
Windows 7 Offline Domain Join

Offline domain join is a new feature in Windows 7 and Windows Server 2008 R2 that lets you join a computer to a domain without contacting a domain controller directly. It can add computers to a domain when network connectivity to the domain controller is not available. When a computer joins a domain, the trust relationship between that computer and the Active Directory domain changes on both sides. Prior to Windows 7 and Windows Server 2008 R2, there was no tool that could make these changes on the computer unless it was connected to a domain controller at the time it joined. Windows 7 and Windows Server 2008 R2 include the application djoin.exe, located at %SystemDrive%\Windows\System32\djoin.exe, to perform this task. The general process for using offline domain join is simple:

  1. Create the computer account in Active Directory.
  2. Force the replication of the secrets of the computer that is going to join the domain.
  3. Use djoin.exe to write the state information the computer needs to join the domain to a text file.
  4. Import that text file on the computer using djoin.exe; when it reboots, it will be joined to the domain.

This tool can also be used when deploying Windows 7 computers with an unattended setup, because the unattended answer file (.xml) now includes a section for offline domain join.

Djoin.exe must be run from an elevated command prompt. Running djoin.exe /? displays the available switches. As the examples show, to provision a computer account in a domain you run djoin.exe /PROVISION /DOMAIN <DomainName> /MACHINE <ComputerName> /SAVEFILE <FilePath> on a computer that is already joined to the domain, or on the domain controller itself. Verify that the computer account now exists in the domain. Then, on the target machine (whether it is offline or on the domain), run in an elevated command prompt: djoin.exe /REQUESTODJ /LOADFILE <FilePath> /WINDOWSPATH <%WindowsDirectory%> (when the target is the running operating system rather than an offline image, djoin.exe also requires the /LOCALOS switch).
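The two-sided workflow described above, as an added PowerShell example that is not part of the original page: the provisioning side checks djoin.exe's exit code and immediately restricts the blob file's ACL to the provisioning user, and the import side applies the blob with /LOCALOS and then deletes it. The domain name, machine name and blob path are assumed placeholders.

```powershell
# Added example, not code from the original page.
# Assumed placeholders: domain CORP.EXAMPLE, machine WS01, blob C:\odj\WS01.txt.

function New-OdjBlob {
    param(
        [Parameter(Mandatory)] [string]$Domain,
        [Parameter(Mandatory)] [string]$Machine,
        [Parameter(Mandatory)] [string]$BlobPath
    )
    # Run from an elevated prompt on a domain-joined machine or a domain controller.
    $dir = Split-Path -Parent $BlobPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }

    & djoin.exe /PROVISION /DOMAIN $Domain /MACHINE $Machine /SAVEFILE $BlobPath
    if ($LASTEXITCODE -ne 0) { throw "djoin /PROVISION failed with exit code $LASTEXITCODE" }

    # The blob carries the new computer account's secret. Strip inherited ACEs and
    # leave only the provisioning user with access before the file is copied anywhere.
    $me = "$($env:USERDOMAIN)\$($env:USERNAME)"
    & icacls.exe $BlobPath /inheritance:r /grant:r "${me}:(F)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    # Show the resulting ACL so the operator can confirm nothing else was granted.
    Get-Acl -Path $BlobPath | Format-List Path, AccessToString
}

function Import-OdjBlob {
    param([Parameter(Mandatory)] [string]$BlobPath)
    # Run from an elevated prompt on the target machine; no DC connectivity is needed.
    # /LOCALOS tells djoin that the running OS, not an offline image, is the target.
    & djoin.exe /REQUESTODJ /LOADFILE $BlobPath /WINDOWSPATH $env:SystemRoot /LOCALOS
    if ($LASTEXITCODE -ne 0) { throw "djoin /REQUESTODJ failed with exit code $LASTEXITCODE" }

    # The blob is no longer needed once applied; remove it so the secret does not linger.
    Remove-Item -Path $BlobPath -Force
    Write-Host "Reboot to complete the join, then verify with: nltest /sc_query:<DomainName>"
}

# Usage (assumed values):
#   New-OdjBlob -Domain 'CORP.EXAMPLE' -Machine 'WS01' -BlobPath 'C:\odj\WS01.txt'
#   Import-OdjBlob -BlobPath 'C:\odj\WS01.txt'
```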

Warning: The text file generated by djoin.exe must be kept in a secure location, because it contains the secret for the provisioned computer account and may allow an unauthorized computer to join the domain under that identity. Although the feature is relatively new and attackers have not yet been seen exploiting it, use caution when moving the text file.
