One of the interesting features of the new Windows 7 / Windows Server 2008 R2 is the possibility of performing an offline domain join of computers with the command line tool djoin.exe. Here, offline means that there is no network connection to the Active Directory at the time when the client joins the domain. I tried the tool and was a little disappointed because its handling in large environments seems to be a bit cumbersome to me. In this post, I will give you a short introduction into djoin's usage and in my next post, I will discuss possible usage scenarios.
- Poll: How reliable are ChatGPT and Bing Chat? - Tue, May 23 2023
- Pip install Boto3 - Thu, Mar 24 2022
- Install Boto3 (AWS SDK for Python) in Visual Studio Code (VS Code) on Windows - Wed, Feb 23 2022
Djoin comes with every Windows 7 and Windows Server 2008 R2 installation. You don't have to raise the functional level of the Active Directory domain to Windows Server R2, and you don't need an R2 domain controller since djoin also works with earlier domain controller versions. Because Djoin requires administrator privileges, you have to use the tool on an elevated command prompt. Of course, you also need an account that has sufficient rights to create domain computer accounts.
There are basically two steps necessary to offline domain join a computer. First, you have to create the computer account in Active Directory. This process is called "provisioning." The easiest way to do that is on an R2 domain controller. Djoin will create a base 64-encoded metadata blob as text file. This blob then has to be used to offline domain join the Windows 7 machine.
The command to provision the computer account on an R2 domain controller looks like this:
djoin /provision /domain <domain to be joined> /machine <name of the computer to be joined> /savefile blob.txt
If you don't have a Windows Server 2008 R2 domain controller, you can run djoin.exe with the /downlevel parameter on a Windows 7 machine that is already a domain member.
Offline domain join
Then you have to copy bob.txt to the computer that has to be joined to the domain and launch this command:
djoin /requestODJ /loadfile blob.txt /windowspath %SystemRoot% /localos
The localos parameter is necessary to run djoin on the computer that is supposed to join the computer. You can also run djoin from a second machine making sure the windowspath parameter points to the system root folder of the destination computer. This is useful if you want to domain join a virtual machine (VM) that is offline. Once the VM boots up, it is already a domain member without requiring a reboot.
There are some additional features which I didn't discuss in this article. Below is a complete list of all djoin parameters. In my next article, I will discuss how offline domain join in unattended installations works and in what ways this new feature could be used.
Usage: djoin.exe [/OPTIONS]
/PROVISION - Provision a computer account in the domain
/DOMAIN <Name> - <Name> of the domain to join
/MACHINE <Name> - <Name> of the computer joining the domain
/MACHINEOU <OU> - Optional <OU> where the account is created
/DCNAME <DC> - Optional <DC> to target for account creation
/REUSE - Reuse any existing account (password will be reset)
/SAVEFILE <FilePath> - Save provisioning data to a file at <FilePath
/NOSEARCH - Skip account conflict detection, requires DCNAME (faster
/DOWNLEVEL - Support using a Windows Server 2008 DC or earlier
/PRINTBLOB - Return base64 encoded metadata blob for an answer file
/DEFPWD - Use default machine account password (not recommended)
/REQUESTODJ - Request offline domain join at next boot
/LOADFILE <FilePath> - <FilePath> specified previously via /SAVEFILE
/WINDOWSPATH <Path> - <Path> to the Windows directory in an offline
/LOCALOS - Allows /WINDOWSPATH to specify the locally running OS.
This command must be run as a local Administrator.
This option requires a reboot for changes to be applied.