Creating Computer Objects
Because an AD DS forest uses a centralized directory, there has to be some means of tracking the actual computers that are part of the domain. To do this, Active Directory uses computer accounts, which are realized in the form of computers objects in the Active Directory database. You might have a valid Active Directory user account and a password, but if your computer is not represented by a computer object, you cannot log on to the domain using that system.
Computer objects are stored in the Active Directory hierarchy just like user objects are; they possess many of the same capabilities, such as the following:
- Computer objects consist of properties that specify the computer's name, where it is located, and who is permitted to manage it.
- Computer objects inherit group policy settings from container objects such as domains, sites, and OUs.
- Computer objects can be members of groups and inherit permissions from group objects.
When a user attempts to log on to an Active Directory domain, the client computer establishes a connection to a domain controller to authenticate the user's identity. Before the user authentication occurs, the two computers perform a preliminary authentication by using their respective computer objects to ensure that both systems are part of the domain. The Netlogon service running on the client computer connects to the same service on the domain controller, and each one verifies that the other system has a valid computer account. When this validation is completed, the two systems establish a secure communications channel (the secure channel) between them, which they then use to begin the user authentication process.
The computer account validation between the client and the domain controller is a genuine authentication process using account names and passwords, just as when a user authenticates to the domain. The difference is that the password for a computer account is generated automatically, stored on the computer and in the directory, and never shown to anyone; the computer changes it on its own (every 30 days by default). Administrators can reset a computer account, but they never have to supply a password for it.
What this means for administrators is that, in addition to creating user accounts in the domain, they also have to make sure that the network computers are part of the domain. Adding a computer to an AD DS domain consists of two steps:
- Creating a computer account:
You create a computer account by creating a new computer object in Active Directory and giving it the name of an actual computer on the network.
- Joining the computer to the domain:
When you join a computer to the domain, the system contacts a domain controller, locates (or creates) the computer object corresponding to its name, sets the computer account's password, and establishes a trust relationship with the domain in the form of the secure channel. From that point on the computer is identified in the domain by the SID of its computer object (its local machine SID does not change), and its group memberships are adjusted; by default it becomes a member of the Domain Computers group.
How these steps are performed and who performs them depends on the way in which you deploy computers on your network. There are many ways to create new computer objects, and how administrators elect to do this depends on several factors, including the number of objects they need to create, where they will be when creating the objects, and what tools they prefer to use.
Generally speaking, you create computer objects when you deploy new computers in the domain. Once a computer is represented by an object and joined to the domain, any user in the domain can log on from that computer. For example, you do not have to create new computer objects or rejoin computers to the domain when employees leave the company and new hires start using their computers. However, if you reinstall the operating system on a computer, you must either create a new computer object for it or reset the existing one and rejoin, because the fresh installation no longer holds the computer account's password and therefore cannot establish the secure channel as the existing account.
The creation of a computer object must always occur before the corresponding computer can join the domain, although it might not appear that way. There are two basic strategies for creating Active Directory computer objects, which are as follows:
- Create the computer objects in advance by using an Active Directory tool, so that the computers can locate the existing objects when they join the domain.
- Begin the joining process first and let the computer create its own computer object.
In either case, the computer object exists before the joining takes place. In the second strategy, the joining process appears to begin first, but the computer creates the object before the actual joining process begins.
When there are a number of computers to deploy, particularly in different locations, administrators can conceivably create the computer objects in advance. For large numbers of computers, it is even possible to automate the computer object creation process by using command-line tools and batch files, although many use a third-party tool for this task. The following sections examine the tools you can use for computer object creation.
Creating computer objects by using Active Directory Users And Computers
As with user objects, you can create computer objects by using the Active Directory Users And Computers console. To create computer objects in an Active Directory domain by using the Active Directory Users And Computers console or by using any tool, you must have the appropriate permissions for the container in which the objects will be located.
By default, the Administrators group has permission to create objects anywhere in the domain, and the Account Operators group has the special permissions needed to create computer objects in, and delete them from, the Computers container and any new OUs you create. Members of the Domain Admins and Enterprise Admins groups can also create computer objects anywhere. An administrator can also explicitly delegate control of containers to particular users or groups, enabling them to create computer objects in those containers. One further default to be aware of: the domain's ms-DS-MachineAccountQuota attribute, which is 10 unless changed, lets any authenticated user create up to that many computer objects simply by joining computers to the domain, with no delegated permission at all. Organizations that want computer object creation to go only through delegated accounts typically set it to 0.
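As an added example that is not part of the original text, the following Windows PowerShell script checks who currently holds the right to create computer objects in an OU, reads the domain's ms-DS-MachineAccountQuota, and then delegates create and delete rights for computer objects only. The OU, group and domain names are assumptions; the schemaIDGUID of the computer class is read from the schema rather than hard-coded.

```powershell
# Added example (not part of the original text). Assumes the ActiveDirectory
# module is available; the OU, group and domain names below are hypothetical.
Import-Module ActiveDirectory

$ou    = 'OU=Workstations,DC=contoso,DC=com'
$group = 'CONTOSO\Desktop-Admins'

# Resolve the schemaIDGUID of the computer class from the schema. An ACE whose
# ObjectType is this GUID is what the GUI shows as "Create/Delete Computer objects".
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$computerCls  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid = [guid]$computerCls.schemaIDGUID

# 1. Who may create computer objects directly in this OU? Include ACEs that
#    grant CreateChild for every object type (empty ObjectType) as well as
#    those scoped to the computer class.
$acl = Get-Acl -Path "AD:\$ou"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $computerGuid)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize

# 2. The domain-wide quota. Its default of 10 lets any authenticated user join
#    (and thereby create) up to ten computer objects in the Computers container
#    without any delegated permission at all.
$domainDN = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota"

# 3. Delegate exactly the rights the help-desk group needs on this OU and its
#    child OUs: create and delete computer objects, nothing else.
$sid    = ([System.Security.Principal.NTAccount]$group).Translate([System.Security.Principal.SecurityIdentifier])
$rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$rule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 4. Optional hardening once joins go through delegated accounts: turn the
#    quota off so only principals with an explicit ACE can create computer objects.
Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

Step 1 is worth running before any delegation work, because inherited ACEs from parent containers often grant more than the OU's own ACL suggests; step 4 changes a domain-wide setting and should be applied only after the delegation in step 3 covers everyone who legitimately joins computers.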
The process of creating a computer object in Active Directory Users And Computers is similar to that of creating a user object. You select the container in which you want to place the object and, from the Action menu, select New, Computer. The New Object - Computer Wizard starts.
The Properties sheet for computer objects in the Active Directory Users And Computers console shows relatively few attributes, and in most cases you will just supply a name, which can be up to 64 characters long; the pre-Windows 2000 (NetBIOS) name that the wizard derives from it is limited to 15 characters. This name must match the name of the computer that will be joined to the object.
Creating computer objects by using Active Directory Administrative Center
As with users, you can also create computer objects in the Active Directory Administrative Center. To create a computer object, you choose a container and then select New, Computer from the Tasks list to open the Create Computer dialog box.
Creating computer objects by using Dsadd.exe
As with users, the graphical tools provided with Windows Server 2012 R2 are good for creating and managing single objects, but many administrators turn to the command line when they have to create multiple objects.
The Dsadd.exe utility enables you to create computer objects from the command line, just as you created user objects earlier in this lesson. You can create a batch file of Dsadd.exe commands to generate multiple objects in one process. The basic syntax for creating a computer object by using Dsadd.exe is as follows:
dsadd computer <ComputerDN>
The <ComputerDN> parameter specifies a distinguished name for the new computer object you want to create. The DNs use the same format as those in CSV files, as discussed earlier.
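An added example, not from the original text, that drives Dsadd.exe from Windows PowerShell to create several computer objects from a list rather than from a hand-written batch file. The CSV content is constructed for the example, and the OU and domain controller names are assumptions.

```powershell
# Added example (not part of the original text). The CSV below is constructed
# for the example; the OU and domain controller names are hypothetical.
$csv = @'
Name,Description,Location
WKS-0101,Finance laptop,Building 1 / Floor 2
WKS-0102,Finance laptop,Building 1 / Floor 2
WKS-0103,Reception desk,Building 1 / Lobby
'@
$computers = $csv | ConvertFrom-Csv
$targetOU  = 'OU=Workstations,DC=contoso,DC=com'
$dc        = 'DC01.contoso.com'

foreach ($c in $computers) {
    $dn = "CN=$($c.Name),$targetOU"
    # -samid is the SAM account name, which for a computer is the name plus a
    # trailing $ (escaped so PowerShell does not expand it). -q suppresses the
    # success message so only failures reach the console; -s pins every call to
    # one DC so the dsquery below is not affected by replication lag.
    dsadd computer $dn -samid "$($c.Name)`$" -desc $c.Description -loc $c.Location -s $dc -q
    if ($LASTEXITCODE -ne 0) {
        # Dsadd never overwrites: a non-zero exit usually means the object
        # already exists or the caller lacks Create Computer objects on the OU.
        Write-Warning "dsadd failed for $dn (exit code $LASTEXITCODE)"
    }
}

# List what now exists directly under the OU, from the same DC.
dsquery computer $targetOU -scope onelevel -name 'WKS-01*' -s $dc
```

Checking $LASTEXITCODE after each native command is the part most batch files omit; without it a half-completed run looks identical to a successful one.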
Creating computer objects by using Windows PowerShell
Windows PowerShell includes the New-ADComputer cmdlet, which you can use to create computer objects with the following basic syntax. This cmdlet creates computer objects, but it does not join them to a domain.
New-ADComputer -Name <ComputerName> -Path <DistinguishedName>
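The following is an added example, not from the original text, that carries out the two-step procedure described earlier in this lesson (create the account, then join the computer) using New-ADComputer and Add-Computer, verifies the secure channel afterwards, and shows how to handle a rebuilt computer by resetting the existing account rather than creating a new object. The parts run on different machines, as the comments state; the computer, OU and domain names are assumptions.

```powershell
# Added example (not part of the original text). Names are hypothetical.
# ---- Part 1: on an administrative workstation or domain controller ----
Import-Module ActiveDirectory

$name     = 'WKS-0104'
$targetOU = 'OU=Workstations,DC=contoso,DC=com'

# Strategy 1: create the object before the computer joins. -Name must be the
# hostname the computer will present; New-ADComputer joins nothing.
New-ADComputer -Name $name -SamAccountName "$name`$" -Path $targetOU `
    -Description 'Finance laptop' -Location 'Building 1 / Floor 2' -Enabled $true

# Confirm where it landed and that the account is enabled.
Get-ADComputer -Identity $name -Properties Description, Location |
    Select-Object Name, DistinguishedName, Enabled, Description, Location

# ---- Part 2: on WKS-0104 itself, as a local administrator ----
# Add-Computer contacts a DC, finds the pre-created object by name, sets the
# machine account password and builds the secure channel. $cred is a domain
# account with delegated rights on the OU; Domain Admins membership is not
# required for that.
$cred = Get-Credential -Message 'Domain account permitted to join computers'
Add-Computer -DomainName 'contoso.com' -Credential $cred -Restart

# Strategy 2 (no pre-created object) is the same call with -OUPath, which makes
# the joining computer create its own object in that OU instead of in the
# default Computers container:
#   Add-Computer -DomainName 'contoso.com' -OUPath $targetOU -Credential $cred -Restart

# ---- Part 3: on WKS-0104 after the reboot ----
# Exercises the machine-to-DC secure channel the lesson describes; nltest shows
# which DC the channel is currently established with.
Test-ComputerSecureChannel -Verbose
nltest /sc_query:contoso.com

# If a joined machine's channel is broken (its stored password no longer
# matches the directory), repair it in place instead of rejoining.
if (-not (Test-ComputerSecureChannel)) {
    Test-ComputerSecureChannel -Repair -Credential $cred
}

# ---- Part 4: rebuilt computer, on the administrative workstation ----
# After an OS reinstall the machine no longer holds the account password. Reset
# the existing account so the rebuilt machine can rejoin under the same name,
# keeping the object's group memberships and OU placement; then run Part 2 again.
dsmod computer "CN=$name,$targetOU" -reset
```

Pre-creating with -Path is what keeps new computers out of the default Computers container, to which OU-linked Group Policy does not apply; Part 4 is preferable to deleting and recreating the object because the reset keeps the object's SID, and therefore every group membership and ACL that references it.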