretainingitsgroup

07/06/13
memberships.Donotperformthatstepatthistime.
Result:Inthisexercise,youresolvedsecurechannelissues..
Lab Review Question Question:Whatinsightsdidyougainintotheissuesandproceduresregarding computeraccountsandadministeringcomputeraccountsthroughtheirlifecycle?
Lesson 3: Offline Domain Join
82/99
07/06/13
OfflineDomainJoinisanewfunctionalityspecifictoWindowsServer2008R2.This functionalityenablesadministratorstojoincomputerstodomainwithoutnetwork connectivity.InthislessonyouwilllearnhowOfflineDomainJoinworksandhowto useit.
Objectives
Aftercompletingthislessonyouwillbeableto: DescribeOfflineDomainJoin. DescribetheprocessforperforminganOfflineDomainJoin.
07/06/13
PerformanOfflineDomainJoin.
NoteThecontentinthislessonisspecifictoWindowsServer2008R2.
What Is an Offline Domain Join?
InearlierWindowsversions,itwasmandatorytohaveanetworkconnectiontoa domaincontrollertojoinacomputertotheActiveDirectorydomain.Insome scenarios,thiscanbealimitation.Forexample,ifyouneedtoperformafullprovision

07/06/13
ofcomputersthatarecurrentlynotconnectedtoanetwork,ornotlocatedinthe sameplaceasdomaincontrollers,youcannotcompletetheprocessunlessyoujoin thecomputerstoadomain,andrestartthemoncemoreafternetworkconnections areestablished. OfflineDomainJoinisanewfunctionalityinWindowsServer2008R2andWindows7 thatallowsyoutojoinacomputertodomainwithoutactuallybeingconnectedtothe networkwherethedomaincontrollerresides.Infact,allpreparationstepsare performedonadomaincontrollerandacomputerwhileitisstilloffline.Afteritgets connectedtoanetwork,atrustrelationshipwiththedomainisestablishedwithout anyuserintervention.Noadditionalrestartisnecessarytocompletethedomainjoin. Thishelpsreducethetimeandeffortrequiredtocompletealargescalecomputer deploymentinplacessuchasdatacenters. YoucanalsobenefitfromtheOfflineDomainJoinfeatureifyouaredeployingvirtual machines.OfflineDomainJoinmakesitpossibleforyoutojointhevirtualmachines tothedomainwhentheyinitiallystartfollowingtheoperatingsysteminstallation.No additionalrestartisrequiredtocompletethedomainjoin.Thiscansignificantly reducetheoveralltimerequiredforwidescalevirtualmachinedeployments. ToperformanOfflineDomainJoin,youdonothavetohavedomaincontrollers runningonWindowsServer2008R2,Itisalsonotmandatorytohavethedomainor forestintheWindowsServer2008functionalmode.Theonlyessentialrequirement forusingthismethodisthatthemachineusedforprovisioningandthemachine
07/06/13
beingprovisionedmusthaveWindows7orWindowsServer2008R2. .
Process for Performing an Offline Domain Join
ToperformanOfflineDomainJoin,youmustuseanewcommandlineutilitynamed, Djoin.exe.ThisutilityisusedtobothprovisioncomputeraccountsintoADDSandfor insertingdomaindataintotheoperatingsystemofthecomputerthatisbeingjoined tothedomainbyusingthismethod.
Performing an Offline Join by Using Djoin.exe

07/06/13
Djoin.exeperformsthefollowingtasks: ProvisionsanewcomputeraccountintoADDS.Thisprecreatesacomputer accountandsetsituptobeconnectedatalaterdate. Generatesatextfile(ablob)thatcontainsinformationthatisnecessaryforan OfflineDomainJoin.Theblobcontainsthemachineaccountpasswordandother informationaboutthedomain,includingthedomainname,thenameofadomain controller,theSIDofthedomain,andsoon Insertsthedataprovidedintheblobintotheoperatingsystemofthecomputer beingjoinedtothedomain
Prerequisites for Performing an Offline Join

ThecomputeronwhichyourunDjoin.exetoprovisioncomputeraccountdatainto ADDSmustberunningWindows7orWindowsServer2008R2.Thecomputerthat youwanttojointothedomainmustalsoberunningWindows7orWindowsServer 2008R2. ItisnotmandatorythatyouperformanOfflineDomainJoinrightafteryouprovision acomputeraccountintoADDS.Youcandoitatanytimelater. ToperformanOfflineDomainJoin,youmusthavetherightsthatarenecessaryto joinworkstationstothedomainandtocreatecomputeraccountsinthedomain.
07/06/13
MembersoftheDomainAdminsgrouphavetheserightsbydefault.Ifyouarenota memberoftheDomainAdminsgroup,amemberoftheDomainAdminsgroupmust delegateyoutherighttojoincomputerstothedomainbyusingGroupPolicyorby editinganACLofthecontainerwherethecomputeraccountwillbestored. Djoin.exeshouldberunatanelevatedcommandprompttoprovisionthecomputer accountmetadata.Whenyouruntheprovisioningcommand,thecomputeraccount metadataiscreatedina.txtfilethatyouspecifyaspartofthecommand.Afteryou runtheprovisioningcommand,youcaneitherrunDjoin.exeagaintorequestthe computeraccountmetadataandinsertitintotheWindowsdirectoryofthe destinationcomputer,oryoucansavethecomputeraccountmetadatainthe Unattend.xmlfileandthenspecifytheUnattend.xmlfileduringanunattended operatingsysteminstallationofthedestinationcomputer.
Offline Domain Join Process

