{"id":2838,"date":"2014-02-15T15:27:27","date_gmt":"2014-02-15T07:27:27","guid":{"rendered":"http:\/\/rmohan.com\/?p=2838"},"modified":"2014-02-15T15:27:27","modified_gmt":"2014-02-15T07:27:27","slug":"2012-offline-domain-join-concept","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=2838","title":{"rendered":"2012 Offline Domain Join – Concept"},"content":{"rendered":"

t involves 2 steps:
\n1. Provisioning (On Domain Controller)
\n2. Offline Domain Join (On Client Machine)<\/p>\n

Provisioning<\/strong>
\nIn this process, it will create an account for the client machine in Active Directory and will provide a file (BLOB) which will have the complete information about the domain controller and the domain which the client machine requires to join to the domain<\/p>\n

We will use\u00a0DJoin\u00a0<\/strong>Utility (Inbuilt in Windows 2008)
\nRun the following command on the domain controller<\/p>\n

DJoin \/Provision \/Domain <Domain Name> \/Machine <Name of Client Machine> \/SaveFile <File Name + Location><\/p>\n

DJoin \/Provision \/Domain\u00a0ds.com \/Machine\u00a0WinXP-DS \/SaveFile C:\\Offline.txt<\/p>\n

The file “Offline.txt” will now have all the necessary information required by the client to join itself to the domain<\/p>\n

Offline Domain Join\u00a0<\/strong>
\nIn this process, the text file (BLOB) that is created while provisioning is used on the client machine to join that client machine to the domain even in the absence of network connectivity between the client and the domain controller
\nRun the following command on the Client Machine or on the Member Server<\/p>\n

DJoin \/Requestobj \/Loadfile <File Name + Location> \/WindowsPath %SystemRoot%\\LocalOS<\/p>\n

DJoin \/Requestobj \/Loadfile\u00a0C:\\Offline.txt \/WindowsPath %SystemRoot%\\LocalOS<\/p>\n

(In some cases, you might get an error after running the above command. The error could be “Error 57: File not Found”. In that situation, do not use .txt as the extension to save the file. Instead, use .djoin extension while saving the file on the DC and then using the same file with .djoin extension on the client machine)<\/p>\n

In case of any errors, do check the Netsetup Log<\/p>\n

Note: You cannot join a domain controller using this method. You can only join a client machine or a member server suing offline domain join<\/p>\n

 <\/p>\n

\n
Offline domain join overview<\/a><\/p>\n
\n
\n<\/div>\n<\/div>\n
\n

Introduced in Windows Server 2008 R2, domain controllers include a feature called Offline Domain Join. A command line utility named Djoin.exe lets you join a computer to a domain without physically contacting a domain controller while completing the domain join operation. The general steps for using Djoin.exe are:<\/p>\n

    \n
  1. Run\u00a0djoin \/provision<\/strong>\u00a0to create the computer account metadata. The output of this command is a .txt file that includes a base-64 encoded blob.<\/li>\n
  2. Run\u00a0djoin \/requestODJ<\/strong>\u00a0to insert the computer account metadata from the .txt file into the Windows directory of the destination computer.<\/li>\n
  3. Reboot the destination computer, and the computer will be joined to the domain.<\/li>\n<\/ol>\n

    <\/a><\/p>\n

    \n
    Offline domain join with DirectAccess policies scenario overview<\/a><\/p>\n
    \n
    \n<\/div>\n<\/div>\n
    \n

    DirectAccess offline domain join is a process that computers running Windows Server 2012 and Windows 8can use to join a domain without being physically joined to the corporate network, or connected through VPN. This makes it possible to join computers to a domain from locations where there is no connectivity to a corporate network. Offline domain join for DirectAccess provides DirectAccess policies to clients to allow remote provisioning.<\/p>\n

     <\/p>\n

    A domain join creates a computer account and establishes a trust relationship between a computer running a Windows operating system and an Active Directory\u00ae domain.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n

    \n
    Prepare for offline domain join<\/a><\/p>\n
    \n
    \n<\/div>\n<\/div>\n
    \n
      \n
    1. Create the machine account.<\/li>\n
    2. Inventory the membership of all security groups to which the machine account belongs.<\/li>\n
    3. Gather the required computer certificates, group policies, and group policy objects to be applied to the new client(s).<\/li>\n<\/ol>\n

      . The following sections explain operating system requirements and credential requirements for performing a DirectAccess offline domain join using Djoin.exe.<\/p>\n

      \n
      Operating system requirements<\/a><\/p>\n
      \n
      \n<\/div>\n<\/div>\n
      \n

      You can run Djoin.exe for DIrectAccess only on computers that run Windows Server 2012 or Windows 8. The computer on which you run Djoin.exe to provision computer account data into AD\u00a0DS must be running Windows Server 2012 or Windows 8. The computer that you want to join to the domain must also be running Windows Server 2012 or Windows 8.<\/p>\n<\/div>\n<\/div>\n

      \n
      Credential requirements<\/a><\/p>\n
      \n
      \n<\/div>\n<\/div>\n
      \n

      To perform an offline domain join, you must have the rights that are necessary to join workstations to the domain. Members of the Domain Admins group have these rights by default. If you are not a member of the Domain Admins group, a member of the Domain Admins group must complete one of the following actions to enable you to join workstations to the domain:<\/p>\n