Offline Domain Join is a new feature in Windows Server 2008 R2 and Windows 7 that allows you to join a computer to an AD domain without having connectivity to a DC. Offline Domain Join is a three-step process:

1. The djoin command-line tool is run on a Windows 7 or Windows Server 2008 R2 computer that is joined to the domain. The djoin /provision option is used to provision a computer account for the computer on which you want to perform an Offline Domain Join. This generates a file to be used by the computer that will be joining the domain.
2. The file is copied to the computer that will be joining the domain via Offline Domain Join. The djoin command is run with the /requestODJ parameter. This copies the Offline Domain Join data into the Windows directory and instructs the computer to join the domain on boot.
3. Boot the computer while it is connected to the network hosting the AD domain. The domain join process will automatically join the computer to the domain.

The Offline Domain Join process can be very useful when you are automatically deploying a large number of computers, or if you want to give someone the ability to join a computer to the domain without them needing special privileges in AD. Note that the privileges move rather than disappear: the person running djoin /provision still needs the right to create (or, with /reuse, modify) computer objects in the target OU, while the person running djoin /requestODJ only needs local administrator rights on the machine being joined.

Offline domain join is a new feature in Windows 7 and Windows Server 2008 R2 that lets you join a computer to a domain without contacting a domain controller directly. This feature can add computers to a domain when network connectivity is not available. When a computer joins a domain, trust relationships change on both the computer and the Active Directory domain. Prior to Windows 7 and Windows Server 2008 R2, there was no application to make these changes on the computer unless it was directly connected to a domain controller at the time it joined the domain. Windows 7 and Windows Server 2008 R2 include the application djoin.exe, located at %SystemDrive%\Windows\System32\djoin.exe, to perform this task. The following tasks walk you through the process of performing an Offline Domain Join. The general process is simple:

1. Create the computer account in Active Directory.
2. Force replication of the secrets of the computer that is going to join the domain, so that whichever domain controller the computer reaches at first boot already knows the account.
3. Use djoin.exe to output the state information that the computer will use to connect to the domain to a text file.
4. Load the text file on the computer using djoin.exe; when it reboots, it will be joined to the domain.

Debra Littlejohn Shinder, in Windows Server 2012 Security from End to Edge and Beyond, 2013

DirectAccess Remote Domain Offline Join

One of the primary requirements for a DirectAccess client is that it is a member of the domain that hosts the Group Policy Object entries used to configure the DirectAccess client. This creates a bit of a dilemma for IT organizations that need to deal with an increasing number of employees who never physically (or wirelessly) connect to the corpnet. One way this has been dealt with in the past is to have IT image the user's machine and join it to the domain during the imaging process. While that does work, there is a lot of overhead involved. Someone has to image the machine, join it to the domain, box it, and then get it mailed out to the end user. Multiply this activity by thousands of machines and you can see that it takes a good amount of time and money.

Perhaps even more problematic is the growing trend of Bring Your Own Device (or maybe Buy Your Own Device). More organizations are willing to allow users to purchase their own devices and then let them use those devices to connect to the corporate network. There are still security concerns, so IT wants to be able to control those devices. And if those devices are going to be configured as DirectAccess clients, they must be domain joined.

Windows Server 2012 introduces a solution to this problem: DirectAccess Offline Domain Join. It works as follows:

1. First, you create computer accounts for the machines that you want to join to the domain.
2. Then you create a provisioning package from a domain-joined computer that is already on the corporate network.
3. Now you add the computers to the DirectAccess security group. This is a security group that you need to create so that you can apply the DirectAccess Group Policy settings to it by using Group Policy security group filtering.
4. Next, make the package available to the users. The package is fairly small, so you can e-mail it to them, make it downloadable from a published Web site, or send it on a password-protected USB key, depending on your security concerns. Whichever channel you choose, treat the package as the machine's domain credential: it contains the computer account's password (and, for DirectAccess, the client policy and root CA certificates), so anyone who obtains it can join a device to your domain under that account. Restrict who can read it, deliver it over an authenticated channel, and delete it once it has been applied.
5. The user then runs the package, which joins the computer to the domain and applies the initial Group Policy settings required for the machine to become a DirectAccess client.
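The whole procedure above, from pre-creating the account through the DirectAccess provisioning options to the client-side import and a post-reboot check, as an added example written for this page; it is not code from either book excerpt or from Microsoft. The machine, domain, OU and group names are placeholders, the provisioning side assumes the ActiveDirectory module (RSAT) is installed, and the /policynames and /rootcacerts options assume the djoin.exe that ships with Windows 8 / Windows Server 2012 or later.

```powershell
# Added example (editor's, not from either book or from Microsoft).
# End-to-end Offline Domain Join with djoin.exe: provisioning on a domain-joined
# admin workstation, applying the package on the new machine, and verifying.
# All machine, domain, OU and group names are placeholders. The provisioning
# side needs the ActiveDirectory module (RSAT); the DirectAccess options need
# the djoin.exe that ships with Windows 8 / Windows Server 2012 or later.

function New-OdjPackage {
    param(
        [Parameter(Mandatory)] [string] $Machine,    # e.g. 'LAPTOP-0042' (placeholder)
        [Parameter(Mandatory)] [string] $Domain,     # e.g. 'corp.example.com' (placeholder)
        [Parameter(Mandatory)] [string] $TargetOU,   # DN of the OU that will hold the computer object
        [Parameter(Mandatory)] [string] $OutFile,    # where the provisioning blob is written
        [string] $DirectAccessGroup,                 # group the DirectAccess client GPO is filtered on
        [switch] $DirectAccess                       # embed the DA client GPO and root CA certificates
    )

    # Step 1 of the text: create the computer account up front. djoin can create
    # it itself, but pre-creating it lets you place it and set group membership
    # before any package exists. Either way the operator only needs delegated
    # "create computer objects" rights on $TargetOU, not Domain Admin.
    if (-not (Get-ADComputer -Filter "Name -eq '$Machine'")) {
        New-ADComputer -Name $Machine -Path $TargetOU -Enabled $true
    }

    # DirectAccess: the client GPO is security-filtered on this group, so the
    # account must be a member before the client's first policy refresh.
    if ($DirectAccess -and $DirectAccessGroup) {
        Add-ADGroupMember -Identity $DirectAccessGroup -Members "$Machine`$"
    }

    # Step 2: write the blob. /reuse is needed because the account already
    # exists; djoin resets its password to a fresh random one. Never add
    # /defpwd, which would give the account the well-known default password.
    $djoinArgs = @('/provision', '/domain', $Domain, '/machine', $Machine,
                   '/machineou', $TargetOU, '/savefile', $OutFile, '/reuse')
    if ($DirectAccess) {
        # Also embed the DirectAccess client GPO and the root CA chain, so the
        # machine can build its IPsec tunnels before it has ever reached a DC.
        # 'DirectAccess Client Settings' is the GPO name Server 2012 creates;
        # adjust it if yours was renamed.
        $djoinArgs += @('/policynames', 'DirectAccess Client Settings', '/rootcacerts')
    }
    & djoin.exe @djoinArgs
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed (exit $LASTEXITCODE)" }

    # The blob carries the machine account password: whoever holds it can join
    # a device as $Machine. Drop inherited ACLs and leave only the provisioner.
    $me = '{0}\{1}:(R)' -f $env:USERDOMAIN, $env:USERNAME
    icacls.exe $OutFile /inheritance:r /grant:r $me | Out-Null
    Get-Item -LiteralPath $OutFile
}

function Install-OdjPackage {
    # Step 3 (client side): run on the new machine as a *local* administrator;
    # no domain rights are needed, which is the point of the feature.
    param([Parameter(Mandatory)] [string] $BlobPath)

    # /localos targets the running installation; without it /windowspath must
    # point at an offline image (for example a mounted WIM).
    & djoin.exe /requestODJ /loadfile $BlobPath /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed (exit $LASTEXITCODE)" }

    # djoin has copied what it needs into the Windows directory; the blob is now
    # a leftover credential, so delete it rather than leaving it on disk.
    Remove-Item -LiteralPath $BlobPath -Force
    Restart-Computer -Confirm
}

function Test-OdjJoined {
    # After the reboot, run elevated with a line of sight to a DC (for a
    # DirectAccess client, through the DA tunnel): domain membership plus a
    # working secure channel to the domain.
    param([Parameter(Mandatory)] [string] $Domain)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Computer      = $cs.Name
        PartOfDomain  = $cs.PartOfDomain
        Domain        = $cs.Domain
        DomainMatches = ($cs.Domain -eq $Domain)
        SecureChannel = Test-ComputerSecureChannel
    }
}

# Provisioning side (domain-joined admin workstation):
#   New-OdjPackage -Machine 'LAPTOP-0042' -Domain 'corp.example.com' `
#       -TargetOU 'OU=DA Clients,DC=corp,DC=example,DC=com' `
#       -OutFile 'C:\odj\LAPTOP-0042.txt' -DirectAccess -DirectAccessGroup 'DirectAccess Clients'
# New machine (local administrator), once the file has arrived:
#   Install-OdjPackage -BlobPath 'D:\LAPTOP-0042.txt'
# After the reboot:
#   Test-OdjJoined -Domain 'corp.example.com'
```

Without the -DirectAccess switch the function performs the plain Windows 7 / Server 2008 R2 style join described in the first two excerpts; with it, the same blob also carries the DirectAccess client policy and root certificates, which is what lets the Server 2012 variant bring a machine that has never touched the corpnet straight into a working DirectAccess tunnel. The ACL restriction and the Remove-Item on the client are the two places where the "e-mail it to them" convenience in the text is balanced against the fact that the file is, in effect, a domain credential.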