The default configuration of Windows Server 2003, and all Microsoft Windows operating systems, is that the computer belongs to a workgroup. In a workgroup, a Windows NT–based computer (which includes Windows NT 4, Windows 2000, Windows XP, and Windows Server 2003) can authenticate users only from its local Security Accounts Manager (SAM) database. It is a stand-alone system, for all intents and purposes. Its workgroup membership plays only a minor role, specifically in the browser service. Although a user at that computer can connect to shares on other machines in a workgroup or in a domain, the user is never actually logged on to the computer with a domain account.
Before you can log on to a computer with your domain user account, that computer must belong to a domain. The two steps necessary to join a computer to a domain are, first, to create an account for the computer and, second, to configure the computer to join the domain using that account. This lesson will focus on the skills related to the creation of computer accounts and joining computers to domains. The next lesson will explore, in more depth, the computer accounts themselves.
Computers maintain accounts, just as users do, that include a name, password, and security identifier (SID). Those properties are incorporated into the computer object class within Active Directory. Preparing for a computer to be part of your domain is therefore a process strikingly similar to preparing for a user to be part of your domain: you must create a computer object in Active Directory.
After this lesson, you will be able to
■ Create computer accounts using Active Directory Users And Computers
■ Create computer accounts using the DSADD command-line tool
■ Create computer accounts using the NETDOM command-line tool
■ Join a computer to a domain by changing the network identification properties
■ Understand the importance of creating computer accounts prior to joining a domain
Estimated lesson time: 20 minutes
Creating Computer Accounts
You must be a member of the Administrators or Account Operators groups on the domain controllers to create a computer object in Active Directory. Domain Admins and Enterprise Admins are, by default, members of the Administrators group. Alternatively, it is possible to delegate administration so that other users or groups can create computer objects.
However, domain users can also create computer objects through an interesting, indirect process. When a computer is joined to the domain and an account does not exist, Active Directory creates a computer object automatically, by default, in the Computers OU. Each user in the Authenticated Users group (which is, in effect, all users) is allowed to join 10 computers to the domain, and can therefore create as many as 10 computer objects in this manner.
Creating Computer Objects Using Active Directory Users and Computers
To create a computer object, or “account,” open Active Directory Users And Computers and select the container or OU in which you want to create the object. From the Action menu or the right-click shortcut menu, choose the New–Computer command. The New Object–Computer dialog box appears, as illustrated in Figure 5-1.
Figure 5-1 The New Object–Computer dialog box
In the New Object–Computer dialog box, type the computer name. Other properties in this dialog box will be discussed in the following lesson. Click Next. The following page of the dialog box requests a GUID. A GUID is used to prestage a computer account for Remote Installation Services (RIS) deployment, which is beyond the scope of this discussion. It is not necessary to enter a GUID when creating a computer account for a machine you will be joining to the domain using other methods. So just click Next and then click Finish.
Creating Computer Objects Using DSADD
Chances are, this is something you’ve done before. But before you decide there’s nothing new under the sun, note that Windows Server 2003 provides a useful command-line tool, DSADD, which allows you to create computer objects from the command prompt or a batch file.
In Chapter 2, “Administering Microsoft Windows Server 2003,” you used DSADD to create user objects. To create computer objects, simply type dsadd computer ComputerDN, where ComputerDN is the distinguished name (DN) of the computer, such as CN=Desktop123,OU=Desktops,DC=contoso,DC=com.
If the computer’s DN includes a space, surround the entire DN with quotation marks. The ComputerDN… parameter can include more than one distinguished name for new computer objects, making DSADD Computer a handy way to generate multiple objects at once. The parameter can be entered in one of the following ways:
■ By piping a list of DNs from another command, such as dsquery.
■ By typing each DN on the command line, separated by spaces.
■ By leaving the DN parameter empty, at which point you can type the DNs, one at a time, at the keyboard console of the command prompt. Press ENTER after each DN. Press CTRL+Z and ENTER after the last DN.
The DSADD Computer command can take the following optional parameters after the DN parameter:
■ -samid SAMName
■ -desc Description
■ -loc Location
Creating a Computer Account with NETDOM
The NETDOM command is available as a component of the Support Tools, installable from the Support\Tools directory of the Windows Server 2003 CD. The command is also available on the Windows XP and Windows 2000 CDs. Use the version that is appropriate for the platform. NETDOM allows you to perform numerous domain account and security tasks from the command line.
To create a computer account in a domain, type the following command:
netdom add ComputerName /domain:DomainName /userd:User /PasswordD:UserPassword [/ou:OUDN]
This command creates the computer account for ComputerName in the domain DomainName using the domain credentials User and UserPassword. The /ou parameter causes the object to be created in the OU specified by the OUDN distinguished name following the parameter. If no OUDN is supplied, the computer account is created in the Computers OU by default. The user credentials must, of course, have permissions to create computer objects.
Joining a Computer to a Domain
A computer account alone is not enough to create the secure relationship required between a domain and a machine. The machine must join the domain.
To join a computer to the domain, perform the following steps:
1. Open the computer’s Computer Name properties. These properties can be accessed in several ways:
❑ Right-click My Computer and choose Properties. Click the Computer Name tab.
❑ Open Control Panel, select System, and in the System Properties dialog box, click the Computer Name tab.
❑ Open the Network Connections folder from Control Panel and choose the Network Identification command from the Advanced menu.
Note: The Computer Name tab is called Network Identification on Windows 2000 systems. The Change button is called Properties. The functionality is, however, identical.
2. On the Computer Name tab, click Change. The Computer Name Changes dialog box, shown in Figure 5-2, allows you to change the name and the domain and workgroup membership of the computer.
Exam Tip: You will not be able to change a computer’s name or membership if you are not logged on with administrative credentials on that system. Only users who belong to the local Administrators group will find the Change button enabled and functional.
Figure 5-2 The Computer Name Changes dialog box
3. In the Computer Name Changes dialog box, click Domain and type the name of the domain.
Tip: Although the NetBIOS (flat) domain name may succeed in locating the target domain, it is best practice to enter the DNS name of the target domain. DNS configuration is critical to a Windows 2000, Windows XP, or Windows Server 2003 computer. By using the DNS domain name, you leverage the preferred name resolution process and test the computer’s DNS configuration. If the computer is unable to locate the domain you’re attempting to join, ensure that the DNS server entries configured for the network connection are correct.
4. Click OK. The computer contacts the domain controller. If there is a problem connecting to the domain, examine network connectivity and configuration, as well as DNS configuration.
When the computer successfully contacts the domain, you will be prompted, as in Figure 5-3, for a user name and password with privileges to join the domain. Note that the credentials requested are your domain user name and password.
Figure 5-3 Prompt for credentials to join domain
If you have not created a domain computer account with a name that matches the computer’s name, Active Directory creates an account automatically in the default Computers container. Once a domain computer account has been created or located, the computer establishes a trust relationship with the domain, alters its SID to match that of the account, and makes modifications to its group memberships. The computer must then be restarted to complete the process.
Note: The NETDOM JOIN command can also be used to join a workstation or server to a domain. Its functionality is identical to the Computer Name Changes user interface, except that it also allows you to specify the OU in which to create an account if a computer object does not already exist in Active Directory.
The Computers Container vs. OUs
The Computers container is the default location for computer objects in Active Directory. After a domain is upgraded from Windows NT 4 to Windows 2000, all computer accounts are found, initially, in this container. Moreover, when a machine joins the domain and there is no existing account in the domain for that computer, a computer object is created automatically in the Computers container.
Tip: The Microsoft Windows Server 2003 Resource Kit includes the REDIRCOMP tool, which allows you to redirect the creation of automatic computer objects to an OU of your choice. The domain must be in Windows Server 2003 Domain functionality, meaning that all domain controllers must be running Windows Server 2003. Such a tool is useful to organizations in which computer account creation is less tightly controlled. Because automatically created computer objects are created in an OU, they can be managed by policies linked to that OU. See the Windows Server 2003 Resource Kit for more information on REDIRCOMP.
Although the Computers container is the default container for computer objects, it is not the ideal container for computer objects. Unlike OUs, containers such as Computers, Users and Builtin cannot be linked to policies, limiting the possible scope of computer-focused group policy. A best-practice Active Directory design will include at least one OU for computers. Often, there are multiple OUs for computers, based on administrative division, region, or for the separate administration of laptops, desktops, file and print servers, and application servers. As an example, there is a default OU for Domain Controllers in Active Directory, which is linked to the Default Domain Controller Policy. By creating one or more OUs for computers, an organization can delegate administration and manage computer configuration, through group policy, more flexibly.
If your organization has one or more OUs for computers, you must move any computer objects created automatically in the Computers container into the appropriate OU. To move a computer object, select the computer and choose Move from the Action menu. Alternatively, use the new drag-and-drop feature of the MMC to move the object.
Tip: Because a computer object in the Computers OU will not be governed by the group policies linked to the OUs your organization has created specifically for computers, and because it requires an extra step to move a computer object from the Computers OU into the appropriate OU, it is recommended that you create computer objects before joining the computer to the domain. You can create the computer object in the correct OU initially, so that once the system joins the domain it is immediately governed by the policies linked to that OU.
You can also move a computer object, or any other object, with the DSMOVE command. The syntax of DSMOVE is:
dsmove ObjectDN [-newname NewName] [-newparent ParentDN]
The -newname parameter allows you to rename an object. The -newparent parameter allows you to move an object. To move a computer named DesktopABC from the Computers container to the Desktops OU, you would type the following:
dsmove "CN=DesktopABC,CN=Computers,DC=Contoso,DC=com" -newparent "OU=Desktops,DC=Contoso,DC=com"
In this command you again see the distinction between the Computers container (CN) and the Desktops organizational unit (OU).
You must have appropriate permissions to move an object in Active Directory. Default permissions allow Account Operators to move computer objects between containers including the Computers container and any OUs except into or out of the Domain Controllers OU. Administrators, which include Domain Admins and Enterprise Admins, can move computer objects between any containers, including the Computers container, the Domain Controllers OU, and any other OUs.
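The cleanup this section describes can be scripted; the following is an added example, not part of the original lesson. It reads the quoted DNs that dsquery computer prints, finds computer objects still in the default Computers container (where no OU-linked policy applies), and prints a dsmove command for each so they can be reviewed. The sample output, the machine names other than DesktopABC and Desktop123, and the target OU are constructed.

```python
# Added example: audit dsquery output for computers left in the default container.
# Constructed sample of what `dsquery computer domainroot` prints: one quoted DN per line.
SAMPLE_DSQUERY_OUTPUT = r'''
"CN=DesktopABC,CN=Computers,DC=contoso,DC=com"
"CN=Desktop123,OU=Desktops,DC=contoso,DC=com"
"CN=Lab PC 7,CN=Computers,DC=contoso,DC=com"
"CN=Kiosk9,OU=Sales\, East,DC=contoso,DC=com"
"CN=OldPC,CN=Computers,OU=Legacy,DC=contoso,DC=com"
'''

def split_dn(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            cur, escaped = cur + ch, True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts

def parse_dsquery(text):
    """Return the DNs from dsquery output, without the surrounding quotes."""
    return [ln.strip().strip('"') for ln in text.splitlines() if ln.strip()]

def in_default_container(dn):
    """True if the object's parent is CN=Computers directly under the domain."""
    rdns = [r.strip().upper() for r in split_dn(dn)]
    return (len(rdns) > 2 and rdns[1] == "CN=COMPUTERS"
            and all(r.startswith("DC=") for r in rdns[2:]))

def dsmove_commands(text, target_ou):
    """Build one dsmove command per computer still in the Computers container."""
    return ['dsmove "%s" -newparent "%s"' % (dn, target_ou)
            for dn in parse_dsquery(text) if in_default_container(dn)]

if __name__ == "__main__":
    # Target OU is an assumption; review the printed commands before running them.
    for cmd in dsmove_commands(SAMPLE_DSQUERY_OUTPUT, "OU=Desktops,DC=contoso,DC=com"):
        print(cmd)
```

Each DN is quoted in the generated command, so names containing spaces are passed to dsmove as a single argument.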