Active Directory - Adding machines
April 22, 2004
An important first concept with Active Directory is that computers have
accounts in the directory, just as people (users) have accounts.
User accounts are typically created automatically by the ACS Amaint system,
but computer accounts can only be created manually, and only by someone
authorized to do so.
Computers use their accounts to automatically "log in" to the directory
at startup, in the background. At this time, a number of things happen,
including any computer specific Group Policy being applied and Kerberos
keys being exchanged.
Adding machines to the directory is one of the initial steps in getting
started with Active Directory and this page will document the needed steps.
First, an Organizational Unit (OU) within SFU's AD must be created and
configured. Configuration involves
- creating a Global group containing one or more people that will act as
  administrators
- creating a Domain Local group with a single member, the above named Global
  group
- giving the Domain Local group full control of the newly created OU
- making the Global group a member of the SFU Lan Admins group (this allows
  members of the group to create Group Policy, something that is strangely
  not possible even with full control of an OU)
Contact the AD Domain Administrator to have these steps performed.
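The four configuration steps above, as an added example written with the ActiveDirectory PowerShell module (this is not the page's or SFU's own procedure; the OU name, group names, member IDs and the "OU=Delegation Groups" container are assumptions). The groups are deliberately placed outside the delegated OU so that its administrators cannot edit the membership of their own admin group.

```powershell
# Added example: OU delegation as described on the page. Names are assumptions.
Import-Module ActiveDirectory

$domainDn   = (Get-ADDomain).DistinguishedName           # e.g. DC=ad,DC=sfu,DC=ca
$ouName     = 'ExampleDept'                              # assumed OU name
$ouDn       = "OU=$ouName,$domainDn"
$groupsDn   = "OU=Delegation Groups,$domainDn"           # assumed; NOT under the delegated OU
$globalName = 'ExampleDept-Admins'                       # assumed Global group name
$localName  = 'ExampleDept-OU-FullControl'               # assumed Domain Local group name
$adminUsers = @('alice', 'bob')                          # assumed CCN IDs of the OU administrators
$lanAdmins  = 'SFU Lan Admins'                           # group named on the page

# The OU itself.
New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true

# 1. Global group holding the people who will administer the OU.
New-ADGroup -Name $globalName -GroupScope Global -GroupCategory Security -Path $groupsDn
Add-ADGroupMember -Identity $globalName -Members $adminUsers

# 2. Domain Local group whose single member is the Global group.
New-ADGroup -Name $localName -GroupScope DomainLocal -GroupCategory Security -Path $groupsDn
Add-ADGroupMember -Identity $localName -Members $globalName

# 3. Full control of the OU and everything beneath it, granted to the Domain Local group only.
$sid = (Get-ADGroup -Identity $localName).SID
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 4. Membership of SFU Lan Admins, which the page notes is what permits creating Group Policy.
Add-ADGroupMember -Identity $lanAdmins -Members $globalName

# Verify: the OU's ACL should now list the Domain Local group with GenericAll.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$localName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```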
Once the OU has been created and configured, you can add machines to
the directory. This is a two-step process.
Step One - Create a computer object in your OU.
Note: This can be done from any machine with a web browser.
- Go to the Add Computer Objects to Active Directory page.
- Fill in your CCN ID (aka UNIX ID), your password, and your CCN ID again.
- Select your OU from the list.
- Fill in the fully qualified DNS names of the machine that you wish
  to become members of Active Directory. The input box will take a
  list of machines, but for now, just specify one.
- Click Add Hosts.
All going well, you will get a message informing you that the machine was
successfully added to AD.
It should be noted that no checking is done on the validity
of the machine name by the above step. Type the machine name in incorrectly,
or type in the name of a non-existent machine, and you will still get a success
message. Something will be created in AD, but things just
won't work later, or will work erratically. Be sure you have the machine
name typed/pasted in correctly.
It is now very important to allow enough time for the
newly created object to be replicated to all the domain controllers before
proceeding with Step Two below!
Failure to do so could result in all manner of problems, some difficult
to track down. For example, a second object with a seemingly identical
name will be created in the Computers OU, and THIS is the "actual" object
associated with the computer. The object you think you have created
in your OU and you think you are applying Group Policy to is an orphan,
and unrelated to the machine you think you are working on.
The time to wait could be up to 15 minutes. The easiest way to
check if enough time has elapsed is to use Active Directory Users and Computers,
connected to ADSERVER28.AD.SFU.CA. Since the web page above uses either
ADSERVER21 (by default) or ADSERVER24 (if the default server has some problem), if
ADSERVER28 knows about the object in your OU, replication must have occurred.
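The replication check described above, plus a check for the orphan scenario (a second object with the same name outside your OU), as an added example that is not part of the original page. It assumes the ActiveDirectory module and that ADSERVER21 and ADSERVER24 are reachable under the AD.SFU.CA suffix like ADSERVER28; the computer and OU names in the usage line are assumptions.

```powershell
# Added example: query each domain controller directly and report where the object lives.
Import-Module ActiveDirectory

function Test-ComputerObjectReady {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # host part of the DNS name entered in Step One
        [Parameter(Mandatory)][string]$OUPath,         # distinguished name of your OU
        [string[]]$DomainControllers = @('ADSERVER21.AD.SFU.CA', 'ADSERVER24.AD.SFU.CA', 'ADSERVER28.AD.SFU.CA')
    )
    $ok = $true
    foreach ($dc in $DomainControllers) {
        try {
            # Search the whole domain on this DC, not just your OU, so duplicates are seen too.
            $found = @(Get-ADComputer -Filter "Name -eq '$ComputerName'" -Server $dc -ErrorAction Stop)
        } catch {
            Write-Warning "$dc : query failed ($($_.Exception.Message))"
            $ok = $false
            continue
        }
        $inOu      = @($found | Where-Object { $_.DistinguishedName -like "*,$OUPath" })
        $elsewhere = @($found | Where-Object { $_.DistinguishedName -notlike "*,$OUPath" })
        if ($inOu.Count -ne 1) {
            Write-Warning "$dc : object not yet visible in $OUPath (replication still pending?)"
            $ok = $false
        }
        foreach ($dup in $elsewhere) {
            # The page's failure mode: a second object, typically in the Computers container,
            # that is the one actually linked to the machine while yours is an orphan.
            Write-Warning "$dc : duplicate '$ComputerName' found at $($dup.DistinguishedName)"
            $ok = $false
        }
    }
    return $ok
}

# Usage (assumed names): only proceed to Step Two when every DC agrees.
if (Test-ComputerObjectReady -ComputerName 'LAB-PC01' -OUPath 'OU=ExampleDept,DC=ad,DC=sfu,DC=ca') {
    Write-Host 'Object is present on every DC and unique; safe to proceed to Step Two.'
}
```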
Step Two (a) - Windows 7 only.
Microsoft changed something with Windows 7, and an additional step is required
beyond those required with XP/Win2k. Go to
Control Panel > Network and Sharing > Local Area Connection > Properties >
IPV4 Properties > Advanced > DNS
and add ad.sfu.ca as a DNS suffix to append.
Step Two (b) - Link the actual machine to the object created above.
- Log in as administrator to the machine.
- Go to Control Panel > System > Network Identification > Properties
- Ensure that the Full computer name is correct (i.e., exactly matches the
  record in the DNS)
- Leave Computer Name alone. This is the NetBIOS name, and NetBIOS is still
  used by a number of AD functions. The NetBIOS name is derived from the DNS
  name and must be unique throughout all of SFU. The DNS naming standard
  ensures uniqueness of NetBIOS names, so leave the Computer name alone.
- Click More.
- Ensure that the Primary DNS suffix is correct (you may have to fill it in)
- If there is a checkmark beside Change Primary DNS suffix ..., remove it.
- Click OK if you've made a change here, Cancel if you haven't.
- In the Member of area, select Domain
- Fill in ad.sfu.ca
- Click OK
- Fill in your CCN ID and password and click OK.
- After a delay, you should see the message "Welcome to the ad.sfu.ca
  domain". Click OK.
- You will be warned to reboot. Click OK.
- Click OK to close the System Properties page.
- Click Yes to reboot.
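Step Two (a) and (b) as one script, added here as an example and not part of the original page: it appends the ad.sfu.ca search suffix, checks that the full computer name matches the DNS record before joining, clears the "change primary DNS suffix when domain membership changes" option, then joins and reboots. It assumes the DnsClient and NetTCPIP modules (Windows 8/Server 2012 or later) and that the script runs elevated on the machine being joined; the FQDN is an assumption.

```powershell
# Added example: Step Two on the machine itself. The expected FQDN is an assumed value.
$expectedFqdn = 'lab-pc01.example.sfu.ca'   # assumed: the DNS name you entered in Step One
$adDomain     = 'ad.sfu.ca'                  # domain named on the page
$tcpipKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Step Two (a): append ad.sfu.ca to the DNS suffix search list if it is not already there.
$suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
if ($suffixes -notcontains $adDomain) {
    Set-DnsClientGlobalSetting -SuffixSearchList ($suffixes + $adDomain)
}

# Step Two (b): the full computer name (host + primary DNS suffix) must equal the DNS record.
$dot            = $expectedFqdn.IndexOf('.')
$expectedHost   = $expectedFqdn.Substring(0, $dot)
$expectedSuffix = $expectedFqdn.Substring($dot + 1)
$hostName       = $env:COMPUTERNAME                           # NetBIOS name; the page says leave it alone
$primarySuffix  = (Get-ItemProperty -Path $tcpipKey).'NV Domain'
if ($hostName -ne $expectedHost) {
    throw "Computer name '$hostName' does not match the DNS record '$expectedHost'; fix DNS or the object first"
}
if ($primarySuffix -ne $expectedSuffix) {
    Set-ItemProperty -Path $tcpipKey -Name 'NV Domain' -Value $expectedSuffix   # Primary DNS suffix
    Set-ItemProperty -Path $tcpipKey -Name 'Domain'    -Value $expectedSuffix
}
# Uncheck "Change primary DNS suffix when domain membership changes".
Set-ItemProperty -Path $tcpipKey -Name 'SyncDomainWithMembership' -Value 0 -Type DWord

# Sanity check: the forward lookup of the FQDN must resolve to an address on this machine,
# otherwise Kerberos and Group Policy will misbehave later exactly as the page warns.
$dnsAddrs   = (Resolve-DnsName -Name $expectedFqdn -Type A -ErrorAction Stop).IPAddress
$localAddrs = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
if (-not ($dnsAddrs | Where-Object { $localAddrs -contains $_ })) {
    throw "DNS record for $expectedFqdn does not point at this machine"
}

# Join ad.sfu.ca with your CCN ID; the object pre-created in Step One is matched by name.
$cred = Get-Credential -Message 'CCN ID and password'
Add-Computer -DomainName $adDomain -Credential $cred -Restart
```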
Logging in
In the Username field of the Log on to Windows
dialog, fill in your ID in the form username@sfu.ca.
In my case, it would be alan@sfu.ca
Notice that the moment you type in the @
character, the Log on to: field goes
grey. The @ symbol implies a domain logon and it means that the logon
information will be retrieved from a Global Catalog server.
Alternatively, you could simply fill in your ID without the @sfu.ca
and then pick ADSFU from the Log on to: list, but getting your users in the
habit of typing username@sfu.ca is not a bad thing.
Notes:
See the SFU
Active Directory Guide for more information on OUs and their significance
within SFU.