TheOfflineDomainJoinprocessincludesthefollowingsteps: 1. Runthedjoin.exe/provisioncommandtocreatethecomputeraccountmetadata forthedestinationcomputer(thecomputerthatyouwanttojointothe domain).Aspartofthiscommand,youmustspecifythenameofthedomain thatyouwantthecomputertojoinandthenameofthecomputer,asfollows.
d j o i n/ p r o v i s i o n/ d o m a i nc o n t o s o . c o m/ m a c h i n eD E S K T O P 1 2 3 / s a v e f i l eC : \ d e s k t o p 1 2 3 . t x t
07/06/13
Afterperformingthisstep,acomputeraccountnamed,DESKTOP123,willbe provisionedtoADDS,andablobfilenameddesktop123.txtwillbecreated.Nowyou havetotransferthisfiletothecomputerthatisbeingjoinedtothedomain. NoteThebase64encodedmetadatablobthatiscreatedbytheprovisioning commandcontainsverysensitivedata.Itshouldbetreatedjustassecurelyas aplaintextpassword.
2.
Runthedjoin.exe/requestODJcommandtoinsertthecomputeraccount metadataintotheWindowsdirectoryofthedestinationcomputer,asfollows.
d j o i n/ r e q u e s t O D J/ l o a d f i l ed e s k t o p 1 2 3 . t x t/ w i n d o w s p a t h % S y s t e m R o o t %/ l o c a l o s
3.
Whenyoustartthedestinationcomputer,eitherasavirtualmachineoraftera completeoperatingsysteminstallation,thecomputerwillbejoinedtothe domainthatyouspecify.
89/99
07/06/13
Theswitch/localosfromthepreviouscommandisusedonlyifyouperformadjoin operationonthecomputerthatyouarejoiningtothedomain.However,ifduringthe provisioningprocess,youaremountingsystemharddrives(virtualorphysical)from thecomputersthatyouareprovisioning,youshouldnotusethe/localosswitch. NoteUsingdeploymenttoolssuchasWindowsSystemImageManager,you canperformanunattendeddomainjoinduringanoperatingsystem installationbyprovidinginformationthatisrelevanttothedomainjoininan Unattend.xmlfile.UsingthesameUnattend.xmlfile,youcansupplythe informationthatisnecessaryforthecomputersthatrunWindows7and WindowsServer2008R2toperformanOfflineDomainJoin.
Question:Whatisthecontentofthetextfilethatiscreatedduringadjoin provisioningprocess?
Demonstration: Perform an Offline Domain Join
90/99
07/06/13
Inthisdemonstration,yourinstructorwillshowyouhowtoperformanOffline DomainJoin.
Demonstration Steps
Provisionanewcomputeraccountcalled,NYCCL2,inthecontosodomainby usingthedjoinutility.
Lab C: Perform an Offline Domain Join

07/06/13
Lab Setup
Forthislab,youwillusetheavailablevirtualmachineenvironment.Beforeyoubegin thelab,youmust: 1. Onthehostcomputer,clickStart,pointtoAdministrativeTools,andthen clickHyperVManager. 2. 3. Ensurethatthe6425CNYCDC1virtualmachineisrunning. Logonto6425CNYCDC1byusingthefollowingcredentials: Username:Pat.Coleman_Admin
07/06/13
Password:Pa$$w0rd Domain:Contoso 4. Startthe6425CNYCCL2virtualmachine.Donotlogontotheclientmachine untildirectedtodoso.
Lab Scenario
YouareanadministratorforContoso,Ltd.Youmustprovisionalargenumberofnew computersinashortperiodoftime.Notallcomputerscanhavenetworkconnectivity, soyouhavedecidedtoleveragetheOfflineDomainJoinfunctionality.Inthislab,you willtestthisfunctionalityononevirtualmachine.
Exercise: Perform an Offline Domain Join

