Provisioning DirectAccess Clients using Windows Offline Domain Join

One of the many advantages DirectAccess has over traditional client-based VPN is the ease with which DirectAccess clients can be provisioned. DirectAccess does not require any special software to be installed on the client. Everything that DirectAccess needs is included as part of the operating system. This makes onboarding a client for DirectAccess as simple as adding a computer account to the DirectAccess client security group in Active Directory. That’s it! As soon as the client restarts it will be configured for DirectAccess.

This process works great if the client computer is already joined to the domain and has access to the LAN (either directly connected or via client-based VPN). But what if the client is in a remote location and isn’t yet joined to the domain? Offline Domain Join (ODJ) can help. ODJ is a feature of the Windows operating system introduced with Windows 7 and Windows Server 2008 R2 that allows an administrator to join a host to the domain without requiring the host to contact a domain controller. Beginning with Windows 8 and Server 2012, ODJ supports new command-line parameters that allow the administrator to configure the client machine to include DirectAccess certificates and policies.

Note: ODJ will only provision DirectAccess certificates and policies for Windows 8.x and later clients. ODJ with Windows 7 clients is limited to joining the domain only. ODJ cannot provision Windows 7 clients for DirectAccess.

To use ODJ to provision a DirectAccess client, first create a computer account in Active Directory and then add the account to the DirectAccess client security group. Next, open an elevated Command Prompt window on the DirectAccess server and execute the following command.

djoin.exe /provision /machine <client_machine_name> /domain <domain_name> /policynames <DirectAccess_client_settings_GPO_name> /certtemplate <DirectAccess_certificate_template_name> /savefile <filename> /reuse

For example:

djoin.exe /provision /machine client5 /domain lab.richardhicks.net /policynames "DirectAccess Client Settings" /certtemplate machine /savefile c:\users\rhicks\desktop\provision.txt /reuse


On the DirectAccess client, copy the ODJ provisioning file locally. Open an elevated Command Prompt window and execute the following command.

djoin.exe /requestodj /loadfile <filename> /windowspath <Windows_directory> /localos

For example:

djoin.exe /requestodj /loadfile c:\users\setup\provision.txt /windowspath C:\Windows /localos


After a restart, the client will be joined to the domain and now be able to establish a DirectAccess connection to the corporate network. Users can now log on with their domain credentials.
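The server-side provisioning step above, wrapped in PowerShell as an added example (this is not code from the original post): it creates the computer account, adds it to the DirectAccess client security group, checks that the template exists under its template name (not its display name) before calling djoin.exe, runs djoin.exe with the article's switches, and then restricts access to the provisioning file, because the blob contains the new computer account's password. The group name "DirectAccess Clients" and the output path are assumptions; the other values are the article's own sample values.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Run on the DirectAccess
# server with the RSAT ActiveDirectory module. The group name is an assumption;
# the remaining values are the article's own sample values.
Import-Module ActiveDirectory

$ClientName   = 'client5'
$DomainName   = 'lab.richardhicks.net'
$DaGroup      = 'DirectAccess Clients'           # assumed security group name
$DaGpo        = 'DirectAccess Client Settings'   # client settings GPO name
$CertTemplate = 'machine'                        # template NAME, not display name
$OutFile      = Join-Path $env:USERPROFILE 'Desktop\provision.txt'

# 1. Create the computer account if needed and add it to the DirectAccess
#    client security group so the client settings GPO applies to it.
$computer = Get-ADComputer -Filter "Name -eq '$ClientName'"
if (-not $computer) { $computer = New-ADComputer -Name $ClientName -PassThru }
$groupDn  = (Get-ADGroup -Identity $DaGroup).DistinguishedName
$memberOf = (Get-ADComputer -Identity $computer -Properties memberOf).memberOf
if ($memberOf -notcontains $groupDn) { Add-ADGroupMember -Identity $DaGroup -Members $computer }

# 2. Check the template under its real name: templates are stored in the
#    configuration partition and their cn is the "Template Name" value.
$configNc = (Get-ADRootDSE).configurationNamingContext
$tmplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$template = Get-ADObject -SearchBase $tmplBase `
    -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$CertTemplate))"
if (-not $template) { throw "No certificate template named '$CertTemplate'" }

# 3. Build the provisioning blob with the same switches as the article.
#    /reuse lets djoin.exe use the account created above instead of failing.
& djoin.exe /provision /domain $DomainName /machine $ClientName `
    /policynames $DaGpo /certtemplate $CertTemplate /savefile $OutFile /reuse
if ($LASTEXITCODE -ne 0) {
    throw ('djoin.exe /provision failed: 0x{0:x8}' -f $LASTEXITCODE)
}

# 4. The blob contains the computer account password, so restrict the file
#    to the provisioning account until it has been copied to the client.
$acl = Get-Acl -Path $OutFile
$acl.SetAccessRuleProtection($true, $false)     # drop inherited ACEs
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $OutFile -AclObject $acl
Write-Host "Blob written to $OutFile. Copy it to $ClientName over a secure channel and delete it afterwards."
```

The client-side step is unchanged from the article: copy the file to the client and run djoin.exe /requestodj against it, then restart.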


24 Comments

  1. Simon / July 1, 2015

    This is really interesting. I wonder if something similar might be able to help DirectAccess client provisioning?

    An example being an office where the client computers are being added to the security group that is applying the GPO, the computers are getting the GP if you check GPResult, but they are not getting the DirectAccess settings applied.

    Has anyone encountered this issue?

    • Hi Simon! You can definitely use offline domain join to provision DirectAccess clients. That is the title of the article, after all. 😉 If you have remote clients joined to a domain and they aren’t getting group policy settings, ODJ isn’t going to help you there. ODJ will only be useful if you need to join the remote client to the domain initially.

      • Simon / July 1, 2015

        I understand that Offline Domain Join won’t help, but wondered if there is any method to manually configure these clients to work with DirectAccess?

        Have you heard of anything that could be blocking DirectAccess from being setup on a client?

      • Outside of applying group policy there is no way to manually configure a DirectAccess client. :/

  2. Gabriel Luiz / July 13, 2015

    Good morning.

    I have a question regarding the DirectAccess provisioning: the script has a line that I have a doubt about, /CertTemplate. Where do I find this information within Windows Server 2012 R2?

    The name of my CA is casa-DC-CA.

    • You can find the name of the certificate template by looking at the value of “Template Name” (not “Template Display Name”) on your CA server or by looking at the output of certutil.exe -store my.

      • I ran the command as you told me. What part of this information do I include below in the offline domain join command? And which part of the command includes the certificate information? If possible, make an example.

        C:\Windows\system32>certutil.exe -store

      • You forgot the “-my” switch. 🙂 Try it again using certutil.exe -store my and let me know if you find it.

  3. Simon / November 9, 2016

    Hi Richard, great article once again! I was wondering, does the DC and/or AD functional level need to be 2012 to be able to generate the blob with the DirectAccess config? I keep getting error 0xc00000001

  4. Morten / October 4, 2017

    Hi Richard.

    I have tried to set this up, but I keep getting the following error when I include the /certtemplate option:

    Provisioning the computer…
    Failed to provision [test01] in the domain [domain.local]: 0x8007007f.
    It may be necessary to specify /REUSE when running
    djoin.exe again with the same machine name.
    Computer provisioning failed: 0x8007007f.
    The specified procedure could not be found.

    If I leave out the /certtemplate option provisioning works fine. I can even get DirectAccess to work through a provisioned client, if I configure DA not to use certificate validation.

    I have tried with different templates, both custom templates (variations of the Workstation Authentication template) and original templates (both Workstation Authentication and Computer template). I am aware of the difference between display name and template name, and if I deliberately enter a false template name, I get a template error, and not the error described.
    Access rights on all templates are set for Domain Computers to enroll.

    Any suggestions?

    Regards – Morten

    • I’m assuming you are using the /REUSE switch, correct? You are right, you must use the certificate template name when specifying the template to use, not the template’s display name. If you’ve got that right, you should be good to go. Not sure why it wouldn’t work. :/

      • Jorn / February 19, 2018

        I also get
        Computer provisioning failed: 0x8007007f.
        The specified procedure could not be found.
        if I take out /CERTTEMPLATE it works.

      • Not sure what’s up there as that error code doesn’t seem to have anything to do with certificate provisioning. I can only suggest you look closely at permission on the template and make sure whoever is creating the offline domain join package has read and enroll permissions.

  5. Casey Brennan / December 13, 2017

    I’m getting Access Denied 0x80070005 when using /certtemplate. If I remove this switch, djoin works great. I’m specifying the correct template name. I was thinking that because the cert template only allows Domain Computers to enroll that perhaps my user ID needed read/write and enroll rights on the template — but even with those rights, I still get Access Denied. Without the machine cert, DA fails to work after running the djoin command and rebooting. Anyone else run across this? Would be great if it just worked……

    • That error seems to indicate a permissions issue of some sort. What specifically, I don’t know. I’ve had very few issues with offline domain join and I’ve never encountered this error myself. The only thing I can suggest is to ensure that the account you are using is a member of the domain administrators group and that you have read and enroll permissions at a minimum on the template you are using.

  6. Hi Richard,

    Do you know if Offline Domain Join and Always On VPN can work together? We have various clients that never come to the office, and we are able to set them up with Offline Domain Join in DirectAccess. But I’m wondering how it can work with Always On VPN, where we only have user tunnels.

    Thanks,
    Shahid

    • You can certainly use offline domain join on Windows 10 Always On VPN clients, but the ODJ process doesn’t apply the VPN client settings like it does with DirectAccess client settings unfortunately. You’ll still need some mechanism to get the VPN client settings pushed to the client after joining the domain, such as Intune.

  7. Sulabh Upadhyaya / March 31, 2020

    Can you run this on an existing domain-joined laptop? If so, will it see the OU that it is in and move on? Would it behave the same as adding a computer back to a domain with the same name?

  8. Seeker / January 15, 2021

    Thank you for the wonderful tutorial. I just have one issue: I did a /reuse, but my clients are stuck on connecting. What can I do to fix this? Thank you.
