Part One: Offline Domain Joining
Requirements
[IT Expert Network Exclusive Article] Djoin is included in every edition of Windows 7 and Windows Server 2008 R2. Users do not need to raise the functional level of their Active Directory domain to Windows Server 2008 R2, and they do not need R2 domain controllers, because djoin also works with earlier domain controllers. Since djoin requires administrator privileges, the tool must be run from an elevated command prompt. Users also need an account with sufficient permissions to create a computer account in the domain.
Two steps
An offline domain join consists of two steps. First, the user creates a computer account in Active Directory; this process is called provisioning. The easiest way is to run this step on an R2 domain controller. Djoin writes a base64-encoded metadata blob to a text file. This blob is then used to join the Windows 7 computer to the domain while it is offline.
Provisioning
The following command provisions a computer account on an R2 domain controller:
djoin /provision /domain <domain to be joined> /machine <name of the computer to be joined> /savefile blob.txt
If no Windows Server 2008 R2 domain controller is available, the user can run djoin.exe with the /downlevel parameter on a Windows 7 computer instead. That Windows 7 computer must already be a member of the domain.
Offline domain joining
The user copies blob.txt to the computer that is to be joined and runs the following command there:
djoin /requestODJ /loadfile blob.txt /windowspath %SystemRoot% /localos
When djoin is run on the target computer itself, the /localos parameter is required. Alternatively, djoin can be run on another computer, with the /windowspath parameter pointing at the Windows directory of the target computer's offline file system. This is the method to use for joining an offline virtual machine to the domain: once the virtual machine is started, it is already a domain member and no additional restart is needed.
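The two steps above, as an added PowerShell example that is not part of the original article: the first function provisions one blob per machine and locks down the blob file (it is effectively a machine password), the second requests the join either on the local OS or against an offline image. The domain name, OU path, machine names and the V: drive letter of an already mounted VHD are assumed placeholders.

```powershell
# Added example, not code from the original article. Assumed placeholders:
# domain corp.example.com, the OU path, the machine names, and an offline VHD
# already mounted as V:. Run from an elevated prompt.
function New-OdjBlob {
    param([string]$Domain, [string]$Machine, [string]$MachineOU, [string]$OutDir)
    $blobFile = Join-Path $OutDir "$Machine.txt"
    # /reuse resets the password of an existing account instead of failing,
    # which is what you want when a machine with that name is being re-imaged.
    & djoin.exe /provision /domain $Domain /machine $Machine `
                /machineou $MachineOU /savefile $blobFile /reuse | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "djoin /provision failed for $Machine (exit code $LASTEXITCODE)"
    }
    # The blob is enough to join a machine as this account, so treat it like a
    # password: drop inherited ACEs and leave read access to the current user only.
    & icacls.exe $blobFile /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(R)" | Out-Null
    return $blobFile
}

function Request-OdjJoin {
    param([string]$BlobFile, [string]$OfflineWindowsPath)
    if ($OfflineWindowsPath) {
        # Offline image (e.g. a mounted VHD): point /windowspath at its Windows
        # directory and omit /localos. The VM is a domain member at first boot.
        & djoin.exe /requestODJ /loadfile $BlobFile /windowspath $OfflineWindowsPath
    } else {
        # Running on the target machine itself: /localos is mandatory and the
        # join is applied at the next reboot.
        & djoin.exe /requestODJ /loadfile $BlobFile /windowspath $env:SystemRoot /localos
    }
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed (exit code $LASTEXITCODE)" }
}

# Provisioning side (a domain member whose user may create computer objects).
$blobDir = 'C:\odj-blobs'
New-Item -ItemType Directory -Path $blobDir -Force | Out-Null
foreach ($name in 'WS-0001', 'WS-0002') {
    New-OdjBlob -Domain 'corp.example.com' -Machine $name `
                -MachineOU 'OU=Workstations,DC=corp,DC=example,DC=com' -OutDir $blobDir
}
# Join side, against a VHD already mounted as V: (run where the VHD is mounted):
# Request-OdjJoin -BlobFile 'C:\odj-blobs\WS-0001.txt' -OfflineWindowsPath 'V:\Windows'
```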
There are several other options we have not covered here. Below is the complete list of djoin parameters. Afterwards, we will discuss how an offline domain join can be combined with an unattended installation, and in which situations this feature is useful.
Command description:
djoin.exe [/OPTIONS]
/PROVISION – Provision a computer account in the domain
/DOMAIN <Name> – <Name> of the domain to join
/MACHINE <Name> – <Name> of the computer joining the domain
/MACHINEOU <OU> – optional <OU> in which the account is created
/DCNAME <DC> – optional <DC> to target for account creation
/REUSE – Reuse any existing account (its password will be reset)
/SAVEFILE <FilePath> – Save the provisioning data to the file at <FilePath>
/NOSEARCH – Skip account conflict detection; requires /DCNAME (faster)
/DOWNLEVEL – Supports a Windows Server 2008 or earlier domain controller
/PRINTBLOB – Return the base64-encoded metadata blob for use in an answer file
/DEFPWD – Use the default computer account password (not recommended)
/REQUESTODJ – Request an offline domain join at next boot
/LOADFILE <FilePath> – <FilePath> specified previously via /SAVEFILE
/WINDOWSPATH <Path> – <Path> to the Windows directory of the offline image
/LOCALOS – Allows /WINDOWSPATH to specify the locally running operating system. This command must be run as a local administrator.
Changes will not be applied until reboot.
Part 2: Offline domain joining when no one is around
Completing the first part is one thing; deploying a large number of computers that are already domain members when they boot for the first time is another.
It is possible to perform an offline domain join as part of an unattended installation. First, the user completes the two steps from the first part, i.e. creates the computer account in the domain and the metadata blob. Then the following section is added to unattend.xml:
<!-- Place inside <settings pass="specialize">; use processorArchitecture="x86" for 32-bit images -->
<component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
    <Identification>
        <Provisioning>
            <AccountData>Base64Encoded Blob</AccountData>
        </Provisioning>
    </Identification>
</component>
"Base64Encoded Blob" is replaced by the contents of the blob.txt file. Check out the screenshots below to get an idea of what the metadata blob looks like.
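Inserting the blob into the AccountData element by hand for every computer is error-prone, so here is an added PowerShell example (not from the original article) that generates one unattend.xml per blob file from a directory of blobs. It assumes a template unattend.xml that already contains the Microsoft-Windows-UnattendedJoin component with an empty AccountData element; the paths are placeholders.

```powershell
# Added example, not code from the original article. Assumes a template
# unattend.xml containing an (empty) AccountData element under the
# Microsoft-Windows-UnattendedJoin component; paths are placeholders.
$Template = 'C:\odj-blobs\unattend-template.xml'
$BlobDir  = 'C:\odj-blobs'
$OutDir   = 'C:\odj-blobs\unattend'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($blobFile in Get-ChildItem -Path $BlobDir -Filter '*.txt') {
    # djoin /savefile writes the blob as one base64 line in a Unicode text file;
    # ReadAllText honours the BOM. Trim and verify it decodes before using it.
    $blob = [System.IO.File]::ReadAllText($blobFile.FullName).Trim()
    try { [void][Convert]::FromBase64String($blob) }
    catch { Write-Warning "$($blobFile.Name) is not valid base64, skipping"; continue }

    $xml = [xml][System.IO.File]::ReadAllText($Template)
    # unattend.xml uses a default namespace, so XPath needs a prefix for it.
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
    $xpath = "//u:component[@name='Microsoft-Windows-UnattendedJoin']" +
             "/u:Identification/u:Provisioning/u:AccountData"
    $node = $xml.SelectSingleNode($xpath, $ns)
    if (-not $node) { throw "Template has no UnattendedJoin AccountData element" }

    # Setting InnerText (instead of string splicing) keeps the XML well-formed.
    $node.InnerText = $blob

    # The result contains the machine account secret: protect it like the blob.
    $outFile = Join-Path $OutDir ($blobFile.BaseName + '-unattend.xml')
    $xml.Save($outFile)
    & icacls.exe $outFile /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(R)" | Out-Null
    Write-Output "Wrote $outFile"
}
```

Each generated file is named after its blob (for example WS-0001-unattend.xml), which gives you the one-blob-per-computer mapping the central store needs.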
Possible uses of offline domain joining
When I read about the offline domain join feature, my first thought was that it would be a great improvement for large enterprises that buy computers with Windows 7 pre-installed. The enterprise would only need to send an operating system image that is already domain-joined to the computer manufacturer. Once the new computers are connected to the enterprise's network, they could be used right away, without a separate step to join them to the enterprise's Active Directory domain.
However, since each computer requires a different metadata blob, this cannot be done with the operating system image alone. The enterprise has to create the blob files first, and the computer manufacturer then has to make sure that each computer receives its own metadata blob. The problem is the blob that has to be embedded in unattend.xml. This makes the process more complicated than automatically naming a batch of computers, because the names cannot simply be numbered consecutively or derived from the computer's MAC address.
Instead, a central store holding all blob files is needed to ensure that each computer receives the correct unattend.xml. Computer manufacturers would therefore have to set up such a process, and this does not seem realistic yet.
Nonetheless, I hope there will soon be a third-party solution that can solve this problem. Of course, users can also write a solution for themselves to implement offline domain joining for newly installed computers.
Small businesses will, of course, do this manually. The advantage of offline domain joining there is that an administrator no longer has to be present at the machine when deploying a new computer, and there is no need for netdom scripts containing clear-text passwords.
Another use case for the offline domain join feature is the automated deployment of virtual machines. As mentioned above, it is enough to mount the virtual disk to join a virtual machine to the domain. In this way, a large number of virtual machines can be deployed by script without a reboot for each of them during the deployment process.
Summary
As useful as the new offline domain join feature is, I would have liked a solution that does not require a separate blob per computer. This would be technically possible: the computer name can be assigned during an unattended installation, and the computer account could then be created in Active Directory when the computer starts for the first time. The provisioning step described in the first part could be dropped this way.
I believe such a solution would improve the way new computers are added to Active Directory. Considering that the new imaging technology pushed users to buy computers with Vista pre-installed in the past, such a solution seems worth a try. However, Microsoft may not be interested in such technical improvements after the negative publicity Vista received in the media.