Pre-staging a computer account in Active Directory

Joining computers to your domain is going to be a very normal task for any IT professional, enough that you are probably familiar with the process of doing so. What you may not realize, though, is that when you join computers or servers to your domain, they get lumped automatically into a generic Computers OU inside AD. Sometimes, this doesn't present any problem at all and all of your machines can reside inside this Computers OU forever. Most of the time, however, organizations will set up policies that filter down into the Computers container automatically. When this is the case, these policies and settings will immediately apply to all the computers that you join to your domain. For a desktop computer, this might be desired behavior. When configuring a new server, though, this can present big problems.

Let's say you are interested in turning on a new web server that is going to be running IIS. You have a domain policy in place that blocks inbound HTTP traffic for all computers that get added to the Computers container. In this case, if you turned on your web server and simply joined it to the domain, it would immediately apply the policy to disable blocking the traffic because it is no different than a regular client computer in your network. IIS requires the firewall to permit HTTP traffic (it is, after all, a web server) and so you have effectively broken your server before you've even finished configuring it! You would eventually realize this mistake and move the server into a different OU that doesn't have the firewall policy; however, this doesn't necessarily mean that all the changes the policy put into place will be reversed. You may still have trouble with that server on an ongoing basis.

The preceding example is the reason why we are going to follow this recipe. If we pre-stage the computer account for our new web server, we can choose where it will reside inside Active Directory, even before we join it to the domain. Pre-staging is a way of creating the computer's object inside Active Directory before you go to the actual server and click Join. When you do this, as soon as the request to join the domain comes in, Active Directory already knows exactly where to place that computer account. This way, you can make sure that the account resides inside an OU that is not going to apply the firewall policy and keep your new server running properly.

Getting ready

We will use the Active Directory Users and Computers tool to pre-stage the computer account. This can be done on the domain controller itself, or on a Windows 10 machine that has the appropriate RSAT tools installed. Following this, we will use a second server that we are going to join to our domain, which we plan to turn into a web server in the future.

How to do it…

To pre-stage a computer account so that it resides inside AD, perform the following steps:

1. Open Active Directory Users and Computers
2. Choose a location where you want to place this new server. I am going to use the OU we created earlier, that is, Servers\Web Server.
3. Right-click on your OU and navigate to New | Computer.
4. Enter the name of your new server. Make sure this matches the hostname you are going to assign as you build this new server so that when it joins the domain, it matches up with this entry in AD. Note that, on this screen, you also have the ability to determine which user or group has permission to join this new machine to the domain, if you want to set a restriction here:
   

   Figure 2.25 – Creating a new Computer object in the Active Directory Users and Computers console

5. Click OK, and that's it! Your object for this new server has been entered into AD, waiting for a computer account to join the domain that matches the name.
6. The last step is building the WEB01 server and joining it to the domain, just like you would with any computer or server. When you do so, it will utilize this pre-existing account in the Web Servers OU, instead of placing a new entry into the generic Computers container.
7. The PowerShell for this one requires the ActiveDirectory module and will use the New-ADComputer cmdlet:

   Import-Module ActiveDirectory

   New-ADComputer -Name WEB01 -Path 'OU=Web Server,OU=Servers,DC=ad,DC=cookbook,DC=packt,DC=com'

As in the previous PowerShell commands that involves OUs, you will need to know your LDAP Distinguished Name for the OU you wish to use.

How it works…

Pre-staging computer accounts in Active Directory is an important function when building new servers. It is sometimes critical to the long-term health of these servers for them to steer clear of the default domain policies and settings that you apply to your regular computer accounts. By taking a quick 30 seconds prior to joining a new server to the domain to pre-stage its account in AD, you ensure the correct placement of the system so that it fits your organizational structure. This will keep the system running properly as you continue to configure it for whatever job you are trying to accomplish.