Offline Domain Join (djoin.exe) is a process that lets one join a computer to a domain without connectivity to a domain controller. This makes it possible to join computers to a domain in locations where there is no connectivity to a corporate network.

As of Windows Server 2012, Offline Domain Join supports the /policynames and /rootcacerts options. This opens up the possibility of running a domain controller in the cloud and relying on DirectAccess as the only connectivity between the domain controller and its clients.

Join computer to domain with Offline Domain Join

  • Create a new computer object in the appropriate OU.
  • Add the newly created computer object as a member of your DirectAccess clients security group, as defined in the DirectAccess settings.
  • Run the provisioning command in an elevated cmd:
djoin /provision /domain "domain.com" /machine "user-pc" /policynames "DirectAccess Client Settings" /rootcacerts /savefile c:\DAprovision.txt /reuse

Substitute:

  • domain.com: the FQDN of your AD domain.
  • user-pc: the name of the computer object created in the first step.
  • DirectAccess Client Settings: the name of the DirectAccess client GPO, which was created automatically when DirectAccess was deployed.

  • Copy DAprovision.txt to C:\ on the computer that will be joined to the domain.
  • Run the join command in an elevated cmd:
djoin /requestODJ /loadfile c:\DAprovision.txt /windowspath %SystemRoot% /localos
  • Reboot.

After the reboot the computer automatically connects to DirectAccess whenever it has Internet connectivity. Once the tunnel is established, the domain controller is reachable and users can sign in with domain credentials.
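The whole procedure above, written as one PowerShell script. This is an added example, not part of the original post or of Microsoft's documentation; the provisioning part assumes a domain-joined admin workstation with the RSAT ActiveDirectory module, and the OU path, group name, computer name and blob location are placeholders you substitute as described above.

```powershell
# Added example: Offline Domain Join for a DirectAccess client, as three functions.
# Invoke-DAProvision runs on a domain-joined host with RSAT; Invoke-DAJoin and
# Test-DAJoin run elevated on the new computer. All names below are placeholders.

function Invoke-DAProvision {
    param(
        [string]$Domain   = 'domain.com',                                 # FQDN of the AD domain
        [string]$Machine  = 'user-pc',                                    # name of the computer object
        [string]$OU       = 'OU=DirectAccess Clients,DC=domain,DC=com',   # placeholder OU
        [string]$DAGroup  = 'DirectAccess Clients',                       # placeholder DA clients group
        [string]$GpoName  = 'DirectAccess Client Settings',               # DA client GPO from the DA wizard
        [string]$BlobFile = 'C:\DAprovision.txt'
    )
    Import-Module ActiveDirectory

    # Step 1: create the computer object in the intended OU (skip if it already exists)
    if (-not (Get-ADComputer -Filter "Name -eq '$Machine'" -ErrorAction SilentlyContinue)) {
        New-ADComputer -Name $Machine -Path $OU
    }

    # Step 2: make the machine account a member of the DirectAccess clients group
    Add-ADGroupMember -Identity $DAGroup -Members "$Machine$"

    # Step 3: build the provisioning blob; /reuse binds it to the object created above
    & djoin.exe /provision /domain $Domain /machine $Machine `
        /policynames $GpoName /rootcacerts /savefile $BlobFile /reuse
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

    # The blob contains the new machine account's password (encoded, not encrypted).
    # Move it over a trusted channel and delete it from both hosts once the join is done.
    return $BlobFile
}

function Invoke-DAJoin {
    param([string]$BlobFile = 'C:\DAprovision.txt')

    # Step 4/5: apply the blob to the local OS, remove the secret, then reboot
    & djoin.exe /requestODJ /loadfile $BlobFile /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }
    Remove-Item $BlobFile -Force
    Restart-Computer -Force
}

function Test-DAJoin {
    # After the reboot, with Internet access: confirm the DA tunnel is up and the
    # machine account can actually authenticate against a DC through it.
    $da = Get-DAConnectionStatus          # Status is expected to be 'ConnectedRemotely'
    $secure = Test-ComputerSecureChannel  # $true once the DC is reachable over DA
    [pscustomobject]@{ DAStatus = $da.Status; SecureChannel = $secure }
}
```

Run `Invoke-DAProvision` on the admin workstation, copy the returned file to the client, run `Invoke-DAJoin` there, and after the reboot run `Test-DAJoin`. Keeping the join and the blob deletion in one function is deliberate: the provisioning file is the only credential the client needs, so it should not outlive the join.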
