Managing Active Directory Offline Domain Join in Server 2022

Posted on 21st June 2023

Introduction

In Server 2022, Active Directory Offline Domain Join (OOJ) can be used to join a computer to an Active Directory domain without requiring the computer to be connected to the domain network. This allows for scenarios in which a computer needs to be joined to a domain, but cannot be connected to the domain network. For example, a computer that is located in a remote office or branch office (ROBO) that does not have a VPN connection to the domain network can be joined to the domain using OOJ.

Prerequisites

  • The computer must be running Server 2022.
  • The computer must have a static IP address.
  • The computer must be connected to the Internet.
  • The computer must have an Active Directory domain account.

Configuring Active Directory Offline Domain Join

1. On the domain controller, open the Active Directory Users and Computers console.

2. In the console tree, expand the domain, expand Computers, and then click the OU in which you want to add the computer account.

3. In the details pane, click the Action menu, and then click New > Computer.

4. In the New Object – Computer dialog box, type a name for the computer, and then click Next.

5. In the Operating System list, select the operating system for the computer, and then click Next.

6. In the Computer Domain list, select the domain in which you want to add the computer account, and then click Next.

7. In the Offline Domain Join Settings dialog box, type the name of the OU in which the computer account will be created, and then click Next.

8. In the Join Options dialog box, select the Join the domain using an offline domain join option, and then click Next.

9. In the Summary dialog box, review the settings, and then click Finish.

Adding a Computer to the Domain Using Active Directory Offline Domain Join

1. On the computer that you want to join to the domain, open the Server Manager console.

2. In the navigation pane, click Offline Domain Join.

3. In the details pane, click the Join a domain option.

4. In the Join a Domain dialog box, type the name of the domain that you want to join, and then click OK.

5. In the User Name and Password dialog box, type the credentials of a user who has permission to join computers to the domain, and then click OK.

6. In the Offline Domain Join dialog box, review the settings, and then click Finish.

Conclusion

In this article, you have learned how to configure Active Directory Offline Domain Join in Server 2022 and how to join a computer to the domain using Active Directory Offline Domain Join.

Performing an Offline Domain Join

To perform an Offline Domain Join, you will need:

  • A computer running Windows Server 2022 with the Active Directory Domain Services role installed.
  • The domain name and credentials of a user with permissions to join computers to the domain.
  • The name of an OU (Organizational Unit) in the domain where the computer account will be created.

Once you have gathered the required information, you can begin the Offline Domain Join process by running the following command on the server:

djoin.exe /provision /domain domainname /machine computername /savefile c:\temp\offline.txt

This will create a file called offline.txt in the c:\temp directory. This file contains the information required to join the computer to the domain offline.

Next, copy the offline.txt file to the computer you wish to join to the domain. On the computer, open an elevated command prompt and run the following command:

djoin.exe /requestodj /loadfile c:\temp\offline.txt /windowspath %windir% /localos

This will create a file called request.txt in the c:\temp directory. This file contains the information required by the Active Directory Domain Services role to create the computer account.

Finally, copy the request.txt file to the server and run the following command to complete the Offline Domain Join process:

djoin.exe /odjin /loadfile c:\temp\request.txt

The computer will now be joined to the domain.
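The two djoin.exe steps above, wrapped in PowerShell as an added example (not code from the article): the provisioning side locks down the blob file, which carries the new machine account password, and checks the account landed in the intended OU; the client side stages the join and then wipes the blob. The domain, machine name and OU are assumed placeholders, and Get-ADComputer assumes the RSAT ActiveDirectory module is present.

```powershell
# Added example, not from the article. Domain, machine and OU names are assumptions.
# Run from an elevated prompt; Get-ADComputer needs the RSAT ActiveDirectory module.
$ErrorActionPreference = 'Stop'

function Invoke-OdjProvision {
    param(
        [string]$Domain    = 'contoso.com',                   # assumption
        [string]$Machine   = 'SRV-BRANCH01',                  # assumption
        [string]$MachineOU = 'OU=Servers,DC=contoso,DC=com',  # OU named in the article
        [string]$BlobPath  = 'C:\temp\offline.txt'
    )
    New-Item -ItemType Directory -Path (Split-Path $BlobPath) -Force | Out-Null
    # /provision creates the computer account in AD and writes the blob file.
    & djoin.exe /provision /domain $Domain /machine $Machine /machineou $MachineOU /savefile $BlobPath
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed (exit $LASTEXITCODE)" }

    # The blob contains the machine account password. Cut inheritance and leave
    # only the provisioning admin and SYSTEM on the ACL until the file is consumed.
    $acl = Get-Acl -Path $BlobPath
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($id in @("$env:USERDOMAIN\$env:USERNAME", 'NT AUTHORITY\SYSTEM')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $BlobPath -AclObject $acl

    # Verify the account was created in the intended OU before the blob leaves this host.
    $dn = (Get-ADComputer -Identity $Machine).DistinguishedName
    if ($dn -notlike "*,$MachineOU") { throw "Account created outside $MachineOU : $dn" }
    # Record a hash so the copy on the target can be checked for tampering in transit.
    Write-Host "Provisioned $Machine; blob SHA256 $((Get-FileHash -Path $BlobPath).Hash)"
}

function Invoke-OdjRequest {
    param([string]$BlobPath = 'C:\temp\offline.txt')
    # /requestodj stages the join on the local OS; it takes effect after a reboot.
    & djoin.exe /requestodj /loadfile $BlobPath /windowspath $env:windir /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed (exit $LASTEXITCODE)" }
    # Overwrite the blob before deleting it so the machine password does not linger on disk.
    $len = (Get-Item -Path $BlobPath).Length
    [System.IO.File]::WriteAllBytes($BlobPath, (New-Object byte[] $len))
    Remove-Item -Path $BlobPath -Force
    Write-Host 'Join staged; restart the computer to complete it.'
}
```

Run Invoke-OdjProvision on the domain-connected server, copy the blob to the target, then run Invoke-OdjRequest there and reboot.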

Assuming you have completed the steps in the article to create the answer file, you will need to modify the Unattend.xml file to add the following information for the Active Directory Offline Domain Join:

In the section, add the following:

FQDN of the domain you want to join
Administrator account name
Password for the administrator account

FQDN of the domain you want to join
OU=Servers,DC=contoso,DC=com

In the section, add the following:

true

Save and close the Unattend.xml file.

Assuming you have a working Active Directory domain and want to join a server to it while it is offline, you will need to take the following steps.

1. On the domain controller, open the DNS Manager console and expand the Forward Lookup Zones folder.

2. Right-click the zone in which you want to add the new server and select New Alias (CNAME).

3. In the New Alias (CNAME) dialog box, enter the Alias name and the Fully qualified domain name (FQDN) of the new server.

4. Click OK to add the new alias.

5. On the new server, open the DNS Manager console and expand the Forward Lookup Zones folder.

6. Right-click the zone in which the server is located and select New Host (A or AAAA).

7. In the New Host dialog box, enter the Hostname and the IP address of the new server.

8. Click OK to add the new host.

9. On the new server, open the Active Directory Domains and Trusts console.

10. Right-click the domain and select Properties.

11. In the Domain Properties dialog box, select the Security tab.

12. Under Secure channel, click the Reset button.

13. In the Reset Secure Channel dialog box, click Yes.

14. On the new server, open the Active Directory Users and Computers console.

15. Right-click the OU in which you want to add the new server and select Properties.

16. In the OU Properties dialog box, select the Security tab.

17. Under Secure channel, click the Reset button.

18. In the Reset Secure Channel dialog box, click Yes.

19. On the new server, open the Active Directory Sites and Services console.

20. Right-click the site in which you want to add the new server and select Properties.

21. In the Site Properties dialog box, select the Security tab.

22. Under Secure channel, click the Reset button.

23. In the Reset Secure Channel dialog box, click Yes.

24. On the new server, open the Group Policy Management console.

25. Right-click the domain and select Properties.

26. In the Domain Properties dialog box, select the Group Policy tab.

27. Under Group Policy objects, click the Default Domain Controllers Policy object.

28. In the Default Domain Controllers Policy dialog box, click the Edit button.

29. In the Group Policy Management Editor window, expand Computer Configuration, Policies, Administrative Templates, System, and then click the Group Policy node.

30. In the right pane, double-click the Allow cross-domain Group Policy trust processing policy.

31. In the Allow cross-domain Group Policy trust processing dialog box, select the Enabled option and click OK.

32. On the new server, open an elevated command prompt and run the following command:

gpupdate /force

33. On the new server, open the Registry Editor.

34. Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine

35. In the right pane, delete the Group Policy Objects and Group Policy Update values.

36. Close the Registry Editor.

37. On the new server, open the Group Policy Management console.

38. Right-click the domain and select Properties.

39. In the Domain Properties dialog box, select the Group Policy tab.

40. Under Group Policy objects, click the Default Domain Controllers Policy object.

41. In the Default Domain Controllers Policy dialog box, click the Edit button.

42. In the Group Policy Management Editor window, expand Computer Configuration, Policies, Administrative Templates, System, and then click the Group Policy node.

43. In the right pane, double-click the Allow cross-domain Group Policy trust processing policy.

44. In the Allow cross-domain Group Policy trust processing dialog box, select the Disabled option and click OK.

45. On the new server, open an elevated command prompt and run the following command:

gpupdate /force

46. On the new server, open the Registry Editor.

47. Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine

48. In the right pane, delete the Group Policy Objects and Group Policy Update values.

49. Close the Registry Editor.

50. On the new server, restart the computer.

51. On the domain controller, open the DNS Manager console and expand the Forward Lookup Zones folder.

52. Right-click the zone in which you added the new server and select Delete.

53. In the Confirm Delete dialog box, click Yes.

54. On the new server, open the DNS Manager console and expand the Forward Lookup Zones folder.

55. Right-click the zone in which the server is located and select Delete.

56. In the Confirm Delete dialog box, click Yes.

57. On the new server, open the Active Directory Domains and Trusts console.

58. Right-click the domain and select Properties.

59. In the Domain Properties dialog box, select the Security tab.

60. Under Secure channel, click the Reset button.

61. In the Reset Secure Channel dialog box, click Yes.

62. On the new server, open the Active Directory Users and Computers console.

63. Right-click the OU in which you added the new server and select Properties.

64. In the OU Properties dialog box, select the Security tab.

65. Under Secure channel, click the Reset button.

66. In the Reset Secure Channel dialog box, click Yes.

67. On the new server, open the Active Directory Sites and Services console.

68. Right-click the site in which you added the new server and select Properties.

69. In the Site Properties dialog box, select the Security tab.

70. Under Secure channel, click the Reset button.

71. In the Reset Secure Channel dialog box, click Yes.

72. On the new server, open the Group Policy Management console.

73. Right-click the domain and select Properties.

74. In the Domain Properties dialog box, select the Group Policy tab.

75. Under Group Policy objects, click the Default Domain Controllers Policy object.

76. In the Default Domain Controllers Policy dialog box, click the Edit button.

77. In the Group Policy Management Editor window, expand Computer Configuration, Policies, Administrative Templates, System, and then click the Group Policy node.

78. In the right pane, double-click the Allow cross-domain Group Policy trust processing policy.

79. In the Allow cross-domain Group Policy trust processing dialog box, select the Enabled option and click OK.

80. On the new server, open an elevated command prompt and run the following command:

gpupdate /force

81. On the new server, open the Registry Editor.

82. Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine

83. In the right pane, delete the Group Policy Objects and Group Policy Update values.

84. Close the Registry Editor.

85. On the new server, open the Group Policy Management console.

86. Right-click the domain and select Properties.

87. In the Domain Properties dialog box, select the Group Policy tab.

88. Under Group Policy objects, click the Default Domain Controllers Policy object.

89. In the Default Domain Controllers Policy dialog box, click the Edit button.

90. In the Group Policy Management Editor window, expand Computer Configuration, Policies, Administrative Templates, System, and then click the Group Policy node.

91. In the right pane, double-click the Allow cross-domain Group Policy trust processing policy.

92. In the Allow cross-domain Group Policy trust processing dialog box, select the Disabled option and click OK.

93. On the new server, open an elevated command prompt and run the following command:

gpupdate /force

94. On the new server, open the Registry Editor.

95. Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine

96. In the right pane, delete the Group Policy Objects and Group Policy Update values.

97. Close the Registry Editor.

98. On the new server, restart the computer.

99. On the domain controller, verify that the new server appears in the DNS Manager console and the Active Directory Users and Computers console.

100. On the new server, verify that the Group Policy objects are applied.