what happens when a computer joins a domain?

  • Thread starter: x_coder
Hi

Not too sure if this is what you're looking for, but here goes.
How Domain Controllers Are Located in Windows
Windows Xp => http://support.microsoft.com/?id=314861
Windows 2000 => http://support.microsoft.com/?id=247811

These articles describe the mechanism used by Windows to locate a domain
controller in a Windows-based domain.

Regards
Paul du Toit

Hi,

Here is some additional info concerning permissions for joining computers to a
domain that you might be interested in.

#######################
Using the Delegation of Control Wizard you can delegate the creation
of computer accounts to the domain. This does not mean the same
user/group can also JOIN the computer to the domain. In the
DELEGWIZ.INF file (%WINDIR%\INF) look at template 6.
By default the "AppliesToClasses" is set to "domainDNS" (case
sensitive and without quotes). With this you can only delegate computer
account creation at domain level. Change that to
"domainDNS,organizationalUnit,container" (case sensitive and without
quotes) and you will be able to delegate at OU level.

If you delegate the creation of computer accounts to a group (e.g.
GROUP-CREATE-COMPOBJ), the member of that group that creates the
computer becomes the owner of the computer account and automatically
receives the right to join a computer with that name to the domain.
The other members of that group will not be able to join the computer
to the domain. In this case only the user that created the computer
account will be able to join the computer. Let's say you have another
group called GROUP-JOIN-COMP that is allowed to join computers (not create
computer accounts) to the domain. The user who creates the computer
account has the possibility to designate which user or group gets the
rights to join the computer to the domain with the option "The
following group or user can join this computer to a domain" (this
is by default the Domain Admins group). The group mentioned in that option
will be able to join the computer to the domain. In my opinion that is
a lot of work just to create a computer account and join it.

It is however possible to pre-configure the option called "The
following group or user can join this computer to a domain" (which is
by default the Domain Admins group).

Add to the DELEGWIZ.INF file (%WINDIR%\INF) a NEW template you can use
to delegate the task of JOINING COMPUTERS TO THE DOMAIN (not the
creation of computer accounts). The minimum rights are mentioned below!

REPLACE THE X with a NUMBER!

;----------------------------------------------------------
[templateX]
AppliesToClasses = domainDNS,organizationalUnit,container

Description = "Join a computer to the domain in an OU (computer account pre-created)"

ObjectTypes = computer

; the section name must match the template number you chose above
[templateX.computer]
;Right to join computers to domain
CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name","Account Restrictions"
;----------------------------------------------------------

This way you can delegate the creation of computer accounts to group1
and the joining of the computers to group2.

It is also possible that you have a group of people who create
computer accounts and also join them. To enable everyone in that
group to create computer accounts and join the computers to the
domain, independent of who created the computer accounts, replace TEMPLATE
6 with what is mentioned below, or perform the delegation twice with the
additional task created above! If you want to join a computer to the
domain in a specific OU and the computer account has not been
pre-created, you cannot use the GUI at the computer. For this you must
use the tool NETDOM so you can specify the OU the computer account
must reside in! The latter is only possible when you at least
have the right to create a computer object in the designated OU.
Joining will also be possible because you automatically become the
owner of the computer account!

;----------------------------------------------------------
[template6]
AppliesToClasses = domainDNS,organizationalUnit,container

Description = "Add and/or join a computer to the domain in an OU (computer)"

ObjectTypes = SCOPE, computer

[template6.SCOPE]
;Right to create computer objects
computer=CC

[template6.computer]
;Right to join computers to domain
CONTROLRIGHT= "Reset Password","Validated write to DNS host name","Validated write to service principal name","Account Restrictions"
;----------------------------------------------------------

#######################
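The same delegation the post above builds through DELEGWIZ.INF can be applied directly to an OU's ACL with PowerShell, which is handy when you want it scripted or want to verify what the wizard actually wrote. The script below is an added example, not code from the original thread: it grants the four join rights the post lists (Reset Password, Validated write to DNS host name, Validated write to service principal name, Account Restrictions) on descendant computer objects to one group, and Create Child for the computer class on the OU itself to a second group. It assumes the ActiveDirectory RSAT module, an account allowed to modify the OU's ACL, and the placeholder OU `OU=Workstations,DC=example,DC=com`; the group names are the ones used in the post. The GUIDs for the rights and the computer class are resolved from the forest's Extended-Rights container and schema rather than hard-coded.

```powershell
# Added example (not from the original post): delegate "create computer
# accounts" and "join pre-created computer accounts" on one OU.
# Assumes the ActiveDirectory module and rights to modify the OU's ACL.
Import-Module ActiveDirectory

$OuDn        = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$JoinGroup   = 'GROUP-JOIN-COMP'                     # group names from the post
$CreateGroup = 'GROUP-CREATE-COMPOBJ'

$rootDse = Get-ADRootDSE

# Look up a control access right / validated write / property set by its
# display name in CN=Extended-Rights and return its rightsGuid.
function Get-RightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}

# Look up a schema class (here: computer) and return its schemaIDGUID.
function Get-ClassGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}

$computerClass = Get-ClassGuid 'computer'
$joinSid       = (Get-ADGroup $JoinGroup).SID
$createSid     = (Get-ADGroup $CreateGroup).SID

$acl = Get-Acl -Path "AD:\$OuDn"

# 1) Join rights: the four controls the post lists. Each ACE is scoped to
#    descendant objects of class computer only (inheritedObjectType).
#    Validated writes use the "Self" right, property sets use Read/WriteProperty,
#    Reset Password is an extended right.
$joinRights = @(
    @{ Name = 'Reset Password';                            Type = 'ExtendedRight' }
    @{ Name = 'Validated write to DNS host name';          Type = 'Self' }
    @{ Name = 'Validated write to service principal name'; Type = 'Self' }
    @{ Name = 'Account Restrictions';                      Type = 'ReadProperty, WriteProperty' }
)
foreach ($r in $joinRights) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $joinSid,
        [System.DirectoryServices.ActiveDirectoryRights]$r.Type,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-RightGuid $r.Name),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerClass)
    $acl.AddAccessRule($ace)
}

# 2) Create rights: CreateChild restricted to the computer class, on the OU
#    itself (the "computer=CC" line in template6.SCOPE).
$createAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $createSid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($createAce)

Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: list the ACEs that now name either group on the OU.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$JoinGroup" -or $_.IdentityReference -like "*\$CreateGroup" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

A member of GROUP-CREATE-COMPOBJ can then pre-create the account in that OU from the workstation with `netdom join <computer> /domain:<domain> /OU:"OU=Workstations,DC=example,DC=com" /userd:<user> /passwordd:*` (or `Add-Computer -DomainName <domain> -OUPath 'OU=Workstations,DC=example,DC=com' -Credential <user>`), while a member of GROUP-JOIN-COMP can join any pre-created account in the OU regardless of who created it, because the join ACEs are granted to the group rather than inherited through ownership. Note that the Account Restrictions property set is needed because the join resets userAccountControl on the account; without it the join fails with an access denied even though the password reset succeeds.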