# Offline domain join

The **Offline domain join** step joins a computer to an Active Directory (AD) domain. The required AD computer account is created by the DeployR service, so the DeployR service account (typically the DeployR server's computer account) must be delegated the rights to do so. The resulting "offline domain join" blob is sent back to the device and injected to complete the join.

<figure><img src="https://744643921-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJO9NLelA0RS8JB4i9oaQ%2Fuploads%2FaRvp268GUPJXLdLZbPkY%2Fimage.png?alt=media&#x26;token=f050fe77-4320-4df4-807d-1b510d77cd0b" alt=""><figcaption></figcaption></figure>

Specify the naming pattern to use for the computer, the domain name (DNS), and optionally the OU path (e.g. "OU=My Computers"). Note that Windows does not support specifying a container here (e.g. "CN=Computers", which is where the account is created if no OU is specified).

{% hint style="info" %}
Do NOT use the Computers container (e.g. CN=**Computers**,DC=2P,DC=2pintdemo,DC=com) as your organizational unit: it is not an OU and will break the offline domain join function.
{% endhint %}

For the computer naming pattern, any valid task sequence variable can be specified in the name, using the "%VARIABLENAME%" mechanism.  You can also specify substrings from that value.  Some examples:

* %SERIALNUMBER:10% will select the first 10 characters of the SERIALNUMBER task sequence variable.
* %MAKE:-5% will select the last 5 characters of the MAKE task sequence variable.
* %RAND:8% will generate a random number eight digits long.

Note that the resulting computer name must be a valid Windows computer name (no spaces, limited special characters). If more complex names are required, generate them with a script that sets the COMPUTERNAME task sequence variable. When that variable is set, it overrides whatever is configured in this step.

If no computer name value is specified, "PC-%RAND:8%" will be used as a default.
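The pattern rules above, worked through as an added PowerShell example (not DeployR's own code, and not how DeployR implements them internally). It expands `%VAR%`, `%VAR:N%`, `%VAR:-N%` and `%RAND:N%` from a constructed set of task sequence variables, then checks the result against the usual NetBIOS computer-name constraints; those constraints (1-15 characters, letters/digits/hyphen, not purely numeric) are an assumption about what DeployR and Windows accept.

```powershell
# Added example (not DeployR's own code): expands a DeployR-style naming pattern
# from constructed task sequence variables and checks the result is a usable
# computer name. The NetBIOS rules applied (1-15 chars, letters/digits/hyphen,
# not purely numeric) are an assumption about what DeployR/Windows accept.
function Expand-ComputerNamePattern {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][hashtable]$TsVariables   # stand-in for the TS environment
    )
    $evaluator = {
        param($m)
        $name = $m.Groups['name'].Value
        $len  = $m.Groups['len'].Value        # '' when no :N suffix was given
        if ($name -eq 'RAND') {
            if (-not $len) { throw 'RAND needs a length, e.g. %RAND:8%' }
            $digits = [int]$len
            # Zero-padded random number of exactly $digits digits
            return (Get-Random -Maximum ([int64][math]::Pow(10, $digits))).ToString().PadLeft($digits, '0')
        }
        if (-not $TsVariables.ContainsKey($name)) { throw "Task sequence variable '$name' is not set" }
        $value = [string]$TsVariables[$name]
        if (-not $len) { return $value }
        $n = [int]$len
        if ($n -ge 0) { return $value.Substring(0, [math]::Min($n, $value.Length)) }  # first N chars
        return $value.Substring([math]::Max(0, $value.Length + $n))                    # last N chars
    }.GetNewClosure()
    # Tokens look like %NAME%, %NAME:N% (first N chars) or %NAME:-N% (last N chars)
    return [regex]::Replace($Pattern, '%(?<name>[A-Za-z0-9_]+)(?::(?<len>-?\d+))?%',
                            [System.Text.RegularExpressions.MatchEvaluator]$evaluator)
}

function Test-ComputerName {
    param([Parameter(Mandatory)][string]$Name)
    # Assumed NetBIOS constraints: 1-15 chars, letters/digits/hyphen, not all digits
    return ($Name.Length -ge 1 -and $Name.Length -le 15 -and
            $Name -match '^[A-Za-z0-9-]+$' -and $Name -notmatch '^\d+$')
}

# Constructed sample variables; real values come from the task sequence
$ts = @{ SERIALNUMBER = '5CD1234XYZ9876'; MAKE = 'Hewlett-Packard' }
foreach ($p in 'HP-%SERIALNUMBER:10%', '%MAKE:-5%-%RAND:8%', 'PC-%RAND:8%', 'Lab PC %SERIALNUMBER%') {
    $n = Expand-ComputerNamePattern -Pattern $p -TsVariables $ts
    '{0,-24} -> {1,-16} valid: {2}' -f $p, $n, (Test-ComputerName -Name $n)
}
```

The last sample pattern produces a name with a space and more than 15 characters, which is the kind of result that should be caught before the step runs; a script that sets COMPUTERNAME would apply the same validation before handing the name to DeployR.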

This step can be performed at any time in the task sequence. We recommend running it in the full OS, but that is not required: ODJ also works from Windows PE. All the step does is inject the blob into the OS; the join itself completes on boot (even if the device cannot reach a DC at that point).

To grant the DeployR server rights to join workstations to a domain:

## Granting Rights - GPO (Part 1)

1. Open **Group Policy Management** on a system that has it installed.
2. Double-click the name of the forest, double-click **Domains**, double-click the name of the domain in which you want to join a computer, right-click **Default Domain Policy**, and then click **Edit**.
3. In the console tree, double-click **Computer Configuration**, double-click **Policies**, double-click **Windows Settings**, double-click **Security Settings**, double-click **Local Policies**, and then double-click **User Rights Assignment**.
4. In the details pane, double-click **Add workstations to domain**.
5. Select the **Define these policy settings** check box, click **Add User or Group**, and then click on **Browse** on the **Add User or Group** window.
6. On the **Select Users, Computers, Service Accounts, or Groups** window, click on **Object Types**, select **Computers**, and then click **OK**.
7. Type the name of the DeployR server, and then click **OK** twice.

The DeployR server should now have rights to join workstations to the domain.

## Granting Rights - Delegate control in AD (Part 2)

### Delegate control to create computer accounts by the ODJ service

Because the ODJ service can create computer accounts in AD, it is important to limit the scope where the service can make changes to AD. It is highly recommended to limit the ODJ service to create only computer accounts in a single AD OU.

Before you delegate control to create computer accounts, prevent unprivileged users from joining computers to the domain by setting the **ms-DS-MachineAccountQuota** attribute to 0. For more information, see [Microsoft Documentation: Default limit to number of workstations a user can join to the domain](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/default-workstation-numbers-join-domain).

1. Open **Active Directory Users and Computers** and connect to the domain where you want the computer accounts created.
2. Right-click the domain, select **New > Organizational Unit**, enter a name for the OU, and then click **OK**.
3. Right-click the OU, click **Delegate Control...**, click **Next**, and then click **Add...**.
   1. For **Select this object type:**, click **Object Types...**, select **Computers**, and then click **OK**.
   2. Enter the name of the DeployR server object (the one running the ODJ process), click **Check Names**, click **OK**, and then click **Next**.
   3. Select **Create a custom task to delegate** and then click **Next**.
   4. Select the following options and then click **Next**.
      * **Only the following objects in the folder:**
      * **Computer objects**
      * **Create selected objects in the folder**
      * **Delete selected objects in this folder**
   5. Select the following permissions, click **Next**, and then click **Finish**.
      * **Read All Properties**
      * **Write All Properties**
      * **Change Password**
      * **Reset Password**
      * **Read and write account restrictions**
      * **Validated write to DNS host name**
      * **Validated write to service principal name**
4. **This is the OU you will be able to join machines to using the DeployR Offline Domain Join step.**
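An added PowerShell check (not part of DeployR or this page) for the two prerequisites set up above: that **ms-DS-MachineAccountQuota** is 0 at the domain level, and that the DeployR server's computer account holds create/delete rights for computer objects on the delegated OU. It assumes the RSAT ActiveDirectory module is installed; the OU path and the server name DEPLOYR01 are placeholders for your own values.

```powershell
# Added example (not DeployR's own code): checks the two prerequisites from the
# procedure above. Assumes the RSAT ActiveDirectory module; the OU path and the
# server name DEPLOYR01 are placeholders for your own values.
Import-Module ActiveDirectory

# Schema GUID of the 'computer' object class as it appears in object-specific ACEs
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Get-MachineAccountQuota {
    # Domain-level ms-DS-MachineAccountQuota; Windows defaults this to 10
    $dn = (Get-ADDomain).DistinguishedName
    return (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Test-DeployROuDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,   # e.g. 'OU=DeployR Computers,DC=example,DC=com'
        [Parameter(Mandatory)][string]$DeployRServer          # computer name without the trailing '$'
    )
    # A computer account shows up in ACLs as DOMAIN\NAME$
    $identity = '{0}\{1}$' -f (Get-ADDomain).NetBIOSName, $DeployRServer
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    # Only direct Allow ACEs for the server account are considered; rights granted
    # through group membership would need the group's ACEs checked instead
    $aces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $identity
    })
    # Create/Delete child rights count if they apply to all classes (empty GUID)
    # or specifically to the computer class
    $scoped = $aces | Where-Object { $_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $ComputerClassGuid }
    $create = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $delete = [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
    return [pscustomobject]@{
        Identity           = $identity
        AceCount           = $aces.Count
        CanCreateComputers = [bool]($scoped | Where-Object { $_.ActiveDirectoryRights.HasFlag($create) })
        CanDeleteComputers = [bool]($scoped | Where-Object { $_.ActiveDirectoryRights.HasFlag($delete) })
    }
}

# Usage with placeholder values
$quota = Get-MachineAccountQuota
"ms-DS-MachineAccountQuota = $quota" + $(if ($quota -ne 0) { '  <-- should be 0 before delegating' })
Test-DeployROuDelegation -OuDistinguishedName 'OU=DeployR Computers,DC=example,DC=com' -DeployRServer 'DEPLOYR01'
```

If the quota is not 0, the recommended value can be applied with `Set-ADObject -Identity (Get-ADDomain).DistinguishedName -Replace @{'ms-DS-MachineAccountQuota'=0}` by an account with rights on the domain object.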

### Offline Domain Join Behavior | Things to Note

* When using ODJ to update or modify an existing AD computer object, Security must be enabled in DeployR (either a passcode or Entra) for the DeployR service. This is NOT a requirement when the computer object is new.
* If redeploying a machine already in AD, the Computer object must already be in an OU that the DeployR server has been delegated rights to.
* If redeploying a machine already in AD, the object will not move to a new OU, even if you specify a different OU in the task sequence. If you need it moved, move it manually in ADUC, or delete the object first so DeployR can create it in the desired location.

### Troubleshooting

* Check the event log for an audit record of the Offline Domain Join request

  * Applications & Services Logs -> TwoPintSoftware -> DeployR -> Audit -> Operational

  <figure><img src="https://744643921-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJO9NLelA0RS8JB4i9oaQ%2Fuploads%2Fv2YsIplAkgPL8nLIGrJZ%2Fimage.png?alt=media&#x26;token=bebc1487-f1ac-4a96-8ba8-387ad5f3744c" alt=""><figcaption></figcaption></figure>
* Confirm the DeployR server was set up in Group Policy with the rights to join devices in the OU you specified:

  <figure><img src="https://744643921-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJO9NLelA0RS8JB4i9oaQ%2Fuploads%2FNXYPQyDNNBB22KCu1WTp%2Fimage.png?alt=media&#x26;token=639cceb5-484e-47be-bb54-c6cf4c429906" alt=""><figcaption></figcaption></figure>

  <figure><img src="https://744643921-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJO9NLelA0RS8JB4i9oaQ%2Fuploads%2F6VQJJwqYP8Th3uKIbMvt%2Fimage.png?alt=media&#x26;token=9bc1a5ed-539e-474a-87d2-241c53559d01" alt=""><figcaption></figcaption></figure>

#### Client DeployR Log

In the step initialization (Step Init) entries, confirm that the OU and Domain settings are correct:

<figure><img src="https://744643921-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJO9NLelA0RS8JB4i9oaQ%2Fuploads%2FJ0H6BjJUcyWp5ST7DgEi%2Fimage.png?alt=media&#x26;token=d2de7a93-8969-40c9-b422-b4bb4841b41b" alt=""><figcaption></figcaption></figure>

Then a successful join will look like:

<figure><img src="https://744643921-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJO9NLelA0RS8JB4i9oaQ%2Fuploads%2F9j3FhYY4OaoqpfgJCXxz%2Fimage.png?alt=media&#x26;token=a8ccbe18-f625-4c4b-b755-8a8f93ccfa05" alt=""><figcaption></figcaption></figure>

#### Failed Attempt in Log

**Error RC 2224** occurs when security (a passcode or Entra) is not set up and the step tries to overwrite an existing object in AD: you are deploying a computer that already exists in AD under the same name, the step finds the existing object, and it fails because it does not have permission to modify it.

<figure><img src="https://744643921-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJO9NLelA0RS8JB4i9oaQ%2Fuploads%2FyyhQQ3AO3cUKFZ7dMgXG%2Fimage.png?alt=media&#x26;token=b053d06c-39ce-49d4-a5c1-a30f476ba434" alt=""><figcaption></figcaption></figure>

<figure><img src="https://744643921-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJO9NLelA0RS8JB4i9oaQ%2Fuploads%2F6i2stmY87wj3YKPddkXn%2Fimage.png?alt=media&#x26;token=0c80f1de-591d-48af-a3b3-a456dedbe034" alt=""><figcaption></figcaption></figure>

**Error RC 8557** typically means the machine account quota (**ms-DS-MachineAccountQuota**) has been exhausted; by default it allows 10 domain joins. Once you have delegated rights properly, you will not see this error.
