Chapter 18 Connecting Windows and Mac Clients

You’ve built your server, created users, and shared network resources. Now you need to configure your client systems to connect to the network and use those resources. In this chapter, we’ll show you how to set up various client systems with networking components, how to log on to the network, how to find and connect to shared resources, how to manage your passwords, and, when applicable, how to find and connect to Active Directory.

We also cover ways to connect your Mac clients to your Windows Server 2012 network and how to access various features such as file shares and printers from the Mac.

In this chapter, you’ll learn to:

Verify your network configuration
Join a client computer to a domain
Change user passwords
Connect to network resources
Prepare Active Directory for Mac OS X clients
Connect a Mac to the domain
Connect to file shares and printers
Use Remote Desktop from a Mac client

What to Know Before You Begin

Before you connect workstations to the domain, you should know a few things about client computers and the network environment. If you are new to Microsoft networks, you may want to review some other chapters before attempting to configure clients:

Chapter 2, “Installing and Upgrading to Windows Server 2012 R2,” covers the basics of networking software and security.
Chapter 4, “Windows Server 2012 R2 Networking Enhancements,” and Chapter 20, “Advanced IP: Routing with Windows,” deal with TCP/IP and infrastructure. Microsoft networks almost universally use TCP/IP.
Chapter 8, “Creating and Managing User Accounts,” shows you how to set up user accounts and computer accounts.
Chapter 29, “Installing, Using, and Administering Remote Desktop Services,” covers connecting clients to domain resources using Remote Desktop.

If you’ve read these chapters or are generally familiar with the concepts, then read on to learn more about the client networking stack and about the kinds of accounts you’ll need.

Throughout this chapter, we’ll connect to the same server, on the same domain, and with the same user account:

The username is kevinb (if acting as a regular user) or bigadmin (if acting as a domain administrator).

The domain name is bigfirm.com.
There is a Windows Server 2012 domain controller on the network called bf1.bigfirm.com.
There are several client machines on the network, representing the client operating systems we will deal with in this chapter. Their names are:
- WIN8CLIENT
- WIN7CLIENT

Understanding Client-side Software Requirements

In the past, for each client you would have to configure three basic software components: a driver for the network interface card (NIC), a network protocol, and a network client. The good news is that, these days, everything you need is built in except on a rare occasion you will need to install an NIC driver.

So that you will have a clear understanding of the underlining technology that makes all of this work, we will review these three basic components.

The NIC driver allows the operating system to communicate with the NIC. Before loading any network protocol or client software, the operating system must recognize the network card and load the appropriate driver. Because of the advancement of Universal Plug and Play (UPnP) and built-in driver libraries, most of the client systems discussed in this chapter can automatically detect the NIC and load a driver included with the OS. If the driver is not included with the OS or if your client system fails to detect the network card, you must use the driver and installation instructions for your OS that are provided by the manufacturer.

The network protocol, built into the operating system, allows nodes on the same network to communicate with each other. To communicate, the nodes must all use the same protocols. TCP/IP is the de facto standard for Microsoft networks today. Since most networks use IPv4, we’ll use that version throughout this chapter. Having a good understanding of IPv6 is becoming much more relevant in today’s networks and we recommend that you become knowledgeable on this subject.

Windows RT

Outside of the overall networking components and protocols, the IT pro also needs to understand how to connect other versions of Windows, such as Windows RT and how connections in Windows RT work. These devices are designed as preconfigured versions of the Windows operating system, and any additions are done through the Microsoft Store.

Windows RT is an ARM-based system that was designed specifically for tablet devices that need to be light and sleek and have long battery life. (More information on ARM is available at http://tinyurl.com/c18WinRTARM.)

Since Windows RT devices have an operating system that cannot be changed, enterprises are unable to customize their Windows image on these devices and thus they cannot join a Windows domain. We will discuss some of the connection options of Windows RT as we move through this chapter. The following link will provide you with some additional information on Windows RT: http://windows.microsoft.com/en-US/windows/rt-welcome.

Windows Server 2012 Support for IPv6

In Windows Server 2012 and Windows 8, IPv6 is installed and enabled by default. For more information on this protocol and configuring it for your environment, refer to Chapter 4, “Windows Server 2012 R2 Networking Enhancements.”

The clients in the examples throughout this chapter will obtain a unique IP address and other necessary protocol configuration information from a Dynamic Host Configuration Protocol (DHCP) server on the network. Most servers in production will have a static IP address. Workstations, however, most often have dynamically assigned IP addresses. Not only does a DHCP server assign IP addresses to client workstations, but it can also supply all of the other values required in your particular TCP/IP environment (including a subnet mask, DNS servers to use, the default gateway to route through, and the domain suffix to apply to the connection). DHCP also keeps track of IP assignments and updates clients dynamically when you want to make IP configuration changes. (There will be cases where you won’t use a DHCP server to assign address information to the client. This chapter will also cover how to set this information manually for each client operating system.)

The network client locates network resources and connects to them. For any given flavor of file-mounting, printer-sharing software that runs on a server, there is a client connection counterpart.

Domain Accounts and Local Accounts

Two kinds of accounts are key to using a client workstation and getting to network resources: domain accounts and local accounts. In general, domain accounts are used to authenticate access to shared domain resources, and local accounts are used to authenticate access to use or manage the local computer.

A domain is a logical grouping of computers, user accounts, and related network resources, all with a common security database called Active Directory. Domains provide centralized security, along with the resource grouping function of workgroups. Domain user accounts permit people to use a single login name to log on to any workstation and access resources on any server that belongs to the domain (provided that the user has permission to access the resources). All Microsoft operating systems can join domains with the exception of the Tablet RT version of Windows (http://windows.microsoft.com/en-US/windows/rt-welcome). A user account that is not a member of the domain or a member of a trusted domain cannot access network resources protected by domain security. For more information about domains, see Chapter 7, “Active Directory in Windows Server 2012 R2.”

A workgroup is a logical grouping of computers with no central security database but organized under a single name. Although today’s operating systems can join workgroups, this isn’t common in production environments; even in smaller offices, domains are typically built for security purposes. It’s much harder to manage access to workgroup resources, and they lack the discoverability that Active Directory provides.

Workgroup access is the method by which Windows RT devices access each other or broadcast out to the network. Since Windows RT devices can not join an Active Directory domain, they are left in a workgroup, which is the default.

Although domain membership is key to accessing centralized resources, local accounts also have their purposes: you need them for the local management of the workstation. All current Microsoft operating systems maintain local security databases. The configuration changes you are about to perform require administrative privileges, so you must log on using the local Administrator account (or an account in the local Administrators group) to make the changes.

Giving Users Rights to Administer a Client Computer

In the past, it was commonplace for administrators to add a user’s Domain User account as a member of the local Administrators group on a client computer so they could perform certain tasks with elevated permissions.

These days, it is best practice to avoid giving users administrative access this way, and instead, you can take advantage of the new advanced security and delegation options (Dynamic Access Control, for example) in Windows Server 2012 R2 to give users the control they need. It’s best to try to follow a least-privilege approach as opposed to giving users access to everything.

Verifying Your Network Configuration

The first step in joining a domain is to connect to the domain’s network so the client computer can communicate with the domain controller. The steps for connecting to a network are basically the same for each of the client operating systems we discuss in this chapter:

1. Install a working network interface card and driver on the client computer.

2. Configure the NIC with the appropriate settings to communicate on the network.

We will address any UI (or other) differences between client operating systems as we go, but for now let’s get ready to join a domain.

Log on to the system using a local Administrator account. Before trying to join the domain, it’s good to verify that the NIC and its associated driver were installed correctly, and you’ll need administrative rights to check everything.

Devices that your computer detects show up in Device Manager. To get there, go to Control Panel and open Device Manager (you can open the Start menu, start typing “Control Panel,” as shown in Figure 18.1, and then select Control Panel, and it will open). The Computer Management console will open. The left side of your screen will show a list of all devices; expand the Network Adapters folder, and your NIC should be there.

