Djoin.exe – Offline domain join in Windows 7 and Windows Server 2008 R2

• Author
• Recent Posts

Michael Pietroforte

Michael Pietroforte is the founder and editor in chief of 4sysops. He has more than 35 years of experience in IT management and system administration.

Latest posts by Michael Pietroforte (see all)

• Poll: How reliable are ChatGPT and Bing Chat? - Tue, May 23 2023
• Pip install Boto3 - Thu, Mar 24 2022
• Install Boto3 (AWS SDK for Python) in Visual Studio Code (VS Code) on Windows - Wed, Feb 23 2022

Requirements

Djoin comes with every Windows 7 and Windows Server 2008 R2 installation. You don't have to raise the functional level of the Active Directory domain to Windows Server R2, and you don't need an R2 domain controller since djoin also works with earlier domain controller versions. Because Djoin requires administrator privileges, you have to use the tool on an elevated command prompt. Of course, you also need an account that has sufficient rights to create domain computer accounts.

Two steps

There are basically two steps necessary to offline domain join a computer. First, you have to create the computer account in Active Directory. This process is called "provisioning." The easiest way to do that is on an R2 domain controller. Djoin will create a base 64-encoded metadata blob as text file. This blob then has to be used to offline domain join the Windows 7 machine.

Provisioning

The command to provision the computer account on an R2 domain controller looks like this:

djoin /provision /domain <domain to be joined> /machine <name of the computer to be joined> /savefile blob.txt

If you don't have a Windows Server 2008 R2 domain controller, you can run djoin.exe with the /downlevel parameter on a Windows 7 machine that is already a domain member.

Offline domain join

Then you have to copy bob.txt to the computer that has to be joined to the domain and launch this command:

djoin /requestODJ /loadfile blob.txt /windowspath %SystemRoot% /localos

The localos parameter is necessary to run djoin on the computer that is supposed to join the computer. You can also run djoin from a second machine making sure the windowspath parameter points to the system root folder of the destination computer. This is useful if you want to domain join a virtual machine (VM) that is offline. Once the VM boots up, it is already a domain member without requiring a reboot.

There are some additional features which I didn't discuss in this article. Below is a complete list of all djoin parameters. In my next article, I will discuss how offline domain join in unattended installations works and in what ways this new feature could be used.

Usage: djoin.exe [/OPTIONS]

/PROVISION  - Provision a computer account in the domain
/DOMAIN <Name> - <Name> of the domain to join
/MACHINE <Name> - <Name> of the computer joining the domain
/MACHINEOU <OU> - Optional <OU> where the account is created
/DCNAME <DC> - Optional <DC> to target for account creation
/REUSE - Reuse any existing account (password will be reset)
/SAVEFILE <FilePath> - Save provisioning data to a file at <FilePath
/NOSEARCH - Skip account conflict detection, requires DCNAME (faster
/DOWNLEVEL - Support using a Windows Server 2008 DC or earlier
/PRINTBLOB - Return base64 encoded metadata blob for an answer file
/DEFPWD - Use default machine account password (not recommended)

/REQUESTODJ  - Request offline domain join at next boot
/LOADFILE <FilePath> - <FilePath> specified previously via /SAVEFILE
/WINDOWSPATH <Path> - <Path> to the Windows directory in an offline
/LOCALOS - Allows /WINDOWSPATH to specify the locally running OS.
This command must be run as a local Administrator.
This option requires a reboot for changes to be applied.