Настройка direct access в windows server 2016

Configure DirectAccess in Windows Server Essentials

Applies To: Windows Server 2016 Essentials, Windows Server 2012 R2 Essentials, Windows Server 2012 Essentials

This topic provides step-by-step instructions for configuring DirectAccess in Windows Server Essentials to enable your mobile workforce to seamlessly connect to your organization’s network from any Internet-equipped remote location without establishing a virtual private network (VPN) connection. DirectAccess can offer mobile workers the same connectivity experience inside and outside the office from their Windows 8.1, Windows 8, and Windows 7 computers.

In Windows Server Essentials, if the domain contains more than one Windows Server Essentials server, DirectAccess must be configured on the domain controller.

[!NOTE]
This topic provides instructions for configuring DirectAccess when your Windows Server Essentials server is the domain controller. If the Windows Server Essentials server is a domain member, follow the instructions to configure DirectAccess on a domain member in Add DirectAccess to an Existing Remote Access (VPN) Deployment instead.

Process overview

To configure DirectAccess in Windows Server Essentials, complete the following steps.

[!IMPORTANT]
Before you use the procedures in this guide to configure DirectAccess in Windows Server Essentials, you must enable VPN on the server. For instructions, see Manage VPN.

• Step 1: Add Remote Access Management Tools to your server

• Step 2: Change the network adapter address of the server to a static IP address

• Step 3: Prepare a certificate and DNS record for the network location server

  • Step 3a: Grant full permissions to Authenticated Users for the Web server’s certificate template

  • Step 3b: Enroll a certificate for the network location server with a common name that is unresolvable from the external network

  • Step 3c: Add a new host on the DNS server and map it to the Windows Server Essentials server address

• Step 4: Create a security group for DirectAccess client computers

• Step 5: Enable and configure DirectAccess

  • Step 5a: Enable DirectAccess by using the Remote Access Management Console

  • Step 5b: Remove the invalid IPv6Prefix in RRAS GPO (Windows Server Essentials only)

  • Step 5c: Enable client computers running Windows 7 Enterprise to use DirectAccess

  • Step 5d: Configure the network location server

  • Step 5e: Add a registry key to bypass CA certification when you establish an IPsec channel

• Step 6: Configure Name Resolution Policy Table settings for the DirectAccess server

• Step 7: Configure TCP and UDP firewall rules for the DirectAccess server GPOs

• Step 8: Change the DNS64 configuration to listen to the IP-HTTPS interface

• Step 9: Reserve ports for the WinNat service

• Step 10: Restart the WinNat service

[!NOTE]
Appendix: Set up DirectAccess by using Windows PowerShell provides a Windows PowerShell script that you can use to perform the DirectAccess setup.

Step 1: Add Remote Access Management Tools to your server

To add Remote Acc®ss Management Tools ®

1. On the server, in the bottom left corner of the Start page, click the Server Manager icon.

   In Windows Server Essentials, you will need to search for Server Manager to open it. On the Start page, type Server Manager, and then click Server Manager in the search results. To pin Server Manager to the Start page, right-click Server Manager in the search results, and click Pin to Start.

2. If a User Account Control warning message displays, click Yes.

3. On the Server Manager Dashboard, click Manage, and then click Add Roles and Features.

4. In the Add Roles and Features Wizard, do the following:

   1. On the Installation Type page, click Role-based or feature-based installation.

   2. On the Server Selection page (or the Select destination server page in Windows Server Essentials), click Select a server from the server pool.

   3. On the Features page, expand Remote Server Administration Tools (Installed), expand Remote Access Management Tools (Installed), expand Role Administration Tools (Installed), expand Remote Access Management Tools, and then select Remote Access GUI and Command-Line Tools.

   4. Follow the instructions to complete the wizard.

Step 2: Change the network adapter address of the server to a static IP address

DirectAccess requires an adapter with a static IP address. You need to change the IP address for the local network adapter on your server.

To add a static IP address

1. On the Start page, open Control Panel.

2. Click Network and Internet, and then click View network status and tasks.

3. In the task pane of the Network and Sharing Center, click Change adapter settings.

4. Right-click the local network adapter, and then click Properties.

5. On the Networking tab, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

6. On the General tab, click Use the following IP address, and then type the IP address that you want to use.

   A default value for subnet mask appears automatically in the Subnet mask box. Accept the default value, or type the subnet mask value that you want to use.

7. In the Default gateway box, type the IP address of your default gateway.

8. In the Preferred DNS server box, type the IP address of your DNS server.

   [!NOTE]
   Use the IP address that is assigned to your network adapter by DHCP (for example, 192.168.X.X) instead of a loopback network (for example, 127.0.0.1). To find out the assigned IP address, run ipconfig at a command prompt.

