Offline domain join is a new process that computers that run Windows® 7 or Windows Server® 2008 R2 can use to join a domain without contacting a domain controller. This makes it possible to join computers to a domain in locations where there is no connectivity to a corporate network.
One of the latest and greatest features for admins, as I'd term it, offline domain join makes the system administration process simple and straightforward. Not that it wasn't straightforward before, but it reduces administrative overhead to some extent, and it is the best way to provision a system at a remote site that you administer over a skinny WAN link to a DC or ADC.
Requirements for offline domain join
To perform an offline domain join, you run commands by using a new tool named Djoin.exe. You use Djoin.exe to provision computer account data into AD DS. You also use it to insert the computer account data into the Windows directory of the destination computer, which is the computer that you want to join to the domain. The following sections explain operating system requirements and credential requirements for performing an offline domain join.
Operating system requirements
You can run Djoin.exe only on computers that run Windows 7 or Windows Server 2008 R2. The computer on which you run Djoin.exe to provision computer account data into AD DS must be running Windows 7 or Windows Server 2008 R2. The computer that you want to join to the domain must also be running Windows 7 or Windows Server 2008 R2.
By default, the Djoin.exe commands target a domain controller that runs Windows Server 2008 R2. However, you can specify an optional /downlevel parameter if you want to target a domain controller that is running a version of Windows Server that is earlier than Windows Server 2008 R2.
Please note that you MUST be part of the Domain Admins group and have sufficient permissions in order to carry out the Offline Domain Join procedure.
Offline domain join process
Run Djoin.exe to provision the computer account metadata. When you run the provisioning command, the computer account metadata is created in a .txt file that you specify as part of the command. After you run the provisioning command, you can either run Djoin.exe again to request the computer account metadata and insert it into the Windows directory of the destination computer or you can save the computer account metadata in an Unattend.xml file and then specify the Unattend.xml file during an unattended operating system installation of the destination computer.
Djoin.exe syntax
This section describes the syntax for Djoin.exe:
djoin /provision /domain <domain_name> /machine <destination computer> /savefile <filename.txt> [/machineou <OU name>] [/dcname <name of domain controller>] [/reuse] [/downlevel] [/defpwd] [/nosearch] [/printblob]
djoin /requestodj /loadfile <filename.txt> /windowspath <path to the Windows directory of the offline image> /localos
Steps for performing an offline domain join:
The offline domain join process includes the following steps:
- Run the djoin.exe /provision command to create computer account metadata for the destination computer (the computer that you want to join to the domain). As part of this command, you must specify the name of the domain that you want the computer to join.
- Run the djoin.exe /requestODJ command to insert the computer account metadata into the Windows directory of the destination computer.
- When you start the destination computer, either as a virtual machine or after a complete operating system installation, the computer will be joined to the domain that you specify.
To perform an offline domain join using physical computers, you can complete the following steps. The best practice in this case is to have one domain controller, one domain-joined computer to use as a provisioning server, and one client computer that you want to join to the domain.
1. On the provisioning server, run the following command to provision the computer account:
djoin /provision /domain <domain to be joined> /machine <name of the destination computer> /savefile blob.txt
djoin /requestODJ /loadfile blob.txt /windowspath %SystemRoot% /localos
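The two djoin commands above, wrapped in a PowerShell script, as an added example that is not part of the original post or of Microsoft's documentation. It adds one thing the steps leave out: the blob file contains the new computer account's password, so the script restricts the file's ACL right after provisioning and deletes the file once the join data has been applied. The parameter names and the Invoke-Djoin helper are assumptions made for this example; run Provision mode on the provisioning server and Request mode from an elevated prompt on the destination computer.

```powershell
# Added example: wraps the djoin commands from this page. All parameter values are placeholders.
param(
    [Parameter(Mandatory=$true)][ValidateSet('Provision','Request')][string]$Mode,
    [Parameter(Mandatory=$true)][string]$BlobPath,
    [string]$Domain,      # domain to be joined (Provision mode)
    [string]$Machine,     # name of the destination computer (Provision mode)
    [string]$MachineOU    # optional OU for the computer account (Provision mode)
)

# Hypothetical helper: run djoin.exe and stop on a non-zero exit code
function Invoke-Djoin([string[]]$DjoinArgs) {
    & djoin.exe $DjoinArgs
    if ($LASTEXITCODE -ne 0) { throw "djoin.exe failed with exit code $LASTEXITCODE" }
}

switch ($Mode) {
    'Provision' {
        if (-not $Domain -or -not $Machine) { throw 'Provision mode needs -Domain and -Machine.' }
        if (Test-Path $BlobPath) { throw "$BlobPath already exists; refusing to overwrite it." }

        $provisionArgs = @('/provision', '/domain', $Domain, '/machine', $Machine, '/savefile', $BlobPath)
        if ($MachineOU) { $provisionArgs += @('/machineou', $MachineOU) }
        Invoke-Djoin $provisionArgs

        # The blob holds the computer account password: remove inherited ACEs
        # and leave access to the account that ran the provisioning only.
        & icacls.exe $BlobPath /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):F" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls.exe failed; protect or delete $BlobPath by hand." }
    }
    'Request' {
        if (-not (Test-Path $BlobPath)) { throw "Blob file $BlobPath not found." }

        # Insert the computer account metadata into the running Windows installation
        Invoke-Djoin @('/requestODJ', '/loadfile', $BlobPath, '/windowspath', $env:SystemRoot, '/localos')

        # The blob is no longer needed once applied; do not leave it on the client
        Remove-Item -Path $BlobPath -Force
        Write-Output 'Offline join data applied; restart the computer to complete the join.'
    }
}
```

Write the blob into a directory that is already restricted to the provisioning account, since djoin creates the file with inherited permissions before the ACL is tightened.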
Technical references from: http://technet.microsoft.com
