By default, all operating system installations using Windows Deployment Services result in a client computer that is joined to a domain. If a client computer is prestaged in Active Directory Domain Services (AD DS), the client will be joined to the domain as the prestaged computer. In order for the join to be successful, the user account must have permissions to join the domain and rights to create computer objects in AD DS (the latter is required only if you are not using prestaged computer objects). For more information, see Required Permissions.
Modifying Your Unattend Files
The domain join process uses the image unattend file to pass data that is collected within Windows PE to the subsequent phases of Setup.exe. If an image is associated with an image unattend file, the domain join and computer name settings will be written directly to this file. However, for this to occur, you must format the file correctly (see the Sample Unattend Files). Specifically, this means the following:
- For Windows Vista or Windows Server 2008 images. The image unattend file (ImageUnattend.xml) must have the setting <UnsecureJoin>true</UnsecureJoin> in the Microsoft-Windows-UnattendedJoin component. Additionally, the Microsoft-Windows-Shell-Setup component for the <specialize> unattended pass must exist, even if it is empty.
- For Windows XP and Windows Server 2003 images. The image unattend file in the $OEM$ structure (Sysprep.inf) must have the setting DoOldStyleDomainJoin=Yes, and it must have (at a minimum) the [Networking] and [UserData] sections, even if they are empty.
If the image unattend file does not contain the proper formatting, Windows Deployment Services will assume that you have chosen to override or avoid the domain join and computer name functionality and therefore will not edit the unattend file. If a selected image does not have an associated image unattend file, a template unattend file will be used to pass domain join (and computer naming) information throughout the installation process.
- For Windows Vista or Windows Server 2008 images, this file exists within the image itself as \System32\WDSUnattendTemplate.xml. Therefore, after the image is applied, the template file will be located offline on the disk.
- For Windows XP and Windows Server 2003 images, this file exists in the \RemoteInstall\Templates\Sysprep.inf folder on the server when the server is first initialized. After the image is applied, Windows Deployment Services will copy the template Sysprep.inf into the offline image and then edit it as appropriate. This file is copied from the server into the offline image as C:\Sysprep\Sysprep.inf.
Choosing a Permissions Method
When providing credentials in an unattend file, there are two permissions methods that enable a computer to join a domain: unsecure join and secure join. Both methods are described in the following table.
Unsecure join | Secure join |
---|---|
This method involves resetting the computer account to a known, shared computer password and enabling the computer to join a domain without credentials. For Windows Vista and Windows Server 2008 images, this shared computer password is a dynamically generated, strong password that is set by Windows Deployment Services. The password is inserted into the ImageUnattend.xml file as the <MachinePassword> setting. For images from an earlier version of Windows, this shared computer password is the computer name. To implement an unsecure join, set UnsecureJoin = TRUE and ensure that the Microsoft-Windows-Shell-Setup component exists for the specialize phase. | This method is secure in the sense that it requires credentials (user name, domain, and password) before you can reset the account and perform the domain join. However, in practice this method is actually less secure because the credentials reside in the ImageUnattend.xml file in plain text. To implement a secure join, do the following to the unattend file: |
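As an added example (not part of this documentation), the following Python checker applies the formatting rules from "Modifying Your Unattend Files" and the plain-text credential caveat from the table above to a Windows Vista/Windows Server 2008 ImageUnattend.xml: it reports whether Windows Deployment Services will edit the file (UnsecureJoin set to true plus a Microsoft-Windows-Shell-Setup component in the specialize pass) and whether a secure join has left a password in the file. The two sample files and the corp.example domain are constructed; element names follow the public unattend schema.

```python
import xml.etree.ElementTree as ET

# Unattend files live in this namespace; every find() below must use it.
NS = {"u": "urn:schemas-microsoft-com:unattend"}


def check_unattend(xml_text):
    """Report how WDS will treat an image unattend file (Vista/2008 format)."""
    root = ET.fromstring(xml_text)
    result = {"unsecure_join": False, "shell_setup_present": False,
              "plaintext_credentials": False, "wds_will_edit": False}
    specialize = root.find("u:settings[@pass='specialize']", NS)
    if specialize is None:  # no specialize pass: nothing for WDS to edit
        return result
    for comp in specialize.findall("u:component", NS):
        name = comp.get("name")
        if name == "Microsoft-Windows-Shell-Setup":
            result["shell_setup_present"] = True  # may be empty; presence is enough
        elif name == "Microsoft-Windows-UnattendedJoin":
            uj = comp.find("u:Identification/u:UnsecureJoin", NS)
            result["unsecure_join"] = uj is not None and (uj.text or "").strip().lower() == "true"
            # Secure join: a <Credentials><Password> element is stored in clear text.
            pw = comp.find("u:Identification/u:Credentials/u:Password", NS)
            result["plaintext_credentials"] = pw is not None and bool((pw.text or "").strip())
    # WDS writes domain-join/computer-name data only when both conditions hold.
    result["wds_will_edit"] = result["unsecure_join"] and result["shell_setup_present"]
    return result


# Constructed samples (not from the documentation); component attributes trimmed.
UNSECURE_JOIN = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin">
      <Identification><UnsecureJoin>true</UnsecureJoin></Identification>
    </component>
    <component name="Microsoft-Windows-Shell-Setup"/>
  </settings>
</unattend>"""

SECURE_JOIN = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin">
      <Identification>
        <JoinDomain>corp.example</JoinDomain>
        <Credentials><Domain>corp.example</Domain><Username>joiner</Username>
          <Password>Example-Only-P@ss</Password></Credentials>
      </Identification>
    </component>
  </settings>
</unattend>"""
```

Running `check_unattend` over the exported unattend files of an image store is a quick way to find secure-join files that still carry a password before they are served to clients.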