9. In the Alternate DNS Server box, type the IP address of your alternate DNS server, if any.

10. Click OK, and then click Close.

[!IMPORTANT]
Ensure that you configure the router to forward ports 80 and 443 to the new static IP address of the server.

Step 3: Prepare a certificate and DNS record for the network location server

To prepare a certificate and DNS record for the network location server, perform the following tasks:

• Step 3a: Grant full permissions to Authenticated Users for the Web server’s certificate template

• Step 3b: Enroll a certificate for the network location server with a common name that is unresolvable from the external network

• Step 3c: Add a new host on the DNS server and map it to the Windows Server Essentials server address.

Step 3a: Grant full permissions to Authenticated Users for the Web server’s certificate template

Your first task is to grant full permissions to authenticate users for the Web server’s certificate template in the certification authority.

To grant full permissions to Authenticated Users for the Web server’s certificate template

1. On the Start page, open Certification Authority.

2. In the console tree, under Certification Authority (Local), expand <servername>-CA, right-click Certificate Templates, and then click Manage.

3. In Certification Authority (Local), right-click Web Server, and then click Properties.

4. In Web Server properties, on the Security tab, click Authenticated Users, select Full Control, and then click OK.

5. Restart Active Directory Certificate Services. In Control Panel, open View local services. In the list of services, right-click Active Directory Certificate Services, and then click Restart.

Step 3b: Enroll a certificate for the network location server with a common name that is unresolvable from the external network

Next, enroll a certificate for the network location server with a common name that is unresolvable from the external network.

To enroll a certificate for the network location server

1. On the Start page, open mmc (the Microsoft Management Console).

2. If a User Account Control warning message appears, click Yes.

   The Microsoft Management Console (MMC) opens.

3. On the File menu, click Add/Remove Snap-ins.

4. In the Add or Remote Snap-ins box, click Certificates, and then click Add.

5. On the Certificates snap-in page, click Computer account, and then click Next.

6. On the Select Computer page, click Local computer, click Finish, and then click OK.

7. In the console tree, expand Certificates (Local Computer), expand Personal, right-click Certificates, and then, in All Tasks, click Request New Certificate.

8. When the Certificate Enrollment Wizard appears, click Next.

9. On the Select Certificate Enrollment Policy page, click Next.

10. On the Request Certificates page, select the Web Server check box, and then click More information is required to enroll this certificate.

11. In the Certificate Properties box, enter the following settings for Subject Name:

    1. For Type, select Common name.

    2. For Value, type the name of the network location server (for example, DirectAccess-NLS.contoso.local), and then click Add.

    3. Click OK, and then click Enroll.

12. When certificate enrollment completes, click Finish.

Step 3c: Add a new host on the DNS server and map it to the Windows Server Essentials server address

To complete the DNS configuration, add a new host on the DNS server and map it to the Windows Server Essentials server address.

To map a new host to the Windows Server Essentials server address

1. On the Start page, open DNS Manager. To open DNS Manager, search for dnsmgmt.msc, and then click dnsmgmt.msc in the results.

2. In the DNS Manager console tree, expand the local server, expand Forward Lookup Zones, right-click the zone with server’s domain suffix, and then click New Host (A or AAAA).

3. Type the name and IP address of the server (for example, DirectAccess-NLS.contoso.local) and its corresponding server address (for example, 192.168.x.x).

4. Click Add Host, click OK, and then click Done.

Step 4: Create a security group for DirectAccess client computers

Next, create a security group to use for DirectAccess client computers, and then add the computer accounts to the group.

To add a security group for client computers that use DirectAccess

1. On the Server Manager Dashboard, click Tools, and then click Active Directory Users and Computers.

   [!NOTE]
   If you do not see Active Directory Users and Computers on the Tools menu, you need to install the feature. To install Active Directory Users and Groups, run the following Windows PowerShell cmdlet as an administrator: Install-WindowsFeature RSAT-ADDS-Tools. For more information, see Installing or Removing the Remote Server Administration Tool Pack.

2. In the console tree, expand the server, right-click Users, click New, and then click Group.

3. Enter a group name, group scope, and group type (create a security group), and then click OK.

   The new security group is added to the Users folder.

To add computer accounts to the security group

1. On the Server Manager Dashboard, click Tools, and then click Active Directory Users and Computers.

2. In the console tree, expand the server, and then click Users.

3. In the list of user accounts and security groups on the server, right-click the security group that you created for DirectAccess, and then click Properties.

4. On the Members tab, click Add.

5. In the dialog box, type the names of the computer accounts that you want to add to the group, separating the names with a semicolon (;). Then click Check Names.

