Joining computers to an Active Directory domain is a routine task that becomes tedious when done manually across dozens or hundreds of machines. Scripting the domain join process saves significant time and ensures consistency. This guide covers multiple approaches, from the classic netdom command to modern PowerShell cmdlets and offline domain join for environments without direct network connectivity.
Prerequisites
Before scripting domain joins, verify these requirements:
- DNS resolution — The computer must be able to resolve the domain name. Ensure the DNS settings point to a domain controller or DNS server that hosts the AD DNS zone.
- Network connectivity — The computer must reach a domain controller on the required ports (LDAP 389, Kerberos 88, SMB 445, DNS 53, RPC endpoint mapper 135 plus the dynamic RPC port range).
- Domain credentials — You need an account with permission to join computers to the domain. By default, any authenticated domain user can join up to 10 computers (controlled by the ms-DS-MachineAccountQuota attribute).
- Computer name — The computer should have its intended hostname set before joining the domain.
Method 1: Using netdom (Classic)
The netdom command-line tool has been available since Windows 2000 Support Tools and is included in Windows Server and RSAT.
Basic Domain Join
netdom join %COMPUTERNAME% /domain:corp.example.com /userd:CORP\admin /passwordd:P@ssw0rd /reboot:5
Parameters:
- %COMPUTERNAME% — The computer to join (use the actual name, or %COMPUTERNAME% for the local machine)
- /domain — The FQDN of the target domain
- /userd — Domain credentials with join permission
- /passwordd — Password (use * to be prompted securely, which keeps the password out of scripts and command history)
- /reboot — Seconds to wait before automatic reboot
Join and Place in a Specific OU
netdom join WORKSTATION01 /domain:corp.example.com /userd:CORP\admin /passwordd:* /ou:"OU=Workstations,OU=IT,DC=corp,DC=example,DC=com" /reboot:5
Batch Script for Multiple Computers
Create a text file (computers.txt) with one computer name per line, then:
@echo off
for /f %%i in (computers.txt) do (
echo Joining %%i to domain...
netdom join %%i /domain:corp.example.com /userd:CORP\admin /passwordd:* /reboot:30
)
echo Done.
pause
Method 2: PowerShell Add-Computer (Recommended)
The Add-Computer cmdlet is the modern, preferred method for domain joins.
Join the Local Computer
# Join the local computer to the domain and restart
Add-Computer -DomainName "corp.example.com" -Credential (Get-Credential) -Restart
Join and Place in a Specific OU
Add-Computer -DomainName "corp.example.com" `
-OUPath "OU=Workstations,OU=IT,DC=corp,DC=example,DC=com" `
-Credential (Get-Credential) `
-Restart
Join a Remote Computer
# Join a single remote computer
Add-Computer -ComputerName "WORKSTATION01" `
-DomainName "corp.example.com" `
-Credential (Get-Credential) `
-Restart
# Join multiple remote computers
$computers = @("WS01", "WS02", "WS03", "WS04", "WS05")
Add-Computer -ComputerName $computers `
-DomainName "corp.example.com" `
-OUPath "OU=Workstations,DC=corp,DC=example,DC=com" `
-Credential (Get-Credential) `
-Restart -Force
Rename and Join in One Step
Add-Computer -DomainName "corp.example.com" `
-NewName "WS-FINANCE-01" `
-Credential (Get-Credential) `
-Restart
Bulk Domain Join from CSV
For large-scale deployments, use a CSV file with computer details. The credential used only needs the right to create computer objects in the target OUs (delegated on the OU); Domain Admin membership is not required:
ComputerName,OU
WS01,OU=Sales,DC=corp,DC=example,DC=com
WS02,OU=Engineering,DC=corp,DC=example,DC=com
WS03,OU=HR,DC=corp,DC=example,DC=com
$cred = Get-Credential -Message "Enter domain admin credentials"
$computers = Import-Csv -Path "C:\domain-join-list.csv"
foreach ($computer in $computers) {
try {
Add-Computer -ComputerName $computer.ComputerName `
-DomainName "corp.example.com" `
-OUPath $computer.OU `
-Credential $cred `
-Restart -Force `
-ErrorAction Stop
Write-Host "Successfully joined $($computer.ComputerName)" -ForegroundColor Green
}
catch {
Write-Host "Failed to join $($computer.ComputerName): $_" -ForegroundColor Red
}
}
Method 3: Offline Domain Join (djoin.exe)
Offline domain join allows you to join a computer to the domain without direct network connectivity to a domain controller at the time of the join. This is useful for:
- Provisioning machines in a factory or staging area without domain network access
- Deploying VMs from templates
- Joining computers across WAN links with unreliable connectivity
Step 1: Provision the Computer Account
Run this on any domain-joined computer with appropriate permissions:
djoin /provision /domain corp.example.com /machine NEWPC01 /savefile C:\odjblob.txt
Options:
- /provision — Create the computer account in AD
- /domain — Target domain name
- /machine — Name of the computer to be joined
- /savefile — Path to save the provisioning blob
- /machineou — (Optional) OU path for the computer account
With OU placement:
djoin /provision /domain corp.example.com /machine NEWPC01 /machineou "OU=Workstations,DC=corp,DC=example,DC=com" /savefile C:\odjblob.txt
Step 2: Apply the Blob on the Target Computer
Transfer the blob file to the target computer (via USB drive, network share, etc.) and run:
djoin /requestODJ /loadfile C:\odjblob.txt /windowspath %SystemRoot% /localos
Step 3: Restart
Restart the computer. When it boots, it will be domain-joined and able to authenticate with its machine account once it has network connectivity to a DC.
Automating Offline Domain Join in Deployment
You can integrate djoin into an OS deployment task sequence (MDT, SCCM/MECM):
# Generate blob during imaging task sequence (runs on a domain-joined machine with rights to create the account;
# /reuse lets an existing account with the same name be reused, e.g. after reimaging)
$computerName = $env:COMPUTERNAME
djoin /provision /domain corp.example.com /machine $computerName /reuse /savefile "C:\Windows\odjblob.txt"
# Apply during OOBE or first-boot script (this is PowerShell, so use $env:SystemRoot rather than the cmd-style %SystemRoot%)
djoin /requestODJ /loadfile "C:\Windows\odjblob.txt" /windowspath $env:SystemRoot /localos
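The two djoin stages above wrapped as reusable functions, as an added example that is not part of the original article: it checks the djoin exit code at each stage, restricts the saved blob to the creating user (the blob contains the new computer account's credentials), and deletes the blob on the target once it has been applied. The function names New-OdjBlob and Install-OdjBlob, the .odj file naming and the C:\odj output directory are assumptions of this example.

```powershell
# Added example (not from the original article): wraps djoin.exe for both stages
# with exit-code checking and blob cleanup. Function names and paths are assumptions.

# Stage 1: run on a domain-joined admin workstation, once per machine to be imaged.
function New-OdjBlob {
    param(
        [Parameter(Mandatory)] [string]$MachineName,
        [Parameter(Mandatory)] [string]$DomainName,
        [Parameter(Mandatory)] [string]$OutputDirectory,
        [string]$MachineOU,
        [switch]$Reuse   # maps to djoin /reuse for re-imaged machines whose account already exists
    )
    $null = New-Item -ItemType Directory -Path $OutputDirectory -Force
    $blobPath = Join-Path $OutputDirectory "$MachineName.odj"

    $djoinArgs = @('/provision', '/domain', $DomainName, '/machine', $MachineName, '/savefile', $blobPath)
    if ($MachineOU) { $djoinArgs += @('/machineou', $MachineOU) }
    if ($Reuse)     { $djoinArgs += '/reuse' }

    $output = & djoin.exe @djoinArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "djoin /provision failed for $MachineName (exit $LASTEXITCODE): $output"
    }

    # The blob carries the computer account's credentials: drop inherited ACEs and
    # leave only the current user with access until it is copied to the target.
    $acl = Get-Acl -Path $blobPath
    $acl.SetAccessRuleProtection($true, $false)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        [System.Security.Principal.WindowsIdentity]::GetCurrent().Name, 'FullControl', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $blobPath -AclObject $acl
    $blobPath
}

# Stage 2: run on the target computer (first-boot script, SYSTEM context), then reboot.
function Install-OdjBlob {
    param([Parameter(Mandatory)] [string]$BlobPath)
    if (-not (Test-Path -Path $BlobPath)) { throw "ODJ blob not found: $BlobPath" }

    $output = & djoin.exe /requestODJ /loadfile $BlobPath /windowspath $env:SystemRoot /localos 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "djoin /requestODJ failed (exit $LASTEXITCODE): $output"
    }
    # The account secret now lives in the local LSA; the blob has no further use
    Remove-Item -Path $BlobPath -Force
    $true
}

# Usage, stage 1 (same CSV columns as the bulk-join section: ComputerName,OU):
#   Import-Csv -Path 'C:\domain-join-list.csv' | ForEach-Object {
#       New-OdjBlob -MachineName $_.ComputerName -DomainName 'corp.example.com' `
#                   -MachineOU $_.OU -OutputDirectory 'C:\odj'
#   }
# Usage, stage 2 (on the target, assuming the imaging step copied the blob to C:\Windows):
#   Install-OdjBlob -BlobPath "C:\Windows\$env:COMPUTERNAME.odj"; Restart-Computer
```

Both functions throw rather than print on failure, so a task sequence step that runs them fails visibly instead of continuing to the reboot with an unjoined machine.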
Pre-Staging Computer Accounts
For better organization and security, pre-stage computer accounts in Active Directory before the domain join. A pre-staged account lands in the correct OU from the first boot (so the right Group Policy applies immediately), and join rights can be delegated on that specific object instead of relying on the ms-DS-MachineAccountQuota default:
Using PowerShell
# Pre-stage a single computer account
New-ADComputer -Name "WS01" `
-Path "OU=Workstations,DC=corp,DC=example,DC=com" `
-Enabled $true
# Pre-stage from a list
$computers = @("WS01", "WS02", "WS03", "WS04", "WS05")
foreach ($pc in $computers) {
New-ADComputer -Name $pc `
-Path "OU=Workstations,DC=corp,DC=example,DC=com" `
-Enabled $true
Write-Host "Pre-staged $pc"
}
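Pre-staging from the same CSV used in the bulk-join section, as an added example that is not part of the original article: it validates the OU first, skips names that already exist (which is exactly the "machine account already exists" failure mode) and returns a result object per row instead of only printing. The function name New-PrestagedComputer and the result file path are assumptions; the ActiveDirectory RSAT module is required.

```powershell
# Added example (not from the original article): idempotent pre-staging from a CSV
# with columns ComputerName,OU. Function name and output path are assumptions.
Import-Module ActiveDirectory

function New-PrestagedComputer {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$OUPath,
        [string]$Description = "Pre-staged $(Get-Date -Format 'yyyy-MM-dd')"
    )
    # Validate the OU up front: New-ADComputer's own error for a bad -Path is less obvious
    try { $null = Get-ADOrganizationalUnit -Identity $OUPath -ErrorAction Stop }
    catch { return [pscustomobject]@{ Name = $Name; Status = 'OUNotFound'; OU = $OUPath } }

    # Skip names that already exist and report where the existing account lives
    $existing = Get-ADComputer -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if ($existing) {
        $currentOU = $existing.DistinguishedName -replace '^CN=[^,]+,', ''
        return [pscustomobject]@{ Name = $Name; Status = 'AlreadyExists'; OU = $currentOU }
    }

    New-ADComputer -Name $Name -Path $OUPath -Enabled $true -Description $Description -ErrorAction Stop
    [pscustomobject]@{ Name = $Name; Status = 'Created'; OU = $OUPath }
}

# Usage: one result row per CSV line, written to a results file for the deployment record
$results = Import-Csv -Path 'C:\domain-join-list.csv' | ForEach-Object {
    New-PrestagedComputer -Name $_.ComputerName -OUPath $_.OU
}
$results | Format-Table -AutoSize
$results | Export-Csv -Path 'C:\prestage-results.csv' -NoTypeInformation
```

Rows with Status AlreadyExists deserve a look before the join runs: either the name is a leftover from a decommissioned machine (delete it) or it belongs to a live computer (pick another name).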
Troubleshooting Domain Join Failures
Common Errors and Solutions
“The specified domain either does not exist or could not be contacted”
- Verify DNS settings:
nslookup corp.example.com
- Ensure the preferred DNS server is a domain controller or forwards to one
- Test connectivity:
Test-NetConnection -ComputerName corp.example.com -Port 389
“An attempt to resolve the DNS name of a DC in the domain being joined has failed”
- Check that DNS SRV records exist:
nslookup -type=srv _ldap._tcp.dc._msdcs.corp.example.com
- Verify the computer's primary DNS suffix
“Access is denied” or “The user does not have permission”
- Verify the account has domain join permissions
- Check the ms-DS-MachineAccountQuota attribute (default: 10)
- Check if the computer account was pre-staged and the joining user has write permissions to it
“The machine account already exists”
- The computer name is already used in AD. Either delete the stale account or use a different name:
# Reset the existing computer account (run on the already-joined computer that owns the account;
# this resets the machine account password and repairs a broken secure channel)
Reset-ComputerMachinePassword -Server "dc01.corp.example.com" -Credential (Get-Credential)
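A pre-flight check that covers the prerequisites listed at the top of the article (DNS resolution, required ports, valid computer name) together with the DNS and connectivity errors in this troubleshooting section, as an added example that is not part of the original article. The function name Test-DomainJoinReadiness and its parameters are assumptions; it tests TCP only, so a UDP-only problem on port 53 or 88 would not be detected.

```powershell
# Added example (not from the original article): pre-flight check run on the
# computer that is about to be joined. Function and parameter names are assumptions.
function Test-DomainJoinReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$DomainName,
        [string]$IntendedName = $env:COMPUTERNAME,
        # Ports a domain join needs: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB
        [int[]]$Ports = @(53, 88, 135, 389, 445)
    )

    $result = [ordered]@{
        DomainName       = $DomainName
        IntendedName     = $IntendedName
        NameValid        = $false
        DomainResolves   = $false
        SrvRecordsFound  = $false
        DomainController = $null
        PortsOpen        = @()
        PortsBlocked     = @()
        Ready            = $false
    }

    # NetBIOS computer names are limited to 15 characters and a restricted character set
    $result.NameValid = ($IntendedName.Length -le 15) -and ($IntendedName -match '^[A-Za-z0-9-]+$')

    # The domain name itself must resolve ("domain does not exist or could not be contacted")
    try {
        $a = Resolve-DnsName -Name $DomainName -Type A -ErrorAction Stop
        $result.DomainResolves = [bool]($a | Where-Object { $_.IPAddress })
    } catch { Write-Warning "A record lookup for $DomainName failed: $_" }

    # The _ldap._tcp.dc._msdcs SRV record is how clients locate a DC
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' } | Sort-Object Priority, Weight
        if ($srv) {
            $result.SrvRecordsFound = $true
            $result.DomainController = $srv[0].NameTarget
        }
    } catch { Write-Warning "SRV lookup for $DomainName failed: $_" }

    # TCP-test each required port against the DC found via SRV (fall back to the domain name)
    $target = if ($result.DomainController) { $result.DomainController } else { $DomainName }
    foreach ($port in $Ports) {
        $tnc = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue
        if ($tnc.TcpTestSucceeded) { $result.PortsOpen += $port } else { $result.PortsBlocked += $port }
    }

    $result.Ready = $result.NameValid -and $result.DomainResolves -and
                    $result.SrvRecordsFound -and ($result.PortsBlocked.Count -eq 0)
    [pscustomobject]$result
}

# Usage: run before Add-Computer or netdom; every failed field maps to one of the errors above
$check = Test-DomainJoinReadiness -DomainName 'corp.example.com' -IntendedName 'WS-FINANCE-01'
$check | Format-List
if (-not $check.Ready) { Write-Warning 'Fix the failed checks before attempting the join.' }
```

A false DomainResolves or SrvRecordsFound points at the DNS settings, a non-empty PortsBlocked at a firewall between the client and the DC, and a false NameValid at a hostname that should be changed before the join.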
Verification After Domain Join
# Verify domain membership (Get-CimInstance works in both Windows PowerShell 5.1 and PowerShell 7; Get-WmiObject is 5.1-only)
(Get-CimInstance Win32_ComputerSystem).Domain
# Test secure channel to DC (returns True when the machine account password is accepted by a DC)
Test-ComputerSecureChannel -Verbose
# Verify the computer account in AD (requires the ActiveDirectory RSAT module)
Get-ADComputer -Identity $env:COMPUTERNAME
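The same three checks packaged as a function that returns one object, as an added example that is not part of the original article: it confirms membership in the expected domain, tests the secure channel, and optionally confirms the account ended up in the expected OU. The function name Test-DomainJoinResult and its parameters are assumptions; the OU check needs the ActiveDirectory module and is skipped when the module is absent.

```powershell
# Added example (not from the original article): post-join verification that returns
# a result object and a non-zero exit code, so a deployment step can fail on it.
function Test-DomainJoinResult {
    param(
        [Parameter(Mandatory)] [string]$ExpectedDomain,
        [string]$ExpectedOU   # optional, e.g. 'OU=Workstations,DC=corp,DC=example,DC=com'
    )
    $cs = Get-CimInstance Win32_ComputerSystem
    $r = [ordered]@{
        ComputerName  = $cs.Name
        PartOfDomain  = $cs.PartOfDomain
        Domain        = $cs.Domain
        DomainMatches = ($cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain))
        SecureChannel = $false
        InExpectedOU  = $null   # stays $null when no OU was given or the AD module is missing
        Healthy       = $false
    }

    # Secure channel: proves the machine account password works against a DC
    if ($r.PartOfDomain) {
        $r.SecureChannel = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)
    }

    # OU placement: the account's DN must be CN=<name>,<expected OU>
    if ($ExpectedOU -and (Get-Module -ListAvailable -Name ActiveDirectory)) {
        try {
            $dn = (Get-ADComputer -Identity $cs.Name -ErrorAction Stop).DistinguishedName
            $r.InExpectedOU = ($dn -ieq "CN=$($cs.Name),$ExpectedOU")
        } catch { $r.InExpectedOU = $false }
    }

    $r.Healthy = $r.DomainMatches -and $r.SecureChannel -and ($r.InExpectedOU -ne $false)
    [pscustomobject]$r
}

# Usage: run after the post-join reboot
$v = Test-DomainJoinResult -ExpectedDomain 'corp.example.com' `
                           -ExpectedOU 'OU=Workstations,DC=corp,DC=example,DC=com'
$v | Format-List
if (-not $v.Healthy) { exit 1 }
```

DomainMatches catches a machine that joined the wrong domain (or never joined), SecureChannel catches a stale or mismatched machine account password, and a false InExpectedOU means the account exists but the OU path given at join time was wrong or ignored.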
Summary
Scripting domain joins eliminates the manual, repetitive process of joining each computer individually. Use Add-Computer in PowerShell for modern environments — it handles local and remote joins, OU placement, and renaming in a single cmdlet. For scenarios without network connectivity, djoin.exe provides offline domain join capability. For legacy environments, netdom remains a reliable option. Always verify DNS resolution and domain connectivity before attempting joins, and pre-stage computer accounts in the correct OUs for organizational consistency.