Active Directory

Performing an Offline Domain Join in Active Directory

How do you perform an offline domain join in Active Directory?

Microsoft introduced the offline domain join tool (Djoin.exe) in Windows 7 and Server 2008 R2, allowing system administrators to join Windows server or client operating systems to an Active Directory (AD) domain when there’s no connectivity to a domain controller (DC). There are a couple of scenarios where this can come in handy. First, domain join operations don’t always work reliably over wide-area network connections, even when there is connectivity to a remote domain controller. Second, offline domain joins can be performed as part of an unattended Windows installation. You should note that use of the offline domain tool is not supported on VMs that use differencing disks generated from a master Windows image.

There are two steps to the offline domain join process: provisioning a computer account in AD (djoin /provision) and then joining the desired computer to AD (djoin /requestODJ). To provision a computer account in AD, you must have connectivity to a DC. The Djoin.exe tool can only be run on Windows 7 and Server 2008 R2 (or later).

Provision a computer account in AD

  • Logon to any Windows 7 or Windows Server 2008 R2 (or later) computer that is a member of the domain. The account you logon with must have permission to add workstations to the domain — for instance, a Domain Administrator.
  • Open a command prompt and run the following command: djoin /provision /domain “AD” /machine “WIN8” /savefile win8blob.txt

Replace AD with the netbios name of your domain, then replace WIN8 with the machine name of the computer you want to join to the domain. The BLOB file that Djoin saves is required by the machine that you want to join to the domain and should be named appropriately. If you don’t have any Server 2008 R2 (or later) DCs in your domain, you need to additionally specify the /downlevel switch.

Sponsored Content

Maximize Value from Microsoft Defender

In this ebook, you’ll learn why Red Canary’s platform and expertise bring you the highest possible value from your Microsoft Defender for Endpoint investment, deployment, or migration.

If the djoin /provision command completes successfully, you’ll see a new computer account in the Computers container in AD. Before you can join your offline machine to the domain, it must have access to the BLOB file created by the djoin /provision command.

Perform an offline domain join

  • Logon to the machine that you want to join to the domain with a local administrator account and open a command prompt with elevated privileges.
  • Run the following command and replace win8blob.txt with the name of the BLOB file you created with the djoin /provision command: djoin /requestODJ /loadfile win8blob.txt /windowspath %systemroot% /localos
  • Reboot the machine.

 

The /localos switch is required when running djoin /requestODJ on an online image. Offline domain joins can also be performed against offline virtual hard drive (VHD) images.

Once the machine has rebooted, if you go to System Information in the Control Panel, you’ll see that the computer is now a member of your domain. Remember that you’ll only be able to logon with a domain account for the first time if there’s connectivity to a DC.

Related Topics:

BECOME A PETRI MEMBER:

Don't have a login but want to join the conversation? Sign up for a Petri Account

Register
Comments (1)

One response to “Performing an Offline Domain Join in Active Directory”

  1. <p>Thank you so much, Russell! I struggled with getting a Windows 10 Enterprise joined to a 2012 domain and know the DNS, WINS, and local network adapter IP settings were right on.</p><p><br></p><p>Your method did the trick. Great job!</p>

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
External Sharing and Guest User Access in Microsoft 365 and Teams

This eBook will dive into policy considerations you need to make when creating and managing guest user access to your Teams network, as well as the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure.

You will learn:

  • Who should be allowed to be invited as a guest?
  • What type of guests should be able to access files in SharePoint and OneDrive?
  • How should guests be offboarded?
  • How should you determine who has access to sensitive information in your environment?

Sponsored by: