Offline Domain Join (ODJ) using DirectAccess on Windows Server 2012

In this article we will see how to join a computer to the domain offline, without it ever connecting to the corporate network.

We tested Offline Domain Join (ODJ) and it is working as expected.

Requirements:

Required client OS versions: Windows 8 / Windows Server 2012 and later (the DirectAccess-related /policynames, /certtemplate and /rootcacerts options of djoin.exe need these versions).

DC requirements: at least one Windows Server 2008 R2 or later domain controller.

Admin access: the provisioning user must have permission to create computer objects in the target OU, and local administrator rights are required on the destination workstation to import the blob.

Readiness:

The domain must be fully prepared for adding computers with Offline Domain Join (ODJ). For details, see the Microsoft articles on Offline Domain Join and on DirectAccess-based Offline Domain Join.

Cmdlets:

Two commands are needed to get this done:

  1. Create the computer object in the intended OU and add it to the appropriate security groups (the /provision step below creates the object; the /machineou switch can be added to place it in a specific OU).
  2. Run the following on a domain-joined computer from an elevated prompt to create the metadata (blob) file. The --% token stops PowerShell from parsing the djoin switches; it is not needed from cmd.exe:
     Djoin.exe --% /provision /domain windowstechpro.com /machine desktop-8jukk2f /savefile odj.txt /rootcacerts /policynames "DirectAccesssettings" /certtemplate "Workstation"
  3. Copy the metadata file to the destination computer and run the following there from an elevated prompt:
     Djoin.exe --% /requestodj /loadfile ODJ.txt /windowspath %SystemRoot% /localos
  4. Restart the computer so that the DirectAccess policies apply. After that, users can log on without the computer being able to reach a domain controller directly, because authentication flows over the DirectAccess tunnel.
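The procedure above wrapped in two PowerShell functions, one per side, with the checks a practitioner would add around the bare djoin.exe calls. This is an added example, not code from the original article. Assumptions: the domain, machine name, OU, group, GPO name, template name and file paths are placeholders; the RSAT ActiveDirectory module is installed on the provisioning workstation; PowerShell 4 or later (for Get-FileHash); both functions run from an elevated prompt.

```powershell
# Added example (not from the original article). Provisioning side runs on a domain-joined
# workstation; import side runs on the not-yet-joined destination computer.

function New-OdjBlob {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $Machine,
        [Parameter(Mandatory)] [string] $MachineOU,        # assumed OU DN, e.g. 'OU=DA Clients,DC=windowstechpro,DC=com'
        [Parameter(Mandatory)] [string] $DaGroup,          # assumed security group the DirectAccess GPO is filtered to
        [Parameter(Mandatory)] [string] $SaveFile,
        [string] $PolicyNames  = 'DirectAccesssettings',   # GPO display name from the article
        [string] $CertTemplate = 'Workstation'             # certificate template name from the article
    )
    # Passing the switches as an array means PowerShell does not re-parse them, so the
    # stop-parsing token (--%) is not needed and the variables still expand.
    # /provision fails if the computer object already exists; add '/reuse' to overwrite it.
    $djoinArgs = @('/provision', '/domain', $Domain, '/machine', $Machine,
                   '/machineou', $MachineOU, '/savefile', $SaveFile, '/rootcacerts',
                   '/policynames', $PolicyNames, '/certtemplate', $CertTemplate)
    & djoin.exe @djoinArgs
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

    # The blob holds the computer password, certificate and DirectAccess GPO: strip inherited
    # ACEs and leave only the provisioning user with access before the file goes anywhere.
    icacls.exe $SaveFile /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(F)" | Out-Null

    # Confirm the object landed in the intended OU and add it to the DA group so the
    # security-filtered DirectAccess GPO applies after the first restart.
    Import-Module ActiveDirectory
    $computer = Get-ADComputer -Identity $Machine
    if ($computer.DistinguishedName -notlike "*,$MachineOU") {
        throw "Computer object created in unexpected location: $($computer.DistinguishedName)"
    }
    Add-ADGroupMember -Identity $DaGroup -Members $computer

    # Return the hash so the destination can verify the blob was not altered in transit.
    Get-FileHash -Path $SaveFile -Algorithm SHA256
}

function Import-OdjBlob {
    param(
        [Parameter(Mandatory)] [string] $LoadFile,
        [Parameter(Mandatory)] [string] $ExpectedSha256   # hash recorded on the provisioning side
    )
    $hash = (Get-FileHash -Path $LoadFile -Algorithm SHA256).Hash
    if ($hash -ne $ExpectedSha256) { throw "Blob hash mismatch, refusing to import $LoadFile" }

    $djoinArgs = @('/requestodj', '/loadfile', $LoadFile, '/windowspath', $env:SystemRoot, '/localos')
    & djoin.exe @djoinArgs
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed with exit code $LASTEXITCODE" }

    # Once the local OS has absorbed the blob there is no reason to leave the computer
    # password on disk.
    Remove-Item -Path $LoadFile -Force
    Restart-Computer -Force   # DirectAccess policies apply on the next boot
}

# Provisioning workstation (domain-joined, elevated):
# New-OdjBlob -Domain 'windowstechpro.com' -Machine 'desktop-8jukk2f' `
#   -MachineOU 'OU=DA Clients,DC=windowstechpro,DC=com' -DaGroup 'DirectAccess Clients' `
#   -SaveFile "$env:TEMP\desktop-8jukk2f.odj"
# Destination computer (elevated, after copying the blob over a trusted channel):
# Import-OdjBlob -LoadFile 'C:\odj\desktop-8jukk2f.odj' -ExpectedSha256 '<Hash value returned above>'
```

The hash check does not replace a secure transfer channel (the blob is confidential, not merely integrity-sensitive), but it catches a truncated or swapped file before djoin writes it into the local OS.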

Benefits:

  1. No physical connectivity to the domain is required.
  2. Password reset works on a DirectAccess-connected machine.
  3. The commands are simple, and the blob file is easily carried to the destination computer.
  4. The DirectAccess policies are transferred in the blob, along with the NRPT (Name Resolution Policy Table).
  5. Djoin.exe is the only command-line tool required, and it ships with Windows.
  6. GPOs can be applied and refreshed over the DirectAccess connection.

Risks:

  1. The blob file must be transferred over a secure channel and deleted from both computers once the import has succeeded.
  2. The import step needs no domain credentials, only local administrator rights on the destination computer, so a blob that leaks can be used by anyone who obtains it.
  3. The provisioning command can be run from any domain-joined computer to create new computer objects in the domain, and the blob can then be imported without contacting a domain controller. Note that unless ms-DS-MachineAccountQuota has been set to 0, any authenticated domain user can create up to 10 computer accounts by default, so the right to run /provision is broader than it may appear.
  4. The metadata (blob) file is highly sensitive: it contains the computer's password, the computer's certificate and the DirectAccess GPO.
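Because risk 3 means the /provision step can be run from more places than the blob import, the creation of computer accounts is what to watch. As an added example (not from the original article), the PowerShell below parses Security event 4741 ("A computer account was created", logged on a domain controller when the "Audit Computer Account Management" subcategory is enabled) and flags creations by anyone outside an allow-list of provisioning accounts. The sample events are constructed for illustration; the account and computer names in them are placeholders.

```powershell
# Added example (not from the original article): detect computer-account creations that
# did not come from the accounts expected to run djoin /provision.

function ConvertFrom-ComputerCreatedEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml)
    process {
        $x = [xml]$EventXml
        if ([int]$x.Event.System.EventID -ne 4741) { return }   # only "A computer account was created"
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = [datetime]$x.Event.System.TimeCreated.SystemTime
            Creator     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            NewComputer = $data.TargetUserName
        }
    }
}

function Find-UnexpectedProvisioning {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,
        [Parameter(Mandatory)] [string[]] $AllowedCreators   # accounts permitted to run djoin /provision
    )
    $EventXml | ConvertFrom-ComputerCreatedEvent |
        Where-Object { $AllowedCreators -notcontains $_.Creator }
}

# Constructed sample events (illustrative only, not real log data). Single-quoted here-strings
# keep the trailing '$' of the computer SAM name from being treated as a variable.
$sampleEvents = @(
@'
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4741</EventID><TimeCreated SystemTime='2013-05-02T09:15:00.000Z'/></System><EventData><Data Name='TargetUserName'>DESKTOP-8JUKK2F$</Data><Data Name='TargetDomainName'>WINDOWSTECHPRO</Data><Data Name='SubjectUserName'>odj-svc</Data><Data Name='SubjectDomainName'>WINDOWSTECHPRO</Data></EventData></Event>
'@,
@'
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4741</EventID><TimeCreated SystemTime='2013-05-02T11:42:00.000Z'/></System><EventData><Data Name='TargetUserName'>LAPTOP-X9Q2$</Data><Data Name='TargetDomainName'>WINDOWSTECHPRO</Data><Data Name='SubjectUserName'>jdoe</Data><Data Name='SubjectDomainName'>WINDOWSTECHPRO</Data></EventData></Event>
'@
)

# Only the second event is reported: jdoe is not an approved provisioning account.
Find-UnexpectedProvisioning -EventXml $sampleEvents -AllowedCreators @('WINDOWSTECHPRO\odj-svc')
```

On a domain controller the same parser runs over live data: Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4741]]" | ForEach-Object { $_.ToXml() } feeds ConvertFrom-ComputerCreatedEvent directly. Pair this with setting ms-DS-MachineAccountQuota on the domain object to 0, so that only the accounts granted the right to create computer objects in the provisioning OU can run /provision at all.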

Issues noticed:

  1. If a user resets their password on a DirectAccess-connected machine (using Ctrl+Alt+Del), the change syncs back to AD, but we noticed that it takes some time to replicate through the DirectAccess channel.
  2. Windows 7 and earlier machines have not been tested yet; we will test the compatibility of Windows 7 with ODJ soon.

During testing the destination computer was never connected to the corporate network, yet we were able to log on with any user account, and password reset was tested as well.

Author: Radhakrishnan Govindan
