Joining computers to your domain is a routine task for any IT professional, and all of you are probably familiar with the process. What you may not realize is that when you join a computer or server to the domain, its account is placed automatically in the generic Computers container inside AD. Sometimes this presents no problem at all, and all of your machines can stay in the Computers container forever. Most of the time, however, organizations have Group Policy in place that reaches the Computers container. Because it is a container rather than an OU, GPOs cannot be linked to it directly; anything linked at the domain level applies to every object inside it, and the settings take effect as soon as a new computer joins. For a desktop computer, that might be exactly what you want. For a new server, it can cause big problems.
Let's say you are building a new remote access server that will run DirectAccess. You have a domain policy in place that disables Windows Firewall on computers that land in the Computers container. If you simply bring up the new remote access server and join it to the domain, that policy applies immediately, because at that moment the server is no different from any other client computer in your network. DirectAccess requires Windows Firewall to be enabled, so you have effectively broken the server before you have even finished configuring it. You would eventually notice the mistake and move the server into a different OU that does not carry the firewall-disabling policy; however, moving the object does not guarantee that every change the policy made is reversed, and settings that persist after the policy goes out of scope can cause trouble on that server on an ongoing basis.
The preceding example is the reason for this recipe. If we pre-stage the computer account for the new remote access server, we choose where it will reside in Active Directory before the server ever joins the domain. Pre-staging means creating the computer object in AD ahead of time, before you go to the actual server and click Join. When the join request arrives, Active Directory already has an account with that name in the right location and uses it, rather than creating a new one in the default container. This way, the account sits in an OU that does not apply the firewall policy, and your new server keeps running properly.
We will use a Server 2016 DC to pre-stage the computer account. Following the preceding example, we will use a second server that we are going to join to our domain, which we plan to turn into a remote access server in the future.
To pre-stage a computer account so that it lands in the OU you intend, perform the following steps:
RA1 server and joining it to the domain, just like you would with any computer or server. When you do so, it will use the pre-existing account in the Remote Access Servers OU instead of placing a new entry in the generic Computers container.

Pre-staging computer accounts in Active Directory is an important step when building new servers. It is sometimes critical to the long-term health of those servers that they steer clear of the default domain policies and settings you apply to your regular computer accounts. Spending 30 seconds before the join to pre-stage the account in AD ensures the system lands in the right place in your organizational structure, and it keeps running properly as you continue to configure it for its intended role. One caveat worth checking afterwards: confirm with Get-ADComputer that the object's distinguished name really is under your target OU and not under CN=Computers, and review the GPOs that are linked to or inherited by that OU. If you find yourself pre-staging every server, the broader fix is to change the default location for new computer accounts with the redircmp.exe tool so that unstaged joins land in an OU of your choosing instead of the Computers container.
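The same pre-stage, join and verification flow in PowerShell, as an added example that is not part of the original recipe. The domain name corp.example.com, the distinguished name of the Remote Access Servers OU, and the credential used for the join are assumptions for illustration; substitute your own. The ActiveDirectory and GroupPolicy modules come from RSAT, so run the first part on the DC or any management workstation that has them installed, and the Add-Computer step on the new server itself.

```powershell
# Added example, not the original page's code.
# Assumed values: domain corp.example.com, OU "Remote Access Servers" under the domain root.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ComputerName = 'RA1'
$TargetOU     = 'OU=Remote Access Servers,DC=corp,DC=example,DC=com'   # assumption
$DefaultPath  = 'CN=Computers,DC=corp,DC=example,DC=com'              # assumption

# 1. Pre-stage the account in the OU that is exempt from the firewall policy.
#    The object is created enabled; the real machine claims it when it joins.
New-ADComputer -Name $ComputerName `
               -SamAccountName $ComputerName `
               -Path $TargetOU `
               -Description 'DirectAccess server, pre-staged before domain join' `
               -Enabled $true

# 2. Check: the object must live under the target OU, not under CN=Computers.
$acct = Get-ADComputer -Identity $ComputerName
if ($acct.DistinguishedName -like "*,$DefaultPath") {
    throw "$ComputerName landed in the default Computers container; fix -Path before joining."
}
"$ComputerName pre-staged at: $($acct.DistinguishedName)"

# 3. Check: list every GPO that reaches the OU, including links inherited from the domain.
#    The firewall-disabling policy should not appear here.
$inh = Get-GPInheritance -Target $TargetOU
$inh.InheritedGpoLinks | Select-Object DisplayName, Enabled, Enforced, Order

# --- Run the following on the new server (RA1) itself, after the account exists ---
# A plain join is enough; no -OUPath is needed because AD already holds the account
# in the right place and the join simply takes over that object.
Add-Computer -DomainName 'corp.example.com' `
             -Credential (Get-Credential -UserName 'CORP\Administrator' -Message 'Join credential') `
             -Restart

# 4. After the reboot, confirm from the DC that the join reused the staged object.
#    Expected: the DN still ends with the Remote Access Servers OU, not CN=Computers.
Get-ADComputer -Identity 'RA1' | Select-Object Name, DistinguishedName, Enabled
```

The credential used for Add-Computer must be allowed to reset the password on the pre-staged object; a domain admin can, and a delegated join account needs that right delegated on the OU. If the join instead reports that the account already exists, that is the symptom to look for.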