Joining a domain

Dooma

I learned in MS AD class that you do not need to join a Windows 2000 AD
domain but the workstation will join the domain, automatically, once you
log on with AD username and password. If this is correct, I tried to log on
from a Windows 2000 Pro machine and it did not. Any idea?

Thanks in advance.
 
Chris Knapp

Get a refund.
Windows 9x/Me computers cannot be members of a domain. (However, to be able
to access resources, they don't need to.)
However for NT, 2K, XP, & 2k3, the computers have to have matching "computer
accounts" in AD.
No matter what kind of computer you are using, you must have a valid "user
account" to access resources. (assuming guest account is disabled)

None of this is done automatically for you. It's all very deliberate...
 
Scott Harding - MS MVP

Not correct. You have to make it join the domain and supply a username and
password with rights to let computers join a domain. Where did you take this
class? I find it insane that someone who is teaching a class about AD would
tell you this. Probably a misunderstanding........
 
Dooma

I just finished the class @ New Horizon. I remember the trainer saying that
with a 2000 Pro machine anybody can join the domain w/o administrative
permission.
 
Chris Knapp

Well, technically that statement is true. However, you have to be an
administrator on the Domain, as well as on the Workstation.
The process goes as follows:

Log in to the 2000 desktop as a local administrator.
Add it to the domain.
It will ask for a username & password. Use the login & pwd of someone with
administrator privileges on the domain you are joining. (the domain
administrator account for example.)

You just have to remember that local users on your workstation are
completely separate from domain users, even after you join that workstation
to the domain.
 
Roland Hall

: I just finished the class @ new Horizon. I remember the trainer saying that
: with 2000 pro machine anybody can join the domain w/o administrative
: permission.

If an administrator creates a computer account in ADUC, they can specify who
can add THAT computer to the domain. There is also a check box to allow all
PRE-W2K computers to use that account. Perhaps this is what your trainer
was alluding to. I would verify that with him/her.

You do not have uncontrollable rights to add any computer to a domain, at
will.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
 
Dooma

I just joined a win2000 AD domain using a regular user domain user name. I
logged in to the machine as local admin. I joined the domain. I typed a
regular AD domain username and password and it joined the domain. I am sure
the user name I typed is not part of the admin group, only part of the domain
users group.
 
Roland Hall

: I just joined a win2000 AD domain using a regular user domain user name. I
: logged in to the machine as local admin. I joined the domain. I typed a
: regular AD domain username and password and it joined the domain. I am sure
: the user name I typed is not part of the admin group, only part of the
: domain users group.

Yes, you joined a domain by passing domainuser and password to authenticate.
It tells you that if you want to add that computer to the domain, then you
have to provide credentials with an account that has those rights, which you
did. This is not what I was speaking of.

I said there is a way for the Domain Admin to give rights to someone to add
their computer to the domain with their credentials, not by passing
credentials for a domain admin. Your local admin or local/global user does
not have rights to do that unless express rights have been given, as I
mentioned in my original post.

In NT 4, a Domain Admin could add a computer account to the domain prior to
the computer even existing. Then when the system was built, anyone could
add that computer to the domain because the account had already been created
on the domain. There were times over the years when trying to add a
workstation to a domain, on NT 4, by passing credentials didn't work so the
workaround was to add the computer account through server manager, let it
synchronize or force a domain synchronization and then go to the workstation
and tell it to add the computer to the domain. Since the account already
existed, the computer was added automatically without requiring Admin
credentials to be passed from the client. These might have been issues that
were fixed in an SP or a hot fix.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
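
Dooma's result above (a plain Domain Users account joining a workstation) matches Active Directory's default of letting any authenticated user create a limited number of computer accounts. The following is an added example, not part of the original thread, for auditing that setting and who has used it; it assumes read access to the directory and the RSAT ActiveDirectory PowerShell module, which postdates the Windows 2000 systems discussed here.

```powershell
# Added example: audit who is able to join computers to the domain.
# Assumption: RSAT ActiveDirectory module, run from a domain-joined host.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. Number of computer accounts an ordinary authenticated user may create.
#    The default is 10; 0 means only accounts with delegated rights can
#    join machines to the domain.
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
          -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

# 2. Computer accounts created through that quota record the creator's SID
#    in mS-DS-CreatorSID. Accounts created by someone who holds create
#    rights on the container (for example an administrator pre-staging the
#    account in ADUC) do not carry the attribute.
Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
               -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = $_.'mS-DS-CreatorSID'
        try {
            # Resolve the SID to DOMAIN\user for the report.
            $who = $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch {
            # Creator account was deleted or cannot be resolved.
            $who = $sid.Value
        }
        [pscustomobject]@{
            Computer = $_.Name
            JoinedBy = $who
            Created  = $_.whenCreated
        }
    } |
    Sort-Object JoinedBy, Created |
    Format-Table -AutoSize
```

An empty table combined with a quota of 0 means every join went through pre-staged accounts or delegated rights, the arrangement Roland Hall describes.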
 
