Windows Server 2008 R2 and Windows 7 introduce a new option for joining computers to a domain, called offline domain join.
As the name suggests, this feature lets you join a computer to a domain when there is no network connectivity or the computer cannot contact a domain controller.
For this, we use a command called Djoin.exe on a computer that is part of a workgroup, supplying it with the information required to join the domain.
When would you use Offline Domain join feature?
This is an important feature for datacenters and virtualized desktop environments, where machines are built and provisioned on demand.
It can also be used when a machine is built in a lab environment that is usually disconnected from the production network. When the machine first starts up connected to the network, it will already be a member of the domain, which also lets the required Group Policy be applied at that first startup.
What are the steps to be performed for Offline Domain Join?
Basically there are four major steps that need to be performed to join a computer to the domain using the Offline Domain Join method.
- Log on to the Windows Server 2008 R2 machine running Active Directory Domain Services, or to a Windows 7 machine running the RSAT tools, with an account that has permission to add computers to the domain (the Domain Admins group has this permission by default).
- Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information it needs to join the computer to the domain and exports that information, called a blob, to a text file.
- On the offline computer that you want to join to the domain, use DJoin to import the blob into the Windows directory.
- When you start or restart the computer, it will be a member of the domain.
Now that you understand the requirements for performing an Offline Domain Join of a computer, let's dig in further to see how you go about doing it.
NOTE: The user who performs these actions needs to be a member of the Domain Admins group or have equivalent permissions to add computers to the domain.
Provision a Computer in Active Directory for Offline Domain Join
Run Djoin.exe from an elevated Command Prompt to provision the computer account in Active Directory. The basic syntax of DJoin is as follows:
djoin.exe /provision /domain DomainDNSName /machine ComputerName /savefile Filename
The /provision parameter creates a new computer account in Active Directory. You can also use the /reuse parameter if the computer account already exists in AD.
DomainDNSName is the DNS name of the domain. In our case it will be enterprisedaddy.com.
ComputerName will be the name of the computer to be created or reused.
Filename is the path and name of the file to which the blob will be written.
Now let us see an example of the command that we will be using in our demo here.
djoin.exe /provision /domain enterprisedaddy.com /machine CLIENT02 /savefile C:\CLIENT02_Join.txt /machineOU "OU=NewComputers,dc=enterprisedaddy,dc=com"
Note that I have given an extra parameter, /machineOU, which creates the computer account in the OU called NewComputers directly under the domain root.
Similarly, you can use switches such as /dcname domainControllerName to specify which DC should create the account.
Moving ahead, the computer account CLIENT02 is created in the NewComputers OU and the information is exported to C:\CLIENT02_Join.txt. Treat this file as sensitive: anyone who holds the blob can complete the join for that computer account, so restrict access to it while it is in transit and delete it once the join has completed.
So we have completed the steps that need to be performed in Active Directory. Now this information needs to be injected into the computer that is to be joined by the offline method.
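As an added example (not part of the original post), here is a PowerShell wrapper around the provisioning step that checks the djoin.exe exit code, restricts the blob file's ACL to the account that created it, and confirms the computer object landed under the NewComputers OU. It assumes an elevated session with djoin.exe on the PATH and the RSAT ActiveDirectory module installed; the variable names are my own.

```powershell
# Added example, not from the original post. Provision CLIENT02 for offline domain join,
# lock the blob file down to the current user, and confirm the account is in the target OU.
# Assumes an elevated session, djoin.exe on the PATH and the RSAT ActiveDirectory module.
$Domain    = 'enterprisedaddy.com'
$Computer  = 'CLIENT02'
$BlobFile  = "C:\${Computer}_Join.txt"
$MachineOU = 'OU=NewComputers,DC=enterprisedaddy,DC=com'

# Step 1: create the computer account and write the account metadata blob to $BlobFile.
& djoin.exe /provision /domain $Domain /machine $Computer /savefile $BlobFile /machineOU $MachineOU
if ($LASTEXITCODE -ne 0) {
    throw "djoin.exe /provision failed with exit code $LASTEXITCODE"
}

# Step 2: the blob is enough to complete the join as this machine account, so drop the
# inherited ACEs and grant access only to the account that ran the provisioning.
$Me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
& icacls.exe $BlobFile /inheritance:r /grant:r "${Me}:F" | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed to restrict permissions on $BlobFile"
}

# Step 3: verify the computer object exists and was created under the intended OU.
# -notlike is case-insensitive, so the dc=/DC= spelling of the DN does not matter.
Import-Module ActiveDirectory
$Obj = Get-ADComputer -Identity $Computer
if ($Obj.DistinguishedName -notlike "*,$MachineOU") {
    Write-Warning "$Computer was created at $($Obj.DistinguishedName), not under $MachineOU"
} else {
    Write-Host "$Computer provisioned under $MachineOU; blob written to $BlobFile"
}
```

Copy the blob to the offline machine over a channel you control and remove it from the provisioning host once the join has succeeded.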
Perform an Offline Domain Join
The account metadata that was exported to a text file as a blob by Djoin.exe /provision can be imported on the computer, after which the computer becomes a domain member at its next startup.
The command that you will run on the computer, and its syntax, is shown below:
djoin.exe /requestODJ /loadfile Filename /windowspath %SystemRoot% /localos
/requestODJ specifies that you want to perform an offline domain join operation.
Filename is the path and file name of the text file that contains the account metadata blob. This is the file that you created by using Djoin.exe /provision.
%SystemRoot% is the built-in Windows variable that represents the directory in which Windows is installed.
/localos specifies that you are injecting the domain join information into the local computer.
In our case, assuming we have copied the file to the C drive of the local machine, the command will be:
djoin.exe /requestODJ /loadfile C:\CLIENT02_Join.txt /windowspath %SystemRoot% /localos
That's it! Now when the computer is started up connected to the domain network, it will automatically complete the join and be a member of the domain.
Hope this was informative and thank you for reading!