Unfortunately, there's no easy way around it--joining Windows clients to a domain (assuming, of course, they were not a member of a domain previously) is a hands-on job. If you're lucky enough to be working with a single client across all users, then perhaps a HOWTO could be constructed and circulated, but most administrators are not so blessed. The difficult issue in a mixed-client environment is finding any sort of consistent approach. Every time Microsoft releases a new version of Windows, they also seem to introduce a new way to configure networking. A new dialog here, an extra checkbox there; some systems require you to go through the Control Panel, others have you right-click on My Computer--all of which makes for a lot of confusion from the user perspective.
The process is actually relatively painless and mechanical, but it does differ across the gamut of Windows releases. With that in mind, the best approach is to "divide and conquer", which is exactly what we've done here.
To join a Windows 95/98/ME client to the domain:
- First check that Client for Microsoft Networks is installed; if not, install it (Control Panel > Network > Client for Microsoft Networks). To install, place your Windows CD in the drive and select Add from the aforementioned dialog, then: Client > Add... > Microsoft > Client for Microsoft Networks.
- Make sure Client for Microsoft Networks is the primary network protocol (Control Panel > Network > Primary Network Logon).
- Next, go to Control Panel > Network > Client for Microsoft Networks > Properties > Logon to NT Domain.
- If you've employed the add user script option, select the checkbox Create a Computer Account in the Domain; otherwise you'll need to ensure a machine account already exists for the client.
- Fill in the domain, and click OK.
Under Windows NT:
- Go to Control Panel > Network > Identification > Change option. If the machine is currently configured under the Workgroup option, select the Domain radio button and enter the domain name.
- Select Create a Computer Account in the Domain as necessary.
- Now, log on to the domain using the username root and the appropriate password. This is necessary to initialize the "secret" between the server and client machines. From here forward, any authenticated user can log on from this machine.
- A message should appear welcoming you to the domain_name domain.
The steps are the same for Windows 2000 except the network settings are found under Control Panel > System > Network Identification (or right-click the My Computer icon on your desktop, choose Properties, Computer Name, and select the Change button).
Enter Windows XP, the most complex beast of the lot. But first a word of warning for those unaware: Windows XP Home Edition cannot join a Windows domain. For domain functionality, you must use Windows XP Professional. Second, sometimes joining an XP machine to a Samba PDC involves all the steps below; on other occasions, however, you can get away with just the registry patch. Don't ask--I haven't a clue.
To join a Windows XP machine to a domain:
- Open the Local Security Policy editor (Start > All Programs > Administrative Tools > Local Security Policy).
- Locate the entry "Domain member: Digitally encrypt or sign secure channel (always)". Disable it.
- Locate the entry "Domain member: Disable machine account password changes". Make sure it's disabled as well.
- Locate the entry "Domain member: Require strong (Windows 2000 or later) session key". Disable it.
- Next, download the WinXP_SignOrSeal registry patch from www.samba.org or collect it from the Resources section at the end of this tutorial. Apply it by double-clicking and answering Yes to the dialog prompt.
- Now join the domain the same as you would for Windows NT or 2000. Right-click My Computer, select Properties, Computer Name, and Change. Or click the Network ID button and run the Network Wizard.
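To keep track of which XP clients were left with these three policies relaxed after the join, the following added example (not part of the original tutorial) reads a registry export and reports each policy's state. The registry key and value names are the Netlogon parameters that back these policies; they are not given in the tutorial, and the sample export is constructed.

```python
import re

# Assumption: Netlogon parameters backing the three "Domain member" policies
# named in the steps above (the tutorial itself does not list these names).
NETLOGON_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
POLICIES = {
    "requiresignorseal": "Digitally encrypt or sign secure channel (always)",
    "disablepasswordchange": "Disable machine account password changes",
    "requirestrongkey": "Require strong (Windows 2000 or later) session key",
}
SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def netlogon_policy_state(reg_text):
    """Return {policy: 'enabled' | 'disabled' | 'not set'} from .reg export text."""
    state = {label: "not set" for label in POLICIES.values()}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:  # a new key starts; only the Netlogon Parameters key counts
            in_key = m.group(1).lower() == NETLOGON_KEY.lower()
            continue
        m = DWORD.match(line)
        if in_key and m and m.group(1).lower() in POLICIES:
            label = POLICIES[m.group(1).lower()]  # value names are case-insensitive
            state[label] = "enabled" if int(m.group(2), 16) else "disabled"
    return state

def matches_join_procedure(state):
    """True when all three policies are explicitly disabled, as the steps above leave them."""
    return all(value == "disabled" for value in state.values())

# Constructed sample export, not taken from a real machine; the second key is made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000000
"requiresignorseal"=dword:00000000
"RequireStrongKey"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"requiresignorseal"=dword:00000001
'''

if __name__ == "__main__":
    for policy, value in netlogon_policy_state(SAMPLE_EXPORT).items():
        print(f"{value:9} Domain member: {policy}")
```

A client that reports the first and third policies as disabled does not insist on signing, sealing or a strong session key for its secure channel to the domain controller.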