Automating the Domain Join
Updated: May 8, 2008
Applies To: Windows Server 2008, Windows Server 2008 R2
By default, all operating system installations using Windows Deployment Services result in a client computer that is joined to a domain. For the join to succeed, the user account must have permission to join the domain and the right to create computer objects in Active Directory Domain Services (AD DS). For more information, see Required Permissions. This topic describes how to configure a domain join as part of an unattended installation.
The domain join process uses the image unattend file to pass data that is collected within Windows PE to the subsequent phases of Setup. If an image is associated with an image unattend file, the domain join and computer name settings are written directly to this file. However, for this to occur, you must format the file correctly (see the Sample Unattend Files). Specifically, the requirements are as follows:
For Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 images. The image unattend file (ImageUnattend.xml) must have the setting <UnsecureJoin>true</UnsecureJoin> in the Microsoft-Windows-UnattendedJoin component. Additionally, the Microsoft-Windows-Shell-Setup component for the <specialize> unattended pass must exist, even if it is empty.
For Windows XP and Windows Server 2003 images. The image unattend file in the $OEM$ structure (Sysprep.inf) must have the setting DoOldStyleDomainJoin=Yes, and it must have (at a minimum) the [Networking] and [UserData] sections, even if they are empty.
For more information about creating unattend files, see Automating Setup. If the image unattend file does not contain the proper formatting, Windows Deployment Services will not edit the unattend file with the required information. If a selected image does not have an associated image unattend file, a template unattend file will be used to pass domain join (and computer naming) information throughout the installation process.
For Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 images, this file exists within the image itself at \System32\WDSUnattendTemplate.xml. Therefore, after the image is applied, the template file will be located offline on the disk.
For Windows XP and Windows Server 2003 images, this file exists in the \RemoteInstall\Templates\Sysprep.inf folder on the server when the server is first initialized. After the image is applied, Windows Deployment Services will copy the template Sysprep.inf into the offline image and then edit it as appropriate. This file is copied from the server into the offline image as C:\Sysprep\Sysprep.inf.
There are two permissions methods for providing credentials to enable a computer to join a domain: unsecure join and secure join. Both of these methods are described in the following table.
| Unsecure join | Secure join |
| --- | --- |
| This method resets the computer account to a known, shared computer password and joins the computer to a domain without credentials. For Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 images, this shared computer password is a dynamically generated, strong password that is set by Windows Deployment Services. The password is inserted into the ImageUnattend.xml file as the <MachinePassword> setting. For images from an earlier version of Windows, this shared computer password is the computer name. To implement an unsecure join, set UnsecureJoin = TRUE and ensure that the Microsoft-Windows-Shell-Setup component exists for the specialize phase. | This method is secure in the sense that it requires credentials (user name, domain, and password) before you can reset the account and perform the domain join. However, in practice this method is actually less secure because the credentials reside in the ImageUnattend.xml file in plain text. To implement a secure join, add the following to the unattend file: |
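The following Python script is an added example, not Microsoft's code or part of this topic. It checks an image unattend file against the two formatting rules given above (UnsecureJoin true in the Microsoft-Windows-UnattendedJoin component plus a Microsoft-Windows-Shell-Setup component in the specialize pass for Windows Vista and later images; DoOldStyleDomainJoin=Yes plus [Networking] and [UserData] sections in Sysprep.inf for Windows XP and Windows Server 2003 images) and flags the plain-text join credentials that a secure join leaves in the file. The sample files are constructed. The unattend XML namespace and the <Identification>, <Credentials>, <JoinDomain> and <Password> element names follow the standard unattend schema and are assumptions not stated on this page, as is the DomainAdminPassword key name in Sysprep.inf.

```python
"""Check WDS image unattend files for the domain-join formatting rules and for
plain-text join credentials. Added example with constructed sample files."""
import configparser
import xml.etree.ElementTree as ET

NS = {"u": "urn:schemas-microsoft-com:unattend"}  # assumption: standard unattend namespace

# Constructed ImageUnattend.xml for an unsecure join. Real component elements also
# carry processorArchitecture/publicKeyToken attributes; they are omitted here.
UNSECURE_JOIN_XML = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin">
      <Identification><UnsecureJoin>true</UnsecureJoin></Identification>
    </component>
    <component name="Microsoft-Windows-Shell-Setup" />
  </settings>
</unattend>"""

# Constructed ImageUnattend.xml for a secure join: the join account's password
# is stored in plain text, which is the risk described above.
SECURE_JOIN_XML = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin">
      <Identification>
        <Credentials>
          <Domain>corp.example</Domain>
          <Username>wds-join</Username>
          <Password>constructed-plaintext-password</Password>
        </Credentials>
        <JoinDomain>corp.example</JoinDomain>
      </Identification>
    </component>
  </settings>
</unattend>"""

# Constructed Sysprep.inf for a Windows XP / Windows Server 2003 image.
SYSPREP_INF = """[Unattended]
OemSkipEula=Yes
[Identification]
DoOldStyleDomainJoin=Yes
JoinDomain=CORP
[Networking]
[UserData]
"""


def check_image_unattend(xml_text):
    """Report UnsecureJoin, Shell-Setup presence in specialize, plain-text
    credentials, and whether both unsecure-join formatting rules are met."""
    root = ET.fromstring(xml_text)
    join_component = None
    shell_setup_in_specialize = False
    for settings in root.findall("u:settings", NS):
        for component in settings.findall("u:component", NS):
            name = component.get("name")
            if name == "Microsoft-Windows-UnattendedJoin":
                join_component = component
            elif name == "Microsoft-Windows-Shell-Setup" and settings.get("pass") == "specialize":
                shell_setup_in_specialize = True
    unsecure = plaintext = False
    if join_component is not None:
        uj = join_component.find("u:Identification/u:UnsecureJoin", NS)
        unsecure = uj is not None and (uj.text or "").strip().lower() == "true"
        pw = join_component.find("u:Identification/u:Credentials/u:Password", NS)
        plaintext = pw is not None and bool((pw.text or "").strip())
    return {"unsecure_join": unsecure,
            "shell_setup_in_specialize": shell_setup_in_specialize,
            "plaintext_credentials": plaintext,
            "wds_format_ok": unsecure and shell_setup_in_specialize}


def check_sysprep_inf(ini_text):
    """Report DoOldStyleDomainJoin=Yes, the required empty-or-not sections, and a
    plain-text DomainAdminPassword (assumed key name) anywhere in the file."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case; comparisons below are case-insensitive
    cp.read_string(ini_text)
    sections = {s.lower() for s in cp.sections()}
    old_style = plaintext = False
    for section in cp.sections():
        for key, value in cp.items(section):
            k, v = key.lower(), (value or "").strip().lower()
            old_style = old_style or (k == "dooldstyledomainjoin" and v == "yes")
            plaintext = plaintext or (k == "domainadminpassword" and v != "")
    required = {"networking", "userdata"} <= sections
    return {"old_style_join": old_style, "required_sections": required,
            "plaintext_credentials": plaintext, "wds_format_ok": old_style and required}


if __name__ == "__main__":
    print("unsecure join:", check_image_unattend(UNSECURE_JOIN_XML))
    print("secure join:  ", check_image_unattend(SECURE_JOIN_XML))
    print("Sysprep.inf:  ", check_sysprep_inf(SYSPREP_INF))
```

Running the script on a real ImageUnattend.xml or Sysprep.inf taken from the image (read the file and pass its text to the matching function) shows at a glance whether Windows Deployment Services will be able to write the domain-join settings into it, and whether the file is carrying a join password that should be rotated or replaced by an unsecure join.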