Pre-staging a computer account in Active Directory

Joining computers to your domain is going to be a very normal task for any IT professional, enough that all of you are probably familiar with the process of doing so. What you may not realize, though, is that when you join computers or servers to your domain, they get lumped automatically into a generic Computers container inside AD. Sometimes this doesn't present any problem at all and all of your machines can reside inside this Computers container folder forever. Most of the time, however, organizations will set up policies that filter down into the Computers container automatically. When this is the case, these policies and settings will immediately apply to all computers that you join to your domain. For a desktop computer, this might be desired behavior. When configuring a new server, though, this can present big problems.

Let's say you are interested in turning on a new remote access server that is going to be running DirectAccess. You have a domain policy in place that disables the Windows Firewall on computers that get added to the Computers container. In this case, if you turned on your new remote access server and simply joined it to the domain, it would immediately apply the policy to disable Windows Firewall, because it is no different than a regular client computer in your network. DirectAccess requires Windows Firewall to be enabled, and so you have effectively broken your server before you even finish configuring it! You would eventually realize this mistake and move the server into a different OU that doesn't have the firewall squash policy; however, this doesn't necessarily mean that all the changes the policy put into place will be reversed. You may still have trouble with that server on an ongoing basis.

The preceding example is the reason why we are going to follow this recipe. If we pre-stage the computer account for our new remote access server, we can choose where it will reside inside Active Directory even before we join it to the domain. Pre-staging is a way of creating the computer's object inside Active Directory before you go to the actual server and click Join. When you do this, as soon as the request to join the domain comes in, Active Directory already knows exactly where to place that computer account. This way, you can make sure that the account resides inside an OU that is not going to apply the firewall policy and keep your new server running properly.

Getting ready

We will use a Server 2016 DC to pre-stage the computer account. Following the preceding example, we will use a second server that we are going to join to our domain, which we plan to turn into a remote access server in the future.

How to do it…

To pre-stage a computer account so that it resides inside AD, perform the following steps:

  1. Open the Active Directory Users and Computers tool on a DC.
  2. Choose a location in which you want to place this new server. I am going to use an OU that I created called RemoteAccessServers.
  3. Right-click on your OU and navigate to New | Computer.
  4. Enter the name of your new server. Make sure this matches the hostname you are going to assign as you build this new server, so that when it joins the domain, it matches up with this entry in AD. Take note on this screen that you also have the ability to determine which user or group has permission to join this new machine to the domain, if you want to set a restriction here.

    How to do it…

  5. Click OK, and that's it! Your object for this new server is entered into AD, waiting for a computer account to join the domain that matches the name.
  6. The last step is building the RA1 server and joining it to the domain, just like you would with any computer or server. When you do so, it will utilize this pre-existing account in the Remote Access Servers OU, instead of placing a new entry into the generic Computers container.

How it works…

Pre-staging computer accounts in Active Directory is an important function when building new servers. It is sometimes critical to the long-term health of these servers for them to steer clear of the default domain policies and settings that you apply to your regular computer accounts. By taking a quick 30 seconds prior to joining a new server to the domain to pre-stage its account in AD, you ensure the correct placement of the system so that it fits your organizational structure. This will keep the system running properly as you continue to configure it for whatever job you are trying to accomplish.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.119.143.17