You may have noticed a reference to computer accounts while reading
about the client naming policy in the previous section. WDS joins the
computers that it builds to a domain, and you can control exactly how
this is done.
Specifying Computer Account Location
You can manage how WDS joins computers to Active
Directory by opening the properties of the WDS server in the WDS
console and navigating to the AD DS tab. The computer account location policy can be configured, once per WDS server, with one of four possible settings:
Same Domain As The Windows Deployment Services Server
This is the default policy. WDS will join the
newly built machine to the same Active Directory domain as the WDS
server. The computer object will be created in the default location,
which is usually the Computers container. This location might not be
appropriate. The user may be a member of a different domain in the
forest and their computer should be in the same domain as they are. Or
administrators may want to create computer objects in an organizational
unit (OU) so that they can inherit configured Group Policy Objects.
Same Domain As The User Performing The Installation
With this policy enabled, the computer will be
joined to the same domain as the user who logged into the WDS client.
This policy can be beneficial in a multidomain organization. The
computer account will be created in the default location for that
domain, which is usually the Computers container. This strategy may not
be desired if there are policies that must be inherited.
Same Organizational Unit As The User Performing The Installation
The new computer object will be created in the
same OU as the user who logged into the WDS client. If this is an end
user, this strategy can be effective. The computer object is created
where it will inherit the appropriate policies and where delegated
administration has been set up. However, this approach will not be
useful if an administrator is building the computer because the
computer object will be created in an administrative OU rather than in
a user's OU. It would also be inappropriate if you use dedicated OUs
for computer objects.
The Following Location
This policy allows you to specify a domain (in
the forest) and an OU or container where the new computer object will be
created. This is useful if you plan to have one location for all
computer objects that will be created by a WDS server. However, a very
large site may have different OUs or domains for users and computers.
This policy will only allow you to select one location that must suit
every machine that the WDS server will be used to prepare.
There is no one policy that will suit everyone. You
should evaluate your organization's requirements for computer account
location and then choose the policy that best meets those needs.
The WDS server will require some rights to create or
manage computer accounts in the specified Active Directory locations.
You can do this in Active Directory Users And Computers by
right-clicking the required OU and selecting Delegate Control. You will
specify Computers under Object Types and enter the computer name of the
WDS server. Select Create A Custom Task To Delegate. Click Create
Selected Objects In This Folder and select Computer Objects. Grant the
Full Control permission. The WDS server will have rights to create
computer objects in the OU when you complete the wizard.
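The same delegation, performed from PowerShell with the ActiveDirectory module instead of the Delegate Control wizard (an added example, not the book's own text; the OU distinguished name and the WDS server account NOLA-WDS01$ are assumed values for the deploy.com scenario):

```powershell
# Added example: grant a WDS server's computer account the rights the
# Delegate Control wizard grants. Assumed: OU DN and account name below.
Import-Module ActiveDirectory

$ouDn       = 'OU=Computers,OU=New Orleans,OU=The Company,DC=deploy,DC=com'
$wdsAccount = 'DEPLOY\NOLA-WDS01$'   # computer account of the WDS server (trailing $)

# schemaIDGUID of the "computer" class, read from the schema rather than hard-coded
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$computerGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

$sid = (New-Object System.Security.Principal.NTAccount($wdsAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$acl = Get-Acl -Path "AD:\$ouDn"

# "Create Selected Objects In This Folder" -> Computer objects only
$createRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,                                           # object class the right applies to
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# "Full Control" over the computer objects in this OU, and nothing else in it
$fullRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)                                           # inherited object type = computer

$acl.AddAccessRule($createRule)
$acl.AddAccessRule($fullRule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: list the ACEs on the OU that name the WDS server account
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -eq $wdsAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Scoping the second rule to descendant computer objects keeps the WDS server from gaining Full Control over users, groups or other objects that may later be placed in the same OU.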
Imagine that the company Deploy.com is a multinational organization with offices in three different countries:
San Francisco, USA
New Orleans, USA
Beijing, China
Shanghai, China
Dublin, Ireland
Galway, Ireland
The company has built a single-domain Active Directory called deploy.com. An organizational unit architecture has been set up as follows:
[domain] Deploy.com
[OU] The Company
[OU] The Company => San Francisco
[OU] The Company => San Francisco => Users
[OU] The Company => San Francisco => Groups
[OU] The Company => San Francisco => Computers
[OU] The Company => New Orleans
[OU] The Company => New Orleans => Users
[OU] The Company => New Orleans => Groups
[OU] The Company => New Orleans => Computers
This pattern continues to provide OUs for the
remaining offices in the company. A WDS server is deployed in each
office. Any computer objects that are created should be joined to the
Computers child OU for the relevant location.
The computer account location policy will be
configured to use the setting The Following Location. Each WDS server
will be configured to join computers to the relevant Computers OU for
its location. For example, the New Orleans WDS server will create
computer objects in the The Company => New Orleans => Computers OU.
This approach ensures that computer objects are
created in an OU where delegated Active Directory administrators will
have permissions to access them and that the computers will inherit
policy that is relevant to their logical location in the company.
1. Advanced Domain Controller Settings
In extremely large Active Directory environments,
you may need to control which domain controllers the WDS server will
work with. You can manage the domain controller settings by opening the
properties of the WDS server in the WDS console and navigating to the
Advanced tab, shown in Figure 1.
By default, the WDS server will use any domain
controller that it discovers by normal methods. This is perfectly valid
in most environments. In some scenarios, such as where there is a
heavy load on production domain controllers, you may need to
configure the WDS server to use specific domain controllers so that
deployments do not affect line-of-business services.
You can select the Windows Deployment Services
Should Use The Following Services option and then select a specific
domain controller and global catalog replica that WDS should use.
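The per-office configuration from the Deploy.com scenario and the preferred domain controller setting, applied with WDSUTIL from PowerShell (an added example, not from the book; the WDS server names, the domain controller names and the office list are assumed):

```powershell
# Added example: set "The Following Location" on each office's WDS server and,
# where an office has a dedicated DC, pin the server to it. All names assumed.
Import-Module ActiveDirectory

$domainDn = 'DC=deploy,DC=com'

# Office -> WDS server; Dc is left empty where normal DC discovery is fine
$offices = @(
    @{ Name = 'San Francisco'; Wds = 'SFO-WDS01';  Dc = '' },
    @{ Name = 'New Orleans';   Wds = 'NOLA-WDS01'; Dc = 'NOLA-DC02' },
    @{ Name = 'Beijing';       Wds = 'PEK-WDS01';  Dc = '' },
    @{ Name = 'Shanghai';      Wds = 'SHA-WDS01';  Dc = 'SHA-DC02' },
    @{ Name = 'Dublin';        Wds = 'DUB-WDS01';  Dc = '' },
    @{ Name = 'Galway';        Wds = 'GWY-WDS01';  Dc = '' }
)

foreach ($office in $offices) {
    $ouDn = "OU=Computers,OU=$($office.Name),OU=The Company,$domainDn"

    # Fail early if the OU does not exist: WDSUTIL would otherwise store a DN
    # that no new computer object can ever be created under.
    try {
        Get-ADOrganizationalUnit -Identity $ouDn -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "Skipping $($office.Name): OU not found: $ouDn"
        continue
    }

    # "The Following Location" policy is /Type:Custom plus the OU's DN
    wdsutil /Set-Server /Server:$($office.Wds) /NewMachineOU /Type:Custom /OU:"$ouDn"

    # Advanced tab: use a specific DC and global catalog instead of discovery
    if ($office.Dc) {
        wdsutil /Set-Server /Server:$($office.Wds) `
            /PreferredDC:$($office.Dc) /PreferredGC:$($office.Dc)
    }

    # Read the resulting configuration back for the change record
    wdsutil /Get-Server /Server:$($office.Wds) /Show:Config
}
```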