Figure 18.1 Using the Windows 8 Start screen to access Control Panel

If you have problems with the NIC, such as a driver issue, you will know it clearly because the network adapter will be missing or could be “banged out” (the device will be there but will have a yellow exclamation point next to it). The NIC could also be banged out and located in the Other Devices folder. Refer to the NIC manufacturer’s documentation and the operating system’s Help and Support features to help you resolve hardware problems.

Verifying Local Area Connection Settings

If you accept the typical network settings during the installation, Setup will install and create a software representation of the NIC, called a local area connection. The installation will also install the following local area connection components:

TCP/IP Allows the computer to communicate with other network nodes and devices.

Client for Microsoft Networks Allows a computer to access resources on a Microsoft network.

QoS Packet Scheduler The QoS (Quality of Service) Packet Scheduler provides network traffic control and prioritization services for data transmitted to and from the local device.

By default the local area connection will be configured to obtain the following configuration settings from a DHCP server:

IP Address Version 4 (TCP/IPv4) The address of the computer as it relates to the network it is joining. Every node on the network must have a unique IP address.

IP Address Version 6 (TCP/IPv6) This is the latest version of the Internet Protocol. It is slowly being adopted by larger organizations, and many Microsoft Server products and features require it to enable their functionality. The Microsoft Unified Access Gateway (UAG) is one of these products. Having IPv6 enabled for DHCP will not cause any issues in your configuration, and it is enabled by default. A typical IPv6 address looks like this: 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

Subnet Mask A number that logically segments a larger network into separate subnetworks (the communication between these smaller subnetworks must be passed by a router).

Default Gateway The IP address of the router that will route communications between nodes located in different subnetworks or other networks.

Domain Name System Server The IP address of a DNS server on the network.

DNS Suffix (Optional) The Active Directory domain name to which the computer is or will be joined (in this chapter it is bigfirm.com).

The fastest way to tell whether your NIC obtained the appropriate settings automatically is to open a command prompt and type the following:

ipconfig /all

You should get results similar to those shown in Figure 18.2.

Figure 18.2 ipconfig command results

The lines from these results that will tell you that your NIC is configured properly are located in the Ethernet Adapter Local Area Connection Ethernet Adapter LAN section:

DHCP Enabled If this is set to Yes, then the NIC is set to obtain IP address information from a DHCP server. If it is set to No, then you will need to manually configure an IP address for your local area connection.

Autoconfiguration Enabled This is set to Yes and is present only if the NIC is set to obtain IP addresses automatically from the DHCP server.

IPv4 Address This is the unique IP address assigned to the local area connection.

Subnet Mask This is the subnetwork to which the node belongs.

Default Gateway This is the router that will route traffic between your assigned subnet and other subnets and networks.

DNS Servers DNS servers resolve IP addresses to computer names. You need to have a DNS server assigned, or you will not be able to join a domain. In most cases, the DNS server address is supplied by the DHCP server.

If the ipconfig results come up empty, then you may not have a DHCP server to allocate IP addresses, in which case you will need to configure your local area connection settings manually. To do this, you will need to open the local area connection associated with the NIC and enter the information by hand. For now, assume that the ipconfig results show that the NIC has the address information assigned.

Testing Network Connectivity with the ping Command

To be absolutely certain that your network card and TCP/IP are working properly and that the IP information assigned to the NIC is correct, open a command prompt, and use the ping command to test basic network connectivity.

If you are unfamiliar with ping, you can review the command and all the common switches here: http://tinyurl.com/c18PingCommand.

Here are typical ping commands that you can use to test network connectivity:

ping 127.0.0.1 This pings your computer (this address always specifies the node you are pinging from and is called the loopback address).

ping localhost -4 This pings your computer. It tells you that the local area connection is able to send and receive information. Use the -4 option to receive results in IPv4 format.

ping x.x.x.x This pings another node (replace x.x.x.x with an IP address).

ping DNSNAME.DOMAIN.SUFFIX This pings a node using its fully qualified domain name (the name stored in DNS that is mapped to an IP address). An example is ping bf1.bigfirm.com.

Verifying and Setting Local Area Connection Information Using the GUI

Knowing how to get to the client local area connection is important for these reasons:

You can verify the local area connection configuration using the GUI.
You can set the local area connection information manually if you do not have a DHCP server from which to obtain these settings automatically.

Local Area Connections in Windows 8

To locate the local area connections on a Windows 8 client, select Start, type Control Panel, click Control Panel, and select Network and Sharing Center (shown in Figure 18.3).

Figure 18.3 The Windows 8 Local Area Connection icon in the Network and Sharing Center

The local area connection information will be the same on your Windows RT devices. The Windows networking interfaces are common across the Windows 8, RT, and Windows Server 2012 operating systems.

If you do not see a Local Area Connection icon in your active networks, your NIC may not have been properly detected. Use Device Manager to isolate the problem, or try to add the network adapter manually using the Add Hardware Wizard in Control Panel.

1. Click the Local Area Connection link to open the Local Area Connection Status window, as shown in Figure 18.4.

Figure 18.4 The Windows 8 Local Area Connection Status window

Here you can see that the connection is enabled (Media State is set to Enabled).

2. Click the Details button to open the Network Connection Details window, as shown in Figure 18.5.

Figure 18.5 The Windows 8 Network Connection Details window

The data found here is a subset of the data retrieved by using the ipconfig command.

The network connection details show that the local area connection is DHCP enabled, so you know it is getting its configuration from a DHCP server. The connection is configured with the DNS suffix bigfirm.com, the IP address 192.168.1.132, the subnet mask 255.255.255.0, the default gateway address 192.168.1.1, and DNS server address 192.168.1.125. You can also see when the DHCP information was given out (by the date in the Lease Obtained value) and when it will expire (the date in the Lease Expires value).

Manually Configuring Local Area Connection Settings in Windows 8

Close the Network Connection Details window and click the Properties button on the Local Area Connection Status page to open the Local Area Connection/Ethernet Properties page shown in Figure 18.6.

Figure 18.6 The Windows 8 Local Area Connection Properties page

The Local Area Connection Properties page shows which NIC it’s associated with, as well as the components it uses. This is where you would manually give the local area connection a static IP address should you need to do so. Follow these steps:

1. Select Internet Protocol Version 4 (TCP/IPv4), and click Properties.

The Internet Protocol Version 4 (TCP/IPv4) Properties page opens, as shown in Figure 18.7.

Figure 18.7 The Windows 8 Internet Protocol Version 4 (TCP/IPv4) Properties page

2. Select “Use the following IP address.”

3. Enter the IP address, subnet mask, and default gateway address.

4. Click “Use the following DNS server addresses,” and enter the preferred and alternate DNS server addresses.

5. Click the Advanced button, click the DNS tab, and enter the DNS suffix you want appended to the name of this computer (to create the FQDN).

6. Select the “Validate settings upon exit” setting to run the Network Diagnostics applet.

The applet will run when you exit the Local Area Connection Properties page and will validate your IP settings. If there is a problem, you will be notified and given information to help you solve the issue.

7. Click OK twice, and then close the remaining windows.

Local Area Connections in Windows 7

To locate the local area connections on a Windows 7 client, select Start Control Panel Network and Internet, and go to the Network and Sharing Center (shown in Figure 18.8). To get there faster, type the word Network in the search area at the bottom of the Start menu, and then click Network and Sharing Center in the top portion of the Programs menu.

Figure 18.8 The Windows 7 Local Area Connection icon in the Network and Sharing Center

If you do not see a Local Area Connection icon, your NIC may not have been properly detected. Use Device Manager to isolate the problem, or try to add the network adapter manually using the Add Hardware Wizard in Control Panel.

1. Click the Local Area Connection link to open the Local Area Connection Status window, as shown in Figure 18.9.

Figure 18.9 The Windows 7 Local Area Connection Status window

Here you can see that the connection is enabled (Media State is set to Enabled).

2. Click the Details button to open the Network Connection Details window, as shown in Figure 18.10.

Figure 18.10 The Windows 7 Network Connection Details window

The data found here is a subset of the data retrieved from using the ipconfig command.

Manually Configuring Local Area Connection Settings in Windows 8

Close the Network Connection Details window and click the Properties button on the Local Area Connection Status page to open the Local Area Connection/Ethernet Properties page shown in Figure 18.6.

