# Join the Windows client to the domain

Goal: start the `pc01` container, install Windows 11, then join the machine to `corp.lab`.

## Start the container

```
docker compose up -d pc01
```

Windows 11 installs unattended, same as `DC01`. Allow 20 to 40 minutes. Track progress via:

- [http://localhost:8009](http://localhost:8009)
- `docker compose logs -f pc01`

Once the desktop is available:

```
./scripts/rdp-client.sh
```

Local credentials: `LocalAdmin` / `AD_ADMIN_PASSWORD` (same value as DC01 in this lab).

## Step 1: prepare the client

### Rename

Fresh dockurr installs ship with an auto-generated hostname (`WIN-xxxxxxx`). Rename before joining.

GUI: `Settings > System > About > Rename this PC`.

Or PowerShell:

```
Rename-Computer -NewName "PC01" -Restart
```

### Point DNS to the DC

Without correct DNS, the join fails. PC01 must be able to query DC01 to resolve `corp.lab` and the AD SRV records (`_ldap._tcp...`, `_kerberos._tcp...`) that locate the domain controller.

GUI: `Settings > Network > Network adapter properties > Edit DNS settings`.

PowerShell:

```
Get-NetAdapter | Format-Table Name, Status
# <DC_CONTAINER_IP>: see the Docker lab specifics block below to pick the IP
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses <DC_CONTAINER_IP>
```

### Docker lab specifics

`dockurr/windows` runs Windows inside a VM behind internal NAT. The DC advertises its internal VM IP in DNS, and that address is not routable from `PC01`. The DC container, however, has a DNAT rule forwarding all ports to its VM.

Solution: use the DC **container** IP (visible via `docker inspect lab-dc01`) and add a `hosts` entry so name resolution for the domain lands on it.

In PowerShell on PC01:

```
# Replace <DC_CONTAINER_IP> with the value from:
# docker inspect lab-dc01 --format '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}'
Add-Content C:\Windows\System32\drivers\etc\hosts "`n<DC_CONTAINER_IP> corp.lab dc01.corp.lab dc01"
ipconfig /flushdns
```

Test:

```
Test-NetConnection -ComputerName corp.lab -Port 389
nslookup corp.lab
```

`Test-NetConnection` goes through the hosts file, so it must reach the container IP; `nslookup` asks the DNS server directly and only proves the DC answers on port 53.

## Step 2: join the domain

### GUI

1. `Settings > System > About > Join a domain`
2. Or `sysdm.cpl > Change`
3. Enter `corp.lab`, confirm
4. Enter `CORP\Administrator` credentials
5. Restart when prompted

### PowerShell

Key cmdlet: `Add-Computer`.

```
$pass = ConvertTo-SecureString "AdminP@ss!2026" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("CORP\Administrator", $pass)
Add-Computer -DomainName corp.lab -Credential $cred -Restart
```

## Step 3: allow an AD user to RDP

By default, only members of the local `Administrators` group can RDP. After the join, local `Administrators` contains `CORP\Domain Admins`, so a domain admin can RDP straight away. Standard users must be added explicitly.

### GUI

1. Right-click `This PC > Properties > Remote Desktop settings`
2. `Select users` > add `CORP\pmartin` (or an AD group)

### PowerShell

```
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "CORP\pmartin"
```

In practice, create a dedicated AD group (e.g. `GG_RDPUsers`) and push it into the local `Remote Desktop Users` group on every machine via GPO, rather than adding individual accounts per host.

## Step 4: test with an AD user

From the Linux/macOS host:

```
xfreerdp3 /v:127.0.0.1:3391 /u:pmartin /d:CORP /p:'<pmartin password>' /cert:ignore +clipboard /size:1600x900 /dynamic-resolution
```

On Windows, use `mstsc` with `CORP\pmartin`.

Once logged in, validate:

```
whoami
whoami /groups
Get-ComputerInfo | Select CsDomain, CsDomainRole
```

You should see `CORP\pmartin`, the user's AD groups, and `CsDomainRole : MemberWorkstation`.

## Notes

- An account flagged "must change password at next logon" cannot RDP through NLA, because the password change has to happen before the network-level authentication completes. Either clear the flag on the DC (`Set-ADUser -Identity pmartin -ChangePasswordAtLogon $false`) or force `/sec:rdp` on the client to get the change-password screen.
- If `Add-Computer` fails with `The mapping between account names and SIDs was not done`, the PC is in a broken domain state. Switch it back to a workgroup (`Add-Computer -WorkgroupName "WORKGROUP" -Force`), reboot, then retry the join.
- Clean up stale computer accounts in `CN=Computers` when you recreate a client, otherwise the new machine collides with the old account.

## Next

`07-join-linux-client.md` for the Linux side.
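Putting the checks from Steps 1 to 4 together in one script, as an added example that is not part of the lab repository: it verifies the join, the secure channel, the Docker `hosts` workaround, SRV discovery, DC ports and the local group state from Step 3. The `$DcIp` parameter and the `Add-Check` helper are mine; `corp.lab`, `CORP\pmartin`, `CORP\Domain Admins` and `lab-dc01` come from the page above.

```powershell
# Added example for this lab (not one of its scripts): post-join health check for PC01.
# Run in an elevated PowerShell on PC01 after the reboot from Step 2.
# Assumptions: $DcIp is the DC *container* IP from `docker inspect lab-dc01`;
# domain, user and group names match the ones used in this guide.
param(
    [Parameter(Mandatory)] [string] $DcIp,
    [string] $Domain  = "corp.lab",
    [string] $RdpUser = "CORP\pmartin"
)

$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check([string] $Name, [bool] $Pass, [string] $Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Membership and role (DomainRole 1 = MemberWorkstation, the value Step 4 expects)
$cs = Get-CimInstance Win32_ComputerSystem
Add-Check "Joined to $Domain" ($cs.PartOfDomain -and $cs.Domain -eq $Domain) $cs.Domain
Add-Check "Role is MemberWorkstation" ($cs.DomainRole -eq 1) "DomainRole=$($cs.DomainRole)"

# 2. Machine account secure channel to the DC (what is broken in the SID-mapping note)
$sc = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
Add-Check "Secure channel OK" ([bool]$sc) "Test-ComputerSecureChannel=$sc"

# 3. hosts override still points the domain name at the DC container IP (Docker NAT workaround)
$hostsLine = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -match "^\s*$([regex]::Escape($DcIp))\s+.*\b$([regex]::Escape($Domain))\b" }
Add-Check "hosts maps $Domain to $DcIp" ([bool]$hostsLine) ($hostsLine -join ';')

# 4. SRV discovery works when asking the DC directly (its DNS port is DNAT'd to the VM)
$srv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcIp -ErrorAction SilentlyContinue
Add-Check "LDAP SRV record" ([bool]$srv) (($srv | ForEach-Object NameTarget) -join ',')

# 5. Ports a member workstation needs on the DC: Kerberos, LDAP, SMB (group policy), kpasswd
foreach ($port in 88, 389, 445, 464) {
    $t = Test-NetConnection -ComputerName $DcIp -Port $port -WarningAction SilentlyContinue
    Add-Check "TCP $port reachable" $t.TcpTestSucceeded $DcIp
}

# 6. Local group state from Step 3: Domain Admins in Administrators, the AD user in RDP users
$admins = (Get-LocalGroupMember Administrators).Name
Add-Check "Domain Admins in Administrators" ($admins -contains "CORP\Domain Admins") ($admins -join ',')
$rdp = (Get-LocalGroupMember "Remote Desktop Users").Name
Add-Check "$RdpUser may RDP" ($rdp -contains $RdpUser) ($rdp -join ',')

$checks | Format-Table -AutoSize
if ($checks.Pass -contains $false) { exit 1 }
```

A non-zero exit code means at least one row shows `Pass = False`; the `Detail` column tells you which of Steps 1 to 3 to revisit.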