6. After the computer accounts are validated, click OK. Then click OK again.

[!NOTE]
You can also use the Member of tab in the computer account properties to add the account to the security group.

Step 5: Enable and configure DirectAccess

To enable and configure DirectAccess in Windows Server Essentials, you must complete the following steps:

• Step 5a: Enable DirectAccess by using the Remote Access Management Console

• Step 5b: Remove the invalid IPv6Prefix in RRAS GPO (Windows Server Essentials only)

• Step 5c: Enable client computers running Windows 7 Enterprise to use DirectAccess

• Step 5d: Configure the network location server

• Step 5e: Add a registry key to bypass CA certification when you establish an IPsec channel

Step 5a: Enable DirectAccess by using the Remote Access Management Console

This section provides step-by-step instructions to enable DirectAccess in Windows Server Essentials. If you have not configured VPN on the server yet, you should do that before you start this procedure. For instructions, see Manage VPN.

To enable DirectAccess by using the Remote Access Management Console

1. On the Start page, open Remote Access Management.

2. In the Enable DirectAccess Wizard, do the following:

   1. Review DirectAccess Prerequisites, and click Next.

   2. On the Select Groups tab, add the security group that you created earlier for DirectAccess clients. (If you have not created the security group, see Step 4: Create a security group for DirectAccess client computers for instructions.)

   3. On the Select Groups tab, click Enable DirectAccess for mobile computers only if you want to enable mobile computers to use DirectAccess to remotely access the server, and then click Next.

   4. In Network Topology, select the topology of the server, and then click Next.

   5. In DNS Suffix Search List, add the additional DNS suffix for the client computers, if needed, and then click Next.

      [!NOTE]
      By default, the Enable DirectAccess Wizard already adds the DNS suffix for current domain. However, you can add more if needed.

   6. Review the Group Policy Objects (GPOs) that will be applied, and modify them if needed.

   7. Click Next, and then click Finish.

   8. Restart the Remote Access Management service by running the following Windows PowerShell command in elevated mode:

      Restart-Service RaMgmtSvc

Step 5b: Remove the invalid IPv6Prefix in RRAS GPO (Windows Server Essentials only)

This section applies to a server running Windows Server Essentials.

Open Windows PowerShell as an Administrator and run the following commands:

gpupdate
$key = Get-ChildItem -Path HKLM:SOFTWAREPoliciesMicrosoftWindowsRemoteAccessconfigMachineSIDs | Where-Object{$_.GetValue("IPv6RrasPrefix") -ne $null}
Remove-GPRegistryValue -Name "DirectAccess Server Settings" -Key $key.Name -ValueName IPv6RrasPrefix
gpupdate

Step 5c: Enable client computers running Windows 7 Enterprise to use DirectAccess

If you have client computers running Windows 7 Enterprise, complete the following procedure to enable DirectAccess from those computers.

To enable Windows 7 Enterprise computers to use DirectAccess

1. On the server’s Start page, open Remote Access Management.

2. In the Remote Access Management Console, click Configuration. Then, in the Setup Details pane, under Step 2, click Edit.

   The Remote Access Server Setup Wizard opens.

3. On the Authentication tab, choose the certification authority (CA) certificate that will be the trusted root certificate (you can choose the CA certificate of the Windows Server Essentials server). Click Enable Windows 7 client computers to connect via DirectAccess, and then click Next.

4. Follow the instructions to complete the wizard.

[!IMPORTANT]
There is a known issue for Windows 7 Enterprise computers connecting over DirectAccess if the Windows Server Essentials server did not come with UR1 pre-installed. To enable DirectAccess connections in that environment, you must perform these additional steps:

1. Install the hotfix described in Microsoft Knowledge Base (KB) article 2796394 on the Windows Server Essentials server. Then restart the server.
   2. Then install the hotfix described in Microsoft Knowledge Base (KB) article 2615847 on each Windows 7 computer.

   This issue was resolved in Windows Server Essentials.

Step 5d: Configure the network location server

This section provides step-by-step instructions to configure the network location server settings.

[!NOTE]
Before you begin, copy the contents of the <SystemDrive>inetpubwwwroot folder to the <SystemDrive>Program FilesWindows ServerBinWebAppsSiteinsideoutside folder. Also copy the default.aspx file from the <SystemDrive>Program FilesWindows ServerBinWebAppsSite folder to the <SystemDrive>Program FilesWindows ServerBinWebAppsSiteinsideoutside folder.

To configure the network location server

1. On the Start page, open Remote Access Management.

2. In the Remote Access Management Console, click Configuration, and in the Remote Access Setup details pane, in Step 3, click Edit.

