Offline Domain Join is a feature of Active Directory Domain Services introduced in Windows Server 2008R2/Windows 7. This allow us to prestaged computer accounts in our Active Directory, and turn on the computer later.
The typical use case is when you have a partner that deploy your operating system corporate image without any connection to your network. The computers will join the Active Directory domain later when it’s connected to your network. This work with a blob file, you need to create one for each computer when you are connected to your corporate network, and then paste it on each computer that will join the domain.
Offline Domain Join – Blob creation
First, we need to create the blob, from PowerShell :
djoin.exe --% /provision /domain domain.itfordummies.net /machine Windows10 /savefile blobWindows10.txt
The ‘–%’ operator allow you to pass complex parameters to an executable file from PowerShell.
This will generate a text file named “BlobWindows10.txt”.
Note : Treat this file as sensitive data, indeed, this text file contains the computer password for joining the domain.
The data in the blob is “obfuscated” :
Once the blob created, you will noticed that it created a computer account in your Active Directory :
Offline Domain Join – Joining the domain
Now, it’s time to securely transport the blob file to the computer that will join the domain.
From PowerShell :
djoin.exe --% /requestodj /loadfile blobWindows10.txt /windowspath %SystemRoot% /localos
This will apply the blob, require a reboot, and then, your computer will be domain joined !
Offline domain join is a great feature, it allow you to be more agile for your computer deployments.
Offline Domain Join – Over Direct Access
Direct Access is a remote access feature introduced in Windows Server 2008R2/Windows 7 that work at the computer level. Indeed, when your computer boot, before you logon, it’s already connected to your corporate network through an HTTPS connection. This will allow your remote users to logon just like if they were on your LAN, with GPO, mapped drive and everything.
Since Windows Server 2012/Windows 8, you can combine offline domain join and Direct Access to join your computers to your domain even if the computer never saw a domain controller. For this to work, you need to use a more complicated line than before to include in the blob the Direct Access GPO and the computer’s certificate :
Djoin.exe --% /provision /domain domain.itfordummies.net /machine Windows10 /savefile blobWindows10.txt /rootcacerts /policynames "DirectAccess Client Settings" /certtemplate "Computer-DA"
Note : When specifying the computer’s certificate template, you need to be sure about the name, you can verify it with : certutil.exe -template
Note : As previously, treat the blob file as highly sensitive as it contains the computer’s password, the computer’s certificate and your Direct Access GPO.
Once the blob file on the computer, you need to use the same line as before, reboot, and your computer will be domain joined, even if you do it from home, or a remote location without any network connectivity to your domain controllers.