MCITP 70-640: Offline Domain Join

Uploaded by itfreetraining on 06.09.2012

In this video from IT Free Training I will look at offline domain join. Offline domain
join allows you to join a computer to a domain without the computer needing to contact
a Domain Controller. This video shows a number of different ways offline domain join can
be used to join computers to the domain. The name suggests the network needs to be
unavailable for it to be used, but some of the scenarios looked at can also be used when the
network is available; the end result is additional options for the network administrator when
deploying new computers.
In most cases you will have a Domain Controller available to join a computer to the domain.
In some cases this will not be the case, and a tool like offline domain join can come in
handy. If you were setting up a new office and the network had not been installed
yet, offline domain join would allow you to join these computers so they would be ready
to operate on the domain as soon as the connection is established.
Offline domain join is also useful for computers where the networking has not been installed
yet. For example, if you are installing a virtual computer,
often additional software will need to be installed which has the additional drivers
for devices like networking. By using offline domain join you can join the computer to the
domain as soon as it has finished installing, in other words before the device drivers for
the networking have been installed. This saves you an extra reboot. This is useful if you
need to get the virtual computer up as soon as possible.
The next use of offline domain join is with automated installs of Windows 7. If you create
an unattend file to install Windows with, you can use offline Domain Join with the unattend
file. This means that the computer can automatically be added to the domain when the operating
system is installed without a network connection being available.
The next question is, could offline domain join be used when there is a network connection
available? The answer is yes. There are two situations where you may want to use it. The first
is a small network that has a read only Domain Controller. A read only Domain Controller
holds a read only copy of the Active Directory database and cannot be used to add computers
to the domain. The read only Domain Controller replicates changes from a writeable Domain
Controller and stores them in its read only database. Thus the only way a change can be
made using a read only Domain Controller is for the read only Domain Controller to pass
the change on to a writeable Domain Controller and then wait for the change to be replicated back.
If there is an outage, offline domain join can be used to join the computers to the domain.
Keep in mind that the client will not be able to authenticate against the read only Domain Controller
until a replication has occurred with a writeable Domain Controller. In some cases this may
be acceptable; for example, in a very secure environment replication to a writeable Domain
Controller may be strictly controlled and happen very rarely. Using offline domain join,
the computer accounts can be created ahead of time. Replication still needs to occur between the read only
Domain Controller and the writeable Domain Controller, but the advantage is that once the
data has replicated to the read only Domain Controller, the writeable Domain Controller does
not need to be available when the computer is added to the domain.
The next use for offline domain join is when you want the person joining the computer to
do so without needing a username and password. In a previous video I looked at
allowing any user in the domain to add a computer to the domain using a pre-staged computer
account. The benefit of offline domain join is that you can allow a non-administrator
to add a computer to the domain without a username and password. Before doing this,
remember that the text file that offline domain join creates contains sensitive information
about the domain and thus it should be protected. To put it another way, the person that you are
giving the offline domain join file to should be trusted.
To start using offline domain join, you first need to meet a number of requirements. The
first one is that the client needs to be running Windows 7 or Windows Server 2008 R2. For the
domain, offline domain join supports Domain Controllers earlier than Windows Server 2008
R2. By default, offline domain join will attempt to contact a Windows Server 2008 R2 Domain
Controller. If you experience any problems, you can use the DownLevel switch. This will
force offline domain join to use a Domain Controller earlier than Windows Server 2008
R2. Since offline domain join supports earlier
Domain Controllers, you do not need to raise the domain or forest functional levels in order
to use offline domain join. The only requirement that you will need to worry about when using offline
domain join is that it is being run on a computer that is running Windows
7 or Windows Server 2008 R2. I will now change to my Windows Server 2008
R2 member server to look at how to use offline domain join.
Offline domain join is a command line utility, so I will first open a command prompt from
the start menu to execute the command. From the command prompt run the command DJoin with
the following parameters. The first parameter is provision. This indicates
that a new computer account is to be created in Active Directory. This computer account
needs to be present in Active Directory before offline domain join can be used to join the
computer to the domain. The next parameter is domain, followed by the
domain name that the computer account is going to be created in.
Following this is the machine parameter, followed by the computer name for the computer that
is to be added to the domain. In this case, the computer name is WS2.
The last parameter is SaveFile, which allows a file name to be given where the offline
domain join data will be saved. The command does not take too long to run.
Once run, the computer account for WS2 will be created in Active Directory. If I now open
Active Directory Users and Computers and navigate into Computers, you will notice that the computer
account for WS2 has been created. If I open the properties for the computer
account WS2, notice that when I go to the Operating System tab none of the details have
been filled in. Until I run DJoin on the other computer, these details will remain blank.
Now that the computer account has been created, I can change to my client operating
system. First of all I will open Network and Sharing
Center from the start menu. You can see here that no network cards are installed on this
computer and thus it is not connected to any networks. This computer could not normally
be joined to a domain until a network card has been installed and configured.
To add the computer to the domain, once again I will use DJoin from the command prompt.
When opening the command prompt make sure that it is opened with administrator rights.
This time when DJoin is run, the first parameter will be RequestODJ rather than the provision used
last time. After this is the parameter LoadFile, followed by the filename of the file saved
previously. The file itself is only small. In order to access the file on this computer
I have copied it to a floppy disk. I copied the file from the server to the floppy disk
when you were not looking. The next parameter is WindowsPath, followed
by the directory where Windows is located. You can enter a path like C:\Windows, but
since I am logged into the computer that I am changing I will enter %WinDir%. This
is an environment variable which will substitute the current Windows directory.
The final parameter is LocalOS. This tells DJoin that the computer that is to be joined
to the domain is the local computer. DJoin does not take long to join the computer
to the domain. Once complete, the computer needs to be restarted, so I will now restart
the computer. This computer is now part of the domain and will be able to take part in
the domain just like any other computer that was joined to the domain using an online Domain
Controller. Once the computer has rebooted, from the login
screen I will be able to log in to the domain. Since there is no network adapter installed
on this computer, I will get an error message saying that no logon servers are
available, but you can see the computer is part of the domain.
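As an added example that is not part of the video, here is the same two-step procedure written as PowerShell, with the provisioning file's permissions tightened before it is handed over; the domain name, file paths and floppy drive letter are assumptions.

```powershell
# Added example, not from the video. Domain name, blob path and drive letter are assumptions.
$Domain   = 'itfreetraining.local'    # assumed domain name
$Computer = 'WS2'                     # computer name used in the video
$Blob     = 'C:\ODJ\WS2.txt'          # assumed location for the provisioning file

# ---- Step 1: run on the Windows Server 2008 R2 member server ----
# Creates the WS2 computer account in Active Directory and writes the join data to $Blob.
function Invoke-OdjProvision {
    New-Item -ItemType Directory -Path (Split-Path $Blob) -Force | Out-Null
    # Add /downlevel here if only Domain Controllers older than 2008 R2 can be reached.
    djoin.exe /provision /domain $Domain /machine $Computer /savefile $Blob
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed (exit code $LASTEXITCODE)" }

    # The file carries the new machine account's secret, so drop inherited permissions
    # and leave only Administrators and the account that ran the provisioning.
    $Me = "$($env:USERDOMAIN)\$($env:USERNAME)"
    icacls.exe $Blob /inheritance:r /grant:r "BUILTIN\Administrators:(F)" "${Me}:(F)"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed (exit code $LASTEXITCODE)" }

    # Sanity check that the blob was written before handing it over (on a floppy, in the video).
    if ((Get-Item $Blob).Length -eq 0) { throw "provisioning file is empty" }
}

# ---- Step 2: run in an elevated prompt on the new Windows 7 client, no network needed ----
function Invoke-OdjRequest {
    param([string]$LoadFile = 'A:\WS2.txt')   # assumed: blob copied to a floppy disk

    # %WinDir% in the video corresponds to $env:windir here; /localos targets this machine.
    djoin.exe /requestODJ /loadfile $LoadFile /windowspath $env:windir /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed (exit code $LASTEXITCODE)" }

    # The join only takes effect after a restart, so remove the blob and reboot.
    Remove-Item $LoadFile -Force
    Restart-Computer -Force
}
```

For the unattend scenario mentioned earlier, the contents of the saved file are what goes into the AccountData element of the Microsoft-Windows-UnattendedJoin component in the offlineServicing pass.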
Well, that's it for offline domain join. Thanks for watching another video from IT Free
Training. Please see our web page or YouTube channel for more free videos for this and
other courses. See you next time.