Difference between revisions of "Joining a Windows Client or Server to a Domain"

m (Reverted edits by Mmuehlfeld (talk) to last revision by Rixter)
(Reverting changes of a wrong edit/rollback)
Line 1: Line 1:
= Configure a Windows Client to join our Samba Active Directory =
+
= Introduction =
Active Directory is a powerful administration service which enables an Administrator to centrally manage a network of Windows 2000, Windows XP Pro, Windows 2003, Windows Vista Business Edition, and Windows 7 Professional (and up) effectively. To test the real Samba capability, we use Windows XP Pro as testing environment (Windows XP Home doesn't include Active Directory functionality and won't work).
 
  
To allow Samba 4 Active Directory or Microsoft Active Directory to manage a computer, we need to join the computer into the active directory.
+
Computers, that should be part of a Domain, have to join it. After this process they are members of the joined domain and able to access domain resources. During the join, an account for the machine will be created. This allows the computer to authenticate itself in the domain.
It involves:
 
  
# Configuring DNS Settings
+
This documentation describes the join process for Windows clients. It is the same for NT4-style and Active Directory domains.
# Configuring Date & Time and Time Zone
 
# Joining the domain
 
  
== Step 1: Configure DNS Setting for Windows ==
 
  
Before we configure the DNS settings, verify that you are able to ping the server's IP address. If you are not able to ping the server, double check your IP address, firewall, routing, etc.
 
  
Once you have verified network connectivity between the Samba server and client,
 
  
# Right Click My Network Places, Select Properties
 
# Right Click Local Area Network, Select Properties
 
# Double click TCP/IP
 
# Use a static DNS server, add the Samba server's IP address inside the Primary DNS Server Column.
 
#:[[Image:Samba4dnsclient.jpg]]
 
# Press OK on all opened windows.
 
# Open a command prompt, type 'ping samdom.example.com' (as per your provision).
 
  
If you get replies, then it means that your Windows settings are correct for DNS, and the Samba server's DNS service is working as well.
+
= System Requirements =
  
== Step 2: Configure Date & Time and Time Zone ==
+
== Windows Version ==
  
Active Directory uses Kerberos as the backend for authentication. Kerberos requires that the system clocks on the client and server be synchronized to within a few seconds of each other. If they are not synchronized, then authentication will fail for apparently no reason.
+
To join a Domain, the Windows version requires the necessary capabilities. The following Windows version are able to join Domains:
  
=== Configure the Date & Time ===
+
* Windows 8/8.1
# Right-Click on the Time display in the system notification area, Select Adjust Date/Time.
+
** Pro
# Change the Date and Time so the client matches the server to the minute, and click OK
+
** Enterprise
#:[[Image:Samba4time.jpg]]
 
  
=== Configure the Time Zone ===
+
* Windows 7
# Right-Click on the Time display in the system notification area, Select Adjust Date/Time.
+
** Professional
# Click on the Time Zone Tab
+
** Ultimate
# Change the Time Zone to match the Time Zone on the server.
+
** Enterprise
#:[[Image:Samba4timezone.jpg]]
 
  
== Step 3: Joining Windows Clients to the Domain ==
+
* Windows Vista
 +
** Business
 +
** Ultimate
 +
** Enterprise
  
Now your Windows computer is ready to join the Active Directory (AD) domain,
+
* Windows XP
 +
** Professional
  
As an Administrator:
+
* Windows 2000
 +
** Professional
  
# Right Click My Computer -> Properties
+
* Windows NT4 ''(can only join NT4-style domains)''
# Choose the Computer Name tab, click Change...
+
 
# Click option 'Domain', insert SAMDOM.EXAMPLE.COM. If this fails, try SAMDOM.
+
 
#:[[Image:Samba4joindomain.jpg]]
+
 
# When it requests a username and password, type '''Administrator''' as the username, and '''p4$$word''' as the password.
+
== Permissions ==
# You should get a message box stating "Welcome to the SAMDOM.EXAMPLE.COM domain."
+
 
# Click OK on this message box and the Properties window, and you will be instructed to restart your computer.
+
To join a client to a domain, you require
# After restarting, you should be presented with the normal logon dialog.
+
* local Administrator permissions on the computer you want to join
# Change the domain to SAMDOM and type '''Administrator''' as the username, and '''p4$$word''' as the password.
+
* knowledge of credentials of a Domain account, that is allowed to join machines to the domain.
#:[[Image:Samba4logindomain.jpg]]
+
** At least the Domain Administrator account can join computers to a domain, but it's possible that the permissions are [[Delegating_Administration_Permissions#Delegating_.27Joining_Computers_to_the_domain.27-permissions|delegated to other accounts]], too.
 +
** In an Active Directory, [https://support.microsoft.com/kb/243327/en authenticated user accounts are allowed per default to join up to 10 machines] to the domain, if this wasn't changed or disabled by the Domain Administrator.
 +
 
 +
Ask your Domain Administrator for details.
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= DNS Setting =
 +
 
 +
The client requies to have at least one DNS server configured, that is able to resolve names of the Domain it should join.
 +
 
 +
See [[DNS_Configuration_Windows|DNS Configuration on Windows]].
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= Date And Time Settings =
 +
 
