Friday, August 1, 2014

Offline Domain Join (Djoin.exe) Step-by-Step Guide

Applies To: Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
This guide explains the steps that you complete to perform an offline domain join. During an offline domain join, a computer is configured to join a domain without contacting a domain controller. This guide includes the following sections:

Offline domain join scenario overview

Offline domain join is a new process that computers that run Windows® 7 or Windows Server® 2008 R2 can use to join a domain without contacting a domain controller. This makes it possible to join computers to a domain in locations where there is no connectivity to a corporate network.
For example, an organization might need to deploy many virtual machines in a datacenter. Offline domain join makes it possible for the virtual machines to be joined to the domain when they initially start after the installation of the operating system. No additional restart is required to complete the domain join. This can significantly reduce the overall time that is required for wide-scale virtual-machine deployments.
A domain join establishes a trust relationship between a computer running a Windows operating system and an Active Directory® domain. This operation requires state changes to Active Directory Domain Services (AD DS) and state changes on the computer that is joining the domain. To complete a domain join in the past using previous Windows® operating systems, the computer that joined the domain had to be running and it had to have network connectivity to contact a domain controller. Offline domain join provides the following advantages over the previous requirements:
  • The Active Directory state changes are completed without any network traffic to the computer.
  • The computer state changes are completed without any network traffic to a domain controller.
  • Each set of changes can be completed at a different time.
The following sections explain some of the benefits that offline domain join can provide.

Reduced total cost of ownership in data centers

Offline domain join can reduce the total cost of ownership for computers by reducing the startup time that is required for each server and by increasing the reliability of domain join operations in production environments.
Data centers commonly have a provisioning server that configures an image and then sends that image to be deployed on a production computer. The production computer is set up, joined to the domain, and restarted. If there are any problems associated with the domain join, such as network connectivity problems or problems that are associated with necessary servers that are offline, the problems have to be diagnosed and resolved at that time. In this situation, an offline domain join helps prevent problems that can arise with the communication between the production computer and a domain controller by configuring the domain join information during the setup for the production computer. The total amount of time to set up each server is reduced by eliminating the additional restart that is required to complete an online domain join.

Improved experience for performing domain joins using an RODC

In Windows Server 2008, there is a mechanism to perform domain join operations against a read-only domain controller (RODC). However, to perform a domain join operation an RODC you have to complete the following multiple steps:
  1. Precreate the computer account in the directory, and set some additional attributes using scripts.
  2. If necessary, modify the Password Replication Policy (PRP) of the RODC to allow the password for the computer that you want to join to the domain to be cached by the RODC.
  3. Force replication of the secrets of the computer that is to join to the domain.
  4. Communicate the password offline to the computer that is about to join to the domain.
  5. Run a custom script that targets the RODC to complete the join.
When you use offline domain join, the steps for performing domain join operations against an RODC are simplified, as follows:
  1. Precreate the account in AD DS.
  2. Force replication of the secrets of the computer that is to join to the domain.
  3. Send the relevant state information that the domain-joining computer needs to consume to a text file.
  4. The computer consumes the information in the text file; then, when it starts it is joined to the domain.

Rapid enterprise deployments

By using deployment tools, such as Windows System Image Manager, you can perform an unattended domain join during an operating system installation by providing information that is relevant to the domain join in an Unattend.xml file. Using the same Unattend.xml file, you can supply the information that is necessary for the computers that run Windows 7 and Windows Server 2008 R2 to perform offline domain join.
The Unattend.xml file for Windows 7 and Windows Server 2008 R2 includes a new section to support offline domain join.

Requirements for offline domain join

To perform an offline domain join, you run commands by using a new tool named Djoin.exe. You use Djoin.exe to provision computer account data into AD DS. You also use it to insert the computer account data into the Windows directory of the destination computer, which is the computer that you want to join to the domain. The following sections explain operating system requirements and credential requirements for performing an offline domain join.
The offline domain join does not have to be completed within a specific time period. The computer account that is provisioned remains in AD DS unless an administrator intervenes. However, many organizations run scripts every 30 to 60 days to clean up stale or unused computer accounts.

Operating system requirements

You can run Djoin.exe only on computers that run Windows 7 or Windows Server 2008 R2. The computer on which you run Djoin.exe to provision computer account data into AD DS must be running Windows 7 or Windows Server 2008 R2. The computer that you want to join to the domain must also be running Windows 7 or Windows Server 2008 R2.
By default, the Djoin.exe commands target a domain controller that runs Windows Server 2008 R2. However, you can specify an optional /downlevel parameter if you want to target a domain controller that is running a version of Windows Server that is earlier than Windows Server 2008 R2.