3. In the Remote Access Server Setup Wizard, on the Network Location Server tab, select The network location server is deployed on the Remote Access server, and then select the certificate that was previously issued (in Step 3: Prepare a certificate and DNS record for the network location server).

4. Follow the instructions to complete the wizard, and then click Finish.

Step 5e: Add a registry key to bypass CA certification when you establish an IPsec channel

Your next step is to configure the server to bypass CA certification when an IPsec channel is established.

To add a registry key to bypass the CA certification

1. On the Start page, open regedit (the Registry Editor).

2. In the Registry Editor, expand HKEY_LOCAL_MACHINE, expand System, expand CurrentControlSet, expand Services, and expand IKEEXT.

3. Under IKEEXT, right-click Parameters, click New, and then click DWORD (32 bit) Value.

4. Rename the newly added value to ikeflags.

5. Double-click ikeflags, set the Type to Hexadecimal, set the value to 8000, and then click OK.

[!NOTE]
You can use the following Windows PowerShell command in elevated mode to add this registry key:

Set-ItemProperty -Path HKLM:SYSTEMCurrentControlSetServicesIKEEXTParameters -Name ikeflags -Type DWORD -Value 0x8000

Step 6: Configure Name Resolution Policy Table settings for the DirectAccess server

This section provides instructions for editing the Name Resolution Policy Table (NPRT) entries for internal addresses (for example, entries with a contoso.local suffix) for DirectAccess client GPOs, and then set the IPHTTPS interface address.

To configure Name Resolution Policy Table entries

1. On the Start page, open Group Policy Management.

2. In the Group Policy Management console, click the default forest and domain, right-click DirectAccess Client Settings, and then click Edit.

3. Click Computer Configurations, click Policies, click Windows Settings, and then click Name Resolution Policy. Choose the entry that has the namespace that is identical to your DNS suffix, and then click Edit Rule.

4. Click the DNS Settings for DirectAccess tab; then select Enable DNS settings for DirectAccess in this rule. Add the IPv6 address for the IP-HTTPS interface in the DNS server list.

   [!NOTE]
   You can use the following Windows PowerShell command to get the IPv6 address:

   (Get-NetIPInterface -InterfaceAlias IPHTTPSInterface | Get-NetIPAddress -PrefixLength 128)[1].IPAddress

Step 7: Configure TCP and UDP firewall rules for the DirectAccess server GPOs

This section includes step-by-step instructions to configure TCP and UDP firewall rules for the DirectAccess server GPOs.

To configure firewall rules

1. On the Start page, open Group Policy Management.

2. In the Group Policy Management console, click the default forest and domain, right-click DirectAccess Server Settings, and then click Edit.

3. Click Computer Configuration, click Policies, click Windows Settings, click Security Settings, click Windows Firewall with Advanced Security, click next-level Windows Firewall with Advanced Security, and then click Inbound Rules. Right-click Domain name Server (TCP-In), and then click Properties.

4. Click the Scope tab, and in the Local IP address list, add the IPv6 address of the IP-HTTPS interface.

5. Repeat the same procedure for Domain Name Server (UDP-In).

Step 8: Change the DNS64 configuration to listen to the IP-HTTPS interface

You must change the DNS64 configuration to listen to the IP-HTTPS interface by using the following Windows PowerShell command.

Set-NetDnsTransitionConfiguration -AcceptInterface IPHTTPSInterface

Step 9: Reserve ports for the WinNat service

Use the following Windows PowerShell command to reserve ports for the WinNat service. Replace «192.168.1.100» with the actual IPv4 address of your Windows Server Essentials server.

Set-NetNatTransitionConfiguration -IPv4AddressPortPool @("192.168.1.100, 10000-47000")

[!IMPORTANT]
To avoid port conflicts with applications, be sure that the port range that you reserve for the WinNat service does not include port 6602.

Step 10: Restart the WinNat service

Restart the Windows NAT Driver (WinNat) service by running the following Windows PowerShell command.

Appendix: Set up DirectAccess by using Windows PowerShell

This section describes how to set up and configure DirectAccess by using Windows PowerShell.

Preparation

Before you begin configuring your server for DirectAccess, you must complete the following:

1. Follow the procedure in Step 3: Prepare a certificate and DNS record for the network location server to enroll a certificate named DirectAccess-NLS.contoso.com (where contoso.com is replaced by your actual internal domain name), and to add a DNS record for the network location server (NLS).

2. Add a security group named DirectAccessClients in Active Directory, and then add client computers for which you want to provide the DirectAccess functionality. For more information, see Step 4: Create a security group for DirectAccess client computers.

