Q: Is it possible to join a Windows client computer to an Active Directory (AD) domain when the client computer is located in a branch office that has only read-only domain controllers (DCs) or when no network connection is available to the central site holding read-write DCs?
A: Yes, both are possible starting with Windows 7 and Windows Server 2008 R2, thanks to the djoin.exe command-line utility. Administrators can use djoin.exe to provision a computer account in AD and export the account's AD security information to a text file. This text file can then be moved and imported to the client computer, where an administrator then has to run djoin.exe from an elevated command prompt to effectively join the domain. The content of the text file can also be added to an unattended setup answer file to join a computer to the domain as part of the OS installation.
For example, suppose you want to join a Windows client computer named mywindowsclient to the AD domain mydomain.com. First, you need to create the AD computer account for mywindowsclient in mydomain.com and save the domain join data to a text file named offlinejoin.txt. This can be accomplished by running the following Djoin command from an elevated command prompt on a Windows 7 (or later) or Server 2008 R2 (or later) machine that can communicate with a read-write DC:
- Djoin /provision /domain mydomain.com
- /machine mywindowsclient /savefile c:\offlinejoin.txt
(Although this command wraps here, you'd put it on all one line in the command shell window.) Next, you need to join mywindowsclient to the mydomain.com domain by running the following Djoin command from an elevated command prompt on the mywindowsclient machine:
- Djoin /requestODJ /loadfile c:\offlinejoin.txt
- /windowspath %systemroot% /localos
(Although this command wraps here, you'd put it on all one line in the command shell window.) You must then reboot mywindowsclient. When it comes back up, it'll be joined to the domain.
Note that you can also provision a computer's AD account against DCs running Windows Server 2008 or earlier by using the /downlevel switch in the first Djoin command. For more information about offline domain joins, see TechNet's "Offline Domain Join (Djoin.exe) Step-by-Step Guide."