Remote joining Active Directory

Today I found myself in an odd situation. A remote work PC needed to join Active Directory, but the VPN would not work unless the PC was already in the domain. Catch 22. After some searching and reading, I found that with “DJOIN” (Windows 7 and later) the PC can be joined offline: a domain-joined machine provisions a computer account and writes it to a blob file, and the remote PC consumes that blob without ever talking to a domain controller. DJOIN is bundled with the system by default. Here’s what to do:

On a trusted PC:

  1. Open a CMD prompt as the appropriate Domain Admin or delegated account.
  2. Run: djoin /provision /domain ad.example.com /machine PC-NAME /reuse /savefile blob.txt
  3. Copy blob.txt to the PC (over a secure channel; the blob carries the new machine account’s credentials, so treat it as a secret and delete it once it has been used).

On remote PC:

  1. Open an elevated CMD prompt (right-click CMD and select Run as administrator).
  2. Run: djoin /requestODJ /loadfile blob.txt /windowspath %SystemRoot% /localos
  3. Reboot.
  4. I still had to log in as the local account and establish the VPN connection, which this time worked just fine.
  5. Once the VPN is running, switch user (Win+L).
  6. Log in as ad\username.

Presto! From here on, I disconnected the VPN from my local account and started it again with the AD account.
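The same two-sided procedure as an added PowerShell example (not code from the original post): it wraps the djoin calls above with exit-code checks, cleans up the blob after it has been consumed, and adds a post-reboot check of the machine account. The domain name, machine name and blob path are placeholders to be replaced.

```powershell
# Added example, not part of the original post. Domain, machine name and
# blob path are assumed placeholders. The blob is a secret (it carries the
# new machine account's credentials), so it is removed once consumed.

# --- On the trusted, domain-joined PC (Domain Admin or delegated account) ---
function New-OfflineJoinBlob {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [ValidateLength(1, 15)] [string] $MachineName,  # NetBIOS limit
        [string] $BlobPath = (Join-Path $env:TEMP 'blob.txt')
    )
    # /reuse resets the password of an existing computer account with this name,
    # so only use it when that account really belongs to the PC being joined.
    & djoin.exe /provision /domain $Domain /machine $MachineName /reuse /savefile $BlobPath
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }
    Get-Item $BlobPath
}

# --- On the remote PC, from an elevated prompt ---
function Invoke-OfflineJoin {
    param([Parameter(Mandatory)] [string] $BlobPath)
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin  = ([Security.Principal.WindowsPrincipal] $identity).IsInRole(
                    [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run this from an elevated prompt (Run as administrator).' }
    if (-not (Test-Path $BlobPath)) { throw "Blob not found: $BlobPath" }

    & djoin.exe /requestODJ /loadfile $BlobPath /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }

    Remove-Item $BlobPath -Force   # single-use secret; do not leave it on disk
    Write-Host 'Offline join staged. Reboot, then bring up the VPN as the local account.'
}

# --- After the reboot, with the VPN up, before switching to an AD user ---
function Test-OfflineJoinResult {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        PartOfDomain  = $cs.PartOfDomain
        Domain        = $cs.Domain
        SecureChannel = Test-ComputerSecureChannel   # $true once the machine account works
    }
}
```

Run `New-OfflineJoinBlob -Domain ad.example.com -MachineName PC-NAME` on the trusted PC, `Invoke-OfflineJoin -BlobPath .\blob.txt` on the remote PC, and `Test-OfflineJoinResult` after the reboot and VPN connection.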