Commands

[!IMPORTANT]
In Windows Server Essentials, you do not need to remove the unnecessary IPv6 prefix GPO. Delete the code section with the following label: # [WINDOWS SERVER 2012 ESSENTIALS ONLY] Remove the unnecessary IPv6 prefix GPO.

# Add Remote Access role if not installed yet
$ra = Get-WindowsFeature RemoteAccess
If ($ra.Installed -eq $FALSE) { Add-WindowsFeature RemoteAccess }

# Server may need to restart if you installed RemoteAccess role in the above step

# Set the internet domain name to access server, replace contoso.com below with your own domain name
$InternetDomain = "www.contoso.com"
#Set the SG name which you create for DA clients
$DaSecurityGroup = "DirectAccessClients"
#Set the internal domain name
$InternalDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name

# Set static IP and DNS settings
$NetConfig = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=$true"
$CurrentIP = $NetConfig.IPAddress[0]
$SubnetMask = $NetConfig.IPSubnet | Where-Object{$_ -like "*.*.*.*"}
$NetConfig.EnableStatic($CurrentIP, $SubnetMask)
$NetConfig.SetGateways($NetConfig.DefaultIPGateway)
$NetConfig.SetDNSServerSearchOrder($CurrentIP)

# Get physical adapter name and the certificate for NLS server
$Adapter = (Get-WmiObject -Class Win32_NetworkAdapter -Filter "NetEnabled=$true").NetConnectionId
$Certs = dir cert:LocalMachineMy
$nlscert = $certs | Where-Object{$_.Subject -like "*CN=DirectAccess-NLS*"}

# Add regkey to bypass CA cert for IPsec authentication
Set-ItemProperty -Path HKLM:SYSTEMCurrentControlSetServicesIKEEXTParameters -Name ikeflags -Type DWORD -Value 0x8000

# Install DirectAccess.
Install-RemoteAccess -NoPrerequisite -DAInstallType FullInstall -InternetInterface $Adapter -InternalInterface $Adapter -ConnectToAddress $InternetDomain -nlscertificate $nlscert -force

#Restart Remote Access Management service
Restart-Service RaMgmtSvc

# [WINDOWS SERVER 2012 ESSENTIALS ONLY] Remove the unnecessary IPv6 prefix GPO

gpupdate
$key = Get-ChildItem -Path HKLM:SOFTWAREPoliciesMicrosoftWindowsRemoteAccessconfigMachineSIDs | Where-Object{$_.GetValue("IPv6RrasPrefix") -ne $null}
Remove-GPRegistryValue -Name "DirectAccess Server Settings" -Key $key.Name -ValueName IPv6RrasPrefix
gpupdate

# Enable client computers running Windows 7 to use DirectAccess
$allcertsinroot = dir cert:LocalMachineroot
$rootcert = $allcertsinroot | Where-Object{$_.Subject -like "*-CAA*"}
Set-DAServer -IPSecRootCertificate $rootcert[0]
Set -DAClient -OnlyRemoteComputers Disabled -Downlevel Enabled

#Set the appropriate security group used for DA client computers. Replace the group name below with the one you created for DA clients
Add-DAClient -SecurityGroupNameList $DaSecurityGroup
Remove-DAClient -SecurityGroupNameList "Domain Computers"

# Gather DNS64 IP address information
$Remoteaccess = get-remoteaccess
$IPinterface = get-netipinterface -InterfaceAlias IPHTTPSInterface | get-netipaddress -PrefixLength 128
$DNS64IP=$IPInterface[1].IPaddress
$Natconfig = Get-NetNatTransitionConfiguration

# Configure TCP and UDP firewall rules for the DirectAccess server GPO
$GpoName = 'GPO:'+$InternalDomain+'DirectAccess Server Settings'
Get-NetFirewallRule -PolicyStore $GpoName -Displayname "Domain Name Server (TCP-IN)"|Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -LocalAddress $DNS64IP
Get-NetFirewallrule -PolicyStore $GpoName -Displayname "Domain Name Server (UDP-IN)"|Get-NetFirewallAddressFilter | Set-NetFirewallAddressFilter -LocalAddress $DNS64IP

# Configure the name resolution policy settings for the DirectAccess server, replace the DNS suffix below with the one in your domain
$Suffix = '.' + $InternalDomain
set-daclientdnsconfiguration -DNSsuffix $Suffix -DNSIPAddress $DNS64IP

# Change the DNS64 configuration to listen to IP-HTTPS interface
Set-NetDnsTransitionConfiguration -AcceptInterface IPHTTPSInterface

# Copy the necessary files to NLS site folder
XCOPY 'C:inetpubwwwroot' 'C:Program FilesWindows ServerBinWebAppsSiteinsideoutside' /E /Y
XCOPY 'C:Program FilesWindows ServerBinWebAppsSiteDefault.aspx' 'C:Program FilesWindows ServerBinWebAppsSiteinsideoutside' /Y

# Reserve ports for the WinNat service
Set-NetNatTransitionConfiguration -IPv4AddressPortPool @("192.168.1.100, 10000-47000")

# Restart the WinNat service
Restart-Service winnat

Additional References

• Manage Anywhere Access

• Manage Windows Server Essentials

DirectAccess Offline Domain Join

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

This guide explains the steps to perform an offline domain join with DirectAccess. During an offline domain join, a computer is configured to join a domain without physical or VPN connection.

