Join Windows Server 2016 Nano to a Domain

In this Ask the Admin, I’ll show you how to add Windows Server 2016 Technical Preview 4 Nano Server to an Active Directory domain using the Offline Domain Join (djoin) tool.

At the tail end of last year, I showed you how to deploy Nano Server TP4 to an Azure virtual machine in Install Nano Server in Microsoft Azure on the Petri IT Knowledgebase. Since then, Microsoft’s new management portal for Azure, codenamed Ibiza, has reached general availability, so I’ll write all future articles relating to Azure using the new portal. For more information on installing VMs using the new portal, see Deploy VMs Using Azure Resource Manager on Petri.

Before starting, it goes without saying that you’ll need a domain controller that your Nano server can communicate with. I’m performing this demo in Microsoft Azure, but your DC could be running in the cloud or an external network connected to Azure using a VPN.

Configure Nano DNS

For the purposes of this article, I’m going to assume that your domain controller (DC) is also providing the domain with DNS services, and that the DC and DNS server share the same IP address. To join Nano to the domain, we need to configure DNS on the Nano server.

If you are not running Nano in Azure, see Connect to Nano Server using PowerShell Remoting below and then run the following command in an interactive remote session to set the DNS server address in Nano manually.

Replace Ethernet with the name of the network interface on the Nano server, and 10.0.0.4 with the IP address of your domain controller. If you don’t know the name of the network interface installed in Nano, use netsh interface ip show interfaces to list the installed interfaces.

netsh interface ip set dnsservers name="Ethernet" static 10.0.0.4 primary

Otherwise, you can follow the instructions below for setting the DNS server address in Nano using Azure. Because Azure doesn’t support setting static IP addresses in the server operating system, we must configure Azure to assign Nano the correct DNS server settings using DHCP.

  • Log in to the Azure portal.
  • Click Virtual Machines in the panel on the left.
  • Click your Nano server in the list of VMs.
  • In the Settings panel, click Network interfaces.
Configure DNS in Azure (Image Credit: Russell Smith)
  • Click the network interface in the list, and in the Settings panel click DNS servers.
  • In the DNS servers panel, enter the IP address of your domain controller in the Primary DNS server field and click Save.
  • Click Virtual Machines in the panel on the left again, and then select the … menu to the far right of your Nano server and select Start, or Restart if your server is already running, from the menu.

Create domain-join blob

Before we can use the Offline Domain Join tool (djoin) to join Nano to the domain, we need to create a blob file that contains the domain information. You will need to run the tool from a computer that’s already joined to the domain and be logged in as a Domain Admin or have the right to join workstations to the domain. The tool is available in Windows 7, Windows Server 2008 R2, and later OSes.

Create the djoin blob (Image Credit: Russell Smith)

Open a PowerShell prompt and run the command below, replacing ad.contoso.com with the FQDN of your AD domain, and nanosrv1 with the DNS name of your Nano server.

djoin.exe /provision /domain ad.contoso.com /machine nanosrv1 /savefile c:\temp\odjblob

If you don’t already have a TEMP directory, create one using the New-Item cmdlet:

New-Item -ItemType directory -Path c:\temp

Connect to Nano Server using PowerShell Remoting

Now we need to connect to Nano, transfer the blob file we just created using djoin, and finally run djoin on the Nano server. Because Nano isn’t yet a trusted member of the domain, we’ll need to add the Nano server to the Windows Remote Management (WinRM) trusted hosts list on the server from which we want to make the remote connection.

Add the Nano server to the local WinRM trustedhosts list (Image Credit: Russell Smith)

Open a PowerShell prompt on the server from which you’ll connect to Nano, and run the command below, replacing 10.0.0.5 with the IP address of your Nano server. Type Y and press ENTER to confirm the operation when prompted. The -Concatenate parameter adds the value to the trustedhosts list, rather than overwriting it.

Set-Item WSMan:\localhost\Client\TrustedHosts "10.0.0.5" -Concatenate

Transfer the djoin blob to Nano

Now we’ll establish a remote session to the Nano server and transfer the file to Nano using PowerShell Remoting. The Get-Content cmdlet reads the blob locally, and the Invoke-Command cmdlet runs a script block on Nano that writes it out again with the Set-Content cmdlet. Variables defined locally that need to be passed to the remote Nano server are defined in the -ArgumentList parameter. Note that the file path for the djoin blob is the same on both local and remote servers.

# Read the blob locally, keeping its Unicode (UTF-16 LE) encoding
$filePath = 'c:\temp\odjblob'
$fileContents = Get-Content -Path $filePath -Encoding Unicode

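Enter credentials for the Nano server when prompted. The username should be in the form of computername\username.

# Open a remote session to Nano by IP address (allowed by the TrustedHosts entry)
$session = New-PSSession -ComputerName 10.0.0.5 -Credential nanosrv1\username

# Pass the path and the blob contents to the remote script block
Invoke-Command -Session $session -ArgumentList @($filePath,$fileContents) -ScriptBlock {
    param($filePath,$data)
    # -Force avoids an error if c:\temp already exists on Nano
    New-Item -ItemType directory -Path c:\temp -Force | Out-Null
    # Write the blob with the same encoding it was read with
    Set-Content -Path $filePath -Value $data -Encoding Unicode
}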

The djoin blob is encoded in UCS-2 (UTF-16) Little Endian, but the Get-Content and Set-Content cmdlets automatically convert the encoding to ASCII if you don’t specify otherwise. Setting the -Encoding value to unknown would also prevent the file encoding being changed to ASCII.
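
An alternative that avoids text encoding altogether, shown as an added example that is not part of the original article: it copies the blob as raw bytes and reads the remote file back to confirm an exact match before djoin is run. The IP address, account name and path are the article's sample values.

```powershell
# Added example, not from the original article.
# Assumed values (the article's samples): 10.0.0.5, nanosrv1\username, c:\temp\odjblob.
$filePath = 'c:\temp\odjblob'
$nanoIp   = '10.0.0.5'

# Read the blob as raw bytes and wrap it in Base64 so that no text
# encoding is applied to it at any point in the transfer.
$localB64 = [Convert]::ToBase64String([System.IO.File]::ReadAllBytes($filePath))

$session = New-PSSession -ComputerName $nanoIp -Credential nanosrv1\username
try {
    $remoteB64 = Invoke-Command -Session $session -ArgumentList $filePath, $localB64 -ScriptBlock {
        param($path, $b64)

        # Create the target directory only if it is missing.
        $dir = Split-Path -Path $path -Parent
        if (-not (Test-Path -Path $dir)) {
            New-Item -ItemType Directory -Path $dir | Out-Null
        }

        # Write the decoded bytes, then read the file back for comparison.
        [System.IO.File]::WriteAllBytes($path, [Convert]::FromBase64String($b64))
        [Convert]::ToBase64String([System.IO.File]::ReadAllBytes($path))
    }

    # Base64 is case-sensitive, so use the case-sensitive comparison operator.
    if ($remoteB64 -cne $localB64) {
        throw "Blob on $nanoIp does not match $filePath; do not run djoin /requestodj."
    }
    'Blob copied byte-for-byte: {0} bytes' -f ([Convert]::FromBase64String($remoteB64)).Length
}
finally {
    # Close the session whether or not the copy succeeded.
    Remove-PSSession -Session $session
}
```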

Join Nano to the domain

Now let’s enter a remote session interactively and run the djoin tool on the Nano server to join it to the domain. In this version of Nano, reusing the $session variable defined above throws an error, so we have to specify the Nano Server’s IP address and credentials again.

Run djoin on Nano to complete the domain join operation (Image Credit: Russell Smith)

Enter-PSSession -ComputerName '10.0.0.5' -Credential nanosrv1\username

The command prompt will now change to indicate that commands are running in a remote session [10.0.0.5] instead of locally. Run the djoin command as shown below, then reboot the Nano server to complete the operation using the shutdown command. If you don’t want to wait the default 20 secs before the server reboots, you can type Exit-PSSession and press ENTER in the remote command prompt to return to local control.

djoin /requestodj /loadfile c:\temp\odjblob /windowspath c:\windows /localos

shutdown /r
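
The steps above leave the Nano server's IP address in the local TrustedHosts list and a copy of the blob, which contains the new machine account's password, on both computers. The added example below (not from the original article) confirms the join over Kerberos and then cleans up. It assumes it is run after the reboot from a domain-joined computer, that nanosrv1.ad.contoso.com resolves in DNS, and that you supply a domain account.

```powershell
# Added example, not from the original article.
# Assumed values: the article's sample names plus a domain account you supply.
$nanoFqdn = 'nanosrv1.ad.contoso.com'   # assumes the DC's DNS resolves this name
$nanoIp   = '10.0.0.5'
$blobPath = 'c:\temp\odjblob'

# 1. Prove the join: Kerberos succeeds only if Nano holds the machine account
#    secret, and it authenticates the server, so no TrustedHosts entry is needed.
$session = New-PSSession -ComputerName $nanoFqdn -Authentication Kerberos `
                         -Credential (Get-Credential -Message 'Enter a domain account')
try {
    # 2. The blob holds the machine account password; remove the remote copy.
    Invoke-Command -Session $session -ArgumentList $blobPath -ScriptBlock {
        param($path)
        if (Test-Path -Path $path) { Remove-Item -Path $path -Force }
    }
}
finally {
    Remove-PSSession -Session $session
}

# 3. Remove the local copy of the blob.
if (Test-Path -Path $blobPath) { Remove-Item -Path $blobPath -Force }

# 4. Take the Nano IP back out of TrustedHosts, keeping any other entries.
$current = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts).Value
$kept = @($current -split ',' | ForEach-Object { $_.Trim() } |
          Where-Object { $_ -and $_ -ne $nanoIp })
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value ($kept -join ',') -Force
```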

 

 

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.