Joining a machine to Active Directory
- Make sure the DNS hostname registered for the machine's IP address matches the computer name set in Windows. An easy way to check is to visit ipchicken.com, which shows your address and the name it resolves to. It also helps to choose a standard naming scheme and stick to it.
- Verify that cwru.edu is the primary DNS suffix and that it will not change when the machine joins the domain (leave the "Change primary DNS suffix when domain membership changes" box unchecked, so the suffix stays cwru.edu instead of switching to the domain's). To reach this screen, right-click on My Computer, then Properties, the Computer Name tab, the Change button, and the More button.
- This is a matter of preference, but I always open port 445 (SMB file and printer sharing) and port 3389 (Remote Desktop) in the Windows XP firewall. If you do, scope each exception to the campus network or the local subnet rather than to all addresses; both services are routinely probed.
- I open 445 so that users can easily share printers and files. Because it is relatively simple to grant explicit permissions to specific ADS users and groups, the old problem of everyone opening up their PC with wide-open, insecure file shares has almost disappeared.
- I open 3389 so that Remote Desktop is ready to go for my users. I do not turn on Remote Desktop for every user, but when someone asks I can walk them through enabling it over the phone and they never have to touch the firewall.
- If you do not have the Novell client installed, skip the Novell bullets and go on to the Kerberos step.
- If you do have the Novell client installed, this step is very important. Without a registry change, the Novell client's boot-up/logon screen will not offer INS.CWRU.EDU as a domain to log in to, and logging in to that domain is what gets you your ADS account.
- The Case ADS site says that Novell is not supported in this release. Please ignore this; it works fine with the following registry change. In Regedit, find the GinaDLL value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (searching the registry for "GinaDLL" will take you there). Export the Winlogon key first, because a GinaDLL value that points at a missing or broken DLL leaves the machine unable to show any logon screen. Then change the data from "NWGina.dll" to "MSGina.dll" and you are ready to go.
- This changes your logon sequence as follows:
- A) You log into Windows/ADS.
- B) Immediately after the Windows/ADS logon, the NetWare logon screen appears and you can log into NetWare or hit Cancel.
- Note that if your Case password and your NetWare password match, you will not get the NetWare prompt; it logs into NetWare automatically. (This is harder to arrange than it sounds: eight characters is the minimum length for a Case password and the maximum length for a NetWare password, so the two can only match if the password is exactly eight characters long.)
- Next, configure the machine to authenticate against Case's Kerberos server using KSetup.exe and the batch file KSetup.bat. Download both to the same directory and run the batch file. It finishes in a second or two. Before rebooting, run ksetup with no arguments to print the realm and KDC settings it wrote, so you can confirm they match what the batch file was supposed to set.
- You should be running Windows XP SP2 (or later), which includes a fix for the way Case implemented Kerberos in combination with Active Directory. If you want the details, or need the hotfix for an earlier version of Windows, see Microsoft Knowledge Base article 825081.
- Reboot!
- Before a machine can join Active Directory, a computer object with its name must already exist in Active Directory. If this is your VERY FIRST machine to join the domain, the Case ADS team created it for you.
- For your second and later machines, use Active Directory Users and Computers from the Windows Server 2003 Administration Tools to create the computer object in the proper OU (Organizational Unit). Active Directory Users and Computers only works from a machine that is already a member of Active Directory, and you must be logged in with your OU Admin account.
- To create a new computer object in your OU, right click on the OU and click New - Computer.
- Note that the "User or Group" field has been changed to my OU Admins group, OPP OU Admins. Change this to your own OU Admin group; it controls which account is allowed to join a computer with this name to the domain.
- The next screen (whether this is a managed computer) can be ignored. Click Next, and then Finish.
- Do not reboot yet. (You can, but I find it easier not to.) Go to Control Panel, User Accounts, and add both the OU Admin account and the new user's ADS account to the machine. Give the OU Admin account local Administrators membership and put the user in the Users group unless they genuinely need local administrator rights.
- Reboot and have the new user log in with their Case ID and Case password. I believe the password must meet the standard complexity requirements and have been set within the last two years. If they are sure they are using the correct password but still cannot log in, have them change their Case password to meet the complexity requirements (eight characters or more, upper- and lower-case letters, at least one digit, and not similar to a previous password) and they will most likely be able to log in.
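The whole procedure above, as an added example that is not part of the original page and not a Case ADS or Novell script: one batch file that does the same work from the command line, split into phases so each runs on the machine it belongs to (firewall, GINA change and join on the new PC; object pre-creation on a machine already in the domain under your OU Admin account; local accounts after the post-join reboot). Everything it names is an assumption for illustration: the OU path OU=OPP,DC=ins,DC=cwru,DC=edu, the NetBIOS domain name INS, the OU Admin account oppadmin, the computer name and the user ID abc123. Unlike the GUI steps, the firewall phase scopes the file-sharing and Remote Desktop openings to the local subnet.

```batch
@echo off
setlocal
rem Added example, not from the original page. Phases:
rem   firewall   - on the new machine, as local Administrator
rem   gina       - on the new machine, only if the Novell client is installed
rem   precreate  - on a machine already in the domain, as your OU Admin account
rem   join       - on the new machine, as local Administrator
rem   accounts   - on the new machine after the post-join reboot
rem Tools: reg.exe, netsh.exe and net.exe (built into XP SP2), dsadd/dsquery
rem (Windows Server 2003 Administration Tools), netdom.exe (Support Tools).
rem The OU path, NetBIOS domain name, OU Admin account, group name, computer name
rem and user ID below are made-up placeholders; replace them with your own.

set NEWPC=OPP-LAB-01
set OU=OU=OPP,DC=ins,DC=cwru,DC=edu
set DOMAIN=ins.cwru.edu
set NBDOMAIN=INS
set ADMINGROUP=OPP OU Admins
set OUADMIN=oppadmin
set NEWUSER=abc123
set WINLOGON=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

if "%1"=="" goto usage
goto %1

:firewall
rem Open file/print sharing (TCP 139/445, UDP 137/138) and Remote Desktop (TCP 3389),
rem restricted to the local subnet instead of every address that can reach the PC.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET
netsh firewall show service
goto :eof

:gina
rem Show the current GINA, back up the Winlogon key (a wrong GinaDLL stops any
rem logon screen from appearing), then point Winlogon at the Microsoft GINA.
reg query "%WINLOGON%" /v GinaDLL
reg export "%WINLOGON%" "%SystemDrive%\winlogon-backup.reg"
reg add "%WINLOGON%" /v GinaDLL /t REG_SZ /d MSGina.dll /f
reg query "%WINLOGON%" /v GinaDLL | find /i "MSGina.dll" >nul
if errorlevel 1 (
    echo GinaDLL was not changed. Restore with: reg import %SystemDrive%\winlogon-backup.reg
    exit /b 1
)
echo GinaDLL now points at MSGina.dll. Reboot before continuing.
goto :eof

:precreate
rem Create the computer object in your OU and confirm it exists. dsadd cannot fill
rem in the GUI's "User or Group can join this computer" field, so the join phase
rem supplies OU Admin credentials instead.
dsadd computer "CN=%NEWPC%,%OU%" -desc "Joined by script"
dsquery computer -name %NEWPC%
goto :eof

:join
rem Join into the pre-created object. /passwordd:* prompts for the OU Admin
rem password so it never sits in the script or the command history.
netdom join %NEWPC% /domain:%DOMAIN% /userd:%NBDOMAIN%\%OUADMIN% /passwordd:* /reboot:10
goto :eof

:accounts
rem After the reboot: OU admins get local Administrators, the user gets plain Users.
rem Uncomment the Remote Desktop Users line only when the user asks for Remote Desktop.
net localgroup Administrators "%NBDOMAIN%\%ADMINGROUP%" /add
net localgroup Users "%NBDOMAIN%\%NEWUSER%" /add
rem net localgroup "Remote Desktop Users" "%NBDOMAIN%\%NEWUSER%" /add
net localgroup Administrators
goto :eof

:usage
echo Usage: %~nx0 firewall ^| gina ^| precreate ^| join ^| accounts
exit /b 1
```

Run each phase by name, e.g. `joinpc.bat gina` on the new machine, then `joinpc.bat precreate` from your OU Admin session before `joinpc.bat join` and, after the reboot, `joinpc.bat accounts`. The gina phase verifies the value it wrote before telling you to reboot, and the firewall phase prints the resulting service scopes so you can confirm they are not open to all addresses.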