1. Select Internet Protocol Version 4 (TCP/IPv4), and click Properties.

The Internet Protocol Version 4 (TCP/IPv4) Properties page opens, as shown in Figure 18.7.

2. Select “Use the following IP address.”

3. Enter the IP address, subnet mask, and default gateway address.

4. Click “Use the following DNS server addresses,” and enter the preferred and alternate DNS server addresses.

5. Click the Advanced button, click the DNS tab, and enter the DNS suffix you want appended to the name of this computer (to create the FQDN).

6. Select the “Validate settings upon exit” setting to run the Network Diagnostics applet.

7. Click OK twice, and then close the remaining windows.

Local Area Connections in Windows 7

1. Click the Local Area Connection link to open the Local Area Connection Status window, as shown in Figure 18.9.

Here you can see that the connection is enabled (Media State is set to Enabled).

2. Click the Details button to open the Network Connection Details window, as shown in Figure 18.10.

The data found here is a subset of the data retrieved from using the ipconfig command.

The network connection details show that the local area connection is DHCP enabled, so you know it is getting its configuration from a DHCP server. The connection is configured with the DNS suffix bigfirm.com, the IP address 192.168.20.102, the subnet mask 255.255.255.0, the default gateway address 192.168.20.1, and DNS server address 192.168.20.10. You can also see when the DHCP information was given out (by the date in the Lease Obtained value) and when it will expire (the date in the Lease Expires value).

Manually Configuring Local Area Connection Settings in Windows 7

Close the Network Connection Details window and click the Properties button on the Local Area Connection Status page to open the Local Area Connection Properties page shown in Figure 18.11.

Figure 18.11 The Windows 7 Local Area Connection Properties page

1. Select Internet Protocol Version 4 (TCP/IPv4), and click Properties.

The Internet Protocol Version 4 (TCP/IPv4) Properties page opens, as shown in Figure 18.12.

Figure 18.12 The Windows 7 Internet Protocol Version 4 (TCP/IPv4) Properties page

2. Select “Use the following IP address.”

3. Enter the IP address, subnet mask, and default gateway address.

4. Click “Use the following DNS server addresses,” and enter the preferred and alternate DNS server addresses.

5. Click the Advanced button, click the DNS tab, and enter the DNS suffix you want appended to the name of this computer (to create the FQDN).

6. Select the “Validate settings upon exit” setting to run the Network Diagnostics applet.

7. Click OK twice, and then close the remaining windows.

Joining the Domain

To join a domain from any Windows operating system, you’ll need the following information:

The fully qualified domain name or NetBIOS name of the domain
The name and password of an account with permission to join the domain

Joining a domain is easy. The main places you’re likely to run into trouble are not knowing the right domain credentials and supplying the wrong computer name. Local administrators can’t join computers to the domain, and you shouldn’t join a computer to the domain using the same name as a different computer that previously joined and that has a computer account object in Active Directory. In replacement scenarios, utilizing the same computer account can be acceptable; for example, if a laptop has its hard drive replaced, the computer names are asset numbers, and you would want to use this name again. Using the Active Directory Users and Computers Snap-In to properly delete the old computer object is the best practice for this. Additionally, making sure you have given the system enough time to replicate the change to other domain controllers so you have no conflict in the name can be equally important. Make sure that the computer name is unique and that you have the right credentials to join the domain.

By default, Windows Server 2012 domains allow regular domain users to join up to 10 computers to a domain. Beyond that, domain admin accounts, of course, can add computers to a domain, and you can also delegate this right to other users via Group Policy. For information on how to delegate this right, see http://technet.microsoft.com/library/dd392267(WS.10).aspx.

Client computers always start out belonging to a workgroup called WORKGROUP. That’s the beginning setting for all client operating systems discussed in this chapter.

Adding Domain Accounts to Local Computer Groups

To log on and use a computer using a domain account, domain user accounts have to be added to a local group on the computer. This is true for all Windows 8, Windows 7, and older Windows versions back to Windows 2000/XP client computers that join a domain.

When a computer is joined to a domain, the Domain Admins group gets added to the local Administrators group on the computer. Domain admins are now administrators of the local computer and can fully manage the machine (can add or remove hardware, install software, and so on). Likewise, the Domain Users group gets added to the local Users group on the computer. Domain users are now afforded the normal local user rights on the computer (non-management tasks, such as using software, accessing network resources, and so on).

Joining a Domain from Windows 8

Typically, you’ll join the domain from a computer connected to it, but Windows 7 and Windows 8 support both online joins and offline joins.

Joining the Domain While Online

To join a domain from Windows 8 when connected to the network, follow these steps:

1. Open the System applet: To access this click the Start button and begin typing Control Panel. Once you reach Control Panel select System.

You should see a dialog box like the one in Figure 18.13.

Figure 18.13 System information for the Windows 8 client

In this example, the computer hasn’t yet joined the domain, so it’s in the default workgroup (called WORKGROUP) that all Windows computers start in.

2. Click the “Change settings” link to open the System Properties dialog box, as shown in Figure 18.14.

Figure 18.14 System Properties dialog box

3. The simplest way to join a domain is to click the Change button to open the dialog box shown in Figure 18.15.

Figure 18.15 Type the domain name to join the domain.

4. Type the name of the domain (either the NetBIOS name or the FQDN), and click OK.

When you click OK, you’ll be prompted for the username and password of an account with permission to join the domain, as shown in Figure 18.16.

Figure 18.16 Provide credentials to join the domain.

5. Type the credentials. Remember, local administrators can’t join computers to the domain. You must supply a domain account and click OK.

You should see a dialog box welcoming you to the bigfirm domain.

6. Click OK, and you’ll see first a warning that you’ll need to reboot.

7. Click OK again. Then you will be prompted to reboot the computer.

8. Reboot to complete the join.

If you don’t join successfully, check the credentials you used.

Windows RT and Accessing Resources

Windows RT is a different type of operating system than Windows 8, but it carries many of the same feature sets and access capabilities. While you cannot join an Active Directory domain, as stated earlier, you can access resources on the network.

Microsoft’s System Center Configuration Manager 2012 SP1 does support the management and configuration of Windows RT devices through its advanced mobile device management (MDM) services.

The more common way of accessing resources is via Windows File Explorer; you can use this tool to manage files and folders the same way you can on the non-RT desktop OSs. Through File Explorer you can map your network drives, access shares, and access enterprise storage devices. To access the network resources, Windows RT fully supports many connection types exactly the same way as Windows 8 devices do. Following are a few examples of accessing resources:

Wireless Networks You must manually set the connection and configurations on these networks, so having the appropriate SSID, connection accounts, and security details for that connection are imperative. Depending on your organization’s security practices, you may have only have limited access to resources in your environment.

Wired Networks Many manufacturers provide an Ethernet port adapter. Most organizations utilize DHCP, so you will not be required to configure your network. If you do need to configure an IP address and subnet, you can do so following the same steps you would for Windows 8 via Control Panel.

Proxy Servers Since no group policies are applied because of the lack of domain joining, you have to manually configure your proxy settings. If you need to detect the presence of an internal proxy server you must enable the Web Proxy Autodiscovery Protocol on your corporate network. This involves configuring specific DHCP options as well as a web server, but as more companies move to bring-your-own-device (BYOD) scenarios, you might consider this as an option.

VPN Connectivity Windows RT devices can utilize VPN connections to establish a more domain-connected feel to your organization’s network. Many IT pros like to utilize this option because it helps with security and access control. Since many VPN options are available for Windows RT, you should review the Windows RT VPN overview provided by Microsoft at http://tinyurl.com/c18RTVPN.

Joining the Domain While Offline with djoin.exe

Domain joining has one problem: what if you can’t get to the domain controller to create the computer account or you can’t write to it? You may also not be able to contact a domain controller if you’re staging a group of client computers before deploying them or installing a client OS while offline.

Introduced in Windows 7 and available still in Windows 8 and Windows Server 2012 is the djoin.exe utility, which lets you join a computer to a domain even when the client computer can’t communicate with the domain controller.

This section will show you how to use djoin.exe to join a new Windows 8 client computer (WIN8CLIENT) to the domain bigfirm.com when the client is offline.

