End-to-End DJOIN Blob File Creation for On-the-Fly ODM Offline Domain Join (ODJ) Rollback
Introduction
This document outlines the steps required to create a blob file for an Offline Domain Join (ODJ) rollback using ODM. The tool has no ODJ rollback option, and if you try the standard (non-ODJ) rollback on an ODJ-migrated workstation, it fails with a message saying the workstation has not been migrated.
I am skipping some things here that should be considered if you are rolling this into production. These include, but are not limited to, declaring $Output for ODM AD so that your return values reflect true success and failure, and using the built-in variables that come with the ODM scripting service. There is more, but for now, let's get the basic information out for the world to use.
Some of the values in the scripts below are hard-coded for ease of understanding in the example. This data can be pulled from system variables in the ODM AD scripting service. A blog post detailing some of the more common ones is coming. It would also be better to use your own global variables (under Configurations\Variables) rather than hard-coding values in the script as I have done below.
The code below is a set of suggestions that has had limited testing in my lab, so please validate and test in your own environment before going to full production.
Steps for Blob File Creation Process
1. Add the Source Service Account as a Local Admin on the Workstation
# PowerShell script to add the source service account to the local Administrators group
# Define the username for the source service account
$username = "Domain\serviceAccountName"
# Assign the account
try {
# Add the account to the local Administrators group; -ErrorAction Stop turns the
# cmdlet's non-terminating error into one the catch block actually sees
Add-LocalGroupMember -Group "Administrators" -Member $username -ErrorAction Stop
Write-Host "Administrator account '$username' added successfully."
} catch {
Write-Host "Error adding administrator account: $_"
}
2. Change the ODM AD Agent Credentials to Source Service Account
A few key points on this one that can get you tripped up.
- I wrote this as PoSH. You could do all of this in CMD as well. The formatting is a bit different, but the basics are there.
- In the case of PoSH, you must use "sc.exe": a bare "sc" in Windows PowerShell resolves to the alias for Set-Content rather than the service control tool.
- In the sc.exe command, those spaces after the equal signs (=) are required.
$username = "Domain\serviceAccountName"
# sc.exe takes the password in clear text on its command line, so it will show up in
# process creation logs; do not leave a real password in a script
$clearTextPassword = "DoNotUseThisPassword"
$serviceName = "ODMActiveDirectory"
# The spaces after obj= and password= are required by sc.exe
sc.exe config $serviceName obj= $username password= $clearTextPassword
Restart-Service $serviceName -Force
3. Restart the Service
This is an easy one. The new logon account only takes effect when the service starts again, so if you kept the Restart-Service call at the end of step 2, this step has already happened.
# Restart Active Directory Agent Service
$serviceName = "ODMActiveDirectory"
Restart-Service $serviceName
4. Create a Blob File
Now that the service runs with credentials that can create the blob and either update the existing computer object or provision a new one, you can create the blob file for DJoin. I wrote about this in a previous article about ODM On-Demand scripting, and I used a CMD approach there. The PoSH approach is 90% the same with, again, some formatting changes to facilitate the language change. In my case, as with my post, I am updating an existing AD computer account. Most DJoin examples I find are doing the provision, so I'll be different, as usual.
$fqdn = "domain.com"
# "$env:COMPUTERNAME.txt" outside quotes is parsed as a property lookup on the variable
# (and yields an empty name); wrap the variable in $( ) inside the string instead
$saveFileWithPath = "c:\users\public\$($env:COMPUTERNAME).txt"
# /reuse updates the existing computer object instead of creating a new one
c:\windows\system32\djoin.exe /provision /reuse /domain $fqdn /machine $env:COMPUTERNAME /savefile $saveFileWithPath
5. Change the Credentials Back to LocalSystem
Why change it back? You don't have to, but for simplicity's sake, and for a bit of extra security, the agent should default to LocalSystem: an agent left running as a domain account that can create or reuse computer objects is a standing credential sitting on every workstation you touched.
sc.exe config ODMActiveDirectory obj= "LocalSystem"
6. Restart the Service
The credential change only takes effect when the service starts again, so restart it once more. Strictly speaking you could skip this, since the ODJ you did all this for reboots the machine and restarts the service anyway, but better safe than sorry.
# Restart Active Directory Agent Service
$serviceName = "ODMActiveDirectory"
Restart-Service $serviceName
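The six steps above as one set of PowerShell functions, added here as an example and not code from the original post. The function names, the PSCredential input (instead of a hard-coded password), the check that djoin is really running under the source account, and the icacls lock-down of the blob are my assumptions; the service name, the sc.exe syntax, the djoin switches and the restore to LocalSystem are the post's own. The identity check matters because djoin runs as whoever launches it: the whole reason for steps 2 and 3 is that the step 4 task is executed by the agent, so the task should refuse to run if the agent's logon was not actually switched.

```powershell
# Added example (not from the original post). Assumed, not on the page: function
# names, PSCredential input, the WindowsIdentity check, and the icacls lock-down.

function Add-OdmSourceAccountToAdmins {
    # Step 1: idempotent local Administrators membership for DOMAIN\user
    param([Parameter(Mandatory)] [string] $UserName)
    $present = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
        Where-Object { $_.Name -eq $UserName }
    if (-not $present) {
        Add-LocalGroupMember -Group 'Administrators' -Member $UserName -ErrorAction Stop
    }
}

function Set-OdmAgentLogon {
    # Steps 2-3 (-Credential) or steps 5-6 (-LocalSystem): change the agent's
    # logon account with sc.exe, restart it, and verify the change actually took.
    [CmdletBinding(DefaultParameterSetName = 'Account')]
    param(
        [Parameter(Mandatory, ParameterSetName = 'Account')] [pscredential] $Credential,
        [Parameter(Mandatory, ParameterSetName = 'System')]  [switch] $LocalSystem,
        [string] $ServiceName = 'ODMActiveDirectory'
    )
    if ($LocalSystem) {
        $expected = 'LocalSystem'
        sc.exe config $ServiceName obj= LocalSystem | Out-Null
    } else {
        $expected = $Credential.UserName                       # DOMAIN\user, as sc.exe expects
        $plain    = $Credential.GetNetworkCredential().Password # clear text only at the moment of use
        # The spaces after obj= and password= are required by sc.exe
        sc.exe config $ServiceName obj= $expected password= $plain | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config $ServiceName failed (exit code $LASTEXITCODE)" }

    Restart-Service -Name $ServiceName -Force -ErrorAction Stop

    # StartName is 'LocalSystem' for the built-in account, otherwise DOMAIN\user
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if ($svc.StartName -ne $expected) {
        throw "$ServiceName is configured as '$($svc.StartName)', expected '$expected'"
    }
    $svc
}

function New-OdjRollbackBlob {
    # Step 4: meant to run as the agent task after Set-OdmAgentLogon -Credential.
    # djoin inherits the caller's identity, so refuse to run as anyone else.
    param(
        [Parameter(Mandatory)] [string] $DomainFqdn,
        [Parameter(Mandatory)] [string] $ExpectedUser,   # DOMAIN\serviceAccountName
        [string] $BlobPath = "C:\Users\Public\$($env:COMPUTERNAME).txt"
    )
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($me -ne $ExpectedUser) {
        throw "Running as '$me', not '$ExpectedUser'; the agent logon was not switched"
    }

    # A stale blob from an earlier run would otherwise block /savefile
    if (Test-Path -LiteralPath $BlobPath) { Remove-Item -LiteralPath $BlobPath -Force }

    $djoin = Join-Path $env:SystemRoot 'System32\djoin.exe'
    & $djoin /provision /reuse /domain $DomainFqdn /machine $env:COMPUTERNAME /savefile $BlobPath | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $BlobPath)) {
        throw "djoin.exe /provision failed (exit code $LASTEXITCODE)"
    }

    # The blob carries the machine account password. C:\Users\Public is readable by
    # everyone, so drop inherited ACEs and leave only SYSTEM and Administrators (assumption).
    icacls.exe $BlobPath /inheritance:r /grant:r 'SYSTEM:F' 'Administrators:F' | Out-Null
    Get-Item -LiteralPath $BlobPath
}

# Usage, elevated, in the post's order (1, 2-3, 4, 5-6):
# $cred = Get-Credential -UserName 'DOMAIN\serviceAccountName' -Message 'Source service account'
# Add-OdmSourceAccountToAdmins -UserName $cred.UserName
# Set-OdmAgentLogon -Credential $cred
# New-OdjRollbackBlob -DomainFqdn 'domain.com' -ExpectedUser $cred.UserName   # as the agent task
# Set-OdmAgentLogon -LocalSystem
```

Two caveats a practitioner will hit. First, if the restart after Set-OdmAgentLogon -Credential fails with logon failure 1069, the account lacks the "Log on as a service" right; the Services console grants it when you pick an account, sc.exe does not. Second, sc.exe puts the password on its command line, where process-creation auditing and EDR will record it; if that is unacceptable in your environment, Invoke-CimMethod on the Win32_Service instance (method Change, arguments StartName and StartPassword) sets the same logon without a command-line argument, which is my suggestion and not something the post covers. Delete the blob once the rollback has consumed it.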
Adding a Local Administrator
During migrations it is often advantageous to have a local administrator account on the workstation. If the customer does not have one, and in particular while we are in beta testing, it is nice to add one. This is another task you can accomplish via ODM AD Actions and Tasks.
Conclusion
Following these steps produces the blob file the ODJ rollback needs. Each task matters for the procedure to run end to end, and together they ensure the agent service operates with the correct credentials at every stage and is back on LocalSystem when you are done.