Setting up offline domain join

If you want your Windows endpoints to join an Active Directory (AD) domain, you can use Tanium Provision to set up an offline domain join (ODJ) process instead of embedding clear-text domain join credentials in unattend.xml answer files.

Add newly provisioned endpoints to an organizational unit where they can be vetted before users sign in to those endpoints. For more information, see Delegate control to create computer accounts by the ODJ process.

Before you begin

  • Make sure that you create a firewall rule to allow inbound connections to the port that is specified in Configure ODJ settings.
  • Using AD Users and Computers, grant the computer account for the TaniumPXE service rights to create computer accounts in every organizational unit that is provided to it.
  • For endpoints that are imaged with Provision to successfully complete the ODJ process, you must configure the ODJService and DomainName variables in Create a Windows OS bundle. If the ComputerName value is blank, then the current computer name, which is typically randomly generated, is used. If the organizational unit (OU) is not specified, then the default OU that is configured in AD is used.

Create an ODJ endpoint

To set up the ODJ process, you must enable the ODJ process on at least one Provision endpoint.

  1. Configure ODJ settings if needed.
  2. From the Provision menu, click Provision Endpoints and then click Create Provision Endpoint.

    You can also click Create Provision Endpoint from the Quick Links section of the Provision Overview page.

  3. In the Satellite Endpoints section, select one or more satellites or click Create Satellite to create one in Direct Connect. For more information, see Tanium Direct Connect: Create satellites.

    Offline Domain Join is available only for Windows satellites.

  4. In the Features section, select Offline Domain Join (ODJ) and then click Save and Deploy Now.

As an example, if you enable the ODJ process on an endpoint that is named myServer.myDomain.com, then the ODJ URL is https://myServer.myDomain.com:myPort/getblob.

(Optional) Add certificates and group policy templates

ODJ blobs can optionally include additional certificates and group policy templates. To include them, manually add the following key value pairs to an OS bundle.

  1. In the Key Value Entries section of the OS bundle creation page, click Add Key Value Pair.

    If a key value entry already exists, click Add next to the last key value entry instead of clicking Add Key Value Pair.

  2. Specify the boolean value to include root certificates in AD in the generated ODJ blob.
    1. For the Key field, manually enter IncludeRootCerts.
    2. For the Value field, enter 1.
  3. Specify the name of the certificate template to use when generating a new certificate in the ODJ blob for the computer.
    1. For the Key field, manually enter CertTemplate.
    2. For the Value field, enter a name.
  4. Specify the group policy objects to include in the ODJ blob for the computer.
    1. For the Key field, manually enter PolicyNames.
    2. For the Value field, enter a list of names. For example, DirectAccess Client Settings or Default Domain Policy.

Troubleshoot the ODJ process

Issue

If a computer account already exists for the specified computer name, ODJ blob creation fails, because the service does not request that the existing computer object in AD be overwritten.

Solution

Make sure that the computer account does not already exist.

This issue is less likely to occur because Provision appends a numeric suffix to the computer name if needed. For example, if you specify myComputer for the computer name, Provision tries myComputer first. If myComputer already exists, Provision tries myComputer-1, and continues to increase the suffix if that account already exists.

Delegate control to create computer accounts by the ODJ process

Because the ODJ process can create computer accounts in AD, limit the scope in which the service can make changes to AD. It is highly recommended to restrict the ODJ process to creating computer accounts in a single AD OU only.

  1. Open Active Directory Users and Computers and connect to the domain where you want the computer accounts created.
  2. Right-click the domain, select New > Organizational Unit, enter a name for the OU, and then click OK.
  3. Right-click the OU, click Delegate Control..., click Next, and then click Add... in the Delegation of Control Wizard.
  4. For Select this object type:, click Object Types..., select Computers, and then click OK.
  5. For Enter the object names to select (examples):, provide the name of the computer that is running the ODJ process, click Check Names, click OK, and then click Next.
  6. Select Create a custom task to delegate and then click Next.
  7. Select the following options and then click Next.
    • Only the following objects in the folder:
    • Computer objects
    • Create selected objects in the folder
    • Delete selected objects in this folder
  8. Select the following permissions, click Next, and then click Finish.
    • Read all properties
    • Write all properties
    • Read permissions
    • Modify permissions
    • Change password
    • Reset password
    • Validated write to DNS host name
    • Validated write to service principal name
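The same single-OU delegation, scripted with dsacls and the ActiveDirectory module so the resulting ACL can be reviewed and re-applied consistently; this is an added example, not Tanium's own code or procedure. The OU name ODJ-Staging and the ODJ host computer name MYSERVER are placeholders.

```powershell
# Added example, not Tanium's own code: apply the delegation from the wizard steps above with
# dsacls, scoped to a single OU, then read the ACL back for review.
# Placeholders (assumptions): OU name 'ODJ-Staging', ODJ host computer name 'MYSERVER'.
param(
    [string]$OuName  = 'ODJ-Staging',   # OU in which newly provisioned endpoints are vetted
    [string]$OdjHost = 'MYSERVER'       # computer that runs the ODJ process (TaniumPXE service)
)
$domain  = Get-ADDomain
$ouDn    = "OU=$OuName,$($domain.DistinguishedName)"
$trustee = "$($domain.NetBIOSName)\$OdjHost`$"      # computer accounts end in '$'

# Step 2: create the staging OU if it does not exist yet.
try   { $null = Get-ADOrganizationalUnit -Identity $ouDn }
catch { New-ADOrganizationalUnit -Name $OuName -Path $domain.DistinguishedName }

# Step 7: the ODJ host may create (CC) and delete (DC) only computer objects, only in this OU.
# /I:T applies the ACE to the OU and its sub-OUs; ';computer' restricts the child object class.
foreach ($perm in 'CC', 'DC') {
    dsacls $ouDn /I:T /G "${trustee}:$perm;computer" | Out-Null
}

# Step 8: per-object permissions on the computer objects the host creates.
# Each entry uses the dsacls format Permission;[Object or Right];[InheritedObjectType].
$computerRights = @(
    'RP;;computer',                                          # Read all properties
    'WP;;computer',                                          # Write all properties
    'RC;;computer',                                          # Read permissions
    'WD;;computer',                                          # Modify permissions
    'CA;Change Password;computer',                           # extended right
    'CA;Reset Password;computer',                            # extended right
    'SW;Validated write to DNS host name;computer',          # validated write
    'SW;Validated write to service principal name;computer'  # validated write
)
foreach ($right in $computerRights) {
    # /I:S = inherit to child objects only (the OU itself is not a computer object).
    dsacls $ouDn /I:S /G "${trustee}:$right" | Out-Null
}

# Review: show what the ODJ host can now do in this OU, then warn if it also holds explicit
# CreateChild rights on any other OU, which would defeat the single-OU scoping.
(Get-Acl "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$OdjHost`$" } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType -AutoSize
Get-ADOrganizationalUnit -Filter * | Where-Object { $_.DistinguishedName -ne $ouDn } | ForEach-Object {
    $other = $_.DistinguishedName
    (Get-Acl "AD:\$other").Access |
        Where-Object { $_.IdentityReference -like "*\$OdjHost`$" -and -not $_.IsInherited -and $_.ActiveDirectoryRights -match 'CreateChild' } |
        ForEach-Object { Write-Warning "ODJ host also has CreateChild on $other" }
}
```

Run it from an account that can modify the OU's security descriptor; the final review block is also useful on its own to re-audit the delegation after the fact.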