Henry,

There are two ways that I know of.  In Windows 2000, there is a new
Net32 API called 'NetJoinDomain' that you can call with Win32::API.  It
basically has the capability of doing remote computer joins, but it
doesn’t take care of additional registry edits on the target host that
identify the new Domain.  You'll find that it's better to prepopulate
some of this data (like Winlogon's DomainCache, CachePrimaryDomain and
DefaultDomainName parameters, and TCPIP's Domain and NV Domain
parameters).  The upside of this API is that it's a single call; the
downside of this API is that it can be sensitive to latency and -
because it wraps approximately 13 separate API calls to both the target
domain and host - it can leave you with less control over the individual
API calls (for things like troubleshooting).

The second method you might use is with the existing LSA and Net32 APIs
and possibly the ADSI COM object (for AD environments).  You'd need to
first create a computer object in your target Domain (using ADSI or
Net32 APIs) and retrieve (among other things) the Domain SID and/or GUID
(depending on the domain type), then connect to the target host (with
local administrator-equivalency), use an LsaOpenPolicy call, then call
LsaSetInformationPolicy and LsaStorePrivateData (to set the default
machine account password - the $machine.acc value) to reset the target's
secure session channel to the new domain.  Depending on the Domain type
you are setting up, you'll need to use either the POLICY_DNS_DOMAIN_INFO
(for Active Directory) or POLICY_PRIMARY_DOMAIN_INFO (for NT4 Domains)
with your LsaSetInformationPolicy call.  If you want to mirror the
method that MSFT uses, you're also going to need to remotely add Domain
Users to local Users, and Domain Admins to local Admins, and again,
you've got the registry settings to do as well.  Additionally, there are
issues if the host has never been joined to a domain before, so you'll
need to remotely check and set the Netlogon registry service START
parameter to make sure it's set to 0x2 (automatic startup). 

Finally, there's all of the remote error-handling.  Also, you might
consider creating a temporary local administrative account on the target
host, just in case the remote join fails midstream and you have to log on
locally to get the box back on the net.  You can always delete it after
you've successfully moved the box.

Regards,
Richard
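As an added example (not code from Richard's reply or from the list), here is the single-call method above driven from Perl: NetJoinDomain imported from netapi32.dll through Win32::API, with the LPCWSTR arguments marshalled as UTF-16LE, plus the Netlogon START check Richard mentions done over the remote registry with Win32::TieRegistry. The host, domain and join-account names are placeholders, and the Win32::TieRegistry Connect/Access usage is assumed from that module's documented interface.

```perl
#!/usr/bin/perl
# Remote domain join via NetJoinDomain (netapi32.dll) called through Win32::API.
# Assumptions (not from the original post): host/domain/account names are
# placeholders; Win32::API and Win32::TieRegistry are installed on the admin box.
use strict;
use warnings;
use Encode qw(encode);
use Win32;
use Win32::API;
use Win32::TieRegistry ( Delimiter => '\\', ArrayValues => 1 );

# fJoinOptions flags from lmjoin.h
use constant NETSETUP_JOIN_DOMAIN    => 0x00000001;  # join a domain, not a workgroup
use constant NETSETUP_ACCT_CREATE    => 0x00000002;  # create the computer account too
use constant NERR_SetupAlreadyJoined => 2691;        # host is already a domain member

# LPCWSTR parameters must be UTF-16LE with a double-NUL terminator.
sub wide { return encode('UTF-16LE', $_[0]) . "\0\0" }

# lpServer, lpDomain, lpMachineAccountOU (passed as 0 = NULL), lpAccount,
# lpPassword, fJoinOptions; returns a NET_API_STATUS DWORD.
my $NetJoinDomain = Win32::API->new('netapi32', 'NetJoinDomain', 'PPNPPN', 'N')
    or die "cannot import NetJoinDomain: $^E\n";

# Returns the raw NET_API_STATUS (0 on success) so the caller can decode it.
sub join_remote_host {
    my ($host, $domain, $account, $password) = @_;
    my $flags = NETSETUP_JOIN_DOMAIN | NETSETUP_ACCT_CREATE;
    return $NetJoinDomain->Call(wide($host), wide($domain), 0,
                                wide($account), wide($password), $flags);
}

# A host that has never been joined may not have Netlogon set to automatic.
# Read the remote Start value and set it to 2 (automatic) when it is not.
sub ensure_netlogon_autostart {
    my ($host) = @_;
    my $svc = $Registry->Connect($host,
        'LMachine\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\',
        { Access => 'KEY_READ|KEY_WRITE' })
        or die "cannot open Netlogon key on $host: $^E\n";
    my ($start) = @{ $svc->{'\\Start'} || [] };       # DWORD comes back as "0x0000000N"
    return 1 if defined $start && hex($start) == 2;   # already automatic
    $svc->{'\\Start'} = [ pack('L', 2), 'REG_DWORD' ];
    return 0;
}

my ($host, $domain) = ('WKS01', 'EXAMPLE');           # placeholder target and domain
my ($acct, $pw)     = ('EXAMPLE\\joinsvc', 'placeholder');  # placeholder join account
ensure_netlogon_autostart($host);
my $rc = join_remote_host($host, $domain, $acct, $pw);
if    ($rc == 0)                       { print "joined $host to $domain\n" }
elsif ($rc == NERR_SetupAlreadyJoined) { print "$host is already a domain member\n" }
else  { printf "NetJoinDomain failed: %d (%s)\n", $rc, Win32::FormatMessage($rc) }
```

The registry prepopulation Richard recommends (Winlogon DomainCache/CachePrimaryDomain/DefaultDomainName and the TCPIP Domain values) can be written the same way through the connected key before the join call.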



> -----Original Message-----
> From: henry isham [mailto:[EMAIL PROTECTED]] 
> Sent: Thursday, August 29, 2002 3:13 PM
> To: [EMAIL PROTECTED]
> Subject: Remotely adding a machine to a domain
> 
> 
> Hi all,
>  
> Is there a way to remotely add a machine into a domain? I 
> have all the necessary IDs and passwords (admin on the 
> domain, and admin on the remote machine). I'm just trying to 
> save myself a trip to a whole bunch of machines. I've 
> already looked at Win32::NetAdmin and Win32::Lanman, but 
> nothing jumped out at me. 
> Any hints would be greatly appreciated. Thanks.
>  
> -Henry
> 
_______________________________________________
Perl-Win32-Admin mailing list
[EMAIL PROTECTED]
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