This guide includes the following sections:

• Offline domain join overview

• Requirements for offline domain join

• Offline domain join process

• Steps for performing an offline domain join

Offline domain join overview

Introduced in Windows Server 2008 R2, domain controllers include a feature called Offline Domain Join. A command line utility named Djoin.exe lets you join a computer to a domain without physically contacting a domain controller while completing the domain join operation. The general steps for using Djoin.exe are:

1. Run djoin /provision to create the computer account metadata. The output of this command is a .txt file that includes a base-64 encoded blob.

2. Run djoin /requestODJ to insert the computer account metadata from the .txt file into the Windows directory of the destination computer.

3. Reboot the destination computer, and the computer will be joined to the domain.

Offline domain join with DirectAccess policies scenario overview

DirectAccess offline domain join is a process that computers running Windows Server 2016, Windows Server 2012, Windows 10 and Windows 8 can use to join a domain without being physically joined to the corporate network, or connected through VPN. This makes it possible to join computers to a domain from locations where there is no connectivity to a corporate network. Offline domain join for DirectAccess provides DirectAccess policies to clients to allow remote provisioning.

A domain join creates a computer account and establishes a trust relationship between a computer running a Windows operating system and an Active Directory domain.

Prepare for offline domain join

1. Create the machine account.

2. Inventory the membership of all security groups to which the machine account belongs.

3. Gather the required computer certificates, group policies, and group policy objects to be applied to the new client(s).

. The following sections explain operating system requirements and credential requirements for performing a DirectAccess offline domain join using Djoin.exe.

Operating system requirements

You can run Djoin.exe for DirectAccess only on computers that run Windows Server 2016, Windows Server 2012 or Windows 8. The computer on which you run Djoin.exe to provision computer account data into AD DS must be running Windows Server 2016, Windows 10, Windows Server 2012 or Windows 8. The computer that you want to join to the domain must also be running Windows Server 2016, Windows 10, Windows Server 2012 , or Windows 8.

Credential requirements

To perform an offline domain join, you must have the rights that are necessary to join workstations to the domain. Members of the Domain Admins group have these rights by default. If you are not a member of the Domain Admins group, a member of the Domain Admins group must complete one of the following actions to enable you to join workstations to the domain:

• Use Group Policy to grant the required user rights. This method allows you to create computers in the default Computers container and in any organizational unit (OU) that is created later (if no Deny access control entries (ACEs) are added).

• Edit the access control list (ACL) of the default Computers container for the domain to delegate the correct permissions to you.

• Create an OU and edit the ACL on that OU to grant you the Create child — Allow permission. Pass the /machineOU parameter to the djoin /provision command.

The following procedures show how to grant the user rights with Group Policy and how to delegate the correct permissions.

Granting user rights to join workstations to the domain

You can use the Group Policy Management Console (GPMC) to modify the domain policy or create a new policy that has settings that grant the user rights to add workstations to a domain.

Membership in Domain Admins, or equivalent, is the minimum required to grant user rights. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To grant rights to join workstations to a domain

1. Click Start, click Administrative Tools, and then click Group Policy Management.

2. Double-click the name of the forest, double-click Domains, double-click the name of the domain in which you want to join a computer, right-click Default Domain Policy, and then click Edit.

3. In the console tree, double-click Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click User Rights Assignment.

4. In the details pane, double-click Add workstations to domain.

5. Select the Define these policy settings check box, and then click Add User or Group.

6. Type the name of the account that you want to grant the user rights to, and then click OK twice.

Offline domain join process

Run Djoin.exe at an elevated command prompt to provision the computer account metadata. When you run the provisioning command, the computer account metadata is created in a binary file that you specify as part of the command.

For more information about the NetProvisionComputerAccount function that is used to provision the computer account during an offline domain join, see NetProvisionComputerAccount Function (https://go.microsoft.com/fwlink/?LinkId=162426). For more information about the NetRequestOfflineDomainJoin function that runs locally on the destination computer, see NetRequestOfflineDomainJoin Function (https://go.microsoft.com/fwlink/?LinkId=162427).