In a nutshell, djoin.exe provisions a computer account in AD and then exports the data (called a blob, which is needed for the computer with that computer name to join the domain) to a text file. The offline computer then imports the blob and joins the domain. The blob can also be added to an unattended setup answer file in order to join a computer to a domain (offline) as part of the OS installation.

One thing about the blob: if you provision the computer account in AD using djoin.exe and then open the resulting text file expecting to read it, you will be disappointed because it’s not human-readable. However, it contains sensitive data, such as the machine account password and other important domain information.

These are the steps to join an offline computer to the domain:

1. Run djoin on a Windows 8 or Windows Server 2012 machine that can communicate with the DC.

This will create a computer account in AD for the computer name specified and create the text file used in step 3.

2. Move that file to the offline client computer (securely).

3. Run djoin on the offline machine, and import the text file.

djoin Requirements

You can run djoin only on Windows 7 and above and Windows Server 2012 computers. It’s possible to use djoin to join a Windows 8 or Windows Server 2012 computer to a down-level DC (via the /downlevel parameter), but the example in this chapter will join a Windows 8 client to a Windows Server 2012 domain.

There are a few other general requirements as well. First, the user who runs djoin on the provisioning machine must have the right to add computers to the domain. Again, domain users have this permission although they can add only up to 10 computers to the domain by default.

You should also be familiar with the djoin parameters to understand the commands issued in the following example. Table 18.1 describes these parameters.

Table 18.1: djoin Parameters

Parameter	Description
/provision	Creates the computer account in Active Directory
/domain	Specifies the domain the computer will be joining
/machine	Specifies the name of the computer that will be added to ADDS and that you want to join the domain
/savefile <filepath>	Specifies the location and file to save the provisioning metadata
/dcname (optional)	Specifies the name of a specific DC you want to use to create the computer account
/reuse (optional)	Reuses an existing machine account (the machine account password will be reset)
/downlevel (optional)	Provides support for using a DC that runs Windows 2008 or older
/printblob (optional)	Creates a blob correctly encoded for use in an unattended answer file
/defpwd (optional)	Uses the default machine account password—not recommended
/requestodj	Requests an offline domain join (ODJ) on reboot
/loadfile <filepath>	Specifies the file (created with the /savefile parameter) to be imported to the offline computer
/windowspath	Specifies the path of the Windows directory in an offline image, typically %systemroot% or %windir%
/localos	Specifies a local OS as opposed to an offline image (requires a reboot)

Adding the Computer to the Domain While Offline

To use djoin to join a computer to the domain, you will need to execute djoin commands on two different machines. In this example, they are as follows:

win8client.bigfirm.com This machine is already joined to the domain and can communicate with the DC. This machine will be used to provision the new computer account in AD (we refer to it as the provisioning machine).

win8client2 This is a newly created Windows 8 client that is in a workgroup and cannot communicate with a DC.

Running djoin.exe Using a Regular User Account

To avoid confusion, it’s best to use an account that is a member of the Domain Admins group to run the djoin.exe command or to use an account that has been delegated the right to add computers to the domain. Regular users can run the djoin.exe command and create computer accounts, but only up to 10 times (because by default regular users are limited to joining no more than 10 computers to the domain). After that, the user will be denied, as shown in the following code:

Djoin djoin /provision /domain bigfirm.com /machine win7client11
/savefile c:\join.txt

Provisioning the computer account...

Failed to provision [win8client11] in the domain [bigfirm.com]: 0x216d.

Computer account provisioning failed: 0x216d.
Your computer could not be joined to the domain. You have exceeded
the maximum number of computer accounts you are allowed to create
in this domain. Contact your system administrator to have this
limit reset or increased.

From then on you will need to use a domain admin account or delegate this right to others (via Group Policy).

First, log onto the client computer win8client.bigfirm.com with a domain administrator account, and start an elevated command prompt. Then run the following command to create a computer account in Active Directory and also to create the provisioning text file:

C:\Users\bigadmin>djoin /provision /domain bigfirm.com
/machine win7client2 /savefile c:\join.txt

The results of this command are as follows:

Provisioning the computer account...

Successfully provisioned [win8client2] in the domain [bigfirm.com].
Provisioning data was saved successfully to [c:\join.txt].

Computer account provisioning completed successfully.
The operation completed successfully.

Active Directory Users and Computers on the DC (bf1) will now contain the computer account win8client2 stored in the default Computers folder, as shown in Figure 18.17.

Figure 18.17 Running djoin adds a computer account to AD DS.

Next, move the resulting text file join.txt from the provisioning computer (win8client) to the computer you want to join (win8client2). In this example, the file is placed in the root of the C drive. Then on the client computer (win8client2), open a command prompt with elevated permissions, and type the following:

Djoin /requestODJ /loadfile c:\join.txt /windowspath %systemroot% /localos

Reboot the computer, and when it comes back up, it will be joined to the domain.

For more information on using djoin with unattended setups and delegating the right to join computers to the domain, refer to http://technet.microsoft.com/en-us/library/ff793312.aspx.

Joining a Domain with PowerShell

The additions to PowerShell in Windows Server 2012 and the fact that Windows 8 has a solid foundation everywhere PowerShell is used are very valuable to an IT pro. It is uncommon that you would be sitting at a client computer and joining it to the domain via PowerShell, but since you can run this command remotely and might want to have it as part of a script, we’ll review the process.

To join a computer to the domain from PowerShell, you will be using the Add-Computer cmdlet:

1. Open a PowerShell console as an administrator.

2. Type in Add-Computer -DomainName Bigfirm.com.

3. Provide credentials with rights to join a machine to the domain (an example is shown in Figure 18.18).

Figure 18.18 Add-Computer PowerShell cmdlet and authentication box

For more information on the Add-Computer cmdlet see http://tinyurl.com/c18PSAdd.

Changing Domain User Passwords

Good security practice demands that passwords be changed regularly and known only to the user. The operating system users employ to connect to a Windows Server 2012 domain requires user intervention to change the passwords.

Although most of this book is geared toward the administrator, this section has information that the administrator will need to convey to the user population so they can do it themselves. The good news is that changing passwords is extremely simple, and the UI gives all the guidance the user needs:

If policy requires a user to change their password when they first use an account, they’ll be prompted to do this.
If policy demands a user to change a password because the password will soon expire, they’ll be prompted to do so, told how to do it, and told how long they have until the password expires.
If the password they type does not meet the security standards defined in Group Policy, they’ll be told what those standards are so they can follow them.

If a user forgets their old password, they will not be able to change it themselves, and if the administrator has followed best security practices, they won’t know the password either. The administrator will need to update the password on the domain user account and then set the password to be changed at first logon.

Password Policies and Advanced Features

Windows Server 2012 provides the same user password policies that have existed since Windows Server 2008 and 2008 R2. Windows Server 2012 expands the available features such as fine-grained passwords.

Windows Server 2008 introduced fine-grained passwords to allow IT and security groups to have multiple security principals in the same domain or forest. Previously in Active Directory you could manage only one default password policy for your entire domain. Setting fine-grained passwords in Windows Server 2008 was quite a tedious task and wasn’t very intuitive.

Windows Server 2012 has made this feature much more intuitive and allows you to perform configurations in Server Manager, or you can utilize the full-feature capabilities from PowerShell 3.0.

The Windows Server 2012 Default Domain Group Policy enforces regular password changes and password complexity rules. The Group Policy setting is located at Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy.

The default password policy settings are as follows:

Enforce Password History This requires users to use a certain number of unique passwords before an old password can be reused. The default number is 24 passwords.

Maximum Password Age This is the number of days a password can be used before the user must change it. The default is 42 days.

Minimum Password Age This is the minimum number of days a password must be used before the user can change it. The default is one day.

Minimum Password Length This is the minimum number of characters a password must contain. The default is 7.

Password Must Meet Complexity Requirements Enabled by default, this setting enforces several rules about how a password must be created. For example, a password must not contain more than two consecutive characters that are part of the user’s full name.

