Windows 7 and Windows Server 2008 R2 djoin (Offline Domain Join) utility.
Offline domain join is a new process that joins computers running Windows® 7 or Windows Server 2008 R2 to a domain in Active Directory Domain Services (AD DS)—without any network connectivity. This process includes a new command-line tool, Djoin.exe, which you can use to complete an offline domain join.
Run Djoin.exe to provision the computer account metadata. When you run the provisioning command, the computer account metadata is created in a .txt file that you specify as part of the command. After you run the provisioning command, you can either run Djoin.exe again to request the computer account metadata and insert it into the Windows directory of the destination computer.
Following section covers the content of these computer account metadata files.
Here is what we see when we open the output file into an hexadecimal editor.
We ignore two first bytes, and the following sequence of bytes is an unicode base64 encoded string.
Decoded base64 string is a DATA_BLOB encrypted by NetpEncodeProvisioningBlob / NetpDecodeProvisioningBlob private APIs from netjoin.dll which is new toWindows 7/Windows Server 2008 R2. Both functions calls NdrMesTypeDecode2 / NdrMesTypeEncode2 from RPCRT4.dll to perferm the encryption/decryption process.
This dll is pretty interesting because of NetpLogPrintHelper() calls, e.g. the following in NetpDumpBlobToLog() function:
-
[…]
-
NetpLogPrintHelper("\tlpMachinePassword: %s\n", "omitted from log");
-
[…]
As you can see, sensitive information are removed from debug log (netsetup.log).
Decoded blob file contains a structure I called “PROVISION_DATA” which is composed of information about Domain Dns Policy, Domain Controller, miscelleneous information about the machine and so on.
-
#define NETSETUP_PROVISION_DOWNLEVEL_PRIV_SUPPORT 0×1
-
#define NETSETUP_PROVISION_REUSE_ACCOUNT 0×2
-
#define NETSETUP_PROVISION_USE_DEFAULT_PASSWORD 0×4
-
#define NETSETUP_PROVISION_SKIP_ACCOUNT_SEARCH 0×8
-
#define NETSETUP_PROVISION_ONLINE_CALLER 0×40000000
-
#define NETSETUP_PROVISION_CHECK_PWD_ONLY 0×80000000
-
-
typedef struct _DOMAIN_DNS_POLICY { // sizeof = 0×2C
-
TCHAR Name[4]; // 0×000
-
TCHAR DnsDomainName[4]; // 0×008
-
TCHAR DnsForestName[4]; // 0×010
-
GUID DomainGuid; // 0×018
-
PSID Sid; // 0×028
-
} DOMAIN_DNS_POLICY, *PDOMAIN_DNS_POLICY;
-
-
typedef struct _DOMAIN_CONTROLLER { // size of = 0×30
-
PCHAR DomainControllerName; // 0×000
-
PCHAR DomainControllerAddress; // 0×004
-
ULONG DomainControllerAddressType; // 0×008
-
GUID DomainGuid; // 0×00C
-
PCHAR DomainName; // 0×01C
-
PCHAR DnsForestName; // 0×020
-
ULONG Flags; // 0×024
-
PCHAR DcSiteName; // 0×28
-
PCHAR ClientSiteName; // 0×2C
-
} DOMAIN_CONTROLLER, *PDOMAIN_CONTROLLER;
-
-
typedef struct _DOMAIN_INFORMATION {
-
//
-
// Global Information
-
//
-
LPVOID lpDomainName; // 0×008
-
LPVOID lpMachineName; // 0×00C
-
LPVOID lpMachinePassword; // 0×010
-
-
//
-
// Domain Policy
-
//
-
DOMAIN_DNS_POLICY DomainPolicy; // 0×014
-
-
//
-
// Domain Controller
-
//
-
DOMAIN_CONTROLLER DomainController; // 0×048
-
-
//
-
// Options – NETSETUP_PROVISION
-
//
-
ULONG Options; // 0×078
-
-
} DOMAIN_INFORMATION, *PDOMAIN_INFORMATION;
-
-
typedef struct _PROVISION_DATA {
-
//
-
// ODJ Blob
-
//
-
ULONG Version; // 0×000
-
ULONG Size; // 0×004
-
-
PDOMAIN_INFORMATION DomainInformation;
-
-
} PROVISION_DATA, *PPROVISION_DATA;
I wrote a tool called “dinfo” for “Domain Information” to read these files, this tool works with user rights only under Windows 7 and Windows Server 2008 R2 because of dependency to netjoin.dll
Now it’s time to introduce dinfo.exe! Here is a screenshot of the tool in action.
PS1. Encoded data blob can also be retrived in the registry at the following magic key : “Software\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Microsoft-Windows-UnattendedJoin\Identification”.
PS2. Thomas aime les nouilles.
