Joining a computer to a domain when there is a DMZ and an RODC takes a little more effort than normal. This is because the computer account needs to be created on a writable DC, which the computer cannot contact.
There are two options for this:
1. If possible, move the computer to the same subnet as a writable DC, join, then move it back into the DMZ.
2. Use the offline domain join method as follows.
Offline domain join
On a writable domain controller:
Open an administrative Command Prompt and enter:
djoin /provision /domain "domain.local" /machine "computername" /savefile C:\computername.txt
On the destination computer:
Copy the file to the C: drive
Open an administrative Command Prompt and enter:
djoin /requestODJ /loadfile C:\computername.txt /windowspath %systemroot% /localos
Reboot.
Logging in
You may then find that you are unable to log in with a domain account. It may report that there are no Domain Controllers available for your domain.
In AD Sites & Services, ensure that your sites and subnets are set up correctly for the DMZ.
On the domain member computer open regedit.
Navigate to HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
In the right pane, create a new String Value named "SiteName" and set its value data to the name of the site in which the client computer resides (e.g. "DMZ-Site").
Additionally, check for an existing value named DynamicSiteName, and change its data to the same site (e.g. "DMZ-Site").
Close the registry editor and restart the client computer to have registry changes take effect.
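The DC-side and client-side steps above as one PowerShell script (an added example, not part of the original post); the function names, the blob file path, the site name DMZ-Site and the use of icacls to lock down the blob are assumptions:

```powershell
# Added example: offline domain join through a DMZ RODC, plus the Netlogon site override.
# Run New-OdjBlob elevated on a writable DC and Complete-OdjJoin elevated on the DMZ host.

# --- Run on a writable domain controller ---
function New-OdjBlob {
    param(
        [Parameter(Mandatory)][string]$Domain,        # e.g. domain.local
        [Parameter(Mandatory)][string]$ComputerName,  # the new DMZ member
        [string]$SaveFile = "C:\$ComputerName.txt"     # assumed path, as in the post
    )
    & djoin.exe /provision /domain $Domain /machine $ComputerName /savefile $SaveFile
    if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }
    # The blob carries the new machine account secret: limit who can read it while it
    # sits on disk and copy it to the DMZ host over an authenticated channel.
    icacls $SaveFile /inheritance:r /grant:r "Administrators:F" | Out-Null
    return $SaveFile
}

# --- Run on the DMZ computer ---
function Complete-OdjJoin {
    param(
        [Parameter(Mandatory)][string]$LoadFile,  # blob copied from the DC, e.g. C:\computername.txt
        [Parameter(Mandatory)][string]$SiteName   # AD site covering the DMZ subnet, e.g. DMZ-Site
    )
    & djoin.exe /requestODJ /loadfile $LoadFile /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestODJ failed with exit code $LASTEXITCODE" }

    # Pin the client to the DMZ site so Netlogon looks up that site's DC records
    # instead of reporting that no domain controllers are available.
    $nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $nl -Name 'SiteName'        -Value $SiteName -Type String
    Set-ItemProperty -Path $nl -Name 'DynamicSiteName' -Value $SiteName -Type String

    # The blob has been consumed; remove it so the machine secret does not linger on the DMZ host.
    Remove-Item -Path $LoadFile -Force
    Restart-Computer -Force
}

# After the reboot, confirm which site and DC the client actually uses:
#   nltest /dsgetsite
#   nltest /dsgetdc:domain.local
```

The two nltest commands at the end are the quickest check that the site override took effect and that the RODC in the DMZ is the DC being located.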
DNS
If you used the first method to join to the domain, there will be a DNS entry created which points to the old IP address. Delete this.
For either method, create a static DNS entry for the computer on a writable DC so it can be resolved from the network.