When you need to join a machine to Active Directory, it is a pretty straightforward task using either the user interface or the PowerShell cmdlet available for that purpose.
However, in some situations you don’t have network connectivity and need to rely on Offline Domain Join, using the Djoin.exe tool. Typically you use djoin in two phases. First, you generate a provisioning file that you drop on a newly deployed machine. In the second phase, you run djoin with the file as a parameter and the machine is joined to the domain without a connection to the domain controller.
My problem
Using that same method, I recently had a tricky problem to solve. The environment where I was performing this was very locked down, not allowing me to copy files to the newly provisioned machine.
Fortunately, the system handling the deployment could perform actions on other systems and gather data. I could rely on something like System Center Orchestrator (or SMA) and get the content of the blob file over HTTP/HTTPS by invoking a runbook.
Djoin has shipped with Windows client and server installations since Windows 7 and Windows Server 2008 R2. Djoin requires administrator privileges, so you have to run the tool from an elevated command prompt. Of course, you also need an account that has sufficient rights to create domain computer accounts.
1 - First, run Djoin.exe to provision the computer account metadata. When you run the provisioning command, the computer account metadata is created in a blob .txt file that you specify as part of the command.
djoin /provision /domain fx.lab /machine testdjoin01 /savefile provisioning.txt
2 - This blob then has to be copied to the machine and used to offline domain join the Windows machine.
djoin /requestODJ /loadfile provisioning.txt /windowspath %SystemRoot% /localos
Here is what we see when we open the output file (provisioning.txt):
And here, in a hexadecimal editor, you can see that it is a Unicode Base64-encoded string from the first two bytes, “FF FE”.
Copying the content of the blob to another file
Creating a copy of the file is easy: even copying the content on the same machine and dumping it into another file works, and djoin will accept those files.
Get-Content provisioning.txt -Encoding Unicode | Set-Content newfile.txt -Encoding Unicode
Recreating the djoin blob file from the content
Using Djoin with the same parameters we used to create the blob earlier, we will add the parameter /PRINTBLOB, which outputs the blob to the console.
The output can then be stored in a variable and parsed to retrieve only the blob:
# Store the djoin output
$djoin = djoin /provision /domain fx.lab /machine testdjoin02 /savefile provisioning /printblob
# Get the blob
$djoin
Next, this string can be passed across the network using tools such as System Center Orchestrator (SCORCH) or Service Management Automation (SMA). (I won’t demonstrate this part in this post.)
Finally, on the newly deployed machine, we can recreate the blob file using New-DjoinFile, a function available on GitHub.
# Blob generated
$Blob = "<Blob generated previously on the domain machine>"
# Recreate djoin file
New-DjoinFile -Blob $Blob -DestinationFile $home\desktop\blob.txt -Verbose
You can now use Djoin.exe with the file blob.txt to join your new machine to the domain:
Now if you compare the file generated by djoin.exe and the one recreated by New-DjoinFile, you should get the same content, byte by byte.
File created with New-DjoinFile
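One way to run the byte-by-byte comparison described above, as an added example that is not part of the original post and is not the New-DjoinFile function. The function name Compare-FileByte, the temporary file names and the sample string are assumptions; the sample is a constructed Base64 string, not real djoin output.

```powershell
function Compare-FileByte {
    # Reports whether each file starts with FF FE and where the first differing byte is (-1 = none).
    param(
        [Parameter(Mandatory)][string]$ReferencePath,
        [Parameter(Mandatory)][string]$DifferencePath
    )
    $ref  = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $ReferencePath).ProviderPath)
    $diff = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $DifferencePath).ProviderPath)

    $firstDiff = -1
    $common = [Math]::Min($ref.Length, $diff.Length)
    for ($i = 0; $i -lt $common; $i++) {
        if ($ref[$i] -ne $diff[$i]) { $firstDiff = $i; break }
    }
    # Same prefix but different lengths: the difference starts where the shorter file ends
    if ($firstDiff -eq -1 -and $ref.Length -ne $diff.Length) { $firstDiff = $common }

    [pscustomobject]@{
        ReferenceHasFFFE  = ($ref.Length  -ge 2 -and $ref[0]  -eq 0xFF -and $ref[1]  -eq 0xFE)
        DifferenceHasFFFE = ($diff.Length -ge 2 -and $diff[0] -eq 0xFF -and $diff[1] -eq 0xFE)
        ReferenceLength   = $ref.Length
        DifferenceLength  = $diff.Length
        FirstDifference   = $firstDiff
        Identical         = ($firstDiff -eq -1)
    }
}

# Constructed stand-in for a blob string (not real djoin output)
$sample = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('constructed sample, not a real blob'))
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ([System.IO.Path]::GetRandomFileName())
New-Item -ItemType Directory -Path $dir | Out-Null
$original = Join-Path $dir 'original.txt'
$unicode  = Join-Path $dir 'copy-unicode.txt'
$ascii    = Join-Path $dir 'copy-ascii.txt'

Set-Content -Path $original -Value $sample -Encoding Unicode
# Same round trip as the Get-Content | Set-Content command in the post
Get-Content $original -Encoding Unicode | Set-Content $unicode -Encoding Unicode
# Same round trip, but written with a different output encoding
Get-Content $original -Encoding Unicode | Set-Content $ascii -Encoding Ascii

# Compare each copy against the original, then clean up
Compare-FileByte -ReferencePath $original -DifferencePath $unicode
Compare-FileByte -ReferencePath $original -DifferencePath $ascii
Remove-Item -Recurse -Force $dir
```

To check a real file, pass the file saved by djoin.exe as -ReferencePath and the recreated file as -DifferencePath. A copy written without -Encoding Unicode loses the leading FF FE bytes, so the comparison reports a difference at the start of the file.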