In this article, we will see how to perform an Offline Domain Join (ODJ) of a computer without connecting it to the corporate network.
We tested Offline Domain Join (ODJ) and it is working as expected.
Requirements:
Required client OS versions: Windows 8 and above.
DC requirements: Windows Server 2008 R2 and above.
Admin access: the user must have permission to join computers to the domain, and local administrator privileges on the destination workstation for the ODJ import.
Readiness:
The domain should be completely ready to add computers using Offline Domain Join (ODJ). For more details, please see the Microsoft articles on Offline Domain Join and the DirectAccess-based Offline Domain Join cmdlets:
Two commands need to be run to get this done.
Create the computer object in the respective OU path and add the computer to the appropriate security groups.
The command must be run on a domain-joined computer from an elevated prompt to create the metadata file:
Djoin.exe --% /provision /domain windowstechpro.com /machine desktop-8jukk2f /savefile odj.txt /rootcacerts /policynames "DirectAccesssettings" /certtemplate "Workstation"
Copy the metadata file to the destination computer; the following command should then be run on the destination computer from an elevated prompt:
Djoin.exe --% /requestodj /loadfile ODJ.txt /windowspath %SystemRoot% /localos
Restart the computer so the DirectAccess policies are applied; users can then log in without physically contacting the domain controllers for authentication.
Benefits :
No physical connectivity to the domain is required.
Password reset on a DirectAccess-connected machine is possible.
The commands are simple and easily portable to the destination computers.
DirectAccess policies are transferred along with the NRPT tables.
DJOIN is the only command-line tool required, and it is present by default on Windows machines.
GPOs can be applied or refreshed through DirectAccess.
Risks:
The file must be transferred in a secure way.
During the import there is no requirement for domain admin rights; local administrator access is enough, so there is a chance of misuse.
The commands can be executed on any domain-joined computer to create the new computer objects in the domain, and the metafile can be imported without contacting the domain controllers.
The metafile (blob) is highly sensitive as it contains the computer's password, the computer's certificate and the DirectAccess GPO.
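The two-stage djoin procedure described above, together with the blob-handling risks listed here, as an added PowerShell example that is not part of the original article: the provisioning stage restricts the blob's ACL and records a SHA-256, and the import stage verifies that hash before calling djoin and deletes the blob afterwards. The domain, machine name, OU, GPO name and file paths are placeholder assumptions.

```powershell
# Added example (not from the original post): two-stage wrapper around djoin.exe for Offline Domain Join.
# Stage 'Provision' runs on a domain-joined admin workstation; stage 'Import' runs on the offline destination.
# All domain, machine, OU, GPO-name and path values below are placeholder assumptions.
param(
    [ValidateSet('Provision', 'Import')] [string]$Stage = 'Provision',
    [string]$Domain       = 'corp.example.com',                          # placeholder
    [string]$Machine      = 'WS-ODJ-01',                                 # placeholder
    [string]$MachineOU    = 'OU=Laptops,DC=corp,DC=example,DC=com',      # placeholder
    [string]$PolicyNames  = 'DirectAccess Client Settings',              # placeholder GPO name
    [string]$CertTemplate = 'Workstation',
    [string]$BlobPath     = "$env:TEMP\odj.txt",
    [string]$HashPath     = "$env:TEMP\odj.sha256"
)

function Invoke-Djoin([string[]]$DjoinArgs) {
    # Run djoin.exe and fail loudly on a non-zero exit code instead of continuing with a bad state.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\djoin.exe" -ArgumentList $DjoinArgs -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "djoin.exe failed with exit code $($p.ExitCode)" }
}

if ($Stage -eq 'Provision') {
    # Creates the computer object in the OU and writes the blob (computer password, certificate, DA GPO).
    Invoke-Djoin @('/provision', '/domain', $Domain, '/machine', $Machine, '/machineou', "`"$MachineOU`"",
                   '/savefile', "`"$BlobPath`"", '/rootcacerts', '/policynames', "`"$PolicyNames`"",
                   '/certtemplate', "`"$CertTemplate`"")
    # The blob is a machine credential: remove inherited ACEs and allow only local Administrators.
    & icacls.exe $BlobPath /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' | Out-Null
    # Record a SHA-256 so the destination can detect a blob altered in transit.
    (Get-FileHash -Path $BlobPath -Algorithm SHA256).Hash | Set-Content -Path $HashPath
    Write-Host "Blob written to $BlobPath; transfer it and $HashPath over an encrypted channel."
}
else {
    # Refuse to import a blob whose hash does not match the one recorded at provisioning time.
    $expected = (Get-Content -Path $HashPath -Raw).Trim()
    $actual   = (Get-FileHash -Path $BlobPath -Algorithm SHA256).Hash
    if ($actual -ne $expected) { throw "Blob hash mismatch: expected $expected, got $actual" }
    Invoke-Djoin @('/requestodj', '/loadfile', "`"$BlobPath`"", '/windowspath', $env:SystemRoot, '/localos')
    # The blob has served its purpose; remove both files so the machine credential does not linger on disk.
    Remove-Item -Path $BlobPath, $HashPath -Force
    Write-Host "Offline domain join staged for $Machine; restart the computer to apply the DirectAccess policies."
}
```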
Issues noticed :
If a user resets their password on a DirectAccess-connected machine (using Ctrl+Alt+Del), the change syncs back to AD, but we noticed that it takes some time to replicate through the DirectAccess channel.
Windows 7 and earlier machines have not been tested as of now; we will test the compatibility of Windows 7 with ODJ soon.
During the testing, the destination computer was not connected to the corporate network at all, but we were able to log in using any user account, and password reset was tested.