Active Directory 2008 : Creating Computers and Joining the Domain (part 3) - Offline Domain Join

8/15/2013 11:20:52 AM

Offline Domain Join

Windows Server 2008 R2 and Windows 7 introduce a new option for joining computers to a domain, called offline domain join. As the name of the feature suggests, offline domain join allows you to join a server or client to the domain even if the computer does not have network connectivity or cannot currently contact a domain controller. You use a new command, Djoin.exe, in a process that is detailed later in this section, to inject the Windows directory of a workgroup computer with the information it requires to join the domain at startup.

Offline domain join is an important feature for datacenters, virtual desktop infrastructures, and other wide-scale machine deployments. In such environments, physical or virtual machines are often provisioned on demand, in large numbers, and using automated methods.

If a machine runs an earlier version of Windows, the machine must be started in workgroup configuration, joined to the domain, and then restarted. If a machine runs Windows 7 or Windows Server 2008 R2, its disk can be injected with the domain join information, and it will be a member of the domain at startup. By eliminating a restart, the total cost of ownership of these environments is reduced.

Offline domain join is also useful when a computer is deployed in a lab or other disconnected environment. When the computer is connected to the domain network and started for the first time, it will already be a member of the domain. This also helps to ensure that Group Policy settings are applied at the first startup.

Four major steps are required to join a computer to the domain by using offline domain join:

  1. Log on to a computer in the domain that is running Windows Server 2008 R2 or Windows 7 with an account that has permissions to join computers to the domain.

  2. Use the DJoin command to provision a computer for offline domain join. This step prepopulates Active Directory with the information that Active Directory needs to join the computer to the domain, and exports the information called a blob to a text file.

  3. At the offline computer that you want to join the domain, use DJoin to import the blob into the Windows directory.

  4. When you start or restart the computer, it will be a member of the domain.

Each of these steps is examined in detail in the sections that follow.

Prepare for Offline Domain Join

To perform an offline domain join, you must have the right to join computers to the domain. The Domain Admins group has this right by default. If you are not a member of the Domain Admins group, a member of the Domain Admins group must complete one of the following actions to allow you to join workstations to the domain:

  • Use Group Policy to grant you the required user rights. After you have been granted the right to join computers to the domain through Group Policy, you can create a computer account anywhere in the domain, and join a computer to the domain.

  • Edit the access control list (ACL) of the default computers container for the domain. After you have been assigned the Create Child - Allow permission for computer objects on the default Computers container, you can perform offline domain join and computers will be created in the default Computers container. You learned in an earlier topic that, by default, the Computers container is CN=Computers,dc=domain, and that you can use the RedirCmp command to change the default to any OU in the domain.

  • Edit the ACL of any OU and use the /machineOU parameter. After you have been assigned the Create Child - Allow permission for computer objects in an OU, you can provision computers for offline domain join by using the /machineOU parameter of the DJoin command.

Before you can proceed to provision a computer for offline domain join, you must log on as an account that has the right to join computers to the domain. The computer to which you log on must be running either Windows Server 2008 R2 or Windows 7. DJoin is not available in earlier versions of Windows.

Provision a Computer in Active Directory for Offline Domain Join

Run Djoin.exe from an elevated Command Prompt to provision the computer account in Active Directory. The basic syntax of DJoin is as follows:

djoin.exe /provision /domain DomainDNSName /machine ComputerName /savefile Filename

where:

  • The /provision parameter creates a new computer account in Active Directory. If the computer account already exists, add the /reuse parameter to provision the existing computer account for offline domain join.

  • DomainDNSName is the DNS name of the domain—for example, contoso.com.

  • ComputerName is the name of the computer to create or reuse.

  • Filename is the path and name of a text file that will be created. The file will contain the blob of metadata that can be used by the computer to join the domain.

For example, to create a new computer account for COMPUTER007 in the contoso.com domain, and to export its offline domain join blob to a file named COMPUTER007_Join.txt on the desktop, run the following command:

djoin.exe /provision /domain contoso.com /machine COMPUTER007 /savefile COMPUTER007_Join.txt

DJoin accepts several parameters, the most commonly used of which are the following:

  • /machineOU OU specifies the OU in which to create the computer account, where OU is the distinguished name of the OU—for example, OU=Client Computers,DC=contoso,DC=com.

  • /dcname domainControllerName specifies the DC on which to create the computer account. By default, the domain controller location process selects a domain controller automatically. With this switch, you can select a particular DC.

  • /downlevel specifies that the domain controller runs a version of Windows earlier than Windows Server 2008 R2.

The computer account is provisioned in Active Directory, and account metadata is exported as a base64-encoded blob to the file specified by the /savefile parameter. Although the information is encrypted, it is highly sensitive. It contains the machine account password and information about the domain including the domain name, the name of a domain controller, and the SID of the domain. Therefore, the blob and the file that contains it should be treated just as securely as a plaintext password. Care must be taken when transferring the information.
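The datacenter scenario described earlier means provisioning is rarely done one machine at a time. The following PowerShell script is an added example, not code from the original article: it provisions a list of computer accounts with Djoin.exe /provision into a chosen OU, checks the exit code of each run, and keeps the resulting blob files in a folder whose NTFS ACL is restricted to the provisioning account and SYSTEM, because each blob carries a machine account password. The domain name, OU, output folder and machine names are hypothetical values; the script assumes an elevated PowerShell prompt on Windows 7 or Windows Server 2008 R2 and an account that is allowed to create computer objects in that OU.

```powershell
<#
  Added example (not from the original article): bulk-provision computer accounts
  for offline domain join and lock down the folder that receives the blob files.
  Hypothetical values: domain contoso.com, OU "OU=Clients,DC=contoso,DC=com",
  output folder C:\ODJ and the machine names in $Machines.
#>
param(
    [string]   $Domain    = 'contoso.com',
    [string]   $MachineOU = 'OU=Clients,DC=contoso,DC=com',
    [string]   $OutDir    = 'C:\ODJ',
    [string[]] $Machines  = @('COMPUTER007', 'COMPUTER008', 'COMPUTER009'),
    [switch]   $Reuse     # set when the accounts already exist (adds /reuse)
)

# Create the output folder, then strip inherited ACEs so that only the account
# running this script and SYSTEM can read the blobs. icacls ships with Windows.
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
$me = "$env:USERDOMAIN\$env:USERNAME"
icacls $OutDir /inheritance:r /grant:r "${me}:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed to lock down $OutDir" }

$results = @()
foreach ($name in $Machines) {
    $blob = Join-Path $OutDir "${name}_Join.txt"
    $djoinArgs = @('/provision', '/domain', $Domain, '/machine', $name,
                   '/machineOU', $MachineOU, '/savefile', $blob)
    if ($Reuse) { $djoinArgs += '/reuse' }

    # djoin.exe reports status on stdout; the exit code is the reliable signal.
    $output = & djoin.exe @djoinArgs 2>&1
    $ok = ($LASTEXITCODE -eq 0)
    $results += New-Object PSObject -Property @{
        Machine  = $name
        Success  = $ok
        BlobFile = $(if ($ok) { $blob } else { $null })
        Message  = ($output | Out-String).Trim()
    }
}

# Summary of what was provisioned, plus the djoin message for any failure.
$results | Format-Table Machine, Success, BlobFile -AutoSize
$results | Where-Object { -not $_.Success } |
    ForEach-Object { Write-Warning "$($_.Machine): $($_.Message)" }
```

The ACL is applied to the folder before any blob is written, so no file ever exists with the default inherited permissions. A run that fails for one machine (for example, because the account already exists and /reuse was not given) does not stop the others; the warning at the end shows djoin's own message for each failed name so the run can be repeated with -Reuse where appropriate.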

Perform an Offline Domain Join

The account metadata that was exported in a blob to a text file by using Djoin.exe /provision can be imported to a computer, after which the computer will become a domain member at the next startup.

On a computer that is already running Windows, you can import the account metadata by using the DJoin command, which uses the following syntax:

djoin.exe /requestODJ /loadfile Filename /windowspath %SystemRoot% /localos

where:

  • /requestODJ specifies that you want to perform an offline domain join operation.

  • Filename is the path and file name of the text file that contains the account metadata blob. This is the file that you created by using Djoin.exe /provision.

  • %SystemRoot% is the built-in Windows variable that represents the directory in which Windows is installed. Alternately, you can use the variable %WinDir%.

  • /localos specifies that you are injecting the domain join information into the local computer.

For example, on COMPUTER007, run the following command:

djoin.exe /requestODJ /loadfile COMPUTER007_Join.txt /windowspath %SystemRoot% /localos

On a computer that is installed but not started, you can inject the account metadata into the Windows folder of the system. Consider a scenario in which you have deployed a new physical or virtual machine by applying a standardized, corporate image. The new computer has not yet been started.

In this scenario, you must mount the disk drive of the new computer to an existing computer by using one of several procedures, described later. When you mount the disk drive, it appears as an additional volume on the existing computer. You can then run DJoin with the following syntax:

djoin.exe /requestODJ /loadfile Filename /windowspath PathToWindowsFolder

where:

  • /requestODJ specifies that you want to perform an offline domain join operation.

  • Filename is the path and file name of the text file that contains the account metadata blob. This is the file that you created by using Djoin.exe /provision.

  • PathToWindowsFolder is the path to the Windows folder of the offline computer. The path you enter must be the path as it is seen on the computer that you are using to run DJoin.

For example, let’s assume that you are logged on to a computer named DESKTOP101 that is running Windows 7. You have just applied an image to a new computer that is named COMPUTER007. You mount COMPUTER007’s hard disk, and it appears as the D:\ drive. You open an elevated Command Prompt and run the following command:

djoin.exe /requestODJ /loadfile COMPUTER007_Join.txt /windowspath D:\Windows

If the computer you want to join the domain is a physical computer, you can mount the hard disk drive of the computer as an additional disk for a computer that is already running Windows. For example, you could put the new computer’s disk into an external disk enclosure and attach it to a computer with a USB cable.

If the computer you want to join the domain is a virtual machine, you can mount its virtual disk to a virtual machine that is already running Windows. The steps for mounting a virtual disk to an existing virtual machine vary depending on the virtualization software that you are using.

If the computer you want to join the domain is a Hyper-V virtual machine, you can mount its virtual disk to a physical computer that is already installed. In the Computer Management console, first select Disk Management, then right-click Disk Management, and then choose Attach VHD.

In each of these scenarios, the computer you use to mount the disk of the new computer must be running Windows 7 or Windows Server 2008 R2 so that you can use the DJoin command.
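The mounted-disk procedure above, for the Hyper-V case, can be scripted so that the disk is attached, the blob injected and the disk detached in one pass. The following PowerShell script is an added example and not code from the original article: it attaches the virtual machine's VHD with diskpart's attach vdisk command (available in Windows 7 and Windows Server 2008 R2), finds the drive letter that appeared and holds a Windows folder, runs Djoin.exe /requestODJ with that path as /windowspath, and detaches the disk again even if DJoin fails. The VHD path and blob file name are hypothetical values, and the script assumes diskpart assigns a drive letter to the attached volume automatically.

```powershell
<#
  Added example (not from the original article): inject an offline domain join
  blob into the Windows folder of a not-yet-started Hyper-V virtual machine.
  Hypothetical values: VHD at C:\VMs\COMPUTER007.vhd and the blob produced by
  djoin /provision at C:\ODJ\COMPUTER007_Join.txt. Run elevated on Windows 7
  or Windows Server 2008 R2.
#>
param(
    [string]$VhdPath  = 'C:\VMs\COMPUTER007.vhd',
    [string]$BlobFile = 'C:\ODJ\COMPUTER007_Join.txt'
)

# diskpart takes its commands from a script file when started with /s.
function Invoke-DiskPart([string[]]$Commands) {
    $script = [IO.Path]::GetTempFileName()
    $Commands | Set-Content -Path $script -Encoding ASCII
    try     { diskpart /s $script | Out-Null }
    finally { Remove-Item $script -Force }
}

# Drive letters currently present; the attached VHD will add a new one.
function Get-DriveLetters {
    Get-WmiObject Win32_LogicalDisk | ForEach-Object { $_.DeviceID }
}

$before = Get-DriveLetters
Invoke-DiskPart @("select vdisk file=`"$VhdPath`"", 'attach vdisk')
Start-Sleep -Seconds 5          # give the volume a moment to come online
$after = Get-DriveLetters

try {
    # The offline system volume is the new letter that contains \Windows\System32.
    $newLetters = $after | Where-Object { $before -notcontains $_ }
    $winPath = $newLetters | ForEach-Object { "$_\Windows" } |
               Where-Object { Test-Path "$_\System32" } |
               Select-Object -First 1
    if (-not $winPath) { throw "No Windows folder found on the attached VHD ($VhdPath)." }

    # /windowspath is the path as seen from THIS computer, for example E:\Windows.
    & djoin.exe /requestODJ /loadfile $BlobFile /windowspath $winPath
    if ($LASTEXITCODE -ne 0) { throw "djoin.exe failed with exit code $LASTEXITCODE" }
    Write-Host "Injected $BlobFile into $winPath; $(Split-Path $VhdPath -Leaf) will join the domain at first startup."
}
finally {
    # Always detach, even when djoin failed, so the virtual machine can still be started.
    Invoke-DiskPart @("select vdisk file=`"$VhdPath`"", 'detach vdisk')
}
```

Detecting the Windows folder by the presence of System32 rather than taking the first new letter matters when the VHD carries more than one volume (a System Reserved partition also gets a letter). Once the injection has succeeded the blob file is no longer needed on the provisioning computer and, given what it contains, should be removed rather than left on the desktop.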

Practice Creating Computers and Joining the Domain

In this practice, you implement best practices for creating computers and joining systems to the domain. You begin by creating an OU structure to host new computer objects. You then create prestaged computer objects and delegate permission to join the computers to the domain. You delegate permission to create computer objects, and you redirect the default computer container. Finally, you provision a computer account for offline domain join.

Before performing the exercises, you must have certain objects in the contoso.com domain. If the objects already exist, move them to the locations indicated.

  • A first-level OU named Admins with a sub-OU named Groups.

  • A global security group in the Admins\Groups OU named Server Admins.

  • A global security group in the Admins\Groups OU named Help Desk.

  • A first-level OU named User Accounts.

  • A user in the User Accounts OU named Jeff Ford. The user is a member of Domain Users and Server Admins. Ensure that the account has a password and is enabled.

  • A user in the User Accounts OU named Linda Mitchell. The user is a member of Domain Users and Help Desk. Ensure that the account has a password and is enabled.

In addition, if a computer object for DESKTOP101 already exists, delete it. Finally, in this and other practices in this training kit, you will log on to the domain controller with user accounts that are not members of Domain Administrators or the domain’s Administrators group. Therefore, you must give all user accounts the right to log on locally to the domain controllers in your practice environment. Follow the steps in the article, “Grant a Member the Right to Logon Locally,” at http://technet.microsoft.com/en-us/library/ee957044(WS.10).aspx to grant the Allow Logon Locally right to the Administrators and Domain Users groups. If you will use Remote Desktop Services to connect to the domain controller—rather than logging on locally—grant the Allow Logon Through Remote Desktop Services right. Reboot the server or otherwise refresh Group Policy. This is for the practice environment only. In a production environment, you should not grant users the right to log on to domain controllers.

EXERCISE 1 Create OUs for Client and Server Computer Objects

Before you can create computer accounts, you must create OUs for the objects. In this exercise, you create OUs for server and computer objects. If the Clients and Servers OUs already exist, you can skip this exercise.

  1. Log on to SERVER01 as Administrator.

  2. Open the Active Directory Users And Computers snap-in and expand the domain.

  3. Right-click the contoso.com domain, point to New, and then click Organizational Unit.

  4. Type Clients and click OK.

  5. Right-click the contoso.com domain, point to New, and then click Organizational Unit.

  6. Type Servers and click OK.

EXERCISE 2 Create Computer Objects

After creating an OU for computer objects, you can prestage accounts for computers that will join the domain. In this exercise, you prestage an account for a client and an account for a server and delegate the ability to join the computers to the domain.

  1. Right-click the Clients OU, point to New, and then click Computer.

  2. The New Object – Computer dialog box appears, as shown in Figure 3.

  3. Type the computer’s name in the Computer Name box: DESKTOP101.

  4. Click Change next to the User Or Group box.

  5. In the Select User Or Group dialog box that appears, type the name of the user or group that will be allowed to join the computer to the domain: Help Desk. Click OK.

  6. Click OK to close the New Object – Computer dialog box.

  7. Right-click the Servers OU, point to New, and then click Computer.

  8. The New Object – Computer dialog box appears, as shown in Figure 3.

  9. Type the computer’s name in the Computer Name box: SERVER15.

  10. Click Change next to the User Or Group box.

  11. In the Select User Or Group dialog box that appears, enter the name of the user or group that will be allowed to join the computer to the domain: Server Admins. Click OK.

  12. Click OK to close the New Object – Computer dialog box.

EXERCISE 3 Delegate the Ability to Create Computer Objects

You must have permission to create computer objects to create accounts as you did in Exercise 2, “Create Computer Objects.” The Administrator account has such permissions, but you might want to delegate the ability to create computer accounts to other groups. In this exercise, you delegate least-privilege permissions to create computer objects.

  1. On SERVER01, open the Active Directory Users And Computers snap-in.

  2. Click the View menu and ensure that Advanced Features is selected.

  3. Right-click Clients and choose Properties.

  4. On the Security tab, click Advanced.

  5. Click Add.

  6. Type Help Desk and click OK.

  7. On the Object tab, in the Apply To drop-down list, choose This Object And All Descendant Objects.

  8. In the Permissions list, select the Allow check box next to the Create Computer Objects permission.

  9. Click OK three times to close all dialog boxes.

  10. Optionally, you can test your delegation by running Command Prompt as a different user.

    To run Command Prompt as another user, hold the Shift key and right-click Command Prompt in the Start menu, and then click Run As Different User. In the credentials dialog box, enter the user name and password for Linda Mitchell.

EXERCISE 4 Redirect the Default Computer Container

It is recommended that you redirect the default computer container so that any new computer objects generated by joining a computer to the domain without a prestaged account will be created in a managed OU rather than in the Computers container. In this exercise, you use Redircmp.exe to redirect the default computer container.

  1. On SERVER01, open Command Prompt.

  2. Type the following command and press Enter:

    redircmp "OU=Clients,DC=contoso,DC=com"

EXERCISE 5 Provision a Computer for Offline Domain Join

In this exercise, you use the DJoin command to provision a computer account for offline domain join.

  1. On SERVER01, open Command Prompt.

  2. Type the following command on a single line and press Enter:

    djoin.exe /provision /domain contoso.com /machine LAPTOP101 /machineOU "OU=Clients,DC=contoso,DC=com" /savefile "C:\Users\Administrator\Desktop\LAPTOP101_Join.txt"

  3. Open the LAPTOP101_Join.txt file on the desktop.

    The account metadata is base64 encoded.
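Exercises 3, 4 and 5 can also be carried out, and verified, from PowerShell. The script below is an added example rather than part of the training kit: it grants Help Desk the Create Computer Objects permission on the Clients OU with inheritance to all descendants (the same ACE the Advanced Security dialog creates in Exercise 3), redirects the default computer container with Redircmp.exe, provisions LAPTOP101 with DJoin, and after each step checks that the change actually took effect. It assumes an elevated session on SERVER01 with the ActiveDirectory module of Windows Server 2008 R2, and uses the well-known schema class GUID for computer objects, bf967a86-0de6-11d0-a285-00aa003049e2; the names and paths are those used in the exercises.

```powershell
<#
  Added example (not from the training kit): Exercises 3 to 5 as a script with
  checks. Assumes Windows Server 2008 R2 with the ActiveDirectory module, the
  contoso.com domain, the Clients OU, the Help Desk group and computer LAPTOP101.
#>
Import-Module ActiveDirectory

$ouDN      = 'OU=Clients,DC=contoso,DC=com'
$groupName = 'Help Desk'
$computer  = 'LAPTOP101'
$blobFile  = 'C:\Users\Administrator\Desktop\LAPTOP101_Join.txt'
# Schema class GUID of "computer"; scoping the ACE to it is what the GUI's
# "Create Computer Objects" check box does.
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# --- Exercise 3: delegate Create Computer Objects on the OU and all descendants ---
$groupSid = (Get-ADGroup $groupName).SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl = Get-Acl "AD:\$ouDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: the ACE is present and scoped exactly to CreateChild of computer objects.
$ace = (Get-Acl "AD:\$ouDN").Access | Where-Object {
    $_.IdentityReference -like "*\$groupName" -and
    $_.ObjectType -eq $computerClassGuid -and
    $_.ActiveDirectoryRights -eq 'CreateChild' -and
    $_.AccessControlType -eq 'Allow'
}
if (-not $ace) { throw "Delegation for '$groupName' was not applied to $ouDN" }

# --- Exercise 4: redirect the default computer container ---
redircmp $ouDN
if ($LASTEXITCODE -ne 0) { throw "redircmp failed with exit code $LASTEXITCODE" }
$domain = Get-ADDomain
if ($domain.ComputersContainer -ne $ouDN) {
    throw "Default computer container is still $($domain.ComputersContainer)"
}

# --- Exercise 5: provision LAPTOP101 for offline domain join ---
& djoin.exe /provision /domain $domain.DNSRoot /machine $computer /machineOU $ouDN /savefile $blobFile
if ($LASTEXITCODE -ne 0) { throw "djoin.exe /provision failed with exit code $LASTEXITCODE" }

# Check: the account landed in the Clients OU and the blob file is valid base64.
$obj = Get-ADComputer $computer
if ($obj.DistinguishedName -ne "CN=$computer,$ouDN") {
    throw "$computer was created at $($obj.DistinguishedName), not in $ouDN"
}
$text  = [IO.File]::ReadAllText($blobFile).Trim([char]0, ' ', "`r", "`n")
$bytes = [Convert]::FromBase64String($text)   # throws if the file is not base64
Write-Host ("Blob for {0}: {1} base64 characters, {2} bytes decoded. Treat the file like a password." -f
            $computer, $text.Length, $bytes.Length)
```

The ACE check is deliberately strict: it looks for CreateChild limited to the computer class, so a broader grant such as GenericAll on the OU would not pass it, which is the least-privilege point of Exercise 3. The ComputersContainer property of Get-ADDomain reflects the domain's wellKnownObjects attribute, which is what Redircmp.exe rewrites, so it confirms the redirection without opening ADSI Edit.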

 