In this article, we will see how to perform an offline domain join (ODJ) of a computer that never connects to the corporate network, using DirectAccess to reach the domain afterwards.
We tested ODJ with DirectAccess settings and it works as expected.
Requirements:
Required client OS version: Windows 8 and above (the DirectAccess options used below, /rootcacerts, /policynames and /certtemplate, are part of the Windows 8 / Server 2012 version of djoin.exe).
DC requirement: Windows Server 2008 R2 and above.
Admin access: the provisioning user needs the right to create and join computer accounts in the target OU (delegated rights are enough; Domain Admins is not required), and the import step needs local administrator rights on the destination workstation.
Readiness:
The domain (and the DirectAccess deployment) should be fully ready to accept computers through ODJ. For details, see the Microsoft articles on offline domain join and on the DirectAccess-based offline domain join cmdlets.
Two commands are needed to get this done:
- Create the computer object in the respective OU and add it to the appropriate security groups (in particular the DirectAccess client group, so the DA GPO is in scope for the machine). djoin /provision creates the account itself; if you pre-create it, add /reuse so the existing account is used.
- The provisioning command must run on a domain-joined computer from an elevated prompt; it creates the metadata file (the ODJ blob):
- djoin.exe --% /provision /domain windowstechpro.com /machine desktop-8jukk2f /savefile odj.txt /rootcacerts /policynames "DirectAccesssettings" /certtemplate "Workstation"
  (--% is the PowerShell stop-parsing token and is omitted when running from cmd.exe. /policynames must match the display name of the DirectAccess client GPO, and /certtemplate the name of a computer certificate template.)
- Copy the metadata file to the destination computer and run the import there from an elevated prompt:
- djoin.exe --% /requestodj /loadfile ODJ.txt /windowspath %SystemRoot% /localos
- Restart the computer. On reboot the join completes and the DA policies apply, so users can log on with domain credentials: the DirectAccess tunnel carries authentication to the domain controllers without the machine ever being on the corporate network.
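The procedure above, written out as two PowerShell scripts (one per side), is added here as a worked example; it is not code from the original article. The domain, OU, group, GPO and certificate template names and all paths are assumptions to be replaced with your own values, and the ActiveDirectory module (RSAT) is assumed to be present on the provisioning computer. Passing the arguments as an array lets variables be used instead of the --% stop-parsing form shown above.

```powershell
# Added example (not part of the original article): the ODJ-with-DirectAccess
# procedure as two scripts. Names and paths below are assumptions.

#region Provisioning side: domain-joined computer, elevated, Windows 8+/Server 2012+
Import-Module ActiveDirectory                                   # assumption: RSAT installed

$Domain   = 'windowstechpro.com'                               # assumption: AD domain
$Machine  = 'desktop-8jukk2f'                                  # assumption: target name (max 15 chars)
$OU       = 'OU=DA Clients,DC=windowstechpro,DC=com'           # assumption: OU for the account
$DaGroup  = 'DirectAccess Clients'                             # assumption: group the DA client GPO is filtered to
$DaGpo    = 'DirectAccess Client Settings'                     # assumption: display name of the DA client GPO
$Template = 'Workstation'                                      # assumption: computer certificate template
$BlobPath = Join-Path $env:TEMP 'odj.txt'

# Pre-create the account in the right OU and put it in the DA client group first,
# so the DA GPO is in scope when djoin collects the policy for the blob.
if (-not (Get-ADComputer -Filter "Name -eq '$Machine'")) {
    New-ADComputer -Name $Machine -Path $OU -Enabled $true
}
Add-ADGroupMember -Identity $DaGroup -Members (Get-ADComputer -Identity $Machine)

# /reuse makes djoin use the account just created (and reset its password)
# instead of failing because the account already exists.
$provisionArgs = @(
    '/provision', '/domain', $Domain, '/machine', $Machine, '/reuse',
    '/savefile', $BlobPath, '/rootcacerts',
    '/policynames', $DaGpo, '/certtemplate', $Template
)
& djoin.exe @provisionArgs
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }
# $BlobPath now holds the blob; transfer it to the destination over a secure channel.
#endregion

#region Destination side: never on the corporate network, elevated
$BlobPath = 'C:\ODJ\odj.txt'                                   # assumption: where the blob was copied

function Test-OdjDirectAccess {
    # Run after the reboot: reports whether the NRPT from the DA GPO arrived
    # and whether the DirectAccess tunnel is up.
    $nrpt   = @(Get-DnsClientNrptPolicy)
    $status = Get-DAConnectionStatus
    [pscustomobject]@{
        NrptRules = $nrpt.Count
        DAStatus  = $status.Status
        Ready     = ($nrpt.Count -gt 0 -and $status.Status -eq 'ConnectedRemotely')
    }
}

& djoin.exe /requestodj /loadfile $BlobPath /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed with exit code $LASTEXITCODE" }

Restart-Computer -Force   # the join and the DA policy take effect on reboot
# After the reboot, from an elevated prompt: Test-OdjDirectAccess
#endregion
```

Run Test-OdjDirectAccess after the reboot and before handing the machine to a user: if NrptRules is 0 the DA GPO did not make it into the blob (usually a wrong /policynames value or the account not being in the DA client group at provisioning time), and domain logon will only work once the machine can reach a domain controller some other way.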
Benefits:
- No physical connectivity to the domain is required.
- Password reset works on a DirectAccess-connected machine.
- The commands are simple and the blob is easily portable to the destination computer.
- The DA policies are transferred along with the NRPT (Name Resolution Policy Table).
- djoin.exe is the only tool required, and it ships with Windows.
- GPOs can be applied and refreshed through DirectAccess.
Risks:
- The blob must be transferred over a secure channel and deleted after import.
- The import requires no domain credentials at all; local administrator access on the destination is enough, so anyone holding a copy of the blob can import it.
- The provisioning command can be run from any domain-joined computer by anyone with rights to create computer objects, and the resulting blob can be imported without ever contacting a domain controller.
- The metadata file (blob) is highly sensitive: it contains the computer account password, the computer's certificate and the DirectAccess GPO settings.
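Because the blob is effectively a machine credential, the import step is worth wrapping with the handling the risks above call for: restrict who can read the file, verify its hash on the destination before importing, and remove it afterwards. The following is an added example, not code from the original article; the paths are assumptions and the hash is expected to be delivered separately from the file.

```powershell
# Added example (not part of the original article): treat the ODJ blob as the
# credential it is. Paths and the transfer channel are assumptions.

# --- Provisioning side, right after djoin /provision ---
$BlobPath = Join-Path $env:TEMP 'odj.txt'                      # assumption

# Strip inherited ACEs and allow only Administrators and SYSTEM to touch the blob.
icacls $BlobPath /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Record the hash and hand it over separately (ticket, chat, phone) from the file,
# so a swapped or tampered blob is caught before it is imported.
$ExpectedSha256 = (Get-FileHash -Path $BlobPath -Algorithm SHA256).Hash
Write-Host "Blob SHA256: $ExpectedSha256"

# --- Destination side, in place of the bare djoin /requestodj call ---
function Import-OdjBlob {
    param(
        [Parameter(Mandatory)] [string] $Path,            # local copy of the blob
        [Parameter(Mandatory)] [string] $ExpectedSha256   # hash received out of band
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Blob not found: $Path" }

    # Refuse to import a blob whose hash differs from what the provisioner reported.
    # (-ne is case-insensitive in PowerShell, so the hex case does not matter.)
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) { throw "Blob hash mismatch for $Path; refusing to import" }

    try {
        & djoin.exe /requestodj /loadfile $Path /windowspath $env:SystemRoot /localos
        if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed with exit code $LASTEXITCODE" }
        $true
    }
    finally {
        # The blob carries the machine account password: remove it whether or not
        # the import succeeded, so it cannot be picked up from this disk later.
        Remove-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    }
}

# Usage on the destination (hash value is a placeholder for the one the provisioner sent):
# Import-OdjBlob -Path 'C:\ODJ\odj.txt' -ExpectedSha256 '<sha256 from provisioner>'
```

Deleting the file does not retire the secret inside it: the computer account password in the blob stays valid until the joined machine rotates it (30 days by default), so any copy left on a share, in mail or on the provisioning workstation can still be imported on another machine and used to impersonate that computer account. Delete the provisioning-side copy as well once the import is confirmed.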
Issues noticed:
- If a user resets their password on a DirectAccess-connected machine (Ctrl+Alt+Del), the change syncs back to AD, but we noticed that it takes some time to replicate through the DirectAccess channel.
- Windows 7 and earlier have not been tested yet; we will test Windows 7 compatibility with ODJ soon.
During testing, the destination computer was never connected to the corporate network, yet logon with any user account worked and password reset was tested successfully.