Since the era of Windows 7 and Windows Server 2008 R2, Microsoft has added offline domain join to the administrator’s tools.
In short, using the djoin.exe command-line tool, you can create (provision) a computer or server in Active Directory and then use an encoded file to join it to the domain without a direct communication between the computer/server and the Domain Controller.
Offline domain join in Active Directory
Offline domain join is mainly used in Direct Access implementations and in unattended installations, but also in cases where there is no satisfactory connectivity between a branch office and the central ones, making the classic online domain join difficult.
In summary, the procedure is as follows.
- In a Domain Controller, we run the appropriate djoin /provision command which produces an encoded txt file.
- We copy the file to the computer or server we are about to join into the domain and run the appropriate djoin /requestODJ command.
- After restarting, the offline domain join process will be completed.
So let’s see how it’s done in the following steps. For this example, I have used Windows Server 2016 as a Domain Controller to create the file and an RODC on a branch office to join the domain.
Settings in the Domain Controller
In a Domain Controller, open the command prompt with Administrator privileges and type the following command.
djoin /provision /domain "meraki.edu" /machine "MRK-KVA-RODC" /savefile C:\RODC.txt |
Where,
in the /domain parameter, type the name of the AD domain
in the /machine parameter, type the computer name
in the /savefile parameter, type the file’s (.txt) location in the disk
The process of creating the file is instantaneous and by opening it you can see that the data it contains is encoded.
Also, since the computer has been provisioned in Active Directory, you can confirm that the computer object has been created in the Computers container of the Active Directory Users and Computers console.
Settings on the computer/server
Next, you’ll need to transfer the previously created file to your computer or server to join the domain. In our example, the file exists in C:\RODC.txt.
Open a command prompt window with administrator privileges and type the following command.
djoin /requestODJ /loadfile C:\RODC.txt /windowspath %systemroot% /localos |
where in the /loadfile parameter, type the location where the file is located.
The rest of the parameters remain unchanged.
If you see the error The offline domain join request failed. Error 0xa9d., Then add –% (two dashes) after djoin. That is, it will be something like that.
djoin --% /requestODJ /loadfile C:\RODC.txt /windowspath %systemroot% /localos |
After running the command and successfully completing, you will need to restart the computer to complete the offline domain join process.
That’s it! Of course, do not forget that to log in using domain credentials, you need to have a DC or RODC connection to verify them. Otherwise, if the computer is not communicating to any of these, you can only log on using a local user account.
This is very convenient for me & my virtual machines.
Hi Dimitris
When I tried these steps and “forced” join, my client pc was blocked from the internet. Perhaps my issue is related to the Windows 10 build of V1803.
Hi friends,
I tend to join a win 10 client to windows server 2016,my client can join to AD while I enter user name and password,it reply me the user name and password is incorrect.
am sure my username and password is correct.
whats the problem?
Thank you for sharing this. Do you have any idea how we can provision multiple computers?
Hey – may I ask, what does adding the –% actually do? Why does it work doing that?
it is very useful and i have fixed one machine