Difference between revisions of "Joining a Windows Client or Server to a Domain"

(Replacing the "configure DNS settings" section with a link to the much more detailed section in the "DNS Administration HowTo" + some newlines for a better readability)
m (/* added Windows 2019 as domain member)
 
(31 intermediate revisions by 2 users not shown)
Line 1: Line 1:
= Configure a Windows Client to join our Samba Active Directory =
+
= Introduction =
  
Active Directory is a powerful administration service which enables an Administrator to centrally manage a network of Windows 2000, Windows XP Pro, Windows 2003, Windows Vista Business Edition, and Windows 7 Professional (and up) effectively. To test the real Samba capability, we use Windows XP Pro as testing environment (Windows XP Home doesn't include Active Directory functionality and won't work).
+
After setting up a [[Active_Directory_Domain_Controller|Samba Active Directory (AD)]] or an [[NT4_Domains|Samba NT4 domain]], you have to join machines to the domain. Only machines joined to the domain are enabled to use domain resources. During the join, a machine account is created in the domain to authenticate the computer as a member.
  
To allow Samba 4 Active Directory or Microsoft Active Directory to manage a computer, we need to join the computer into the active directory.
+
In case, you are joining a Windows Server <u>as a domain controller (DC)</u> to an AD, see:
It involves:
+
* [[Joining_a_Windows_Server_2008_/_2008_R2_DC_to_a_Samba_AD|Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD]]
 +
* [[Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD|Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD]]
  
# Configuring DNS Settings
+
Use this documentation for joining a Windows client or server operating system to a Samba AD or Samba NT4 domain as a domain member.
# Configuring Date & Time and Time Zone
 
# Joining the domain
 
  
  
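Review bot: The new introduction line "In case, you are joining a Windows Server <u>as a domain controller (DC)</u> to an AD, see:" has a stray comma after "In case". The first new paragraph also writes "an [[NT4_Domains|Samba NT4 domain]]", which renders as "an Samba NT4 domain". Suggest "If you are joining a Windows Server ... to an AD, see:" and "a [[NT4_Domains|Samba NT4 domain]]".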
Line 14: Line 13:
  
  
== Step 1: Configure DNS Setting for Windows ==
+
= System Requirements =
  
See the [[DNS_Administration#Configuring_clients_to_use_your_AD_DNS_server|Configuring clients to use your AD DNS server]] section in the [[DNS_Administration|DNS Administration HowTo]].
+
== Supported Windows Versions ==
  
 +
To join a domain, the Windows edition requires the corresponding capabilities. You can join the following Windows operating systems as a domain member:
  
 +
<u>Workstation editions:</u>
 +
* Windows 10: Pro, Enterprise, and Education
 +
* Windows 8 and 8.1: Pro and Enterprise
 +
* Windows 7: Professional, Ultimate, and Enterprise
 +
* Windows Vista: Business, Ultimate, and Enterprise
 +
* Windows XP: Professional
 +
* Windows 2000: Professional
 +
* Windows NT4 ''(only NT4 domain support)''
  
 +
<u>Server (all editions):</u>
 +
* Windows Server 2019
 +
* Windows Server 2016
 +
* Windows Server 2012 and 2012R2
 +
* Windows Server 2008 and 2008R2
 +
* Windows Server 2003 and 2003R2
 +
* Windows Server 2000
  
  
== Step 2: Configure Date & Time and Time Zone ==
 
  
Active Directory uses Kerberos as the backend for authentication. Kerberos requires that the system clocks on the client and server be synchronized to within a few seconds of each other.  If they are not synchronized, then authentication will fail for apparently no reason.
+
== Permissions ==
  
 +
To join a machine to a domain you require:
 +
* local administrator permissions on the computer you want to join
 +
* credentials of a domain account that is enabled to join machines to the domain. For example:
 +
** the domain administrator account
 +
** an account with [[Delegation/Joining_Machines_to_a_Domain|delegated permissions]] (AD only)
 +
: Note, that in an AD authenticated user accounts are enabled to join up to 10 machines to the domain, if the administrator has not disabled the feature. See https://support.microsoft.com/kb/243327/en
  
  
=== Configure the Date & Time ===
 
# Right-Click on the Time display in the system notification area, Select Adjust Date/Time.
 
# Change the Date and Time so the client matches the server to the minute, and click OK
 
#:[[Image:Samba4time.jpg]]
 
  
 +
== Required Settings for NT4 Domains ==
  
 +
If you are joining the host to a Samba NT4 domain, some Windows operating systems require modifications. See [[Required_Settings_for_Samba_NT4_Domains|Required Settings for Samba NT4 domain]].
  
=== Configure the Time Zone ===
 
# Right-Click on the Time display in the system notification area, Select Adjust Date/Time.
 
# Click on the Time Zone Tab
 
# Change the Time Zone to match the Time Zone on the server.
 
#:[[Image:Samba4timezone.jpg]]
 
  
  
  
  
 +
= DNS Settings (AD only) =
  
== Step 3: Joining Windows Clients to the Domain ==
+
In an Active Directory (AD), a working DNS configuration is indispensable. AD uses DNS to locate domain controllers (DC), resolve host names, and for many other tasks. Ensure that the client has at least one DNS server configured, that is able to resolve the AD DNS zone. For further information, see [[Windows_DNS_Configuration|DNS Configuration on Windows Hosts]].
  
Now your Windows computer is ready to join the Active Directory (AD) domain,
 
  
As an Administrator:
 
  
# Right Click My Computer -> Properties
+
 
# Choose the Computer Name tab, click Change...
+
 
# Click option 'Domain', insert SAMDOM.EXAMPLE.COM.  If this fails, try SAMDOM.
+
= Date and Time Settings (AD only) =
#:[[Image:Samba4joindomain.jpg]]
+
 
# When it requests a username and password, type '''Administrator''' as the username, and '''p4$$word''' as the password.
+
Active Directory uses Kerberos for authentication. Kerberos requires that the domain member and the domain controllers (DC) are having a synchronous time. If the difference exceeds [http://technet.microsoft.com/en-us/library/cc779260%28v=ws.10%29.aspx 5 minutes] (default), the client is not able to access domain resources for security reasons.
# You should get a message box stating "Welcome to the SAMDOM.EXAMPLE.COM domain."
+
 
# Click OK on this message box and the Properties window, and you will be instructed to restart your computer.
+
Before you join the domain, check the time configuration:
# After restarting, you should be presented with the normal logon dialog.
+
 
# Change the domain to SAMDOM and type '''Administrator''' as the username, and '''p4$$word''' as the password.
+
* Open the <code>Control Panel</code>.
#:[[Image:Samba4logindomain.jpg]]
+
 
 +
* Navigate to <code>Clock, Language and Region</code>.
 +
 
 +
* Click <code>Date and Time</code>.
 +
 
 +
* Verify the date, time, and time zone settings. Adjust the settings, if necessary.
 +
 
 +
* Click <code>OK</code> to save the changes.
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= Joining a Windows Client or Server to a Domain =
 +
 
 +
* Open the <code>Control Panel</code>.
 +
 
 +
* Navigate to <code>System and Security</code> / </code>System</code>.
 +
 
 +
* Click <code>Change settings</code>, next to the computer name.
 +
 
 +
* On the <code>Computer Name</code> tab, click the <code>Change</code> button.
 +
 
 +
* Verify the computer name. If you rename the computer, reboot before joining the domain.
 +
 
 +
* Select <code>Domain</code>, enter the name of your domain, and click <code>OK</code>.
 +
:[[Image:Join_Enter_Domain_Name.png]]
 +
: Active Directory (AD) only: You can enter the NetBIOS name of the domain, if your client is able to resolve it. For example: <code>samdom</code> instead of <code>samdom.example.com</code>.
 +
 
 +
* Enter the credentials of an account that is able to join a computer to the domain. For example, the domain administrator account. Click <code>OK</code> to continue.
 +
 
 +
* Reboot the computer after the computer successfully joined the domain.
 +
 
 +
 
 +
 
 +
 
 +
 
 +
----
 +
[[Category:Active Directory]]
 +
[[Category:Domain Members]]
 +
[[Category:NT4 Domains]]
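Review bot: The new step "Navigate to <code>System and Security</code> / </code>System</code>." starts its second element with a closing tag, so the markup is unbalanced and "System" is not rendered as code. It should read <code>System</code>. Separately, the join step gives the domain administrator account as its example credential although the new Permissions section already links the delegated-permissions page. Naming the delegated account in that step would avoid suggesting that domain administrator credentials be typed on every member machine.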

Latest revision as of 11:53, 4 May 2020

Introduction

After setting up a Samba Active Directory (AD) or a Samba NT4 domain, you have to join machines to the domain. Only machines joined to the domain can use domain resources. During the join, a machine account is created in the domain to authenticate the computer as a member.

If you are joining a Windows Server as a domain controller (DC) to an AD, see:

  • Joining a Windows Server 2008 / 2008 R2 DC to a Samba AD
  • Joining a Windows Server 2012 / 2012 R2 DC to a Samba AD

Use this documentation for joining a Windows client or server operating system to a Samba AD or Samba NT4 domain as a domain member.



System Requirements

Supported Windows Versions

To join a domain, the Windows edition requires the corresponding capabilities. You can join the following Windows operating systems as a domain member:

Workstation editions:

  • Windows 10: Pro, Enterprise, and Education
  • Windows 8 and 8.1: Pro and Enterprise
  • Windows 7: Professional, Ultimate, and Enterprise
  • Windows Vista: Business, Ultimate, and Enterprise
  • Windows XP: Professional
  • Windows 2000: Professional
  • Windows NT4 (only NT4 domain support)

Server (all editions):

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 and 2012R2
  • Windows Server 2008 and 2008R2
  • Windows Server 2003 and 2003R2
  • Windows Server 2000


Permissions

To join a machine to a domain you require:

  • local administrator permissions on the computer you want to join
  • credentials of a domain account that is enabled to join machines to the domain. For example:
      • the domain administrator account
      • an account with delegated permissions (AD only)
    Note that in an AD, authenticated user accounts are enabled to join up to 10 machines to the domain if the administrator has not disabled the feature. See https://support.microsoft.com/kb/243327/en


Required Settings for NT4 Domains

If you are joining the host to a Samba NT4 domain, some Windows operating systems require modifications. See Required Settings for Samba NT4 domain.



DNS Settings (AD only)

In an Active Directory (AD), a working DNS configuration is indispensable. AD uses DNS to locate domain controllers (DC), resolve host names, and for many other tasks. Ensure that the client has at least one DNS server configured that is able to resolve the AD DNS zone. For further information, see DNS Configuration on Windows Hosts.



Date and Time Settings (AD only)

Active Directory uses Kerberos for authentication. Kerberos requires that the domain member and the domain controllers (DC) have synchronized time. If the difference exceeds 5 minutes (default), the client is not able to access domain resources for security reasons.

Before you join the domain, check the time configuration:

  • Open the Control Panel.
  • Navigate to Clock, Language and Region.
  • Click Date and Time.
  • Verify the date, time, and time zone settings. Adjust the settings, if necessary.
  • Click OK to save the changes.



Joining a Windows Client or Server to a Domain

  • Open the Control Panel.
  • Navigate to System and Security / System.
  • Click Change settings, next to the computer name.
  • On the Computer Name tab, click the Change button.
  • Verify the computer name. If you rename the computer, reboot before joining the domain.
  • Select Domain, enter the name of your domain, and click OK.
    Active Directory (AD) only: You can enter the NetBIOS name of the domain if your client is able to resolve it. For example: samdom instead of samdom.example.com.
  • Enter the credentials of an account that is able to join a computer to the domain. For example, the domain administrator account. Click OK to continue.
  • Reboot the computer after it has successfully joined the domain.
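
The DNS check, the time check and the join described above can also be run from an elevated PowerShell prompt. This is an added example, not part of the original wiki page. It assumes the page's example domain samdom.example.com, the default 5-minute Kerberos tolerance, and a Windows version that ships Resolve-DnsName (Windows 8 / Server 2012 or later).

```powershell
# Added example: pre-join checks followed by the domain join.
# Assumptions: domain name and skew limit are taken from the text above.
$Domain      = 'samdom.example.com'
$MaxSkewSecs = 300   # 5 minutes, the default tolerance

# 1. DNS: the configured DNS server must resolve the AD zone.
#    The DC locator SRV record is what the join itself looks up.
$srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -First 1
if (-not $srv) {
    throw "No domain controller SRV record found for $Domain. Check the client's DNS server setting."
}
$dc = $srv.NameTarget
Write-Host "Domain controller found via DNS: $dc"

# 2. Time: take one NTP sample from the DC and read the offset.
#    A data line looks like "09:14:21, +00.0123456s"; error lines carry no offset.
$sample = w32tm /stripchart /computer:$dc /samples:1 /dataonly
$match  = $sample |
          Select-String -Pattern ',\s*([+-]\d+\.\d+)s' |
          Select-Object -Last 1
if (-not $match) {
    throw "Could not read a time offset from ${dc}:`n$($sample -join "`n")"
}
$skew = [math]::Abs([double]::Parse(
            $match.Matches[0].Groups[1].Value,
            [cultureinfo]::InvariantCulture))
if ($skew -gt $MaxSkewSecs) {
    throw "Clock differs from $dc by $skew s (limit $MaxSkewSecs s). Fix date, time and time zone first."
}
Write-Host "Clock offset to ${dc}: $skew s"

# 3. Join: prompt for an account that is enabled to join machines
#    (for example a delegated account), then reboot.
$cred = Get-Credential -Message "Account permitted to join machines to $Domain"
Add-Computer -DomainName $Domain -Credential $cred -Restart
```

If either check throws, the join is not attempted, which separates DNS and clock problems from credential failures.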