Offline Domain Join - Recreating the Blob file using PowerShell

When you need to join a machine to Active Directory, it is a pretty straightforward task using either the user interface or the PowerShell cmdlet available for that purpose.

However, in some situations you don't have network connectivity and need to rely on Offline Domain Join, using the Djoin.exe tool. Typically you use djoin in two phases. First, you generate a provisioning file that you drop on a newly deployed machine. In the second phase you run djoin with that file as a parameter, and the machine is joined to the domain without any connection to a domain controller.

My problem
Using that same method, I recently had a tricky problem to solve. The environment where I was doing this was very locked down and did not allow me to copy files to the newly provisioned machine.

Fortunately, the system handling the deployment could perform actions on other systems and gather data. I could rely on something like System Center Orchestrator (or SMA) and get the content of the blob file over HTTP/HTTPS by invoking a runbook.

Recreating the djoin file from that content was a bit trickier: djoin is really picky about how the file is created (see here and here for more information).

Using Djoin

Djoin ships with Windows client and server editions since Windows 7 and Windows Server 2008 R2. Djoin requires administrator privileges, so you have to run the tool from an elevated command prompt. Of course, you also need an account that has sufficient rights to create domain computer accounts.

1 - First, run Djoin.exe to provision the computer account metadata. When you run the provisioning command, the computer account metadata is written to a blob .txt file whose name you specify as part of the command.

djoin /provision /domain fx.lab /machine testdjoin01 /savefile provisioning.txt

2 - This blob then has to be copied to the new machine and used to offline domain join it.

djoin /requestODJ /loadfile provisioning.txt /windowspath %SystemRoot% /localos

Here is what we see when we open the output file (provisioning.txt):

And here it is in a hexadecimal editor: the first two bytes, FF FE, are the UTF-16 LE byte order mark, which tells you the file is a Unicode (UTF-16 LE) text file holding a base64-encoded string.

Copying the content of the blob to another file

Creating a copy of the file is easy. Even reading the content on the same machine and dumping it into another file works, as long as the Unicode encoding is preserved; djoin will accept those files.

# Read the original blob file as UTF-16 LE and write it back out with the same encoding
Get-Content provisioning.txt -Encoding Unicode |
Set-Content newfile.txt -Encoding Unicode

Recreating the djoin blob file from the content

Using djoin with the same parameters we used to create the blob earlier, we add the /PRINTBLOB parameter, which also writes the blob to the console.

The output can then be stored in a variable and parsed to retrieve only the blob:

# Store the djoin console output (one string per output line)
$djoin = djoin /provision /domain fx.lab /machine testdjoin02 /savefile provisioning /printblob

# Get the blob: keep only the output line made entirely of base64 characters
# (assumes djoin prints the blob on its own line, which is what /printblob does)
$Blob = $djoin | Where-Object { $_ -match '^[A-Za-z0-9+/]+=*$' } | Select-Object -First 1

Next, this string can be passed across the network using tools such as System Center Orchestrator or SMA. (I won't demonstrate this part in this post)

Finally, on the newly deployed machine, we can recreate the blob file using New-DjoinFile, a function available on GitHub.

# Blob generated earlier on the provisioning machine (paste the base64 string here)
$Blob = "<Blob generated previously on the domain machine>"

# Recreate the djoin file from the blob
New-DjoinFile -Blob $Blob -DestinationFile $home\desktop\blob.txt -Verbose

You can now use Djoin.exe with the file blob.txt to join your new machine to the domain:

Download the function from Github.

Now, if you compare the file generated by djoin.exe with the one recreated by New-DjoinFile, they should have the same content, byte for byte.
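The following is an added example, not the New-DjoinFile function from GitHub. It shows the round trip in both directions (reading the blob out of a djoin-generated file and writing it back into a new file) plus the byte-for-byte comparison the post recommends. The function names Read-DjoinBlob, Write-DjoinBlob and Compare-DjoinFile are hypothetical, and the assumed file layout (UTF-16 LE BOM, the base64 string as UTF-16 LE text, then a terminating null character) is taken from the hex dump discussed above; the compare step is there precisely so you can confirm that assumption against a file djoin.exe /provision wrote.

```powershell
# Added example (not the New-DjoinFile function from GitHub).
# Assumed layout of a djoin provisioning file: FF FE (UTF-16 LE BOM), the base64
# blob as UTF-16 LE text, then one terminating null character.

function Read-DjoinBlob {
    # Extract the base64 blob from an existing djoin provisioning file.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $bom   = [System.Text.Encoding]::Unicode.GetPreamble()   # FF FE
    if ($bytes.Length -lt 2 -or $bytes[0] -ne $bom[0] -or $bytes[1] -ne $bom[1]) {
        throw "$Path does not start with the UTF-16 LE BOM (FF FE) that djoin expects."
    }
    # Decode everything after the BOM; drop the terminating null(s) and any
    # line ending that a Get-Content | Set-Content copy may have appended.
    $text = [System.Text.Encoding]::Unicode.GetString($bytes, 2, $bytes.Length - 2)
    $blob = $text.TrimEnd([char[]]@([char]0, [char]13, [char]10))
    if ($blob -notmatch '^[A-Za-z0-9+/]+=*$') {
        throw "Content of $Path is not a single base64 string."
    }
    return $blob
}

function Write-DjoinBlob {
    # Recreate a provisioning file from the blob string, using the assumed layout above.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Blob,
        [Parameter(Mandatory)][string]$DestinationFile
    )
    $Blob = $Blob.Trim()
    if ($Blob -notmatch '^[A-Za-z0-9+/]+=*$') { throw "Blob is not a base64 string." }

    $enc   = [System.Text.Encoding]::Unicode
    # BOM + blob text + null terminator, written as raw bytes so nothing is added silently
    $bytes = [byte[]]($enc.GetPreamble() + $enc.GetBytes($Blob) + $enc.GetBytes("`0"))
    [System.IO.File]::WriteAllBytes($DestinationFile, $bytes)
    Write-Verbose ("Wrote {0} bytes to {1}" -f $bytes.Length, $DestinationFile)
    return (Get-Item $DestinationFile)
}

function Compare-DjoinFile {
    # Byte-for-byte comparison; returns $true when identical, otherwise reports the first difference.
    param(
        [Parameter(Mandatory)][string]$ReferenceFile,
        [Parameter(Mandatory)][string]$DifferenceFile
    )
    $a = [System.IO.File]::ReadAllBytes($ReferenceFile)
    $b = [System.IO.File]::ReadAllBytes($DifferenceFile)
    if ($a.Length -ne $b.Length) {
        Write-Warning ("Length differs: {0} vs {1} bytes" -f $a.Length, $b.Length)
        return $false
    }
    for ($i = 0; $i -lt $a.Length; $i++) {
        if ($a[$i] -ne $b[$i]) {
            Write-Warning ("First difference at offset 0x{0:X}: {1:X2} vs {2:X2}" -f $i, $a[$i], $b[$i])
            return $false
        }
    }
    return $true
}

# Usage, on the provisioning machine (provisioning.txt written by djoin /provision as above):
#   $blob = Read-DjoinBlob -Path .\provisioning.txt
# Send $blob over your channel (for example an Orchestrator/SMA runbook), then on the target:
#   Write-DjoinBlob -Blob $blob -DestinationFile "$home\desktop\blob.txt" -Verbose
#   Compare-DjoinFile -ReferenceFile .\provisioning.txt -DifferenceFile "$home\desktop\blob.txt"
```

If Compare-DjoinFile reports a difference at the very end of the file, the terminator assumption is what to check first: look at the trailing bytes of the djoin-generated file in the hex editor and adjust Write-DjoinBlob accordingly. Handle the blob string itself like a credential while it is in transit, since it is what lets the target machine complete the join: prefer the HTTPS option the post mentions over plain HTTP, and avoid echoing it into runbook or transcript logs.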

Original file:

File created with New-DjoinFile:

More information

  • http://www.win7dll.info/netjoin_dll.html
  • http://www.msuiche.net/2009/01/29/windows-7-and-windows-server-2008-r2-djoin-offline-domain-join-utility/
  • http://mctexpert.blogspot.com/2016/03/just-for-fun-storing-blob-files-as-xml.html
