Since Windows NT4, clients who wanted to join a domain always needed a direct connection to the domain, either via VPN, dial-in or direct connection. New in Windows 2008 R2 is the option for an offline domain join.. how does this work.. ? read on!
A new program is introduced called djoin.exe. We can use djoin.exe to join a computer to the domain without actually having a connection to it.
How does this work?
1. Logon to a system that already is a member of the domain with an account that is allowed to join computers to the domain
2. Use djoin.exe to create a text file (the blob) that contains all information for the computer to join the domain when it is online.
3. On the new computer use djoin.exe to import the blob
4. Reboot the new computer when it’s connected to the network
By default, computer accounts are created in the Computers OU, however we might not want the new machines to be placed in that OU. If this is the case, create a new OU and make sure the account that you run djoin under has sufficient rights to it. To provision a new computer, use the following command: djoin /provision /domain <domainname> /machine <machinename> /savefile blob.txt
The command will create a new computer object and a file called blob.txt.
Optionally you can specify the OU using the parameter /Machineou <OUname> else the default Computers OU is used.
If the computer account object is already created, you can use the /reuse option.
If your domain controller is not yet running Windows Server 2008 R2, use the /downlevel command.
Copy the created blob file to the new client and run the import command. Even though it is a text file, the blob is not really human readable, it’s certainly not in xml format…
The command to import the blob is: djoin /requestODJ /loadfile blob.txt /windowspath %systemroot% /localos
Now the /localOs option can be a bit scary. If you accidentally run this command on a domain controller, it will result in a broken Active Directory Domain Controller that you can only demote/promote to bring it back to where it was.
Our client machine has a base install of Windows 7 and is renamed to CL2 in this case before using the new command:
Make sure your start the command prompt with Administrative privileges, otherwise the join will fail:
After a (manual) reboot, the computer joined the domain:
The main question if off course: why would you want this?
The procedure involves a non-human readable blob, and no passwords. You can easily pre-create all the blob files and distribute them to for example supplier of workstations. They can provision the laptops for you. You would not have to give them accounts and you do not have to give them access to your environment.
And Microsoft's reason:
For example, an organization might need to deploy many virtual machines in a datacenter. Offline domain join makes it possible for the virtual machines to be joined to the domain when they initially start after the installation of the operating system. No additional restart is required to complete the domain join. This can significantly reduce the overall time required for wide-scale virtual machine deployments.
Now if you want to deploy computers using a Unattend.xml file, you can also specify the Offline Domain join in there:
<Component>
<Component name="Microsoft-Windows-UnattendedJoin">
<Identification>
<Provisioning>
<AccountData>Blob.txt</AccountData>
</Provisioning>
</Identification>
</Component>