Difference between revisions of "Joining a Windows Client or Server to a Domain"

(Add Windows server versions to the list, as they are also able to be joined as a domain member)
m (/* added Windows 2019 as domain member)
 
(19 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
Computers, that should be part of a Domain, have to join it. After this process they are members of the joined domain and able to access domain resources. During the join, an account for the machine will be created. This allows the computer to authenticate itself in the domain.
+
After setting up a [[Active_Directory_Domain_Controller|Samba Active Directory (AD)]] or an [[NT4_Domains|Samba NT4 domain]], you have to join machines to the domain. Only machines joined to the domain are enabled to use domain resources. During the join, a machine account is created in the domain to authenticate the computer as a member.
  
This documentation describes the join process as a Windows domain member to a Samba Active Directory or Samba NT4 domain.
+
In case, you are joining a Windows Server <u>as a domain controller (DC)</u> to an AD, see:
 +
* [[Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD|Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD]]
 +
* [[Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD|Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD]]
 +
 
 +
Use this documentation for joining a Windows client or server operating system to a Samba AD or Samba NT4 domain as a domain member.
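Review bot: In the added sentence "In case, you are joining a Windows Server as a domain controller (DC) to an AD, see:", the comma after "In case" breaks the clause; "If you are joining a Windows Server as a domain controller (DC) to an AD, see:" reads cleanly. The two links that follow cover only Windows Server 2008 / 2008 R2 and 2012 / 2012 R2, so it would help to say what readers with other server versions should do.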
  
  
Line 11: Line 15:
 
= System Requirements =
 
= System Requirements =
  
== Windows Version ==
+
== Supported Windows Versions ==
  
To join a Domain, the Windows version requires the necessary capabilities. The following Windows version are able to join a Domain as a member:
+
To join a domain, the Windows edition requires the corresponding capabilities. You can join the following Windows operating systems as a domain member:
  
<u>Workstation editions</u>
+
<u>Workstation editions:</u>
* Windows 10 Pro / Enterprise / Education
+
* Windows 10: Pro, Enterprise, and Education
* Windows 8/8.1 Pro / Enterprise
+
* Windows 8 and 8.1: Pro and Enterprise
* Windows 7 Professional / Ultimate / Enterprise
+
* Windows 7: Professional, Ultimate, and Enterprise
* Windows Vista / Business / Ultimate / Enterprise
+
* Windows Vista: Business, Ultimate, and Enterprise
* Windows XP Professional
+
* Windows XP: Professional
* Windows 2000 Professional
+
* Windows 2000: Professional
* Windows NT4 ''(can only join NT4-style domains!)''
+
* Windows NT4 ''(only NT4 domain support)''
  
 
+
<u>Server (all editions):</u>
<u>Server editions</u>
+
* Windows Server 2019
* Windows Server 2012 / 2012R2
+
* Windows Server 2016
* Windows Server 2008 / 2008R2
+
* Windows Server 2012 and 2012R2
* Windows Server 2003 / 2003R2
+
* Windows Server 2008 and 2008R2
 +
* Windows Server 2003 and 2003R2
 
* Windows Server 2000
 
* Windows Server 2000
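Review bot: The added workstation entry "Windows NT4 (only NT4 domain support)" is harder to parse than the line it replaces, "(can only join NT4-style domains!)"; "(can only join NT4 domains)" keeps the meaning without the exclamation mark. The added server entries also write "2012R2", "2008R2" and "2003R2" without a space, while the DC-join links added in the introduction use "2012 R2" and "2008 R2"; pick one form.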
  
Line 35: Line 40:
 
== Permissions ==
 
== Permissions ==
  
To join a client to a domain, you require
+
To join a machine to a domain you require:
* local Administrator permissions on the computer you want to join
+
* local administrator permissions on the computer you want to join
* knowledge of credentials of a Domain account, that is allowed to join machines to the domain.
+
* credentials of a domain account that is enabled to join machines to the domain. For example:
** At least the Domain Administrator account can join computers to a domain, but it's possible that the permissions are [[Delegation/Join_machines_to_a_domain|delegated to other accounts]], too.
+
** the domain administrator account
** In an Active Directory, [https://support.microsoft.com/kb/243327/en authenticated user accounts are allowed per default to join up to 10 machines] to the domain, if this wasn't changed or disabled by the Domain Administrator.
+
** an account with [[Delegation/Joining_Machines_to_a_Domain|delegated permissions]] (AD only)
 +
: Note, that in an AD authenticated user accounts are enabled to join up to 10 machines to the domain, if the administrator has not disabled the feature. See https://support.microsoft.com/kb/243327/en
  
Ask your Domain Administrator for details.
 
  
  
 +
== Required Settings for NT4 Domains ==
  
== Required settings for NT4-style domains ==
+
If you are joining the host to a Samba NT4 domain, some Windows operating systems require modifications. See [[Required_Settings_for_Samba_NT4_Domains|Required Settings for Samba NT4 domain]].
  
In case you're joining an Samba NT4-style domain, some [[Required_settings_for_NT4-style_domains|settings may be required]].
 
  
  
  
  
 +
= DNS Settings (AD only) =
  
= DNS Setting =
+
In an Active Directory (AD), a working DNS configuration is indispensable. AD uses DNS to locate domain controllers (DC), resolve host names, and for many other tasks. Ensure that the client has at least one DNS server configured, that is able to resolve the AD DNS zone. For further information, see [[Windows_DNS_Configuration|DNS Configuration on Windows Hosts]].
  
The client requies to have at least one DNS server configured, that is able to resolve names of the Domain it should join.
 
  
See [[DNS_Configuration_Windows|DNS Configuration on Windows]].
 
  
  
  
 +
= Date and Time Settings (AD only) =
  
 +
Active Directory uses Kerberos for authentication. Kerberos requires that the domain member and the domain controllers (DC) are having a synchronous time. If the difference exceeds [http://technet.microsoft.com/en-us/library/cc779260%28v=ws.10%29.aspx 5 minutes] (default), the client is not able to access domain resources for security reasons.
  
= Date And Time Settings =
+
Before you join the domain, check the time configuration:
  
''If you're joining an NT4-style domain, this step is optional. But a correct system time is always recommended.''
+
* Open the <code>Control Panel</code>.
  
Active Directory uses Kerberos for authentication, which relies on a fairly consistent time across the network. This makes it necessary, that, before you can join the client to the Domain, the time on the client does not differ more than [http://technet.microsoft.com/en-us/library/cc779260%28v=ws.10%29.aspx 5 minutes] (default setting in an AD) to your Domain Controller.
+
* Navigate to <code>Clock, Language and Region</code>.
  
* Open the Control Panel.
+
* Click <code>Date and Time</code>.
  
* Navigate to „Clock, Language and Region“.
+
* Verify the date, time, and time zone settings. Adjust the settings, if necessary.
  
* Click „Date and Time“.
+
* Click <code>OK</code> to save the changes.
:[[Image:Date_and_Time_Settings.png]]
 
  
* Check your date, time and time zone settings.
 
  
  
  
  
 +
= Joining a Windows Client or Server to a Domain =
  
= Joining A Windows Client To A Domain =
+
* Open the <code>Control Panel</code>.
  
The procedure is for all Windows versions the same. It just differs in the ways opening the „System Properties“ window.
+
* Navigate to <code>System and Security</code> / </code>System</code>.
  
The first step differs on your OS version:
+
* Click <code>Change settings</code>, next to the computer name.
  
* Windows 10
+
* On the <code>Computer Name</code> tab, click the <code>Change</code> button.
:Search in the start menu for „System“ and click the „System - Control panel“ entry.
 
:[[Image:Join_Win10_Search_System.png]]
 
  
* Windows 8 / 8.1
+
* Verify the computer name. If you rename the computer, reboot before joining the domain.
:Search on the Modern UI screen for „System“ and click the icon.
 
:[[Image:Join_Win8_Search_System.png]]
 
  
* Windows 7
+
* Select <code>Domain</code>, enter the name of your domain, and click <code>OK</code>.
:Right-click to „Computer“ (e. g. on your desktop or in the start menu) and choose „Properties“.
+
:[[Image:Join_Enter_Domain_Name.png]]
:[[Image:Join_Win7_Computer_Properties.png]]
+
: Active Directory (AD) only: You can enter the NetBIOS name of the domain, if your client is able to resolve it. For example: <code>samdom</code> instead of <code>samdom.example.com</code>.
 
 
All further steps are the same on each Windows OS (the appearance may differ):
 
  
* Click „Change settings“ in the „Computer name, domain and workgroup settings“ area.
+
* Enter the credentials of an account that is able to join a computer to the domain. For example, the domain administrator account. Click <code>OK</code> to continue.
:[[Image:Join_Change_Settings.png]]
 
  
* In the „System properties“ window, click the „Change...“ button.
+
* Reboot the computer after the computer successfully joined the domain.
:[[Image:Join_System_Properties_Window.png]]
 
 
 
* Choose „Domain“ and enter the Domain name.
 
:[[Image:Join_Enter_Domain_Name.png]]
 
:''Note: If your client is able to resolve the NetBIOS name of your domain, you can use the this one (e. g. „samdom“). Otherwise you have to enter the full DNS name of your Domain (e. g. samdom.example.com).''
 
  
* Click „OK“
 
  
* If the computer is able to connect to the Domain Controller / PDC, you will be prompted for credentials that are allowed to join to the domain.
 
:[[Image:Join_Enter_Credentials.png]]
 
  
* Click „OK“.
 
  
* If the join succeeded, you will be welcomed in the domain.
 
:[[Image:Join_Welcome.png]]
 
  
* Reboot to take changes effect.
+
----
 +
[[Category:Active Directory]]
 +
[[Category:Domain Members]]
 +
[[Category:NT4 Domains]]
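Review bot: In the added join step "Navigate to <code>System and Security</code> / </code>System</code>", the second element opens with a closing tag, which leaves the markup unbalanced; it should read <code>System</code>. In the Permissions part, the rewritten note keeps the statement that authenticated users can join up to 10 machines by default but drops "Ask your Domain Administrator for details." without a replacement pointer; linking the delegated-permissions page from the note as well would tell readers where that default is controlled.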

Latest revision as of 11:53, 4 May 2020

Introduction

After setting up a Samba Active Directory (AD) or a Samba NT4 domain, you have to join machines to the domain. Only machines joined to the domain can use domain resources. During the join, a machine account is created in the domain to authenticate the computer as a member.

If you are joining a Windows Server as a domain controller (DC) to an AD, see:

  • Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD
  • Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD

Use this documentation for joining a Windows client or server operating system to a Samba AD or Samba NT4 domain as a domain member.



System Requirements

Supported Windows Versions

To join a domain, the Windows edition requires the corresponding capabilities. You can join the following Windows operating systems as a domain member:

Workstation editions:

  • Windows 10: Pro, Enterprise, and Education
  • Windows 8 and 8.1: Pro and Enterprise
  • Windows 7: Professional, Ultimate, and Enterprise
  • Windows Vista: Business, Ultimate, and Enterprise
  • Windows XP: Professional
  • Windows 2000: Professional
  • Windows NT4 (only NT4 domain support)

Server (all editions):

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 and 2012R2
  • Windows Server 2008 and 2008R2
  • Windows Server 2003 and 2003R2
  • Windows Server 2000


Permissions

To join a machine to a domain, you require:

  • local administrator permissions on the computer you want to join
  • credentials of a domain account that is enabled to join machines to the domain. For example:
      • the domain administrator account
      • an account with delegated permissions (AD only)

Note that in an AD, authenticated user accounts are enabled to join up to 10 machines to the domain, if the administrator has not disabled the feature. See https://support.microsoft.com/kb/243327/en


Required Settings for NT4 Domains

If you are joining the host to a Samba NT4 domain, some Windows operating systems require modifications. See Required Settings for Samba NT4 domain.



DNS Settings (AD only)

In an Active Directory (AD), a working DNS configuration is indispensable. AD uses DNS to locate domain controllers (DC), resolve host names, and for many other tasks. Ensure that the client has at least one DNS server configured that is able to resolve the AD DNS zone. For further information, see DNS Configuration on Windows Hosts.



Date and Time Settings (AD only)

Active Directory uses Kerberos for authentication. Kerberos requires that the clocks of the domain member and the domain controllers (DC) are synchronized. If the difference exceeds 5 minutes (default), the client is not able to access domain resources for security reasons.

Before you join the domain, check the time configuration:

  • Open the Control Panel.
  • Navigate to Clock, Language and Region.
  • Click Date and Time.
  • Verify the date, time, and time zone settings. Adjust the settings, if necessary.
  • Click OK to save the changes.



Joining a Windows Client or Server to a Domain

  • Open the Control Panel.
  • Navigate to System and Security / System.
  • Click Change settings, next to the computer name.
  • On the Computer Name tab, click the Change button.
  • Verify the computer name. If you rename the computer, reboot before joining the domain.
  • Select Domain, enter the name of your domain, and click OK.
    Active Directory (AD) only: You can enter the NetBIOS name of the domain, if your client is able to resolve it. For example: samdom instead of samdom.example.com.
  • Enter the credentials of an account that is able to join a computer to the domain. For example, the domain administrator account. Click OK to continue.
  • Reboot the computer after it has successfully joined the domain.
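
The DNS and time prerequisites and the join itself can also be checked from an elevated PowerShell session. The script below is an added example, not part of the Samba wiki page; it assumes Windows 8 / Server 2012 or later (for Resolve-DnsName), uses the page's example domain samdom.example.com as a default, and the parameter names are chosen for this illustration.

```powershell
# Added example: pre-join checks for an AD domain member, then an optional join.
# Assumptions: elevated local administrator session; Resolve-DnsName available.
param(
    [string]$Domain = 'samdom.example.com',  # example domain name used on this page
    [int]$MaxSkewSeconds = 300,              # 5 minutes, the default tolerance named above
    [switch]$Join                            # only join when explicitly requested
)
$ErrorActionPreference = 'Stop'

# Stop early if the machine is already a domain member.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) { throw "Already a member of domain '$($cs.Domain)'." }

# 1. DNS: the configured DNS server must resolve the AD DNS zone.
#    Domain controllers register this SRV record in the zone.
$srvName = "_ldap._tcp.dc._msdcs.$Domain"
try {
    $srv = @(Resolve-DnsName -Name $srvName -Type SRV |
             Where-Object { $_.Type -eq 'SRV' })
} catch {
    throw "Cannot resolve $srvName. Check the DNS server configured on this client."
}
if ($srv.Count -eq 0) { throw "No SRV records returned for $srvName." }
$dc = $srv[0].NameTarget
Write-Host "DNS ok: $($srv.Count) DC record(s), using $dc"

# 2. Time: measure the clock offset against that DC with w32tm.
#    The data line looks like "11:53:00, +00.0123456s"; on failure it reports an error.
$line = w32tm /stripchart /computer:$dc /samples:1 /dataonly | Select-Object -Last 1
if ($line -notmatch ',\s*([+-]\d+[.,]\d+)s') {
    throw "Could not measure the time offset against ${dc}: $line"
}
$offset = [math]::Abs([double]::Parse($Matches[1].Replace(',', '.'),
                                      [cultureinfo]::InvariantCulture))
if ($offset -gt $MaxSkewSeconds) {
    throw "Clock differs from $dc by $offset s (limit $MaxSkewSeconds s). Fix date and time first."
}
Write-Host "Time ok: offset $offset s"

# 3. Join: prompts for an account that is enabled to join machines, then reboots.
if ($Join) {
    Add-Computer -DomainName $Domain -Credential (Get-Credential) -Restart
} else {
    Write-Host "Checks passed. Re-run with -Join to join $Domain."
}
```

Without -Join the script only reports the result of the checks and changes nothing on the machine.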