Provisioning DirectAccess Clients using Windows Offline Domain Join

One of the many advantages DirectAccess has over traditional client-based VPN is the ease with which DirectAccess clients can be provisioned. DirectAccess does not require any special software to be installed on the client; everything it needs is included in the operating system. This makes onboarding a client for DirectAccess as simple as adding a computer account to the DirectAccess client security group in Active Directory. That’s it! As soon as the client restarts (or otherwise refreshes group policy) it will be configured for DirectAccess.

This process works great if the client computer is already joined to the domain and has access to the LAN (either directly connected or via client-based VPN). But what if the client is in a remote location and isn’t yet joined to the domain? Offline Domain Join (ODJ) can help. ODJ is a feature of the Windows operating system introduced with Windows 7 and Windows Server 2008 R2 that allows an administrator to join a host to the domain without requiring the host to contact a domain controller. Beginning with Windows 8 and Server 2012, ODJ supports new command-line parameters that allow the administrator to configure the client machine to include DirectAccess certificates and policies.

Note: ODJ will only provision DirectAccess certificates and policies for Windows 8.x and later clients. ODJ with Windows 7 clients is limited to joining the domain only. ODJ cannot provision Windows 7 clients for DirectAccess.

To use ODJ to provision a DirectAccess client, first create a computer account in Active Directory and then add the account to the DirectAccess client security group. Next, open an elevated Command Prompt window on the DirectAccess server (the /policynames and /certtemplate parameters require Windows Server 2012 or later) and execute the following command. The /reuse switch is required because the computer account already exists; djoin resets its password during provisioning.

djoin.exe /provision /machine <client_machine_name> /domain <domain_name> /policynames <DirectAccess_client_settings_GPO_name> /certtemplate <DirectAccess_certificate_template_name> /savefile <filename> /reuse

For example:

djoin.exe /provision /machine client5 /domain lab.richardhicks.net /policynames "DirectAccess Client Settings" /certtemplate machine /savefile c:\users\rhicks\desktop\provision.txt /reuse


On the DirectAccess client, copy the ODJ provisioning file locally. The file contains the machine account password (and, when /certtemplate was used, the certificate issued to the client), so transfer it over a secure channel and delete it once it has been applied. Open an elevated Command Prompt window and execute the following command.

djoin.exe /requestodj /loadfile <filename> /windowspath <Windows_directory> /localos

For example:

djoin.exe /requestodj /loadfile c:\users\setup\provision.txt /windowspath C:\Windows /localos


After a restart, the client is joined to the domain and can establish a DirectAccess connection to the corporate network. Users can then log on with their domain credentials.
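The whole procedure above, server side and client side, as an added PowerShell example (this is not code from the original post). New-DAClientOdjBlob runs on the DirectAccess server (Windows Server 2012 or later, with the RSAT ActiveDirectory module) and Install-DAClientOdjBlob on the remote client. The OU, security group name and file paths are assumptions; the domain, GPO name and template name are the ones used in the post.

```powershell
# Added example, not from the original post. OU, group and path names are
# assumptions; adjust them for your environment.
#Requires -RunAsAdministrator

function New-DAClientOdjBlob {
    param(
        [Parameter(Mandatory)] [string]$ClientName,
        [string]$Domain       = 'lab.richardhicks.net',                                   # from the post
        [string]$ComputerOU   = 'OU=DirectAccess Clients,DC=lab,DC=richardhicks,DC=net',  # assumption
        [string]$ClientGroup  = 'DirectAccess Client Computers',                          # assumption
        [string]$PolicyName   = 'DirectAccess Client Settings',                           # default DA client GPO
        [string]$CertTemplate = 'machine',   # template Name (not Display Name), as in the post
        [string]$BlobPath     = "$env:USERPROFILE\Desktop\$ClientName-provision.txt"
    )

    Import-Module ActiveDirectory

    # 1. Pre-create the computer account (if needed) and make it a member of the
    #    DirectAccess client security group so it receives the DA client GPO.
    $computer = Get-ADComputer -Filter "Name -eq '$ClientName'" -ErrorAction SilentlyContinue
    if (-not $computer) {
        $computer = New-ADComputer -Name $ClientName -Path $ComputerOU -Enabled $true -PassThru
    }
    $members = Get-ADGroupMember -Identity $ClientGroup | Select-Object -ExpandProperty DistinguishedName
    if ($members -notcontains $computer.DistinguishedName) {
        Add-ADGroupMember -Identity $ClientGroup -Members $computer
    }

    # 2. Generate the blob. /reuse is required because the account already exists
    #    (djoin resets its password); the DA GPO and certificate are embedded.
    & djoin.exe /provision /machine $ClientName /domain $Domain `
        /policynames $PolicyName /certtemplate $CertTemplate `
        /savefile $BlobPath /reuse
    if ($LASTEXITCODE -ne 0) {
        throw "djoin /provision failed with exit code $LASTEXITCODE"
    }

    # 3. The file holds the machine account password and the client's certificate
    #    material, so restrict it to the provisioning admin before it leaves this box.
    $acl = Get-Acl -Path $BlobPath
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $BlobPath -AclObject $acl
    Get-Item -Path $BlobPath
}

function Install-DAClientOdjBlob {
    param([Parameter(Mandatory)] [string]$BlobPath)

    # Apply the blob to the running OS (/localos) and its Windows directory.
    & djoin.exe /requestodj /loadfile $BlobPath /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) {
        throw "djoin /requestodj failed with exit code $LASTEXITCODE"
    }

    # The blob is a one-time secret; remove it once it has been applied.
    Remove-Item -Path $BlobPath -Force
    Write-Warning 'Restart the client to complete the domain join and DirectAccess configuration.'
}

# Usage:
#   On the DirectAccess server:             New-DAClientOdjBlob -ClientName client5
#   On the client, after copying the file:  Install-DAClientOdjBlob -BlobPath C:\users\setup\provision.txt
#                                           Restart-Computer
```

Both functions check $LASTEXITCODE because djoin.exe reports failures through its exit code rather than by throwing; without the check a script would silently continue after a failed provision (for example, when the template name is wrong or the account was not pre-created and /reuse was omitted).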


12 Comments

  1. Simon

     /  July 1, 2015

    This is really interesting. I wonder if something similar might be able to help DirectAccess client provisioning?

    An example being an office where the client computers are being added to the security group that is applying the GPO, the computers are getting the GP if you check GPResult, but they are not getting the DirectAccess settings applied.

    Has anyone encountered this issue?

    Reply
    • Hi Simon! You can definitely use offline domain join to provision DirectAccess clients. That is the title of the article, after all. 😉 If you have remote clients joined to a domain and they aren’t getting group policy settings, ODJ isn’t going to help you there. ODJ will only be useful if you need to join the remote client to the domain initially.

      Reply
      • Simon

         /  July 1, 2015

        I understand that Offline Domain Join won’t help, but wondered if there is any method to manually configure these clients to work with DirectAccess?

        Have you heard of anything that could be blocking DirectAccess from being setup on a client?

      • Outside of applying group policy there is no way to manually configure a DirectAccess client. :/

  2. Gabriel Luiz

     /  July 13, 2015

    Good morning.

    I have a question regarding the DirectAccess provisioning in the script. There is a line I have a doubt about, /CertTemplate: where do I find that information within Windows Server 2012 R2?

    The name of my CA is casa-DC-CA.

    Reply
    • You can find the name of the certificate template by looking at the value of “Template Name” (not “Template Display Name”) on your CA server or by looking at the output of certutil.exe -store my.

      Reply
      • gabrielluizbh

         /  July 13, 2015

        I ran the command as you told me. What information from it do I include in the offline domain join command? And where in the command do I include the certificate information? If possible, please give an example.

        C:\Windows\system32>certutil.exe -store
        CA “Intermediate Certification Authorities”
        ================ Certificate 0 ================
        Serial Number: 06376c00aa00648a11cfb8d4aa5c35f4
        Issuer: CN=Root Agency
        NotBefore: 28/05/1996 19:02
        NotAfter: 31/12/2039 20:59
        Subject: CN=Root Agency
        Signature matches Public Key
        Root Certificate: Subject matches Issuer
        Cert Hash(sha1): fe e4 49 ee 0e 39 65 a5 24 6f 00 0e 87 fd e2 a0 65 fd 89 d4
        No key provider information
        Cannot find the certificate and private key for decryption.
        Encryption test passed

        ================ Certificate 1 ================
        Serial Number: 46fcebbab4d02f0f926098233f93078f
        Issuer: OU=Class 3 Public Primary Certification Authority, O=VeriSign, Inc., C=US
        NotBefore: 16/04/1997 21:00
        NotAfter: 24/10/2016 20:59
        Subject: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA – Class 3, OU=VeriSign, Inc., O=VeriSign Trust Network
        Non-root Certificate
        Cert Hash(sha1): d5 59 a5 86 66 9b 08 f4 6a 30 a1 33 f8 a9 ed 3d 03 8e 2e a8
        No key provider information
        Cannot find the certificate and private key for decryption.
        Encryption test passed

        ================ Certificate 2 ================
        Serial Number: 54bf055173103882424c251f435bfd6e
        Issuer: CN=casa-DC-CA, DC=casa, DC=local
        NotBefore: 11/07/2015 19:58
        NotAfter: 11/07/2020 20:08
        Subject: CN=casa-DC-CA, DC=casa, DC=local
        CA Version: V0.0
        Signature matches Public Key
        Root Certificate: Subject matches Issuer
        Cert Hash(sha1): 1b 41 50 84 2b 59 96 0e 09 6a 87 92 e8 5a cd d8 84 f5 5f 16
        No key provider information
        Provider = Microsoft Software Key Storage Provider
        Simple container name: casa-DC-CA
        Unique container name: 2b77df04c418d691929c4f31b0f66d42_f52854a1-6432-4bdd-875c-b85523ea86da
        ERROR: missing key association property: CERT_KEY_IDENTIFIER_PROP_ID
        Signature test passed

        ================ Certificate 3 ================
        Serial Number: 198b11d13f9a8ffe69a0
        Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.
        NotBefore: 01/10/1997 04:00
        NotAfter: 31/12/2002 04:00
        Subject: CN=Microsoft Windows Hardware Compatibility, OU=Microsoft Corporation, OU=Microsoft Windows Hardware Compatibility Intermediate CA, OU=Copyright (c) 1997 Microsoft Corp.
        Non-root Certificate
        Cert Hash(sha1): 10 9f 1c ae d6 45 bb 78 b3 ea 2b 94 c0 69 7c 74 07 33 03 1c
        No key provider information
        Cannot find the certificate and private key for decryption.
        Encryption test passed
        ================ CRL 0 ================
        Issuer: OU=VeriSign Commercial Software Publishers CA, O=VeriSign, Inc., L=Internet
        ThisUpdate: 23/03/2001 21:00
        NextUpdate: 07/01/2004 20:59
        CRL Entries: 3
        CRL Hash(sha1): a3 77 d1 b1 c0 53 88 33 03 52 11 f4 08 3d 00 fe cc 41 4d ab

        ================ CRL 1 ================
        Issuer: CN=casa-DC-CA, DC=casa, DC=local
        ThisUpdate: 13/07/2015 08:38
        NextUpdate: 14/07/2015 20:58
        CRL Entries: 0
        CA Version: V0.0
        CRL Number: CRL Number=02
        Delta CRL Indicator: Minimum Base CRL Number=01
        CRL Hash(sha1): 9e 40 b9 26 9b 66 27 da b8 56 52 69 cc ae af 59 90 99 85 ac

        ================ CRL 2 ================
        Issuer: CN=casa-DC-CA, DC=casa, DC=local
        ThisUpdate: 11/07/2015 19:58
        NextUpdate: 19/07/2015 08:18
        CRL Entries: 0
        CA Version: V0.0
        CRL Number: CRL Number=01
        CRL Hash(sha1): 1d bc ad 50 cc dd 97 08 49 d2 cd 85 d3 b7 0b f1 3d d8 e6 b9
        CertUtil: -store command completed successfully.

      • You forgot the “-my” switch. 🙂 Try it again using certutil.exe -store my and let me know if you find it.
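As an added PowerShell example (not code from the original post or its comments), the distinction the reply above draws between a template's Name and its Display Name can be checked directly: certificate templates live in the Configuration partition of Active Directory, where the object's Name is what djoin /certtemplate expects and displayName is what the Certification Authority console shows. The second function reads the template extension from certificates already in the local machine store, which is the same information certutil -store my prints as "Template". Requires the RSAT ActiveDirectory module; the 'Computer' display name used in the usage line is the built-in template whose Name is 'Machine', matching the post's /certtemplate machine.

```powershell
# Added example, not from the original post. Lists AD certificate templates
# (Name vs Display Name) and the template recorded in locally issued certificates.
Import-Module ActiveDirectory

function Get-CertTemplateName {
    param([string]$DisplayName)   # optional filter, e.g. 'Computer'

    # Templates are stored under the Configuration naming context.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    $templates = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                              -Properties displayName, 'msPKI-Cert-Template-OID' |
        Select-Object @{ n = 'Name';        e = { $_.Name } },                      # pass this to djoin /certtemplate
                      @{ n = 'DisplayName'; e = { $_.displayName } },               # what the CA console shows
                      @{ n = 'OID';         e = { $_.'msPKI-Cert-Template-OID' } }

    if ($DisplayName) { $templates | Where-Object DisplayName -eq $DisplayName } else { $templates }
}

function Get-IssuedTemplate {
    # v1 templates record the template Name in OID 1.3.6.1.4.1.311.20.2;
    # v2 and later record the template OID in 1.3.6.1.4.1.311.21.7.
    $templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -in $templateOids }
        if ($ext) {
            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Template   = ($ext | ForEach-Object { $_.Format($false) }) -join '; '
            }
        }
    }
}

# Usage:
Get-CertTemplateName -DisplayName 'Computer'   # built-in template: Name is 'Machine'
Get-IssuedTemplate | Format-Table -AutoSize
```

Run Get-CertTemplateName on any domain-joined machine with RSAT; run Get-IssuedTemplate on the DirectAccess server or an already-provisioned client to confirm that the certificate it holds really came from the template you intend to pass to djoin.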

  3. Simon

     /  November 9, 2016

    Hi Richard, great article once again! I was wondering, does the DC and/or AD functional level need to be 2012 to be able to generate the blob with the DirectAccess config? I keep getting error 0xc00000001

    Reply
