What actually happens when I join a windows machine to an Active Directory domain

active-directory

I haven't been able to find this info anywhere, and I don't really have the time to set up a AD server myself to play around with. I'm not an expert on AD so if some of my terminology is off, forgive me.

When a user tries to join a Windows (we'll say Windows 7) machine to a AD controlled domain, what actually happens? Meaning what permissions and accounts are checked by the AD server? From what I've been able to scrounge up it seems like a computer object HAS to exist in AD with the specific computer name. And then it also looks like if the current computer is in the domain, and the user is trying to change the name, then the old computer is deleted from the domain? (not sure).

I'm really asking to figure out where "joining a domain" would fail, in the process of joining a domain.

So something like: AD checks for the existence of the computer name, then checks these user permissions, then checks these attributes, etc, up to "the computer is allowed to join the domain with the specified name".

I figured this would be helpful for a lot of other people based on the number of "problems joining AD domain" threads I've found online with half-responses.

Best Answer

Assuming this is a new computer which does not map to an old computer name that was previously in the domain...

At a very high level: You supply creds in the domain join operation. On the AD side it checks to see if a computer account exists for the computer name of the machine you are joining, which in this scenario it does not. So it goes ahead and creates a new one (subject to perms & throttling on the part of the credentials supplied for the join operation). At this point the computer acct & the DC do a few operations to set key properties (not the least of which is the secret, aka the password on the computer account) & local state on the machine joining is manipulated...SIDs remembered, secrets stored, etc. At the conclusion you are told to reboot.

If the previous assumption is incorrect and a comp acct already exists, it reuses an existing computer account rather than creating a new one. But it ensures you can write a new secret to the computer acct which is required as part of domain join (which in the 99% case maps to owns the comp acct since few people have re-acl'd their computer accounts to allow just this permission).

That's what's going on at a high level anyway. :) If you want to go deep on it, enable netlogon logging and do a join, then check out the log. And if you want to go deeper still, check out the AD protocol documentation which will go VERY deep.

Related Solutions

What are the differences between LDAP and Active Directory

Active Directory is a database based system that provides authentication, directory, policy, and other services in a Windows environment

LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory service providers like Active Directory, which supports a form of LDAP.

Short answer: AD is a directory services database, and LDAP is one of the protocols you can use to talk to it.

C# Active Directory: Get domain name of user

This article helped me much to understand how to work with the Active Directory.
Howto: (Almost) Everything In Active Directory via C#

From this point forward, if you require further assitance, please let me know with proper questions in comment, and I shall answer them for you to the best of my knowledge.

EDIT #1

You had better go with this example's filter instead. I have written some sample code to briefly show how to work with the System.DirectoryServices and System.DirectoryServices.ActiveDirectory namespaces. The System.DirectoryServices.ActiveDirectory namespace is used to retrieve information about the domains within your Forest.

private IEnumerable<DirectoryEntry> GetDomains() {
    ICollection<string> domains = new List<string>();

    // Querying the current Forest for the domains within.
    foreach(Domain d in Forest.GetCurrentForest().Domains)
        domains.Add(d.Name);

    return domains;
}

private string GetDomainFullName(string friendlyName) {
    DirectoryContext context = new DirectoryContext(DirectoryContextType.Domain, friendlyName);
    Domain domain = Domain.GetDomain(context);
    return domain.Name;
}

private IEnumerable<string> GetUserDomain(string userName) {
    foreach(string d in GetDomains()) 
        // From the domains obtained from the Forest, we search the domain subtree for the given userName.
        using (DirectoryEntry domain = new DirectoryEntry(GetDomainFullName(d))) {
            using (DirectorySearcher searcher = new DirectorySearcher()){
                searcher.SearchRoot = domain;
                searcher.SearchScope = SearchScope.Subtree;
                searcher.PropertiesToLoad.Add("sAMAccountName");
                // The Filter is very important, so is its query string. The 'objectClass' parameter is mandatory.
                // Once we specified the 'objectClass', we want to look for the user whose login
                // login is userName.
                searcher.Filter = string.Format("(&(objectClass=user)(sAMAccountName={0}))", userName);

                try {
                    SearchResultCollection  results = searcher.FindAll();

                    // If the user cannot be found, then let's check next domain.
                    if (results == null || results.Count = 0)
                        continue;

                     // Here, we yield return for we want all of the domain which this userName is authenticated.
                     yield return domain.Path;
                } finally {
                    searcher.Dispose();
                    domain.Dispose();
                }
            }
}

Here, I didn't test this code and might have some minor issue to fix. This sample is provided as-is for the sake of helping you. I hope this will help.

EDIT #2

I found out another way out:

You have first to look whether you can find the user account within your domain;
If found, then get the domain NetBIOS Name; and
concatenate it to a backslash (****) and the found login.

The example below uses a NUnit TestCase which you can test for yourself and see if it does what you are required to.

[TestCase("LDAP://fully.qualified.domain.name", "TestUser1")] 
public void GetNetBiosName(string ldapUrl, string login)
    string netBiosName = null;
    string foundLogin = null;

    using (DirectoryEntry root = new DirectoryEntry(ldapUrl))
        Using (DirectorySearcher searcher = new DirectorySearcher(root) {
            searcher.SearchScope = SearchScope.Subtree;
            searcher.PropertiesToLoad.Add("sAMAccountName");
            searcher.Filter = string.Format("(&(objectClass=user)(sAMAccountName={0}))", login);

            SearchResult result = null;

            try {
                result = searcher.FindOne();

                if (result == null) 
                    if (string.Equals(login, result.GetDirectoryEntry().Properties("sAMAccountName").Value)) 
                        foundLogin = result.GetDirectoryEntry().Properties("sAMAccountName").Value
            } finally {
                searcher.Dispose();
                root.Dispose();
                if (result != null) result = null;
            }
        }

    if (!string.IsNullOrEmpty(foundLogin)) 
        using (DirectoryEntry root = new DirectoryEntry(ldapUrl.Insert(7, "CN=Partitions,CN=Configuration,DC=").Replace(".", ",DC=")) 
            Using DirectorySearcher searcher = new DirectorySearcher(root)
                searcher.Filter = "nETBIOSName=*";
                searcher.PropertiesToLoad.Add("cn");

                SearchResultCollection results = null;

                try {
                    results = searcher.FindAll();

                    if (results != null && results.Count > 0 && results[0] != null) {
                        ResultPropertyValueCollection values = results[0].Properties("cn");
                        netBiosName = rpvc[0].ToString();
                } finally {
                    searcher.Dispose();
                    root.Dispose();

                    if (results != null) {
                        results.Dispose();
                        results = null;
                    }
                }
            }

    Assert.AreEqual("FULLY\TESTUSER1", string.Concat(netBiosName, "\", foundLogin).ToUpperInvariant())
}

The source from which I inspired myself is:
Find the NetBios Name of a domain in AD

Best Answer

Related Solutions

What are the differences between LDAP and Active Directory

C# Active Directory: Get domain name of user

Related Topic