
Windows 7 domain connection. Create and administer a computer object in Active Directory

Offline domain entry

Offline domain join is an interesting feature introduced in Windows 7 and Windows Server 2008 R2. It allows you to join computers to an Active Directory domain offline, without the joining computer having to contact a domain controller.

To use offline domain join there is no need to raise the functional level of the domain or forest, and you can even do without a Windows Server 2008 R2 domain controller. Offline domain join requires only the djoin.exe utility, which ships with Windows 7 and Server 2008 R2. In other words, one computer running Windows 7/2008 R2 that is a member of the target domain is enough.

Offline domain join is performed in several stages. The first step is to create a file with the account information for the computer being joined. To do this, on any Windows Server 2008 R2 server (or Windows 7 workstation) in the target domain, run djoin /provision from a command prompt; it creates the computer account in the domain. The command takes the following options:

  • /domain - name of the target domain;
  • /machine - name of the machine being joined to the domain;
  • /machineou - the organizational unit in which the machine account should be placed. If not specified, the machine is placed in the default Computers container;
  • /dcname - the name of the specific domain controller that will create the computer account. If not specified, a controller is selected automatically;
  • /savefile - the file in which the data for the joined computer is saved;
  • /reuse - reuse an existing computer account;
  • /downlevel - support for a domain controller older than Windows Server 2008 R2.

For example, let's create a machine named WKS1 in the Contoso.com domain, place it in the Offline_Join OU, and save the data to the wks1.txt file:

djoin /provision /domain Contoso.com /machine WKS1 /machineOU "OU=Offline_Join,DC=Contoso,DC=com" /savefile c:\test\wks1.txt

The next step is to deliver the resulting file to the computer that is to be joined offline. You can do this in any available way, for example by e-mail or via FTP. Keep in mind that the binary file contains the computer account password and other domain information, including the domain name, domain controller name, domain SID and so on, so the transfer must be done in a secure manner.

The final step of the offline domain join is to load the computer account metadata from the file into the Windows directory on the target computer. To do this, log on to that computer and, at an elevated command prompt, run djoin /requestODJ, which schedules the offline domain join for the next boot. The command uses the following options:

  • /loadfile - loads the computer account metadata into the Windows directory;
  • /localos - indicates that the locally installed operating system is the target (not an image file);
  • /windowspath - path to the Windows folder. When using /localos, set it to the environment variable %systemroot% or %windir%.

Note. The djoin utility can work with both physical and virtual machines. When working with virtual machines, the key /windowspath indicates the location of the VHD file with the installed system.

Let's add our workstation WKS1 to the domain with the command:

djoin /requestODJ /loadfile c:\test\wks1.txt /windowspath %systemroot% /localos

Now all that remains is to reboot the machine; if a domain controller is reachable, you will be able to log on to the domain.

In conclusion, the article describes only one of several ways to use djoin.exe. If you are interested in this topic, more information can be found here.

The procedure for adding a computer located outside the perimeter of your corporate network is not complex and consists of two steps: one performed on any server in your organization's domain and one on the client.

1. Create an answer file for the offline domain join of the PC

Connect to the server console over Remote Desktop Protocol and open either a command prompt or a PowerShell console, whichever you prefer. This example uses the command prompt, started with administrator rights: right-click Command Prompt and select Run as administrator.

Using the command line interface, enter the following command:

Djoin.exe /provision /domain EXAMPLE.COM /machine COMPUTER_NAME /rootcacerts /machineou "ou=desktops,dc=EXAMPLE,dc=COM" /policynames "DirectAccess client settings" /savefile C:\FILE_NAME.txt

Help for the Djoin.exe utility:

/PROVISION - provisions a computer account in the domain.
/DOMAIN <name> - <name> of the domain to join.
/MACHINE <name> - <name> of the computer that is joined to the domain.
/MACHINEOU - an optional parameter that defines the organizational unit in which the account is created.
/DCNAME - an optional parameter that specifies the target domain controller on which the account will be created.
/REUSE - reuse an existing account (the password will be reset).
/SAVEFILE <file_path> - save the provisioning data to a file at the specified path.
/NOSEARCH - skip account conflict detection; requires /DCNAME (faster).
/DOWNLEVEL - support a Windows Server 2008 or earlier domain controller.
/PRINTBLOB - return the base64-encoded metadata blob for the answer file.
/DEFPWD - use the default computer account password (not recommended).
/ROOTCACERTS - optional parameter, include root certification authority certificates.
/CERTTEMPLATE <name> - optional parameter, <name> of the computer certificate template. Includes root certification authority certificates.
/POLICYNAMES <names> - optional parameter, a semicolon-separated list of policy names. Each name is the display name of a GPO in AD.
/POLICYPATHS <paths> - optional parameter, a semicolon-separated list of policy paths. Each path points to the location of a registry policy file.
/NETBIOS <name> - optional parameter, the NetBIOS name of the computer being joined to the domain.
/PSITE <name> - optional parameter, <name> of the persistent site in which to place the domain-joined computer.
/DSITE <name> - optional parameter, <name> of the dynamic site that initially hosts the domain-joined computer.
/PRIMARYDNS <name> - optional parameter, the primary DNS domain of the computer being joined to the domain.
/REQUESTODJ - request an offline domain join on the next boot.
/LOADFILE <file_path> - <file_path> specified earlier with the /SAVEFILE option.
/WINDOWSPATH <path> - <path> to the offline Windows directory.
/LOCALOS - allows /WINDOWSPATH to refer to the locally running operating system.
This command must be run by a local administrator.
You will need to restart the computer to apply the changes.

As a result of running the command with the above parameters, we get an answer file that already contains the certificates needed for DirectAccess, the DirectAccess policy list and the required DNS namespace.

2. Joining the computer to the domain via DirectAccess

Deliver the resulting text file to the user's workstation and run from the command line:

djoin /requestODJ /loadfile C:\FILE_NAME.txt /windowspath %SystemRoot% /localos

This completes the procedure for remotely adding a computer to the domain. At the logon prompt, enter the domain user name and password.

You will need

  • administrator rights;
  • a local network with a Windows domain;
  • a user account in the domain;
  • the domain name.

Instruction

You can join a computer to a Windows domain on the Computer Name tab of the System Properties window. To open System Properties in Windows XP, open the Control Panel from the Start menu and click System. If your computer is running Windows 7 or Vista, open the Control Panel, go to the "System and Security" category and click "System". On the page that opens, click the "Advanced system settings" link in the left column.

In the System Properties window that opens, select the Computer Name tab. Click the "Change" button and, in the window that opens, enter the name of the domain you want to join. Next, click OK. In the window that appears, enter the domain user name and password. Then click OK and restart your computer. Your computer is now a member of the domain.

Besides the GUI, you can join a computer to a domain from the command line. Windows XP includes the NETDOM utility, which can add a computer to a domain with the command:

netdom join computer_name /domain:domain_name /userd:domain_name\user_name /passwordd:user_pass

Here computer_name, domain_name and user_name should be replaced with the names of the computer being added, the domain and the user respectively, and user_pass with the user's domain password. In Windows 7, the NETDOM utility was replaced by the PowerShell cmdlet Add-Computer. To join a computer to a domain from the console in Windows 7, run:

Add-Computer -DomainName domain_name -Credential domain_name\user_name

Here, too, domain_name and user_name are replaced with the domain and user names.

note

A Windows domain is not intended for home use; it is convenient in corporate networks with a large number of users who have different levels of access to files and devices. Therefore, operating system editions intended for home use, that is, below Professional, do not have domain join tools. To add such computers, first reinstall the system.

Useful advice

There is a faster way to open the "System Properties" window. In Windows XP, right-click the "My Computer" icon and choose "Properties" from the menu. In Windows 7 or Vista, right-click the "Computer" icon, select "Properties" and click "Advanced system settings".

When joining a computer to a domain, on the same "Computer Name" tab, you can specify a description of your computer, which will be a hint for domain users.


The admin panel exists so that the webmaster can add, edit and delete the content of the site through it. To log in to it you need to know your user name and password.

Instruction

To open the site under development in a browser, type localhost/ followed by the site name into the address bar. If you have already created the working part of the resource, it should appear. To enter the administrative panel, click in the address bar and append admin, then press Enter. You should end up with an address like localhost/site/admin/.

Now the admin panel is in front of you. Enter the user name (Username) in one text field and the password in the other. By default, the administrator name is admin. If you want to change it, go to the panel settings and change your login. The password was issued to you by the hosting provider; you can also change it in the general settings. To do this, go to the "User Management" section, click the "Administrator" item, enter a new password and confirm it.

After you have entered the login and password for the administrative panel, click "Login". You will see the administrative panel in which you can manage the site: change, add or delete data. When logging in to the admin panel you can check the box next to "Remember me", so that you do not have to enter the password each time you log in to the control panel.

There is a second way: log in to the admin panel through the site itself. To do this, enter your website address (domain) in the address bar and press Enter. Click "Authorization" or "Login". Enter your user name and password and press Enter. If you entered the data correctly, the system will open the administrative panel.

The third way: enter the domain in the address bar and the site will open. At the top there should be some control panel functions, including a link labelled "Administrator Panel". Click it and, if required, enter your registration data.


The "Guest" account allows you to restrict access to files and applications on your computer when it is used by a large number of people. A user logged in as Guest will be able to view public and private documents and browse the Internet, but will not be able to install programs or see other users' personal files.

Instruction

To determine whether your computer belongs to a domain or a workgroup, right-click the "My Computer" icon and choose "Properties". In the window that opens, the section "Computer name, domain name and workgroup settings" will show either "Domain" or "Workgroup" followed by a name, for example "Workgroup".

If your computer is part of a domain: open "User Accounts" via "Start" -> "Control Panel". In the window that opens, select "User Accounts" and then "User Accounts" again. Select "User Account Control". If an administrator password is set, the system will ask you to enter or confirm it. After confirming the password, in the window that opens go to the "Advanced" tab, click the "Advanced" button and select "Guest". In the Guest account properties dialog, uncheck "Account is disabled" and click OK. The "Guest" account is now enabled.

If your computer is in a workgroup: go to "Start" -> "Control Panel" -> "User Accounts and Family Safety" -> "User Accounts". In the window that opens, select "Manage another account". Click once on the icon labelled "Guest". In the next window the system asks whether to enable the "Guest" account; click the "Enable" button.

After the "Guest" account is enabled, the account selection screen is displayed at logon, and you can choose the account by clicking it. If you are the primary user of the computer, be sure to set an administrator password so that other users cannot see and modify your documents or install and remove programs.

note

Guest accounts are not supported on Windows 7 Starter.

When accessing the disks, folders or optical drive of another computer on a local network, the system uses addresses for these devices and objects that include the network name of the remote computer. The same applies to a printer, flash drive or other peripherals connected to someone else's computer. You can change this network name in the operating system settings.

Instruction

The window with the settings for the computer's network name is opened through one of the Windows Control Panel applets. A link to this panel is in the main menu of the operating system: click the "Start" button and select "Control Panel" in the right column. In the window that opens, click "System and Security" and then "System". The desired applet appears on the screen. All of these actions can be replaced by pressing the "hot key" pair Win + Pause.

The applet has a separate section titled "Computer Name, Domain Name, and Workgroup Settings" with a "Change Settings" link at the right edge. Click it to open a window for changing system properties. Access to them requires administrator rights; if you are not logged in as an administrator, a dialog box asks you for a password.

On the "Computer Name" tab of the system properties window, click the "Change" button, after which a window finally appears with the "Computer Name" field whose value you need to change. Enter a new network name following the standard rules for Internet names: only letters of the Latin alphabet, digits and a few characters are allowed, special characters are not. Forbidden characters include, for example, ; : " * + \ | , ? = and similar. Microsoft recommends short, descriptive names no longer than 15 characters. In addition, a name must not consist only of digits and cannot contain spaces.

Then click OK and close the Control Panel. If the computer is part of a domain, the system will also ask for the password of a user who has the right to rename computers in the domain. If no domain is used, note that other computers on the local network will keep looking for this computer's resources (for example a network drive) at the old address, so you will need to change the name in the address of the network resource manually, or disconnect and reconnect it.

note

This article discusses how to change the computer name in Windows 7. It is done quite simply, in just a few steps. The computer name is used to identify the computer on the network and is set during system installation. You can find this name in the properties of Computer (in the Start menu). To change the computer name, follow the steps

Useful advice

Changing the computer name. Each computer on the network must have its own unique name so that computers can identify each other unambiguously and communicate. Most computers have default names, but these can usually be changed. It is advisable to give computers short (no more than fifteen characters) and understandable names, and to use only standard Internet characters in them.

It is often necessary to join a Linux machine to an existing Windows domain, for example to build a file server with Samba. This is easy to do: you need a Kerberos client, Samba and Winbind.

Before installation, it is desirable to update:

sudo aptitude update
sudo aptitude upgrade

You can install all this stuff with the command:

sudo aptitude install krb5-user samba winbind

You may also need to install the following libraries:

sudo aptitude install libpam-krb5 libpam-winbind libnss-winbind

Or if you are using Ubuntu Desktop, the same packages can be installed through the Synaptic package manager.

Next, you need to configure all of the above tools to work with your domain. Let's say you want to join the domain DOMAIN.COM, whose domain controller is the server dc.domain.com with IP address 192.168.0.1. This server is also the primary DNS server of the domain. In addition, let's say you have a second domain controller, also a DNS server: dc2.domain.com with IP 192.168.0.2. Your computer will be called smbsrv01.

DNS setup

First you need to change the DNS settings on your machine by setting the domain controller as the DNS server and the desired domain as the search domain.

If you have a static IP address, then in Ubuntu Desktop this can be done through Network Manager; in Ubuntu Server you need to change the contents of the /etc/resolv.conf file to something like this:

domain domain.com
search domain.com
nameserver 192.168.0.1
nameserver 192.168.0.2

In modern distributions the resolv.conf file is generated automatically and should not be edited by hand. To get the desired result, add the required lines to the file /etc/resolvconf/resolv.conf.d/head; its contents are automatically inserted into /etc/resolv.conf.

If the IP address is dynamic and assigned by a DHCP server, then after a network restart an "incorrect" resolv.conf may be generated, for example one containing only nameserver 192.168.0.1 and no domain or search lines. In that case edit /etc/dhcp/dhclient.conf. For the domain and search entries to appear, uncomment the supersede domain-name line and enter your domain:

supersede domain-name "domain.com";

To add another nameserver, uncomment the prepend domain-name-servers line and specify the server IP:

prepend domain-name-servers 192.168.0.2;

To apply the changes, it remains to restart the service:

/etc/init.d/networking restart

Now make sure you have set the correct hostname in /etc/hostname:

smbsrv01

In addition, edit the /etc/hosts file so that it contains an entry with the fully qualified domain name of the computer and, necessarily, the short host name, pointing at one of the internal IP addresses:

# Names of this computer
127.0.0.1 localhost
127.0.1.1 smbsrv01.domain.com smbsrv01

Check right away that the domain controller responds to ping by both its short and its full name, so that later you don't get errors saying the domain controller was not found:

ping dc
ping dc.domain.com

Not required, but if you changed something, restart the computer to apply the changes.

Time Synchronization Setting

Next, configure time synchronization with the domain controller. If the clocks differ by more than 5 minutes, Kerberos will not issue a ticket. For one-time synchronization you can use the command:

sudo net time set dc

If there is an exact time server on the network, then you can use it or any public one:

ntpdate ntp.mobatime.ru

Automatic synchronization is configured using ntpd , this daemon will periodically perform synchronization. To get started, you need to install it:

sudo aptitude install ntp

Now edit the /etc/ntp.conf file to include information about your time server:

# You do need to talk to an NTP server or two (or three).
server dc.domain.com

Then restart the ntpd daemon:

sudo /etc/init.d/ntp restart

Now it's time to set up direct interaction with the domain.

Setting up authorization through Kerberos

The Kerberos client is configured in /etc/krb5.conf. For our example domain the file looks like this:

[libdefaults]
    default_realm = DOMAIN.COM
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    DOMAIN.COM = {
        kdc = dc
        kdc = dc2
        admin_server = dc
        default_domain = DOMAIN.COM
    }

[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM

[login]
    krb4_convert = false
    krb4_get_tickets = false

You of course need to change domain.com to your domain and dc and dc2 to your domain controllers. You may need to write the full domain controller names, dc.domain.com and dc2.domain.com; since I have a DNS search domain configured, I don't need to.

Pay special attention to the case of the domain name: wherever the domain is written in upper case in the example, it must be written in upper case in your configuration. Otherwise, mysteriously, nothing works.

These are not all possible Kerberos configuration options, only the main ones. However, they are usually sufficient.
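As an added example (not part of the original article), the following script checks the three things the preceding sections say will break the join: the /etc/hosts entry for the FQDN, the 5-minute Kerberos clock tolerance, and an upper-case realm in krb5.conf. The check functions take their input as arguments so they can be run against any file contents; the --live mode and the default domain controller name "dc" are assumptions.

```shell
#!/usr/bin/env bash
# Pre-join sanity checks for a Samba/Winbind AD member (added example, not
# from the article). Each check is a function over its inputs; "--live" runs
# them against this machine.
set -u

# hosts_has_fqdn <hosts_text> <short> <domain>
# True if a 127.0.1.1 line lists "<short>.<domain>" followed by "<short>".
hosts_has_fqdn() {
    local short=$2 domain=$3 ip name1 name2 rest
    while read -r ip name1 name2 rest; do
        case "$ip" in ''|'#'*) continue ;; esac      # skip blanks and comments
        [ "$ip" = 127.0.1.1 ] || continue
        [ "$name1" = "$short.$domain" ] && [ "$name2" = "$short" ] && return 0
    done <<EOF
$1
EOF
    return 1
}

# clock_skew_ok <local_epoch> <dc_epoch>: true if |difference| <= 300 seconds,
# the skew Kerberos tolerates by default.
clock_skew_ok() {
    local diff=$(( $1 - $2 ))
    [ "${diff#-}" -le 300 ]
}

# krb5_realm_ok <krb5_conf_text> <expected_realm>
# True if default_realm equals <expected_realm>, that name is upper case, and
# the same upper-case name heads a "{ ... }" block (the [realms] entry).
krb5_realm_ok() {
    local conf=$1 expected=$2 realm upper
    realm=$(printf '%s\n' "$conf" \
        | sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' \
        | head -n 1 | tr -d '[:space:]')
    upper=$(printf '%s' "$expected" | tr '[:lower:]' '[:upper:]')
    [ -n "$realm" ] || return 1
    [ "$realm" = "$expected" ] && [ "$expected" = "$upper" ] || return 1
    printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*${expected}[[:space:]]*=[[:space:]]*\{"
}

# Live run against this host. Assumes hostname(1) knows the FQDN and that
# Samba's "net time -S <dc>" prints a date that GNU date can parse.
preflight_live() {
    local dc=$1 short domain dc_epoch
    short=$(hostname -s); domain=$(hostname -d)
    if hosts_has_fqdn "$(cat /etc/hosts)" "$short" "$domain"; then
        echo "hosts: ok"
    else
        echo "hosts: missing line '127.0.1.1 $short.$domain $short'"
    fi
    if getent hosts "$dc" >/dev/null; then
        echo "dns: $dc resolves"
    else
        echo "dns: $dc does not resolve (check resolv.conf / search domain)"
    fi
    dc_epoch=$(date -d "$(net time -S "$dc" 2>/dev/null)" +%s 2>/dev/null) || dc_epoch=""
    if [ -n "$dc_epoch" ] && clock_skew_ok "$(date +%s)" "$dc_epoch"; then
        echo "time: skew within 5 minutes"
    else
        echo "time: could not confirm skew <= 5 minutes (run ntpdate / net time set)"
    fi
    if krb5_realm_ok "$(cat /etc/krb5.conf)" "$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')"; then
        echo "krb5: realm ok"
    else
        echo "krb5: default_realm missing, not upper case, or no matching [realms] block"
    fi
}

if [ "${1:-}" = "--live" ]; then
    preflight_live "${2:-dc}"
fi
```

Run it as `./preflight.sh --live dc` before kinit; every "missing" or "could not confirm" line maps to one of the sections above.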

Now it's time to check that we can log in to the domain. To do this, run the command

kinit username@DOMAIN.COM

Instead of username, it is natural to enter the name of an existing domain user.

The domain name must be written in capital letters!

If you don't get any errors, it means you configured everything correctly and the domain gives you a Kerberos ticket. By the way, some common mistakes are listed below.

To make sure that the ticket has been received, you can run the command

klist

You can delete all tickets (you generally don't need them) with the command

kdestroy

Common kinit errors

kinit(v5): Clock skew too great while getting initial credentials

This means that your computer's time is not synchronized with the domain controller (see above).

kinit(v5): Preauthentication failed while getting initial credentials

You entered the wrong password.

kinit(v5): KDC reply did not match expectations while getting initial credentials

The strangest error of all. Make sure the realm name in krb5.conf and the domain in the kinit command are in upper case:

[realms]
    DOMAIN.COM = {
        # ...
    }

kinit username@DOMAIN.COM

kinit(v5): Client not found in Kerberos database while getting initial credentials

The specified user does not exist in the domain.

Samba setup and domain login

In order to join the domain, you need to write the correct settings in the /etc/samba/smb.conf file. At this stage only some of the options in the [global] section matter. Below is an example of that part of the Samba configuration with comments on the meaning of the important parameters:

# These two options must be written exactly in upper case; workgroup is the realm without
# the last part after the dot, and realm is the fully qualified domain name
   workgroup = DOMAIN
   realm = DOMAIN.COM

# These two options are responsible for authorization via AD
   security = ADS
   encrypt passwords = true

# Just important
   dns proxy = no
   socket options = TCP_NODELAY

# If you don't want Samba to try to become the master browser of the domain or workgroup,
# or even a domain controller, always write these five options in this form
   domain master = no
   local master = no
   preferred master = no
   os level = 0
   domain logons = no

# Disable printer support
   load printers = no
   show add printer wizard = no
   printcap name = /dev/null
   disable spoolss = yes
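As an added example (not part of the original article), this script complements testparm by checking the member-server settings the comments above call out: an upper-case realm, a workgroup that is the first label of the realm, security = ADS, and the five options that keep the host from competing for master browser or domain controller roles. The smb.conf text is passed in as a string; the --check mode and the default path are assumptions.

```shell
#!/usr/bin/env bash
# Lint the [global] section of an AD member server's smb.conf (added example,
# not from the article). Prints one "FAIL: ..." line per problem and returns
# the number of problems as exit status (0 = clean).
set -u

# smb_get <conf_text> <key>: value of the first "key = value" line.
# Samba ignores case and whitespace in option names, so both are normalised.
smb_get() {
    local key
    key=$(printf '%s' "$2" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$1" | awk -F= -v want="$key" '
        /^[[:space:]]*[#;]/ { next }                 # comment lines
        NF >= 2 {
            k = $1; gsub(/[[:space:]]/, "", k); k = tolower(k)
            if (k == want) {
                v = substr($0, index($0, "=") + 1)   # keep "=" inside values
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }'
}

# smb_member_lint <conf_text>
smb_member_lint() {
    local conf=$1 fails=0 realm workgroup sec pair key val
    realm=$(smb_get "$conf" realm)
    workgroup=$(smb_get "$conf" workgroup)
    sec=$(smb_get "$conf" security | tr '[:lower:]' '[:upper:]')

    # realm: the fully qualified domain name, upper case (Kerberos is case sensitive)
    if [ -z "$realm" ] || [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "FAIL: realm must be set and written in upper case (got '$realm')"; fails=$((fails + 1))
    fi
    # workgroup: the realm without everything after the first dot
    if [ -z "$workgroup" ] || [ "$workgroup" != "${realm%%.*}" ]; then
        echo "FAIL: workgroup must be the first label of the realm (got '$workgroup')"; fails=$((fails + 1))
    fi
    # only security = ADS makes Samba authenticate against Active Directory
    if [ "$sec" != ADS ]; then
        echo "FAIL: security must be ADS for an AD member (got '$sec')"; fails=$((fails + 1))
    fi
    # the "five options": a member server should never try to become master
    # browser or a domain controller
    for pair in "domain master=no" "local master=no" "preferred master=no" \
                "os level=0" "domain logons=no"; do
        key=${pair%%=*}
        val=$(smb_get "$conf" "$key" | tr '[:upper:]' '[:lower:]')
        if [ "$val" != "${pair#*=}" ]; then
            echo "FAIL: '$key' should be '${pair#*=}' (got '$val')"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

if [ "${1:-}" = "--check" ]; then
    smb_member_lint "$(cat "${2:-/etc/samba/smb.conf}")"
fi
```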

After you edit smb.conf run the command

testparm

It will check your configuration for errors and give you a summary of it:

# testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

As you can see, we have set the correct parameters for our computer to become a member of the domain. Now it's time to try to log into the domain directly. To do this, enter the command:

net ads join -U username -D DOMAIN

And if successful, you will see something similar to:

# net ads join -U username -D DOMAIN
Enter username's password:
Using short domain name -- DOMAIN
Joined 'SMBSRV01' to realm 'domain.com'

Options of the net command:

-U username%password: required parameter; in place of username put a user with domain administrator rights, optionally followed by %password.

-D DOMAIN: DOMAIN is the domain itself. It may be omitted, but it is better to always specify it; it won't hurt.

-S win_domain_controller: win_domain_controller can be omitted, but there are cases when the server does not find the domain controller automatically.

createcomputer="OU/OU/...": organizational units (OUs) are often used in AD. If, for example, there is OU=Office in the root of the domain and OU=Cabinet inside it, you can add the computer directly to the right one by specifying: sudo net ads join -U username createcomputer="Office/Cabinet".

If there are no more messages, then everything is fine. Try pinging your computer by name from another domain member to make sure that everything is registered in the domain as it should.

You can also type the command:

net ads testjoin

If all is well, you can see:

# net ads testjoin
Join is OK

But sometimes after the message about joining the domain, an error like this is given:

DNS update failed!

This is not good, and in this case it is recommended to reread the DNS configuration section above and work out what went wrong. After that, remove the computer from the domain and try to join it again. If you are sure that everything is set up correctly but DNS is still not updated, you can create the record for your computer manually on your DNS server and everything will work, provided there are no other errors and the join itself succeeded. Still, it is better to find out why DNS is not updated automatically; this may be caused not only by your computer but also by incorrect AD settings.

Before you figure out why DNS is not updating, do not forget to restart your computer after entering the domain! It is possible that this will solve the problem.

If everything went without errors, then congratulations, you have successfully entered the domain! You can look into AD and see for yourself. Also, it's good to check that you can see the resources in the domain. To do this, install smbclient:

sudo aptitude install smbclient

You can now view domain computer resources. But for this you need to have a kerberos ticket, i.e. if we deleted them, then we get it again through kinit (see above). Let's see what resources are provided to the network by the workstation computer:

smbclient -k -L workstation

You should see a list of shares on this computer.

Configuring Winbind

If you need to work with domain users, for example to configure SMB shares with access control, then in addition to Samba itself you will also need Winbind, a special daemon that connects the local Linux user and group management system with the Active Directory server. Simply put, Winbind is needed if you want to see domain users on your Ubuntu machine.

Winbind allows you to map all users and all AD groups to your Linux system, assigning them an ID from the specified range. Thus, you can assign domain users as owners of folders and files on your computer and perform any other operations related to users and groups.

Winbind is configured in the same /etc/samba/smb.conf file. Add the following lines to the [global] section:

# Options for mapping domain users to virtual users in the system via Winbind.

# ID ranges for virtual users and groups.
   idmap uid = 10000 - 40000
   idmap gid = 10000 - 40000

# These options should not be disabled.
   winbind enum groups = yes
   winbind enum users = yes

# Use the default domain for user names. Without this option, user and group names
# are qualified with the domain, i.e. DOMAIN\username instead of username.
# That may be exactly what you want, but usually it is easier to turn this option on.
   winbind use default domain = yes

# If you want to allow domain users to use the command line, add the next line;
# otherwise /bin/false is used as their shell
   template shell = /bin/bash

# For automatic renewal of the Kerberos ticket by the pam_winbind.so module, add the line
   winbind refresh tickets = yes

Options:

idmap uid = 10000 - 40000

idmap gid = 10000 - 40000

are deprecated in newer versions of Samba, and checking the Samba config with testparm will issue warnings:

WARNING: The "idmap uid" option is deprecated

WARNING: The "idmap gid" option is deprecated

To remove warnings, you need to replace these lines with new ones:

idmap config * : range = 10000-20000

idmap config * : backend = tdb

Now restart the Winbind and Samba daemon in the following order:

sudo /etc/init.d/winbind stop
sudo /etc/init.d/samba restart
sudo /etc/init.d/winbind start

Then run

sudo testparm

and check for errors or warnings. If the following appears:

"rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)"

You can fix it without a reboot like this:

ulimit -n 16384

To make the change persist across reboots, edit the file /etc/security/limits.conf:

# Add lines to the end of the file:
* - nofile 16384
root - nofile 16384

After restarting, check that Winbind has established a trust relationship with AD with the command:

# wbinfo -t
checking the trust secret for domain DCN via RPC calls succeeded

And also that Winbind sees the users and groups from AD, with the commands:

wbinfo -u
wbinfo -g

These two commands should return a list of users and groups from the domain, respectively. Either with or without the DOMAIN\ prefix, depending on what value you specified for the "winbind use default domain" option in smb.conf .

So, Winbind works, but it is not yet integrated into the system.

Adding Winbind as Users and Groups Source

In order for your Ubuntu to deal transparently with domain users, in particular so that you can assign domain users ownership of folders and files, you need to tell Ubuntu to use Winbind as an additional source of information about users and groups.

To do this, change two lines in the /etc/nsswitch.conf file:

passwd: compat
group: compat

adding winbind to the end:

passwd: compat winbind
group: compat winbind

files: dns mdns4_minimal mdns4

On Ubuntu Server 14.04, the /etc/nsswitch.conf file did not contain the line "files: dns mdns4_minimal mdns4"; instead it had "hosts: files mdns4_minimal dns wins", which I changed to "hosts: dns mdns4_minimal mdns4 files", after which everything worked.

Now check that Ubuntu is asking Winbind for user and group information by running

getent passwd
getent group

The first command should return the entire contents of your /etc/passwd file, i.e. your local users, plus domain users with IDs from the range you specified in smb.conf. The second should do the same for groups.

Now you can take any domain user and make them, for example, the owner of some file.

Authorization in Ubuntu through domain users

Despite the fact that all domain users have actually become full-fledged users of the system (which can be verified by running the last two commands from the previous section), none of them can still log into the system. To enable authorization of domain users on an Ubuntu machine, PAM must be configured to work with Winbind.

Online authorization

For Ubuntu 10.04 and above, just add one line to /etc/pam.d/common-session, since PAM already handles the rest of the authorization well enough:

session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077

For Ubuntu 13.10, in order for the manual login field to appear on the login screen, you need to add the line below to any file in the /etc/lightdm/lightdm.conf/ folder:

greeter-show-manual-login=true

For Ubuntu 9.10 and below you will have to edit several files (nothing forbids using this method on 10.04 as well; it also works there):

The sequence of lines in files matters!

/etc/pam.d/common-auth

auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok try_first_pass
auth sufficient pam_winbind.so use_first_pass krb5_auth krb5_ccache_type=FILE
auth required pam_deny.so

/etc/pam.d/common-account

account sufficient pam_winbind.so
account required pam_unix.so

/etc/pam.d/common-session

session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
session optional pam_ck_connector.so nox11
session required pam_limits.so
session required pam_env.so
session required pam_unix.so

/etc/pam.d/common-password

password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_winbind.so
password required pam_deny.so

And finally, you need to move the start of Winbind at system boot to after all other services (by default it starts with index 20). To do this, run the following command in the terminal:

sudo bash -c "for i in 2 3 4 5; do mv /etc/rc$i.d/S20winbind /etc/rc$i.d/S99winbind; done"

This is equivalent to running, for each runlevel (4 in the example), the command:

mv /etc/rc4.d/S20winbind /etc/rc4.d/S99winbind

In some cases winbind may have a different start index (for example S02winbind). Therefore, first check the file names with the command "ls /etc/rc{2,3,4,5}.d/ | grep winbind" (without quotes).

Done, all settings are complete. Reboot and try to login with a domain user account.

Off-line authorization

A situation often arises where the domain controller is unavailable for various reasons: maintenance, a power outage, or you took a laptop home and want to work. In this case Winbind can be configured to cache domain user accounts. To do this, add the following lines to the [global] section of /etc/samba/smb.conf:

# Allow offline authorization when the domain controller is unavailable
winbind offline logon = yes
# Account caching period, default is 300 seconds
winbind cache time = 300
# Optional, but eliminates tedious pauses: name the domain controller dc
# (an IP address also works, but is bad manners)
password server = dc

Usually this is enough. If errors occur, you need to create the file /etc/security/pam_winbind.conf with the following content:

Attention! When using the tips below, a completely random "Authentication Failed" error may occur! Therefore, everything you do, you do at your own peril and risk!

#
# pam_winbind configuration file
#
# /etc/security/pam_winbind.conf
#

[global]

# turn on debugging
debug = no

# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes

# authenticate using kerberos
krb5_auth = yes

# when using kerberos, request a "FILE" krb5 credential cache type
# (leave empty to just do krb5 authentication but not have a ticket
# afterwards)
krb5_ccache_type = FILE

# make successful authentication dependent on membership of one SID
# (can also take a name)
;require_membership_of =

silent = yes

The /etc/pam.d/gnome-screensaver file then takes the form:

auth sufficient pam_unix.so nullok_secure
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

And the file /etc/pam.d/common-auth is also changed:

auth optional pam_group.so
auth sufficient pam_unix.so nullok_secure use_first_pass
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so

Hello, dear computer lovers and readers of the MyFirstComp.ru blog. Today we will consider a rather important topic that any system administrator has faced or will certainly face in the near future. The corporate LAN of a medium or large enterprise has a domain structure in 99% of cases. This is dictated first of all by the enterprise security policy: all computers on the network use the settings of the main computer, the domain (security can be provided by a firewall or Defender, which can be easily disabled).

Now let's look at an example of how to join a computer running Windows 7. In principle, adding computers with other versions of Windows to the domain is not much different; the main thing is to understand the essence.

First of all, plug the network cable into the computer =). Now you need to set up the network connection. Right-click the network icon in the tray and open the Network and Sharing Center.

In the window that appears, click Change adapter settings; all available network connections will be shown. Select Local Area Connection, right-click it and choose Properties.

In the window that opens, enter the IP address, subnet mask, gateway and DNS server. It should look something like this.

Click OK, thereby saving the changes. This completes the preparatory work. Now let's move on to adding a computer to the domain.

Click Start, right-click on Computer, select Properties. In the left part of the window we find the item Advanced system settings and click on it with the left mouse button. In the window that appears, open the Computer Name tab.

Click OK. You will be prompted for the username and password of an account that has the right to join computers to the domain, for example a domain administrator. After that, a reboot is required.

At the end of the reboot, your computer will be in the domain.

If the computer has dropped out of the domain

Yes, it happens. The computer may, for no apparent reason, stop seeing the domain, and domain logons will then fail.

In that case, join the computer to the domain again as shown above and reboot once more.


myfirstcomp.com

How to join a windows 7 PC to a domain

Putting a PC in a domain will allow you to enjoy domain goodies such as scalability, centralized management, group policies, security settings and more.

Before joining your Windows 7 machine to the domain, make sure that the following conditions are met:

You are using Windows 7 Professional, Ultimate or Enterprise; only these editions of Windows 7 can be joined to a domain. Windows 7 Home cannot, don't even try.

You have a network card (NIC); a wireless card will do.

You are physically connected to a local network from which the domain controller is reachable. Note that Windows 7 can also be joined to a domain without a network connection to it (this feature appeared with domains on Windows Server 2008 R2), but that is a topic for a separate article.

You have a correct IP address for the network you are connected to. It can be set manually or obtained from a DHCP server.

You "see" the domain controller over the network.

You have a correctly configured DNS server: without correct DNS settings your computer cannot be joined to a domain.

You have local administrator rights; an ordinary user will not be able to do this.

You must know the domain name, and have an active user/administrator account on the domain. By default, any domain user can add 10 machines to the domain. But this setting can be changed by the domain administrator.

There are 3 ways to join a Windows 7 machine to a domain: through the graphical interface (My Computer -> Properties -> Change Settings -> Computer Name tab), with the NETDOM command-line utility, or with the PowerShell command Add-Computer. I will not dwell on the first one; everyone knows it very well.

Using the NETDOM utility you can join a domain from the command line. But by default this utility does not work! How do you make netdom work in Windows 7?

Open a command prompt window with administrator rights and enter the following line:

netdom join %computername% /domain:winitpro.ru /userd:DOMAIN\administrator /passwordd:

Note: replace winitpro.ru with your domain name and enter the name and password of an account with the appropriate permissions. Also note the extra "d" in the /userd and /passwordd options; that is not a typo.

Restart your computer. That's it, now you are in the domain!

Also check out the articles on how to prevent leaving a domain and on the offline domain join feature in Windows Server 2008.

winitpro.ru

How to add a computer to a Windows domain

Good afternoon, dear readers of the pyatilistnik.org blog. Today I want to tell you how to add a computer to a Windows Server 2008 R2 domain. What a domain is can be read in the article Introduction to the basic concepts of Active Directory. There are several ways to add a computer to an Active Directory domain.

How to add a computer to a domain

So there are several ways to join a computer to a domain: one through the GUI and another for command-line lovers, and each has its own usage scenarios. Let me remind you that to add a computer to AD you need the credentials of a domain user or domain administrator. By default an ordinary user can add up to 10 computers to AD; if desired, this limit can be raised, or the necessary rights can be delegated to an account.

1. Via GUI

Go to the properties of My Computer: right-click it and select Properties from the context menu, or press Win + Pause Break, which also opens the System Properties window.


how to add computer to windows domain

Click Change settings


How to add a computer to a windows 2008 R2 domain

On the Computer Name tab, click the Change button


How to add a computer to a windows 2008 R2 domain

Set the computer name (a maximum of 16 characters); it is better to choose immediately a name that is clear to you and meets your standards.


How to add a computer to a windows 2008 R2 domain

Then enter the name of the domain and click OK.


specify the domain suffix

Enter the credentials of an account that has the right to join the server to the domain; by default each user can join up to 10 computers to the domain, unless of course you have prohibited this.


Entering credentials


successful addition to domain active directory

Do not forget that as soon as you have joined the server to AD, you also need to configure a static IP address immediately, and only then reboot.


After the reboot we see that everything is fine: we are members of the domain, and you have managed to join the PC to it.

2. Netdom utility

Open the command line (cmd). Earlier I described how to open the Windows command line. The convenience of this method is that it can be put into a script and handed, for example, to a remote user who does not know how to do it.

netdom join %computername% /domain:contoso.com /userd:contosoadmin1 /passwordd:*

Here %computername% expands to the local computer name and can be left as is; /domain is the domain; /userd is the login; /passwordd:* means that you will be prompted to enter the password.

I think it was not difficult, and you will choose the method that suits you. It is useful to know both, since it is more correct to run the server in Core mode for maximum security.

3. Through the Offline file and the djoin.exe utility

Imagine a situation where the computer you want to join to the Active Directory domain has no connection to a domain controller, but you need to join it anyway, say because the network engineer has not yet set up a VPN channel between the offices. For this Microsoft has Offline domain join, also commonly called autonomous domain join. Offline domain join appeared with Windows 7 and Windows Server 2008 R2. So what does adding a computer to an AD domain look like in this case?

Here, for clarity, there is a main office and a remote branch that need to be linked. Deploying a separate domain in the branch makes no sense, since only 3 employees work there, yet according to company standards they must be part of the Active Directory domain.

Stages of offline domain join
  • At the very beginning you need any computer that has a connection to a domain controller. On it, a special file called a blob (binary large object) is created by running djoin /provision on the command line; this command also creates the computer account in the Active Directory database.
  • The second stage is to transfer this file (by mail or over the Internet) to the client that needs to be joined to the domain and to run a command there that uses the received file.

Parameters of the djoin.exe utility

  • /PROVISION - provisions a computer account in the domain.
  • /DOMAIN - the domain to join.
  • /MACHINE - the computer to be joined to the domain.
  • /MACHINEOU - optional parameter, the organizational unit in which the account is created.
  • /DCNAME - optional parameter, the target domain controller on which the account will be created.
  • /REUSE - reuse an existing account (the password will be reset).
  • /SAVEFILE - save the provisioning data to a file at the specified path.
  • /NOSEARCH - skip detection of account conflicts; requires DCNAME (better performance).
  • /DOWNLEVEL - provides support for a Windows Server 2008 or earlier domain controller.
  • /PRINTBLOB - returns the base64-encoded metadata blob for the response file.
  • /DEFPWD - use the default computer account password (not recommended).
  • /ROOTCACERTS - optional parameter, include the root CA certificates.
  • /CERTTEMPLATE - optional parameter, the computer certificate template; includes the root CA certificates.
  • /POLICYNAMES - optional parameter, semicolon-separated list of policy names. Each name is the display name of a GPO in AD.
  • /POLICYPATHS - optional parameter, semicolon-separated list of policy paths. Each path points to the location of a registry policy file.
  • /NETBIOS - optional parameter, the NetBIOS name of the computer being joined to the domain.
  • /PSITE - optional parameter, the persistent site in which to place the computer being joined to the domain.
  • /DSITE - optional parameter, the dynamic site in which the computer being joined is initially placed.
  • /PRIMARYDNS - optional parameter, the primary DNS domain of the computer being joined to the domain.
  • /REQUESTODJ - requests an offline domain join at the next boot.
  • /LOADFILE - the file saved earlier with the /SAVEFILE option.
  • /WINDOWSPATH - the path to the Windows directory of the offline image.
  • /LOCALOS - specifies that the local operating system is the one given in /WINDOWSPATH.

In the test environment we will create a computer WKS1 and add it to the Active Directory domain. WKS1 will be placed in the Offline_Join OU, and the blob file will be called wks1.txt:

djoin /provision /domain Contoso.com /machine WKS1 /machineOU "OU=Offline_Join,DC=Contoso,DC=com" /savefile c:\test\wks1.txt

If you think you can find useful information in the blob file, you are mistaken: it is encrypted and not human-readable.

Now we need to transfer these couple of kilobytes to the remote computer, where the offline domain join will be performed. Copy the blob onto it (the command below expects it in C:\test), open a command prompt and enter the command:

djoin /requestODJ /loadfile c:\test\wks1.txt /windowspath %systemroot% /localos

After the command runs, the computer account metadata from the blob file is written into the Windows directory.

djoin also works perfectly with virtual machines; the only difference is that the /windowspath key points to the Windows directory of the system installed inside the VHD file.
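The two stages described above, written as an added example for this page (it is not code from the article or from Microsoft): two PowerShell functions wrapping djoin.exe so that each step's exit code and output file are checked. The domain, OU, machine name and paths are the article's test values; the function and parameter names are my own. The provisioning half runs on a domain-joined Windows 7 / Server 2008 R2 machine, the completion half on the machine being joined (from an elevated prompt), and the blob file is handled as a secret because it carries the credentials of the new computer account.

```powershell
# Added example (not from the original article): checked wrappers around the
# two djoin.exe stages. Function and parameter names are my own.

function New-OfflineJoinBlob {
    param(
        [Parameter(Mandatory=$true)] [string] $Domain,    # e.g. Contoso.com
        [Parameter(Mandatory=$true)] [string] $Machine,   # e.g. WKS1
        [Parameter(Mandatory=$true)] [string] $OUPath,    # e.g. OU=Offline_Join,DC=Contoso,DC=com
        [Parameter(Mandatory=$true)] [string] $SaveFile   # e.g. C:\test\wks1.txt
    )
    # Stage 1, on a machine that can reach a DC: create the computer account in
    # the given OU and write the provisioning blob to -SaveFile.
    & djoin.exe /provision /domain $Domain /machine $Machine /machineOU $OUPath /savefile $SaveFile
    if ($LASTEXITCODE -ne 0) {
        throw "djoin /provision failed with exit code $LASTEXITCODE"
    }
    if (-not (Test-Path -LiteralPath $SaveFile)) {
        throw "djoin reported success but $SaveFile was not written"
    }
    # The blob contains the computer account password: keep it off shared
    # folders and send it to the branch only over an encrypted channel.
    Get-Item -LiteralPath $SaveFile
}

function Complete-OfflineJoin {
    param(
        [Parameter(Mandatory=$true)] [string] $BlobFile,
        # Windows directory to apply the blob to. Default: the running OS.
        # For an offline VHD mounted as D:, pass 'D:\Windows' instead.
        [string] $WindowsPath = $env:SystemRoot,
        [switch] $Restart
    )
    # Stage 2, on the machine being joined (elevated prompt required).
    $djoinArgs = @('/requestODJ', '/loadfile', $BlobFile, '/windowspath', $WindowsPath)
    # /localos is only valid when -WindowsPath is the running system.
    if ($WindowsPath -eq $env:SystemRoot) { $djoinArgs += '/localos' }
    & djoin.exe @djoinArgs
    if ($LASTEXITCODE -ne 0) {
        throw "djoin /requestODJ failed with exit code $LASTEXITCODE"
    }
    # Once the metadata is in the Windows directory the file is no longer
    # needed; remove it so the account credentials do not linger on disk.
    Remove-Item -LiteralPath $BlobFile -Force
    # The join itself is completed by the OS at the next boot.
    if ($Restart) { Restart-Computer -Force }
}

# Stage 1, on the provisioning machine:
# New-OfflineJoinBlob -Domain Contoso.com -Machine WKS1 `
#     -OUPath 'OU=Offline_Join,DC=Contoso,DC=com' -SaveFile C:\test\wks1.txt
# Stage 2, on WKS1 after copying the blob to C:\test:
# Complete-OfflineJoin -BlobFile C:\test\wks1.txt -Restart
```

The -WindowsPath parameter generalizes the two cases the article mentions: left at its default it applies the blob to the running system with /localos, and pointed at a mounted VHD it applies the blob to that offline image without /localos.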

4. add to domain via Powershell

Open Powershell as administrator and enter the following command

Add-Computer -DomainName <your domain name>

Specify the name of your domain; a login and password prompt will appear.

If everything is OK, you will see a yellow message saying that a reboot is required.

As you can see, there are many methods, and everyone can pick the one that fits their task. I think the question of how to join a computer to an AD domain can be closed.

Site material Pyatilistnik.org


How to add a computer to a domain

Domains greatly facilitate the work of users, allowing you to log in just once and forget about all the passwords to various devices and files on a large local network.

To do this, you need:

  • admin rights;
  • a local network with a Windows domain;
  • a user account in the domain;
  • the domain name.

1. You can join a computer to a Windows domain on the "Computer Name" tab of the "System Properties" window. To open the "System Properties" window in Windows XP, open the "Control Panel" from the "Start" menu and click the "System" item. If your computer is running Windows 7 or Vista, open the "Control Panel", go to the "System and Security" category and click the "System" item. On the page that opens, click the "Advanced system settings" link in the left column.

2. In the System Properties window that opens, select the Computer Name tab. Click the "Change" button and, in the window that opens, enter the name of the domain you want to join the computer to. Next, click OK. In the window that appears, enter the domain username and password. Then click OK and restart your computer. Your computer is now a member of the domain.

3. Besides the graphical interface, you can join the computer to the domain from the command line. Windows XP includes the NETDOM utility, which can add a computer to a domain with the command:

netdom join computer_name /domain:domain_name /userd:domain_name\user_name /passwordd:user_pass

Here computer_name, domain_name and user_name are replaced with the names of the computer being added, the domain and the user, respectively, and user_pass with the user's domain password.

In Windows 7 the NETDOM utility has been replaced by a PowerShell command, Add-Computer. To join a computer to a domain from the console in Windows 7, run the following command:

add-computer -DomainName domain_name -credential domain_name\user_name

Here domain_name and user_name are likewise replaced with the domain and user names.

A Windows domain is not intended for home use; it is very convenient in corporate networks with a large number of users with different levels of access to files and devices. Therefore computers running editions intended for home use, that is, below the Professional level, have no domain-join tools. To add such computers, first reinstall the system.

There is a faster way to launch the System Properties window. If you have a windows XP operating system, right-click on the "My Computer" icon and in the menu that opens, click on the "System Properties" item. If you have windows 7 or Vista operating system, right-click on the "Computer" icon, select "System Properties" and click on "Advanced system settings".

When joining a computer to a domain, on the same "Computer Name" tab, you can specify a description of your computer, which will be a hint for domain users.

complaz.ru

How to enter a computer into a domain in different ways?

The question of connecting a computer to a domain usually arises for system administrators who need to set up a local network. A domain system means that all computers on the network use the settings of the main PC. Let's try to figure out how to connect a computer running Windows 7 to a domain. For other operating systems the procedure is not very different.

What are the benefits of a domain structure? With it, you can use, for example, group policies and centralized management. This allows you to work efficiently.

Important requirements

Before you join a Windows 7 computer to a domain, you need to check whether the PC meets a number of requirements and whether all settings have been made. There are quite a few of them, although most should already be in place. Check the following:

  • Windows 7 must be used in the following versions: Professional, Ultimate or Enterprise. Only these versions can be joined to a domain;
  • A network card must be present. But that goes without saying;
  • A LAN connection must be made. In most cases, although you can connect Windows 7 to Windows Server 2008 R2 offline, this is a separate issue;
  • The correct IP address must be specified. It can be configured manually, obtained from a DHCP server, or it can be an APIPA address (these start with 169.254.x.x);
  • You need to make sure that the controllers (at least one) are available for connection;
  • Also check the connection to the controller (for example, ping it to check the quality of the connection);
  • The DNS server must be properly configured. This is important, if it is configured incorrectly, you may experience problems connecting to the domain. Even if the connection is successful, failures are possible later;
  • DNS servers must be available. To do this, you need to check the connection using the PING program;
  • Check your rights on the local system: you must be a local administrator of the computer;
  • You need to know the domain name, administrator name and password.

Connecting a PC to a domain

There are two ways to add a computer to a domain. Let's look at them in more detail.

First method

This is the standard way to join a PC to a domain. Follow these steps:

  • Click the "Start" icon, right-click on the shortcut "Computer", select "Properties";
  • In the “Computer name, domain and work settings” item, click “change settings”;
  • Open the "Computer Name" tab and click "Change";
  • In the "Member of" section, select "Domain";
  • Enter the name of the domain to which you are connecting, click "OK";
  • Enter the name again, and the password.

Then restart your computer. After that, the PC will be connected to a domain on the local network.

Second method

You must use the NETDOM utility. To join a domain you need to enter only one command at the command line:

Where:

  • The "DOMAIN.COM" and "DOMAIN" parameters must be replaced with the domain name. You also need to specify a username and password;
  • The extra 'd' in 'user' and 'password' is not a typo;
  • In Windows 7, NETDOM is already part of the operating system. On Windows 2000, XP and 2003 you need to install the Support Tools.

To complete the connection, restart your PC.

What to do if the domain "fell out"?

This can happen after connecting the PC to the domain: the computer simply does not "see" it. You will notice immediately, because you will not be able to log in. Do the following:

  • Log in as a local administrator;
  • Go to the system properties and, on the "Computer name" tab, switch the PC to a workgroup;
  • Restart your computer;
  • Then reconnect the PC to the domain, as described above;
  • Reboot.

The computer should now join the domain.
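A shorter alternative to switching to a workgroup and rejoining, as an added example (not from the article): on Windows 7 and later the "fell out" symptom is almost always a broken secure channel, meaning the machine account password the PC holds no longer matches the one stored in AD. Test-ComputerSecureChannel checks exactly that and, with -Repair, resets the password on both sides without recreating the computer object. The function name is my own; run it from an elevated PowerShell session while logged in as a local administrator, and fall back to the rejoin procedure above only if the repair fails.

```powershell
# Added example (not from the original article): check and repair the
# machine-to-domain trust instead of rejoining. Function name is my own.
function Repair-DomainTrust {
    param(
        # An account allowed to reset the computer account password (e.g. a domain admin).
        [Parameter(Mandatory=$true)] [System.Management.Automation.PSCredential] $Credential
    )
    # $true means the locally stored machine password still matches AD: nothing to do.
    if (Test-ComputerSecureChannel) {
        return 'intact'
    }
    # -Repair resets the machine account password locally and in AD. The
    # computer keeps its SID, OU and group memberships, unlike leave-and-rejoin.
    if (Test-ComputerSecureChannel -Repair -Credential $Credential) {
        return 'repaired'
    }
    # Repair failed (account deleted or disabled in AD, no DC reachable):
    # fall back to the article's procedure of rejoining the domain.
    return 'not-repaired'
}

# Repair-DomainTrust -Credential (Get-Credential 'DOMAIN\administrator')
```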

Placing a computer in a specific container

The disadvantage of the methods described so far is that the PC is placed in the default container, usually "Computers", and moving it elsewhere requires an administrator. But you can place the computer in the desired container right away. There are two options for this.

Method number 1

First, an empty computer account is created in the container where the computer should end up (you need the rights to create an object there). In the ADUC console, a new computer account is created with the same name that will be used when joining the domain. Then use the join method described above. The system will see an account that already exists in the domain but is not yet associated with any computer; once they are matched, the computer lands in the correct container.

Method number 2

You can use the Powershell command:

  • Log in with administrator rights;
  • At the command line, enter "powershell" (then you can use PoSh instead);
  • The command to join a PC to the corp.company.ru domain under the corp\company_admin account, creating the computer account in the corp.company.ru/Admin/Computers container, looks like this:

    add-computer -DomainName corp.company.ru -credential corp\company_admin -OUPath "OU=Computers,OU=Admin,DC=corp,DC=company,DC=ru"

  • A new window will open, in which enter the company_admin user password;
  • Then the message "WARNING: The changes will take effect after you restart the computer pcwin8" will appear (pcwin8 being the computer in this example). Restart your computer.
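As an added example for this page (not code from the article), the pre-join checks from the requirements lists above and the Add-Computer call with -OUPath, combined into one PowerShell script that also works on Windows 7 (PowerShell 2.0): it uses nslookup and a raw TCP connect because Resolve-DnsName and Test-NetConnection do not exist there. Function names are my own; the domain, OU and account in the usage line are the article's example values.

```powershell
# Added example (not from the original article): preflight checks followed by
# Add-Computer -OUPath. Works on Windows 7 / PowerShell 2.0 and later.

function Test-TcpPort {
    param([string] $ComputerName, [int] $Port, [int] $TimeoutMs = 2000)
    # Plain TCP connect with a timeout; Test-NetConnection is not on Windows 7.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-DomainJoinPrerequisites {
    param([Parameter(Mandatory=$true)] [string] $Domain)
    $r = @{}
    # 1. Edition: Home and Starter editions have no domain-join support.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $r.EditionOk = ($os.Caption -notmatch 'Home|Starter')
    # 2. Local administrator rights in this (elevated) session.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $r.IsAdmin = $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    # 3. DNS: clients locate DCs through the _ldap._tcp.dc._msdcs.<domain> SRV
    #    record, so this check fails exactly when the DNS server setting is wrong.
    $srvText = (& nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1) -join "`n"
    $r.DomainControllers = @([regex]::Matches($srvText, 'svr hostname\s*=\s*(\S+)') |
        ForEach-Object { $_.Groups[1].Value })
    # 4. A DC must answer on Kerberos (88) and LDAP (389), not just on ICMP ping.
    $r.DcReachable = $false
    foreach ($dc in $r.DomainControllers) {
        if ((Test-TcpPort $dc 88) -and (Test-TcpPort $dc 389)) { $r.DcReachable = $true; break }
    }
    New-Object PSObject -Property $r
}

function Join-DomainChecked {
    param(
        [Parameter(Mandatory=$true)] [string] $Domain,
        [Parameter(Mandatory=$true)] [string] $OUPath,
        [Parameter(Mandatory=$true)] [System.Management.Automation.PSCredential] $Credential
    )
    $c = Test-DomainJoinPrerequisites -Domain $Domain
    if (-not $c.EditionOk) { throw 'This Windows edition cannot be joined to a domain' }
    if (-not $c.IsAdmin)   { throw 'Run this from an elevated PowerShell session' }
    if ($c.DomainControllers.Count -eq 0) {
        throw "No DC SRV records for $Domain - check the DNS server configured on this client"
    }
    if (-not $c.DcReachable) {
        throw "DCs found ($($c.DomainControllers -join ', ')) but ports 88/389 are not reachable"
    }
    # Creating the object directly in the target OU avoids a later move by an admin.
    Add-Computer -DomainName $Domain -Credential $Credential -OUPath $OUPath
    Write-Warning 'The change takes effect after a restart: run Restart-Computer.'
}

# Join-DomainChecked -Domain corp.company.ru `
#     -OUPath 'OU=Computers,OU=Admin,DC=corp,DC=company,DC=ru' `
#     -Credential (Get-Credential 'corp\company_admin')
```

The SRV lookup is the check worth keeping even if you drop the rest: a client whose DNS points at a public resolver instead of the domain's DNS server can ping the DC by address and still fail to join, because it never finds a DC by name.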

Now the PC will be located in the right container in the domain.

It is best if the PC is joined to the domain by the administrator who set up this local network: they know all the pitfalls of the domain and will be able to connect it quickly. If you decide to join the computer to the domain yourself, then in case of any problem leave the PC in that state until a specialist fixes it.
