A domain is created by installing Advanced Server and designating the computer as a primary domain controller. Other computers then can be added to the domain.
Before a computer running Advanced Server, Windows NT Server, or Windows NT Workstation can be a domain member and participate in domain security, it must be added to the domain. When a computer is added to a domain, Advanced Server creates a computer account for it. If the added computer is a backup domain controller, it requests a copy of the domain directory database.
To add a computer to a domain, you must be logged on to a user account that has the appropriate user rights.
With the appropriate rights, users can add workstations and servers to domains during or after installation.
Note
A primary domain controller cannot be added to an existing domain.
There are four ways to add a computer to a domain:
A member of the Administrators or Account Operators group can use the Advanced Server joindomain command to reconfigure an Advanced Server computer to be a backup domain controller in an existing domain without reloading the server software. For this procedure to take effect, the primary domain controller must be running in the domain that is being joined. For more information, type man joindomain at the Advanced Server command prompt.
A Windows NT Workstation or Windows NT Server computer running as a member server can be added to a domain during installation of Windows NT, and an Advanced Server or a Windows NT Server domain controller can be added to a domain during installation, but only if the installations are performed by a member of the Administrators or Account Operators group.
A member of the Administrators or Account Operators group, or a user who has the "Add workstation to domain" right, can add an existing Windows NT Workstation or Windows NT Server computer running as a member server to a domain using the Network option of that workstation's Control Panel. However, a Windows NT backup domain controller cannot be added to the domain in this way.
A member of the Administrators or Account Operators group can use Server Manager's Add To Domain command to add a computer account to the domain's security database. A Windows NT Workstation or a Windows NT Server running as a member server then can use the Network option of the computer's Control Panel to join the domain under that computer account.
Note
Be sure to protect the security of an added computer name. Until the intended computer joins the domain, it is possible for a user to give a different computer that name and then have it join the domain using the computer account you have just created. If the added computer is a backup domain controller, when it joins it receives a copy of the domain's security database.
For more information about adding a computer to a domain, see "Adding a Computer to the Domain" in Server Manager Help.
You can remove workstations, backup domain controllers, and member servers from a domain, but you cannot remove the primary domain controller until you promote a backup domain controller.
When you remove a computer running Windows NT Workstation or Windows NT Server as a member server from an Advanced Server domain, use Server Manager to delete the computer's account from the directory database so that the computer cannot participate in domain security.
After a computer account has been removed from the domain, a user of the computer must move the computer to a new workgroup or domain using the Network option in Control Panel.
Warning
To remove a Windows NT backup domain controller from a domain, you must delete the computer account and reinstall Windows NT Server or Windows NT Workstation on that computer, indicating the new domain. Do not continue to use a backup domain controller that has been removed from a domain until you have reinstalled the operating system. An Advanced Server backup domain controller does not need to be reinstalled. It can be moved from one domain to another using the joindomain command.
For information about the joindomain command, type man joindomain at the Advanced Server command prompt.
For more information about removing a Windows NT computer from a domain, see "Removing a Computer from the Domain" in Server Manager Help.
Administrators and users identify domains by domain names. Internally, however, Advanced Server identifies each domain by its security identifier (SID), a unique number assigned to the domain. This requires that administrators exercise a degree of caution when adding servers to a domain as illustrated in the following example.
A domain named Sales.dom has a primary domain controller named SALES1, and no other Advanced Server computers. The SALES1 server becomes inactive and you install the Advanced Server on another computer, SALES2, and configure it to be the primary domain controller for Sales.dom.
The effect of this operation is to create a new domain named Sales.dom that is entirely separate from the original Sales.dom: a new SID will have been generated for Sales.dom on the SALES2 server, and it will not match the SID for Sales.dom on the SALES1 server. This means that any Windows NT Workstation computers that had been members of Sales.dom while SALES1 was the primary domain controller will not be able to support user logons to the domain Sales.dom when SALES2 is the primary domain controller. Furthermore, if the SALES1 server is restarted when the SALES2 server is active, the Net Logon service will not start on the SALES1 server because Advanced Server software will detect two different domain SIDs with the same domain name.
To configure both servers to work properly in the original Sales.dom, you need to run the joindomain command on the SALES2 server while the SALES1 server is running. The joindomain command obtains the SID for Sales.dom from the SALES1 server and uses it to configure the SALES2 server as a backup domain controller in the original Sales.dom domain.
This same procedure should be used to move an Advanced Server computer from one domain to another. The joindomain command would be executed on the computer that is changing its domain. When it is executed, the primary domain controller must be running in the domain that is to be joined so that joindomain can obtain the SID of that domain.
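The Sales.dom scenario above, modelled as an added Python example (not Advanced Server code). The SID format, the Server class and the helper names are assumptions made for illustration; only the behaviour is taken from the description: installing as a primary domain controller generates a new SID, members recognise the domain by SID rather than by name, and joindomain copies the SID from a running primary domain controller.

```python
import secrets
from dataclasses import dataclass

def new_domain_sid() -> str:
    # Constructed NT-style domain SID: S-1-5-21 plus three random 32-bit values.
    return "S-1-5-21-" + "-".join(str(secrets.randbits(32)) for _ in range(3))

@dataclass
class Server:
    name: str
    domain: str = ""
    sid: str = ""
    role: str = ""
    running: bool = True

    def install_as_pdc(self, domain: str) -> None:
        # Installing as a PDC creates a domain: fresh SID even if the name is in use.
        self.domain, self.sid, self.role = domain, new_domain_sid(), "PDC"

    def joindomain(self, pdc: "Server") -> None:
        # The target PDC must be running so its SID can be obtained (hypothetical model).
        if pdc.role != "PDC" or not pdc.running:
            raise RuntimeError("primary domain controller is not running")
        self.domain, self.sid, self.role = pdc.domain, pdc.sid, "BDC"

def supports_logon(member_sid: str, dc: Server) -> bool:
    # A member recognises the domain it joined by SID; the name is not enough.
    return dc.running and dc.sid == member_sid

def netlogon_can_start(server: Server, network: list) -> bool:
    # Refuse to start if a running peer uses the same name with another SID.
    return not any(o is not server and o.running and o.domain == server.domain
                   and o.sid != server.sid for o in network)

def scenario() -> dict:
    sales1 = Server("SALES1"); sales1.install_as_pdc("Sales.dom")
    workstation_sid = sales1.sid          # workstation joined the original domain
    sales1.running = False                # SALES1 becomes inactive
    sales2 = Server("SALES2"); sales2.install_as_pdc("Sales.dom")
    out = {"logon_before": supports_logon(workstation_sid, sales2),
           "netlogon_before": netlogon_can_start(sales1, [sales1, sales2])}
    sales1.running = True                 # original PDC is brought back up
    sales2.joindomain(sales1)             # SALES2 adopts the original SID
    out["role_after"] = sales2.role
    out["logon_after"] = supports_logon(workstation_sid, sales2)
    out["netlogon_after"] = netlogon_can_start(sales1, [sales1, sales2])
    return out

if __name__ == "__main__":
    print(scenario())
```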
To change the name of an Advanced Server computer, use the Advanced Server setservername command.
For information about the setservername command, type man setservername at the Advanced Server command prompt.
To change the name of a Windows NT computer, first use Server Manager to create a computer account for the computer under its new name. Then, change the computer name at the server or workstation using the Network option in Control Panel. After the computer name has been changed, use Server Manager to remove the old computer account from the domain.
If you are changing the name of a backup domain controller, make sure the new computer account has been added to the directory database before deleting the old computer account from the directory database. Use Server Manager to synchronize the directory database.
For more information, see "Adding a Computer to the Domain" and "Changing a Computer Name" in Server Manager Help.
For information about how to synchronize domain controllers, see "Synchronizing a Backup Domain Controller with the Primary Domain Controller" in Server Manager Help.
To change the name of an Advanced Server domain, use the setdomainname command on every Advanced Server computer in the domain. Use the Network option in the Control Panel to change the domain name on every Windows NT Workstation and Windows NT Server computer in the domain. Then, reestablish existing trust relationships. The domain security identifier (SID) does not change.
You can use this procedure to change the domain name of every computer in a domain. You cannot use it to move a domain controller from one domain to another. Also, you cannot use this procedure to split a domain into two separate domains or to join two separate domains into a single domain.
For information about the setdomainname command, type man setdomainname at the Advanced Server command prompt.
To change the domain to which an Advanced Server computer belongs, use the joindomain command.
For information about the joindomain command, type man joindomain at the Advanced Server command prompt.
A Windows NT backup domain controller cannot change domains unless Windows NT Server is reinstalled. Member servers and computers running Windows NT Workstation can change domains without requiring Windows NT to be reinstalled.
To move a workstation or member server from one Advanced Server domain to another, remove the computer from the old domain and add it to the new one.
For information about how to move a Windows NT computer from one domain to another, see "Removing a Computer from the Domain" and "Adding a Computer to the Domain" in Server Manager Help.