Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2014-04-04) Domain Join through an RODC instead of an RWDC (Update 1)

Posted by Jorge on 2014-04-04


In the blog post (2009-01-01) Domain Join through an RODC instead of an RWDC I explained the so-called read-only domain join against an RODC. In that blog post you will find a VBS script that helps you achieve that goal. Before the VBS script you will also find several ways of pre-creating the computer account and having its password replicate to the RODC, which is a prerequisite for the join to succeed.

In this blog post I provide a PowerShell script (don't forget the execution policy on the server!) that performs the read-only domain join. You can get the PowerShell script through this link, or you can copy it from below.

Param(
    [string]$fqdnADdomain,        # The FQDN of the AD domain
    [string]$fqdnRODC,            # The FQDN of the RODC to use
    [string]$computerAccountPWD   # The password for the computer account (set during pre-creation)
)

Clear-Host
Write-Host "*******************************************************************" -ForeGroundColor Yellow
Write-Host "* --> Performing Read-Only Domain Join Against RODC <-- *" -ForeGroundColor Yellow
Write-Host "* Written By: Jorge de Almeida Pinto [MVP-DS] *" -ForeGroundColor Yellow
Write-Host "* https://jorgequestforknowledge.wordpress.com/ *" -ForeGroundColor Yellow
Write-Host "*******************************************************************" -ForeGroundColor Yellow

# Checking If All Parameters Are Available And Correct
If (!($fqdnADdomain)) {
    Write-Host ""
    Write-Host "No FQDN Of An AD Domain Has Been Specified" -ForeGroundColor Red
    Write-Host "The FQDN Of An AD Domain Is Required!" -ForeGroundColor Red
    Write-Host "Aborting Script..." -ForeGroundColor Red
    Write-Host ""
    BREAK
}
If (!($fqdnRODC)) {
    Write-Host ""
    Write-Host "No FQDN Of An RODC Has Been Specified" -ForeGroundColor Red
    Write-Host "The FQDN Of An RODC Is Required!" -ForeGroundColor Red
    Write-Host "Aborting Script..." -ForeGroundColor Red
    Write-Host ""
    BREAK
}
If (!($computerAccountPWD)) {
    Write-Host ""
    Write-Host "No Computer Account Password Has Been Specified" -ForeGroundColor Red
    Write-Host "The Computer Account Password Specified During Pre-Creation Is Required!" -ForeGroundColor Red
    Write-Host "Aborting Script..." -ForeGroundColor Red
    Write-Host ""
    BREAK
}

# Defining Required Constants (flags for Win32_ComputerSystem.JoinDomainOrWorkGroup)
Set-Variable JOIN_DOMAIN -option Constant -value 1                # Joins a computer to a domain. If this value is not specified, the join is a computer to a workgroup
Set-Variable MACHINE_PASSWORD_PASSED -option Constant -value 128  # The machine, not the user, password passed. This option is only valid for unsecure joins
Set-Variable NETSETUP_JOIN_READONLY -option Constant -value 2048  # Use an RODC to perform the domain join against

# Cumulative Value To Use
$readOnlyDomainJoinOption = $JOIN_DOMAIN + $MACHINE_PASSWORD_PASSED + $NETSETUP_JOIN_READONLY

# Getting Info From The Local Computer
$localComputerSystem = Get-WMIObject Win32_ComputerSystem
$computerName = $localComputerSystem.Name

# Present The Gathered Information
# Note: the pre-created computer account password is echoed to the console here, so do not run this on a shared or logged console session
Write-Host ""
Write-Host ""
Write-Host "Trying To Perform A Read-Only Domain Join Using The Following Information..." -ForeGroundColor Yellow
Write-Host ""
Write-Host "FQDN AD Domain............: "$fqdnADdomain -ForeGroundColor Yellow
Write-Host "FQDN RODC.................: "$fqdnRODC -ForeGroundColor Yellow
Write-Host "Computer Name.............: "$computerName -ForeGroundColor Yellow
Write-Host "Computer Account Password.: "$computerAccountPWD -ForeGroundColor Yellow
Write-Host ""

# Performing The Read-Only Domain Join
# The first argument is "<domain FQDN>\<RODC FQDN>", which tells the join to target that specific RODC;
# no user credentials are passed, the computer account password alone authenticates the join
$errorCode = $localComputerSystem.JoinDomainOrWorkGroup($fqdnADdomain+"\"+$fqdnRODC,$computerAccountPWD,$null,$null,$readOnlyDomainJoinOption)

# Error Handling
# List of 'system error codes' (http://msdn.microsoft.com/en-us/library/ms681381.aspx) and
# List of 'network management error codes' (http://msdn.microsoft.com/en-us/library/aa370674(VS.85).aspx)
$errorDescription = switch ($($errorCode.ReturnValue)) {
    0    {"SUCCESS: The Operation Completed Successfully."}
    5    {"FAILURE: Access Is Denied."}
    53   {"FAILURE: The Network Path Was Not Found."}
    64   {"FAILURE: The Specified Network Name Is No Longer Available."}
    87   {"FAILURE: The Parameter Is Incorrect."}
    1326 {"FAILURE: Logon failure: Unknown Username Or Bad Password."}
    1355 {"FAILURE: The Specified Domain Either Does Not Exist Or Could Not Be Contacted."}
    2691 {"FAILURE: The Machine Is Already Joined To The Domain."}
    default {"FAILURE: Unknown Error!"}
}
If ($($errorCode.ReturnValue) -eq "0") {
    Write-Host "Domain Join Result Code...: "$($errorCode.ReturnValue) -ForeGroundColor Green
    Write-Host "Domain Join Result Text...: "$errorDescription -ForeGroundColor Green
} Else {
    Write-Host "Domain Join Result Code...: "$($errorCode.ReturnValue) -ForeGroundColor Red
    Write-Host "Domain Join Result Text...: "$errorDescription -ForeGroundColor Red
}

# Finishing Up
Write-Host ""
Write-Host "REMARK:" -ForeGroundColor Cyan
Write-Host "The Computer Account Password Will Be Reset Shortly After The Domain Join!" -ForeGroundColor Cyan
Write-Host ""
Write-Host "###### FINISHED ######"
Write-Host "-----------------------------------------------------"
If ($($errorCode.ReturnValue) -eq "0") {
    Write-Host ""
    Write-Host "!!! THE COMPUTER WILL REBOOT AUTOMATICALLY IN 2 MINUTES !!!" -ForeGroundColor Cyan
    Write-Host ""
    Write-Host "!!! TO STOP THE REBOOT USE THE COMMAND: SHUTDOWN /A !!!" -ForeGroundColor Cyan
    SHUTDOWN /R /T 120
}
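The join script above only works when the computer account already exists and its secret is already cached on the RODC. The following is an added example, not part of the original post, of that pre-creation step done from a management host with the ActiveDirectory module: it creates the computer account with a random one-time password, puts it on the RODC's Allowed list of the Password Replication Policy, pre-populates the secret onto the RODC with repadmin, and checks that the RODC now holds it. All names ($ComputerName, $RodcName, $RwdcFqdn, $TargetOU) are placeholders you supply; the generated password is the value passed later as $computerAccountPWD to the join script.

```powershell
# Added example (not the original post's code): pre-create a computer account for a
# read-only domain join and make sure the RODC has its secret cached.
# Requires the ActiveDirectory module, repadmin.exe, and an account allowed to create
# computer objects and edit the RODC's Password Replication Policy. Names are placeholders.
Param(
    [Parameter(Mandatory)][string]$ComputerName,  # e.g. SRV01 (placeholder)
    [Parameter(Mandatory)][string]$RodcName,      # e.g. RODC01 (placeholder)
    [Parameter(Mandatory)][string]$RwdcFqdn,      # writable DC to create on, e.g. rwdc01.corp.example (placeholder)
    [string]$TargetOU                             # optional OU DN for the new computer object
)
Import-Module ActiveDirectory -ErrorAction Stop

# A random one-time password: it only has to survive until the join, after which
# the machine rotates its own secret (the REMARK in the join script).
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$joinPassword = [Convert]::ToBase64String($bytes)
$securePwd = ConvertTo-SecureString $joinPassword -AsPlainText -Force

# Create the account on one writable DC and keep using that DC for every write below,
# so we are not bitten by replication latency between RWDCs.
$params = @{
    Name            = $ComputerName
    SamAccountName  = "$ComputerName`$"
    AccountPassword = $securePwd
    Enabled         = $true
    Server          = $RwdcFqdn
}
if ($TargetOU) { $params.Path = $TargetOU }
$computer = New-ADComputer @params -PassThru

# Allow this RODC to cache the account's secret (per-RODC Allowed list, not the
# domain-wide "Allowed RODC Password Replication Group").
Add-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -AllowedList $computer -Server $RwdcFqdn

# Pre-populate the secret on the RODC now; the branch machine cannot trigger the
# first-authentication caching itself when no RWDC is reachable from there.
& repadmin.exe /rodcpwdrepl $RodcName $RwdcFqdn $computer.DistinguishedName | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "repadmin /rodcpwdrepl failed with exit code $LASTEXITCODE"
}

# Verify the RODC reports the account among the secrets it holds.
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts -Server $RwdcFqdn
if ($revealed.DistinguishedName -contains $computer.DistinguishedName) {
    Write-Host "Secret for $ComputerName is cached on $RodcName; the read-only join can proceed." -ForegroundColor Green
} else {
    Write-Warning "Secret for $ComputerName is NOT cached on $RodcName yet; the join against it would fail."
}

# Hand this value over a secure channel to whoever runs the join; it is shown once.
Write-Host "One-time join password for $ComputerName : $joinPassword"
```

Run it once per machine before the join; if the verification step warns, fix the PRP or the repadmin error first rather than retrying the join, because the RODC will keep answering the join with a failure until it actually holds the secret.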

Have fun!

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER:

https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————


2 Responses to “(2014-04-04) Domain Join through an RODC instead of an RWDC (Update 1)”

  1. jon said

    Hi
    Love your script but I get an access denied error. Not clear on what access it fails on though. My local execution policy is unrestricted so guessing access to the RODC? How do I run the script under an account with access on the RODC?
    MANY MANY thanks

    • Jorge said

      You do not need to run it under an account that has access on the RODC. Please read the blog posts (the old one and the new one).
      You authenticate by providing the password of the computer (pre-created).
