The procedure for entering into the domain of a computer located outside the perimeter of your corporate environment is not complicated and is a matter of a few steps that must be performed on the client and any server within the domain of your organization. The article shows how to join domain remotely using the Direct Access service.
1. Creating an Answer File for Offline Domain Join of a PC to a Domain
Connect to the server console using Remote Desctop Protocol and launch the command line or powershell console. Use what you like best. In the example, I will use the command line. To do this, I will run the cmd utility as an administrator. To do this, right-click on the Command Line and select Run as administrator in the appeared window.
2. Using the Command Line Interface, Enter the Following Command
Djoin.exe / provision / domain EXAMPLE.COM / machine COMPUTER NAME / rootcacerts / machineou "ou = desktops, dc = EXAMPLE, dc = COM" / policynames "DirectAccess Client Settings" / savefile C: \ FILE NAME.txt
3. Help for Working with the Djoin.Exe Utility
/ PROVISION– Prepare a computer account in the domain.
/ DOMAIN name– the name of the domain to which you want to join.
/ MACHINE name– is the name of the computer joined to the domain.
/ MACHINEOU OU– An optional parameter defining the Organizational Unit of the OU in which the account is created.
/ DCNAME DC– An optional parameter that defines the target DC domain controller for which an account is created.
/ REUSE– Reuse any existing account (its password will be reset).
/ SAVEFILE path_to_file—Saves the preparation data in the file specified as path_to the file. / NOSEARCH – Skip account conflict detection; DCNAME is required (better performance).
/ DOWNLEVEL– Support using a domain controller Windows Server 2008 or earlier.
/ PRINTBLOB– Return a base64-encoded binary binary metadata object for an answer file.
/ DEFPWD– Use the default computer account password (not recommended).
/ REQUESTODJ– Request autonomous domain join at next boot.
/ LOADFILE path_to_file– is the name and path to the file specified earlier in the / SAVEFILE parameter.
/ WINDOWSPATH path– the path to the directory with the offline image of Windows.
/ LOCALOS– Allows you to specify the local OS in / WINDOWSPATH.
djoin command should be run as administrator. Preparing an account for joining a domain should be performed in the context of an account with domain administrator privileges. A restart is required to apply the changes on the computer being joined.
As a result of executing the command with the above parameters, we will get a response file that already contains the necessary certificates for Direct Access, a list of direct access policies, the DNS namespace is needed.
4. Entering the Computer Domain via Direct Access
We transfer the received text file to the user’s workplace and run it from the command line:
djoin / requestODJ / loadfile C: \ FILE NAME.txt / windowspath% SystemRoot% / localos
This completes the process of remote computer input to the domain. In the invitation window, enter the name of the domain user and his password.
Consider Using Action1 to Join Domain Remotely if:
- You need to perform an action on multiple computers simultaneously.
- You have remote employees with computers not connected to your corporate network.