Offline Domain Join In Active Directory - Dimitris Tonias

Since the era of Windows 7 and Windows Server 2008 R2, Microsoft has added offline domain join to the administrator’s tools.

In short, using the djoin.exe command-line tool, you can create (provision) a computer or server in Active Directory and then use an encoded file to join it to the domain without a direct communication between the computer/server and the Domain Controller.

Offline domain join in Active Directory

Offline domain join is mainly used in Direct Access implementations and in unattended installations, but also in cases where there is no satisfactory connectivity between a branch office and the central ones, making the classic online domain join difficult.

In summary, the procedure is as follows.

• In a Domain Controller, we run the appropriate djoin /provision command which produces an encoded txt file.
• We copy the file to the computer or server we are about to join into the domain and run the appropriate djoin /requestODJ command.
• After restarting, the offline domain join process will be completed.

So let’s see how it’s done in the following steps. For this example, I have used Windows Server 2016 as a Domain Controller to create the file and an RODC on a branch office to join the domain.

Settings in the Domain Controller

In a Domain Controller, open the command prompt with Administrator privileges and type the following command.

djoin /provision /domain "meraki.edu" /machine "MRK-KVA-RODC" /savefile C:\RODC.txt

djoin /provision /domain "meraki.edu" /machine "MRK-KVA-RODC" /savefile C:\RODC.txt

Where, in the /domain parameter, type the name of the AD domain in the /machine parameter, type the computer name in the /savefile parameter, type the file’s (.txt) location in the disk

The process of creating the file is instantaneous and by opening it you can see that the data it contains is encoded.

Also, since the computer has been provisioned in Active Directory, you can confirm that the computer object has been created in the Computers container of the Active Directory Users and Computers console.

Settings on the computer/server

Next, you’ll need to transfer the previously created file to your computer or server to join the domain. In our example, the file exists in C:\RODC.txt.

Open a command prompt window with administrator privileges and type the following command.

djoin /requestODJ /loadfile C:\RODC.txt /windowspath %systemroot% /localos

djoin /requestODJ /loadfile C:\RODC.txt /windowspath %systemroot% /localos

where in the /loadfile parameter, type the location where the file is located. The rest of the parameters remain unchanged.

If you see the error The offline domain join request failed. Error 0xa9d., Then add –% (two dashes) after djoin. That is, it will be something like that.

djoin --% /requestODJ /loadfile C:\RODC.txt /windowspath %systemroot% /localos

djoin --% /requestODJ /loadfile C:\RODC.txt /windowspath %systemroot% /localos

After running the command and successfully completing, you will need to restart the computer to complete the offline domain join process.

That’s it! Of course, do not forget that to log in using domain credentials, you need to have a DC or RODC connection to verify them. Otherwise, if the computer is not communicating to any of these, you can only log on using a local user account.

Tags: AD DomainWindows 10Windows Server 2016