It’s an even better idea to encourage users to use passphrases instead of mere passwords. A passphrase is a combination of words that together, in the exact right order, form the password. A passphrase as a whole still has to meet password policy complexity requirements but is generally longer and can contains spaces, so the passphrase can be much harder for the bad guys to figure out. Combined with vowel substitution (substituting some letters, namely vowels, for numbers), users can create very complex passphrases. For instance, a good passphrase could be My g00d d0g c4tch3s fr1sb33s! This is easy to remember but is long (29 characters long), complex (because of the use of multiple words, spaces, and vowel substitution), and would be difficult to crack.

See Chapter 9, “Group Policy: AD’s Gauntlet and Active Directory Delegation,” for an example of creating a complex password GPO.

Security considerations should require that you never allow two people to use the same account. Even if those two people never use the account at the same time (if they do, then doubling up on account usage will cause you all kinds of grief from lost profile changes), it’s a bad idea. If more than one person uses an account, then you will never know who is using what on the network—or attempting to use resources that they’re not authorized to touch. Security auditing requires a model of one account and one password for each user.

Incidentally, this advice about unique passwords for each user applies not just to ordinary users. To enable security auditing, all Windows Server administrators should have their own basic user account (instead of all administrators using the Administrator account). Best practice is to have a separate admin user account; here’s an example:

Normal User Account: KevinB Kevin would use this user account to log in to all of his basic enterprise resources, email, and personal files.

Admin User Account: A-KevinB Kevin would use this account for logging in to servers, making domain changes, or performing any tasks that require escalated permissions.

You should also use Group Policy to require regular password changes. Although this model requires more account management, it allows you to track which server administrator did what and allows you to easily disable administrative access when someone leaves the company, without having to change the administrative passwords for everybody. Password policies are domain-wide, so it makes sense to follow best practices for everyone in the domain.

Changing Domain Passwords from Windows 8 and Windows 7

Most often, users will change passwords under two circumstances:

When the administrator has just reset their domain account password and requires that it be changed
When Group Policy is forcing the password to expire

Windows 7 and Windows Vista follow the same process and have the same GUI for this, so we’ll combine the information about changing domain passwords for these two operating systems in the following sections.

Changing Passwords at First Logon

When the administrator forces a password reset (for security reasons or on a new account), the user will be prompted for the new password when they attempt to log on for the first time, as shown in Figure 18.19. The default password applied by the administrator is simply to prevent a user account from being unprotected before it’s used.

Figure 18.19 Changing the password before logging on for the first time

When the user clicks OK, they’ll be prompted for the new password, as shown in Figure 18.20.

Figure 18.20 Changing to the new password

The user fills in the old password and types a new password. According to the Default Domain Group Policy the new password cannot be the same as the old password and must meet length and complexity requirements, or else the user will be nagged for a password that meets the security guidelines and told how to meet them. When the user has successfully changed the password, they’ll see a message telling them that the password has been changed. When they click OK, they’ll be able to log on with the new password. That’s it. After the password is changed, the user can log on normally.

Changing Passwords on Demand

When a password is about to expire, users will start seeing messages a few days ahead of time telling them that their passwords are about to expire and telling them how to change them. A user might also want to change their password on demand. The simplest way to change a password is to press Ctrl+Alt+Del to open the Windows Security GUI and choose the “Change a password” option, as shown in Figure 18.21. You can also get to this screen from the Windows Security button located in the Start menu.

Figure 18.21 Changing a password from the Security GUI

When the user chooses to change a password, they’ll see the Change a Password screen, as shown in Figure 18.22, prompting them to type the old password and the new one. Again, if the new password does not meet the security requirements, then they’ll see an error message advising them of the password policies. Once the user enters their old and new password (twice) and clicks the arrow button, the password is changed.

Figure 18.22 The change password form

Avoid Repeat Password Prompts after a Password Change

If a user has more than one computer and is logged into both (for example, if they have both a laptop and a desktop computer), then they should log out and log back in on both computers after changing the password. The session will still work, but because their domain password will have changed, this can lead to repeated password prompts for network resources such as Exchange servers, SharePoint sites, and other applications requiring authentication. They can keep typing in their passwords when prompted, but it’s simplest just to log in with the new password to avoid the prompts.

Connecting to Network Resources

One of the main reasons to join a domain is to access resources on the domain, such as the printer down the hall or some documents that you need to work on. You could access company photos, slide shows, and other media needed to make a marketing campaign. Whatever your need, the point is that you don’t need to have these items and devices hooked or stored directly on your client machine. In fact, having them stored on the network is ideal because they are more secure there (access is centrally controlled, and ideally the files are backed up regularly). Examples of network resources include the following:

Printers
Shared folders and files
Wireless devices (such as wireless printers)
Services (such as Web Services)
Company applications

Connecting to shared resources is easy for users, thanks to many of the changes in Active Directory and Group Policy. You can still use features like Network Discovery as a way for your computer to find resources on the network easily, although in most enterprises this is not recommended. With the introduction to Group Policy: Preference Policies, IT pros can now publish resources more easily for employees or departments through Group Policy objects and membership in domain groups. Users can continue to search Active Directory for published resources they may need. This means that the user doesn’t need to know where the device is installed or contained. The user might not even know the exact name of a shared folder or printer or the server where it’s stored. As long as the resource is published to Active Directory, with a little searching the user will most likely be able to find and utilize the resource.

There are several ways to access shared resources. This section will expand on these more common ways for each of the client operating systems addressed in this chapter:

Resources are published to you through Group Policy objects.
You can search for and access resources that are published in Active Directory.
You can attach to shared network resources (for example, shared folders and printers) from the command line.
You can create a mapped drive to network folder shares.
You can use Windows Explorer to connect to uniform naming convention (UNC) paths that describe the path to a network location in the form of \\computername\sharename.

The following examples will access resources located on the bigfirm.com domain. Table 18.1 lists those resources and their locations on the network.

Table 18.1: Network Resources Used in This Section’s Examples

Network Resource Type	Network Resource Path	Network Resource Machine Location
Marketing file share	\\bf1\BF_Marketing	bf1.bigfirm.com
Black-and-white printer	\\bf1\BF_Main_Printer	bf1.bigfirm.com

Publishing Resources with Group Policy Objects

Starting with Windows 2008’s version of Active Directory, you are able to publish all the most common resources to client (and server) devices in a centralized way. The new feature as discussed in Chapter 9 is Group Policy: Preference Policies. These policies allow you to perform such operations as setting up drive mappings, creating shortcuts, and configuring environment settings, as shown in Figure 18.23. You can do this for both users and computers that are located in specific organizational units (OUs) or domain groups.

Figure 18.23 Group Policy Management Editor with Preference Policies

Configuration of resources in any organization should be managed centrally and controlled by the membership of Active Directory groups. Once you have these groups established, you can then manage the access to file shares, printers, and applications with policies. The approaches of the past of allowing Network Discovery and sharing resources on local computers have gone away because security and compliance requirements are audited in organizations. In the next section we will be walking through the creation and publishing of some resources to our workstations. In the next examples we will be focusing on the Marketing department of bigfirm.com and publishing the required resources to the WIN8CLIENT device that is used by the marketing team.

Usually, domain administrators keep company files in centralized, secure, and fault-tolerant locations that can be backed up easily (that is, not stored on individual computers). To gain access to these resources, you need to make sure that the appropriate Active Directory (AD) groups are applied to the file shares and begin to configure your Group Policy objects (GPO) for publishing.

Publishing a Network File Share

The following example will walk you through giving published resources to an end user. You’ll begin this process by making a Groups OU and a Marketing Active Directory group. This example assumes you understand how to create organizational units and domain global groups. If you are unfamiliar with these processes, please see Chapter 7, “Active Directory in Windows Server 2012 R2.”

1. Open Active Directory Users and Computers, and create an OU called Groups.

2. Select the Groups OU and create a new global group called Marketing. See Figure 18.24 for an example of what this would look like.

Figure 18.24 Active Directory OU and group setup

3. Open up your Marketing group and add employee KevinB to this group.

4. Click Apply and your Marketing user will be added, and you can start the configuration of your Group Policy object.

5. To create the GPO, first open Administrative Tools

Group Policy Management.

6. Select the Group Policy Objects folder and right-click it. Create a new GPO, as shown in Figure 18.25.

Figure 18.25 Creating a new Group Policy object

7. For this example, name the GPO BigFirm_Marketing.

8. Double-click the BigFirm_Marketing GPO.

You will see the first tab of the Group Policy dialog called Scope. In the Scope section you need to set the Marketing group to be applied to the GPO.

9. Click Add under the Security Filtering section, type in Marketing, and click OK.

10. Now select all other groups and then click Remove.

The only group that should have this GPO applied is the Marketing team.

11. Right-click the BigFirm_Marketing policy in the left pane and select Edit.

12. The Group Policy Management Editor will now open. Here select the User Configuration section.

13. Expand User Configuration\Preferences\Windows Settings. You will see all the basic preferences you can modify for a user.

14. Select Drive Maps, right-click, and select New, Mapped Drive.

The New Drive Properties dialog will open. Figure 18.26 shows the basics of this configuration.

Figure 18.26 Creating the new drive-mapping preference policy

In the Action field, select Create.
In the Location field, enter your Universal Naming Convention (UNC) drive mapping: \\bf1\BF_Marketing.
Check the Reconnect box.
In the “Label as” field, enter how you want the drive to appear to your end users. We’re using Marketing for our example.
Click the “Use first available, starting at:” option for your drive letter. You can also click the Use: option and select a drive in the drop-down box.
We are leaving all other options at their defaults, but you can modify these to fit your environment as needed.

15. Click Apply and OK to return to the Drive Maps section.

You should now see the E drive mapping appear in the right pane.

Now that you have the GPO created and a policy for drive mappings defined, you need to link it to bigfirm.com so you can start to use this policy, as shown in Figure 18.27. Having this Group Policy object linked to bigfirm.com allows Marketing users, no matter what child OU they are in, to have the policy applied to them.

Figure 18.27 GPO applied to bigfirm.com

The next steps are all on the client side. You need to make sure that the Group Policy objects are applied to the user. Logging into WIN8CLIENT you can utilize the command prompt to force a Group Policy update. Follow these steps to update your policy on the workstation:

1. Open an elevated command prompt.

2. Type in GPUPDATE.EXE /FORCE.

You will be prompted to log off the computer because the settings you created are user specific. See Figure 18.28.

Figure 18.28 Group Policy update with user settings

3. Type Y to say yes, and it will log you out of the system.

4. Log back in to the WIN8CLIENT to see the drive mapping appear on your computer, as shown in Figure 18.29.

Figure 18.29 Marketing drive mapped to Computer folder

Adding a Network Printer

You can add a network printer by searching for a device from the GUI, using the command-line tools, or with the Network applet.

Finding a Printer by Searching for a Device

In Windows 8 searching for devices and media has been greatly simplified by the addition of the “Access media” icon in File Explorer. As shown in Figure 18.30, you can select “Access media” and it will search the network for any shared or published device, be it a printer or a media share.

Figure 18.30 “Access media” icon in File Explorer

In the Find drop-down list, choose Printers. If there are multiple domains on the network, you can make the search more specific by choosing your domain name from the drop-down list (located to the right of the Find drop-down list). If the list of printers is likely to be long, you can search by name or keyword or use the Advanced tab to search by other properties. Once you’ve set your search criteria, click Find Now. All printers published to Active Directory that meet your search criteria will appear in the Results window.

To add a found printer to your computer, right-click the printer and choose Connect. The printer will install, and you will see it in your Printers folder.

Adding a Network Printer from the Command Line

If you know the name of the printer you want and the print server it’s attached to, you can add it from the command line with the start command. For instance, to add the printer called bf_main_printer located on server bf1 to a Windows 7 or Windows 7 client, open a command prompt and type the following:

start \\bf1\bf_main_printer

When the printer installs, the print queue for that printer will open, and the printer will be listed for use in the Devices and Printers applet.

Adding a Network Printer Using the Network Applet

To add a network printer to a Windows 8 or Windows 7 client machine, open the Network applet, and click the Add a Printer link on the toolbar of the Network Folder dialog box. Clicking the link will initiate the Add Printer Wizard. This is the same wizard you get when you add a printer from the Devices and Printers button (located on the Start menu in Windows 7) and the Printers applet (located in Control Panel in Windows Vista). Remember, you can get to operating system features in many ways.

Like all previous versions of the Add Printer Wizard, this version allows you to add local printers, Bluetooth printers, and printers that are located on the network. This section will concentrate on network resources, which comprise cabled or wireless network printers. To add a network printer, click “Add a network, wireless or Bluetooth printer,” and click Next. As soon as you click this option, the wizard will search for printers on the network and return any it finds.

To add one of these printers, simply click the printer and click Next; then click Next again on the Results screen. The default configuration is to make this printer the default printer, but you can change this by deselecting the “Set as default printer” box. Click the “Print a test page” button to send a test page to the printer, and click Finish.

The options are to do the following:

Search Active Directory for published network printers
Enter a printer location and name (in the form of \\servername\printername)
Specify a printer using its hostname or its TCP/IP address (often called a TCP/IP printer)

The option “Find a printer in the directory, based on location and feature” opens the Find Printers window. You search Active Directory for printers by specifying certain printer criteria (such as a name or a printer model) or a printing feature (such as the ability to print double-sided). Click the Find Now button, and the wizard returns printers that match the specified criteria, as shown in Figure 18.31. You can also enter no criteria, and the search will return all printers in Active Directory.

Figure 18.31 The Find Printers dialog box searches Active Directory for printers matching specified criteria.

The wizard in our example returned one result. Once you find the printer, select it, click OK, and the wizard will add the printer. Click Next on the following Results screen. Click “Print a test page” to test printing to the printer, and then click Finish.

Instead of searching Active Directory for a printer, you can also add a shared printer by name. Select the option “Select a shared printer by name” and then either enter the network path and name of the printer in the form \\servername\printername or click the Browse button to locate a printer on a specific computer on the network. Once the printer name is added, click Next, click Next again on the information screen, and then click Finish.

Lastly, choose the option “Add a printer using a TCP/IP address or hostname” to add a TCP/IP printer. Enter the IP address of the printer in the “Hostname or IP address” input box. The port name will automatically mimic the IP address (you can change this if you want to use something more descriptive). The Device type defaults to AutoDetect. You should leave this setting alone unless you know the device type to specify. Click Next, and the wizard will attempt to locate the printer and install it.

Adding Wireless Devices to Your Windows Client Computer

Windows 7 and Windows 8 have the ability to add wireless devices, such as Bluetooth keyboards and mice, wireless phones, Bluetooth modems, or Bluetooth printers. These aren’t exactly network resources (ideally, your users don’t have to share a mouse with someone else), but for the sake of completeness, we’ll briefly discuss this option.

To add a wireless device to a Windows 7 or Windows 8 client computer, open the Network applet, and click the “Add a wireless device” link located on the toolbar. Clicking the link will initiate the Add a Wireless Device to the Network Wizard (in Windows 7 you can also invoke this wizard from the Devices and Printers applet). The wizard will automatically search for wireless devices for you.

If you have trouble adding a wireless network device to your client system, here are a few tips to help you:

Make sure the wireless device is on and already connected to the wireless network.
Check the network firewall to make sure it’s not blocking the discovery process.
Make sure Network Discovery is enabled on the client computer.
Make sure you are not getting interference from other wireless appliances such as microwaves or cordless phones.
Make sure the device is in wireless range of the computer (6 feet for Bluetooth devices, 100 feet for Wi-Fi devices).

Mapping a Drive to a Shared Folder

Sometimes it’s easier to use a drive letter than a UNC path to connect to a network share, especially if you’re browsing from the command line. Some applications demand it; they won’t save to or execute from UNC paths. Therefore, you can add network shares to drive letters—at least until you run out of letters. In Windows 7 and Windows 8, you can do this from the GUI, from the command line, or by creating network location shortcuts.

