Offline Domain Join

Copper Contributor

We are testing the of Offline Domain Join using DirectAccess, our testing includes two use cases, DJOIN with Certificate and DJOIN Without Certificate. We would like to use this process to rejoin AD Orphan workstations of users that are at home and that do not VPN to the corporate network and have them connect trough DirectAccess.

 

DJOIN with Certificate
DJOIN Command Syntax: “DJOIN /provision /machine COMPUTERNAME /domain DOMAINNAME /policynames "DirectAccess Client Settings" /certtemplate CATEMPLATENAME /savefile c:\files\provision.txt /reuse”
This command is erroring out saying that CA Template is not supported. Our PKI environment is a Symantec PKI solution that the Root CA is cloud hosted with issuing servers on corporate network. Certificates are previsioned based on the workstation being member of an AD group and the uses of a GPO. The DJOIN command does not create a Blob text files.
The test workstation is a member of the PKI and DirectAccess Global Security group.

 

DJOIN Without Certificate
DJOIN Command Syntax: “DJOIN /provision /machine COMPUTERNAME /domain DOMAINNAME /policynames "DirectAccess Client Settings" /savefile c:\files\provision.txt /reuse”
When we run the command it create the Blob text file successfully, we move the file to the workstation and then unjoin the workstation from the domain by moving the computer to a WORKGROUP. After the computer reboots, we login to the computer with an account that has admin access. Next we run the command “DJOIN /requestodj /loadfile C:\Files\provision.txt /windowspath %windir% /localos”. The command completes successfully and we are prompting to reboot the computer. After the computer reboots we try to login with a AD domain account which fails after some time indicating that there is no trust with the workstation. The test workstation is hardwired connect to the network.

 

We have a case open with Microsoft and they are researching  it.

Thanks for any help

3 Replies

@Lawrence_Tobin 

Microsoft Support would be able to help you, since they will check you log files and directly work with you. Using DirectAccess without Certificate is unsupported scenario and most likely it will fail to work.

You may also check out these steps:

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/directaccess/add-to-existing-vp... 

 

First thing Microsoft or Anyone would need to have the logs for that particular workstation from the remote access server. Then, they can troubleshoot it.
not sure but Net Config /?