How to remove\add workstation from\to domain remotely?


Today on the microsoft.public.windows.server.active_directory newsgroup somebody asked how to remove workstations from a domain and add them back without performing the operation manually on every workstation.

Because of a DR situation he had 250 workstations that were members of a domain that no longer existed, plus a new AD, and he wanted to add them back to the domain. The same can happen when somebody resets a workstation's account in AD, or when the workstation somehow loses its connectivity with the domain. How can we do this?

We will need three resources:

  1. The old (1.8) version of the NETDOM.EXE tool, which was originally released with the Windows NT 4.0 Resource Kit. You can now get it from the Microsoft FTP server.
  2. The latest version of NETDOM.EXE, which is part of the Support Tools.
  3. The PSEXEC.EXE and PSSHUTDOWN.EXE tools from PSTools. The first lets us execute a command remotely, and the second lets us reboot the remote machine after the operation.

 
As a first step we need to pull the workstations out of the domain. We can do this with the old version of NETDOM.EXE (let's call it netdom18.exe), as it allows us to move a workstation to a workgroup. We will use PSEXEC to perform this operation remotely:

psexec \\STACJA -u STACJA\Administrator -c netdom18.exe MEMBER \\STACJA /JOINWorkgroup WORKGROUP

With the -c switch the tool is copied to the remote machine before execution. This command joins the workstation named STACJA to the workgroup WORKGROUP. Now we have to reboot the workstation remotely, as the old version of NETDOM can't do this automatically:

psshutdown.exe -r -u STACJA\Administrator \\STACJA

Now we have to add the workstation back to the domain. If its account already exists in the domain, it may be worth resetting that account. To add the workstation to the domain we will use the current version of NETDOM.EXE:

psexec \\STACJA -u STACJA\Administrator -c netdom.exe JOIN STACJA /DOMAIN:W2K.PL /UserD:W2k\Administrator /passwordD:* /UserO:Administrator /PasswordO:* /Reboot

 
This time the reboot is performed by the NETDOM tool itself. And that is basically it. It is worth remembering that NETDOM also lets us join a workstation to the domain in a specific OU, and perform the join against a specific DC in the domain.
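
The three steps above wrapped in a loop over a list of workstations, as an added PowerShell example that is not part of the original post. It prompts for both passwords once instead of storing them in the script, since `*` would prompt on every machine. The file names workstations.txt and rejoin-results.csv, the Wait-ForHost helper, the ping-based reachability check and the "exit code 0 means success" test are assumptions.

```powershell
# Added example. Names marked "assumed" do not come from the original post.
$workstations = Get-Content .\workstations.txt    # assumed: one computer name per line
$domain       = 'W2K.PL'                          # domain name used in the post
$log          = '.\rejoin-results.csv'            # assumed result file

# Prompt once; no password is written into the script or to disk.
$domCred  = Get-Credential -UserName 'W2k\Administrator' -Message 'Domain account used for the join'
$localSec = Read-Host -AsSecureString 'Password of the local Administrator account'

# PsExec and NETDOM only accept plaintext passwords, so convert in memory.
$domPw   = $domCred.GetNetworkCredential().Password
$localPw = [System.Net.NetworkCredential]::new('', $localSec).Password

function Wait-ForHost([string]$Name, [int]$TimeoutSec = 600) {
    # Assumed helper: relies on ICMP echo being allowed to the workstation.
    Start-Sleep -Seconds 60                       # give the shutdown time to start
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        if (Test-Connection -ComputerName $Name -Count 1 -Quiet) {
            Start-Sleep -Seconds 30               # let services finish starting
            return $true
        }
        Start-Sleep -Seconds 10
    }
    return $false
}

foreach ($ws in $workstations) {
    $status = 'joined'
    # Step 1: move the workstation to WORKGROUP with the old NETDOM.
    # PsExec returns the remote exit code; 0 is assumed to mean success.
    & psexec.exe "\\$ws" -u "$ws\Administrator" -p $localPw -c netdom18.exe MEMBER "\\$ws" /JOINWorkgroup WORKGROUP
    if ($LASTEXITCODE -ne 0) { $status = "unjoin failed ($LASTEXITCODE)" }
    else {
        # Step 2: reboot, then wait until the machine answers again.
        & psshutdown.exe -r -u "$ws\Administrator" -p $localPw "\\$ws"
        if (-not (Wait-ForHost $ws)) { $status = 'no reply after reboot' }
        else {
            # Step 3: join the domain with the current NETDOM, which reboots itself.
            & psexec.exe "\\$ws" -u "$ws\Administrator" -p $localPw -c netdom.exe JOIN $ws "/DOMAIN:$domain" "/UserD:$($domCred.UserName)" "/PasswordD:$domPw" /UserO:Administrator "/PasswordO:$localPw" /Reboot
            if ($LASTEXITCODE -ne 0) { $status = "join failed ($LASTEXITCODE)" }
        }
    }
    [pscustomobject]@{ Computer = $ws; Status = $status; Time = Get-Date } |
        Export-Csv -Path $log -Append -NoTypeInformation
}
Remove-Variable domPw, localPw                    # drop the plaintext copies
```

The passwords still appear in the command line of each psexec and netdom process, so they are visible in process listings and in process-creation audit logs where command-line logging is enabled. Using a temporary account with only the right to join computers, and changing both passwords after the batch, limits that exposure.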

2 thoughts on “How to remove\add workstation from\to domain remotely?”

  1. Wouldn't the * used with the passwords wait for a password to be manually provided? I think one would have to hardcode the password in the command to prevent it being prompted for. Especially if he is doing 250 machines 😉

  2. Yes, you are right, but I think everybody will figure it out quickly. My fault – I've copied it from my command line and I'm used to not providing passwords directly on the command line. So for batch scripts, when a password is required, * should be replaced with the correct password.