Credential requirements

To perform an offline domain join, you must have the rights that are necessary to join workstations to the domain. Members of the Domain Admins group have these rights by default. If you are not a member of the Domain Admins group, a member of the Domain Admins group must complete one of the following actions to enable you to join workstations to the domain:
  • Use Group Policy to grant you the required user rights. This method allows you to create computers in the default Computers container and in any organizational unit (OU) that is created later (if no Deny access control entries (ACEs) are added).
  • Edit the access control list (ACL) of the default Computers container for the domain to delegate the correct permissions to you.
  • Create an OU and edit the ACL on that OU to grant you the Create child – Allow permission. Pass the /machineOU parameter to the djoin /provision command.
The following procedures show how to grant the user rights with Group Policy and how to delegate the correct permissions.

Granting user rights to join workstations to the domain

You can use the Group Policy Management Console (GPMC) to modify the domain policy or create a new policy that has settings that grant the user rights to add workstations to a domain.
Membership in Domain Admins, or equivalent, is the minimum required to grant user rights. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To grant rights to join workstations to a domain
  1. Click Start, click Administrative Tools, and then click Group Policy Management.
  2. Double-click the name of the forest, double-click Domains, double-click the name of the domain in which you want to join a computer, right-click Default Domain Policy, and then click Edit.
  3. In the console tree, double-click Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click User Rights Assignment.
  4. In the details pane, double-click Add workstations to domain.
  5. Select the Define these policy settings check box, and then click Add User or Group.
  6. Type the name of the account that you want to grant the user rights to, and then click OK twice.

Delegating permissions to join workstations to the domain

You can use a tool such as Ldp.exe to delegate permissions to join workstations to a domain. As a best practice, you should delegate permissions to a group, and then add users to the group or remove them as needed.
Membership in Domain Admins, or equivalent, is the minimum required to delegate permissions. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
To delegate permissions to join workstations to a domain
  1. Click Start, click Run, type ldp, and then click OK.
  2. Click Connection, click Connect, and in Server type the name of a domain controller. If you are logged on to a domain controller, you can type localhost. When you are done, click OK.
  3. Click Connection, and then click Bind. If you are logged on as a member of the Domain Admins group, click Bind as currently logged on user. If you are logged on as a different user, click Bind with credentials, and then type the name, password, and domain of an account that is a member of the Domain Admins group. Click OK.
  4. Click View, click Tree, select DC=, and then click OK.
  5. In the console tree, double-click DC=, right-click CN=Computers,DC=, click Advanced, click Security Descriptor, and then click OK.
  6. Click ACE, click Add ACE, type the name of the account that you want to be able to join workstations to the domain, select the Create child check box, and then select the Inherit check box. In Object type, select computer – class (you might have to type computer to select computer – class), click OK, and then click Update.

Offline domain join process and Djoin.exe syntax

Run Djoin.exe at an elevated command prompt to provision the computer account metadata. When you run the provisioning command, the computer account metadata is created in a .txt file that you specify as part of the command. After you run the provisioning command, you can either run Djoin.exe again to request the computer account metadata and insert it into the Windows directory of the destination computer or you can save the computer account metadata in an Unattend.xml file and then specify the Unattend.xml file during an unattended operating system installation of the destination computer.
For more information about the NetProvisionComputerAccount function that is used to provision the computer account during an offline domain join, see NetProvisionComputerAccount Function (http://go.microsoft.com/fwlink/?LinkId=162426). For more information about the NetRequestOfflineDomainJoin function that runs locally on the destination computer, see NetRequestOfflineDomainJoin Function (http://go.microsoft.com/fwlink/?LinkId=162427).

Djoin.exe syntax

This section describes the syntax for Djoin.exe.
djoin /provision /domain  /machine  /savefile  [/machineou ] [/dcname ] [/reuse] [/downlevel] [/defpwd] [/nosearch] [/printblob] [/rootcacerts] [/certtemplate ] [/policynames ] [/policypaths ]
djoin /requestodj /loadfile  /windowspath  /localos
noteNote
The /rootcacerts, /certtemplate, /policynames, and /policypaths parameters are valid only on Windows Server 2012. They allow administrators to provide mobile users who never connect to corporate networks (physically or through VPN) with the ability to join a computer to the domain and configure it with DirectAccess policies.

