70-410 Objective 5.2 – How To Offline Domain Join a Workstation on Windows Server 2012 R2
In this video for Objective 5.2, Creating and Managing User and Computer Accounts, we will look at how to offline domain join a computer. Although Windows Server 2012 R2 was used for this lab, the process is exactly the same for Windows 7, Windows 8, Windows 8.1 and Windows 10 workstations.
You may ask why offline domain join? I can only give one example, but there are many others I just haven’t thought of yet. In one particular scenario I needed to have external clients authenticate with Windows Firewall with Advanced Security. This was so that a KMS server could activate the client on the Internet, but would not activate every computer on the Internet. These work-at-home users would never have their computers inside the network, but in order for the firewall rule to work the computer would need to authenticate its account. So offline domain joining is useful in this particular scenario.
You may ask yourself: if a computer never contacts the domain after being joined, will its account get stale? The answer is no. A client computer will attempt every 30 days to contact a domain controller to change its password. If it can’t contact a DC, it will continue to operate as normal.
The basic principle behind an offline domain join is creating the account in Active Directory. A computer object is created with a computer name and password. This is exported to a text file, which is then imported on the client computer. Now the Active Directory domain and the client computer have a matching computer name and password.
We start by creating the computer account in Active Directory using the djoin.exe utility. We then transfer the exported file that contains the account information over to our workstation; in this case it’s Server 2. We then use the djoin.exe utility on Server 2 to import the information into the computer’s Local Security Authority Subsystem Service (LSASS) and reboot. When the server reboots it will believe it is joined to the Contoso.com domain.
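The provision, transfer and import steps described above, as an added PowerShell example that is not taken from the video. The computer name SERVER2, the path C:\ODJ\server2.txt and the function names are assumptions; the djoin.exe switches are the utility's standard ones.

```powershell
# Added example. $Machine, $BlobPath and the function names are assumed values,
# not taken from the video. Run every step from an elevated prompt.
$Domain   = 'contoso.com'
$Machine  = 'SERVER2'               # assumed computer name for "Server 2"
$BlobPath = 'C:\ODJ\server2.txt'    # assumed export location

function New-OdjBlob {
    # Step 1: on a domain-joined machine, with rights to create computer objects.
    param([string]$Domain, [string]$Machine, [string]$BlobPath)
    $dir = Split-Path -Path $BlobPath
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    # The exported file carries the machine account password, base64-encoded
    # but not encrypted, so limit the folder to the current user and SYSTEM.
    $me = "${env:USERDOMAIN}\${env:USERNAME}"
    icacls.exe $dir /inheritance:r /grant:r "${me}:(OI)(CI)F" 'SYSTEM:(OI)(CI)F' | Out-Null
    djoin.exe /provision /domain $Domain /machine $Machine /savefile $BlobPath
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed: exit code $LASTEXITCODE" }
}

function Import-OdjBlob {
    # Step 2: on the workstation, after copying the file over a trusted channel.
    param([string]$BlobPath)
    djoin.exe /requestODJ /loadfile $BlobPath /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed: exit code $LASTEXITCODE" }
    # The file is not needed after the import; do not leave the secret behind.
    Remove-Item -Path $BlobPath -Force
}

function Test-DomainMembership {
    # Step 3: after the reboot, confirm what the machine believes about itself.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{ PartOfDomain = $cs.PartOfDomain; Domain = $cs.Domain }
}

# On the domain-joined machine:
#   New-OdjBlob -Domain $Domain -Machine $Machine -BlobPath $BlobPath
# On Server 2, once the file has been copied across:
#   Import-OdjBlob -BlobPath $BlobPath
#   Restart-Computer
# On Server 2 after the reboot:
#   Test-DomainMembership
```

Delete the copy left on the provisioning machine and on any transfer media as well, since anyone who reads the file can import that computer account.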
Introduction – 0:10
Setup of the lab – 0:20
Why use Offline Domain Joining – 0:35
Provisioning of the computer account with Djoin.exe – 1:05
Examining the exported account file and AD – 1:50
Switching to Server 2 our client – 2:10
Using Djoin.exe to join Server 2 to the domain – 2:28
Rebooting Server 2 – 3:35
Verifying Server 2 is part of the Contoso.com domain – 3:50
Explanation of what happened – 4:00