search

Offline domain join

The Offline domain join step is used to join a computer to an Active Directory (AD) domain. The needed AD computer account will be created by the DeployR service, so the DeployR service account (typically the computer account) needs to be delegated the rights to perform this action. The resulting "offline domain join" blob is sent back to the device and injected to complete the join process.

Specify the naming pattern to use for the computer, the domain name (DNS), and optionally the OU path (e.g. "OU=My Computers"). Note that Windows does not support specifying containers (e.g. "CN=Computers", which is the default if no OU is specified).

circle-info

Do NOT use the Computer [ex: CN=Computers,DC=2P,DC=garytown,DC=com] container as your organizational unit, as it's not an OU and will break the offline domain function.

For the computer naming pattern, any valid task sequence variable can be specified in the name, using the "%VARIABLENAME%" mechanism. You can also specify substrings from that value. Some examples:

  • %SERIALNUMBER:10% will select the first 10 characters of the SERIALNUMBER task sequence variable.

  • %MAKE:-5% will select the last 5 characters of the MAKE task sequence variable.

  • %RAND:8% will generate a random number eight digits long.

Note that the resulting computer name should be a valid Windows computer name (no spaces, limited special characters). If more complex names are required, these can be generated via a script that sets the COMPUTERNAME task sequence variable. When that value is set, it will override whatever is configured in this step.

If no computer name value is specified, "PC-%RAND:8%" will be used as a default.

To grant the DeployR server rights to join workstations to a domain:

  1. Open Group Policy Management on a system that has it installed.

  2. Double-click the name of the forest, double-click Domains, double-click the name of the domain in which you want to join a computer, right-click Default Domain Policy, and then click Edit.

  3. In the console tree, double-click Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click User Rights Assignment.

  4. In the details pane, double-click Add workstations to domain.

  5. Select the Define these policy settings check box, click Add User or Group, and then click on Browse on the Add User or Group window.

  6. On the Select Users, Computers, Service Accounts, or Groups window, click on Object Types, select Computers, and then click OK.

  7. Type the name of the DeployR server, and then click OK twice.

The DeployR server should now have rights to join workstations to the domain.

circle-info

Note: If the computer name specified already exists in Active Directory, the offline domain join will fail. This is a security precaution today, to ensure that the wrong computer is not disabled.

hashtag
Troubleshooting

  • Check the event log for an audit record of the Offline domain Join request

    • Applications & Services Logs -> TwoPintSoftware -> DeployR -> Audit -> Operational

  • Confirm the DeployR Server was setup in Group Policy to with the rights to join devices in the OU you specified:

hashtag
Client DeployR Log

Confirm the Step initialization (Step Init) that the Setting OU and Domain are correct:

Then a successful join will look like:

hashtag
Failed Attempt in Log

Error RC 2224, this happens when you don't have a passcode or security setup and you try to overwrite an object in AD. Aka, you're deploying a computer that's already in AD with the same name, it finds there is already an object, so it fails out because it doesn't have permissions.

Last updated