 

Parameter
Description
/provision
Creates a computer account in AD DS.
/domain
Specifies the name of the domain to join.
/machine
Specifies the name of the computer that you want to join to the domain.
/machineou
Specifies the name of the organizational unit (OU) in which you want the computer account to be created. By default, the computer account is created in the Computers container. This parameter is ignored if /reuse is specified.
/dcname
Specifies the name of a specific domain controller that will create the computer account. If you do not specify a domain controller, the domain controller Locator (DC Locator) process is used to select a domain controller.
/reuse
Specifies the reuse of any existing computer account. The password for the computer account will be reset.
/downlevel
Supports the use of a domain controller that runs a version of Windows Server that is earlier than Windows Server 2008 R2.
/savefile
Saves provisioning data to a file.
/defpwd
Uses the default machine account password (not recommended).
/nosearch
Skips account conflict detention. Requires the /DCName parameter.
/printblob
Return a base64-encoded metadata blob for an answer file.
/rootcacerts
This parameter is only available on Windows Server 2012.
Optionally include root Certificate Authority certificates.
/certtemplate
This parameter is only available on Windows Server 2012.
Optional of machine certificate template. Includes root Certificate Authority certificates.
/policynames
This parameter is only available on Windows Server 2012.
Optional semicolon-separated list of Group Policy object (GPO) names. Each name is the displayName of the GPO in AD DS.
/policypaths
This parameter is only available on Windows Server 2012.
Optional semicolon-separated list of policy paths. Each path is a path to a registry.pol file.
GPOs store registry-based configuration settings in registry.pol files. To include registry-based configuration settings in the blob data, specify the path and file name using any of the following formats:
  • /POLICYPATHS mypolicy.xyz
  • /POLICYPATHS .\mypolicy2.xyz
  • /POLICYPATHS c:\tmp\mypolicy3.xyz
  • /POLICYPATHS \\server\share\mypolicy4.xyz
  • /POLICYPATHS mypolicy.xyz;.\mypolicy2.xyz;c:\tmp\mypolicy3.xyz;\\server\share\mypolicy4.xyz
For more information about registry.pol files, see Registry.pol.
/NetBIOS
Applies to computers that run versions of Windows beginning with Windows Server 2012 R2 and Windows 8.1.
Optional NetBIOS name of the computer joining the domain.
/psite
Applies to computers that run versions of Windows beginning with Windows Server 2012 R2 and Windows 8.1.
Optional name of the persistent site to put the computer joining the domain in.
/dsite
Applies to computers that run versions of Windows beginning with Windows Server 2012 R2 and Windows 8.1.
Optional name of the dynamic site to initially put the computer joining the domain in.
/primarydns
Applies to computers that run versions of Windows beginning with Windows Server 2012 R2 and Windows 8.1.
Optional name of primary DNS domain of the computer joining the domain.
/requestodj
Requests an offline domain join at the next start.
/Loadfile
Specifies the output from a previous provisioning command.
/windowspath
Specifies the path to the Windows directory of the offline image. If you are using the /localos parameter, specify %systemroot% or %windir% as the value of the /windowspath parameter.
/localos
Targets the local operating system installation, instead of an offline image, with the domain join information. If you use this parameter, the value that you specify for /windowspath should be %systemroot% or %windir%. Run this parameter only on a destination computer that you want to join to the domain. This parameter is blocked from being run on a domain controller. Because this parameter injects the blob data into the locally running operating system image, you must restart the computer to complete the domain join operation, as you must also do for an online domain join.

Steps for performing an offline domain join

The offline domain join process includes the following steps:
  1. Run the djoin.exe /provision command to create computer account metadata for the destination computer (the computer that you want to join to the domain). As part of this command, you must specify the name of the domain that you want the computer to join.
  2. Run the djoin.exe /requestODJ command to insert the computer account metadata into the Windows directory of the destination computer.
  3. When you start the destination computer, either as a virtual machine or after a complete operating system installation, the computer will be joined to the domain that you specify.
The following sections explain different ways for you to perform these steps. You can use the Windows Server 2008 Hyper-V™ virtualization feature to create virtual machines, you can use different physical computers, or you can run an unattended setup to perform an operating system installation on the destination computer. In any of these cases, the computer where you run the provisioning command and the computer where you run the request command must be running Windows 7 or Windows Server 2008 R2.
You can also perform these steps using a dual-boot computer. In this case, follow the steps to perform an offline domain join using Hyper-V, but substitute the virtual machines with physical partitions that are running Windows 7 or Windows Server 2008 R2.

