Wednesday, January 14, 2015

Offline Domain Join

Offline Domain Join

Offline Domain Join is a new process for a computers running Windows 7 and Windows Server 2008 R2 that can use to join a Domain without contacting Domain Controller. This makes possible for Computers to join to a Domain in location where their is no connectivity to corporate network. 

A Domain Join establishes trust relationship between computer running Windows and Operating System and Active Directory Domain. This operation requires state changes to Active Directory Domain Services (AD DS) and state changes on computer that is joining in Domain. To join a computer in Domain in Past requires that Computer that joined in Domain is connected to Network and should be contactable to Domain Controller.


Advantages:-


# Active Directory State Changes are completed without any Network traffic to the computer.

# The Computer state changes are completed without any Network traffic to a Domain Controller.

# Each set of changes can be completed at different time.


 Requirements:-

To Perform Offline Domain join run command by using new tool Djoin.exe. Run Djoin.Exe to provision computer account data in to AD DS. You also need to insert Computer account data into windows directory of destination computer, Computer which you want to join in domain. The Offline Domain join does not required to complete in a specific period of time. The Computer account which is provisioned can remain in AD DS till administrator intervenes. 

Operating System:-


Note: You can run Djoin.exe only on a computer running Windows 7 and Windows Server 2008 R2.  The Computer that you want to join in a Domain must also be running Windows 7 or Windows Server 2008 R2. By Default Djoin.exe command target Domain Controller running Windows Server 2008 R2. If you want to target Domain running previous version of Windows Server than Windows Server 2008 R2, you need to specify optional /downlevel  parameter.


Credentials:-

To perform Offline Domain Join, You must have rights that requires to join workstation to Domain. Domain Admin Group members have this rights by default.

You can use Group Policy Management Console (GPMC)  to modify domain policy or to create new policy that has settings to grant User rights to join PC to Domain.


Steps to assign rights to user to join workstation to domain:-


1. Click Start, Administrative Tools and Click Group Policy Management.

2. Double Click name of Forest, Double Click name of Domain to which u want to join a computer. Right Click on Default Domain Policy and Click on Edit.

3. Double Click Computer Configuration, Double Click Policies, Double Click Windows Settings, Double Click Security Settings, Double Click Local Policies and Double Click User Rights Assignment.

4. In Details Pane, Double Click on Add Workstations to Domain.

5. Select Define these policy settings check box and Click Add User or Group.

6. Type name of account that you want to grant rights to add workstation to Domain and Click OK twice.


Steps to perform for Offline Domain Join:-

1. Run Djoin.exe/provision command to create computer account metadata for destination computer ( Computer which you want to join in Domain). You must specify name of Domain that you want computer to join as a part of this command.

2. Run Djoin.exe/requestODJ command to insert computer account metadata into windows directory of destination computer.

3. When u start destination computer after installing OS, Computer will be join in Domain which you specify.