RESET Forums (homeservershow.com)

Install Connector and Skip Domain Join


Drashna Jaelre

Article here: http://social.technet.microsoft.com/Forums/en-US/winserveressentials/thread/aa40963c-7235-40f7-85f5-8f8d030a7c13

Quoted for ease

This post describes a temporary solution that allows client computers to connect to Windows Server 2012 Essentials without joining the Windows Server 2012 Essentials domain. Please read the following Notes carefully before you take any actions.

 

Description

 

 

When deploying Pro/Enterprise/Ultimate Windows client computers in a Windows Server 2012 Essentials network, joining the Windows Server 2012 Essentials domain is mandatory. If the client computer is already joined to another domain, you are required to manually leave the existing domain; otherwise, the client deployment process will be blocked.

 

Currently we have received requests from customers asking for the option to skip domain joining in a client deployment. As a result, in this article we provide a solution so that the client can connect to the server and utilize the majority of client features without joining the domain.

Before you take any action, please read the following note.

 

Note:

 

If you skip joining the domain, the following areas will be impacted:

• All features that require that you be joined to the domain will not be available, including domain credentials, Group Policy, and VPN.

• Any third-party add-ons and applications that require that you join the domain will not be working properly.

• Skipping domain joining in an off-premises client deployment is not supported.

• This solution is only supported on the following Windows client versions:

    • Windows 7 Professional

    • Windows 7 Enterprise

    • Windows 7 Ultimate

    • Windows 8 Pro

    • Windows 8 Enterprise

To skip joining the domain during a client deployment

 

 

1. On your client computer, go to Start and search for command prompt "cmd".

2. In the search results, find cmd.exe and run as administrator.

3. Type the following command prompt:

reg add "HKLM\SOFTWARE\Microsoft\Windows Server\ClientDeployment" /v SkipDomainJoin /t REG_DWORD /d 1

4. Complete the steps on the Connect Computers to the Server Help topic.

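An added example, not part of the thread or the quoted Microsoft article: a PowerShell check an administrator can run on a client to see whether the SkipDomainJoin value from step 3 is set and whether the machine is actually domain joined. The function name Get-SkipDomainJoinState and the finding strings are made up for this example; the registry path and value name are the ones quoted above.

```powershell
# Added example: report whether the connector was told to skip the domain join.
# Written for PowerShell 2.0 so it also runs on a stock Windows 7 client.
function Get-SkipDomainJoinState {
    # Registry path and value name as given in the quoted article.
    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows Server\ClientDeployment'
    $valueName = 'SkipDomainJoin'

    # A missing key or value means the default behaviour (domain join required).
    $raw = $null
    if (Test-Path -Path $keyPath) {
        $prop = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($prop) { $raw = $prop.$valueName }
    }

    # PartOfDomain is true for a domain member; Domain holds the domain name,
    # or the workgroup name when the machine is not a domain member.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $skipSet = ($raw -eq 1)

    if ($skipSet -and -not $cs.PartOfDomain) {
        $finding = 'Skip flag set, workgroup machine: no Group Policy or domain credentials apply'
    } elseif ($skipSet -and $cs.PartOfDomain) {
        $finding = 'Skip flag set, machine is in a domain: check whether it is the Essentials domain'
    } elseif ($cs.PartOfDomain) {
        $finding = 'Skip flag not set, domain joined'
    } else {
        $finding = 'Skip flag not set, workgroup machine'
    }

    New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        SkipDomainJoin    = $raw
        PartOfDomain      = $cs.PartOfDomain
        DomainOrWorkgroup = $cs.Domain
        Finding           = $finding
    } | Select-Object ComputerName, SkipDomainJoin, PartOfDomain, DomainOrWorkgroup, Finding
}

Get-SkipDomainJoinState | Format-List
```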
ikon

Doesn't apply to me, but this could be useful for people who bring work domain-joined computers home and want to access their personal WSE2012. I wonder if it would permit backing up the client to the WSE2012?

 

And just what does "Skipping domain joining in an off-premises client deployment is not supported." actually mean?

Drashna Jaelre

Doesn't really apply to me other than my parents' computer, but it's nice to have the option.

 

And no idea what that was supposed to mean.

 

Andne

One of the new features I remember seeing for WS2012E is the ability to join a client computer without being on the same network. I'm guessing that it refers to it.

 

See the bullet-point Remote Client Join and Connection Monitoring.

 

http://windowsteamblog.com/windows/b/windowshomeserver/archive/2012/08/30/windows-server-2012-essentials-release-candidate-is-now-available.aspx

Guest no-control

Doesn't apply to me, but this could be useful for people who bring work domain-joined computers home and want to access their personal WSE2012. I wonder if it would permit backing up the client to the WSE2012?

 

I still cannot fathom why anyone would want their work PC to access anything other than wifi. Even still, once on the LAN, presumably via a separate network profile (home), couldn't you just browse via the network to the server and use credentials to access shares?

 

And just what does "Skipping domain joining in an off-premises client deployment is not supported." actually mean?

 

An off-prem domain join is just when a computer is configured to join a domain without actually contacting a DC. Try it out ;) djoin.exe

 

Doesn't really apply to me other than my parents' computer, but it's nice to have the option.

 

But do your parents really care if they're on a domain or not? Would they even notice? Would they pay $425 over the $50 for 2011?

 

To me this would create a huge hole in the security of the network. That may be a little extreme, but at the very least now you have a system(s) that have none of the benefits of AD/GP and all of the hassles of setting up Share and NTFS permissions in the ACL. No thanks, I'll take the simple check box interface of 2012e and a domain. For the end user, especially the tech ignorant, only the logon is an issue, and let's be honest. EVERYONE, regardless of how clueless they are, should be required to logon with a base level password.

Andne

For a general purpose PC, I agree that logons should be required. For my media center PC, I don't want a logon. I (finally) have a remote to use the media center, and want to be able to turn it on and have media center start up. I have auto-logon enabled on that computer in order to make this happen. That said, the auto-logon account is a specific account for media center usage that can't actually modify anything on the network. It has read-only access to those file shares that it uses, and even those are only the shares that have media on them - my documents folder, software folder, etc... do not allow that account to access them. While this means that I have to log out and log into my account in order to install new versions of MyMovies, I can live with that requirement. This may mean that my environment is slightly less secure, but I think that only having a very limited account allowing this is still secure enough for my needs, compared to enabling guest access on several of my shares in order to let the media center PC contact them to play movies and such.

jmwills

Okay, you are going to be in a Domain, so create a special OU for the HTPCs and apply a group policy that weakens the default password policy and apply it to that OU. No other machines will be affected.

Drashna Jaelre
But do your parents really care if they're on a domain or not? Would they even notice? Would they pay $425 over the $50 for 2011?

As I live with my parents (due to various financial/medical issues), no, they don't care about what it's connected to. The only thing they care about is being able to log into their computer easily. Which is why I wouldn't want it joined to a domain in the first place. As for would they notice? Definitely. Both of my parents have suffered minor strokes. Any big changes would have them confused for weeks, if not months. Not to mention, trying to get them to use, let alone REMEMBER a secure password. I'm just happy the wife actually does.

 

Also, for HTPCs, it's important. If you're one of those weirdos that still uses Windows Media Center and extenders... joining a domain will break the Extender sessions. Unless you want to get into some really heavy GPO stuff, or just add the media center to the Domain Controller OU. While I'd personally create a new OU and set a new GPO for it, not everyone will want to do this or even know how to. While MSFT is basically backtracking and saying that 2012 Essentials isn't meant to be a "Home Server", they've sure made it very "home friendly". (eg, media streaming)

 

To me this would create a huge hole in the security of the network. That may be a little extreme, but at the very least now you have a system(s) that have none of the benefits of AD/GP and all of the hassles of setting up Share and NTFS permissions in the ACL. No thanks, I'll take the simple check box interface of 2012e and a domain. For the end user, especially the tech ignorant, only the logon is an issue, and let's be honest. EVERYONE, regardless of how clueless they are, should be required to logon with a base level password.

I'll agree with the AD part. But as for the shares? Seriously? Just make sure the computer uses the same username and password as an account on the domain (or vice versa) and it will work just fine. I was running WHSv1 with AD for years and it worked like that. And I'm running my HTPC not joined to the SBSe2011 domain and it works just fine.

 

Other than no GPOs, I don't really see the issue for a home user.

 

Okay, you are going to be in a Domain, so create a special OU for the HTPCs and apply a group policy that weakens the default password policy and apply it to that OU. No other machines will be affected.

It's more than that. If you use Media Center and extenders, you have to change logon rights and a few other policies to get the extender session to even work. The Domain Controller OU works, but that's not really a great idea....

jmwills

With GPOs, you can basically turn those HTPCs into workgroup mimicking machines. Autologons, no password policies, etc

 

I prefer not to hack something just to beat a system....work with what is there. But everyone is different


ikon

Thanks for the interesting debate guys. Lots of good points of view to consider.
