Joining a Windows Client or Server to a Domain: Difference between revisions

From SambaWiki
m (moved Configuring a windows client for AD to Joining a Windows Client to a Domain: Giving the document a better name.)
(Complete rewrite of the 'Join a Win Client' documentation.)
Line 1: Line 1:
= Introduction =
= Configure a Windows Client to join our Samba Active Directory =


Computers, that should be part of a Domain, have to join it. After this process they are members of the joined domain and able to access domain resources. During the join, an account for the machine will be created. This allows the computer to authenticate itself in the domain.
Active Directory is a powerful administration service which enables an Administrator to centrally manage a network of Windows 2000, Windows XP Pro, Windows 2003, Windows Vista Business Edition, and Windows 7 Professional (and up) effectively. To test the real Samba capability, we use Windows XP Pro as testing environment (Windows XP Home doesn't include Active Directory functionality and won't work).


This documentation describes the join process for Windows clients. It is the same for NT4-style and Active Directory domains.
To allow Samba 4 Active Directory or Microsoft Active Directory to manage a computer, we need to join the computer into the active directory.
It involves:


# Configuring DNS Settings
# Configuring Date & Time and Time Zone
# Joining the domain








= System Requirements =


== Windows Version ==
== Step 1: Configure DNS Setting for Windows ==

To join a Domain, the Windows version requires the necessary capabilities. The following Windows version are able to join Domains:

* Windows 8/8.1
** Pro
** Enterprise

* Windows 7
** Professional
** Ultimate
** Enterprise

* Windows Vista
** Business
** Ultimate
** Enterprise

* Windows XP
** Professional

* Windows 2000
** Professional

* Windows NT4 ''(can only join NT4-style domains)''



== Permissions ==

To join a client to a domain, you require
* local Administrator permissions on the computer you want to join
* knowledge of credentials of a Domain account, that is allowed to join machines to the domain.
** At least the Domain Administrator account can join computers to a domain, but it's possible that the permissions are [[Delegating_Administration_Permissions#Delegating_.27Joining_Computers_to_the_domain.27-permissions|delegated to other accounts]], too.
** In an Active Directory, [https://support.microsoft.com/kb/243327/en authenticated user accounts are allowed per default to join up to 10 machines] to the domain, if this wasn't changed or disabled by the Domain Administrator.

Ask your Domain Administrator for details.





= DNS Setting =

The client requies to have at least one DNS server configured, that is able to resolve names of the Domain it should join.


See [[DNS_Configuration_Windows|DNS Configuration on Windows]].
See [[DNS_Configuration_Windows|DNS Configuration on Windows]].
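Review bot: the new "DNS Setting" paragraph states the requirement ("at least one DNS server configured, that is able to resolve names of the Domain") but gives no way to confirm it before the join, so a failed join is the first signal the reader gets; consider adding a one-line check that resolves the domain name from the client. In the same paragraph "requies" should be "requires", and "The following Windows version are able" under "Windows Version" should read "versions". The Permissions entry names the Domain Administrator first; it could recommend the delegated account it links to as the preferred choice.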
Line 22: Line 63:




== Step 2: Configure Date & Time and Time Zone ==
= Date And Time Settings =

''If you're joining an NT4-style domain, this step is optional. But a correct system time is always recommended.''

Active Directory uses Kerberos for authentication, which relies on a fairly consistent time across the network. This makes it necessary, that, before you can join the client to the Domain, the time on the client does not differ more than [http://technet.microsoft.com/en-us/library/cc779260%28v=ws.10%29.aspx 5 minutes] (default setting in an AD) to your Domain Controller.

* Open the Control Panel.

* Navigate to „Clock, Language and Region“.

* Click „Date and Time“.
:[[Image:Date_and_Time_Settings.png]]

* Check your date, time and time zone settings.



Active Directory uses Kerberos as the backend for authentication. Kerberos requires that the system clocks on the client and server be synchronized to within a few seconds of each other. If they are not synchronized, then authentication will fail for apparently no reason.






= Joining A Windows Client To A Domain =
=== Configure the Date & Time ===
# Right-Click on the Time display in the system notification area, Select Adjust Date/Time.
# Change the Date and Time so the client matches the server to the minute, and click OK
#:[[Image:Samba4time.jpg]]


The procedure is for all Windows versions the same. It just differs in the ways opening the „System Properties“ window.


* Windows 8 / 8.1
:Search on the Modern UI screen for „System“ and click the icon.
:[[Image:Join_Win8_Search_System.png]]


* Windows 7
=== Configure the Time Zone ===
:Right-click to „Computer“ (e. g. on your desktop or in the start menu) and choose „Properties“.
# Right-Click on the Time display in the system notification area, Select Adjust Date/Time.
:[[Image:Join_Win7_Computer_Properties.png]]
# Click on the Time Zone Tab
# Change the Time Zone to match the Time Zone on the server.
#:[[Image:Samba4timezone.jpg]]


* Click „Change settings“ in the „Computer name, domain and workgroup settings“ area.
:[[Image:Join_Change_Settings.png]]


* In the „System properties“ window, click the „Change...“ button.
:[[Image:Join_System_Properties_Window.png]]


* Choose „Domain“ and enter the Domain name.
:[[Image:Join_Enter_Domain_Name.png]]
:''Note: If your client is able to resolve the NetBIOS name of your domain, you can use the this one (e. g. „samdom“). Otherwise you have to enter the full DNS name of your Domain (e. g. samdom.example.com).''


* Click „OK“


* If the computer is able to connect to the Domain Controller / PDC, you will be prompted for credentials that are allowed to join to the domain.
== Step 3: Joining Windows Clients to the Domain ==
:[[Image:Join_Enter_Credentials.png]]


* Click „OK“.
Now your Windows computer is ready to join the Active Directory (AD) domain,


* If the join succeeded, you will be welcomed in the domain.
As an Administrator:
:[[Image:Join_Welcome.png]]


* Reboot to take changes effect.
# Right Click My Computer -> Properties
# Choose the Computer Name tab, click Change...
# Click option 'Domain', insert SAMDOM.EXAMPLE.COM. If this fails, try SAMDOM.
#:[[Image:Samba4joindomain.jpg]]
# When it requests a username and password, type '''Administrator''' as the username, and '''p4$$word''' as the password.
# You should get a message box stating "Welcome to the SAMDOM.EXAMPLE.COM domain."
# Click OK on this message box and the Properties window, and you will be instructed to restart your computer.
# After restarting, you should be presented with the normal logon dialog.
# Change the domain to SAMDOM and type '''Administrator''' as the username, and '''p4$$word''' as the password.
#:[[Image:Samba4logindomain.jpg]]
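Review bot: the new credentials step ("you will be prompted for credentials that are allowed to join to the domain") should point back to the Permissions section, because the removed steps told readers to use Administrator with a literal password and the replacement names no account at all; a sentence recommending an account with delegated join permissions would close that gap. The new Date And Time list ends at "Check your date, time and time zone settings" without saying that the reference is the Domain Controller's clock, which the 5-minute sentence above it implies. Wording: "you can use the this one" and "Reboot to take changes effect" need fixing.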

Revision as of 23:50, 16 August 2014

Introduction

Computers that should be part of a Domain have to join it. After this process, they are members of the joined domain and able to access domain resources. During the join, an account for the machine is created, which allows the computer to authenticate itself in the domain.

This documentation describes the join process for Windows clients. It is the same for NT4-style and Active Directory domains.



System Requirements

Windows Version

To join a Domain, the Windows version requires the necessary capabilities. The following Windows versions are able to join Domains:

  • Windows 8/8.1
    • Pro
    • Enterprise
  • Windows 7
    • Professional
    • Ultimate
    • Enterprise
  • Windows Vista
    • Business
    • Ultimate
    • Enterprise
  • Windows XP
    • Professional
  • Windows 2000
    • Professional
  • Windows NT4 (can only join NT4-style domains)


Permissions

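To join a client to a domain, you require

  • local Administrator permissions on the computer you want to join
  • knowledge of the credentials of a Domain account that is allowed to join machines to the domain.
    • At least the Domain Administrator account can join computers to a domain, but it's possible that the permissions are delegated to other accounts, too.
    • In an Active Directory, authenticated user accounts are allowed per default to join up to 10 machines to the domain, if this wasn't changed or disabled by the Domain Administrator.
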
Ask your Domain Administrator for details.



DNS Setting

The client requires at least one configured DNS server that is able to resolve names of the Domain it should join.

See DNS Configuration on Windows.



Date And Time Settings

If you're joining an NT4-style domain, this step is optional. But a correct system time is always recommended.

Active Directory uses Kerberos for authentication, which relies on a fairly consistent time across the network. Before you can join the client to the Domain, the time on the client must therefore not differ by more than 5 minutes (default setting in an AD) from your Domain Controller.

  • Open the Control Panel.
  • Navigate to „Clock, Language and Region“.
  • Click „Date and Time“.
  • Check your date, time and time zone settings.



Joining A Windows Client To A Domain

The procedure is the same for all Windows versions. It differs only in how you open the „System Properties“ window.

  • Windows 8 / 8.1
    Search on the Modern UI screen for „System“ and click the icon.
  • Windows 7
    Right-click „Computer“ (e. g. on your desktop or in the start menu) and choose „Properties“.
  • Click „Change settings“ in the „Computer name, domain and workgroup settings“ area.
  • In the „System properties“ window, click the „Change...“ button.
  • Choose „Domain“ and enter the Domain name.
    Note: If your client is able to resolve the NetBIOS name of your domain, you can use this one (e. g. „samdom“). Otherwise you have to enter the full DNS name of your Domain (e. g. samdom.example.com).
  • Click „OK“.
  • If the computer is able to connect to the Domain Controller / PDC, you will be prompted for credentials of an account that is allowed to join machines to the domain.
  • Click „OK“.
  • If the join succeeded, you will be welcomed in the domain.
  • Reboot for the changes to take effect.
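
The DNS and time prerequisites and the join itself can also be checked from a PowerShell prompt. The following script is an added example, not part of the SambaWiki page or the Samba project. It assumes the page's example domain samdom.example.com, Windows 8 or later with PowerShell 3.0+, and an elevated prompt; the parameter names and the -Join switch are hypothetical, and _ldap._tcp.dc._msdcs is the standard Active Directory DC locator record, so the DNS check applies to AD domains only.

```powershell
# Added example: pre-join checks for the DNS and time prerequisites, then the join.
# Assumptions: samdom.example.com (the page's example domain), PowerShell 3.0+
# on Windows 8 or later, run from an elevated prompt (local Administrator).
param(
    [string]$Domain = 'samdom.example.com',
    [int]$MaxSkewSeconds = 300,   # 5 minutes, the AD default named above
    [switch]$Join                 # without -Join the script only checks
)

# 1. DNS: the configured DNS server must return the domain's DC locator records.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No domain controller SRV records found for $Domain." }
$dc = ($srv | Sort-Object Priority | Select-Object -First 1).NameTarget
Write-Host "DNS ok: $Domain resolves, domain controller is $dc"

# 2. Time: take one offset sample against that DC and compare with the limit.
$sample = w32tm /stripchart "/computer:$dc" /samples:1 /dataonly | Select-Object -Last 1
if ($sample -notmatch ',\s*([+-]?\d+\.\d+)s\s*$') {
    throw "Could not measure the time offset against ${dc}: $sample"
}
$skew = [math]::Abs([double]$Matches[1])
if ($skew -gt $MaxSkewSeconds) {
    throw "Clock differs from $dc by $skew s (limit $MaxSkewSeconds s); fix date, time and time zone first."
}
Write-Host "Time ok: offset to $dc is $skew s"

# 3. Join: prompt for the join account instead of storing a password in the script.
if ($Join) {
    $cred = Get-Credential -Message "Account allowed to join machines to $Domain"
    Add-Computer -DomainName $Domain -Credential $cred -Restart
}
# After the reboot, Test-ComputerSecureChannel returns True when the machine
# account created during the join authenticates against the domain.
```

Run without -Join, the script only reports whether the client meets both prerequisites; prompting with Get-Credential keeps the join account's password out of the script and the command history.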