Setting up offline domain join

If you want your Windows endpoints to join an AD domain, you can use Tanium Provision to set up an ODJ process instead of embedding the domain join credentials as clear-text passwords in unattend.xml answer files.

Before you begin

  • Make sure that you create a firewall rule to allow inbound connections to the port that is specified in the C:\Program Files (x86)\Tanium\Tanium Client\Tools\Provision\settings.yml file. The default port is 8100.
  • The computer account (MYSERVER) must be granted the right to create computer accounts in every organizational unit that is passed to it. Grant this right using AD Users and Computers.
  • For the Provision scripts to call the service through TDownloader to complete the ODJ process, you must configure the ODJService and DomainName variables in Configure an OS bundle. If the ComputerName value is blank, the current computer name, which is typically randomly generated, is used. If the OU is not specified, then the default OU that is configured in AD is used.
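The following PowerShell is an added example, not part of the Tanium documentation, showing the firewall rule from the first prerequisite together with a reachability check. It assumes the default port 8100 from settings.yml, that the Windows service is registered under the name TaniumODJ, and a placeholder host name taken from the example later on this page.

```powershell
# Added example (not Tanium's own code). Opens the inbound ODJ port on the
# endpoint that will run the TaniumODJ service and verifies that something is
# listening. Adjust $Port if you changed it in settings.yml and $OdjHost to the
# FQDN of your ODJ server.
$Port    = 8100                       # default port from settings.yml
$OdjHost = 'myServer.myDomain.com'    # placeholder host name from the page's example

# Limit the rule to the Domain profile so the listener is not exposed when the
# machine is on a public network. Narrow -RemoteAddress to the provisioning
# subnet if your environment allows it.
New-NetFirewallRule -DisplayName "Tanium ODJ service (TCP $Port)" `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -Profile Domain -Action Allow | Out-Null

# Confirm the rule exists and is enabled.
Get-NetFirewallRule -DisplayName "Tanium ODJ service (TCP $Port)" |
    Select-Object DisplayName, Enabled, Direction, Action

# Confirm the service is running (service name assumed to be TaniumODJ).
$svc = Get-Service -Name 'TaniumODJ' -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "TaniumODJ service is not installed on this endpoint"
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "TaniumODJ service is installed but its status is $($svc.Status)"
}

# Run this part from another domain-joined machine to prove the port is open
# end to end, not just that the local rule exists.
$result = Test-NetConnection -ComputerName $OdjHost -Port $Port
if ($result.TcpTestSucceeded) {
    Write-Host "TCP ${Port} on ${OdjHost} is reachable"
} else {
    Write-Warning "TCP ${Port} on ${OdjHost} is not reachable; check the firewall rule and the service status"
}
```

Run the first part on the endpoint that received the Offline Join Deployment package and the Test-NetConnection part from a client that will perform provisioning; a rule that exists locally but is blocked by an upstream firewall still fails the second check.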

Install the TaniumODJ service

To set up the ODJ process, you must deploy the Tanium Provision - Offline Join Deployment package to at least one computer.

  1. In Interact, target the endpoint on which you want to install the TaniumODJ service.
  2. Click Deploy Action and select the Tanium Provision - Offline Join Deployment package.
  3. (Optional) Customize the port, duration, passcode, or max blobs settings.
  4. In the Targeting Criteria section, click Show Preview to Continue and then click Deploy Action.

For example, if you deploy the ODJ service to an endpoint that is named myServer.myDomain.com, then the ODJ URL is http://myServer.myDomain.com/getblob.

(Optional) Add certificates and group policy templates

ODJ blobs can optionally contain additional certificates and group policy templates by adding parameters in the settings.yml file. In the following example, the DirectAccess Client Settings and Default Domain Policy group policy settings, the root certificates that are configured in AD, and the computer-specific certificate that was generated using the ContosoComputer AD Certificate Services template are included, with the service listening on port 8100:

PolicyName:
- DirectAccess Client Settings
- Default Domain Policy
IncludeRootCerts: yes
CertTemplate: ContosoComputer
Port: 8100

Troubleshoot the ODJ process

Issue

If a computer account already exists for the specified computer name, ODJ blob creation fails, because the service does not request that the existing computer object in AD be overwritten.

Solution

Make sure that the computer account does not already exist.

This issue is less likely to occur because Provision appends a numeric suffix to the computer name if needed. For example, if you specify myComputer for the computer name, Provision tries myComputer first. If myComputer already exists, Provision tries myComputer-1, and it keeps incrementing the suffix until it finds a name that is not in use.
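The following PowerShell is an added example, not Tanium's own code, for checking the "computer account already exists" condition before provisioning and for previewing the name the suffix rule above would settle on. It assumes the ActiveDirectory RSAT module is installed, the caller can read computer objects in the domain, and a hypothetical base name myComputer.

```powershell
# Added example (not Tanium's own code). Checks whether a computer account
# already exists for the requested name and walks the same numeric-suffix
# sequence Provision uses (name, name-1, name-2, ...) to report the first
# free name. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-ComputerAccountExists {
    param([Parameter(Mandatory)][string]$Name)
    # -Filter returns nothing for a missing object instead of throwing,
    # which -Identity would do.
    $null -ne (Get-ADComputer -Filter "Name -eq '$Name'" -ErrorAction Stop)
}

function Get-NextFreeComputerName {
    param(
        [Parameter(Mandatory)][string]$BaseName,
        [int]$MaxSuffix = 50
    )
    if (-not (Test-ComputerAccountExists -Name $BaseName)) { return $BaseName }
    for ($i = 1; $i -le $MaxSuffix; $i++) {
        $candidate = "$BaseName-$i"
        # NetBIOS computer names are limited to 15 characters and the suffix
        # counts toward that limit, so fail early rather than hand back a name
        # the join would truncate.
        if ($candidate.Length -gt 15) {
            throw "'$candidate' exceeds the 15-character NetBIOS limit; choose a shorter base name"
        }
        if (-not (Test-ComputerAccountExists -Name $candidate)) { return $candidate }
    }
    throw "No free name found for '$BaseName' within $MaxSuffix suffixes"
}

$requested = 'myComputer'   # hypothetical name from the troubleshooting text
if (Test-ComputerAccountExists -Name $requested) {
    $existing = Get-ADComputer -Filter "Name -eq '$requested'" `
        -Properties DistinguishedName, Enabled, LastLogonDate
    $msg = "'{0}' already exists at {1} (enabled: {2}, last logon: {3}); ODJ blob creation for that exact name will fail" -f `
        $requested, $existing.DistinguishedName, $existing.Enabled, $existing.LastLogonDate
    Write-Warning $msg
    Write-Host "Provision's suffix rule would next try: $(Get-NextFreeComputerName -BaseName $requested)"
} else {
    Write-Host "'$requested' is free; the ODJ blob can be created with that name"
}
```

The LastLogonDate and Enabled values in the warning help decide whether the existing object is a stale record that can be removed or a live machine whose name should not be reused; the script only reports, it never deletes.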