MCITP 70-640: Offline Domain Join

In this video from IT Free Training I will look at offline domain join. Offline domain join allows you to join a computer to a domain without the computer needing to contact a Domain Controller. This video shows a number of different ways offline domain join can be used to join computers to the domain. The name suggests that the network needs to be unavailable for it to be used, but some of the scenarios looked at can be used when the network is available; the end result is additional options for the network administrator when deploying new computers.

In most cases you will have a Domain Controller available to join a computer to the domain. In some cases this will not be so, and a tool like offline domain join can come in handy. If you were setting up a new office and the network had not been installed yet, offline domain join would allow you to join these computers so they would be ready to operate on the domain as soon as the connection is established.

Offline domain join is also useful for computers where the networking has not been installed yet. For example, if you are installing a virtual computer, additional software often needs to be installed which contains the drivers for devices like networking. By using offline domain join you can join the computer to the domain as soon as it has finished installing, in other words before the network device drivers have been installed. This saves you an extra reboot, which is useful if you need to get the virtual computer up as soon as possible.

The next use of offline domain join is with automated installs of Windows 7. If you create an unattend file to install Windows with, you can use offline domain join with the unattend file. This means that the computer can automatically be added to the domain when the operating system is installed, without a network connection being available.

The next question is, could offline domain join be used when there is a network connection available? The answer is yes. There are two situations where you may want to use it. Consider a small network that has a read-only Domain Controller. A read-only Domain Controller holds a read-only copy of the Active Directory database and cannot be used to add computers to the domain. The read-only Domain Controller replicates changes from a writeable Domain Controller and stores them in its read-only database. Thus the only way a change can be made through a read-only Domain Controller is for it to pass the change on to a writeable Domain Controller and then wait for the change to be replicated. If there is an outage, offline domain join can be used to join the computers to the domain. Keep in mind that the client will not be able to authenticate against the read-only Domain Controller until replication has occurred with a writeable Domain Controller. In some cases this may be acceptable; for example, in a very secure environment replication to a writeable Domain Controller may be strictly controlled and happen very rarely. Using offline domain join, the computer accounts can be created ahead of time. Replication still needs to occur between the read-only Domain Controller and the writeable Domain Controller, but the advantage is that once the data has replicated to the read-only Domain Controller, the writeable Domain Controller does not need to be available when the computer is added to the domain.

The next use for offline domain join is when you want the person joining the computer to do so without needing a username and password. In a previous video I looked at allowing any user in the domain to add a computer to the domain using a pre-staged computer account. The benefit of offline domain join is that you can allow a non-administrator to add a computer to the domain without a username and password. Before doing this, remember that the text file that offline domain join creates contains sensitive information about the domain and thus it should be protected. To put it another way, the person you give the offline domain join file to should be trusted.

To start using offline domain join, you first need to meet a number of requirements. The first is that the client needs to be running Windows 7 or Windows Server 2008 R2. For the domain, offline domain join supports Domain Controllers earlier than Windows Server 2008 R2. By default, offline domain join will attempt to contact a Windows Server 2008 R2 Domain Controller. If you experience any problems, you can use the DownLevel switch. This forces offline domain join to use a Domain Controller earlier than Windows Server 2008 R2.
Since offline domain join supports earlier Domain Controllers, you do not need to raise the domain or forest functional levels in order to use it. The only requirement you need to worry about is that offline domain join is run on a computer running Windows 7 or Windows Server 2008 R2.
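For the unattended-install scenario mentioned earlier, the text file that DJoin provisioning writes has to be embedded in the unattend file. The PowerShell below is an added example, not code from IT Free Training; it assumes the Microsoft-Windows-UnattendedJoin component layout (offlineServicing pass, Identification/Provisioning/AccountData) and the file paths shown are constructed.

```powershell
# Added example, not IT Free Training's code: embed a DJoin provisioning
# blob in an unattend.xml so the computer joins during an unattended install.
function Add-OdjToUnattend {
    param(
        [Parameter(Mandatory=$true)] [string] $BlobFile,      # written by djoin /provision /savefile
        [Parameter(Mandatory=$true)] [string] $UnattendPath,  # existing unattend.xml to update
        [string] $Arch = 'amd64'                              # use x86 for 32-bit Windows 7
    )
    # djoin saves the blob as Unicode text; strip line ends, spaces and any trailing NULs
    $text = [IO.File]::ReadAllText($BlobFile)
    $blob = $text.Trim([char[]]@(0, 9, 10, 13, 32))
    if ($blob -notmatch '^[A-Za-z0-9+/=]+$') { throw "$BlobFile does not look like a base64 blob" }

    [xml] $xml = [IO.File]::ReadAllText($UnattendPath)
    $ns = 'urn:schemas-microsoft-com:unattend'
    # Assumed layout: offlineServicing pass holding the UnattendedJoin component.
    # If the file already has an offlineServicing pass, merge the component into it by hand.
    $settings = $xml.CreateElement('settings', $ns)
    $settings.SetAttribute('pass', 'offlineServicing')
    $comp = $xml.CreateElement('component', $ns)
    $attrs = @{ name = 'Microsoft-Windows-UnattendedJoin'; processorArchitecture = $Arch
                publicKeyToken = '31bf3856ad364e35'; language = 'neutral'; versionScope = 'nonSxS' }
    foreach ($kv in $attrs.GetEnumerator()) { $comp.SetAttribute($kv.Key, $kv.Value) }
    $ident = $xml.CreateElement('Identification', $ns)
    $prov  = $xml.CreateElement('Provisioning', $ns)
    $data  = $xml.CreateElement('AccountData', $ns)
    $data.InnerText = $blob
    [void] $prov.AppendChild($data); [void] $ident.AppendChild($prov)
    [void] $comp.AppendChild($ident); [void] $settings.AppendChild($comp)
    [void] $xml.DocumentElement.AppendChild($settings)
    $xml.Save($UnattendPath)

    # The unattend file now carries the same secret as the blob file, so guard it the same way:
    # drop inherited ACEs and leave read access to the deployment account only.
    $me = "$env:USERDOMAIN\$env:USERNAME"
    & icacls.exe $UnattendPath /inheritance:r /grant:r "${me}:(R)" | Out-Null
}

# Constructed paths for illustration:
# Add-OdjToUnattend -BlobFile 'C:\odj\ws2.txt' -UnattendPath 'C:\deploy\unattend.xml'
```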
I will now change to my Windows Server 2008 R2 member server to look at how to use offline domain join. Offline domain join is a command line utility, so I will first open a command prompt from the start menu to execute the command. From the command prompt, run the command DJoin with the following parameters.

The first parameter is provision. This indicates that a new computer account is to be created in Active Directory. This computer account needs to exist in Active Directory before offline domain join can be used to join the computer to the domain. The next parameter is domain, followed by the name of the domain in which the computer account is to be created. Following this is the machine parameter, followed by the computer name of the computer that is to be added to the domain. In this case the computer name is WS2. The last parameter is SaveFile, which allows a file name to be given where the offline domain join data will be saved.

The command does not take long to run. Once it has run, the computer account for WS2 will have been created in Active Directory. If I now open Active Directory Users and Computers and navigate to Computers, you will notice that the computer account for WS2 has been created. If I open the properties for the computer account WS2 and go to the Operating System tab, notice that none of the details have been filled in. Until I run DJoin on the other computer, these details will remain blank. Now that the computer account has been created, I can change to my client operating system.
First of all I will open Network and Sharing Center from the start menu. You can see here that no network cards are installed on this computer and thus it is not connected to any networks. This computer could not normally be joined to a domain until a network card has been installed and configured.

To add the computer to the domain, once again I will use DJoin from the command prompt. When opening the command prompt, make sure that it is opened with administrator rights. This time when DJoin is run, the first parameter will be RequestODJ rather than the provision parameter used last time. After this is the parameter LoadFile, followed by the file name of the file saved previously. The file itself is only small. In order to access the file on this computer I have copied it to a floppy disk. I copied the file from the server to the floppy disk when you were not looking.

The next parameter is WindowsPath, followed by the directory where Windows is located. You can enter a path like C:\Windows, but since I am logged into the computer that I am changing I will enter %WinDir%. This is an environment variable which substitutes the current Windows directory. The final parameter is LocalOS. This tells DJoin that the computer to be joined to the domain is the local computer.
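The provision and RequestODJ steps walked through above, as an added PowerShell example that is not IT Free Training's code. It also locks down the saved file, as the video advises, since anyone holding it can join a machine to the domain. The domain name and paths are constructed, and it assumes djoin.exe and icacls.exe are on the path, as they are on Windows 7 and Windows Server 2008 R2.

```powershell
# Added example (not from IT Free Training): wraps the two DJoin steps from the
# video. Assumes Windows 7 / Server 2008 R2 or later and, for provisioning,
# an account allowed to create computer objects in the target domain.
function New-OdjBlob {
    param(
        [Parameter(Mandatory=$true)] [string] $Domain,    # constructed example: 'example.local'
        [Parameter(Mandatory=$true)] [string] $Machine,   # computer name, e.g. WS2
        [Parameter(Mandatory=$true)] [string] $SaveFile,  # where the blob text file is written
        [switch] $DownLevel                               # use a pre-2008 R2 DC, as the video describes
    )
    $djoinArgs = @('/provision', '/domain', $Domain, '/machine', $Machine, '/savefile', $SaveFile)
    if ($DownLevel) { $djoinArgs += '/downlevel' }
    & djoin.exe @djoinArgs
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

    # The blob lets whoever holds it join a machine to the domain, so strip
    # inherited ACEs and leave only the provisioning account with read access.
    $me = "$env:USERDOMAIN\$env:USERNAME"
    & icacls.exe $SaveFile /inheritance:r /grant:r "${me}:(R)" | Out-Null
    return Get-Item $SaveFile
}

function Join-OdjLocalComputer {
    param([Parameter(Mandatory=$true)] [string] $LoadFile)   # the blob file from New-OdjBlob
    # djoin /requestODJ must run elevated, as the video points out
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated command prompt; djoin /requestODJ needs administrator rights.'
    }
    if (-not (Test-Path $LoadFile)) { throw "Blob file not found: $LoadFile" }
    # %WinDir% is the Windows directory of the machine being joined; /localos says it is this OS
    & djoin.exe /requestODJ /loadfile $LoadFile /windowspath $env:WINDIR /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
    Write-Output 'Join staged; restart the computer to complete it.'
}

# Usage with constructed values:
# On the member server:          New-OdjBlob -Domain 'example.local' -Machine 'WS2' -SaveFile 'A:\ws2.txt'
# On the new client (elevated):  Join-OdjLocalComputer -LoadFile 'A:\ws2.txt'; Restart-Computer
```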
DJoin does not take long to join the computer to the domain. Once complete, the computer needs to be restarted, so I will now restart the computer. This computer is now part of the domain and will be able to take part in the domain just like any other computer that was joined using an online Domain Controller.

Once the computer has rebooted, from the login screen I will be able to log in to the domain. Since there is no network adapter installed on this computer, I will get an error message saying that no logon servers are available, but you can see the computer is part of the domain. Well, that’s it for offline domain join. Thanks for watching another video from IT Free Training. Please see our web page or YouTube channel for more free videos for this and other courses. See you next time.
