Automating the Domain Join

  • Article

Applies To: Windows Server 2008, Windows Server 2008 R2

By default, all operating system installations using Windows Deployment Services result in a client computer that is joined to a domain. In order for the join to be successful, the user account must have permissions to join the domain and rights to create computer objects in Active Directly Domain Services (AD DS). For more information, see Required Permissions. This topic contains information about how to configure a domain join as part of an unattended installation.

In This Topic

  • Modifying Your Unattend Files

  • Choosing a Permissions Method

Modifying Your Unattend Files

The domain join process uses the image unattend file to pass data that is collected within Windows PE to the subsequent phases of Setup. If an image is associated with an image unattend file, the domain join and computer name settings will be made directly to this file. However, for this to occur, you must format the file correctly (see the Sample Unattend Files). Specifically, this means as follows:

  • For Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 images. The image unattend file (ImageUnattend.xml) must have the setting <UnsecureJoin>true</UnsecureJoin> in the Microsoft-Windows-UnattendedJoin component. Additionally, the Microsoft-Windows-Shell-Setup component for the <specialize> unattended pass must exist, even if it is empty.

  • For Windows XP and Windows Server 2003 images. The image unattend file in the $OEM$ structure (Sysprep.inf) must have the setting DoOldStyleDomainJoin=Yes, and it must have (at a minimum) the [Networking] and [UserData] sections, even if they are empty.

For more information about creating unattend files, see Automating Setup. If the image unattend file does not contain the proper formatting, Windows Deployment Services will not edit the unattend file with the required information. If a selected image does not have an associated image unattend file, a template unattend file will be used to pass domain join (and computer naming) information throughout the installation process.

  • For Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 images, this file exists within the image itself at \System32\WDSUnattendTemplate.xml. Therefore, after the image is applied, the template file will be located offline on the disk.

  • For Windows XP and Windows Server 2003 images, this file exists in the \RemoteInstall\Templates\Sysprep.inf folder on the server when the server is first initialized. After the image is applied, Windows Deployment Services will copy the template Sysprep.inf into the offline image and then edit it as appropriate. This file is copied from the server into the offline image as C:\Sysprep\Sysprep.inf.

Choosing a Permissions Method

There are two permissions methods for providing credentials to enable a computer to join a domain: unsecure join and secure join. Both of these methods are described in the following table.

Unsecure join Secure join

This method resets the computer account to a known, shared computer password and joins the computer to a domain without credentials. For Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 images, this shared computer password is a dynamically generated, strong password that is set by Windows Deployment Services. The password is inserted into the ImageUnattend.xml file as the <MachinePassword> setting. For images from an earlier version of Windows, this shared computer password is the computer name.

  • Advantages: This method does not require you to place credentials in plain text in the unattend file.

  • Disadvantages: For Windows XP and Windows Server 2003 images, it is possible for a malicious user to join the domain between the time the computer account was reset (in Windows PE) and when the actual domain join occurs (on first boot of the applied image). This risk is mitigated when the password is dynamically generated.

To implement an unsecure join, set UnsecureJoin = TRUE and ensure that the Microsoft-Windows-Shell-Setup component exists for the specialize phase.

This method is secure in the sense that it requires credentials (user name, domain, and password) before you can reset the account and perform the domain join. However, in practice this method is actually less secure because the credentials reside in the ImageUnattend.xml file in plain text.

  • Advantages: This method uses a simplified permissions model because you can use a single account throughout your organization to perform all domain join operations.

  • Disadvantages: Credentials are stored in plain text in the image unattend file, which is located on a shared folder on the Windows Deployment Services server.

To implement a secure join, add the following to the unattend file:

  1. Set UnsecureJoin = FALSE.

  2. Specify the credentials for performing the domain join, and the domain that you want to join the computer to.

  3. Ensure that the Microsoft-Windows-Shell-Setup component exists for the specialize phase.

  4. Set the <ComputerName> value to %MACHINENAME%. During installation, Windows Deployment Services will retrieve the name of the prestaged computer from AD DS and replace the %MACHINENAME% string with the actual computer name.