Offline domain join in Active Directory

Since the era of Windows 7 and Windows Server 2008 R2, Microsoft has added offline domain join to the administrator’s tools.

In short, using the djoin.exe command-line tool, you can create (provision) a computer or server in Active Directory and then use an encoded file to join it to the domain without a direct communication between the computer/server and the Domain Controller.

Offline domain join in Active Directory

Offline domain join is mainly used in Direct Access implementations and in unattended installations, but also in cases where there is no satisfactory connectivity between a branch office and the central ones, making the classic online domain join difficult.

In summary, the procedure is as follows.

  • In a Domain Controller, we run the appropriate djoin /provision command which produces an encoded txt file.
  • We copy the file to the computer or server we are about to join into the domain and run the appropriate djoin /requestODJ command.
  • After restarting, the offline domain join process will be completed.

So let’s see how it’s done in the following steps. For this example, I have used Windows Server 2016 as a Domain Controller to create the file and an RODC on a branch office to join the domain.

Settings in the Domain Controller

In a Domain Controller, open the command prompt with Administrator privileges and type the following command.

djoin /provision /domain "meraki.edu" /machine "MRK-KVA-RODC" /savefile C:\RODC.txt

Where,
in the /domain parameter, type the name of the AD domain
in the /machine parameter, type the computer name
in the /savefile parameter, type the file’s (.txt) location in the disk

Offline domain join in Active Directory

The process of creating the file is instantaneous and by opening it you can see that the data it contains is encoded.

Offline domain join in Active Directory

Also, since the computer has been provisioned in Active Directory, you can confirm that the computer object has been created in the Computers container of the Active Directory Users and Computers console.

Offline domain join in Active Directory

Settings on the computer/server

Next, you’ll need to transfer the previously created file to your computer or server to join the domain. In our example, the file exists in C:\RODC.txt.

Open a command prompt window with administrator privileges and type the following command.

djoin /requestODJ /loadfile C:\RODC.txt /windowspath %systemroot% /localos

where in the /loadfile parameter, type the location where the file is located.
The rest of the parameters remain unchanged.

Offline domain join in Active Directory

If you see the error The offline domain join request failed. Error 0xa9d., Then add –% (two dashes) after djoin. That is, it will be something like that.

djoin --% /requestODJ /loadfile C:\RODC.txt /windowspath %systemroot% /localos

After running the command and successfully completing, you will need to restart the computer to complete the offline domain join process.

That’s it! Of course, do not forget that to log in using domain credentials, you need to have a DC or RODC connection to verify them. Otherwise, if the computer is not communicating to any of these, you can only log on using a local user account.

About Dimitris Tonias 144 Articles
My name is Dimitris Tonias, IT Pro, G(r)eek, focused on Server, Virtualization, and Cloud technologies.

6 Comments on Offline domain join in Active Directory

  1. Hi Dimitris
    When I tried these steps and “forced” join, my client pc was blocked from the internet. Perhaps my issue is related to the Windows 10 build of V1803.

  2. Hi friends,
    I tend to join a win 10 client to windows server 2016,my client can join to AD while I enter user name and password,it reply me the user name and password is incorrect.
    am sure my username and password is correct.
    whats the problem?

Leave a Reply

Your email address will not be published.


*