Don't overlook the possibility of just executing some of the utilities found in the 
Windows Resource Kit.  Some of the utilities are distributed freely and others may 
require purchasing the Windows Resource Kit.

-Craig

-----Original Message-----
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]] On Behalf Of Puckett, Richard
Sent: Thursday, August 29, 2002 2:29 PM
To: 'henry isham'; [EMAIL PROTECTED]
Subject: RE: Remotely adding a machine to a domain




Henry,

There are two ways that I know of.  In Windows 2000, there is a new Net32 API called 
'NetJoinDomain' that you can call with Win32::API.  It basically has the capability of 
doing remote computer joins, but it doesn’t take care of additional registry edits 
on the target host that identify the new Domain.  You'll find that it's better to 
prepopulate some of this data (like Winlogon's DomainCache, CachePrimaryDomain and 
DefaultDomainName parameters, and TCPIP's Domain and NV Domain parameters).  The 
upside of this API is that it's a single call; the downside of this API is that it can 
be sensitive to latency and - because it wraps approximately 13 separate API calls to 
both the target domain and host - it can leave you with less control over the 
individual API calls (for things like troubleshooting).

The second method you might use is with the existing LSA and Net32 APIs and possibly 
the ADSI COM object (for AD environments).  You'd need to first create a computer 
object in your target Domain (using ADSI or Net32 APIs) and retrieve (among other 
things) the Domain SID and/or GUID (depending on the domain type), then connect to the 
target host (with local administrator-equivalency), use an LsaOpenPolicy call, then 
call LsaSetInformationPolicy and LsaStorePrivateData (to set the default machine 
account password - the $machine.acc value) to reset the target's secure session 
channel to the new domain.  Depending on the Domain type you are setting up, you'll 
need to use either the POLICY_DNS_DOMAIN_INFO (for Active Directory) or 
POLICY_PRIMARY_DOMAIN_INFO (for NT4 Domains) with your LsaSetInformationPolicy call.  
If you want to mirror the method that MSFT uses, you're also going to need to remotely 
add Domain Users to local Users, and Domain Admins to local Admins, and again, you've 
got the registry settings to do as well.  Additionally, there are issues if the host 
has never been joined to a domain before, so you'll need to remotely check and set the 
Netlogon registry service START parameter to make sure it's set to 0x2 (automatic 
startup). 

Finally there's all of the remote error-handling.  Also, you might consider creating a 
temporary local administrative account on the target host, just in case the remote 
join fails midstream and you have to log on locally to get the box back on net.  You 
can always delete it after you've successfully moved the box.

Regards,
Richard



> -----Original Message-----
> From: henry isham [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 29, 2002 3:13 PM
> To: [EMAIL PROTECTED]
> Subject: Remotely adding a machine to a domain
> 
> 
> Hi all,
>  
> Is there a way to remotely add a machine into a domain? I
> have all the necessary id's and passwords (admin on the 
> domain, and admin on the remote machine). I'm just trying to 
> save myself a trip to a whole bunch of machines. I've 
> already looked at Win32:NetAdmin and Win32:Lanman, but 
> nothing jumped out at me. 
> Any hints would be greatly appreciated. Thanks.
>  
> -Henry
_______________________________________________
Perl-Win32-Admin mailing list [EMAIL PROTECTED]
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
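
The single-call approach Richard describes, as an added example that is not part of the original thread: calling NetJoinDomain through Win32::API from Perl. The command-line arguments are placeholders, and the script assumes Term::ReadKey is installed; it does not perform the registry edits, local group changes or Netlogon START check mentioned above.

```perl
#!/usr/bin/perl
# Added example: remote join with one NetJoinDomain call (Windows 2000 or later).
use strict;
use warnings;
use Win32::API;
use Encode qw(encode);
use Term::ReadKey;

# Join-option flags from lmjoin.h.
use constant NETSETUP_JOIN_DOMAIN => 0x00000001;
use constant NETSETUP_ACCT_CREATE => 0x00000002;

# NetJoinDomain takes NUL-terminated UTF-16 strings (LPCWSTR).
sub wide { return encode('UTF-16LE', $_[0] . "\0") }

# Placeholder arguments: target host, domain, domain account allowed to join.
my ($host, $domain, $account) = @ARGV;
die "usage: $0 \\\\HOST DOMAIN DOMAIN\\account\n" unless defined $account;

# Prompt for the password so it never appears in the process list or shell history.
print STDERR "Password for $account: ";
ReadMode('noecho');
chomp(my $password = <STDIN>);
ReadMode('restore');
print STDERR "\n";

my $join = Win32::API->new('netapi32', 'NetJoinDomain', 'PPPPPN', 'N')
    or die "cannot import NetJoinDomain: $^E\n";

my $status = $join->Call(
    wide($host),      # lpServer: the machine that will be joined
    wide($domain),    # lpDomain
    undef,            # lpMachineAccountOU: undef is passed as NULL (default container)
    wide($account),   # lpAccount
    wide($password),  # lpPassword
    NETSETUP_JOIN_DOMAIN | NETSETUP_ACCT_CREATE,
);

# NET_API_STATUS: 0 is NERR_Success; anything else is a Win32/NERR error code.
die sprintf("NetJoinDomain failed on %s: error %d\n", $host, $status) if $status;
print "$host joined to $domain; reboot the host to complete the join.\n";
```

A non-zero status can be looked up with `net helpmsg <code>` on any Windows host.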
