In my DirectAccess lab I was trying to test the Offline Domain Join feature. Here is the official TechNet article.
Just to summarize: the Offline Domain Join feature was introduced in Windows Server 2008 R2 and can be used by Windows 7 client computers to join a domain when they are not directly connected to the corporate AD network. In Windows Server 2012 it has been enhanced to push the DirectAccess client settings GPOs, the root CA certificates and the computer certificate along with the domain-join metadata. This enhanced version, however, is limited to Windows 8 clients.
DJOIN.EXE is the tool used for this exercise. It is built into the Windows Server 2012 and Windows 8 operating systems.
Here is the complete list of Djoin.exe options
So in my DirectAccess test lab I have already configured the DirectAccess server and the related ecosystem. I would like a remote (off-domain) Windows 8 laptop to join my test domain automatically and then be able to connect using DirectAccess. For this I have a DirectAccess client GPO named "DirectAccess Client Settings" and a certificate template named "DirectAccess IPSec Clients".
To create the "PandaLaptop6" computer account in my Contoso.local domain I put together my Djoin syntax like below:
Djoin /provision /domain Contoso.local /machine PandaLaptop6 /dcname contoso-dc01.contoso.local /rootcacerts /policynames "DirectAccess Client Settings" /certtemplate "DirectAccess IPSec Clients" /savefile c:\Provisions\PandaLaptop6.txt
And it failed with below error.
Provisioning the computer…
Failed to provision [PandaLaptop1] in the domain [Contoso.local]: 0x80094800.
It may be necessary to specify /REUSE when running
djoin.exe again with the same machine name.
Computer provisioning failed: 0x80094800.
The requested certificate template is not supported by this CA.
Even with the failure message, it still created a computer account in AD. So I thought that maybe only the GPO or the certificate part of the syntax was not working. I verified in the CA console that the template name was the same, so there should not have been any issue there.
Then it occurred to me to check the template names with the certutil tool, so I ran "certutil -template" and searched for my template.
Woooo, here is the problem: none of these templates have a SPACE in their names. The template's common name (the value djoin expects) is not the same as the display name shown in the CA console. Check out those template common names in the screenshot below.
Now I corrected my syntax and it worked as expected. It created the metadata TXT file, created the computer account in AD and issued the certificates.
Djoin /provision /domain Contoso.local /machine PandaLaptop6 /dcname contoso-dc01.contoso.local /rootcacerts /policynames "DirectAccess Client Settings" /certtemplate "DirectAccessIPSecClients" /savefile c:\Provisions\PandaLaptop6.txt
Provisioning the computer…
Successfully provisioned [PandaLaptop6] in the domain [Contoso.local].
Provisioning data was saved successfully to [c:\Provisions\PandaLaptop6.txt].
Computer provisioning completed successfully.
The operation completed successfully.
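The mismatch above (display name with spaces vs. the template's common name) can be caught before running djoin. The following PowerShell script is an added example, not part of the original post or of Microsoft's tooling: it resolves a template display name to the common name stored in the AD Configuration partition, checks that at least one enterprise CA has that template published (the condition behind error 0x80094800, "The requested certificate template is not supported by this CA"), confirms the GPO named in /policynames exists, and prints the djoin command line with the correct values. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed and that the caller can read the Configuration partition; the function name, the parameter names and the sample values are my own.

```powershell
# Added example: validate the /policynames and /certtemplate inputs for djoin /provision
# by looking them up in Active Directory, then emit a ready-to-run djoin command line.
function Test-DjoinProvisioningInputs {
    param(
        [Parameter(Mandatory)][string]$Domain,              # e.g. Contoso.local
        [Parameter(Mandatory)][string]$MachineName,         # e.g. PandaLaptop6
        [Parameter(Mandatory)][string]$DcName,              # e.g. contoso-dc01.contoso.local
        [Parameter(Mandatory)][string]$PolicyDisplayName,   # GPO display name (spaces are fine here)
        [Parameter(Mandatory)][string]$TemplateDisplayName, # template display name as shown in the CA console
        [Parameter(Mandatory)][string]$SaveFile             # path for the provisioning blob
    )
    Import-Module ActiveDirectory
    Import-Module GroupPolicy

    $configNC  = (Get-ADRootDSE -Server $DcName).configurationNamingContext
    $pkiBase   = "CN=Public Key Services,CN=Services,$configNC"

    # Certificate templates live as pKICertificateTemplate objects. djoin, certreq and
    # "certutil -template" all key on the object's cn (no spaces), not on displayName.
    $template = Get-ADObject -Server $DcName -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateDisplayName))" `
        -Properties displayName
    if (-not $template) {
        throw "No certificate template with display name '$TemplateDisplayName' exists in $configNC"
    }
    $templateCn = $template.Name

    # Each enterprise CA is a pKIEnrollmentService object whose multi-valued
    # certificateTemplates attribute lists the template cns it will issue.
    $issuingCAs = Get-ADObject -Server $DcName -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter "(&(objectClass=pKIEnrollmentService)(certificateTemplates=$templateCn))" `
        -Properties dNSHostName
    if (-not $issuingCAs) {
        throw "Template '$templateCn' exists but is not published on any enterprise CA; djoin would fail with 0x80094800"
    }

    # /policynames takes the GPO display name, so only existence needs checking.
    $gpo = Get-GPO -Name $PolicyDisplayName -Domain $Domain -Server $DcName -ErrorAction Stop

    $cmd = 'djoin /provision /domain {0} /machine {1} /dcname {2} /rootcacerts /policynames "{3}" /certtemplate "{4}" /savefile "{5}"' -f `
        $Domain, $MachineName, $DcName, $gpo.DisplayName, $templateCn, $SaveFile

    [pscustomobject]@{
        TemplateDisplayName = $template.displayName
        TemplateName        = $templateCn            # the value djoin actually wants
        IssuingCAs          = @($issuingCAs | ForEach-Object dNSHostName)
        PolicyName          = $gpo.DisplayName
        DjoinCommand        = $cmd
    }
}

# Usage with the values from this lab (constructed sample input):
Test-DjoinProvisioningInputs -Domain 'Contoso.local' -MachineName 'PandaLaptop6' `
    -DcName 'contoso-dc01.contoso.local' -PolicyDisplayName 'DirectAccess Client Settings' `
    -TemplateDisplayName 'DirectAccess IPSec Clients' -SaveFile 'c:\Provisions\PandaLaptop6.txt'
```

Run it on the provisioning server as the account that will run djoin. The returned DjoinCommand string uses the resolved common name (DirectAccessIPSecClients in this lab), and the IssuingCAs list tells you which CA will actually issue the computer certificate that gets embedded in the provisioning file.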
I copied the TXT metadata file to my newly installed Windows 8 computer and ran the syntax below to join the domain.
djoin /requestODJ /loadfile c:\PandaLaptop6.txt /windowspath %SystemRoot% /localos
Then I rebooted my remote Windows 8 computer. As this computer already had internet connectivity, DirectAccess got activated and I was able to log in to the Contoso.local domain. Isn't it beautiful?
Watch out for other Windows Server 2012 DirectAccess articles.