Steps for performing a DirectAccess offline domain join

The offline domain join process includes the following steps:

1. Create a new computer account for each of the remote clients and generate a provisioning package using the Djoin.exe command from an already domain joined computer in the corporate network.

2. Add the client computer to the DirectAccessClients security group

3. Transfer the provisioning package securely to the remote computers(s) that will be joining the domain.

4. Apply the provisioning package and join the client to the domain.

5. Reboot the client to complete the domain join and establish connectivity.

There are two options to consider when creating the provisioning packet for the client. If you used the Getting Started Wizard to install DirectAccess without PKI, then you should use option 1 below. If you used the Advanced Setup Wizard to install DirectAccess with PKI, then you should use option 2 below.

Complete the following steps to perform the offline domain join:

Option1: Create a provisioning package for the client without PKI

1. At a command prompt of your Remote Access server, type the following command to provision the computer account:

   Djoin /provision /domain <your domain name> /machine <remote machine name> /policynames DA Client GPO name /rootcacerts /savefile c:filesprovision.txt /reuse
   

Option2: Create a provisioning package for the client with PKI

1. At a command prompt of your Remote Access server, type the following command to provision the computer account:

   Djoin /provision /machine <remote machine name> /domain <Your Domain name> /policynames <DA Client GPO name> /certtemplate <Name of client computer cert template> /savefile c:filesprovision.txt /reuse
   

Add the client computer to the DirectAccessClients security group

1. On your Domain Controller, from Start screen, type Active and select Active Directory Users and Computers from Apps screen.

2. Expand the tree under your domain, and select the Users container.

3. In the details pane, right-click DirectAccessClients, and click Properties.

4. On the Members tab, click Add.

5. Click Object Types, select Computers, and then click OK.

6. Type the client name to add, and then click OK.

7. Click OK to close the DirectAccessClients Properties dialog, and then close Active Directory Users and Computers.

Copy and then apply the provisioning package to the client computer

1. Copy the provisioning package from c:filesprovision.txt on the Remote Access Server, where it was saved, to c:provisionprovision.txt on the client computer.

2. On the client computer, open an elevated command prompt, and then type the following command to request the domain join:

   Djoin /requestodj /loadfile C:provisionprovision.txt /windowspath %windir% /localos
   

3. Reboot the client computer. The computer will be joined to the domain. Following the reboot, the client will be joined to the domain and have connectivity to the corporate network with DirectAccess.

See Also

NetProvisionComputerAccount Function
NetRequestOfflineDomainJoin Function

DirectAccess Offline Domain Join

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

This guide explains the steps to perform an offline domain join with DirectAccess. During an offline domain join, a computer is configured to join a domain without physical or VPN connection.

This guide includes the following sections:

• Offline domain join overview

• Requirements for offline domain join

• Offline domain join process

• Steps for performing an offline domain join

Offline domain join overview

Introduced in Windows Server 2008 R2, domain controllers include a feature called Offline Domain Join. A command line utility named Djoin.exe lets you join a computer to a domain without physically contacting a domain controller while completing the domain join operation. The general steps for using Djoin.exe are:

1. Run djoin /provision to create the computer account metadata. The output of this command is a .txt file that includes a base-64 encoded blob.

2. Run djoin /requestODJ to insert the computer account metadata from the .txt file into the Windows directory of the destination computer.

3. Reboot the destination computer, and the computer will be joined to the domain.

Offline domain join with DirectAccess policies scenario overview

DirectAccess offline domain join is a process that computers running Windows Server 2016, Windows Server 2012, Windows 10 and Windows 8 can use to join a domain without being physically joined to the corporate network, or connected through VPN. This makes it possible to join computers to a domain from locations where there is no connectivity to a corporate network. Offline domain join for DirectAccess provides DirectAccess policies to clients to allow remote provisioning.

A domain join creates a computer account and establishes a trust relationship between a computer running a Windows operating system and an Active Directory domain.

Prepare for offline domain join

1. Create the machine account.

2. Inventory the membership of all security groups to which the machine account belongs.

3. Gather the required computer certificates, group policies, and group policy objects to be applied to the new client(s).

. The following sections explain operating system requirements and credential requirements for performing a DirectAccess offline domain join using Djoin.exe.

Operating system requirements

You can run Djoin.exe for DirectAccess only on computers that run Windows Server 2016, Windows Server 2012 or Windows 8. The computer on which you run Djoin.exe to provision computer account data into AD DS must be running Windows Server 2016, Windows 10, Windows Server 2012 or Windows 8. The computer that you want to join to the domain must also be running Windows Server 2016, Windows 10, Windows Server 2012 , or Windows 8.

