It how to join machines to your active directory domain

I am running 10 pro and there is no “join domain” option at all

Go to the bottom of the ABOUT page and click RENAME THIS PC (ADVANCED)

This will take you to the original SYSTEM PROPERTIES page

Click CHANGE button and enter domain > restart > etc.

In the section “Related settings” there is a link “System Info”; clicking this should take you to the old Windows 7 system info screen. The third group down is headed “Computer name, Domain and workgroup settings”, next to which is a link “Change settings”. This will take you to the old Windows 7 domain wizard. Don’t know if it will work – Windows networking is always problematic in my experience.

For those who don’t see “Join Domain” as explained in this article, I found “Advanced system settings” under “Related settings”… this brought back the old Windows interface.

I agree, Michael Mast. On my computer there is no join domain button; somehow they need to add a button or something else.

Running Win10 Pro. The domain does not show under networks in Explorer. The PC cannot connect to the domain when trying to join. The server is running Server 2008 with 2003 functional level. Are any changes on the firewall required? PCs running XP join the domain without any problem. Any ideas?

Change the DNS settings on the client machine to point at the server. Once connected you can change them back again if required.

Frustratingly I couldn’t connect to the domain, but this suggestion worked for me: I went into the network settings, clicked on the IPv4 connection, clicked properties, changed “automatically accept DNS address” and entered the server’s DNS address manually. Once updated, the laptop connected straight away. Once connected and logged in I reverted the DNS settings to automatic. Thanks a bunch for this suggestion @Mark.

I can access the domain, and I can access shared server resources, but every time I log into the domain, I log in with a temporary profile.
In the Windows registry there aren’t any .bak entries. I’ve tried to remove users, create them again, remove entries in the registry, but always the same problem.
Do you have any idea how to solve this?

Any idea why my registered Windows 10 workstations are registered as Operating System MAC OS in my Active Directory console? Even in my network asset inventory tool it is registered as MAC OS operating system.

I appreciate any help.

How can I remove the other user choice in lock screen?

The moment I connect with my organization’s domain, my Win 10 apps, start menu and task bar do not open anymore. Any idea how to resolve it?

Probably there are some policies implemented by the Domain Admin. These policies determine your permissions on the host. I am not sure it is the reason, but it can be so.

I tried the tips given above but nothing changed. After I formatted my system (it was Win 7 before), when I installed Win 10, at the final step of the installation my battery ran down. When I switched on the system it asked me to sign in.
How do I sign in to another domain?
The sign-in options are: local or domain account password, and Microsoft account.
Can anyone help me? I don’t have a Microsoft account.

I have upgraded to windows 10 pro but the join domain option still does not appear. The Microsoft tech reinstalled but no change. Any ideas?

Farther up the thread it is mentioned that W10 Pro doesn’t offer “Join Domain”; you need the W10 Home edition.
The Surface Pro 4 is a joke – how many decades have laptops been around now? And simple home networking? And Microsoft can’t get it right with their latest and greatest portable piece of equipment?
Let’s see – problems with battery charging at the most basic level, SP4s hang at “getting Windows ready” for hours on end, both of these problems have made it through the SP2, 3 and now the 4, and now it can’t connect to a home network – on day one I used a USB/Ethernet adapter because home isn’t microwaved (I mean wifi’d) and could connect everywhere; on day 2 that same connection will not ping others, let alone connect to the internet, and nothing changed. Thanks BG/MS.

I have with me one laptop with Windows 10 Pro, and I am not able to join this laptop to a domain. I have a web domain registered with GoDaddy.

I click on 1) This PC, 2) which moves to the page Control Panel -> System and Security -> System, 3) this shows the page “View basic information about your computer”, 4) I click on the “Change settings” link, 5) it opens the System Properties page, 6) I click on the Change button, which shows me my computer name and allows it to become a member of a domain, 7) I select the radio button for domain, 8) I enter my domain name which I have registered with GoDaddy and click OK, 9) it shows the following error:
Note: This information is intended for a network administrator. If you are not your network’s administrator, notify the administrator that you received this information, which has been recorded in the file C:\WINDOWS\debug\dcdiag.txt.

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain “spinfonet.com”:

The error was: “DNS name does not exist.”
(error code 0x0000232B RCODE_NAME_ERROR)

Can you tell me the exact procedure to join my computer to a domain? And how can I configure my DNS?

You need to have network access to a PC running a Windows Server edition, and we are talking about Active Directory domains, not web domains.

Win 10 Pro, no place to join a domain. I tried changing it from the properties of My Computer until it asks for a username and password for the domain; after entering them I get a “cannot connect to the domain” error. Advise.

I found join a domain under Settings, Accounts, Access work or school, Connect, Join this device to a local Active Directory domain.

Can’t find my domain, but at least I have the spot to continue trying.

You need to click on the “change your key” text to get to the page you want. It’s a pain in the rump. That, or just press “Win + Pause/Break”.

I am looking into doing this in place of a VPN. Does connecting allow you to control the server PC like a VPN, or does it just let you access files?

The problem of integrating an Ubuntu workstation with Windows Active Directory is quite common. Below we describe the required steps to help DataSunrise users accomplish this task:

1. Specify the name of the configured computer in the /etc/hostname file

Query the current host name:

If necessary, specify a new host name:

echo myhost > /etc/hostname

Note. The host name cannot be localhost, because localhost is the name for 127.0.0.1 (specified in the /etc/hosts file when you install the operating system).

2. Specify the full domain controller name in the /etc/hosts file

Add a static record with the full domain controller name at the end of the file /etc/hosts. Translation between the IP address and the computer name is required so that you can use the hostname instead of the IP address.

echo 192.168.1.51 hostname.db.local hostname >> /etc/hosts

3. Set a DNS server on the configured computer

The domain controller should be the first option for search. Add the domain controller IP address to /etc/resolv.conf. In most distributions resolv.conf is generated automatically, so add the domain controller IP address to /etc/resolvconf/resolv.conf.d/head instead.

sudo vim /etc/resolvconf/resolv.conf.d/head

Change the opened file as follows:

Restart the networking service.

Use nslookup command to check.

4. Configure time synchronization

The system time on the machine must be synchronized with the system time on the domain controller server. Install the ntp tool and change the ntp.conf file.

sudo apt-get install ntp
sudo vim /etc/ntp.conf

Change the file as follows.

Restart the ntpd daemon.

sudo /etc/init.d/ntp restart

5. Install a Kerberos client

6. Install Samba, Winbind and NTP

7. Edit the /etc/krb5.conf file to add the full domain name, the domain controller name and the realm parameter

Important: Do not leave any comments tagged with the “#” sign in the config file.

8. Edit the /etc/samba/smb.conf file to add the short domain name and the full domain name:

Important: Do not leave any comments tagged with the “#” sign in the config file.

Note. Before using the config file remove comment lines.

9. Enter the domain:

After joining the domain successfully you will be able to ping Active Directory hostnames, e.g.:

/ds$ ping johnny.domain.com
PING johnny.domain.com (192.168.1.39) 56(84) bytes of data.
64 bytes from johnny.domain.com (192.168.1.39): icmp_seq=1 ttl=128 time=0.200 ms
64 bytes from johnny.domain.com (192.168.1.39): icmp_seq=2 ttl=128 time=0.560 ms

10. Verify that authentication for an Active Directory user is successful:

Note. Type the domain name in upper-case letters.

If everything was configured correctly, the ticket will be created.

Make sure that the ticket was created:

And there you have it – an Ubuntu workstation integrated with Windows Active Directory.
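The following script is an added example and is not part of the DataSunrise guide. It turns the pre-join checks that the steps above depend on (a host name other than localhost, a resolvable DC SRV record, clock skew under five minutes, realm in upper case) into functions, and wires them in front of the join and ticket commands. The domain db.local is the guide's placeholder; dc1.db.local and joinuser are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the guide): pre-join checks for the Ubuntu procedure,
# followed by the join and Kerberos verification. Placeholders assumed:
# domain db.local (from the guide), DC dc1.db.local, join account joinuser.

# Step 1: the host name must not be localhost (that name is the 127.0.0.1 alias).
hostname_ok() {
    case "$1" in
        ''|localhost|localhost.localdomain) return 1 ;;
        *) return 0 ;;
    esac
}

# Steps 7, 8 and 10: the Kerberos realm is the DNS domain in upper case, and the
# short (workgroup) name for smb.conf is the first DNS label in upper case.
realm_of() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}
workgroup_of() {
    printf '%s\n' "${1%%.*}" | tr '[:lower:]' '[:upper:]'
}

# Step 3: the SRV record a client queries to locate a domain controller. A missing
# record here is what produces the "DNS name does not exist" error quoted above.
dc_srv_name() {
    printf '_ldap._tcp.dc._msdcs.%s\n' "$1"
}

# Step 4: Kerberos rejects requests when clocks differ by more than 300 seconds.
# Arguments: local epoch seconds, domain controller epoch seconds.
skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le 300 ]
}

# Runs the checks and then steps 9 and 10. Not executed automatically; run as root
# on the client: preflight_and_join db.local dc1.db.local joinuser
# Requires samba-common-bin (net), krb5-user (kinit/klist) and dnsutils (host).
preflight_and_join() {
    domain=$1; dc=$2; user=$3
    hostname_ok "$(hostname)" || { echo "host name must not be localhost" >&2; return 1; }
    # Steps 2 and 3: the DC must resolve through /etc/hosts or the configured resolver.
    getent hosts "$dc" >/dev/null || { echo "cannot resolve $dc" >&2; return 1; }
    host -t SRV "$(dc_srv_name "$domain")" >/dev/null \
        || { echo "no DC SRV record for $domain; fix resolv.conf first" >&2; return 1; }
    # Step 4: compare the local clock with the DC clock reported by Samba's net time.
    dc_epoch=$(date -d "$(net time -S "$dc")" +%s) || return 1
    skew_ok "$(date +%s)" "$dc_epoch" || { echo "clock skew over 5 minutes" >&2; return 1; }
    # Step 9: join the domain with the account allowed to add computers.
    net ads join -U "$user" || return 1
    # Step 10: request a ticket with the realm in upper case, then list it.
    kinit "${user}@$(realm_of "$domain")" && klist
}
```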

Please refer to Active Directory Authentication for MySQL Database if you need more information.

Next, does your database contain sensitive data that has to be secured and protected? Or do you need to be in compliance with GDPR, SOX or HIPAA? Check DataSunrise database security and data masking software or download the trial.


Adding a computer to Active Directory is straightforward. In most cases, all you need to do is join the workstation to your Windows domain and reboot it once or twice. You can use Active Directory Users and Computers to double-check that a computer was successfully added. While the feature is built into Windows Server, if you want to use a Windows 7 computer to manage Active Directory computers, it must be joined to the domain as well after downloading Remote Server Administration Tools for Windows 7.

Add Computer to Domain

Log in to the computer in question with a local administrator account.

Click Start and right-click “Computer.”

Click the “Change settings” link under “Computer name, domain, and workgroup settings.”

Click the “Computer Name” tab.

Click the “Change...” button.

Click the “Domain” radio button and type the name of your Windows domain in the domain field.

Click “OK.” When prompted, enter the username and password of an account that has the right to add computers to the domain. Usually, this account must be in the Account Operators, Domain Admins or Enterprise Admins security group.

Reboot the computer when prompted.

Check the Account in Active Directory

Log in to your Windows domain controller or a Windows 7 workstation that has the Remote Server Administration Tools for Windows 7 installed. You must use an account in the Account Operators, Domain Admins or Enterprise Admins group for the domain in question, or have been granted explicit permission to manage domain computers.

Click Start, then “Control Panel,” double-click “Administrative Tools” and double-click “Active Directory Users and Computers.” If you’re logged into a Windows Server machine, click Start and type “dsa.msc” (without quotation marks) in the Search box and press “Enter.”

Right-click on the domain name in the tree on the left and click “Find.”

Click “Computers” in the “Find” dialog box.

Type the name of the computer you just added to the domain in the “Name” field.

Click “Find.” If the computer name appears in the search results, you’ve successfully added the computer to Active Directory.

Many enterprises and organizations rely on Microsoft Active Directory (AD) for provisioning user accounts, applying security policies to operating systems, and enabling access to applications. In classic on-premises environments, Windows operating systems are “joined to the (AD) domain” in order to enable these functions. Frame allows administrators to join their workload VMs to their Active Directory domain. This allows their users to log in to a Windows machine using their own AD credentials. Since the Windows operating system is joined to the customer’s domain, the user can use Windows applications that rely on AD for access, authentication and authorization, such as SAP apps. If the IT manager joins the Sandbox to the domain, they can use their existing app packages, app tools, and deployment processes to install, run, and manage their organization’s applications on Frame.

To use the Domain Join feature, you will need to utilize your own public cloud account or bring your own AHV cluster, where these Windows machines will be provisioned and orchestrated by the Frame Platform. This is called our Bring Your Own (BYO) infrastructure feature. Before continuing with this setup guide, you will need to set up your BYO infrastructure described in these articles: BYO AWS, BYO Azure, BYO GCP, or Frame on AHV.

This section of Frame documentation will outline the required steps to prepare and implement Domain Joined Instances (DJI) for your Frame account. Before reading the guides below, please review the requirements and recommendations for Domain Join to function properly on your Frame account.

Frame Account with Windows 10, Windows Server 2016, or Windows Server 2019-based image.

The Domain Join feature requires that customers use Windows Server 2008 R2 and Domain Functional Level 2008 R2 or higher.

The Frame account workloads must reside in a VPC/VNET/VLAN with a non-overlapping CIDR with the rest of your network, including where your Windows domain controllers reside. Currently, Frame only supports subnet masks between /16 and /24.

The workload VMs to be joined to the domain must be able to route to the domain controller.

For customers using AWS, they must update their AWS IAM role before enabling DJI.

For customers using Azure, they must configure their Azure DNS before enabling DJI.

Considerations:

Please consider the following before moving on to the Domain Controller Preparation guide and setup process:

The Frame user created by Frame must be a local Windows administrator. Any GPO settings that take effect on workload instances must not remove this user from the “Local administrators” group.

Autologin must be allowed for a local Frame user session to initiate successfully. Any GPO settings that disable this function will prevent domain joined instances from working properly.

Interactive Logon message must be disabled in GPO settings for successful initiation of a Frame session.

The domain join feature does not join the Sandbox or any utility servers to the domain. Frame strongly advises that administrators do not manually join the Sandbox or the utility server to the domain unless there is a specific requirement for an application to function. If either of these two VM types must be joined to the domain, the Frame administrator should enable RDP and create another local Windows admin user in that server. Before the server is joined to the domain, the administrator should verify that they can reach the server using RDP.

Do not modify the Frame user local admin account password. We rotate the password for the Frame user (Frame guest agent) and modifying it will cause autologon to fail. For password security options like LAPS, there is a need to exclude the local Frame user.

Static DNS IPs are not supported and should not be entered in the Sandbox or workload VMs.

Restricting remote RPC connections to the Windows Security Account Manager (SAM) on a domain controller to Administrators only may introduce issues with renaming computer objects in Active Directory. Delegated rights to the service account will be ignored if this policy is configured.

The local Frame user password is stored in the LSA (Local Security Authority) portion of the machine registry, which is accessible only to processes running as the SYSTEM account. Some of these secrets are credentials that must persist after reboot, and they are stored in encrypted form on the hard disk drive. Credentials stored as LSA secrets might include:

This page describes the various options for connecting to a Managed Service for Microsoft Active Directory domain.

Connecting to a domain-joined Windows VM with RDP

You can connect to your domain with Remote Desktop Protocol (RDP). For security reasons, you cannot use RDP to connect directly to a domain controller. Instead, you can use RDP to connect to a Compute Engine instance, and then use the standard AD Manageability tools to work remotely with your AD domain.

Troubleshooting RDP connections

If you are having difficulty connecting to your Windows instance with RDP, see Troubleshooting RDP for tips and approaches to troubleshoot and resolve common RDP issues.

Resolving Kerberos issues

If you try to use Kerberos for your RDP connection, but it falls back to NTLM, your configuration may not meet the necessary requirements.

To RDP to a Managed Microsoft AD-joined VM using Kerberos, the RDP client needs a ticket issued for the target server. To get this ticket, the client must be able to:

  • Determine the service principal name (SPN) of the server. For RDP, the SPN is derived from the server's DNS name.
  • Contact the domain controller of the domain the client's workstation is joined to and request a ticket for that SPN.

To ensure the client can determine the SPN, add an IP-based SPN to the server's computer object in AD.

To ensure the client can find the right domain controller to contact, you must do one of the following:

  • Create a trust to your on-premises AD domain. Learn more about creating and managing trusts.
  • Connect from a domain-joined workstation via Cloud VPN or Cloud Interconnect.

Connecting to a domain-joined Linux VM

This section lists some of the open source options for managing Active Directory interoperation with Linux. Learn how to join a Linux VM to a Managed Microsoft AD domain.

System Security Services Daemon (SSSD) joined directly to Active Directory

You can use System Security Services Daemon (SSSD) to manage Active Directory interoperation. Note that SSSD does not support cross-forest trusts. Learn about SSSD.

Winbind

You can use Winbind to manage Active Directory interoperation. It uses Microsoft Remote Procedure Calls (MSRPCs) to interact with Active Directory, which is similar to a Windows client. Winbind supports cross-forest trusts. Learn about Winbind.

OpenLDAP

OpenLDAP is a suite of LDAP applications. Some third-party providers have developed proprietary Active Directory interoperation tools based on OpenLDAP. Learn about OpenLDAP.

Connecting to a domain via trust

If you create a trust between your on-premises domain and your Managed Microsoft AD domain, you can access your AD resources in Google Cloud as if they are in your on-premises domain. Learn how to create and manage trusts in Managed Microsoft AD.

Connecting to a domain with Hybrid Connectivity products

You can connect to your Managed Microsoft AD domain with Google Cloud Hybrid Connectivity products, like Cloud VPN or Cloud Interconnect. You can configure the connection from your on-premises or other network to an authorized network of Managed Microsoft AD domain.

Before you begin

Join your Windows VM or your Linux VM to the Managed Microsoft AD domain.

Connecting using domain name

We recommend connecting to a domain controller using its domain name rather than its address because Managed Microsoft AD does not provide static IP addresses. Using the name, the Active Directory DC Locator process can find the domain controller for you, even if its IP address has changed.

Using IP address for DNS resolution

If you must use the IP address to connect, you can create an inbound DNS policy on your VPC network so it can use the same name resolution services that Managed Microsoft AD uses. Managed Microsoft AD uses Cloud DNS to provide name resolution for the Managed Microsoft AD domain using Cloud DNS Peering.

To use the inbound DNS policy, you must configure your on-premises systems or name servers to forward DNS queries to the proxy IP address located in the same region as the Cloud VPN tunnel or VLAN attachment that connects your on-premises network to your VPC network. Learn about creating an inbound server policy.

Using peerings

Managed Microsoft AD does not support nested peering, so only networks that are directly authorized for Active Directory can access the domain. Peers of the authorized network cannot reach the Managed Microsoft AD domain.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

You can join ClearPass Policy Manager to an Active Directory (AD) domain to authenticate users and computers that are members of an Active Directory domain. If you join ClearPass to an Active Directory domain, it creates an account for the ClearPass node in the Active Directory database.

Users can then authenticate to the network using 802.1X and EAP methods, such as PEAP-MSCHAPv2, with their own Active Directory credentials.

If you need to authenticate users belonging to multiple Active Directory forests or domains in your network, and there is no trust relationship between these entities, then you must join ClearPass to each of these untrusted forests or domains.

ClearPass is not required to join multiple domains belonging to the same Active Directory forest because a one-way trust relationship exists between those domains. In this case, ClearPass can join the root domain.

ClearPass can join or leave an Active Directory domain by using the following two buttons in the Server Configuration page > System tab:

Join Domain: Click Join Domain to join this ClearPass appliance to an Active Directory domain. Password servers can be configured after Policy Manager is successfully joined. For more information on adding a password server, see Adding a Password Server.

Leave Domain: If the server is already part of multiple Active Directory domains, click Leave Domain to disassociate this ClearPass appliance from an Active Directory domain.

For most use cases, if you have multiple nodes in the cluster, you must join each node to the same Active Directory domain.

To join the selected ClearPass server to an Active Directory domain:

1. From the Server Configuration page > System tab > AD Domains, click Join AD Domain.

The Join AD Domain dialog opens:

Figure 1   Join AD Domain Dialog


2. Specify the Join AD Domain parameters as described in the following table.
Table 1: Join AD Domain Parameters

Enter the Fully Qualified Domain Name (FQDN) of the domain controller, then press Tab.

The following message is displayed: Trying to determine the NetBIOS name.

ClearPass searches for the NetBIOS name for the domain.

NetBIOS name (optional)

Enter the NetBIOS name of the domain.

Enter this value only if this is different from your regular Active Directory domain name. If this is different from your domain name (usually a shorter name), enter that name here. Contact your Active Directory administrator about the NetBIOS name.

NOTE: If you enter an incorrect value for the NetBIOS name, you see a warning message in the user interface. If you see this warning message, leave the domain by clicking on the Leave Domain button (which replaces the Join Domain button once you join the domain). After leaving the domain, join again with the correct NetBIOS name.

Domain Controller name conflict

Specify the action to take in the event of a domain controller name conflict.

In some deployments (especially if there are multiple domain controllers, or if the domain name has been wrongly entered in the last step), the domain controller FQDN returned by the DNS query can be different from what was entered. In this case, you can:

Use specified Domain Controller: Continue to use the domain controller name that you entered.

Use Domain Controller returned by DNS query: Use the domain controller name returned by the DNS query.

Fail on conflict: Abort the Join Domain operation.

Use default domain admin user

Check this box to use the Administrator user name to join the domain.

NOTE: In a production environment, it is likely that an Administrative username that has permissions to join machines to the domain would be used for the default domain admin user. In that case, 1) disable (that is, uncheck) the Use default domain admin user [Administrator] check box and 2) enter the Admin username and password in the fields provided.

Enter the user ID of the domain administrator account.

NOTE: This field is disabled if the Use default domain admin user check box is selected.

Enter the password for the user account that will join ClearPass with the domain (for related information, see Table 2, which displays the characters that are allowed and not allowed for the Active Directory username and password).


Joining a Buffalo NAS to an Active Directory Domain

Preparing a domain account for the Buffalo NAS

  1. Connect to your domain controller, either at the console or via remote desktop.
  2. Verify that the domain controller has a static IP address (suggested but not required) and that the primary DNS server is the domain controller.
  3. If the AD domain controller is NOT on the same network segment with the Buffalo NAS device, then the networks have to be configured to let packets be able to route between these networks.
    The Buffalo NAS device has to be able to send DNS requests to the remote network. The Buffalo NAS device must use the domain controller as its primary DNS server.
  4. Create an AD service account for the NAS. (Windows 2003, AD) (Best practice is to not use special characters in the username). The password can only contain the following special characters: . – _ (Legacy Linux).
  5. The account must be a member of the Administrators group.
  6. Create a DNS A record for the NAS. If the NAS has multiple IP addresses, create an A record for each IP address.
  7. Create a computer account for the NAS (Windows 2003, AD).
  8. The computer name must be the same as the name assigned to the NAS.
  9. Select “Assign this computer account as a pre-Windows 2003 computer”. Do not select “Assign this computer account as a backup domain controller”.
  10. After the computer account is created, examine the Delegation tab on the Properties page. Select “Trust this computer for delegation to any service” (Kerberos only).
  11. SMBv1 MUST be enabled on the domain controller. (TS5010/TS3010 series do not have this restriction)
  12. In some cases, if digital SMB Signing is disabled on the domain controller, you will need to enable it to join. You can find this under Local Security Policy on the DC. (Or change it under Domain defaults in group policy editor to have it updated on all DCs)

Setting the time and time zone

Note: The time and time zone must be set correctly on the NAS device in order to successfully join an Active Directory domain. If the time difference between the NAS and the domain controller is more than five minutes, the NAS will be unable to join the domain.

  1. Log in to Settings for the TeraStation. You can access Settings by either entering the TeraStation's IP address into a web browser window or by using NAS Navigator.
  2. Click the Management tab on the left and click on the widget to the right of “Name/Time/Language”.
  3. Click the Time tab, then click the Edit button.
  4. The default NTP server should work if the NAS can access the Internet. If the NAS cannot access the Internet and no local NTP server is available, set the time manually. Click the dropdown at the bottom to set the time zone.
  5. You must scroll all the way to the bottom of the list in order to access North American time zones.

Joining the NAS to the domain

First, find the NETBIOS name and the FQDN (Fully Qualified Domain Name) for the domain to be joined. Usually these will be the same, but in the case of parent/child domains they may be different.

  1. Open a command prompt and type the following commands:


The nslookup command will give us the FQDN, BT.COM in the example. The nbtstat -n command will give us the NETBIOS name, BT-Child in the example.


Note: The NetBIOS name and the DNS name are the values obtained earlier in step 1 above. The DNS name is the FQDN. The Administrator Name and Password must be a DOMAIN Administrator!

For TeraStation 5010/3010 series firmware 4.00 or later:

You can use the “Detect Domain Controller” feature (enter your Domain Controller info and then click Search).

The NetBIOS name / DNS name and the Domain Controller Name should be auto populated.

Enter the DOMAIN Administrator Name and Password, then click OK to join AD.


If the NAS fails to join the domain, verify that all information is correct and that the time on the NAS matches that of the domain controller.

Delegate Control to Join AD Bridge Computers to the Domain

Because of the complexities outlined in the Domain Join Process Overview, the basic delegation procedure described in the Delegation of Control Overview is not sufficient. Additional modifications are required to ensure that a computer account can join the domain in all circumstances. The following procedure can be performed either at the root of the domain, the Computers OU, or one or more specific OUs.

We recommend designating a specific OU to hold all subordinate AD Bridge joined systems and granting delegation over this OU. This is the preferred method, since scoping the location in which an account can create computer objects in the domain is more secure. Additionally, joining systems directly to a targeted OU ensures that they receive the appropriate security and configuration settings (for example, GPOs) without delay.

For more information about the basic rights required for joining a computer to a specific OU, please see the following knowledgebase article from Microsoft under the section “Users cannot join a computer to a domain”: https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/access-denied-when-joining-computers

Following the KB article grants the minimum required rights to limit errors on domain join. However, AD Bridge requires additional rights not required natively by Windows systems. While domain join errors may not be immediately present when following the KB article only, we recommend you complete the procedure below to ensure optimal operation of AD Bridge.

Granting a user or group Full Control to all computer objects in a subset of the directory (Container or OU) can be sufficient. This might conflict with the desired security policy of the organization. The following procedure outlines the minimal rights required by AD Bridge to work in all join scenarios.

To delegate control, first identify a specific user or (preferably) group with the right to join. Then, using Active Directory Users and Computers, perform the following tasks:

  1. Right-click the OU to add computers to, and then click Delegate Control.
  2. In the Delegation of Control Wizard, click Next.
  3. Click Add to add a user or group to the Selected users and groups list, and then click Next. We strongly recommend using a group, even if that group only contains one user.
  4. On the Tasks to Delegate page, click Create a custom task to delegate, and then click Next.
  5. Click Only the following objects in the folder:
    • From the list, select Computer objects.
    • Select the following options below the object list:
      • Create selected objects in this folder
      • Delete selected objects in this folder
  6. Click Next.
  7. In the Permissions list, select the General and Property-Specific check boxes.
  8. Select the required permissions shown in the table below.
  9. Click Next, and then click Finish.
  • Read permissions are not absolutely required, but preferred since Write permissions are granted.
  • Using a Write permission allows any value to be placed in the attribute without validation. Using only a Validated Write permission might be more secure. However, this might limit AD Bridge’s ability to create hashed names when conflicts occur.

Read and write Account Restrictions

Delegate Control to Move Computer Objects on Rejoin

AD Bridge supports the ability to target a computer to a specific OU at join time. If the delegation procedure specified in the previous section has been performed, users will be able to join new computer objects in all scenarios, including a targeted OU. However, when attempting to re-join a computer with an existing object already in AD (including pre-staged computer objects), additional complications can arise when requesting a targeted OU.

When rejoining the domain and targeting a specific OU (using the domainjoin-cli --ou parameter), the join issues an LDAP modify DN request to move the computer object within the AD hierarchy (even when the OU specified is the one the object already resides in). Modifying the object requires the ability to write specific attributes of that object, which must be properly delegated.

To allow rejoins that use the targeted --ou parameter, the modDNRequest LDAP operation must be permitted on the existing object. The following permissions must be delegated:

  • DELETE_CHILD on the source container or DELETE on the object being moved
  • CREATE_CHILD on the destination container.
  • WRITE_PROP on the object being moved for two properties: name/Name and cn (or whatever the RDN attribute for the class is; for example, ou for organizational units).

DELETE_CHILD and CREATE_CHILD are the standard permissions granted on an OU when the steps in "Delegate Control to Join AD Bridge Computers to the Domain" are followed (specifically step 5). Ensure these permissions are granted on every additional OU the computer objects will be moved between.

The WRITE_PROP permissions need to be assigned using ADSIEdit as the necessary permissions are not exposed using Active Directory Users and Computers.

To use ADSIEdit to set the appropriate WRITE_PROP permissions, perform the following on each required OU:

  1. Launch adsiedit.msc.
  2. Connect to the Default naming context for the domain.
  3. Right-click the OU and choose Properties.
  4. Click the Security tab.
  5. Click Advanced.
  6. Click Add to add the security principal.
  7. Enter the group name to delegate and click OK.
  8. Select the Properties tab.
  9. In the Applies to list, select Descendant Computer objects.
  10. Select the following Allow permissions:
    • Read and Write canonicalName
    • Read and Write name
    • Read and Write Name
  11. Click OK on all open dialog boxes.
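The same delegation can be scripted. The following is an added example written for this page, not BeyondTrust code: it grants, on one OU, what the Delegation of Control Wizard steps (create/delete computer objects) and the ADSIEdit steps (write name and cn on descendant computer objects, plus the Account Restrictions property set from the table) grant by hand. It needs the ActiveDirectory RSAT module in a session that already has rights to edit the OU's ACL. The OU and group names are assumptions; the GUIDs are resolved from the forest schema rather than hard-coded.

```powershell
# Added example, not BeyondTrust code: delegate AD Bridge join and rejoin rights on
# one OU with the ActiveDirectory module. OU and group names are assumptions.
Import-Module ActiveDirectory

$OU    = 'OU=ADBridgeHosts,DC=corp,DC=example'   # assumed OU holding the joined systems
$Group = 'CORP\ADBridge-Joiners'                  # assumed group allowed to join

$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Look the GUIDs up in this forest instead of hard-coding them.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid ([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
            -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightsGuid ([string]$DisplayName) {
    # Property sets such as "Account Restrictions" live under Extended-Rights, not the schema.
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
            -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$computerClass = Get-SchemaGuid 'computer'
$nameAttr      = Get-SchemaGuid 'name'
$cnAttr        = Get-SchemaGuid 'cn'
$acctRestrict  = Get-RightsGuid 'Account Restrictions'

$R     = [System.DirectoryServices.ActiveDirectoryRights]
$I     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$OU"

# Wizard step 5: create and delete computer objects in this OU only
# (CREATE_CHILD / DELETE_CHILD scoped to the computer class, no inheritance).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($R::CreateChild -bor $R::DeleteChild), $Allow, $computerClass, $I::None)))

# ADSIEdit steps 8-10: read/write name and cn on descendant computer objects, the
# WRITE_PROP a rejoin with --ou needs for its modDNRequest. Read and write
# Account Restrictions (from the table) is granted the same way.
foreach ($guid in $nameAttr, $cnAttr, $acctRestrict) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ($R::ReadProperty -bor $R::WriteProperty), $Allow, $guid,
        $I::Descendents, $computerClass)))
}
Set-Acl -Path "AD:\$OU" -AclObject $acl

# Verify: show only the ACEs now held by the delegated group.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Run it once per OU that computers will be joined to or moved between. Because every ACE is tied to the computer class GUID, the group gains nothing over users, groups or other object types in the OU.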


©2003-2022 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority. 3/9/2022

In this article, we'll take a look at how to join a Windows 10 device to an Active Directory domain. We'll look at how to add it to an AD domain from the Windows GUI and by using the PowerShell CLI.

Basic prerequisites for joining a Windows device to an AD domain:

  • Windows edition — the following Windows editions can be joined to the domain: Professional, S, Education, Enterprise. Windows 10 Home cannot be connected to an Active Directory domain;
  • Permissions — to join the device to the AD domain, you must have local administrator privileges, as well as domain user credentials with the permissions to add new devices to the domain;
  • Network and DNS setting — your computer must be on the corporate network. It must be configured with an IP address and DNS server addresses that allow it to connect to at least one domain controller;
  • Date and time settings — since Kerberos is used for authentication in Active Directory, the time on the domain controller and on the client should not differ by more than 5 minutes.

Joining AD Domain from Classic System Properties on Windows 10

  1. Right-click the Start menu and select Run;
  2. Type in the command sysdm.cpl and click OK;
  3. The name of the current workgroup is shown in the System Properties window. Click the Change button;
  4. Move the switch to the Domain position and type in the domain name;
  5. In the window that opens, specify the credentials of a domain user who has permission to join computers to the domain (by default any authenticated domain user can add up to 10 computers to the domain; this limit is the domain's ms-DS-MachineAccountQuota attribute, which many organizations set to 0 so that only explicitly delegated accounts can create computer objects);
  6. If everything was done correctly, the message "Welcome to the yourdomainname.com domain" appears;
  7. Reboot the computer;
  8. After the computer boots up, you can log in with a domain account.

Check that your computer account object appears in Active Directory: open Active Directory Users and Computers (dsa.msc), go to the Computers container, and make sure that a new Computer object with the name of your computer has appeared in it.


How to Join Windows 10 to Domain with Modern Settings App?

Let's look at how to join a device running a modern Windows 10 build to the AD domain (in this example, Windows 10 20H2).

  1. Go to Settings > Accounts > Access work or school;
  2. Click the Connect button;
  3. Select "Join this device to a local Active Directory domain" in the "Alternate actions" section at the bottom;
  4. Specify the domain name and click Next;
  5. Specify the name and password of a domain account with the rights to join devices to the domain;
  6. Reboot the device by clicking "Restart now".

How to Add Windows 10 to a Domain Using PowerShell?

You can use the Add-Computer cmdlet to add a computer to a domain via PowerShell. Follow the steps below:

  1. Run the command:
    Add-Computer -DomainName theitbros.com -Verbose
    (where theitbros.com is your AD domain name);
  2. Enter the domain user credentials you want to use to join the device to the domain;
  3. Wait until the message "WARNING: The changes will take effect after you restart the computer computername" appears, and restart the computer with the command:

If you want to place the computer not in the default container Computers, but in a specific Organizational Unit, use the following PowerShell script:
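As an added example written for this page (not the article's own script), the following PowerShell checks the prerequisites listed earlier (DNS, domain controller reachability, clock skew) and then joins the computer into a specific OU with Add-Computer -OUPath. theitbros.com is the article's example domain; the OU, the port list and the 300-second skew limit are assumptions based on Kerberos and LDAP defaults.

```powershell
# Added example, not the article's script: pre-flight the join, then place the
# computer object in a specific OU instead of the default Computers container.
$Domain = 'theitbros.com'                          # the article's example domain
$OUPath = 'OU=Workstations,DC=theitbros,DC=com'    # assumed target OU

function Test-DomainJoinPrereqs {
    param([Parameter(Mandatory)][string]$Domain, [int]$MaxSkewSeconds = 300)
    $ok = $true

    # 1. The client's DNS server must answer the domain-locator SRV query.
    #    A hosts-file entry cannot, which is why pointing DNS at a DC fixes most joins.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        $dns = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses -join ', '
        Write-Warning "No DC SRV records for $Domain from DNS server(s): $dns"
        return $false
    }
    $dc = ($srv | Sort-Object Priority | Select-Object -First 1).NameTarget
    Write-Verbose "Testing against domain controller $dc"

    # 2. Kerberos (88), LDAP (389) and SMB (445) are used by the join itself.
    foreach ($port in 88, 389, 445) {
        if (-not (Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue)) {
            Write-Warning "TCP $port to $dc is blocked"
            $ok = $false
        }
    }

    # 3. Kerberos rejects authentication when client and DC clocks differ by more than 5 minutes.
    $line = w32tm /stripchart "/computer:$dc" /samples:1 /dataonly | Select-Object -Last 1
    if ($line -match '([+-]\d+\.\d+)s') {
        $skew = [math]::Abs([double]$Matches[1])
        if ($skew -gt $MaxSkewSeconds) { Write-Warning "Clock skew is ${skew}s"; $ok = $false }
    } else {
        Write-Warning "Could not read the time offset from $dc (w32tm output: $line)"
        $ok = $false
    }
    return $ok
}

if (Test-DomainJoinPrereqs -Domain $Domain -Verbose) {
    # Use an account delegated the right to create computer objects in $OUPath,
    # not a Domain Admin.
    $cred = Get-Credential -Message "Account allowed to join computers into $OUPath"
    Add-Computer -DomainName $Domain -OUPath $OUPath -Credential $cred -Verbose
    Restart-Computer
}

# After the reboot, from a machine with RSAT, confirm the object landed in the OU
# rather than in CN=Computers:
#   Get-ADComputer -Identity '<computername>' | Select-Object DistinguishedName
```

The skew parser assumes w32tm prints the offset with a decimal point; on locales that print a decimal comma, adjust the regular expression. If the SRV query fails, fix the client's DNS server setting first (as several comments at the top of this page found), rather than adding hosts-file entries.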



This course will transition you from working on a single computer to an entire fleet. Systems administration is the field of IT that’s responsible for maintaining reliable computers systems in a multi-user environment. In this course, you’ll learn about the infrastructure services that keep all organizations, big and small, up and running. We’ll deep dive on cloud so that you’ll understand everything from typical cloud infrastructure setups to how to manage cloud resources. You'll also learn how to manage and configure servers and how to use industry tools to manage computers, user information, and user productivity. Finally, you’ll learn how to recover your organization’s IT infrastructure in the event of a disaster. By the end of this course you’ll be able to: ● utilize best practices for choosing hardware, vendors, and services for your organization ● understand how the most common infrastructure services that keep an organization running work, and how to manage infrastructure servers ● understand how to make the most of the cloud for your organization ● manage an organization’s computers and users using the directory services, Active Directory, and OpenLDAP ● choose and manage the tools that your organization will use ● backup your organization’s data and know how to recover your IT infrastructure in the case of a disaster ● utilize systems administration knowledge to plan and improve processes for IT environments


Great and helped to do the course successfully and it was interesting the process and the way the course is designed to meet the capability to understand anyone has a basic knowledge in AD, DNS and DHCP

This chapter is very interesting since it describes a lot of the things that we have at the office running in the background but we never understood well. The material is well put together, congrats.

In the fourth week of this course, we'll learn about directory services. Specifically, we'll cover how two of the most popular directory services, Active Directory and OpenLDAP, work in action. We'll explore the concept of centralized management and how this can help SysAdmins maintain and support all the different parts of an IT infrastructure. By the end of this module, you will know how to add users, passwords, and use group policies in Active Directory and OpenLDAP.

To join a Business Storage Windows Server NAS to an Active Directory domain and grant domain users access rights to shared folders, perform the following steps.

Setting a static DNS server address

By default, the Windows Server NAS is configured to obtain an IP address and a DNS server address automatically. It is recommended to set a static IP address and DNS server address manually.
In this example, only a static DNS server address is set.

  1. Open Control Panel.
  2. Select View network status and tasks or Network and Sharing Center.
  3. Select Ethernet.
  4. Select Properties.
  5. Select IPv4 and click Properties.
  6. Select Use the following DNS server addresses.
  7. Enter the IP address of the domain controller (or DNS server) and click OK.

Joining the NAS device to the domain

  1. Open the Start menu.
    (Press Windows key + D to go to the desktop first.)
  2. Open File Explorer.
  3. Right-click the Computer icon and select Properties.
  4. Select Change settings.

Creating a shared folder and granting a domain user access rights to it

  1. Click the Server Manager icon in the upper left of the Windows screen.
  2. Select File and Storage Services.
  3. Select Shares and click To create a file share, start the New Share Wizard.

Assigning permissions and access rights on the shared folder to domain users

  1. Select Customize permissions.
  2. In the Advanced Security Settings window for the shared folder, go to the Share tab.
  3. Select Allow Everyone Full Control, click Remove, and then Apply.

Selecting a domain user

There are two ways to select a domain user.

  • Under Enter the object name to select, type the domain user name and click Check Names.
    You may be prompted for the credentials of a domain controller administrator account.
  • Select Advanced and click Find Now. A list of domain users is displayed. Select the user and click OK.
    You may be prompted for the credentials of a domain controller administrator account.

The following figure refers to the second method.

The user now appears as an object. Click OK.

Setting permissions for the user

  1. By default, only the Read and Execute permissions are set.
    Select Full Control and Change, and click OK.

In this blog I will explain how to join a Windows 11 computer into an Active-Directory domain.

You can add any supported Windows machine to an Active Directory domain. In this article you will find the steps to perform the domain join yourself.

If you host servers, applications, printers and software in Microsoft Azure, integrated with Azure AD then you may no longer need an Active-Directory environment. In a previous blog I also wrote how you can add devices without an Active-Directory environment.

Make sure your Windows 11 computer is connected to the domain controllers

Before you can add your Windows-11 computer to the domain, it is necessary that this computer has a direct connection to the domain controllers. It is also necessary that the computer can ‘resolve’ the DNS name of the domain.

Join a Windows 11 computer in an Active Directory domain

Press Settings > About.

Select Domain or workgroup to add your computer to an AD domain.

Then select Change.

Add the desired domain; it must be reachable from the internal network.

Enter credentials of a domain administrator

Enter the credentials of a domain administrator, or of an account that has been delegated the right to join computers to the domain (the safer choice), to add the Windows 11 computer to the Active Directory domain. After this step is completed, the computer is domain joined.

Restart your Windows 11 computer

Once your computer has restarted, you can authenticate with Active Directory accounts in Windows 11.

If you got Windows 11 machines running in your setup, you can join Windows 11 computer to domain. You can perform the Windows 11 domain join process using multiple methods.

When you set up an Active Directory Domain Controller server in your network, you can then join one or more Windows 11 machines to the Active Directory domain.

Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information.

If you are new to the concept of Active Directory, I recommend reading Overview of Active Directory Domain Services.

Using AD Domain Controller, you can centrally manage domain-joined Windows 11 PCs. You can create, configure and apply group policies to push various user and computer settings to a domain-joined Windows 11 computers.

In addition, you can also create and manage user accounts accessing the domain-joined Windows 11 computers and other resources of the Active Directory domain.

The steps used for Windows 11 domain join process is slightly different from the one that we used with Windows 10. However, it is not difficult and if you are a Windows admin, it shouldn’t make much difference.

You can join a Windows 11 computer to a domain using multiple methods.

  1. Manually join Windows 11 computer to Active Directory Domain.
  2. Using PowerShell, add the Windows 11 computer to the domain.
  3. Join Windows 11 computer to domain using command line.


Prerequisites for Windows 11 domain Join

If you are planning to add or join Windows 11 computer to AD domain, here are the basic requirements.

  1. In order for a computer or server to join a domain, there must be communication with a DNS server that can locate at least one Domain Controller (DC).
  2. To find if a Windows 11 computer can communicate with the Domain Controller, either ping the DC using the FQDN or IP address.
  3. For joining Windows 11 computer to AD domain, you need to log in to the computer with local administrator account.
  4. Know your domain name before joining the Windows 11 computer to domain.
  5. You need an account to join the existing Windows 11 computer to a domain. Learn how to delegate permissions to allow a user to join a computer to an AD Domain.

Method 1 – Manually Join Windows 11 Computer to Domain

The domain join process for Windows 11 is simple. To join a Windows 11 computer to an AD domain, log in to the machine as a local administrator. While joining, you must supply domain credentials that have the right to join computers to the domain; a domain administrator account works, but an account delegated only that right is the safer choice.

On your Windows 11 computer, click Start and select Settings.

Now select System and then select About.

The About screen shows the Windows 11 device specifications. Look for Related links and select Domain or workgroup.

You should now see the System Properties window. To rename the computer or change its domain or workgroup, click Change.

In this step, ensure your computer name is correct. You may change the computer name if required. Select Domain and enter the domain name your Windows 11 computer should join. Click OK.

To join your Windows 11 computer to the domain, you must enter credentials that are allowed to add the machine to the domain. Enter the username in the format domain\username and specify the password. Click OK.

If the supplied credentials are correct, the Windows 11 computer is added to the AD domain. "Welcome to the domainname domain" confirms that the Windows 11 computer has been successfully joined. Click OK.

After you join any Windows device to an AD domain, you must restart the computer. Click Restart Now.

After the reboot, do not log in with your local account. Instead, use your domain credentials to log in. Enter your domain credentials and press the Enter key.

Congratulations, you are now logged in to Windows 11 with your domain credentials. The computer is now part of the Active Directory domain.

Active Directory admins can see the newly joined computers by opening the Active Directory Users and Computers console and selecting the Computers container (or the OU the join targeted).

Method 2 – Add Windows 11 Computer to Domain using PowerShell

You can join a Windows 11 workgroup computer to AD domain using PowerShell.

When you setup Active Directory Domain Controller server in your network, you can then join one or more Windows clients to the Active Directory domain. You can centrally manage domain-joined PCs from domain controller. You can create, configure and apply group policies to push various user and computer settings to the domain-joined machine. Similarly, you can also create and manage user accounts accessing the domain-joined PCs and other resources of the Active Directory domain. This article shows steps to join Windows 10 to Domain.

Join Windows 10 to Domain

To join a Windows 10 machine to a domain, log in to the machine as a local administrator and, while joining, supply domain credentials that have the right to add computers to the domain.

Step 1. Log on to the Windows 10 machine. Open the Run dialog and type sysdm.cpl. This opens the System Properties dialog box.

Step 2. Under System Properties, select the Computer Name tab and click Change.

Step 3. In the Computer Name/Domain Changes dialog box, choose Domain under "Member of", enter the domain name of your AD domain, and click OK.

Step 4. Enter the credentials of a domain account that is allowed to join computers to the domain. This does not have to be the built-in Administrator or a member of Domain Admins: an account that has been delegated the right to create computer objects in the target OU (or that is within the domain's default computer-account quota) is sufficient, and is the safer choice. Click OK.

Step 5. Once you click OK, you will see the welcome message. Click OK.

Step 6. For the change to take effect you need to restart the PC. Click OK.

Step 7. You can see that the computer name is now an FQDN and the domain is mustbegeek.com. This means the PC is now joined to the domain mustbegeek.com. Click Close.

Step 8. Click Restart Now to restart the PC. After the PC restarts, you can log in with a domain user account.

You can also verify from the domain controller. Open Active Directory Users and Computers, expand the domain name and select the Computers container. The machine is listed there.

How do I detect whether the machine is joined to an Active Directory domain (versus in Workgroup mode)?


Don’t fool with pinvoke if you don’t have to.

Reference System.DirectoryServices, then call:

Throws an ActiveDirectoryObjectNotFoundException if the machine is not domain-joined. The Domain object that’s returned contains the Name property you’re looking for.

You can PInvoke to Win32 API’s such as NetGetDcName which will return a null/empty string for a non domain-joined machine.

Even better is NetGetJoinInformation which will tell you explicitly if a machine is unjoined, in a workgroup or in a domain.

Using NetGetJoinInformation I put together this, which worked for me:

Can also be called by using system.net

If the domain string is empty the machine isn’t bound.

That should allow you to get the domain. I believe it will be null or empty if you are part of a workgroup and not a domain.

Make sure to reference System.Management

Just wanted to drop Rob’s Code in VB:

As Well as Stephan’s code here:

I believe that only the second code will allow you to know what domain the machine joined, even if the current user IS NOT a domain member.

The Environment variables could work for you.

MSDN Link for some more details.

I’m not sure this environment variable exists without being in a domain.

Correct me if I’m wrong Windows Admin geeks — I believe a computer can be in several domains so it may be more important to know what domain, if any, you are in instead of it being in any domain.
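The same question answered from PowerShell, as an added example that is not part of any answer above: it combines the WMI/CIM approach and the System.DirectoryServices call the answers mention, and shows why the USERDNSDOMAIN environment variable alone is not a reliable signal. The role names are the documented Win32_ComputerSystem.DomainRole values; nothing else is assumed.

```powershell
# Added example, not code from any of the answers: is this machine domain-joined?
function Get-DomainJoinState {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Win32_ComputerSystem.DomainRole values 0-5
    $roles = 'Standalone Workstation', 'Member Workstation', 'Standalone Server',
             'Member Server', 'Backup Domain Controller', 'Primary Domain Controller'

    $state = [ordered]@{
        PartOfDomain  = $cs.PartOfDomain      # $true only when joined to an AD domain
        DomainRole    = $roles[$cs.DomainRole]
        Domain        = $cs.Domain            # DNS domain name if joined, else the workgroup name
        AdDomain      = $null                 # filled from the directory when a DC is reachable
        UserDnsDomain = $env:USERDNSDOMAIN    # comes from the logged-on user's account, not the machine
    }

    try {
        # Same call as the System.DirectoryServices answer. It needs a DC, so it fails
        # both when the machine is not joined and when it is joined but offline; the
        # exception type tells the two cases apart.
        $state.AdDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
    } catch {
        $state.AdDomain = "unavailable: $($_.Exception.GetType().Name)"
    }
    [pscustomobject]$state
}

# Decide on the machine's own membership (PartOfDomain), never on the user's
# variables: a local account on a joined machine has an empty USERDNSDOMAIN and a
# USERDOMAIN equal to the computer name, and a cached-logon user off-network still
# has them set even though no DC can be reached.
function Test-DomainJoined { (Get-DomainJoinState).PartOfDomain }

Get-DomainJoinState | Format-List
```

PartOfDomain and DomainRole come from the local LSA policy and work offline, which is what makes them the right primary check; the directory call is a useful secondary signal only when connectivity to a domain controller is expected.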

Organizations may need to join remote Windows devices to their Active Directory Domain. Netskope Private Access can be used to join devices to the domain or to authenticate new users on the device. By default, the Netskope Steering Client only begins steering traffic once an authenticated user has logged into the system. The device must therefore be deployed in IDP mode, with an email invite, or already be joined to the domain for the following flows to work.

Joining a Windows Machine to an Active Directory Domain

This requires a Netskope steering client deployed in IDP mode or using an email invite already installed on the machine. Users will initially logon with a local computer account.

You can join a Windows computer to an Active Directory Domain using the Windows UI or the command line. Instructions are below assuming the Netskope agent is installed and connected.

Ensure that a private application, Publisher, and allow policy have been configured in the Netskope UI. Sample configurations are below:


Log in to the computer using the local Windows account.

Open File Explorer.

Right-click This PC and then select Properties.


Under Computer Name, Domain, and Workgroup, click Change Settings .

Click Change…

Enter the domain info and click Ok .

Enter the credentials for the domain administrator or user that has rights to join to the domain.

When prompted reboot the computer.

Proceed to the section on cached credentials.

Updating Cached Credentials using Run As

Once a machine is domain joined, a new user can login to the machine by caching the credentials using Run As option in the Windows UI. Other methods are available such as using scripts or mapping a network drive using your username and password. To use the Run As.. command, follow the below instructions.

Log in to the machine using the local account or another domain joined user.

Hold shift and right-click Command Prompt or another program.

Select Run as different user .


Enter your Active Directory credentials.


After the program opens you may sign out of the local user or switch users and sign in with the new user.

Updating Cached Credentials using the Command Line

You can also run a program as another user from a PowerShell script. A sample PowerShell script is below that customers can use or modify as needed. Customers can configure this script to run via GPO or direct users to run it.

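The following is an added example written for this page, not Netskope's sample script. It performs the same interactive logon that "Run as different user" performs, from PowerShell, so that the new domain user's credentials are validated against a domain controller over the tunnel and cached locally, and it first checks that the machine is actually configured to cache domain logons. The domain name is an assumption.

```powershell
# Added example, not Netskope's script: cache a new domain user's credentials on a
# joined machine by performing an interactive logon from PowerShell.
$Domain = 'corp.example'   # assumed domain name

function Get-CachedLogonsCount {
    # Winlogon\CachedLogonsCount is how many domain logons Windows keeps for sign-in
    # when no DC is reachable. The default is 10; a value of 0 disables caching and
    # would make this whole flow pointless.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $v = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $v) { 10 } else { [int]$v }
}

function New-CachedDomainLogon {
    param([Parameter(Mandatory)][pscredential]$Credential)
    if ((Get-CachedLogonsCount) -eq 0) {
        throw 'CachedLogonsCount is 0 on this machine; domain logons will not be cached.'
    }
    # Start-Process -Credential uses the same secondary-logon path as runas /user:
    # an interactive logon validated against a DC, which populates the local cache.
    # The Secondary Logon service (seclogon) must be running for this to work.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" -ArgumentList '/c', 'exit 0' `
             -Credential $Credential -PassThru -Wait
    if ($p.ExitCode -ne 0) { throw "Logon process exited with code $($p.ExitCode)" }
    "$($Credential.UserName) logged on interactively; credentials are now cached."
}

New-CachedDomainLogon -Credential (Get-Credential -Message "Enter $Domain\username and password")
```

The user's profile is still created at their first real sign-in; this step only ensures the sign-in can succeed while the Netskope client has not yet started steering traffic for that user.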

Computer accounts (computer objects) represent devices that have been joined to AD. They are stored in the AD database once the device connects to the domain. The object is needed to apply GPOs to the device, to keep track of its updates if you have WSUS installed, and, most importantly, to establish secure authentication for users logging into Windows.

To join a workstation to a domain, the device must be able to reach the domain controllers, either on the same network or through a VPN. In either case the device must be able to resolve the name of the AD domain. In practice this means the client's DNS server setting must point at a DNS server that hosts the domain's zone (typically a domain controller); DHCP can hand out that address. An entry in the hosts file is not a substitute, because the domain locator needs the SRV records (for example _ldap._tcp.dc._msdcs.<domain>) that only DNS can return.

How to Join a Computer to the Domain

It is possible to join a computer to the domain in three different ways, lets see how to do this on practice.

Joining the Domain with the GUI

In order to join a Windows server to AD, perform the following steps:

Right-click the Start button (or press Windows+X) and select System. Scroll to the bottom and click "System info". Then click "Change settings" next to the computer name, and in the window that appears click Change...

In the Computer Name/Domain Changes window, select Domain under "Member of", type the DNS domain name, and click OK. Enter the credentials of an account that has the right to join computers to the domain, and click OK three times.

Click Close and then Restart Now. Congratulations, your workstation has joined the domain!

Joining Domain Using Windows PowerShell

The easiest way to add a Windows-based device to an Active Directory is Powershell and Add-Computer cmdlet:

Add-Computer -DomainName office.com -Credential OFFICE\Administrator
Restart-Computer

How to Rename a Computer Account

Renaming a computer is pretty easy task to accomplish, it can be done three different ways.

Renaming Computer in the Settings

In Windows Server it can be done similar to joining into the domain but this time we will do it a little bit differently.

Right-click the Start button (or press Windows+X) and select System. Click Rename this PC and enter a new name for the device according to your naming policy.

Click Next, enter your domain admin credentials if your computer is already inside the domain and then restart your server. You will have a server with new name after the restart.

Renaming Computer in the Cmd.exe

Renaming a computer from the command prompt is an easy task; run the following on the target computer (on a domain member, add /userd:DOMAIN\user /passwordd:* so that the rename can also update the computer object in AD):

netdom.exe renamecomputer localhost /newname:WKS033 /reboot

Renaming Computer with Windows PowerShell

Windows PowerShell allows to rename a computer in seconds by typing two short commands on a target machine:

You can join a storage virtual machine (SVM) to an Active Directory domain without deleting the existing SMB server by modifying the domain using the vserver cifs modify command. You can rejoin the current domain or join a new one.

The SVM must already have a DNS configuration.

The DNS configuration for the SVM must be able to serve the target domain.

The DNS servers must contain the service location records (SRV) for the domain LDAP and domain controller servers.

The administrative status of the CIFS server must be set to “down” to proceed with Active Directory domain modification.

If the command completes successfully, the administrative status is automatically set to “up”.

When joining a domain, this command might take several minutes to complete.

Join the SVM to the CIFS server domain: vserver cifs modify -vserver vserver_name -domain domain_name -status-admin down

For more information, see the man page for the vserver cifs modify command. If you need to reconfigure DNS for the new domain, see the man page for the vserver dns modify command.

In order to create an Active Directory machine account for the SMB server, you must supply the name and password of a Windows account with sufficient privileges to add computers to the ou=example ou container within the example.com domain.

Beginning with ONTAP 9.7, your AD administrator can provide you with a URI to a keytab file as an alternative to providing you with a name and password to a privileged Windows account. When you receive the URI, include it in the -keytab-uri parameter with the vserver cifs commands.

Verify that the CIFS server is in the desired Active Directory domain: vserver cifs show


The aim of a granular delegation concept is to assign only those rights that are necessary for the operation of the assigned role.

Principle of least privilege to join the Active Directory Domain

We could give Domain Admin permissions to every admin. Every admin could then do their work, and that would be it.
But the question is: do we really want to give Domain Admin rights to every helpdesk employee?
I don’t think so. This leads to the question: which authorizations are really essential for joining a computer?

Computer objects must be “prestaged”

A requirement for this delegation: computer objects must be “prestaged”.
That means that empty computer objects have to be created in the proper OU by a central authority in advance. I can only recommend this.
Without “prestaged” computer objects, all new objects are placed in the domain’s default Computers container (unless you changed the default container, as described in Tim’s article).
From there they have to be moved to the proper target OU.

To move computer objects to the target OU you need:

  • Delete-authorization for the computer container
  • Create-authorization for the target OU

These high-ranking authorizations should be avoided.

Necessary delegations for the target OU

The following delegations are needed for the target-OU containing the “prestaged” computer-objects:

Apply to: Descendant Computer objects
Allow: Reset password
Allow: Validated write to DNS host name
Allow: Validated write to service principal name
Allow: Read account restrictions
Allow: Write account restrictions
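As an added example (not part of the original article), the delegation listed above applied with PowerShell. It assumes the ActiveDirectory module, a target OU named OU=Workstations,DC=example,DC=com and a group named Helpdesk-Joiners, both placeholders. The rights GUIDs are looked up from the forest’s Extended-Rights and Schema containers rather than hardcoded, and every ACE is scoped to descendant computer objects only, which is exactly the “Apply to: Descendant Computer objects” setting in the list.

```powershell
# Added example: delegate only the rights needed to join prestaged computer objects.
# Placeholders: OU DN and group name; run as an account allowed to edit the OU's ACL.
Import-Module ActiveDirectory

$ouDN  = 'OU=Workstations,DC=example,DC=com'   # target OU holding prestaged computer objects
$group = 'Helpdesk-Joiners'                     # group that receives the delegation

$rootDse  = Get-ADRootDSE
$groupSid = (Get-ADGroup -Identity $group).SID

# controlAccessRight objects (extended rights, validated writes, property sets) carry rightsGuid
function Get-RightsGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.ConfigurationNamingContext `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" `
        -Properties rightsGuid
    if (-not $obj) { throw "controlAccessRight '$DisplayName' not found in the forest" }
    [guid]$obj.rightsGuid
}

# the 'computer' class carries schemaIDGUID; used to limit inheritance to computer objects
$computerGuid = [guid](Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

$R       = [System.DirectoryServices.ActiveDirectoryRights]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# One ACE per line of the delegation list; all apply to descendant computer objects only.
$aces = @(
    # Allow: Reset password (extended right)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, $R::ExtendedRight, $allow,
        (Get-RightsGuid 'Reset Password'), $inherit, $computerGuid)
    # Allow: Validated write to DNS host name ("Self" = validated write)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, $R::Self, $allow,
        (Get-RightsGuid 'Validated write to DNS host name'), $inherit, $computerGuid)
    # Allow: Validated write to service principal name
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, $R::Self, $allow,
        (Get-RightsGuid 'Validated write to service principal name'), $inherit, $computerGuid)
    # Allow: Read + Write account restrictions (property set)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid, ($R::ReadProperty -bor $R::WriteProperty), $allow,
        (Get-RightsGuid 'Account Restrictions'), $inherit, $computerGuid)
)

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show what the group now holds on the OU (expect four Allow entries, InheritedObjectType = computer GUID)
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Because the group gets no Create Child or Delete Child right on the OU or on the Computers container, a member can only take over an object that was prestaged there by the central authority, which is the point of the concept.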

Now I need to reestablish the membership of the PC in the domain. But since I can’t log on, I can’t change either the computer name or the domain membership.

  • How can I re-trust PC and domain?
  • Can I add or renew the membership from the domain controllers console?

Edit:

There are no active local accounts on the machine that I could use to logon.


This trick comes to me via my Active Directory study group. I suggest that everyone join a user group and/or a study group. It’s not that we don’t know AD, it’s that we forget or miss new features. A refresher course is fun too.

Occasionally a computer will come “disjoined” from the domain. The symptoms can be that the computer can’t log in when connected to the network, a message that the computer account has expired, the domain certificate is invalid, etc. These all stem from the same problem, and that is that the secure channel between the computer and the domain is hosed. (That’s a technical term. Smile.)

The classic way to fix this problem is to unjoin and rejoin the domain. Doing so is kind of a pain because it requires a couple of reboots and the user profile isn’t always reconnected. Ewe. Further if you had that computer in any groups or assigned specific permissions to it those are gone because now your computer has a new SID, so the AD doesn’t see it as the same machine anymore. You’ll have to recreate all of that stuff from the excellent documentation that you’ve been keeping. Uh, huh, your excellent documentation. Double Ewe.

Instead of doing that we can just reset the secure channel. There are a couple of ways to do this:
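As an added example (not part of the answer above), the in-place secure channel reset it describes, scripted so that the non-destructive check runs first and the computer account and its SID are kept. It assumes an elevated PowerShell session on the affected machine (a cached domain logon or a local administrator account; the question’s scenario with no usable local account is outside what this can do), and the domain name office.com is a placeholder.

```powershell
# Added example: test and repair the machine's secure channel without unjoining/rejoining.
# Placeholder domain name; run elevated on the affected computer.
function Repair-DomainSecureChannel {
    param([Parameter(Mandatory)][string]$Domain)

    # 1. Non-destructive check: does the local machine account password still match the DC's copy?
    if (Test-ComputerSecureChannel) {
        Write-Host "Secure channel to $Domain is healthy; nothing to do."
        return $true
    }

    # Diagnostics: which DC the Netlogon service last talked to and the channel status flags
    & nltest.exe /sc_query:$Domain | Write-Host

    # 2. Repair in place. The account needs only the right to reset this computer's
    #    password in AD (the "Reset password" delegation), not Domain Admin.
    $cred = Get-Credential -Message "Account allowed to reset this computer's password in $Domain"
    if (Test-ComputerSecureChannel -Repair -Credential $cred) {
        Write-Host "Secure channel repaired. Log off and on again; no reboot or rejoin needed."
        return $true
    }

    # 3. Fallback: force a fresh machine account password, then re-test.
    Write-Warning "Repair failed; forcing a new machine account password."
    Reset-ComputerMachinePassword -Credential $cred
    return (Test-ComputerSecureChannel)
}

# usage
Repair-DomainSecureChannel -Domain 'office.com'
```

Group memberships and permissions granted to the computer survive because the object in AD is never deleted, which is the advantage over unjoin/rejoin that the answer points out.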

Once you’ve setup your Active Directory server, you will be ready to join your Active Directory domain. This can be done on the Windows clients that will be used in your network. You could also have a Windows Server machine as a client of your domain.

For a Windows client to be able to join a domain, you will need one of the following editions:

  • Professional
  • Enterprise
  • Ultimate

Step 1: Setting your DNS servers

First off, you will need to set your DNS servers to those of your domain controller. Every primary domain controller has to host a DNS server, so yours does too. Your Windows client will need to be able to contact Active Directory, and it can only do so if its DNS servers are set to those of a domain controller.

In order to do that, go to “Network and Sharing Center”, click “Change adapter settings” in the sidebar. Choose your connection, and click “Change settings of this connection”. In the list that will appear, find: “Internet Protocol Version 4 (TCP/IPv4)”. Click “Properties” once it’s selected. In the “General” tab, you will be able to change your DNS servers. Usually, it’s set to “Obtain DNS server address automatically”. We will need to change that to “Use the following DNS server addresses”, so check that. You will now be able to set the preferred and alternate DNS server.

The preferred DNS server should always be the DNS server on your domain controller, so enter the IP address of your domain controller in that field. The alternate DNS server is not something we’ll really need, so just set that to a random address. A lot of people tend to set it to “8.8.8.8” (Google’s DNS server). Once you’ve done that, click “OK”.

Step 2: Joining the Active Directory domain

Your Windows client should now be able to contact Active Directory. At this point, we need to join the server or computer to the Active Directory domain. In order to do this, go to “This PC -> System properties”. In the sidebar, you should see an option called “Advanced system settings”. This will open the tab “Advanced”. Click “Computer Name”.

You will see the following option:

There will be a button labeled “Change…” next to it. Aside from being able to change the computer name, you can also change what the computer will be a member of. There are two choices:

  • Domain
  • Workgroup

Naturally, we are going to choose “Domain” as we want to join an Active Directory domain. So check “Domain” and enter the domain that you want to join. If this domain exists, you will be asked to enter a username and password in order to join the domain.

If you get the following message, though:

It means that the domain was either not typed correctly, the DNS servers are not set correctly, or the domain does not exist. Please confirm that all of these are correct!
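Steps 1 and 2 above, and the Add-Computer join from the PowerShell section earlier on this page, as one added example (not the tutorial’s own code). The domain office.com, the domain controller address 192.0.2.10 and the adapter alias Ethernet are placeholders. The extra step is the SRV lookup: a domain that can be joined publishes _ldap._tcp.dc._msdcs.<domain> records on its DNS server, and when that lookup fails you get the “domain could not be contacted” message described above. This is also why a public resolver as the alternate DNS server is a weak choice: it cannot answer these lookups, so if the preferred server is ever unreachable the client falls over to a server that cannot find the domain.

```powershell
# Added example: Step 1 (DNS), a pre-flight SRV check, then Step 2 (join) from PowerShell.
# Placeholders: domain name, DC address, adapter alias. Run elevated on the client.
$Domain    = 'office.com'
$DcAddress = '192.0.2.10'
$Adapter   = 'Ethernet'

# Step 1: point the client's DNS at the domain controller's DNS server and drop stale answers.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DcAddress
Clear-DnsClientCache

# Pre-flight: the DNS server must hold the DC locator SRV records, and a listed DC must answer LDAP.
function Test-DomainDns([string]$Domain, [string]$Server) {
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                   -Server $Server -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "No DC SRV records for '$Domain' via ${Server}: $($_.Exception.Message)"
        Write-Warning "Check the domain spelling and that $Server is really the DC's DNS server."
        return $false
    }
    if (-not $srv) { Write-Warning "Lookup succeeded but returned no SRV records."; return $false }

    foreach ($rec in $srv) {
        $tcp = Test-NetConnection -ComputerName $rec.NameTarget -Port 389 -WarningAction SilentlyContinue
        if ($tcp.TcpTestSucceeded) {
            Write-Host "DC $($rec.NameTarget) answers on LDAP/389."
            return $true
        }
        Write-Warning "DC $($rec.NameTarget) found in DNS but not reachable on 389 (firewall?)."
    }
    return $false
}

# Step 2: join only once DNS is proven good; Add-Computer then asks AD for the join.
if (Test-DomainDns -Domain $Domain -Server $DcAddress) {
    $cred = Get-Credential -Message "Account allowed to join computers to $Domain"
    try {
        Add-Computer -DomainName $Domain -Credential $cred -ErrorAction Stop
        Write-Host "Joined $Domain; restarting to complete the join."
        Restart-Computer
    } catch {
        Write-Error "Join failed: $($_.Exception.Message)"
    }
} else {
    Write-Error "Not joining: DNS for '$Domain' is not usable from this client."
}
```

If the computer object was prestaged in the target OU as described in the delegation section above, the credential supplied to Add-Computer only needs the delegated rights on that OU, not Domain Admin.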