Join a computer to a domain

Joining a server or client device to a domain is an essential step for achieving centralized management and improved security within an organization's network. Whether you're configuring a new device or optimizing your network setup, follow this guide for a seamless integration into your domain environment.

Prerequisites

Server requirements

Your Windows Server device must have the Active Directory Domain Services role installed to use the Active Directory Users and Computers (ADUC) tool. To learn more, see Install or Uninstall Roles, Role Services, or Features.

You must be a member of the Administrators group or have administrative privileges on both the local account and domain account.

Client requirements

The user account must have administrative privileges on the local machine to join a domain.

Your client device must have one of the following versions of Windows installed:

• Enterprise
• Enterprise N
• Pro
• Pro N
• Pro Education
• Pro Education N
• Pro for Workstations
• Pro N for Workstations

Note

To keep time synchronized, organizations often use the Windows Time Service or a Network Time Protocol (NTP) server. Within a domain, computers typically sync their clocks with the Domain Controller, which should be aligned with a dependable time source. This process ensures consistent time settings across all devices in the domain, minimizing potential issues with Kerberos authentication.

Prestage a device using ADUC

This step is optional and not mandatory for joining a device to a domain. However, prestaging a device in Active Directory can streamline the process by pre-assigning the computer account to the appropriate organizational unit (OU) and ensuring proper permissions are in place before the device joins the domain.

1. In Server Manager, select the Tools button from the top right menu.

2. In the drop-down menu, select Active Directory Users and Computers.

3. In the left pane, navigate to and select the appropriate organizational unit (OU).

4. Select the Actions tab, select New, then select Computer.

5. Enter the computer name and configure which user or group the device should belong to.

6. Select OK This can help prepare for when the client is ready to join the domain.

Join a device to a domain

Joining a device to a domain can be done using either graphical user interface (GUI) methods or command-line tools, depending on your preference and the needs of your environment. Both approaches ensure integration into the domain.

Server Manager method

1. In Server Manager, select Local Server, under Workgroup, select the workgroup or domain name hyperlink.

2. Under the Computer Name tab, select Change.

3. Under Member of, select Domain, type the name of the domain that you wish the computer to join, and then select OK.

4. Provide the credentials needed to join the domain, then select OK.

5. After the device successfully joins the domain, a notification confirms the device's domain membership. Select OK, and you're prompted to restart your device.

Control Panel method

1. Select Start, type Control Panel, and then press ENTER.

2. Ensure that from the View by drop-down menu at the top right is set to Category.

3. Navigate to System and Security, then select System.

4. Select Domain or workgroup, under the Computer Name tab, select Change.

5. Under Member of, select Domain, type the name of the domain that you wish the computer to join, and then select OK.

6. Provide the credentials needed to join the domain, then select OK.

7. After the device successfully joins the domain, a notification confirms the device's domain membership. Select OK, and you're prompted to restart your device.

1. Select Start, type Control Panel, and then press ENTER.

2. Ensure that from the View by drop-down menu at the top right is set to Category.

3. Navigate to System and Security, then select System.

4. Select Advanced system settings, then select Change settings.

5. Under the Computer Name tab, select Change. '

6. Under Member of, select Domain, type the name of the domain that you wish the computer to join, and then select OK.

7. Provide the credentials needed to join the domain, then select OK.

8. After the device successfully joins the domain, a notification confirms the device's domain membership. Select OK, and you're prompted to restart your device.

1. Select Start, type Control Panel, and then press ENTER.

2. Ensure that from the View by drop-down menu at the top right is set to Category.

3. Navigate to System and Security, then select System.

4. Under Computer name, domain, and workgroup settings, select Change settings.

5. Under the Computer Name tab, select Change. '

6. Under Member of, select Domain, type the name of the domain that you wish the computer to join, and then select OK.

7. Provide the credentials needed to join the domain, then select OK.

8. After the device successfully joins the domain, a notification confirms the device's domain membership. Select OK, and you're prompted to restart your device.

Settings app method

1. Select Start, select Settings, then select Accounts.

2. Select Access work or school, then select Connect.

3. Select Join this device to a local Active Directory domain.

4. Enter the domain name, select Next, and the account credentials, then select OK.

5. Restart the device.

Command line method

Adding a device to a domain can be performed through the command prompt or PowerShell.

Command Prompt

1. Open an elevated command prompt window.

2. Run the following command replacing YourDomainName and DomainUsername with your values:

   netdom join %COMPUTERNAME% /domain:YourDomainName /userd:DomainUsername /passwordd:*
   

3. The system prompts you to enter the password for the specified domain user account.

4. Reboot your device. Once you sign in, you're joined to the domain.

PowerShell

1. Open an elevated PowerShell window.

2. Run the following command replacing YourDomainName with your value:

   Add-Computer -DomainName "YourDomainName" -Credential (Get-Credential)
   Restart-Computer
   

3. You're prompted to enter the domain credentials.

Your device restarts after entering the domain credentials to join the domain.

