t involves 2 steps:
1. Provisioning (On Domain Controller)
2. Offline Domain Join (On Client Machine)
Provisioning
In this process, it will create an account for the client machine in Active Directory and will provide a file (BLOB) which will have the complete information about the domain controller and the domain which the client machine requires to join to the domain
We will use DJoin Utility (Inbuilt in Windows 2008)
Run the following command on the domain controller
DJoin /Provision /Domain <Domain Name> /Machine <Name of Client Machine> /SaveFile <File Name + Location>
DJoin /Provision /Domain ds.com /Machine WinXP-DS /SaveFile C:\Offline.txt
The file “Offline.txt” will now have all the necessary information required by the client to join itself to the domain
Offline Domain Join
In this process, the text file (BLOB) that is created while provisioning is used on the client machine to join that client machine to the domain even in the absence of network connectivity between the client and the domain controller
Run the following command on the Client Machine or on the Member Server
DJoin /Requestobj /Loadfile <File Name + Location> /WindowsPath %SystemRoot%\LocalOS
DJoin /Requestobj /Loadfile C:\Offline.txt /WindowsPath %SystemRoot%\LocalOS
(In some cases, you might get an error after running the above command. The error could be “Error 57: File not Found”. In that situation, do not use .txt as the extension to save the file. Instead, use .djoin extension while saving the file on the DC and then using the same file with .djoin extension on the client machine)
In case of any errors, do check the Netsetup Log
Note: You cannot join a domain controller using this method. You can only join a client machine or a member server suing offline domain join
Introduced in Windows Server 2008 R2, domain controllers include a feature called Offline Domain Join. A command line utility named Djoin.exe lets you join a computer to a domain without physically contacting a domain controller while completing the domain join operation. The general steps for using Djoin.exe are:
- Run djoin /provision to create the computer account metadata. The output of this command is a .txt file that includes a base-64 encoded blob.
- Run djoin /requestODJ to insert the computer account metadata from the .txt file into the Windows directory of the destination computer.
- Reboot the destination computer, and the computer will be joined to the domain.
DirectAccess offline domain join is a process that computers running Windows Server 2012 and Windows 8can use to join a domain without being physically joined to the corporate network, or connected through VPN. This makes it possible to join computers to a domain from locations where there is no connectivity to a corporate network. Offline domain join for DirectAccess provides DirectAccess policies to clients to allow remote provisioning.
A domain join creates a computer account and establishes a trust relationship between a computer running a Windows operating system and an Active Directory® domain.
- Create the machine account.
- Inventory the membership of all security groups to which the machine account belongs.
- Gather the required computer certificates, group policies, and group policy objects to be applied to the new client(s).
. The following sections explain operating system requirements and credential requirements for performing a DirectAccess offline domain join using Djoin.exe.
You can run Djoin.exe for DIrectAccess only on computers that run Windows Server 2012 or Windows 8. The computer on which you run Djoin.exe to provision computer account data into AD DS must be running Windows Server 2012 or Windows 8. The computer that you want to join to the domain must also be running Windows Server 2012 or Windows 8.
To perform an offline domain join, you must have the rights that are necessary to join workstations to the domain. Members of the Domain Admins group have these rights by default. If you are not a member of the Domain Admins group, a member of the Domain Admins group must complete one of the following actions to enable you to join workstations to the domain:
- Use Group Policy to grant the required user rights. This method allows you to create computers in the default Computers container and in any organizational unit (OU) that is created later (if no Deny access control entries (ACEs) are added).
- Edit the access control list (ACL) of the default Computers container for the domain to delegate the correct permissions to you.
- Create an OU and edit the ACL on that OU to grant you the Create child – Allow permission. Pass the /machineOU parameter to the djoin /provision command.
The following procedures show how to grant the user rights with Group Policy and how to delegate the correct permissions.
You can use the Group Policy Management Console (GPMC) to modify the domain policy or create a new policy that has settings that grant the user rights to add workstations to a domain.
Membership in Domain Admins, or equivalent, is the minimum required to grant user rights. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
- Click Start, click Administrative Tools, and then click Group Policy Management.
- Double-click the name of the forest, double-click Domains, double-click the name of the domain in which you want to join a computer, right-click Default Domain Policy, and then click Edit.
- In the console tree, double-click Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-clickLocal Policies, and then double-click User Rights Assignment.
- In the details pane, double-click Add workstations to domain.
- Select the Define these policy settings check box, and then click Add User or Group.
- Type the name of the account that you want to grant the user rights to, and then click OK twice.
Run Djoin.exe at an elevated command prompt to provision the computer account metadata. When you run the provisioning command, the computer account metadata is created in a binary file that you specify as part of the command.
For more information about the NetProvisionComputerAccount function that is used to provision the computer account during an offline domain join, seeNetProvisionComputerAccount Function (http://go.microsoft.com/fwlink/?LinkId=162426). For more information about the NetRequestOfflineDomainJoin function that runs locally on the destination computer, see NetRequestOfflineDomainJoin Function (http://go.microsoft.com/fwlink/?LinkId=162427).
The offline domain join process includes the following steps:
- Create a new computer account for each of the remote clients and generate a provisioning package using the Djoin.exe command from an already domain joined computer in the corporate network.
- Add the client computer to the DirectAccessClients security group
- Transfer the provisioning package securely to the remote computers(s) that will be joining the domain.
- Apply the provisioning package and join the client to the domain.
- Reboot the client to complete the domain join and establish connectivity.
There are two options to consider when creating the provisioning packet for the client. If you used the Getting Started Wizard to install DirectAccess without PKI, then you should use option 1 below. If you used the Advanced Setup Wizard to install DirectAccess with PKI, then you should use option 2 below.
Complete the following steps to perform the offline domain join:
- At a command prompt of your Remote Access server, type the following command to provision the computer account:
Djoin /provision /domain <your domain name> /machine <remote machine name> /policynames DA Client GPO name /rootcacerts /savefile c:\files\provision.txt /reuse
- At a command prompt of your Remote Access server, type the following command to provision the computer account:
Djoin /provision /machine <remote machine name> /domain <Your Domain name> /policynames <DA Client GPO name> /certtemplate <Name of client computer cert template> /savefile c:\files\provision.txt /reuse
- On your Domain Controller, from Start screen, type Active and select Active Directory Users and Computers from Apps screen.
- Expand the tree under your domain, and select the Users container.
- In the details pane, right-click DirectAccessClients, and click Properties.
- On the Members tab, click Add.
- Click Object Types…, select Computers, and then click OK.
- Type the client name to add, and then click OK.
- Click OK to close the DirectAccessClients Properties dialog, and then close Active Directory Users and Computers.
- Copy the provisioning package from c:\files\provision.txt on the Remote Access Server, where it was saved, to c:\provision\provision.txt on the client computer.
- On the client computer, open an elevated command prompt, and then type the following command to request the domain join:
Djoin /requestodj /loadfile C:\provision\provision.txt /windowspath %windir% /localos
- Reboot the client computer. The computer will be joined to the domain. Following the reboot, the client will be joined to the domain and have connectivity to the corporate network with DirectAccess.
Recent Comments