New Active Directory Documents for IT Pros

Active Directory Documentation Team

Information for IT Professionals who work with Active Directory. All blog posts are provided "AS IS" with no warranties, and confer no rights.

New Djoin.exe utility in Windows Server 2008 R2

Windows Server 2008 R2 domain controllers include a new feature named Offline Domain Join. A new utility named Djoin.exe lets you join a computer to a domain without contacting a domain controller at the time the domain join operation completes. Instead, it uses a blob that was obtained from a Windows Server 2008 R2 domain controller at an earlier point in time. The computer is domain-joined when it first starts, so the restart that a normal domain join requires is not needed. The general steps for using Djoin.exe are:

  1. Run djoin /provision to create the computer account metadata. The output of this command is a .txt file that includes a base64-encoded blob.
  2. Run djoin /requestODJ to insert the computer account metadata from the .txt file into the Windows directory of the destination computer.
  3. Start the destination computer, and the computer will be joined to the domain.

The computer where you run djoin /provision and the destination computer both need to run Windows Server 2008 R2 or Windows 7. We have a step-by-step guide published at http://technet.microsoft.com/en-us/library/dd392267(WS.10).aspx and appreciate any feedback you have.
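
The three steps above as a PowerShell script, added here as an example (it is not from the original post or from the step-by-step guide). The domain, machine name and paths are assumed values, and the /domain, /machine, /savefile, /loadfile and /windowspath switches are djoin.exe parameters that the post itself does not list. Because the blob carries the new computer account's password, the script restricts access to the file and deletes it after use.

```powershell
# Added example: offline domain join with the provisioning blob handled as a secret.
# Assumed values, not from the post: domain, machine name and all paths.
$Domain      = 'corp.example.com'   # assumed domain name
$Machine     = 'VM-0001'            # assumed name for the new computer account
$BlobDir     = 'C:\ODJ'             # assumed working directory for the blob
$WindowsPath = 'D:\Windows'         # assumed Windows directory of the mounted destination image
$BlobFile    = Join-Path $BlobDir "$Machine.txt"

# Lock the directory down before the blob exists: drop inherited ACEs and
# grant full control to the current user only.
New-Item -ItemType Directory -Path $BlobDir -Force | Out-Null
icacls.exe $BlobDir /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(OI)(CI)F" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

try {
    # Step 1: create the computer account and write the base64 blob.
    djoin.exe /provision /domain $Domain /machine $Machine /savefile $BlobFile
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

    # Step 2: insert the blob into the destination's Windows directory.
    djoin.exe /requestODJ /loadfile $BlobFile /windowspath $WindowsPath
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
}
finally {
    # The blob is single-purpose; remove it whether or not the join data was applied.
    if (Test-Path -LiteralPath $BlobFile) { Remove-Item -LiteralPath $BlobFile -Force }
}
# Step 3: start the destination computer; it comes up joined to the domain.
```

When step 2 targets the running operating system instead of a mounted image, djoin.exe also takes the /localos switch and /windowspath points at the local Windows directory.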

This posting is provided "AS IS" with no warranties, and confers no rights.

Comments

lmundy said:

The entire process for joining the domain offline seems to work flawlessly, however, once you have joined the domain and restarted you are still stuck inasmuch as you can't log in as you have no cached credentials, and the only way to get them is if you have access to a domain controller to process the logon. This requires you to be physically connected to the domain. Hence, you might as well wait until you are locally network attached to the domain and join in the normal manner.

If I'm missing something here please let me know.

# July 2, 2009 6:12 PM

Justin [MSFT] said:

Hi lmundy,

Thank you for the comment. You are not missing anything. The ODJ does not enable logon without network connectivity to a domain controller. I asked the djoin.exe developer about your comment and he replied that "to collect and apply the additional state to enable logon would require additional feature work, probably in more than just ODJ. There have been discussions on this but currently there isn’t any work planned by our team."

So the main benefit today is to reduce the time required and streamline the process for the domain join itself, and to frontload the domain join so if there are any problems with it, they might be exposed and resolved before the new domain client is rolled out in a production environment.

We had feedback from some organizations that want to enable scenarios where they are rolling out 1000 VMs in a datacenter and they want to achieve this in an hour. In some cases the domain join itself was adding several minutes to each VM rollout, so cumulatively the domain joins could impede the high-speed, wide-scale rollout.

I think this is one of the main scenarios that djoin.exe was initially intended to target (as opposed to enabling a broader offline working scenario). I think the intent is that the next generation of System Center products will leverage it also.  

But it's great to see customers finding it useful for their own scenarios as well, and for their feedback about how it can be improved.

Sincerely,

Justin

# July 6, 2009 9:47 PM