Today I will share a nice feature of Windows Server 2008 R2, i.e. offline domain join. With the help of this new feature you can join any system to the domain without contacting the domain controller. That means that if the client is not in contact with the DC, it can still be added into Active Directory.
Offline domain join is a new process that computers that run Windows 7 or Windows Server 2008 R2 can use to join a domain without contacting a domain controller. This makes it possible to join computers to a domain in locations where there is no connectivity to a corporate network.
Requirements
You can run Djoin.exe only on computers that run Windows 7 or Windows Server 2008 R2. The computer on which you run Djoin.exe to provision computer account data into AD DS must be running Windows 7 or Windows Server 2008 R2. The computer that you want to join to the domain must also be running Windows 7 or Windows Server 2008 R2.
By default, Djoin.exe commands target a domain controller that runs Windows Server 2008 R2. However, we can also use the optional /downlevel parameter if we have to target a DC that is running a version older than 2008 R2.
Two steps
There are basically two steps necessary to offline domain join a computer. First, you have to create the computer account in Active Directory. This process is called "provisioning." The easiest way to do that is on an R2 domain controller. Djoin will write the base64-encoded metadata for the account to a text file. This file then has to be used to offline domain join the Windows 7 machine.
Provisioning
The command to provision the computer account on an R2 domain controller looks like this:
C:\Users\Administrator\Desktop>djoin /provision /domain dc1.com /machine client1 /savefile domain_join.txt
This command will add a computer account named client1 in the AD database that can be seen on AD console.
NOTE: If you don't have a Windows Server 2008 R2 domain controller, you can run djoin.exe with the /downlevel parameter on a Windows 7 machine that is already a domain member.
Offline domain join
Then you have to copy that text file to the computer that has to be joined to the domain and launch this command:
C:\Users\Administrator\Desktop>djoin /requestODJ /loadfile domain_join.txt /windowspath %SystemRoot% /localos
Note: Issuing the above command on a domain controller will result in a broken Active Directory domain controller, with the only option left being to demote and re-promote it.
After issuing the above command you need to reboot the system, and the system will then be in the domain.
You can see all the parameters in the djoin help output:
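The two steps above, wrapped in one PowerShell script as an added example (this is not from the original post). It runs the provisioning step on the DC and the join step on the client, checks djoin's exit code, refuses to run /requestODJ on a domain controller (the failure mode noted above), and tightens permissions on the blob file because it carries the new machine account's credentials. The domain name, machine name and blob path are assumed placeholders.

```powershell
# Added example: wraps the two djoin steps with basic checks.
# Run -Step Provision on an R2 DC (or a Windows 7 domain member with -Downlevel),
# then copy the blob and run -Step Join on the client. Values below are assumed.
param(
    [Parameter(Mandatory)] [ValidateSet('Provision','Join')] [string]$Step,
    [string]$Domain   = 'dc1.com',                 # assumed, as in the post
    [string]$Machine  = 'client1',                 # assumed, as in the post
    [string]$BlobFile = 'C:\odj\domain_join.txt',  # assumed path
    [switch]$Downlevel                             # target a pre-2008 R2 DC
)

function Assert-Admin {
    # djoin needs an elevated local Administrator prompt; fail early otherwise.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'djoin must be run from an elevated (local Administrator) prompt.'
    }
}

Assert-Admin
switch ($Step) {
    'Provision' {
        $djArgs = @('/provision', '/domain', $Domain, '/machine', $Machine, '/savefile', $BlobFile)
        if ($Downlevel) { $djArgs += '/downlevel' }
        & djoin.exe @djArgs
        if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }
        # The blob contains the machine account password: limit read access to the
        # provisioning user and Administrators until it has been copied to the client.
        icacls $BlobFile /inheritance:r /grant:r "${env:USERNAME}:(R)" 'Administrators:(R)' | Out-Null
        Write-Host "Provisioned $Machine in $Domain; blob saved to $BlobFile"
    }
    'Join' {
        # Win32_OperatingSystem.ProductType 2 = domain controller: never run /requestODJ there.
        $os = Get-WmiObject Win32_OperatingSystem
        if ($os.ProductType -eq 2) { throw 'This machine is a domain controller; aborting.' }
        if (-not (Test-Path $BlobFile)) { throw "Blob file $BlobFile not found" }
        & djoin.exe /requestODJ /loadfile $BlobFile /windowspath $env:SystemRoot /localos
        if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
        Remove-Item $BlobFile -Force   # credentials no longer needed on the client
        Write-Host 'Offline join requested; reboot to complete.'
    }
}
```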
Usage: djoin.exe [/OPTIONS]
/PROVISION - Provision a computer account in the domain
/DOMAIN <Name> - <Name> of the domain to join
/MACHINE <Name> - <Name> of the computer joining the domain
/MACHINEOU <OU> - Optional <OU> where the account is created
/DCNAME <DC> - Optional <DC> to target for account creation
/REUSE - Reuse any existing account (password will be reset)
/SAVEFILE <FilePath> - Save provisioning data to a file at <FilePath>
/NOSEARCH - Skip account conflict detection, requires DCNAME (faster)
/DOWNLEVEL - Support using a Windows Server 2008 DC or earlier
/PRINTBLOB - Return base64 encoded metadata blob for an answer file
/DEFPWD - Use default machine account password (not recommended)
/REQUESTODJ - Request offline domain join at next boot
/LOADFILE <FilePath> - <FilePath> specified previously via /SAVEFILE
/WINDOWSPATH <Path> - <Path> to the Windows directory in an offline image
/LOCALOS - Allows /WINDOWSPATH to specify the locally running OS.
This command must be run as a local Administrator.
This option requires a reboot for changes to be applied.