what happens when a computer joins a domain?

Archived from groups: microsoft.public.win2000.active_directory

What is the sequence of steps that happens when a computer (principal)
joins a domain?
  1.

    Hi

    Not too sure if this is what you're looking for, but here goes.
    How Domain Controllers Are Located in Windows
    Windows XP => http://support.microsoft.com/?id=314861
    Windows 2000 => http://support.microsoft.com/?id=247811

    These articles describe the mechanism used by Windows to locate a domain
    controller in a Windows-based domain

    Regards
    Paul du Toit

    <x_coder@hotmail.com> wrote in message
    news:1121649174.007007.60830@g43g2000cwa.googlegroups.com...
    > What is the sequence of steps that happens when a computer (principal)
    > joins a domain?
    >
  2.

    "" wrote:
    > Hi
    >
    > Not too sure if this is what you're looking for, but here goes.
    > How Domain Controllers Are Located in Windows
    > Windows XP => http://support.microsoft.com/?id=314861
    > Windows 2000 => http://support.microsoft.com/?id=247811
    >
    > These articles describe the mechanism used by Windows to
    > locate a domain controller in a Windows-based domain
    >
    > Regards
    > Paul du Toit
    >
    > <x_coder@hotmail.com> wrote in message
    > news:1121649174.007007.60830@g43g2000cwa.googlegroups.com...
    > > What is the sequence of steps that happens when a computer (principal)
    > > joins a domain?
    > >

    Hi,

    Some additional info concerning permissions for joining computers to a
    domain that you might be interested in:

    #######################
    Using the Delegation of Control wizard you can delegate the creation
    of computer accounts to the domain. This does not mean the same
    user/group can also JOIN the computer to the domain. In the
    DELEGWIZ.INF file (%WINDIR%\INF) look at template 6.
    By default the "AppliesToClasses" is set to "domainDNS" (case
    sensitive and without quotes). With this you can only delegate computer
    account creation at domain level. Change that to
    "domainDNS,organizationalUnit,container" (case sensitive and without
    quotes) and you will be able to delegate at OU level.

    If you delegate the creation of computer accounts to a group (e.g.
    GROUP-CREATE-COMPOBJ), the member of that group that creates the
    computer becomes the owner of the computer account and automatically
    receives the right to join a computer with that name to the domain.
    The other members of that group will not be able to join the computer
    to the domain. In this case only the user that created the computer
    account will be able to join the computer. Let's say you have another
    group called GROUP-JOIN-COMP that is allowed to join (not create
    computer accounts) to the domain; the user who creates the computer
    account has the possibility to designate which user or group gets the
    rights to join the computer to the domain with the option "The
    following group or user can join this computer to a domain" (this
    is by default the Domain Admins group). The group mentioned in that option
    will be able to join the computer to the domain. In my opinion that is
    a lot of work just to create a computer account and join it.

    It is however possible to pre-configure the option called "The
    following group or user can join this computer to a domain" (this is
    by default the Domain Admins group).

    Add to the DELEGWIZ.INF file (%WINDIR%\INF) a NEW template you can use
    to delegate the task of JOINING COMPUTERS TO THE DOMAIN (not the
    creation of computer accounts). The minimum rights are mentioned below!

    REPLACE THE X with a NUMBER!

    ;----------------------------------------------------------
    [templateX]
    AppliesToClasses = domainDNS,organizationalUnit,container

    Description = "Join a computer to the domain in an OU (computer account pre-created)"

    ObjectTypes = computer

    ;Section name must use the same template number as [templateX] above
    [templateX.computer]
    ;Right to join computers to domain
    CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name","Account Restrictions"
    ;----------------------------------------------------------

    This way you can delegate the creation of computer accounts to group1
    and the joining of the computers to group2.

    It is, however, also possible that you have a group of people who create
    computer accounts and also join them. To enable everyone in that
    group to create computer accounts and join the computers to the
    domain, independent of who created the computer accounts, replace TEMPLATE
    6 with what is mentioned below or perform the delegation twice with the
    additional task created above!

    If you want to join a computer to the
    domain in a specific OU and the computer account has not been
    pre-created, you cannot use the GUI at the computer. For this you must
    use the tool NETDOM so you can specify the OU the computer account
    must reside in! The latter is only possible when you have at least
    the right to create a computer object in the designated OU.
    Joining will also be possible because you automatically become the
    owner of the computer account!

    ;----------------------------------------------------------
    [template6]
    AppliesToClasses = domainDNS,organizationalUnit,container

    Description = "Add and/or join a computer to the domain in an OU (computer)"

    ObjectTypes = SCOPE, computer

    [template6.SCOPE]
    ;Right to create computer objects
    computer=CC

    [template6.computer]
    ;Right to join computers to domain
    CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name","Account Restrictions"
    ;----------------------------------------------------------

    #######################

    --
    Posted using the http://www.windowsforumz.com interface, at author's request
    Articles individually checked for conformance to usenet standards
    Topic URL: http://www.windowsforumz.com/Active-Directory-computer-joins-domain-ftopict397219.html
    Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1312922
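
An audit of the delegation described in the second answer, as an added example that is not part of the original thread: it lists which trustees hold, on one OU, the create-computer right and the four join rights named in the template. The OU distinguished name is a placeholder, the script assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the GUIDs are the standard Active Directory identifiers for the computer class and these rights.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT).
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

$OuDn = 'OU=Workstations,DC=example,DC=com'   # placeholder OU, replace with your own

# schemaIDGUID of the computer class
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Rights listed under CONTROLRIGHT in the template, keyed by their rightsGuid
$JoinRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    '72e39547-7b18-11d1-adef-00c04fd8d5cd' = 'Validated write to DNS host name'
    'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'Validated write to service principal name'
    '4c164200-20c0-11d0-a768-00aa006e0529' = 'Account Restrictions'
}

$CreateChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$acl = Get-Acl -Path "AD:\$OuDn"

$report = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $objType = $ace.ObjectType.ToString()

    if ($ace.ActiveDirectoryRights.HasFlag($CreateChild) -and $ace.ObjectType -eq $ComputerClass) {
        $right = 'Create computer objects'          # matches computer=CC
    }
    elseif ($ace.InheritedObjectType -eq $ComputerClass -and $JoinRights.ContainsKey($objType)) {
        $right = $JoinRights[$objType]              # one of the four join rights
    }
    else { continue }                               # ACE unrelated to this delegation

    [pscustomobject]@{
        Trustee   = $ace.IdentityReference.Value
        Right     = $right
        Inherited = $ace.IsInherited
    }
}

$report | Sort-Object Trustee, Right | Format-Table -AutoSize
```

ACEs that grant these rights implicitly, such as Full Control over all object types, are not matched by this filter and need a separate review.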