To map a drive to a shared network folder, follow these steps:

1. Open the Network applet, and click Search Active Directory.

2. In the Search Active Directory window, select Shared Folders in the Find drop-down menu.

3. Click Find Now, and shared folders that are published to Active Directory will appear in the Results window.

4. To connect to these shared folders, right-click the folder, and choose Map Network Drive, as shown in Figure 18.32.

Figure 18.32 Mapping a drive to shared folders found in Active Directory

Every mapped drive needs to have a unique drive letter. The resulting Map Network Drive dialog box (shown in Figure 18.33) is already populated with an unused drive letter and automatically fills in the folder location. Mapped drives will be persistent unless you deselect the “Reconnect at logon” check box. By default, the current username and password will be used.

Figure 18.33 Map Network Drive dialog box

5. Click a different username link to specify a different account to use for the connection.

The link “Connect to a Web site that you can use to store your documents and pictures” opens the Add Network Location Wizard, which is discussed later in the “Adding Network Location Shortcuts” section.

6. Click Finish.

To access the mapped drive, select Start Computer, and double-click the mapped drive listed under the Network Location section of the main window. You can also click and drag a shortcut to the mapped drive and drop it on your desktop for fast access later. To disconnect from a mapped drive, simply right-click the drive and choose Disconnect.

Some shared folders might not be listed in Active Directory. To map a drive to an unpublished share on the network, follow these steps:

1. Open the Start menu, right-click Computer, and choose Map Network Drive.

2. Choose an unused drive letter from the Drive drop-down box.

3. Now you must give the location to the folder using one of these methods:

Type in the UNC path to the share; for instance, type \\BF1\BF_Marketing.
Click the Browse button, and visually locate shared folders by expanding the computer the share is located on, selecting the share, and clicking OK.

4. Click Finish, and the mapped drive will be listed in the Computer window under the Network Location section.

It’s also possible to map drives from the command line with the net use command if you know the path to the share. In fact, administrators often create login scripts to automatically map drives for users when they log on to their computers. For instance, to map a drive to the bf_marketing share on server bf1, you would issue the following command:

net use M: \\bf1\bf_marketing /PERSISTENT:YES

Here’s a breakdown of the parameters used in this example:

M: This represents the drive letter to which the drive will be mapped.

\\bf1\bf_marketing This is the UNC path to the share.

/PERSISTENT:YES This makes the mapped drive reconnect automatically each time the user logs on to this computer.

To get a full list of parameters for the net use command, open a command prompt and type net use /?.

But what if you don’t know what’s out there to connect to via CLI? No problem. You can use the net view command to get a list of shared resources on the network. Run it once, and you’ll get a list of computers that are visible on the network. Now digging further, you can issue the net view command against a computer on the network to get a list of its shared resources. To delete a mapped drive from the command line, type net use X: /delete, where X is the drive letter of the mapped drive you want to delete.

Creating a Network Folder

You’ve learned how to map a drive in Windows 8 in ways very similar to older operating systems. But there is another way to access shared folders (and other network locations): by creating a network folder (basically a shortcut) to the shared location from within your Computer window. Why would you do this as opposed to just mapping a drive? There are both positive and negative differences between mapped drives and network location shortcuts. On one hand, a mapped drive acts like a local drive on the computer. Applications that need to access items from drives will treat the network location as a local drive. However, you can’t map a drive letter to other kinds of locations such as FTP sites and web shares. So, there are reasons to utilize both access techniques.

A network location includes shared folders, web shares, FTP sites, and UNC paths. You can add links to these network places in your Computer window by using the Add Network Location Wizard. The Add Network Location Wizard is a menu option in XP’s My Network Places. My Network Places has since been morphed into the Network and Sharing Center in Windows 7 and Windows 8—Network Location Wizard is no longer a feature of that applet.

To open the Add Network Location Wizard in Windows 7 and Windows 8, follow these steps:

1. Select Start

Computer.

2. Right-click in the resulting window, and choose “Add a network location,” as shown in Figure 18.34.

Figure 18.34 Starting the Add Network Location Wizard from the Computer window

3. The Welcome screen will appear. Click the Next button, select “Choose a custom network location,” and click Next.

4. Now you can either enter a location path if you know it (the UNC path to a network share, the FTP address of an FTP site, the URL of a web share), or you can click the Browse button to help you locate a folder share. (The Browse button will allow you to search the network only for folder shares, not other kinds of locations.)

5. Click Next. Figure 18.35 shows entering the URL for the bigfirm.com company FTP site: ftp://ftp.bigfirm.com.

Figure 18.35 Enter the path to the network location or browse the network to locate a network location.

By default, the wizard allows for anonymous access to the FTP site. If you want to change this, follow these steps:

1. Deselect “Log on anonymously,” and then type in a username you want to use to log on.

2. Click the Next button, and name the location (for example ftp.bigfirm.com).

3. Click the Next button, and then click Finish.

The network location will open, and the network location will be listed in the Network Location section of the Computer window, as shown in Figure 18.36.

Figure 18.36 The network location is added to the Computer window.

To disconnect a network location, simply right-click the network location, and select Delete.

Connecting Mac OS X Clients

More and more organizations are integrating Apple Macintosh computers into their Active Directory networks each year. This is being facilitated both by Apple, including better networking features, and by Microsoft adding federation services that make it easier for diverse network clients to take advantage of Active Directory.

In the past, the process of connecting a Mac client to a Windows Server machine required additional software to let the Mac understand the Server Message Block (SMB) file protocols used by Windows. In Mac OS X, all the necessary pieces are included with the operating system. This is because Apple has included a version of Samba with OS X. Samba lets Unix-like operating systems, such as Linux and OS X, speak the native SMB dialects that are used by Windows operating systems. So, the issue in connecting your Mac clients is more a matter of authentication than one of basic connectivity.

Even though Macs can speak SMB, Windows Server 2012 expects a certain default level of security for SMB communication that OS X cannot provide natively, namely, SMB packet signing. Packet signing helps a Windows server and client communicate more securely by digitally signing every packet that is sent by SMB. This technique can relieve some of the risk of the packets being intercepted and manipulated in a so-called man-in-the-middle attack.

To let your Mac clients communicate effectively with Windows Server 2012 Active Directory environments, you will need to disable the requirement for SMB packet signing. But in the interest of network security, you don’t want to do away with packet signing altogether. Fortunately, the setting you want to use will enable SMB packet signing for clients that support it but not require it for clients (such as Macs) that don’t.

To enable Mac clients running OS X to connect to your Active Directory domain, you must use the following Group Policy settings:

Microsoft network server: Digitally sign communications (always).
Set this policy to Disable: to turn off the requirement for SMB packet signing on client-to-server communications.
Microsoft network server: Digitally sign communications (if client agrees).
Set this policy to Enable: to allow Windows clients to still use SMB packet signing when communicating with Windows servers.
Network security: LAN Manager authentication level.
Set this policy to Send LM & NTLM; use NTLMv2 session security if negotiated. This policy will provide access to Mac clients while still permitting Windows clients to negotiate a higher security level.

You can set these policies in the local policies for domain controllers, which will enable access for Mac clients across the network. To set these policies, follow these steps:

1. Open Group Policy Management. You can do so in the following ways:

Select Start Administrative Tools Group Policy Management.
In Server Manager, expand Features, and then click Group Policy Management.

2. Open the Default Domain Policy.

3. In Server Manager, expand Group Policy Management, expand your forest, expand Domains, and expand your domain.

4. Right-click Default Domain Policy, and then click Edit.

5. If you are prompted at this point, click OK.

6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, as shown in Figure 18.37.

Figure 18.37 Using the Group Policy Management Editor

7. Scroll down to “Microsoft network server.”

8. Double-click the “Microsoft network server: Digitally sign communications (always)” policy.

9. Click “Define the policy setting,” and then select Disabled.

10. Click OK.

11. Double-click the “Microsoft network server: Digitally sign communications (if client agrees)” policy.

12. Click “Define the policy setting,” and then select Enabled.

13. Click OK.

14. Scroll down to “Network security.”

15. Double-click the “Network security: LAN Manager authentication level” policy.

16. Click “Define this policy.”

17. Use the drop-down list to select “Send LM & NTLM; use NTLMv2 session security if negotiated.”

18. Click OK.

Connecting a Mac to the Domain

Before you can bind your Mac OS X client to Active Directory, you must complete some preparatory steps. Some of them may be completed already if the clients receive their IP configuration through the Dynamic Host Configuration Protocol (DHCP). Before you try to bind your Mac client to Active Directory, ensure the following items are configured on your Mac:

IP address
DNS server address
Default gateway

The Domain Name System (DNS) server address is the critical part. In most organizations using Active Directory, the DNS servers will likely be domain controllers, or at least they will be integrated with Active Directory. This is important because the Mac client will perform a DNS query to find the Lightweight Directory Access Protocol (LDAP) server responsible for the domain name. An Active Directory integrated DNS server will respond with the IP address of a domain controller, which is what you want in order to join the domain.

