A computer account is an Active Directory object that identifies a network computer. The account in Active Directory is associated with a specific hardware device. To identify a specific computer, two processes are required:
- Create a computer account in Active Directory.
- Join the computer to the domain.
You can perform these processes in the following ways:
Method | Description |
Pre-stage accounts | Pre-stage a computer account to create the computer account in an OU. |
Manual join | From the computer you are adding to the domain, edit the System properties to join the domain. The computer contacts the domain controller and a computer account is created in Active Directory. |
Redirection | Redirection puts computer accounts normally created in the Computers container into a specified OU. To redirect, enter the redircmp command and OU name at the command prompt. Make sure you are in the C:\Windows\System32 directory. For example, to redirect a computer to an OU named Desktops in Northsim.com, enter the following at the command prompt: |
Offline domain join | During the domain join process, the workstation must communicate with a domain controller. In situations where a network connection does not exist, you can use the offline domain join feature to join the computer to the domain. To perform an offline join, use Djoin as follows: You can also use an Unattend.xml file and the blob file during installation to join the computer to the domain during the install process. |
Be aware of the following facts about computer accounts and joining a domain:
- The members of the following groups can create a computer account:
  - Account Operators
  - Domain Admins
  - Enterprise Admins
- After a computer account is created, you must join the computer to the domain before the computer receives Group Policy settings or before Active Directory receives workstation-specific information.
- To join a computer to a domain, you must be a member of the Administrators group on the local computer or be given the necessary rights.
- Use the dsadd and netdom utilities to join a domain from the command line as follows:
  - Use dsadd to create a computer account.
  - Use netdom to rename a computer account.
  - Use netdom join to join a computer to a domain.
Each computer has a password that is automatically generated when the computer joins the domain.
- When the computer boots, this password is used to authenticate the computer to the domain and establish a secure channel between the computer and the domain controller.
- The password is saved on the local computer and in Active Directory. By default, the password is changed automatically every 30 days.
- If the two passwords become unsynchronized, the computer will not be able to connect to the domain. An error indicating that the computer failed to authenticate is generated. This problem will occur if you have turned off the computer for an extended period, rebuilt the computer, or if you are replacing the computer with another one using the same computer account name.
- When computer logon fails, reset the computer account using one of the following methods:
  - Run the netdom reset command followed by the computer account name and the domain.
  - In Active Directory Users and Computers, right-click the computer account and select Reset Account.
After resetting the computer account, you must rejoin the computer to the domain.
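
The password facts above suggest a routine check: an enabled computer account whose password is well past the 30-day automatic change probably belongs to a machine that has been off, rebuilt or replaced. The following PowerShell is an added example, not part of the original page; the function name Get-StaleComputerAccount, the 15-day grace value and the sample computers are assumptions made for illustration.

```powershell
# Added example: report enabled computer accounts whose password is older
# than expected under the 30-day automatic change described above.
function Get-StaleComputerAccount {
    [CmdletBinding()]
    param(
        # Objects exposing Name, Enabled and PasswordLastSet, such as the
        # output of: Get-ADComputer -Filter * -Properties PasswordLastSet
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Computer,
        [int]$RotationDays = 30,   # default change interval stated on the page
        [int]$GraceDays = 15,      # assumption: slack for machines that are briefly off
        [datetime]$Now = (Get-Date)
    )
    process {
        foreach ($c in $Computer) {
            # Disabled accounts cannot authenticate, so skip them.
            if (-not $c.Enabled) { continue }
            if ($null -eq $c.PasswordLastSet) {
                $age = $null
                $reason = 'No password-change date recorded'
            } else {
                $age = [int][math]::Floor(($Now - $c.PasswordLastSet).TotalDays)
                # Within the interval plus grace: password is rotating normally.
                if ($age -le ($RotationDays + $GraceDays)) { continue }
                $reason = "Password is $age days old"
            }
            [pscustomobject]@{
                Name = $c.Name; PasswordAgeDays = $age; Reason = $reason
            }
        }
    }
}

# Constructed sample input; the names and dates are invented for illustration.
$now = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ Name = 'DESK-01'; Enabled = $true;  PasswordLastSet = [datetime]'2024-05-20' }
    [pscustomobject]@{ Name = 'DESK-02'; Enabled = $true;  PasswordLastSet = [datetime]'2023-11-02' }
    [pscustomobject]@{ Name = 'LAB-07';  Enabled = $false; PasswordLastSet = [datetime]'2022-01-15' }
    [pscustomobject]@{ Name = 'KIOSK-3'; Enabled = $true;  PasswordLastSet = $null }
)
$sample | Get-StaleComputerAccount -Now $now | Format-Table -AutoSize
```

Accounts the function reports are candidates for review: confirm whether the machine still exists before resetting the account, and disable accounts for machines that have been retired.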