By default, all operating system installations using Windows Deployment Services result in a client computer that is joined to a domain. If a client computer is prestaged in Active Directory Domain Services (AD DS), the client will be joined to the domain as the prestaged computer. For the join to succeed, the user account must have permissions to join the domain and, if you are not using prestaged computer objects, rights to create computer objects in AD DS. For more information, see Required Permissions.

Modifying Your Unattend Files

The domain join process uses the image unattend file to pass data that is collected within Windows PE to the subsequent phases of Setup.exe. If an image is associated with an image unattend file, the domain join and computer name settings will be written directly to this file. However, for this to occur, you must format the file correctly (see Sample Unattend Files). Specifically:

  • For Windows Vista or Windows Server 2008 images. The image unattend file (ImageUnattend.xml) must have the setting <UnsecureJoin>true</UnsecureJoin> in the Microsoft-Windows-UnattendedJoin component. Additionally, the Microsoft-Windows-Shell-Setup component for the <specialize> unattended pass must exist, even if it is empty.

  • For Windows XP and Windows Server 2003 images. The image unattend file in the $OEM$ structure (Sysprep.inf) must have the setting DoOldStyleDomainJoin=Yes, and it must have (at a minimum) the [Networking] and [UserData] sections, even if they are empty.

If the image unattend file does not contain the proper formatting, Windows Deployment Services will assume that you have chosen to override or avoid the domain join and computer name functionality and therefore will not edit the unattend file. If a selected image does not have an associated image unattend file, a template unattend file will be used to pass domain join (and computer naming) information throughout the installation process.

  • For Windows Vista or Windows Server 2008 images, this file exists within the image itself as \System32\WDSUnattendTemplate.xml. Therefore, after the image is applied, the template file will be located offline on the disk.

  • For Windows XP and Windows Server 2003 images, this file exists in the \RemoteInstall\Templates\Sysprep.inf folder on the server when the server is first initialized. After the image is applied, Windows Deployment Services will copy the template Sysprep.inf into the offline image and then edit it as appropriate. This file is copied from the server into the offline image as C:\Sysprep\Sysprep.inf.

Choosing a Permissions Method

For providing credentials in an unattend file, there are two permissions methods that enable a computer to join a domain: unsecure join and secure join. Both methods are described below.

Unsecure join

This method involves resetting the computer account to a known, shared computer password and enabling the computer to join a domain without credentials. For Windows Vista and Windows Server 2008 images, this shared computer password is a dynamically generated, strong password that is set by Windows Deployment Services. The password is inserted into the ImageUnattend.xml file as the <MachinePassword> setting. For images from an earlier version of Windows, this shared computer password is the computer name.

  • Advantages: This method does not require placing unattend credentials in plain text in the unattend file.

  • Disadvantages: It is possible for a malicious user to join the domain between the time the computer account was reset (in Windows PE) and when the actual domain join occurs (on first boot of the applied image). This particular attack is effectively mitigated with Windows Vista and Windows Server 2008 images because the password is dynamically generated.

To implement an unsecure join, set UnsecureJoin = TRUE and ensure that the Microsoft-Windows-Shell-Setup component exists for the specialize phase.

Secure join

This method is secure in the sense that it requires credentials (user name, domain, and password) before you can reset the account and perform the domain join. However, in practice this method is actually less secure because the credentials reside in the ImageUnattend.xml file in plain text.

  • Advantages: This method uses a simplified permissions model because a single account is used throughout the enterprise to perform all domain join operations.

  • Disadvantages: Credentials are stored in plain text in the image unattend file, which is located on a shared folder on the Windows Deployment Services server.

To implement a secure join, do the following to the unattend file:

  1. Set UnsecureJoin = FALSE.

  2. Specify the credentials for performing the domain join, and the domain that you want to join the computer to.

  3. Ensure that the Microsoft-Windows-Shell-Setup component exists for the specialize phase.

  4. Set the <ComputerName> value to %MACHINENAME%. During installation, Windows Deployment Services will retrieve the name of the prestaged account from AD DS and replace the %MACHINENAME% string with the actual computer name.
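The following audit script is an added example, not part of the original topic or of Windows Deployment Services itself. It checks an ImageUnattend.xml against the requirements listed above for both join methods (UnsecureJoin setting, Microsoft-Windows-Shell-Setup component in the specialize pass, %MACHINENAME% token) and flags a secure-join file that carries a plaintext password on the WDS share. It assumes the unattend XML namespace urn:schemas-microsoft-com:unattend and that the Microsoft-Windows-UnattendedJoin component, with its Identification and Credentials elements, sits in the specialize pass; the two sample files are constructed.

```python
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"  # namespace used by unattend files

# Constructed sample: an unsecure-join ImageUnattend.xml (no credentials stored).
UNSECURE_SAMPLE = f"""<unattend xmlns="{NS[1:-1]}">
 <settings pass="specialize">
  <component name="Microsoft-Windows-UnattendedJoin">
   <Identification><UnsecureJoin>true</UnsecureJoin></Identification>
  </component>
  <component name="Microsoft-Windows-Shell-Setup"/>
 </settings></unattend>"""

# Constructed sample: a secure-join file carrying a plaintext join password.
SECURE_SAMPLE = f"""<unattend xmlns="{NS[1:-1]}">
 <settings pass="specialize">
  <component name="Microsoft-Windows-UnattendedJoin">
   <Identification><UnsecureJoin>false</UnsecureJoin>
    <JoinDomain>corp.example</JoinDomain>
    <Credentials><Domain>corp</Domain><Username>wdsjoin</Username>
     <Password>PLACEHOLDER-PASSWORD</Password></Credentials>
   </Identification></component>
  <component name="Microsoft-Windows-Shell-Setup">
   <ComputerName>%MACHINENAME%</ComputerName></component>
 </settings></unattend>"""


def audit_unattend(xml_text):
    """Return the join mode plus the problems a WDS administrator should fix."""
    root = ET.fromstring(xml_text)
    mode, shell_setup, plaintext_pw, name_token = None, False, False, False
    # Only components in the specialize pass matter for the domain-join settings.
    for comp in root.iterfind(f"{NS}settings[@pass='specialize']/{NS}component"):
        name = comp.get("name")
        if name == "Microsoft-Windows-Shell-Setup":
            shell_setup = True
            cn = comp.findtext(f"{NS}ComputerName", default="")
            name_token = cn.strip() == "%MACHINENAME%"
        elif name == "Microsoft-Windows-UnattendedJoin":
            uj = comp.findtext(f"{NS}Identification/{NS}UnsecureJoin", default="")
            mode = "unsecure" if uj.strip().lower() == "true" else "secure"
            pw = comp.findtext(f"{NS}Identification/{NS}Credentials/{NS}Password", default="")
            plaintext_pw = bool(pw.strip())
    problems = []
    if mode is None:
        problems.append("no Microsoft-Windows-UnattendedJoin component in the specialize pass; WDS will not edit this file")
    if not shell_setup:
        problems.append("Microsoft-Windows-Shell-Setup component missing from the specialize pass")
    if mode == "secure" and plaintext_pw:
        problems.append("domain-join password stored in plain text on the WDS share; restrict share ACLs or use unsecure join")
    if mode == "secure" and not name_token:
        problems.append("ComputerName is not %MACHINENAME%, so the prestaged name will not be applied")
    return {"mode": mode, "problems": problems}
```

Run it over every ImageUnattend.xml under \RemoteInstall on the server to find files that WDS will silently skip or that expose the join account's password.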