Although Windows Server can operate in a workgroup (peer-to-peer) network, the product is intended to function in the context of an Active Directory Domain Services (AD DS) domain. Learn how to join a Window Server 2016 workgroup server to a domain by using several of the most common methods.
We should see Windows Server 2016 publish before the end of this year, and you may wonder if Microsoft changed the way domain join works. Short answer — no.
Let's take a quick tour through the myriad ways in which you can join a Windows Server 2016 workgroup machine (physical or virtual) to an AD DS domain. In my environment I have a Windows Server 2016-based domain controller and the forest/domain functional levels are set to Windows Server 2012 R2.
System Control Panel
Most administrators who haven't automated domain join tend to rely upon the System Control Panel item. For my preferred method, press Windows key + R to invoke the Run dialog box, type sysadm.cpl and press ENTER.
Using Control Panel to perform AD domain join.
In the System Properties dialog box, press Change. In the Computer Name/Domain Changes dialog, switch from Workgroup to Domain, type the target domain name and press Enter. Assuming that the Windows Server 2016 workgroup computer can reach a domain controller, you will see the Windows Security dialog box, where you can enter credentials of an account that has the Add workstations to domain user right.
After a restart, you can log onto the domain from the server.
If you aren't automating routing administrative tasks like domain join by using Windows PowerShell yet, then you certainly should be. From the Windows Server 2016 workgroup computer, right-click the Windows PowerShell icon and select Run as Administrator from the shortcut menu; this starts an elevated PowerShell console session.
Next, run the Add-Computer cmdlet to perform the domain join and to force a restart:
Add-Computer -ComputerName 'mem1' -DomainName 'toms.local' -Credential Get-Credential -Restart
The call to Get-Credential gives you the opportunity to supply administrative credentials. There exist many ways to pass credentials to PowerShell, but this method has the advantage of not showing raw passwords on-screen.
Desired State Configuration (DSC)
We can use Windows PowerShell Desired State Configuration (DSC) not only to perform a domain join, but also to enforce that configuration. In other words, DSC can automatically rejoin our Windows Server 2016 computer to the domain if, for instance, a misinformed administrator were to remove it.
From an elevated PowerShell ISE session on the target computer, we'll first temporarily relax script execution policy:
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
Next, we'll install the xComputerManagement DSC resource from the PowerShell Gallery:
Install-Module -Name xComputerManagement -Force
Our DSC Configuration Script
The previous screen capture shows my DSC configuration script. Let me explain what's going on my calling out specific code line numbers:
1: DSC configurations are structured very much like PowerShell functions
22-26: Here we instruct the local computer to check its compliance every 15 minutes and auto-correct if it configuration drifts
42: We need this code to embed the domain join password into the MOF. This is fine for testing, but in production you should use digital certificates and never expose administrative credentials
Running the above script generates a Managed Object Format (MOF) file that we'll apply to the local system by running the Start-DSCConfiguration cmdlet. Assuming our PowerShell prompt is inside the target MOF folder, the syntax works like this:
Start-DSCConfiguration -Path . -Force -Wait
You'll be prompted to restart, of course, but after that you can count on that Windows Server 2016 remaining a member of your Active Directory domain.
Offline Domain Join
Offline domain join works well when you need to join a computer to an AD domain and there's no connectivity to a read/write domain controller available.
From an elevated console session on a domain controller, run the the djoin.exe command to (a) stage a new AD account for the Windows Server 2016 workgroup server; and (b) create the provisioning file.
djoin /provision /domain 'toms.local' /machine 'mem1' /savefile 'mem1.txt'
The components of an offline domain join.
In the preceding screen capture, I've assembled all the requisite components of an offline domain join. Notice that the djoin tool created an account for my MEM server; however, don't expect to glean information from the provisioning file. Even though it uses the .txt extension, its contents are gobbledygook.
Copy the provisioning file to the target server and run the following command from an elevated console session to complete the domain join:
djoin /requestODJ /loadfile 'C:\mem1.txt' /windowspath %systemroot%/localos
Those are the most common ways to join a Windows Server 2016 workgroup server to an Active Directory domain. I'll bet you're relieved that Microsoft hasn't messed with our domain join workflow in Windows Server 2016. I am