What's New in AD DS: Offline Domain Join
Updated: January 9, 2009
Applies To: Windows Server 2008 R2
Offline domain join is a new process that joins computers running Windows® 7 or Windows Server 2008 R2 to a domain in Active Directory Domain Services (AD DS)—without any network connectivity. This process includes a new command-line tool, Djoin.exe, which you can use to complete an offline domain join.
You can use offline domain join to join computers to a domain without contacting a domain controller over the network. You can join computers to the domain when they first start up after an operating system installation. No additional restart is necessary to complete the domain join. This helps reduce the time and effort required to complete a large-scale computer deployment in places such as datacenters.
For example, an organization might need to deploy many virtual machines within a datacenter. Offline domain join makes it possible for the virtual machines to be joined to the domain when they initially start following the operating system installation. No additional restart is required to complete the domain join. This can significantly reduce the overall time required for wide-scale virtual machine deployments.
A domain join establishes a trust relationship between a computer running a Windows operating system and an Active Directory domain. This operation requires state changes to AD DS and state changes on the computer that is joining the domain. With previous Windows operating systems, the computer joining the domain had to be running, and it had to have network connectivity to contact a domain controller, before the join could be completed. Offline domain join provides the following advantages over the previous requirements:
- The Active Directory state changes are completed without any network traffic to the computer.
- The computer state changes are completed without any network traffic to a domain controller.
- Each set of changes can be completed at a different time.
The following sections explain some of the benefits that offline domain join can provide.
Offline domain join can reduce the total cost of ownership for computers by reducing the startup time that is required for each server and by increasing the reliability of domain join operations in production environments. Datacenters today commonly have a provisioning server that configures an image and then sends that image to be deployed on a production computer. The production computer is set up, joined to the domain, and restarted. If there are any problems associated with the domain join, such as network connectivity problems or problems associated with necessary servers that are offline, the problems have to be diagnosed and resolved at that time. In this situation, offline domain join helps prevent problems that can arise with the communication between the production computer and a domain controller by configuring the domain join information during the setup for the production computer. The total amount of time to set up each server is reduced by eliminating the additional restart that is required to complete an online domain join.
In Windows Server 2008, there is a mechanism to perform domain join operations against a read-only domain controller (RODC). However, a domain join operation that is performed against an RODC involves multiple steps:
- Precreate the computer account in the directory, and set some additional attributes using scripts.
- If necessary, modify the Password Replication Policy (PRP) of the RODC to allow the password for the computer that you want to join to the domain to be cached by the RODC.
- Force replication of the secrets of the computer that is to join the domain.
- Communicate the password offline to the computer that is about to join the domain.
- Run a custom script that targets the RODC to complete the join.
When you use offline domain join, the steps for performing domain join operations against an RODC are simplified, as follows:
- Precreate the account in AD DS.
- Send the relevant state information that the domain-joining computer needs to consume to a text file.
- The computer consumes the information in the text file and then, when it starts, it is joined to the domain.
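The two halves of the simplified procedure above, as an added example that is not part of the original article: one script that either provisions the account and saves the state file (Step 1, run by an account with the right to join workstations) or consumes that file on the computer being joined (Step 2, with no domain controller reachable). The domain name, computer name, file path and the use of the documented /downlevel switch are assumptions; the state file carries the new machine account's password, so the script restricts who can read it and removes it once consumed.

```powershell
# Added example (not from the original article). Domain, machine and path values are assumed.
param(
    [string]$Domain      = 'corp.example.com',    # assumed domain name
    [string]$MachineName = 'VM-WEB01',            # assumed name of the computer to join
    [string]$BlobPath    = 'C:\odj\VM-WEB01.txt', # assumed location of the saved state file
    [switch]$Downlevel,                           # target a DC older than Windows Server 2008 R2
    [ValidateSet('Provision','Request')][string]$Step = 'Provision'
)

$djoin = Join-Path $env:SystemRoot 'System32\djoin.exe'
if (-not (Test-Path $djoin)) {
    throw 'djoin.exe is available only on Windows 7 / Windows Server 2008 R2 and later.'
}

switch ($Step) {
    'Provision' {
        # Step 1: precreate the computer account in AD DS and write its state to a text file.
        New-Item -ItemType Directory -Path (Split-Path $BlobPath) -Force | Out-Null
        $djoinArgs = @('/provision', '/domain', $Domain, '/machine', $MachineName, '/savefile', $BlobPath)
        if ($Downlevel) { $djoinArgs += '/downlevel' }
        & $djoin @djoinArgs
        if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

        # The saved blob contains the machine account password: drop inherited ACEs and
        # leave read access to the provisioning user only (SYSTEM keeps full control).
        icacls $BlobPath /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)" 'SYSTEM:(F)' | Out-Null
        Write-Host "Provisioned $MachineName in $Domain; transfer $BlobPath to the target out of band."
    }
    'Request' {
        # Step 2: on the computer being joined, consume the state file against the local OS.
        # No domain controller is contacted; the join takes effect at the next restart.
        if (-not (Test-Path $BlobPath)) { throw "State file $BlobPath not found." }
        & $djoin /requestODJ /loadfile $BlobPath /windowspath $env:SystemRoot /localos
        if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }

        # The blob is single-use; do not leave the machine account secret on disk.
        Remove-Item $BlobPath -Force
        Write-Host 'Offline domain join data applied; restart to complete the join.'
    }
}
```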
By using deployment tools, such as Windows System Image Manager, you can perform an unattended domain join during an operating system installation by providing information that is relevant to the domain join in an Unattend.xml file. Using the same Unattend.xml file, you can supply the information necessary for the computers that run Windows 7 and Windows Server 2008 R2 to perform offline domain join.
The Unattend.xml file for Windows 7 and Windows Server 2008 R2 includes a new section to support offline domain join.
The following groups might be interested in these changes:
- Active Directory administrators
- Network architects
- System builders
- Security administrators
- Datacenter administrators
You can run Djoin.exe only on computers that run Windows 7 or Windows Server 2008 R2. This applies to both ends of the operation: the computer on which you run Djoin.exe to provision computer account data into AD DS and the computer that you want to join to the domain must each be running Windows 7 or Windows Server 2008 R2.
By default, the Djoin.exe commands target a domain controller that runs Windows Server 2008 R2. However, you can specify an optional /downlevel parameter if you want to target a domain controller that is running a version of Windows Server that is earlier than Windows Server 2008 R2.
To perform an offline domain join, you must have the user rights that are necessary to join workstations to the domain. By default, members of the Domain Admins group have the user rights to join workstations to a domain. If you are not a member of the Domain Admins group, you must either be granted or delegated these user rights. For more information about how to delegate these user rights, see the Offline Domain Join Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=134704).
This feature is available in all editions.
Djoin.exe is included in both Windows 7 and Windows Server 2008 R2, and it is available in both 32-bit and 64-bit versions. However, the base64-encoded BLOB that results from the provisioning command is architecture independent. Therefore, you can run Djoin.exe on either a 32-bit computer or a 64-bit computer to provision computer account data in AD DS, and you can run Djoin.exe again on either a 32-bit computer or a 64-bit computer to request the offline domain join.