One of the many advantages DirectAccess has over traditional client-based VPN is the ease with which DirectAccess clients can be provisioned. DirectAccess does not require any special software to be installed on the client. Everything that DirectAccess needs is included as part of the operating system. This makes onboarding a client for DirectAccess as simple as adding a computer account to the DirectAccess client security group in Active Directory. That’s it! As soon as the client restarts it will be configured for DirectAccess.
This process works great if the client computer is already joined to the domain and has access to the LAN (either directly connected or via client-based VPN). But what if the client is in a remote location and isn’t yet joined to the domain? Offline Domain Join (ODJ) can help. ODJ is a feature of the Windows operating system introduced with Windows 7 and Windows Server 2008 R2 that allows an administrator to join a host to the domain without requiring the host to contact a domain controller. Beginning with Windows 8 and Server 2012, ODJ supports new command-line parameters that allow the administrator to configure the client machine to include DirectAccess certificates and policies.
Note: ODJ will only provision DirectAccess certificates and policies for Windows 8.x and later clients. ODJ with Windows 7 clients is limited to joining the domain only. ODJ cannot provision Windows 7 clients for DirectAccess.
To use ODJ to provision a DirectAccess client, first create a computer account in Active Directory and then add the account to the DirectAccess client security group. Next, open an elevated Command Prompt window on the DirectAccess server and execute the following command.
djoin.exe /provision /machine <client_machine_name> /domain <domain_name> /policynames <DirectAccess_client_settings_GPO_name> /certtemplate <DirectAccess_certificate_template_name> /savefile <filename> /reuse
For example:
djoin.exe /provision /machine client5 /domain lab.richardhicks.net /policynames "DirectAccess Client Settings" /certtemplate machine /savefile c:\users\rhicks\desktop\provision.txt /reuse
On the DirectAccess client, copy the ODJ provisioning file locally. Open an elevated Command Prompt window and execute the following command.
djoin.exe /requestodj /loadfile <filename> /windowspath <Windows_directory> /localos
For example:
djoin.exe /requestodj /loadfile c:\users\setup\provision.txt /windowspath C:\Windows /localos
After a restart, the client will be joined to the domain and now be able to establish a DirectAccess connection to the corporate network. Users can now log on with their domain credentials.
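The server-side provisioning steps above, scripted as an added example (this is not the article's own code): before calling djoin.exe it verifies the two inputs the comment thread shows are easy to get wrong, the GPO name and the certificate template name (as opposed to its display name). The client security group name "DirectAccess Client Computers" is an assumption; the machine, domain, GPO and template values are the article's.

```powershell
param(
    [string]$Machine     = 'client5',
    [string]$Domain      = 'lab.richardhicks.net',
    [string]$ClientGroup = 'DirectAccess Client Computers',   # assumed group name
    [string]$PolicyName  = 'DirectAccess Client Settings',
    [string]$Template    = 'machine',                         # Template Name, not Display Name
    [string]$SaveFile    = "$env:USERPROFILE\Desktop\provision.txt"
)
Import-Module ActiveDirectory, GroupPolicy -ErrorAction Stop

# 1. Make sure the computer account exists and is in the DirectAccess client security group.
if (-not (Get-ADComputer -Filter "Name -eq '$Machine'")) {
    New-ADComputer -Name $Machine -Enabled $true
}
Add-ADGroupMember -Identity $ClientGroup -Members "$Machine`$" -ErrorAction SilentlyContinue

# 2. The GPO named in /policynames must exist, or the client is joined without DA settings.
if (-not (Get-GPO -Name $PolicyName -ErrorAction SilentlyContinue)) {
    throw "GPO '$PolicyName' not found; check the DirectAccess client settings GPO name."
}

# 3. /certtemplate takes the template's cn (the "Template Name" shown on the CA), not its
#    displayName; look it up in the configuration partition so a display name is caught early.
$tplBase = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
           (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase $tplBase -LDAPFilter "(cn=$Template)"
if (-not $tpl) {
    $byDisplay = Get-ADObject -SearchBase $tplBase -LDAPFilter "(displayName=$Template)"
    if ($byDisplay) {
        throw "'$Template' is a display name; use the template name '$($byDisplay.Name)' instead."
    }
    throw "Certificate template '$Template' not found."
}

# 4. Run the same djoin.exe command the article shows; /reuse because the account already exists.
$djoinArgs = @('/provision', '/machine', $Machine, '/domain', $Domain,
               '/policynames', $PolicyName, '/certtemplate', $Template,
               '/savefile', $SaveFile, '/reuse')
& djoin.exe @djoinArgs
if ($LASTEXITCODE -ne 0) {
    throw ('djoin.exe failed with exit code 0x{0:X8}' -f $LASTEXITCODE)
}

# The blob holds the machine account password and certificate material: move it to the
# client over a trusted channel and delete it once /requestodj has consumed it.
Write-Host "Provisioning blob written to $SaveFile; copy it to $Machine and run djoin.exe /requestodj."
```

Run it on the DirectAccess server from an elevated PowerShell session with the RSAT Active Directory and Group Policy modules installed; the client-side /requestodj step is unchanged from the article.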
Simon / July 1, 2015
This is really interesting. I wonder if something similar might be able to help DirectAccess client provisioning?
An example being an office where the client computers are being added to the security group that is applying the GPO, the computers are getting the GP if you check GPResult, but they are not getting the DirectAccess settings applied.
Has anyone encountered this issue?
Richard Hicks / July 1, 2015
Hi Simon! You can definitely use offline domain join to provision DirectAccess clients. That is the title of the article, after all. 😉 If you have remote clients joined to a domain and they aren’t getting group policy settings, ODJ isn’t going to help you there. ODJ will only be useful if you need to join the remote client to the domain initially.
Simon / July 1, 2015
I understand that Offline Domain Join won’t help, but wondered if there is any method to manually configure these clients to work with DirectAccess?
Have you heard of anything that could be blocking DirectAccess from being setup on a client?
Richard Hicks / July 6, 2015
Outside of applying group policy there is no way to manually configure a DirectAccess client. :/
Gabriel Luiz / July 13, 2015
Good morning.
I have a question regarding the DirectAccess provisioning script. There is a line I have a doubt about: /certtemplate. Where do I find this information within Windows Server 2012 R2?
The name of my CA is casa-DC-CA.
Richard Hicks / July 13, 2015
You can find the name of the certificate template by looking at the value of “Template Name” (not “Template Display Name”) on your CA server or by looking at the output of certutil.exe -store my.
gabrielluizbh / July 13, 2015
I ran the command as you told me. What information from this do I include in the offline domain join command? And how do I include the certificate information in the command? If possible, please give an example.
C:\Windows\system32>certutil.exe -store
Richard Hicks / July 14, 2015
You forgot the “-my” switch. 🙂 Try it again using certutil.exe -store my and let me know if you find it.
Simon / November 9, 2016
Hi Richard, great article once again! I was wondering, does the DC and/or AD functional level need to be 2012 to be able to generate the blob with the DirectAccess config? I keep getting error 0xc00000001
Richard M. Hicks / November 10, 2016
I don’t think so, but I’m not certain about that.
Morten / October 4, 2017
Hi Richard.
I have tried to set this up, but I keep getting the following error when I include the /certtemplate option:
Provisioning the computer…
Failed to provision [test01] in the domain [domain.local]: 0x8007007f.
It may be necessary to specify /REUSE when running
djoin.exe again with the same machine name.
Computer provisioning failed: 0x8007007f.
The specified procedure could not be found.
If I leave out the /certtemplate option provisioning works fine. I can even get DirectAccess to work through a provisioned client, if I configure DA not to use certificate validation.
I have tried with different templates, both custom templates (variations of the Workstation Authentication template) and original templates (both Workstation Authentication and Computer template). I am aware of the difference between display name and template name, and if I deliberately enter a false template name, I get a template error, and not the error described.
Access rights on all templates are set for Domain Computers to enroll.
Any suggestions?
Regards – Morten
Richard M. Hicks / October 16, 2017
I’m assuming you are using the /REUSE switch, correct? You are right, you must use the certificate template name when specifying the template to use, not the template’s display name. If you’ve got that right, you should be good to go. Not sure why it wouldn’t work. :/
Jorn / February 19, 2018
I also get
Computer provisioning failed: 0x8007007f.
The specified procedure could not be found.
If I take out /CERTTEMPLATE it works.
Richard M. Hicks / February 20, 2018
Not sure what’s up there as that error code doesn’t seem to have anything to do with certificate provisioning. I can only suggest you look closely at permission on the template and make sure whoever is creating the offline domain join package has read and enroll permissions.
Casey Brennan / December 13, 2017
I’m getting Access Denied 0x80070005 when using /certtemplate. If I remove this switch, djoin works great. I’m specifying the correct template name. I was thinking that because the cert template only allows Domain Computers to enroll that perhaps my user ID needed read/write and enroll rights on the template — but even with those rights, I still get Access Denied. Without the machine cert, DA fails to work after running the djoin command and rebooting. Anyone else run across this? Would be great if it just worked……
Richard M. Hicks / December 14, 2017
That error seems to indicate a permissions issue of some sort. What specifically, I don’t know. I’ve had very few issues with offline domain join and I’ve never encountered this error myself. The only thing I can suggest is to ensure that the account you are using is a member of the domain administrators group and that you have read and enroll permissions at a minimum on the template you are using.
Shahid Mushtaq / September 4, 2018
Hi Richard,
Do you know if Offline Domain Join and Always On VPN can work together? We have various clients that never come to the office, and we are able to set them up with Offline Domain Join in DirectAccess. But I’m wondering how it can work with Always On VPN where we only have User Tunnels.
Thanks,
Shahid
Richard M. Hicks / September 4, 2018
You can certainly use offline domain join on Windows 10 Always On VPN clients, but the ODJ process doesn’t apply the VPN client settings like it does with DirectAccess client settings unfortunately. You’ll still need some mechanism to get the VPN client settings pushed to the client after joining the domain, such as Intune.
Sulabh Upadhyaya / March 31, 2020
Can you run this on an existing domain-joined laptop? If so, will it see the OU that it is in and move on? Would it behave the same as adding a computer back to a domain with the same name?
Richard M. Hicks / March 31, 2020
I believe so, yes.
Seeker / January 15, 2021
Thank you for the wonderful tutorial. I just have one issue: I did a /reuse but my clients are stuck on connecting. What can I do to fix this? Thank you.
Richard M. Hicks / January 18, 2021
Could be an issue with resolving or connecting to the directaccess-WebProbeHost URL. Have a look at this post for more information.
https://directaccess.richardhicks.com/2017/05/22/directaccess-network-connectivity-assistant-nca-configuration-guidance/