Offline domain join is a new process that joins computers running Windows® 7 or Windows Server 2008 R2 to a domain in Active Directory Domain Services (AD DS)—without any network connectivity. This process includes a new command-line tool, Djoin.exe, which you can use to complete an offline domain join. Run Djoin.exe to provision the computer account metadata. When you run the provisioning command, the computer account metadata is written to a .txt file that you specify as part of the command. After you run the provisioning command, you can run Djoin.exe again to request the computer account metadata and insert it into the Windows directory of the destination computer. The following section covers the content of these computer account metadata files.
Here is what we see when we open the output file in a hexadecimal editor.
We ignore the first two bytes; the bytes that follow are a base64-encoded string stored as Unicode text. The decoded base64 string is a DATA_BLOB encrypted/decrypted by the NetpEncodeProvisioningBlob / NetpDecodeProvisioningBlob private APIs from netjoin.dll, which is new to Windows 7 / Windows Server 2008 R2. Both functions call NdrMesTypeEncode2 / NdrMesTypeDecode2 from RPCRT4.dll to perform the encryption/decryption.
This DLL is also interesting because of its NetpLogPrintHelper() calls, e.g. the following in the NetpDumpBlobToLog() function:
[…]
NetpLogPrintHelper("\tlpMachinePassword: %s\n", "omitted from log");
[…]
As you can see, sensitive information is removed from the debug log (netsetup.log).
The decoded blob contains a structure I called “PROVISION_DATA”, which is composed of information about the domain DNS policy, the domain controller, miscellaneous information about the machine, and so on.
#include <windows.h>

// Option bits carried in DOMAIN_INFORMATION.Options
#define NETSETUP_PROVISION_DOWNLEVEL_PRIV_SUPPORT 0x1
#define NETSETUP_PROVISION_REUSE_ACCOUNT 0x2
#define NETSETUP_PROVISION_USE_DEFAULT_PASSWORD 0x4
#define NETSETUP_PROVISION_SKIP_ACCOUNT_SEARCH 0x8
#define NETSETUP_PROVISION_ONLINE_CALLER 0x40000000
#define NETSETUP_PROVISION_CHECK_PWD_ONLY 0x80000000

// Field offsets and sizes in the comments below assume 4-byte pointers (32-bit build).
typedef struct _DOMAIN_DNS_POLICY { // sizeof = 0x2C
TCHAR Name[4]; // 0x000
TCHAR DnsDomainName[4]; // 0x008
TCHAR DnsForestName[4]; // 0x010
GUID DomainGuid; // 0x018
PSID Sid; // 0x028
} DOMAIN_DNS_POLICY, *PDOMAIN_DNS_POLICY;

typedef struct _DOMAIN_CONTROLLER { // sizeof = 0x30
PCHAR DomainControllerName; // 0x000
PCHAR DomainControllerAddress; // 0x004
ULONG DomainControllerAddressType; // 0x008
GUID DomainGuid; // 0x00C
PCHAR DomainName; // 0x01C
PCHAR DnsForestName; // 0x020
ULONG Flags; // 0x024
PCHAR DcSiteName; // 0x028
PCHAR ClientSiteName; // 0x02C
} DOMAIN_CONTROLLER, *PDOMAIN_CONTROLLER;

typedef struct _DOMAIN_INFORMATION {
//
// Global Information
//
LPVOID lpDomainName; // 0x008
LPVOID lpMachineName; // 0x00C
LPVOID lpMachinePassword; // 0x010 (the machine account password: treat the whole file as a credential)
//
// Domain Policy
//
DOMAIN_DNS_POLICY DomainPolicy; // 0x014
//
// Domain Controller
//
DOMAIN_CONTROLLER DomainController; // 0x048
//
// Options – NETSETUP_PROVISION_* flags defined above
//
ULONG Options; // 0x078
} DOMAIN_INFORMATION, *PDOMAIN_INFORMATION;

typedef struct _PROVISION_DATA {
//
// ODJ Blob
//
ULONG Version; // 0x000
ULONG Size; // 0x004
PDOMAIN_INFORMATION DomainInformation;
} PROVISION_DATA, *PPROVISION_DATA;
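To make the outer layers of the file format concrete, here is a small Python decoder I am adding to this write-up; it is not part of dinfo or of netjoin.dll. It performs the steps described above (skip the first two bytes, read the remainder as UTF-16LE text, base64-decode it) and then reads the Version and Size ULONGs of the PROVISION_DATA header. It deliberately stops there: the DOMAIN_INFORMATION payload is the part that netjoin.dll decodes with NdrMesTypeDecode2, and this script does not reimplement that. The sample file it runs on is constructed in the script to mirror the layout described here, so it is not a real djoin.exe output; the meaning of Size relative to the blob length is an assumption (checked only as "not larger than the blob"). Since the blob carries lpMachinePassword, anything you decode with it should be handled as a credential.

```python
import base64
import struct

# PROVISION_DATA header as laid out in the post: Version at 0x000, Size at 0x004,
# both little-endian ULONGs.
PROVISION_HEADER = struct.Struct("<II")


def decode_odj_text(text: str) -> bytes:
    """Turn the base64 string (as read from the .txt file or from the
    registry Identification value) into the raw provisioning blob."""
    # Ignore any line breaks/whitespace and a trailing NUL from a registry read.
    cleaned = "".join(text.split()).rstrip("\x00")
    return base64.b64decode(cleaned, validate=True)


def decode_odj_file(raw: bytes) -> bytes:
    """Decode the bytes of a djoin.exe provisioning file.

    The file is UTF-16LE text: the first two bytes are the byte-order mark
    (FF FE) the post tells us to skip, the rest is the base64 string."""
    if raw[:2] != b"\xff\xfe":
        raise ValueError("expected a UTF-16LE BOM at the start of the file")
    text = raw[2:].decode("utf-16-le")
    return decode_odj_text(text)


def parse_provision_header(blob: bytes) -> dict:
    """Read Version and Size from the PROVISION_DATA header and check that
    Size is at least consistent with the amount of data we actually have."""
    if len(blob) < PROVISION_HEADER.size:
        raise ValueError("blob too short for a PROVISION_DATA header")
    version, size = PROVISION_HEADER.unpack_from(blob, 0)
    return {
        "version": version,
        "size": size,
        "blob_length": len(blob),
        # Assumption: Size never exceeds the decoded blob; a larger value
        # means a truncated or corrupted file.
        "size_plausible": size <= len(blob),
    }


def build_sample_file(blob: bytes) -> bytes:
    """Constructed test input: wrap a blob the way the post describes the
    file (BOM, then UTF-16LE base64). Only used to have offline sample data."""
    b64 = base64.b64encode(blob).decode("ascii")
    return b"\xff\xfe" + b64.encode("utf-16-le")


# Constructed blob: a PROVISION_DATA header (Version=1, Size=payload length)
# followed by placeholder bytes standing in for the NDR-encoded payload.
SAMPLE_PAYLOAD = b"\x00\x00\x00\x00" + b"PLACEHOLDER-DOMAIN-INFORMATION"
SAMPLE_BLOB = PROVISION_HEADER.pack(1, len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD
SAMPLE_FILE = build_sample_file(SAMPLE_BLOB)


if __name__ == "__main__":
    blob = decode_odj_file(SAMPLE_FILE)
    header = parse_provision_header(blob)
    print("decoded %d blob bytes" % header["blob_length"])
    print("Version = 0x%08X, Size = 0x%08X, plausible = %s"
          % (header["version"], header["size"], header["size_plausible"]))
    # Never print the blob body: it contains the machine account password.
```

Feed decode_odj_file() the raw bytes of a real provisioning file (open it in binary mode) and it returns the blob that dinfo would go on to decode; decode_odj_text() is the entry point when the base64 string comes from the registry value instead of the file.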
I wrote a tool called “dinfo” (for “Domain Information”) to read these files. This tool works with user rights only, but only under Windows 7 and Windows Server 2008 R2 because of its dependency on netjoin.dll. Now it’s time to introduce dinfo.exe! Here is a screenshot of the tool in action.
PS1: The encoded data blob can also be retrieved in the registry at the following magic key: Software\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Microsoft-Windows-UnattendedJoin\Identification.
PS2: Thomas likes noodles.