 +
''If you're joining an NT4-style domain, this step is optional. But a correct system time is always recommended.''
 +
 
 +
Active Directory uses Kerberos for authentication, which relies on a fairly consistent time across the network. This makes it necessary, that, before you can join the client to the Domain, the time on the client does not differ more than [http://technet.microsoft.com/en-us/library/cc779260%28v=ws.10%29.aspx 5 minutes] (default setting in an AD) to your Domain Controller.
 +
 
 +
* Open the Control Panel.
 +
 
 +
* Navigate to „Clock, Language and Region“.
 +
 
 +
* Click „Date and Time“.
 +
:[[Image:Date_and_Time_Settings.png]]
 +
 
 +
* Check your date, time and time zone settings.
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= Joining A Windows Client To A Domain =
 +
 
 +
The procedure is for all Windows versions the same. It just differs in the ways opening the „System Properties“ window.
 +
 
 +
* Windows 8 / 8.1
 +
:Search on the Modern UI screen for „System“ and click the icon.
 +
:[[Image:Join_Win8_Search_System.png]]
 +
 
 +
* Windows 7
 +
:Right-click to „Computer“ (e. g. on your desktop or in the start menu) and choose „Properties“.
 +
:[[Image:Join_Win7_Computer_Properties.png]]
 +
 
 +
* Click „Change settings“ in the „Computer name, domain and workgroup settings“ area.
 +
:[[Image:Join_Change_Settings.png]]
 +
 
 +
* In the „System properties“ window, click the „Change...“ button.
 +
:[[Image:Join_System_Properties_Window.png]]
 +
 
 +
* Choose „Domain“ and enter the Domain name.
 +
:[[Image:Join_Enter_Domain_Name.png]]
 +
:''Note: If your client is able to resolve the NetBIOS name of your domain, you can use the this one (e. g. „samdom“). Otherwise you have to enter the full DNS name of your Domain (e. g. samdom.example.com).''
 +
 
 +
* Click „OK“
 +
 
 +
* If the computer is able to connect to the Domain Controller / PDC, you will be prompted for credentials that are allowed to join to the domain.
 +
:[[Image:Join_Enter_Credentials.png]]
 +
 
 +
* Click „OK“.
 +
 
 +
* If the join succeeded, you will be welcomed in the domain.
 +
:[[Image:Join_Welcome.png]]
 +
 
 +
* Reboot to take changes effect.

Revision as of 08:53, 28 December 2014

Introduction

Computers, that should be part of a Domain, have to join it. After this process they are members of the joined domain and able to access domain resources. During the join, an account for the machine will be created. This allows the computer to authenticate itself in the domain.

This documentation describes the join process for Windows clients. It is the same for NT4-style and Active Directory domains.



System Requirements

Windows Version

To join a Domain, the Windows version requires the necessary capabilities. The following Windows version are able to join Domains:

  • Windows 8/8.1
    • Pro
    • Enterprise
  • Windows 7
    • Professional
    • Ultimate
    • Enterprise
  • Windows Vista
    • Business
    • Ultimate
    • Enterprise
  • Windows XP
    • Professional
  • Windows 2000
    • Professional
  • Windows NT4 (can only join NT4-style domains)


Permissions

To join a client to a domain, you require

Ask your Domain Administrator for details.



DNS Setting

The client requies to have at least one DNS server configured, that is able to resolve names of the Domain it should join.

See DNS Configuration on Windows.



Date And Time Settings

If you're joining an NT4-style domain, this step is optional. But a correct system time is always recommended.

Active Directory uses Kerberos for authentication, which relies on a fairly consistent time across the network. This makes it necessary, that, before you can join the client to the Domain, the time on the client does not differ more than 5 minutes (default setting in an AD) to your Domain Controller.

  • Open the Control Panel.
  • Navigate to „Clock, Language and Region“.
  • Click „Date and Time“.
File:Date and Time Settings.png
  • Check your date, time and time zone settings.



Joining A Windows Client To A Domain

The procedure is for all Windows versions the same. It just differs in the ways opening the „System Properties“ window.

  • Windows 8 / 8.1
Search on the Modern UI screen for „System“ and click the icon.
File:Join Win8 Search System.png
  • Windows 7
Right-click to „Computer“ (e. g. on your desktop or in the start menu) and choose „Properties“.
File:Join Win7 Computer Properties.png
  • Click „Change settings“ in the „Computer name, domain and workgroup settings“ area.
File:Join Change Settings.png
  • In the „System properties“ window, click the „Change...“ button.
File:Join System Properties Window.png
  • Choose „Domain“ and enter the Domain name.
Join Enter Domain Name.png
Note: If your client is able to resolve the NetBIOS name of your domain, you can use the this one (e. g. „samdom“). Otherwise you have to enter the full DNS name of your Domain (e. g. samdom.example.com).
  • Click „OK“
  • If the computer is able to connect to the Domain Controller / PDC, you will be prompted for credentials that are allowed to join to the domain.
File:Join Enter Credentials.png
  • Click „OK“.
  • If the join succeeded, you will be welcomed in the domain.
File:Join Welcome.png
  • Reboot to take changes effect.