Inthisexercise,youwillperformanOfflineDomainJoin. Themaintasksforthisexerciseareasfollows: 1. 2. Ensurethattheclientcomputerisnotjoinedtothedomain. ProvisionacomputeraccountandperformanOfflineDomainJoin.
93/99
07/06/13
Task 1: Ensure that the client computer is not joined to the domain.
1. 2.
LogontoNYCCL2asAdmin,withthepassword,Pa$$w0rd. OpenSystemPropertiesandensurethatthecomputerisjoinedtoa workgroup,insteadofadomain
Task 2: Provision a computer account and perform an Offline Domain Join
1.
OnNYCDC1,openacommandpromptusingadministrativecredentialsanduse djoin.exetoprovisionanewcomputeraccounttoADDSbytypingthefollowing command.

d j o i n/ p r o v i s i o n/ d o m a i nc o n t o s o . c o m/ m a c h i n eN Y C C L 2 / s a v e f i l eC : \ N Y C C L 2 . t x t
2.
OpenActiveDirectoryUsersandComputersandverifythattheNYCCL2 machinehasbeenprovisionedintheComputerscontainer.
3.
OnNYCCL2,createafoldercalledC:\DJOIN.UseWindowsExplorerandbrowse to\\NYCDC1\C$.
4.
CopyNYCCL2.txttotheC:\DJOINfolder.
94/99
07/06/13
5.
OpenaCommandPromptusingadministrativeprivileges,typethefollowing command,andthenpressEnter.
d j o i n/ r e q u e s t o d j/ l o a d f i l eC : \ D J O I N \ N Y C C L 2 . t x t / w i n d o w s p a t h% S y s t e m R o o t %/ l o c a l o s
6. 7.
Afterthecommandiscompleted,restartNYCCL2. LogonasContoso\Pat.colemanandensurethatNYCCL2isjoinedtothe contoso.comdomain.
Result:Inthisexercise,youjoinedtheNYCCL2computertothedomainby usingOfflineDomainJointechnology.
To prepare for the next module
Whenyoufinishthelab,revertthevirtualmachinestotheirinitialstate.Todothis, completethefollowingsteps:
1. 2.
Onthehostcomputer,startHyperVManager. Rightclick6425CNYCDC1intheVirtualMachineslist,andthenclick
95/99
07/06/13
Revert. 3. 4. IntheRevertVirtualMachinedialogbox,clickRevert. Repeatthesestepsfor6425CNYCSVR2and6425CNYCCL2.
Module Review and Takeaways
Review Questions
1. WhatisthemaindifferencebetweentheComputerscontainerandanOU?
96/99
07/06/13
2.
Whenshouldyouresetacomputeraccount?Whyisitbettertoresetthe computeraccountthantodisjoinandrejoinittothedomain?
3.
InanOfflineDomainJoin,whatshouldyoudoafteryouprovisionanew computeraccounttothedomainbyusingthedjoin.exeutility?
Common Issues Related to Computer Account Management

Issue
Thecomputercannotbejoinedto thedomain. GroupPolicyisnotappliedtothe computerafteritisjoinedtothe domain. TheOfflineDomainJoinisnot workingasexpected.
Troubleshootingtip
Real-World Issues and Scenarios

1. YouareworkingasanITtechnicianinContoso,Ltd.Youaremanagingthe WindowsServerbasedinfrastructure.Youhavetofindamethodforjoiningnew Windows7basedcomputerstoadomainduringtheinstallationprocesswithout interventionofauseroranadministrator.
07/06/13
Best Practices Related to Computer Account Management

Alwaysprovisionacomputeraccountbeforejoiningcomputerstoadomainand placetheminappropriateOUs. RedirectthedefaultComputercontainertoanotherlocation. Resetthecomputeraccount,insteadofjustdoingadisjoinandrejoin. IntegratetheOfflineDomainJoinfunctionalitywithunattendedinstallations.
Tools
Tool
WindowsPowerShell withActiveDirectory Module CSVDE,LDIFDE Importingcomputeraccountsin ADDS Djoin.exe Offlinedomainjoin WindowsServer2008commandprompt WindowsServer2008commandprompt
Usefor
Computeraccountmanagement
Wheretofindit
AdministrativeTools
Windows Server 2008 R2 Features Introduced in this Module

07/06/13
WindowsServer2008 R2feature
WindowsPowerShellwithActive DirectoryModule OfflineDomainJoin
Description
NewadministrationutilityforActiveDirectory,basedonWindows PowerShell NewfeatureinWindowsServer2008R2andWindows7thatallows youtojoinmachinestodomainevenwhentheydon'thave networkconnectiontodomaincontroller
99/99

Module 5 - Managing Computer Accounts

Diunggah oleh

Informasi Dokumen

Deskripsi Asli:

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

Module 5 - Managing Computer Accounts

Diunggah oleh

Hak Cipta:

Format Tersedia

07/06/13

Module 5: Managing Computer Accounts

Module 5: Managing Computer Accounts

Module 5: Managing Computer Accounts

Module 5: Managing Computer Accounts

Lesson 1: Create Computers and Join the Domain

Module 5: Managing Computer Accounts

Workgroups, Domains, and Trusts

Module 5: Managing Computer Accounts

Module 5: Managing Computer Accounts

Requirements for Joining a Computer to the Domain

Module 5: Managing Computer Accounts

Module 5: Managing Computer Accounts

The Computers Container and Organizational Units

The Default Computers Container

Module 5: Managing Computer Accounts

andanOU.YoucannotcreateanOUwithinacontainer,soyoucannotsubdividethe ComputersOUandyoucannotlinkaGroupPolicyobjecttoacontainer.Therefore, wehighlyrecommendthatyoucreatecustomOUstohostcomputerobjects,instead ofusingtheComputerscontainer.

OUs for Computers

Module 5: Managing Computer Accounts

Module 5: Managing Computer Accounts

Delegating Permission to Create Computers

Prestage a Computer Account

Module 5: Managing Computer Accounts

Module 5: Managing Computer Accounts

Module 5: Managing Computer Accounts

tothedomainiscalledprestagingtheaccount. Therearetwomajoradvantagesofprestagingacomputer: TheaccountisinthecorrectOUandisthereforedelegatedaccordingtothe securitypolicydefinedbytheaccesscontrollist(ACL)oftheOU. ThecomputeriswithinthescopeofGPOslinkedtotheOU,beforethecomputer joinsthedomain.

Join a Computer to the Domain

Module 5: Managing Computer Accounts

InWindowsXP,WindowsServer2003: OpentheSystempropertiesdialogboxbydoingoneofthefollowing: RightclickMyComputer,andthenclickProperties. PressWindowsLogo+Pause.

Module 5: Managing Computer Accounts

ClicktheComputerNametab. ClickChange. UnderMemberOf,clickDomain. Typethenameofthedomainyouwanttojoin.

NoteUsethefullDNSnameofthedomain.Notonlyisthismore accurateandmorelikelytosucceed,butifitdoesnotsucceed,it indicatesthattherecouldbeaproblemwithDNSnameresolutionthat shouldberectifiedbeforejoiningthemachinetothedomain.

Module 5: Managing Computer Accounts

Module 5: Managing Computer Accounts

10. ClickClose(inWindowsVista)orOK(inWindowsXP)toclosetheSystem Propertiesdialogbox. 11. Youarepromptedagaintorestartthecomputer,afterwhichthesystemisfullya memberofthedomain,andyoucanlogonbyusingdomaincredentials.

Secure Computer Creation and Joins

Module 5: Managing Computer Accounts

Creatingcomputeraccountsandjoiningcomputerstoadomainaresecuritysensitive operations. Therefore,itisveryimportantthatthesestepsareassecureaspossible.

Prestage Computer Objects

Module 5: Managing Computer Accounts

Configuring the Default Computer Container

Module 5: Managing Computer Accounts

Module 5: Managing Computer Accounts

Restricting the Ability of Users to Create Computers

Module 5: Managing Computer Accounts

Module 5: Managing Computer Accounts

ClickmsDSMachineAccountQuota,andthenclickEdit. Type0. ClickOK.

Module 5: Managing Computer Accounts

Delegating Computer Management

Module 5: Managing Computer Accounts

o fO U "/ I : S/ G" D O M A I N \ g r o u p " :C A ; R e s e tP a s s w o r d ; c o m p u t e rd s a c l s

Automate Computer Account Creation

Module 5: Managing Computer Accounts

Import Computers with CSVDE

Module 5: Managing Computer Accounts

CSVDEisacommandlinetoolthatimportsorexportsActiveDirectoryobjectsfrom ortoacommadelimitedtextfile(alsoknownasacommaseparatedvaluetextfile, or.csvfile).ThebasicsyntaxoftheCSVDEcommandis.

Theioptionspecifiesimportmodewithoutit,thedefaultmodeofCSVDEisexport. Thefoptionidentifiesthefilenametoimportfromorexportto.Thekoptionis usefulduringimportoperations,becauseitinstructsCSVDEtoignoreerrors,including objectalreadyexists,constraintviolation,andattributeorvaluealreadyexists.

Module 5: Managing Computer Accounts

Commadelimitedfilescanbecreated,modified,andopenedwithtoolsasfamiliaras NotepadandMicrosoftOfficeExcel.Thefirstlineofthefiledefinestheattributes bytheirLDAPattributenames.Eachobjectfollows,oneperline,andmustcontain exactlytheattributeslistedonthefirstline.AsamplefileisshowninExcelasfollows.

Import Computers with LDIFDE

Module 5: Managing Computer Accounts

Module 5: Managing Computer Accounts