Instructions for Joining Machines to CalNetAD

Updated: 02/19/2004 Version 2.04

I.   Pre-create Computer Account
II.  Enable NTLM v2 Support
     A.  Windows 2000
     B.  Windows Server 2003 and XP
III.  Additional Windows XP/Server 2003 Policy Settings
IV.  Join the Machine to the Campus domain
V. Troubleshooting

I. Pre-create the Computer Account

Assumptions:

• User is logged on with a CalNetAD administrator account in the target domain, campus.berkeley.edu domain.
• This script must be run from a machine that is a member of the target domain, campus.berkeley.edu.
• You will need the fully qualified domain name (FQDN) of the machine (example: na1.coe.berkeley.edu) to be joined to the campus domain.

Steps: Follow these steps to pre-create your computer account in CalNetAD.

1. Login to the campus domain using your CalNetAD administrator account.
2. Download and unzip the create-computer.wsf script for creating a computer account.
3. Create the computer account using the syntax indicated below. For example, when creating the myserver.coe.berkeley.edu computer account in the Computers OU under the COE top-level OU, the syntax should be:

   cscript create-computer.wsf /host:myserver.coe.berkeley.edu /ou:ou=computers,ou=coe

Instructions for the running create-computer.wsf script can be found here.

II.  Configure NTLM v2 Support

For security reasons, CalNetAD supports only two authentication protocols, Kerberos v5 and NTLM v2. By default, Kerberos authentication is used by machines running Windows 2000 or higher that are members of the Campus.Berkeley.Edu domain.  NTLM v2 support is enabled to allow downlevel Windows clients and standalone Windows 2000/XP/Server 2003 machines to authenticate and/or join CalNet AD.

Assumptions:

•   You are logged on as local administrator of the machine.
•   The machine is a member of a workgroup, not a domain.
•   The machine is running on Windows 2000 or higher.

  A.   Windows 2000

1. Log in to the machine using an account with local Administrator privileges.
2. Open the Local Security Policy console in the Administrative Tools program group.
3. Drill down to Local Policies -> Security Options.
4. Double-click the LAN Manager Authentication Level setting.
5. Verify that Send NTLMv2 response only is selected.
6. Open a command prompt and issue apppriate policy refresh command as listed below:

   secedit /refreshpolicy machine_policy

B.  Windows Server 2003 and XP

1. Log in to the machine using an account with local Administrator privileges.
2. Open the Local Security Policy MMC in the Administrative Tools program group.
3. Drill down to Local Policies -> Security Options.
4. Double-click the Network Security: LAN Manager Authentication Level setting.
5. Verify that Send NTLMv2 response only is selected.
6. Open a command prompt and issuepolicy refresh command as listed below:

gpupdate

III. Additional Server 2003/XP Settings

Server 2003 and XP machines by default allows computer startup or user logon without waiting for full network initialization.  This allows for faster boot up or user logon.  This setting on Windows 2003 and XP has introduced intermittent issues related to GPO settings, such as software installation to computers, as well as other issues related to user logon, such as expired credentials.  To avoid potential issues, it is important toconfigure Server 2003 and XP machines to wait for full network initialization before computer startup and user logon.  Note that Windows 2000 machines, by default, waits for complete network initialization before computer startup or logon.   

Assumptions:

•   You are logged on as local administrator of the machine.
•   The machine is a member of a workgroup, not a domain.
•   The machine is running on Windows 2003 or XP.
  

  Steps:

  1. Click Start, and then click Run.
  2. In the Open box, type mmc, and then click OK.
  3. On the File menu, click Add/Remove Snap-in.
  4. Click Add.
  5. Under Available Stand-alone Snap-ins, click Group Policy, and then click Add.
  6. Click Finish.
  7. Click Close, and then in the Add/Remove Snap-in dialog box, click OK.
  8. Expand Local Group Policy.
  9. Open Computer Configuration.
  10. Go to Administrative Templates/System/Logon.
  11. Double-click on the setting "Always wait for network on computer startup or user logon".
  12. Make sure that you enable this setting.
  13. Close the Group Policy Object Editor console.
  14. Refresh the policy by issuing the gpupdate command from the command line.

IV. Join the Machine to the Campus domain

When joining your machine to the domain, we recommend pre-creating the computer account first. For instructions on using the CalNetaAD script for creating computers, please refer to Section I: Pre-create the computer account.

Once the machine account has been created, follow the step-by-step guide below for manually joining machines to the domain.

For machines running on Windows 2000 or higher, there is a script that automates the join process. Instructions for using the joindomain.cmd script can be found here.  Due to the countless number of possible machine configurations, it is not 100% guaranteed that this script will work. For cases where the script fails, following the step-by-step process below should allow you to join the machine to the Campus domain.

Assumptions:

• User has a local administrator rights on the machine to be joined to the CAMPUS domain.
• The machine is a member of a workgroup, not a domain.
• The machine is running Windows 2000 or XP.
• You can also join downlevel Windows clients, Windows 95, 98 and Windows NT 4, to the campus domain. However, the CalNetAD service does not provide any support for these machines. Also, most of the Active Directory features such as Group Policy will not be available for these machines.
  •   For help in configuring NTLM v2 for dowlevel machines, refer to the Microsoft Knowledge Base Article 147706.
  •   We also recommend installing the Active Directory Client Extension so the client machines can support some of the Active Directory features as listed here.
• The TCP/IP NetBIOS Helper service must be running. Otherwise, you will get the error message: "Network Location Cannot be Reached" Error Message When You Try to Join a Domain".
• The machine should use ns1.berkeley.edu and ns2.berkeley.edu as primary and secondary DNS servers:

  ns1.berkeley.edu -> 128.32.136.9, 128.32.206.9
  ns2.berkeley.edu -> 128.32.136.12, 128.32.206.12

• If you created the machine account manually, you should follow the steps to verify machine account attributes.

Steps:

1. Log in with local Administrator privileges.
2. Right click on My Computer and select Properties from the menu.
3. For Windows 2000, select the Network Identification tab.  On Windows XP/2003 machines, select the Computer Name.
4. For Windows 2000, click the Properties button.  On Windows XP/2003 machines, click the Change button.
5. On the Identification Changes screen (Computer Name Changes screen for Windows XP/2003), click the More… button.
6. If you used the create-computer.wsf script for Calnet Admins to create a computer account before joining the campus.berkeley.edu domain, follow step 6a.

   For your first machine in the OU, the machine account has been created for you by the Enterprise Administrators and you should follow 6a.

   If you created the computer account manually, follow step 6b.

6a. On the DNS Suffix and NetBIOS Computer Name screen, verify the Change primary DNS suffix when domain membership changes box is unchecked.



6b. On the DNS Suffix and NetBIOS Computer Name screen, verify the Change primary DNS suffix when domain membership changes box is checked.



7. Select the OK button.

8. On the Identification Changes screen(Computer Name Changes screen for Windows XP/2003), the Computer name should match the name assigned to the machine by CNS. Then select Domain and enter in the box, the name of the domain the computer is joining followed by .berkeley.edu, <Windows_domain>.berkeley.edu for example. Since you are joining the campus domain, this should be campus.berkeley.edu.



9. Select the OK button.

10. The system will prompt for the username and password of an account authorized to add the computer to the domain, use your OU administrator account for the OU the computer will join.

11. When prompted, reboot the computer to join the domain.

12. The domain GPO will automatically set the Kerberos settings on the local workstation.

13. Users can run kerbtray.exe to view their issued tickets.

14. To have administrative rights on the machine, logon as local administrator and add the OU admins group(e.g. coe-ou admins-gs) to the administrators group on the local machine.

15. If you used the create-computer.wsf script to create a computer account before joining the campus.berkeley.edu domain, you are done. If not, you should verify the machine account attributes as shown here.
    

III. Troubleshooting

Refer to the troubleshooting page for help in resolving issues encountered when joining machines to the domain or when a user tries to logon to the Campus domain.