These are some additional bits of information you will need to provide during the bind process:

User credentials with permission to add a computer to the domain
Your Mac’s computer name as it will appear in Active Directory
Fully qualified domain name (such as bigfirm.com)
Distinguished path to the organization unit where the computer account should be created
Administrator account credentials for your Mac

With this information in hand, or at least in mind, you are ready to join your Mac client to your Active Directory domain. Log on to your Mac OS X computer, and perform the following steps:

1. Open System Preferences.

2. Select Users & Groups under the System section.

3. Select Login Options; if it is grayed out, you need to click the lock on the bottom to allow changes to the system to happen.

4. Click the Network Account Server: Join button.

5. Click Open Directory Utility.

You may be required to click the lock again to make changes.

6. The Directory utility will open. Enter your information in the following fields:

Active Directory Forest
Active Directory Domain
Computer ID

7. In Active Directory Domain, type the fully qualified domain name, such as bigfirm.com.

8. In Computer ID, type the name for the Mac client computer; do not include dashes in the name.

9. Click Bind. When prompted, provide your Mac administrator name and password to permit the change. Click OK.

10. Provide the distinguished name for an account with permission to add the Mac client account to Active Directory, such as administrator@bigfirm.com.

11. Enter the password for the account.

12. Verify the distinguished path to the OU where this computer account will be created, as shown in Figure 18.38. Click OK.

Figure 18.38 Providing the distinguished path to the OU

13. Click OK to save the Active Directory settings.

14. When prompted, enter your Mac administrator credentials, and click OK.

The Directory Services utility also allows you to configure and join Active Directory domains or forests from the command line. To configure your Mac from the command line, you need to use the dsconfigad utility to work through this example:

1. Open up Terminal.

2. Select a domain controller and type in the following command:

dsconfigad -preferred bf1.bigfirm.com -a "COMPUTERNAME" -domain bigfirm.com -u administrator -p "password"

3. Select Login Options; if it is grayed out, you need to select the lock on the bottom to allow changes to the system to happen.

Once you have bound your Mac to the domain, you can use additional commands to get more advanced information. The next step is to use dsconfigad to set administrative options that are available via Active Directory.

4. In your Terminal session type in the following command:

Dsconfigad -alldomains enable -groups domain BigAdmin@Bigfrim.com, Enterprise BigAdmins@bigfirm.com

The commands require you to use cleartext passwords, so if your Active Directory domain does not allow that, you will have to set this up to be enabled for Directory Services logging. Another tool that is commonly used is odutil. This command will look at the internal state of directory services and records, allowing you to enable logging and change your statistics.

5. Run the following command:

odutil set log debug

This command will set logging on the device to Debug mode, so if you have any issues connecting to your Active Directory domain, you can run debugging–event depth get detailed logs. The logs for odutil are stored at /var/log/opendirectoryd.log.

Connecting to File Shares

Once your Mac client is part of the Active Directory domain, connecting to shared folders is almost the same process as connecting to an OS X server. The single exception is that you must specify that the Finder will use the SMB protocol to connect to the share. Use the format smb://servername/sharename to define the path, similar to Figure 18.39.

Figure 18.39 Defining the path to the Windows server

To connect your Mac client to a Windows Server 2012 shared folder, follows these steps:

1. In the Finder, click the Go menu, and then click Connect to Server.

2. Type the path to the shared folder using the format smb://servername/sharename.

3. Optionally, click the plus sign (+) to add this server to your list of favorite servers. If you do, you will be able to click the server name in the list, and then click Connect.

4. Click Connect.

5. Provide your Active Directory user credentials, and click OK.

Connecting to Printers

Like connecting to shared folders, connecting to network printers that are published in Active Directory is a relatively straightforward task. Once the Mac client has joined the Active Directory domain, published printers will be displayed on the Default tab when adding a printer on the Print & Fax page in System Preferences, similar to Figure 18.40.

Figure 18.40 Adding a printer from Active Directory

To add a printer that is published in Active Directory, follow these steps:

1. Open System Preferences.

2. Click Print & Scan.

3. Click the plus sign (+) to add a new printer.

4. On the Default tab, click the name of the printer you want to add.

5. Click Add.

To add printers in a Windows workgroup environment, the process is similar. You would still use the Print & Scan page of System Preferences to add the new printer, but instead of finding the Active Directory printers listed on the Default tab, you would use the Windows tab and browse for them.

Through the Print and Scan section of System Preferences you can also add IP-based printers and any fax machines that might be available to you.

Using Remote Desktop from a Mac Client

Now that you have added your OS X client to your Active Directory domain and you can access file shares and printers, how can you administer your network? Fortunately, Microsoft has created a Remote Desktop client for OS X that lets you access your Windows Server 2012 computers from your Mac. You can download the Remote Desktop Connection for Mac (RDC) for OS X for free from either Microsoft’s (www.microsoft.com/downloads) or Apple’s (www.apple.com/downloads) download sections. Search the sites for “Remote Desktop Connection.”

To install the Remote Desktop Connection client, follow these steps:

1. Download the latest version of Remote Desktop Connection. The disk image package will automatically mount and start the setup. Click Continue.

2. Review the Read Me information, and then click Continue.

3. Review the license, and then click Continue. Click Agree if you accept the license.

4. Click Install to perform a standard installation, and the Remote Desktop Connection for the Mac 2 icon will be placed in your Applications folder on your primary hard disk.

You can change the install destination by clicking Change Install Location.

5. Click Install. Figure 18.41 shows the Installation Type page.

Figure 18.41 Selecting the location to install RDC

6. Provide your Mac administrator password to approve the installation, and then click OK.

7. When the installation process finishes, click Close to exit the installer.

Using the RDC is similar to using Remote Desktop in Windows, except that the interface has been changed somewhat to match the OS X style. The initial window contains only a space to enter the name of the computer to which you want to connect. To supply logon credentials and adjust any preferences, use the RDC menus at the top of the screen. Just like the Windows version of Remote Desktop, when you first connect to a remote computer, you will be prompted to provide your username, password, and domain name. RDC does save you some time by letting you store your Windows credentials in the Preferences screen and then save them in your Keychain. Having your Mac joined to an Active Directory domain is not a requirement to use the Remote Desktop client. If the Mac you are using is getting DHCP and DNS information from the network, you will be able to access servers and Windows workstations just as you would on any standard Windows Desktop.

Troubleshooting

In this section, we offer some troubleshooting tips that will come in handy if you experience these issues while trying to bind your Mac client to Active Directory:

You have an issue with AD domains ending in .local. Many people have reported issues connecting to an Active Directory domain that ends with .local (such as is often used with Windows Small Business Server networks). Bonjour, Apple’s implementation of Multicast DNS, does not see .local as a valid top-level domain and assumes that it should be resolved through Bonjour. Because of this, the Mac client will not query the DNS server to retrieve an IP address for any host in a .local domain. You can enable your Mac to look up .local domain addresses by adding local to your list of search domains, as shown in Figure 18.42.

Figure 18.42 Adding local to your search domain order

Active Directory does not respond when binding. If you receive an error that the Active Directory domain failed to respond when you tried to bind your Mac to the domain, there are a few things to check:

Verify that your network settings specify a valid DNS server in the domain.
Verify that SMB packet signing has been set correctly in Active Directory.

Active Directory stops responding. Various versions of OS X have had challenges connecting to Active Directory. Make sure you have the latest updates for the operating system. If your Mac client loses contact with Active Directory, try unbinding from the domain and then binding again.