New Djoin.exe utility in Windows Server 2008 R2

Windows Server 2008 R2 domain controllers include a new feature named Offline Domain Join. A new utility named Djoin.exe lets you join a computer to a domain, without contacting a domain controller while completing the domain join operation, by obtaining a blob from a Windows Server 2008 R2 domain controller at an earlier point in time. The computer is domain-joined when it first starts, so no restart is needed as with a normal domain join. The general steps for using Djoin.exe are:

  1. Run djoin /provision to create the computer account metadata. The output of this command is a .txt file that includes a base-64 encoded blob.
  2. Run djoin /requestODJ to insert the computer account metadata from the .txt file into the Windows directory of the destination computer.
  3. Start the destination computer, and the computer will be joined to the domain.
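
The three steps above as a PowerShell script, added here as an example and not taken from the original post. Because the blob contains the machine account password, the script also restricts the file's ACL and deletes it after use. The domain, machine name and `C:\ODJ` path are constructed placeholders.

```powershell
# Added example, not from the original post. contoso.com, WKS-0142 and
# C:\ODJ are constructed placeholders; substitute your own values.
$Domain  = 'contoso.com'
$Machine = 'WKS-0142'
$Blob    = "C:\ODJ\$Machine.txt"

function New-OdjBlob {
    # Step 1: run on a domain-joined Windows 7 / Server 2008 R2 computer
    # with an account that may create computer objects in the domain.
    New-Item -ItemType Directory -Path (Split-Path $Blob) -Force | Out-Null
    & djoin.exe /provision /domain $Domain /machine $Machine /savefile $Blob
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed ($LASTEXITCODE)" }

    # The blob contains the machine account password. Drop inherited ACEs and
    # grant access only to BUILTIN\Administrators and SYSTEM (well-known SIDs).
    & icacls.exe $Blob /inheritance:r /grant:r '*S-1-5-32-544:F' '*S-1-5-18:F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed ($LASTEXITCODE)" }
}

function Install-OdjBlob {
    # Step 2: run elevated against the destination Windows directory.
    # $WindowsPath is either a mounted offline image (for example D:\Windows)
    # or the running OS, in which case djoin also needs /localos.
    param([string]$WindowsPath = $env:SystemRoot)

    $djoinArgs = @('/requestODJ', '/loadfile', $Blob, '/windowspath', $WindowsPath)
    if ($WindowsPath.TrimEnd('\') -ieq $env:SystemRoot.TrimEnd('\')) {
        $djoinArgs += '/localos'
    }
    & djoin.exe $djoinArgs
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed ($LASTEXITCODE)" }

    # The blob is no longer needed once inserted; do not leave copies on
    # shares or removable media.
    Remove-Item -LiteralPath $Blob -Force
    # Step 3: start (or restart) the destination computer to finish the join.
}
```

Call `New-OdjBlob` on the provisioning computer, move the file over a protected channel, then call `Install-OdjBlob` on the destination.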

The computer where you run djoin /provision and the destination computer both need to run Windows Server 2008 R2 or Windows 7. We have a step-by-step guide published at https://technet.microsoft.com/en-us/library/dd392267(WS.10).aspx and appreciate any feedback you have.

This posting is provided "AS IS" with no warranties, and confers no rights.

Comments

  • Anonymous
    January 01, 2003
    The entire process for joining the domain offline seems to work flawlessly, however, once you have joined the domain and restarted you are still stuck inasmuch as you can't log in as you have no cached credentials, and the only way to get them is if you have access to a domain controller to process the logon. This requires you to be physically connected to the domain. Hence, you might as well wait until you are locally network attached to the domain and join in the normal manner. If I'm missing something here please let me know.

  • Anonymous
    January 01, 2003
    Appreciate your quick response. MS supporting community Rocks!!!

  • Anonymous
    January 01, 2003
    Hi Manishju, Thanks for your question. The Djoin.exe developers said that the tool itself does not require the offline domain join to be completed within a specific time period. The secure channel password reset is initiated by the client machine so that will not become an issue. The domain controller will not expire or clean up the account by itself. An administrator would have to intervene, but many organizations run scripts every 30 to 60 days in order to clean up stale or unused computer accounts. I will add this to the topic. I hope that helps, Justin [MSFT] Active Directory Documentation Team

  • Anonymous
    December 08, 2010
    Hi, this might be a noob question, but how long will this process take if I had to install over a network?

  • Anonymous
    January 11, 2012
    Hi Justin, Thanks for the Blog. We are re-imaging Windows XP machines with a fresh Windows 7 install.  We are keeping the XP and Win 7 machines in separate OUs, meaning that somewhere in the provisioning process, the existing account would need to be moved to the Win 7 OU.  We've developed vbscripts to do this with inconsistent results.  Taking care of the domain join process on the "front-end" sounds like a promising way of assuring the process goes more smoothly. My hope is that we could use djoin with the /reuse and /machineOU parameters to "prep" the existing account AND relocate it to the new OU using the /machineOU parameter.  Is this scenario feasible? Thanks in Advance for your help! -Ben

  • Anonymous
    May 18, 2015
    Hi Justin,

    I thought this djoin had a real world purpose for me, as I wanted to create a mechanism where staff in rural parts of the world could re-connect to a corporate domain without having to travel 8+ hours to get into an office (so that they would pass our VPN authentication checks), I am now stuck where the rest of the people in this thread seem to be, where you get 99% of the way through just to get "no logon servers available" when trying to connect whilst off the network. Is there any extra switch that could be used to get around this, or any future plans to make this tool so much more powerful?

    Thanks,
    Josh

  • Anonymous
    May 19, 2015
    The comment has been removed

  • Anonymous
    May 19, 2015
    Thanks for the quick and valuable response Jay,
    I will look into this, it sounds like it could be exactly what I am after.

    Appreciated,
    Josh