As some systems administrators have already found out, on Microsoft Windows Servers some tasks cannot be performed using the Graphical User Interface (GUI). Although multiple vendors have released graphical tools to make these tasks even more tedious easier for the typical click-on-through Windows Admin, these tasks can easily be performed using the built-in command tools.

As you might have noticed already, the more complex features of Active Directory Domain Services are hidden from plain sight and into the command-line. In Windows Server 2008 R2, a couple of new command-line gems were added by the Active Directory team. Let’s check them out!

Note:
Other new features are also command-line only, but not in the traditional sense. Find out more in part 6 of this series!

In this blogpost: Offline Domain Join Creating IFM media with SYSVOLs

Offline Domain Join

Command to use

• djoin.exe

When you want to join a Windows computer to an Active Directory domain, in the past, you would have needed a direct connection with a Domain Controller.

Windows Server 2008 R2 and Windows 7 change that game. With the feature called Offline Domain Join, you can now join a (pre-staged) computer to an Active Directory domain, without a dedicated connection. The Domain Controller no longer needs to ‘see’ the client and the client does not need to meet the Domain Controller.

The Offline Domain Join feature is achieved using a blob. The blob contains all the information a client (or member-server) needs to join the domain. You create the blob on the Domain Controller using the djoin.exe command.

You can use the contents of the blob on the client or soon-to-be member server using the djoin.exe command or by injecting the blob into the system using an answer file in combination with Windows Setup or the Windows Mini Setup, through the System Preparation Tool (sysprep.exe)

To create an Offline Domain Join blob on the Domain Controller, run the following command:

djoin.exe /PROVISION /DOMAIN Domain.tld /MACHINE ClientName /SAVEFILE D:\OfflineProvisioning\ClientName.txt

You can then use the blob you created on a Windows 7 or Windows Server 2008 R2-based Windows installation to join it to the domain in an offline fashion, using the following command:

djoin.exe /REQUESTODJ /LOADFILE C:\Djoin\clientname.txt /WINDOWSPATH C:\Windows

After the client successfully works through the command, the would-be client reboots as a member of the Active Directory domain. On first contact between the client and the Active Directory domain, the client would reset its Computer Account password.

More information:

• Offline Domain Join (Djoin.exe) Step-by-Step Guide (Online version)
• What's New in AD DS: Offline Domain Join
• Windows 2008R2 features part I: Offline domain join
• Windows 2008R2 features part I: Offline domain join
• How do I perform an offline domain join in Windows Server 2008 R2 ?
• Windows Server 2008 R2: Offline Domain Join Step-by-Step Guide
  Requirements when Joining a Domain
• Domain Users Cannot Join Workstation or Server to a Domain
• Will Windows 7’s “offline domain join” finally rid us of all the third party “fast sysprep” functions? No 🙁

Creating IFM media with SYSVOLs

Command to use:

• ntdsutil.exe
• dcpromo.exe

Note:
You will need a Windows Server 2008 R2 Domain Controller to create “Install from Media” (IFM) media with System Volumes (SYSVOLs) included. To use the IFM media, the additional Domain Controller must also be running Windows Server 2008 R2.

Install from Media (IFM) is an additional Active Directory Domain Controller promotion method, where you reduce the replication traffic that is initiated during the promotion. You perform an “Install from IFM” using IFM Media. You create these media with ntdsutil.exe.

In organizations with large System Volumes (SYSVOLs) the initial replication during the installation of an additional domain controller using IFM, would still take long and require significant bandwidth and data usage.  Starting from Windows Server 2008 R2, you can also include the System Volume in IFM media. This will further reduce (not completely eliminate though) traffic.

When creating IFM media, take note of the following:

• IFM media must be created on a Domain Controller in the same domain as you want to promote the additional Domain Controller;
• When you want to install a Global Catalog server from IFM, create IFM media on a Global Catalog server;
• When you want to make the additional Domain Controller a DNS Server, create IFM media on a Domain Controller with a DNS Server installed;
• You can use a 32-bit domain controller to generate installation media for a 64-bit domain controller; the reverse is also true.

To create IFM media in the IFM folder with the System Volume included, in order to create a writeable additional Domain Controller, run the following command:

ntdsutil.exe "act inst NTDS" ifm "Create Sysvol Full C:\IFM” q q

To create IFM media to create an additional Read-only Domain Controller, run the following command:

ntdsutil.exe "act inst NTDS" ifm "Create Sysvol RODC C:\IFM" q q

Then, after you copy the contents of the target IFM folder to the additional domain controller, to promote it, use dcpromo.exe and use the advanced mode installation. When you’re really cool, you’d use an unattend file or script to dcpromo.exe command with the ReplicationSourcePath option.

More information:

• Installing AD DS from Media
• Installing an Additional Domain Controller by Using IFM
• Having Issues Promoting a New Domain Controller over VPN?
• Active Directory Backups and Snapshots