Performing an offline domain join by using Hyper-V

To perform an offline domain join using Hyper-V, create the following virtual machines:
  • VM1: A domain controller that runs Windows Server 2008 R2.
  • VM2: A domain-joined computer that runs Windows 7 or Windows Server 2008 R2. This computer will serve as a provisioning server on which you can run the djoin /provision command. As an alternative, you can complete these steps without using this virtual machine by running the djoin /provision command on the domain controller that is VM1. This additional VM2 is shown to provide a more realistic example of how computers are provisioned in production environments, where a domain-joined computer is used typically as a provisioning server.
  • VM3: A computer that runs Windows 7 or Windows Server 2008 R2 that you want to join to the domain.
noteNote
Do not use differencing disks from the same parent virtual hard disk (VHD) for these virtual machines. The differencing disk will not start correctly after you complete the steps to perform the offline domain join. You should also not use copies of the same VHD, because it will cause one virtual machine to be disabled when you try to mount it from the other virtual machine.

Complete the following steps to perform the offline domain join:
  1. Log on to VM2 as a user who has rights to add workstations to a domain.
  2. Type the following command to provision the destination computer:

    djoin /provision /domain  /machine  /savefile 
    
    securitySecurity Note
    The base64-encoded metadata blob that is created by the provisioning command contains very sensitive data. It should be treated just as securely as a plaintext password. The blob contains the machine account password and other information about the domain, including the domain name, the name of a domain controller, the security ID (SID) of the domain, and so on. If the blob is being transported physically or over the network, care must be taken to transport it securely.
  3. Shut down VM3 and VM2, and then mount VM3 from VM2.

    To do this in Hyper-V, right-click VM2, and then click Settings. Click IDE Controller, and then click Add. Select Virtual hard disk (.vhd) file, click Browse, navigate to the location of the .vhd file for VM3, click Open, and then click OK.
  4. Restart VM2, and then use Windows Explorer to locate the drive where VM3 is mounted. At an elevated command prompt, type the following command to request the offline domain join data:

    djoin /requestODJ /loadfile  /windowspath 
    
  5. Shut down VM2, and then unmount VM3 from VM2. To do this in Hyper-V, right-click VM2, and then click Settings. Click the integrated device electronics (IDE) controller that corresponds to VM3, and then click Remove.
  6. Start VM3. The computer will be joined to the domain after it starts.
If you experience any problems running the Djoin.exe commands, you can view the log file on VM2 at %windir%\debug\netsetup.log for more information.

Performing an offline domain join using different physical computers

To perform an offline domain join using physical computers, you can complete the following steps. The best practice in this case is to have one domain controller, one domain-joined computer to use as a provisioning server, and one client computer that you want to join to the domain.
  1. On the provisioning server, open an elevated command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. Type the following command to provision the computer account:

    djoin /provision /domain  /machine  /savefile blob.txt
    
  3. Copy the blob.txt file to the client computer.
  4. On the client computer, open an elevated command prompt, and then type the following command to request the domain join:

    djoin /requestODJ /loadfile blob.txt /windowspath %SystemRoot% /localos
    
    CautionCaution
    You cannot run this command with the /localos parameter on a domain controller.
  5. Reboot the client computer. The computer will be joined to the domain.

Performing an offline domain join by using an unattended operating system installation

To perform an offline domain join during an operating system installation, you must first run Djoin.exe to provision the computer account metadata. Then, you create an Unattend.xml file and include a new section in it for the offline domain join data. In the new section, you can insert the computer account metadata.
The component name for the new section is Microsoft-Windows-UnattendJoin/Identification/Provisioning, and it includes the following structure:


  •      
  •           
  •                Base64Encoded Blob
  •           


  •      




  • You have to insert the computer account metadata within the and tags. After you create the Unattend.xml file, start the computer that you want to join to the domain in Safe Mode or start the computer in Windows Preinstallation Environment (Windows PE), and then run the setup command with an answer file, as shown in the following example:
    setup /unattend:
    

    See Also

    1 comment:

    1. I am grateful for this blog to distribute knowledge about this significant topic. Here I found different segments and now I am going to use these new instructions with new enthusiasm. Download Office professional product key

      ReplyDelete