Rejoin a disjoined device to a domain

In cases where a client or server device is disjoined from the domain, you can restore its trust relationship by removing the device from the domain and then rejoining it. This process re-establishes the connection between the device and the domain. The process in leaving a domain is similar to joining one.

Rejoin a domain using Server Manager

To leave a domain using the Server Manager, follow the previous steps to join the domain until you reach the System Properties window.

1. Under Member of, select Workgroup, type the name of a workgroup to temporarily join, and then select OK.

2. Select OK again and then reboot your device.

3. Once you sign back into the local account, repeat the steps to join your device to the domain it was disjoined from previously.

Rejoin a server to a domain using Control Panel

To leave a domain using the Control Panel, follow the previous steps to join the domain until you reach the System Properties window.

1. Under Member of, select Workgroup, type the name of a workgroup to temporarily join, and then select OK.

2. Select OK again and then reboot your device.

3. Once you sign back into the local account, repeat the steps to join your device to the domain it was disjoined from previously.

Rejoin a client to a domain using Control Panel

To leave a domain using the Control Panel, follow the previous steps to join the domain until you reach the System Properties window.

1. Under Member of, select Workgroup, type the name of a workgroup to temporarily join, and then select OK.

2. Select OK again and then reboot your device.

3. Once you sign back into the local account, repeat the steps to rejoin your device to the domain it was disjoined from previously.

Rejoin a domain using Settings

To leave a domain using the Settings app, follow the previous steps to join the domain until you reach the Access work or school window.

1. Under your account, select Disconnect, then select Yes.

2. Reboot your device.

3. Once you sign back into the local account, repeat the steps to rejoin your device to the domain it was disjoined from previously.

Rejoin a domain using the command line

To leave a domain using the command line, follow these steps:

Command Prompt

1. Open an elevated command prompt window.

2. Run the following command replacing YourDomainName and DomainUsername with your values:

   netdom remove %COMPUTERNAME% /domain:YourDomainName /userd:DomainUsername /passwordd:*
   

3. The system prompts you to enter the password for the specified domain user account.

4. After your device reboots, sign into the local account.

5. Follow the steps provided in Command line method to rejoin the domain.

PowerShell

1. Open an elevated PowerShell window.

2. Run the following command:

   Remove-Computer -UnjoinDomainCredential (Get-Credential) -PassThru -Verbose -Restart
   

3. You're prompted to enter the domain credentials. Your device restarts after entering the domain credentials.

4. Sign into your device and follow the steps provided in Command line method to rejoin the domain.

Repair domain trust relationship

You might encounter the following error when the secure channel between a domain-joined computer and the domain controller is disrupted:

The trust relationship between this workstation and the primary domain failed.

This error typically occurs when the machine's password isn't synchronized with the domain database. It can also happen if the computer account in the domain was deleted or became corrupt. You can resolve the trust relationship issue between the device and the domain using the command line.

Command Prompt

1. Sign in with the local administrator account.

2. Open an elevated command prompt window.

3. Test the secure channel by running the following command replacing ComputerName and YourDomainName with your values:

   netdom verify ComputerName /domain:YourDomainName
   

4. Reset the machine password by running the following command replacing DomainControllerName and Domain\Username with your values:

   netdom resetpwd /server:DomainControllerName /userd:Domain\Username /passwordd:*
   

   You're prompted to provide the password for the account.

5. Run the following command replacing YourDomainName and DomainUsername with your values to reset the secure channel:

   netdom reset /domain:YourDomainName /userd:DomainUsername /passwordd:*
   

   You're prompted to provide the password for the account.

6. Restart your device for changes to take effect. Follow the steps provided in Command line method to rejoin the domain.

PowerShell

1. Sign in with the local administrator account.

2. Open an elevated PowerShell window.

3. Test the secure channel by running the following command:

      Test-ComputerSecureChannel
   

   If the test returns True, the secure channel is intact, and the problem might be elsewhere such as with the Domain Name System (DNS) or other network issue. If False, continue with the next steps.

4. Attempt to repair the secure channel directly using the following command and provide the credentials when prompted:

   Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
   

5. Run the following command to reset the computer account password and enter the domain credentials when prompted:

   $credential = Get-Credential
   Reset-ComputerMachinePassword -Credential $credential
   Restart-Computer -Force
   

6. After your device reboots, follow the steps provided in Command line method to rejoin the domain.