# Troubleshooting

Common issues encountered while setting up the lab.

## Windows installation stuck

Symptom: http://localhost:8006 stays on the ISO download screen.

Causes:

- Slow/interrupted internet (ISO is several GB)
- Not enough host disk space
- `btrfs` filesystem on `/storage` (dockurr warns, rarely blocking)

Check `docker compose logs -f dc01`, restart if needed.

## /dev/kvm not accessible

Symptom: `KVM acceleration not available` in dockurr logs.

Causes:

- Virtualization disabled in BIOS
- Your user not in the `kvm` group
- WSL2 without nested virt (Windows)

Fixes:

- Linux: `sudo usermod -aG kvm $USER`, reconnect
- Windows: edit `%USERPROFILE%\.wslconfig` with `nestedVirtualization=true`
- macOS Apple Silicon: unsupported, use UTM

## Rename-Computer rejects authentication

Symptom: `Rename-Computer : ... The user name or password is incorrect.`

Happens on a fresh install before any domain membership. The cmdlet attempts a local authentication that fails for obscure reasons.

Fixes:

- Use the GUI: `sysdm.cpl > Change`
- Or the registry:

  ```
  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "Hostname" -Value "NEW"
  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "NV Hostname" -Value "NEW"
  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName" -Name "ComputerName" -Value "NEW"
  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName" -Name "ComputerName" -Value "NEW"
  Restart-Computer -Force
  ```

## Add-Computer: "the computer is already in this domain"

The PC has a partial domain state (DNS suffix, workgroup with the same name as the domain NetBIOS, prior join).
Clean first:

```
Add-Computer -WorkgroupName "WORKGROUP" -Force
Restart-Computer -Force
```

If `Remove-Computer` fails with `The mapping between account names and SIDs was not done`, force via WMI:

```
$cs = Get-WmiObject Win32_ComputerSystem
$cs.UnjoinDomainOrWorkgroup($null, $null, 0)
Restart-Computer -Force
```

## RDP denies the AD user

Symptom: `ERRCONNECT_CONNECT_TRANSPORT_FAILED` after NLA with freerdp, or "access denied" with mstsc.

Cause: by default only local `Administrators` can RDP. Domain users aren't granted access.

Fix on the client:

```
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "CORP\pmartin"
```

Push via GPO in production.

## "Password must change" over freerdp

Symptom: `ERRCONNECT_PASSWORD_MUST_CHANGE`.

freerdp with NLA cannot display the change-password screen. Two options:

- Clear the flag on the DC:

  ```
  Set-ADAccountPassword -Identity pmartin -Reset -NewPassword (ConvertTo-SecureString "NewP@ss!2026" -AsPlainText -Force)
  Set-ADUser -Identity pmartin -ChangePasswordAtLogon $false
  ```

- Or bypass NLA:

  ```
  xfreerdp3 /sec:rdp ...
  ```

## realm discover returns nothing

Causes:

- Wrong DNS on `linux01` (check `/etc/resolv.conf`)
- DC not answering on port 53
- `dbus` not running in the container:

  ```
  dbus-daemon --system --fork
  ```

## sssd fails to start

Symptom: `Invalid option -f: unknown option` when `realm join` runs `service sssd restart`.

Context: docker images without full init (no systemd).
Start manually:

```
/usr/sbin/sssd --daemon
```

## AD user not resolved on Linux

```
id pmartin@corp.lab   # "no such user"
```

Common causes:

- sssd not running (see above)
- sssd cache out of sync: `sss_cache -E`
- Domain missing from `realm list`: the join silently failed, retry with `realm join -v`

## Share inaccessible from a client

- User not in the DL group: `Get-ADGroupMember DL_Share_Common_R`
- Kerberos token not refreshed: relogon
- Restrictive NTFS ACL: check via `Get-Acl` or Security tab

## Full lab reset

To start fresh without touching the rest of your system:

```
docker compose down -v
rm -rf ./storage-dc01 ./storage-pc01
docker compose up -d dc01
```
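
The causes listed under "AD user not resolved on Linux" above can be checked in one pass. The script below is an added example, not part of the lab's own files: the function name `check_ad_user` and its return codes are chosen for the illustration, and it assumes `pgrep` is installed in the container.

```shell
#!/bin/sh
# Added example, not one of the lab's scripts.
# Walks the causes from "AD user not resolved on Linux" and names the
# first one that applies. Read-only: it starts and flushes nothing.
#
# Return codes (chosen for this example):
#   0  user resolves
#   1  sssd is not running
#   2  domain is missing from `realm list` (join failed silently)
#   3  sssd is up and the domain is joined: stale cache is the likely cause

check_ad_user() {
    user=$1
    domain=$2

    # Nothing to diagnose if the lookup already works.
    if id "${user}@${domain}" >/dev/null 2>&1; then
        echo "OK: ${user}@${domain} resolves"
        return 0
    fi

    # Cause: no sssd process. Images without systemd never start it.
    if ! pgrep -x sssd >/dev/null 2>&1; then
        echo "sssd is not running; start it with: /usr/sbin/sssd --daemon"
        return 1
    fi

    # Cause: the join failed silently, so the domain is not configured.
    # --name-only prints one configured realm per line; the match is
    # whole-line, literal and case-insensitive.
    if ! realm list --name-only 2>/dev/null | grep -qixF "$domain"; then
        echo "${domain} is missing from 'realm list'; retry with: realm join -v"
        return 2
    fi

    # sssd is running and the domain is joined, which leaves the cache.
    echo "sssd is running and ${domain} is joined; flush with: sss_cache -E"
    return 3
}

# Usage with the values from this page: check_ad_user pmartin corp.lab
```

Run it inside `linux01`; a return code of 1 or 2 points back to the "sssd fails to start" and "realm discover returns nothing" sections respectively.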