- Admin enter the username and password allowing domain join.<\/li>
- Communication between the domain controller and the machine<\/li>
- Reboot<\/li>
- User can logon with a domain account.<\/li><\/ol>\n\n\n\n
Fun fact:<\/strong> Standard users by default can join up to 5 machines themselves to Active Directory (can be changed).<\/p>\n\n\n\n
Offline Domain Join<\/h3>\n\n\n\n
Introduced with Windows Server 2008R2 and Windows 7, Offline domain join allow a machine to join the domain without the need to be on the network.<\/p>\n\n\n\n
Sequence<\/h4>\n\n\n\n
There is 2 way to execute this sequence. The first one is manually running the commands. The second one is using Autopilot and do the domain join over the air but this requires a MDM server.<\/p>\n\n\n\n
- Administrator\/Autopilot generate a text file which contains a base64 blob with
djoin \/provision<\/code><\/li>- Copy the text file onto the machine<\/li>
- Run
djoin \/requestODJ<\/code><\/li>- Reboot<\/li><\/ol>\n\n\n\n
For the user first logon, the machine needs to have a line of sight with a domain controller, this can be on the corp network or via VPN. For VPN, you need to have a VPN capable to be triggered at the user logon interface also called GINA sometimes (historic reason it was the name of the DLL in Windows XP doing the user logon, now replaced with the Windows Credential Provider since Vista).
After the first user logon, credentials are cached and a traditional user VPN can be used.<\/p>\n\n\n\nDjoin Command Line Reference: https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2012-R2-and-2012\/ff793312(v=ws.11)<\/a><\/p>\n\n\n\n
Azure AD<\/h2>\n\n\n\n
When Microsoft started to create the cloud as we know now, it was mainly an online offering for communication product also known as BPOS (Business Productivity Online Suite), (there’s more history before but archaeology is not the purpose of this post ;), now known as Office 365, this was relying on some back end to sync up users with DirSync, now known as Azure AD Sync, then in 2012\/2013 came Azure AD as we know now.<\/p>\n\n\n\n
Azure AD Registered<\/h3>\n\n\n\n
Registration is a form of being part of Azure AD without impacting the machine side.
Works on different type of devices: Windows 10 (any edition Home included), iOS Android and MacOS.<\/p>\n\n\n\nThe machine can be domain joined, workgroup or consumer joined, so the user logon aspect does not change however for any authentication to the corporate Azure AD the registration will be used.<\/p>\n\n\n\n
Finally, a MAM or a MDM configuration can comes down, if necessary, to protect corporate data.<\/p>\n\n\n\n
Sequence<\/h4>\n\n\n\n
- Windows
- User goes in Settings > Accounts > Access work or school<\/li>
- Click Connect<\/li>
- Login <\/li>
- Machine is registered<\/li><\/ol><\/li><\/ul>\n\n\n\n
Side note: This is what is used for the compliance API integration in Workspace ONE UEM. More info: https:\/\/digitalworkspace.one\/2020\/05\/12\/compliance-api-msft\/<\/a><\/p>\n\n\n\n
Azure AD Join<\/h3>\n\n\n\n
For an end-user, there is not much difference between an Azure AD joined machine from a domain joined machine on a day to day basis, that said, everything in the back end change and the behaviour with it too.<\/p>\n\n\n\n
As Azure is based in the cloud, there is no issue for joining it over-the-air (OTA) a part of having a network connection. It can be attached to an automatic MDM integration, so device get managed as soon as the device is joined, this feature requires Azure AD Premium. One cool thing is that no reboot is required for this process. <\/p>\n\n\n\n
There is 2 provisioning methods to join Azure AD. The most common and largely advertised is the OOBE way, Autopilot can be added on top to make some config before user sign-in.<\/p>\n\n\n\n
OOBE<\/h4>\n\n\n\n
OOBE stand for Out-of-box experience (pronounced oo-bee), it’s the first process that an end-user go through when the machine is started for the first time, hence the name. The user enter an email address and, depending on it, will do an azure AD join for an Azure AD domain or consumer join for a Microsoft account.<\/p>\n\n\n\n
![\"\"](\"http:\/\/172.23.1.43\/wp-content\/uploads\/2020\/08\/OOBE-SignInMicrosoft.png\")
<\/a>OOBE – “Sign in with Microsoft” step<\/figcaption><\/figure><\/div>\n\n\n\n ![\"\"](\"http:\/\/172.23.1.43\/wp-content\/uploads\/2020\/08\/OOBE-SignInAutopilot.png\")
<\/a>OOBE with Autopilot – “Sign in with Microsoft” step <\/figcaption><\/figure><\/div>\n\n\n\n Sequence<\/h5>\n\n\n\n
- Machine boots<\/li>
- Network connection – required for Azure AD join<\/li>
