SUPER TRICKY QUESTION - Join domain from command line without NETDOM

Hi there,

I'm after a way of joining a box to domain from the command line without using any reskit or thirdparty utilies. The only tools allowed are ssh for getting onto the box and standard windows binaries. No scripts (like vbs using WMI) may be deployed either.

You can use and .inf file if required (like fo sysoc).

Why I think this is possible - well it's something you can script for unattended installation, so calling an .inf file that joins the box must be possible somehow.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


 * DNS and the other TCP/IP settings are correct.
 * you're logged onto a domain controller with an account operators or higher privilige account

At a command prompt, type
NET COMPUTER \\(name of system) /ADD

dcx45Author Commented:
Err no, if it was that easy I wouldn't post here.

You've got no access to the domain controller whatsoever. You only have an account which has the right to add machines to the domain.

All commands must be carried out on the computer being added.
This may be a little picky but you stated:
"You've got no access to the domain controller whatsoever"
If you have no access WHATSOEVER then you will not be able to join the domain.
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

dcx45Author Commented:

Yeah, hecklers is what we need :)

You know very well what I meant.
dcx45Author Commented:
new point value :)
Please don't take offense.
My statement was not meant as a heckle.

dsadd computer cn=%computername%,ou=computers,dc=domain,dc=local -d DOMAIN -u DOMAIN\administrator -p password


dcx45Author Commented:
Nice try, but this only creates the account in the AD. It does not make the machine itself a member of the domain.


It's *closer*.... ;-)


Make the support tools from Windows XP part of the base install.

netdom join %computername% /Domain:domain.local /userD:domain\administrator /PasswordD:* /reboot:5


dcx45Author Commented:
Hi thanks,

that's where it all started. I know about netdom, that's why the questions (see above) says:

"without using any reskit or thirdparty utilies. The only tools allowed are ssh for getting onto the box and standard windows binaries. No scripts (like vbs using WMI) may be deployed either."

netdom is a resource kit utility. Which is the key differentiator. I appreciate the legwork you're putting in, I'm sure it's not easy staying the top EE expert :), but I've been around the block couple of times too. I was more hoping that somebody with indepth knowledge of the sysoc and install procedures might be able to help as you can "script" domain join in your unattended file. (and you can obviously do this change from the GUI). There must be some dll call that let's you do this....

Actually, it's a support tools utility, and (in theory) not subject to the restrictions you listed. Here's my "street lawyer" take:

 * It's a Microsoft product, and therefore cannot be a third-party utility.
 * Because it's in the support tools, it's not a resource kit utility - you didn't install the RK utilities.
 * It's part of the XP CD, and therefore is a standard windows binary.

If you have the ssh to the domain controller (from the original wording, I'm not sure if ssh is to the client or DC), NETDOM is there by default IIRC.


dcx45Author Commented:

I appriciate your effort on this. The whole point is to take bog standart out-of-the-box installation of Windows, add the  OpenSSH client and use the command line to join the machine to a domain. AFAIK netdom is not present in such scenario. I'm not gonna go into the reasons why this is a no go for us (too lenghty and too many politics). Therefore I was after invocation of the method which is utilised by the unattend text file when you normally join a machine to a domain at a build time. I'm sorry to be such a pain in the ass, but I am and was very well aware of all the methods listed in this thread so far. I didn't call it "super tricky question" for nothing.



They may well have given you the impossible task. Without a script and/or access to NETDOM, I can't see a way to do it.

That said, here's a VB script that will do it.

<--- begin>

'Bowdoin College CIS Department
'Created 8-27-2002 by sblanc
'Adds Windows 2000/XP computers to the domain and reboots them
'Created specifically for adding student computers to domain
Option Explicit

Const JOIN_DOMAIN             = 1
Const ACCT_CREATE             = 2
Const ACCT_DELETE             = 4
Const WIN9X_UPGRADE           = 16
Const JOIN_UNSECURE           = 64
Const DEFERRED_SPN_SET        = 256
Const INSTALL_INVOCATION      = 262144

Dim strDomain, strPassword, strUser, strComputer, ReturnValue
Dim objComputer, objNetwork, objWMIService, objOperatingSystem
Dim colOperatingSystems


Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName

Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
                   strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & _
                   strComputer & "'")

ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, _
                                                strPassword, _
                                                strDomain & "\" & strUser, _
                                                NULL, _
                                                JOIN_DOMAIN + ACCT_CREATE)

'Display Completion Message to user
Dim objShell, intValue

Set objShell = CreateObject("WScript.Shell")
intValue = objShell.Popup("Your computer has been added to the Domain." _
            & vbCRLF & "Your computer will now reboot.", , , vbExclamation + vbOKOnly)

'perform Reboot
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate,(Shutdown)}!\\" & strComputer & "\root\cimv2")
Set colOperatingSystems = objWMIService.ExecQuery _
    ("Select * from Win32_OperatingSystem")
For Each objOperatingSystem in colOperatingSystems

<!-- end>


dcx45Author Commented:
Agreed, I was validating what I've learned over the last couple of months. There isn't a widely known or accepted solution to do this.

Something just sprang to mind... if they're against using anything but basic install, how do they expect to get the same functionality that an unattended.txt file gives when that's part of the support tools on the XP CD?

Just a thought.

dcx45Author Commented:
because we're constructing it on the fly with FreeBSD, hmm I wonder what security would say if we captured the domain logon stuff during the BSD interactive phase and pumped it into the file....

Is a RIS install possible, with the WINNT.SIF and other required files on floppy for the rollouts? Granted that RIS has weird requirements (its own partition on a W2K+ server, for one), but that would seem to meet all requirements.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial

I know this is an old post, but I ran into the same scenario as dcx45 and thought I would comment.  

Another option to add a computer to a domain from the command line without netdom is to use wmic.exe. Wmic.exe is included in Windows XP during the install. Nothing needs to be installed or added to the system.

I spent days trying to figure out how to use wmic.exe to join the domain. The biggest key was figuring out the syntax as there are a couple of different ways to do it. Importantly, if you specify the AccountOU, you must use the DN as mentioned above. What it fails to mention is that WMIC uses commas (,) to separate paramaters and will cause WMIC to fail. You must use semicolons (;) in your DN instead.  

Example: "OU=testOU; DC=domain; DC=Domain; DC=com"  

Reveiw the command line code that I have included.  Both options work, but the first one is easier to edit and the parameters can be in a different order.
Note: FJoinOptions should be a "1" if adding a new computer to the domain and the computer account does not exist.  Otherwise, set FJoinOptions to a "3".  

Command Line examples 

wmic.exe /interactive:off ComputerSystem Where "name = '%computername%'" call JoinDomainOrWorkgroup AccountOU="OU=XP Workstations;DC=my;DC=domain;DC=com" FJoinOptions=1 Name="" Password="xyz" UserName=""  

wmic.exe /interactive:off ComputerSystem Where "name = '%computername%'" call JoinDomainOrWorkgroup "OU=XP Workstations;DC=my;DC=domain;DC=com", 1, "", "xyz", ""

Open in new window

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.