Offline Domain Join connector

The Offline Domain Join connector joins computers to a Microsoft Active Directory domain without the computers contacting a domain controller during the join operation. This means that computers without access to the corporate network can also be joined to a domain.

You can find instructions for installing the Offline Domain Join connector further down on this page.

How it works

After you have installed and configured the Offline Domain Join connector(s), read the Performing offline domain join help page to learn how to join computers to a domain with Miradore.

Requirements



Notice! When DirectAccess is used and the target computer runs Microsoft Windows 7 or Windows Server 2008 R2, the target computer must be connected to the company network once before the DirectAccess connection works.

Network architecture

Installing Offline Domain Join connector


  1. Choose a computer that meets the connector host requirements listed in the Requirements section above.

  2. Run the "ODJ_Connector_setup.exe" installer. The installer is located in the installation directory of Miradore Management Suite under "Connectors > ODJ".

  3. The welcome screen shows the connector version number. Proceed with Next.

  4. Next, read the license terms and accept the license agreement.

  5. Set the connector configuration:

    1. Miradore server name: Host name or IP address of the Miradore server.

    2. Miradore instance name: Several Miradore instances can run on the same host; the instance name identifies the one the connector talks to. By default, the server is installed with the instance name "Miradore".

    3. Miradore server port: TCP port that the Miradore server listens on. By default it is 80. If "Use HTTPS" is checked, enter the port of the server's HTTPS binding instead (commonly 443).

    4. Use HTTPS: Defines the protocol (HTTP or HTTPS) that the connector uses to communicate with the Miradore server. HTTPS is strongly recommended; with plain HTTP the traffic between the connector and the server travels unencrypted.

    5. Ignore SSL errors: If checked, all SSL/TLS certificate errors (untrusted issuer, name mismatch, expired certificate) are ignored. This removes the server authentication that HTTPS provides and leaves the connection open to interception, so leave it unchecked in production; fix the server certificate, or install its issuing CA certificate on the connector host, instead.

    6. Use proxy: If checked, the connector connects to the Miradore server through a proxy server.

    7. Proxy server: Host name or IP-address of a proxy server.

    8. Proxy port: Proxy server’s port.

    9. Proxy authentication method: Authentication method for the proxy server. Available methods: none, basic, digest and NTLM. Basic authentication sends the proxy credentials in an easily decoded form, so prefer digest or NTLM when the proxy supports them.

    10. Proxy user name: User name for the proxy server.

    11. Proxy password: Password for the proxy server.

  6. Define the installation folder for the connector and the storage folder for its log files.

  7. Verify the installation information. If everything looks correct, start the installation by clicking "Start".

  8. After the installation has finished, you should see a confirmation that the installation was successful. Click "Finish" to exit the installer.

Configuring Offline Domain Join connector

Connector configuration is done in the Miradore management console at: "Administration > System settings > Connectors > Offline Domain Join > Host computer".

  1. First, the connector must be authorized. To do that, open the Offline Domain Join connector item in the Connectors table and change the connector status to "Active".

  2. Before you can save that change, you also have to enter the connector settings in the fields below. The fields are described below. Fill in the settings and click "Save" to activate the connector.

    • Domain: Enter your domain name.

      Example of the field format: TRESTACOM

    • Default domain: There can be multiple Offline Domain Join connectors in a Miradore Management Suite instance, one per domain. This field selects one of the connectors (and therefore one of the domains) as the default used when performing offline domain joins during initial installations. Assets are then joined to this domain during their initial installation by default if the "Offline Domain Join connector" field is left empty in the organisation item assigned to the asset(s).

    • Use LDAPS: Use a secure LDAP (LDAPS) connection to Active Directory. If checked, also configure the Domain controller field. LDAPS is supported starting from Offline Domain Join Connector version 2.0; earlier connector versions do not support it. Make sure that LDAPS is also enabled on the Active Directory domain controller (the domain controller needs a server authentication certificate, and the connector host must trust the CA that issued it). LDAPS is strongly recommended, because it protects the directory traffic and the connector account's credentials between the connector host and the domain controller.

    • Domain controller: Required only when LDAPS is used. Enter the fully qualified domain name of the domain controller. The name must match the subject name in the certificate the domain controller uses for LDAPS; a name mismatch causes the TLS connection to fail.

    • Username: User account used to authenticate with Microsoft Active Directory, in the "DOMAIN\username" format. The account must have administrative rights on the connector host and permission to create computer objects in Active Directory. Use a dedicated service account with rights delegated only on the target OU (and, if DirectAccess is used, on the DirectAccess group) rather than a domain administrator account: the connector holds these credentials, and a compromise of the connector host should not yield domain-wide privileges.

      Example of the field format: TRESTACOM\username

    • Password: Password for the authenticating user.

    • Target OU: The organizational unit in Active Directory where the computer account is created, or moved to if it already exists. If empty, the default Active Directory computer container is used. Target OU is passed as the /machineou parameter to djoin.exe.

      Example of the field format: OU=Workstations,OU=Trestacom_Computers,DC=trestacom,DC=com

    • DirectAccess policy names: Names of the Group Policy objects (separated by semicolons) to be included in the offline domain join provisioning data created by djoin.exe. This should include "DirectAccess Client Settings" and any custom policies you have made for DirectAccess clients. The names are passed as the /policynames parameter to djoin.exe; the matching /policypaths parameter is determined automatically from the policy names. This setting is optional and only has effect when DirectAccess is used.

    • DirectAccess certificate template: Name of the certificate template for the DirectAccess clients. It is passed as the /certtemplate parameter to djoin.exe. This setting is optional and only has effect when DirectAccess is used.

    • DirectAccess group name: Name of the security group whose members are allowed to access the company network through DirectAccess. The connector adds the computer account to this group. This setting is optional and only has effect when DirectAccess is used.

  3. After configuring, the connector should be fully functional. Check the connector log to verify that the connector could connect to both the Miradore server and Active Directory.
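The connector fields above map onto djoin.exe provisioning options and an Active Directory group change. The following PowerShell is an added illustration of those steps as an administrator would run them by hand; it is not the connector's own code. The domain FQDN, computer name, certificate template and group name are assumptions chosen to match the TRESTACOM examples on this page, and the /policypaths derivation (the SYSVOL path of each GPO's machine Registry.pol) is the documented djoin.exe format, not a description of how the connector resolves it internally. The script needs the RSAT ActiveDirectory and GroupPolicy modules and must run as an account with the rights described in the Username field.

```powershell
# Added example (not the connector's code): the djoin.exe steps behind the
# connector fields on this page. Values marked "assumed" are illustrative.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain       = 'trestacom.com'                                         # assumed FQDN of TRESTACOM
$MachineName  = 'WS-0001'                                               # assumed name of the new computer
$TargetOU     = 'OU=Workstations,OU=Trestacom_Computers,DC=trestacom,DC=com'
$PolicyNames  = 'DirectAccess Client Settings'                          # semicolon-separated, as in the field above
$CertTemplate = 'DirectAccessClient'                                    # assumed certificate template name
$DAGroup      = 'DirectAccess Clients'                                  # assumed DirectAccess security group
$BlobPath     = Join-Path $env:TEMP "$MachineName.djoin.txt"

# djoin /policypaths expects the SYSVOL path of each GPO's machine-side
# Registry.pol. Resolving it from the GPO name is what "determined
# automatically using the policy names" amounts to.
function Resolve-PolicyPaths {
    param([string]$Names, [string]$Domain)
    $paths = foreach ($name in ($Names -split ';' | ForEach-Object Trim | Where-Object { $_ })) {
        $gpo = Get-GPO -Name $name -Domain $Domain -ErrorAction Stop
        "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}\Machine\Registry.pol"
    }
    $paths -join ';'
}

$policyPaths = Resolve-PolicyPaths -Names $PolicyNames -Domain $Domain

# 1. Provision: creates the computer account in the target OU and writes the
#    provisioning blob. /reuse re-provisions (and resets the password of) an
#    account that already exists; drop it if you want the call to fail instead.
$djoinArgs = @(
    '/provision', '/domain', $Domain, '/machine', $MachineName,
    '/machineou', $TargetOU, '/savefile', $BlobPath, '/reuse',
    '/policynames', $PolicyNames, '/policypaths', $policyPaths,
    '/certtemplate', $CertTemplate
)
& djoin.exe @djoinArgs
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# 2. DirectAccess: put the new computer account into the group that is allowed
#    through DirectAccess (the "DirectAccess group name" field).
$computer = Get-ADComputer -Identity $MachineName -Server $Domain
Add-ADGroupMember -Identity $DAGroup -Members $computer -Server $Domain

# 3. The blob is a domain-join credential: anyone holding it can complete the
#    join as this computer. Move it to the target over a protected channel and
#    delete the local copy once it has been consumed. On the offline target,
#    as administrator:
#      djoin.exe /requestODJ /loadfile <blob> /windowspath %SystemRoot% /localos
Write-Output "Provisioning blob written to $BlobPath"
```

When the connector does this for you, Miradore carries the blob to the target; the same handling rule still applies to any copy you produce manually.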

Logging

The Miradore Offline Domain Join connector writes a log file every time it runs. Normally, the connector starts, waits for requests for an hour and then restarts itself, so a new log file is created every hour. The log files are in the Logs folder under the connector's installation folder on the connector host. The connector log is also sent to the Miradore server every hour and after every domain join request. In Miradore, the connector log can be found under "System settings > Connectors > Connectors table".

If needed, you can switch the logging level to debug in the registry of the connector host:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Miradore\Server\Connectors\ODJ
Value: FileLogSeverity = Debug
Revert the value once troubleshooting is done; debug logging is considerably more verbose than the normal level.

Active Directory credential requirements

The user account configured for the Active Directory connection must have the permissions required to join computers to the configured OU. See Microsoft's documentation for details: Offline Domain Join Step-by-step guide https://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(v=ws.10).aspx.
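Rather than giving the connector a domain administrator account, delegate only the rights the join needs on the target OU and, where DirectAccess is used, on the DirectAccess group. The dsacls commands below are an added example of such a delegation, not part of this page or the product; the service account, OU and group distinguished names are assumptions modelled on the TRESTACOM examples above. Run them as a user who can modify permissions on those objects.

```powershell
# Added example (not from the page or the product): least-privilege delegation
# for a dedicated Offline Domain Join connector account. Names are assumed.
$Account  = 'TRESTACOM\svc-odj'                                            # assumed service account
$TargetOU = 'OU=Workstations,OU=Trestacom_Computers,DC=trestacom,DC=com'
$DAGroup  = 'CN=DirectAccess Clients,OU=Groups,DC=trestacom,DC=com'        # assumed; only if DirectAccess is used

# Create computer objects in the target OU and below it (what djoin /provision
# needs). /I:T applies to the OU itself and its sub-objects.
dsacls $TargetOU /I:T /G "${Account}:CC;computer"

# The connector re-provisions accounts that already exist (password reset,
# attribute updates) and moves them into the target OU. Granting full control
# over computer objects under the OU (and nothing on the OU itself) covers
# that; tighten to the individual rights (Reset Password, Write Account
# Restrictions, validated writes to DNS host name and SPN) if your policy
# requires it. /I:S applies to sub-objects only.
dsacls $TargetOU /I:S /G "${Account}:GA;;computer"

# Add computers to the DirectAccess group: write access to its 'member'
# attribute only. Skip this if the DirectAccess group field is not used.
dsacls $DAGroup /G "${Account}:WP;member"

# Review the resulting ACLs before pointing the connector at the account.
dsacls $TargetOU
dsacls $DAGroup
```

With this delegation the account can create and manage computer accounts under the target OU and change membership of one group, but cannot touch users, other OUs or group policy; combined with LDAPS and a strong, rotated password this limits what a compromise of the connector host can reach.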

Technical description

Offline Domain Join connector

See also

Performing offline domain join

Device self-service enrollment

Network settings for connectors

Connector authorization

System settings for connectors

Offline Domain Join connector item

Offline Domain Join connector item attributes