- Optional: In Autopilot case some configuration is done<\/li>
- User enter it’s UPN (sometimes different from the email address) <\/li>
- Authentication
- On Azure AD for managed domain<\/li>
- On the IDP for federated domain<\/li><\/ol><\/li>
- Machine is joined to Azure AD<\/li>
- Optional: MDM enrolment and configuration\/applications<\/li>
- User Auto logon<\/li><\/ol>\n\n\n\n
Settings<\/h4>\n\n\n\n
A workgroup machine can also be Azure AD joined via the Settings > Accounts > Access work or school<\/p>\n\n\n\n
![\"\"](\"http:\/\/172.23.1.43\/wp-content\/uploads\/2020\/08\/Settings-Set-up-a-work-or-school-account.png\")
<\/a>Settings – Join Azure AD<\/figcaption><\/figure><\/div>\n\n\n\n Sequence<\/h5>\n\n\n\n
- User enter it’s UPN (sometimes different from the email address)<\/li>
- Authentication
- On Azure AD for managed domain<\/li>
- On the IDP for federated domain<\/li><\/ol><\/li>
- Windows ask for confirmation<\/li>
- Optional: MDM enrolment and configuration\/applications<\/li>
- Machine is Azure AD joined.<\/li>
- User switch to the new user.<\/li><\/ol>\n\n\n\n
Hybrid Join<\/h2>\n\n\n\n
As said earlier, Active Directory remains the main directory to join Windows machines.
However, companies adopt more and more cloud apps especially Office 365 and want to start enjoying the capabilities of the cloud, like compliance, conditional access, etc.
But they tend to have large estate so doing a migration over to an Azure AD machine is a big step that a lot are not ready to make for a lot of different reasons.<\/p>\n\n\n\nHybrid Join answer this desire by allowing a machine to be domain joined and<\/strong> Azure AD joined.<\/p>\n\n\n\n
Note:<\/strong> Domain joined machine can be registered in Azure AD and this bring confusion also before 1803 with KB4489894, you had to remove the registered state before trying to join.
More information: https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/devices\/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state<\/a><\/p>\n\n\n\nPrerequisites<\/h3>\n\n\n\n
- Managed domain : Azure AD connect with password hash sync enabled<\/li>
- Federated domain : IDP with WS-Trust support (WS-Trust 1.3 or 2005 endpoints)<\/li>
- Active Directory configuration : SCP object<\/a><\/li><\/ul>\n\n\n\n
Sequence<\/h3>\n\n\n\n
There is 2 way to execute point 1. The first one is traditional estate then do the automatic join. The second one is using Offline domain join with Autopilot and then Azure AD join.<\/p>\n\n\n\n
- Machine is domain joined: Online, Offline or Offline with Autopilot<\/li>
- Discovery of the Azure AD domain via the SCP object<\/li>
- Machine reach Azure AD<\/li>
- Authentication
- Password Hash for Managed<\/li>
- Windows Integrated Authentication for federated<\/li><\/ul><\/li>
- Machine is Hybrid Joined<\/li><\/ol>\n\n\n\n
Validation<\/h3>\n\n\n\n
Nothing is really visible from the interface so you can run
dsregcmd \/status<\/code><\/p>\n\n\n\n![\"\"](\"http:\/\/172.23.1.43\/wp-content\/uploads\/2020\/08\/dsregcmd-status-hybrid-join.png\")
<\/a>Hybrid Join – dsregcmd status<\/figcaption><\/figure><\/div>\n\n\n\n Further Reading<\/h2>\n\n\n\n
There is some great blog out there which go in way more detail on the how each works below some of the best.<\/p>\n\n\n\n
- https:\/\/jairocadena.com\/<\/a><\/li>
- https:\/\/blog.virtualprivateer.com\/workspace-one-and-azure-ad-1\/<\/a><\/li><\/ul>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
In the past on Windows, you had 2 options: Domain join or Workgroup.Windows 10 add more options which can be…<\/p>\n","protected":false},"author":5614970,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[637,1986749],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts\/327"}],"collection":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/users\/5614970"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/comments?post=327"}],"version-history":[{"count":52,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts\/327\/revisions"}],"predecessor-version":[{"id":1122,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/posts\/327\/revisions\/1122"}],"wp:attachment":[{"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/media?parent=327"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/categories?post=327"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.n-dol.org\/wp-json\/wp\/v2\/tags?post=327"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- https:\/\/blog.virtualprivateer.com\/workspace-one-and-azure-ad-1\/<\/a><\/li><\/ul>\n\n\n\n
- https:\/\/jairocadena.com\/<\/a><\/li>
- Administrator\/Autopilot generate a text file which contains a base64 blob with