Join Windows 11 to an Active Directory domain

• Author
• Recent Posts

Wolfgang Sommergut

Wolfgang Sommergut has over 20 years of experience in IT journalism. He has also worked as a system administrator and as a tech consultant. Today he runs the German publication WindowsPro.de.

Latest posts by Wolfgang Sommergut (see all)

• Which WSUS products to select for Windows 11? - Tue, Sep 26 2023
• Activate BitLocker with manage-bde, PowerShell, or WMI - Wed, Sep 20 2023
• Join Azure Active Directory with Windows 11 - Tue, Sep 12 2023

For the foreseeable future, most company PCs will belong to an on-prem Active Directory domain to simplify the management of devices and user accounts.

Connection to Azure AD

The now widespread integration into Azure AD is mostly done via a hybrid join, where PCs still join a local AD. The two directories are linked on the server side using AAD Connect, so this process is transparent to the clients.

Connecting a PC to Azure AD in a hybrid environment

Prerequisites for domain join

As in previous versions of Windows, there are still some prerequisites that must be met before a machine can join a domain. This includes a proper edition of the operating system; at least Windows 11 Pro is required.

In addition, the computer should use a DNS server that connects it to the domain controller (DC) via an SVR record. This is always the case if the domain name service is provided by Active Directory.

Advanced system properties GUI

In Windows 10, the Settings app took over an increasing number of control panel tasks. In earlier releases, this also included joining the computer to a domain. However, this option disappeared later on.

With Windows 11, the Settings app still does not offer a domain join function. The Domain or workgroup link under System > About opens the System Properties applet, which can also be started directly by entering sysdm.cpl.

The Settings app opens the System Properties applet for domain joining

You can also rename the PC there, which is usually necessary with new computers to comply with the company's naming convention.

PowerShell cmdlet Add-Computer

If you add a computer to a domain via the GUI, its account is automatically created in the Computer container, unless you have already prepared an account for the computer in the intended organizational unit (OU).

PowerShell, however, can join a PC to a domain, rename it, and assign it to an OU in one go. The Add-Computer cmdlet is responsible for this. Pass it the OU as a distinguished name:

Add-Computer -DomainName contoso.com -NewName Win11 `
-OUPath "OU=Marketing,DC=contoso,DC=com" -Credential contoso\admin

The required reboot can also be achieved by adding the -Restart switch.

Join computers to a domain using PowerShell

Add-Computer can also join remote computers to a domain via the ComputerName parameter. If you want to add several devices to the domain at the same time, pass the names to the command as a comma-separated list. However, with PCs that do not yet belong to a domain, you have to deal with notorious WinRM connection issues.

Netdom

If you prefer to use the netdom.exe utility instead of PowerShell, you can also use it to join a PC to a domain. Unlike Add-Computer, it is only available after installing RSAT on a workstation. A command might look something like this:

netdom join <computername> /domain:contoso.com /UserD:<AuthorizedDomainUser> /PasswordD:* /OU:OU=finance,DC=contoso,DC=com

As you can see from this example, netdom can also create the computer account in a specific OU.

For the domain join, the program expects an authorized user from the domain for the UserD parameter. You can either pass the password to PasswordD or leave it there with a "*". Then, netdom queries the password interactively.

Provisioning package

Windows 10 introduced a new way to customize the operating system. The Imaging and Configuration Designer (ICD), a tool included with the Windows ADK, saves the settings for the so-called runtime provisioning in PPKG files.

Windows Setup automatically executes them during the OOBE phase, or alternatively, users can import them at runtime afterwards.

Such packages also handle the initial setup, which involves renaming the computer and joining a domain. You can do this by clicking the Deploy Desktop Devices tile after starting the ICD, entering the name and location of the project, and then traversing the wizard in five steps.

Create a provisioning package for domain join

Under Account management, you can then enter the data for the domain join, including the authorized account and its password. However, assignment to an OU is not possible.

The PPKG file uses a binary format and can be secured with a password at the end.

Join the domain by running the PPKG file

The obvious advantage of this method is that you can, for example, send the package to remote users to join their PCs to the domain. However, for this task, they must be able to contact a Domain Controller over a VPN.

Offline join

If there is no connection between the PC and the domain controller, you still have the option of joining the domain offline. To do so, create the computer account in advance in Active Directory using djoin.exe, and save the result in a file:

djoin /provision /domain contoso.com /machine Win11pro /savefile Win11pro.odj

If necessary, you can use machineou to specify the OU in which the account should be created.

The second step is to import the ODJ file to the relevant client:

djoin /requestodj /loadfile .\Win11pro.odj /windowspath c:\windows /localos

The localos switch tells the program that you want to join the live system to the domain.

unattend.xml

With the exception of a provisioning package, all procedures are intended for domain joining of a live system. However, it is often the case that PCs need to be automatically added to an AD domain during deployment.

An answer file is useful for this task. If you create it with the Windows System Image Manager (Windows SIM), the relevant setting is found under amd64_Microsoft-Windows-UnattendedJoin_10.0.22621.1_neutral.

Drag this component to the specialize section of the answer file. Then enter the domain under Identification and the credentials under Credentials in the Properties window.

Create an answer file for joining an AD domain with Windows SIM

The result is the XML file below, which you can also use directly without running Windows SIM. Of course, you have to change the domain and credentials according to your environment:

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="specialize">
        <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <Identification>
                <Credentials>
                    <Domain>contoso.com</Domain>
                    <Password>P@ssw0rd</Password>
                    <Username>admin</Username>
                </Credentials>
                <JoinDomain>contoso.com</JoinDomain>
            </Identification>
        </component>
    </settings>
    <cpi:offlineImage cpi:source="wim:c:/users/public/install.wim#Windows 11 Pro" xmlns:cpi="urn:schemas-microsoft-com:cpi" />
</unattend>

The file should be named unattend.xml. After mounting the Windows image with DISM, copy it to the \Windows\Panther directory.

Summary

Joining a local AD domain is still a standard procedure for corporate PCs. The connection to Azure AD, e.g., for endpoint management using Intune, usually takes place via synchronization between the AD DS and the Cloud.

Microsoft provides different methods for joining a PC, depending on the scenario. The control panel applet and the command line (Add-Computer, Netdom.exe) are used for the interactive domain join.

Provisioning packages are an interesting option because they can be used both on a live system and in a deployment image. An answer file automates the domain join during installation, and djoin.exe is available for purely offline scenarios.