Windows NT4 WS joining an NT Domain
You have an NT workstation, which is to be
connected to an NT4 Domain server.
While it is technically possible to access data on an NT4 Domain
server using workgroup access, on most systems the security
policies will require you to "Join the NT Domain"
to gain access to the data ( The procedure to join a Windows 2000 Domain is almost identical )
(if you are connecting via a Router to
the domain-server, you will first to handle the TCP/IP
routing and naming issues, see : Connection via a Router to
a NT Domain Server )
When loading up (installing) the NT4 workstation software on a PC
and configuring the
network, you will have already the
option to join the Domain:
My experience (also confirmed by the
suggestion in the Microsoft NT4 Server / Workstation training
kit, with the 120 day trail-versions of NT4 WS and NT4 Server):
DO NOT JOIN THE DOMAIN DURING
THE INITIAL NETWORK INSTALLATION !
Please, select at this time "Workgroup"
and I suggest to enter as workgroup-name the name of the Domain,
which you like to join later.
(If you attempt to join at this stage
the domain, you will NOT become a fully qualified Domain member,
some security items will not be install properly and you can get
very strange and un-explainable problems later)
NT4 workstation is installed properly, you get
the NT4 Logon-prompt:
||Ok, it is a fake
I was not able to make a screen-dump
from the real logon screen.
||You are operating as a
"Workgroup", not yet as
a member of the Domain.
||Make sure, that you can see the
NT4 Domain server in your
(and the NT4 Domain server has
to be able to see your NT4 workstation)
This is also an important diagnostic check,
since you are now at least sure,
that the network card is working, that the cabling is working and
have installed to proper protocol.
||make sure, that you have made the Logon
to this NT4 workstation as a user with
administrator rights on this system:
You require to have Administrator rights
the following change of the network configuration !
In the Control-Panel Network-Applet,
select now to "Change..."
||Select now to be a "Member
and enter the name of the NT Domain
(NOT the name of the NT Domain Server
DO NOT YET CLICK
ON "OK" !
Please, read/continue first the next
While a Windows95/98 system can simply join the Domain, the advanced Security system on NT requires, that on
the Domain-server a "Computer Account" is created for
this NT4 workstation.
NOTE: in my experience, this "Computer
Account" should only be created, once the NT4 workstation is
configured for Workgroup-networking and the NT4 Domain server is
able to see the NT4 workstation on the network
("= see it in the Network
There are now 3 possible methods to create the
1) on the NT4 workstation
if you are yourself the administrator of the NT4 Domain server
(or at least know the password of the
||Put the Check-mark on:
"Create a Computer
Account in the Domain"
and identify yourself to be entitled for this
activity by entering the User-name and
Password of the NT4-Domain Server
Administrator (or a user entitled to
2) on the NT4 Domain-Server
usually, a regular user will NOT know the password of the Domain
Administrator, and if the administrator is not present, then it
is now the time to give the Domain Administrator a call, who uses
now the "Server
In this example,no NT4 system has yet been defined as member of
Note: Windows 95/98 system are
not defined (not listed) as member of a domain!
||Select from the Menu: "Computer"
to "Add to Domain..."
||you are adding an NT4 workstation,
and enter the name of the system.
Please, note that the icon for the newly added NT4 system is gray.
that system has successfully joined the Domain, that icon will
3) From a Windows95/98 system using
"Windows NT Server Tools"
During the installation, a Security
Number (SID) is generated.
It is a random number, which is stored as part of the
If a system gets replaced (because
you upgrade to a newer/faster model)
or it had to be reloaded (a new
disk due to a disk-crash),
then this replaced
system will have a different SID.
Even if the Computer-Name is made identical, the system
will NOT be able
to connect to the Domain due to the mis-match of the SID.
In such cases, you first must delete on the Domain the
(and it will take 20-30 min
before a deleted account disappears from the list)
and then the Computer-Account can be re-created.
The computer account is
created or defined , now you are ready to click the
"OK" button on the window "Identification Changes":
||If the computer account was properly
you will now be member of the Domain.
||On "Close", you will have
After the reboot and pressing "Ctrl-Alt-Del", a new
version of the Logon Windows is displayed (and it is a fake, since I could not make a
screendump of the real one):
You can now decide, on which User-Database to use for your Logon:
||the users defined ONLY on your local
NT4 Workstation ("P120NT4")
(which you may need to do to get
the right of being a local Administrator
to be able to modify the configuration)
||the User Database defined on the
(but since in most cases you will NOT be the Domain
Server Administrator, you will
not be able to make a change to the configuration of the
Now, you need to have a Username (and
password), which is defined in
the User-Manager of the Domain, to be able to logon:
You are now a member of the Domain, with it access-right (able to
access data stored on the NT server), but also with its policies
(="limitations") imposed for security reasons by the
When loging on to a Domain, a Logon Script could be
Often, a Home-Directory is assigned to you.