Offline domain join

The Offline domain join step is used to join a computer to an Active Directory (AD) domain. The needed AD computer account will be created by the DeployR service, so the DeployR service account (typically the computer account) needs to be delegated the rights to perform this action. The resulting "offline domain join" blob is sent back to the device and injected to complete the join process.

Specify the naming pattern to use for the computer, the domain name (DNS), and optionally the OU path (e.g. "OU=My Computers"). Note that Windows does not support specifying containers (e.g. "CN=Computers", which is the default if no OU is specified).

For the computer naming pattern, any valid task sequence variable can be specified in the name, using the "%VARIABLENAME%" mechanism. You can also specify substrings from that value. Some examples:

• %SERIALNUMBER:10% will select the first 10 characters of the SERIALNUMBER task sequence variable.

• %MAKE:-5% will select the last 5 characters of the MAKE task sequence variable.

• %RAND:8% will generate a random number eight digits long.

Note that the resulting computer name should be a valid Windows computer name (no spaces, limited special characters). If more complex names are required, these can be generated via a script that sets the COMPUTERNAME task sequence variable. When that value is set, it will override whatever is configured in this step.

If no computer name value is specified, "PC-%RAND:8%" will be used as a default.

To grant the DeployR server rights to join workstations to a domain:

Granting Rights - GPO (Part 1)

1. Open Group Policy Management on a system that has it installed.

2. Double-click the name of the forest, double-click Domains, double-click the name of the domain in which you want to join a computer, right-click Default Domain Policy, and then click Edit.

3. In the console tree, double-click Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click User Rights Assignment.

4. In the details pane, double-click Add workstations to domain.

5. Select the Define these policy settings check box, click Add User or Group, and then click on Browse on the Add User or Group window.

6. On the Select Users, Computers, Service Accounts, or Groups window, click on Object Types, select Computers, and then click OK.

7. Type the name of the DeployR server, and then click OK twice.

The DeployR server should now have rights to join workstations to the domain.

Granting Rights - Delegate control in AD (Part 2)

Delegate control to create computer accounts by the ODJ service

Because the ODJ service can create computer accounts in AD, it is important to limit the scope where the service can make changes to AD. It is highly recommended to limit the ODJ service to create only computer accounts in a single AD OU.

Before you delegate control to create computer accounts, prevent unprivileged users from joining computers to the domain by setting the ms-DS-MachineAccountQuota attribute to 0. For more information, see Microsoft Documentation: Default limit to number of workstations a user can join to the domain.

1. Open Active Directory Users and Computers and connect to the domain where you want the computer accounts created.

2. Right-click the domain, select New > Organizational Unit, enter a name for the OU, and then click OK.

3. Right-click the OU, click Delegate Control..., click Next, and then click Add....

   1. For Select this object type:, click Object Types..., select Computers, and then click OK.

   2. For Enter the Name of the DeployR Server Object,which is running the ODJ process, click Check Names, click OK, and then click Next.

   3. Select Create a custom task to delegate and then click Next.

   4. Select the following options and then click Next.

      • Only the following objects in the folder:

      • Computer objects

      • Create selected objects in the folder

      • Delete selected objects in this folder

   5. Select the following permissions, click Next, and then click Finish.

      • Read All Properties

      • Write All Properties

      • Change Password

      • Reset Password

      • Read and write account restrictions

      • Validated write to DNS host name

      • Validated write to service principal name

4. This OU will be the one that you'll be able to join machines to using DeployR Offline Domain Join Step.

Offline Domain Join Behavior | Things to Note

• When using ODJ, you must have Security enabled in DeployR, either a passcode or Entra for the DeployR Service to allow the update / modification of an AD Object. This is NOT a requirement if it is a new computer object.

• If redeploying a machine already in AD, the Computer object must already be in an OU that the DeployR server has been delegated rights to.

• If redeploying a machine already in AD, the object will not move to a new OU, even if you specifiy a different OU in the Task Sequence. If you need it moved, you will need to move it manually in ADUC, or delete the object first so DeployR can create it in the desired location.

Troubleshooting

• Check the event log for an audit record of the Offline domain Join request

  • Applications & Services Logs -> TwoPintSoftware -> DeployR -> Audit -> Operational

  
• Confirm the DeployR Server was setup in Group Policy to with the rights to join devices in the OU you specified:

  

  

Client DeployR Log

Confirm the Step initialization (Step Init) that the Setting OU and Domain are correct:

Then a successful join will look like:

Failed Attempt in Log

Error RC 2224, this happens when you don't have a passcode or security setup and you try to overwrite an object in AD. Aka, you're deploying a computer that's already in AD with the same name, it finds there is already an object, so it fails out because it doesn't have permissions.

Error RC 8557 typically means the quota has been filled, by default it's 10 domain joins. Once you've delegated rights properly, you will not see this error.