Credential requirements

To perform an offline domain join, you must have the rights that are necessary to join workstations to the domain. Members of the Domain Admins group have these rights by default. If you are not a member of the Domain Admins group, a member of the Domain Admins group must complete one of the following actions to enable you to join workstations to the domain:

• Use Group Policy to grant the required user rights. This method allows you to create computers in the default Computers container and in any organizational unit (OU) that is created later (if no Deny access control entries (ACEs) are added).

• Edit the access control list (ACL) of the default Computers container for the domain to delegate the correct permissions to you.

• Create an OU and edit the ACL on that OU to grant you the Create child — Allow permission. Pass the /machineOU parameter to the djoin /provision command.

The following procedures show how to grant the user rights with Group Policy and how to delegate the correct permissions.

Granting user rights to join workstations to the domain

You can use the Group Policy Management Console (GPMC) to modify the domain policy or create a new policy that has settings that grant the user rights to add workstations to a domain.

Membership in Domain Admins, or equivalent, is the minimum required to grant user rights. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To grant rights to join workstations to a domain

1. Click Start, click Administrative Tools, and then click Group Policy Management.

2. Double-click the name of the forest, double-click Domains, double-click the name of the domain in which you want to join a computer, right-click Default Domain Policy, and then click Edit.

3. In the console tree, double-click Computer Configuration, double-click Policies, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click User Rights Assignment.

4. In the details pane, double-click Add workstations to domain.

5. Select the Define these policy settings check box, and then click Add User or Group.

6. Type the name of the account that you want to grant the user rights to, and then click OK twice.

Offline domain join process

Run Djoin.exe at an elevated command prompt to provision the computer account metadata. When you run the provisioning command, the computer account metadata is created in a binary file that you specify as part of the command.

For more information about the NetProvisionComputerAccount function that is used to provision the computer account during an offline domain join, see NetProvisionComputerAccount Function (https://go.microsoft.com/fwlink/?LinkId=162426). For more information about the NetRequestOfflineDomainJoin function that runs locally on the destination computer, see NetRequestOfflineDomainJoin Function (https://go.microsoft.com/fwlink/?LinkId=162427).

Steps for performing a DirectAccess offline domain join

The offline domain join process includes the following steps:

1. Create a new computer account for each of the remote clients and generate a provisioning package using the Djoin.exe command from an already domain joined computer in the corporate network.

2. Add the client computer to the DirectAccessClients security group

3. Transfer the provisioning package securely to the remote computers(s) that will be joining the domain.

4. Apply the provisioning package and join the client to the domain.

5. Reboot the client to complete the domain join and establish connectivity.

There are two options to consider when creating the provisioning packet for the client. If you used the Getting Started Wizard to install DirectAccess without PKI, then you should use option 1 below. If you used the Advanced Setup Wizard to install DirectAccess with PKI, then you should use option 2 below.

Complete the following steps to perform the offline domain join:

Option1: Create a provisioning package for the client without PKI

1. At a command prompt of your Remote Access server, type the following command to provision the computer account:

   Djoin /provision /domain <your domain name> /machine <remote machine name> /policynames DA Client GPO name /rootcacerts /savefile c:filesprovision.txt /reuse
   

Option2: Create a provisioning package for the client with PKI

1. At a command prompt of your Remote Access server, type the following command to provision the computer account:

   Djoin /provision /machine <remote machine name> /domain <Your Domain name> /policynames <DA Client GPO name> /certtemplate <Name of client computer cert template> /savefile c:filesprovision.txt /reuse
   

Add the client computer to the DirectAccessClients security group

1. On your Domain Controller, from Start screen, type Active and select Active Directory Users and Computers from Apps screen.

2. Expand the tree under your domain, and select the Users container.

3. In the details pane, right-click DirectAccessClients, and click Properties.

4. On the Members tab, click Add.

5. Click Object Types, select Computers, and then click OK.

6. Type the client name to add, and then click OK.

7. Click OK to close the DirectAccessClients Properties dialog, and then close Active Directory Users and Computers.

Copy and then apply the provisioning package to the client computer

1. Copy the provisioning package from c:filesprovision.txt on the Remote Access Server, where it was saved, to c:provisionprovision.txt on the client computer.

2. On the client computer, open an elevated command prompt, and then type the following command to request the domain join:

   Djoin /requestodj /loadfile C:provisionprovision.txt /windowspath %windir% /localos
   

3. Reboot the client computer. The computer will be joined to the domain. Following the reboot, the client will be joined to the domain and have connectivity to the corporate network with DirectAccess.

See Also

NetProvisionComputerAccount Function
NetRequestOfflineDomainJoin Function