
170 CHAPTER 5 SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

you’ve got an even better idea and hand him an RBDG floppy. You tell him to boot it, press F12 when prompted, then log in to the Client Installation Wizard and choose the Standard Productivity Desktop option, an image that you’ve built with all of the company’s standard desktop software— Office, Palm’s HotSync software, and Lotus Organizer.

Now, if Joe goes back and tries this, he’ll see an error message like this:

The user Joe currently logged in to this computer does not
have the permissions needed to create a computer account
or modify the computer account NEWPC (NEWPC$) within
the domain apex.com.
This error may also indicate that the server CADOTNET supporting
this client cannot contact the directory service to perform
the operation.
Restart this computer and try again. If the problem persists,
contact your network administrator for assistance.

What’s going on here is that, in the process of installing the RIS image on Joe’s machine, RIS must also create a machine account—remember, in domains, machines have accounts just as people do— and not just any old user can create machine accounts. By the way, he also has to be able to delete machine accounts, as there’s probably already a machine account floating around that has the same name as the one he’s about to create, as well as a few other machine permissions.

But what permissions does he need? Joining a machine to a domain is actually sort of complicated. Here’s what’s going on:

◆ First, not just anyone can tell a given workstation that it’s going to join a domain. Only someone with a local administrator account can tell a machine to join a domain. Therefore, if you’ve got a machine that’s already installed and you want to join it to a domain, you should first log on as someone who’s a member of the machine’s local Administrators group. And remember that just because you’re an administrator on one machine, you may not be one on another.

◆ Second, it’s one thing for a machine to want to join a domain; it’s quite another for a domain to be willing to accept that machine as a member. Joining a machine to a domain, then, requires help from someone with a certain amount of administrative power not on the machine, but on the domain. That’s why when you’re joining a machine to a domain the machine will pop up a dialog box asking you to log in. What it’s saying here is, “Okay, I [the machine] accept that you have the authority to tell me to join this domain, but this isn’t going to work unless you have the authority to tell the domain to accept me; can you give me the name and password of a domain account that can do that?”

Those are the basics. But in many cases we’re not just installing, we’re reinstalling. That adds a subtle but important wrinkle.

Suppose you have a workstation named MYPC. It’s gone south and you decide that just blowing up the system and reinstalling it is the way to go. You’ve got a RIS-bootable system, and so you kick off a RIS boot. Now, by default RIS comes up with some goofy machine name for you automatically, but you don’t like that, and so you modify RIS’s scripts (I’ll show you how in a bit) to let you specify a particular machine name. Of course, you choose MYPC. The RIS install goes all right for a while, but then it stops and says that it can’t join you to the domain. To make things even stranger, it occurs to you that you first installed this system with RIS and gave your system the name MYPC at the time, and RIS took that without a complaint.

What’s different?

What’s different is that the first time, RIS only had to create a brand new machine account named “MYPC$.” (Remember that machines get account names equal to the machine name with a $ tacked on the end.) That only required the power to create a new machine account. And, as it turns out, regular old nonadministrative users have the ability to create 10 machine accounts in their lifetime. (Don’t ask me why Microsoft set it up that way, I have no idea.)

But they don’t have the power to delete machine accounts. Or change the passwords on machine accounts. When you tried to reinstall an OS on MYPC and tried to join a domain as MYPC, then the domain looked around and said to itself, “Hmmm, that’s not right… there’s already a MYPC account. I don’t want to overwrite some poor machine’s account,” and denied the request. What you were really asking the domain to do was to first delete the MYPC account (or simply change its password, depending on what OS you’re using), and your regular old user account didn’t have the power to do either of those things.

But you can change that. If you like, you can create a whole new group called Installers. Then we’ll give the group the power to change machine passwords and delete machine accounts. Then, when Joe wants to reinstall his computer, all you have to do is to just put him in the Installers group for the day. When his system is reinstalled, just take him out of the Installers group.

Now, creating the Installers group will be a bit of a lengthy procedure, but you’ll only have to do it once.

Note This is a neat example of something that you’re going to learn in an upcoming chapter about Active Directory.

Active Directory lets you create groups of administrators with sets of powers that you can control very finely. It’s part of a process called delegation, and we’ll take it up in detail in the Active Directory chapter.
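The delegation described above, scripted rather than clicked through: this is an added example and not the book’s own procedure. It assumes the RSAT ActiveDirectory module, the apex.com domain from the text, that RIS creates machine accounts in the default CN=Computers container, and that the Installers group lives under CN=Users; the two GUIDs are the published schema identifiers for the computer class and the Reset Password control access right.

```powershell
# Added example: give an "Installers" group only the two rights the text names
# (reset a machine account's password, delete machine accounts), scoped to one container.
Import-Module ActiveDirectory

$GroupName = 'Installers'
$GroupPath = 'CN=Users,DC=apex,DC=com'        # assumption: where the group object is created
$TargetDN  = 'CN=Computers,DC=apex,DC=com'    # assumption: container RIS puts machine accounts in
# Published AD schema GUIDs:
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "computer"
$ResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right

# 1. Create the group once; membership is what you hand out "for the day".
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupPath `
        -Description 'Temporary membership only: reset/delete computer accounts for RIS reinstalls'
}
$sid = (Get-ADGroup $GroupName).SID

# 2. ACE A: "Reset Password" on every computer object below the container (inherit-only).
$aceReset = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow, $ResetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $ComputerClass)
#    ACE B: delete child objects of class "computer" from the container itself, nothing else.
$aceDelete = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild,
    [System.Security.AccessControl.AccessControlType]::Allow, $ComputerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path "AD:\$TargetDN"
$acl.AddAccessRule($aceReset)
$acl.AddAccessRule($aceDelete)
Set-Acl -Path "AD:\$TargetDN" -AclObject $acl

# 3. Check: read the ACL back and confirm the group got exactly these two ACEs, no broader ones.
function Test-InstallerDelegation {
    $rules = (Get-Acl -Path "AD:\$TargetDN").Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid }
    $hasReset  = $rules | Where-Object { $_.ObjectType -eq $ResetPassword -and
                                         $_.InheritedObjectType -eq $ComputerClass }
    $hasDelete = $rules | Where-Object { $_.ObjectType -eq $ComputerClass -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild) }
    [pscustomobject]@{ ResetPassword = [bool]$hasReset; DeleteComputer = [bool]$hasDelete;
                       AceCount = @($rules).Count }   # expect 2; anything more is over-delegation
}
Test-InstallerDelegation
```

Joe’s day pass is then `Add-ADGroupMember Installers joe` before the reinstall and `Remove-ADGroupMember Installers joe` afterwards; creating the brand-new account on the first install is still covered by the default per-user quota the text mentions, so the group needs no create right.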