Lab_AD_Complet/docs/etudiant/en/06-join-windows-client.md
Corentin 8e1b06e090 Initial lab release: Docker-based Active Directory lab
Complete Active Directory teaching environment based on dockurr/windows:
- Windows Server domain controller, Windows 11 client, Debian 12 client
- docker-compose orchestration, env-driven configuration
- Bilingual documentation (FR + EN) for students
- Dual approach (GUI + PowerShell) in every procedure
- Instructor course plan and reference scripts
- RDP launcher scripts for Linux, macOS and Windows

Made by AcadéNice - https://acadenice.fr/
2026-04-17 11:29:49 +02:00


Join the Windows client to the domain

Goal: start the pc01 container, install Windows 11, then join the machine to corp.lab.

Start the container

docker compose up -d pc01

Windows 11 installs unattended, same as DC01. Allow 20 to 40 minutes. Track via:

Once the desktop is available:

./scripts/rdp-client.sh

Local credentials: LocalAdmin / AD_ADMIN_PASSWORD (same value as DC01 in this lab).

Step 1: prepare the client

Rename

Fresh dockurr installs ship with an auto-generated hostname (WIN-xxxxxxx). Rename before joining, so that the computer account created in AD carries the intended name. GUI: Settings > System > About > Rename this PC. Or PowerShell (-Restart reboots immediately; reconnect over RDP afterwards):

Rename-Computer -NewName "PC01" -Restart

Point DNS to the DC

Without correct DNS, the join fails. PC01 must query DC01 to resolve corp.lab and the AD SRV records (for example _ldap._tcp.dc._msdcs.corp.lab) that the join uses to locate a domain controller; no other DNS server knows them.

GUI: Settings > Network > Network adapter properties > Edit DNS settings.

PowerShell (check the adapter alias with the first command before using it in the second):

Get-NetAdapter | Format-Table Name, Status
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses <DC_IP>

See the docker specifics block below to pick the IP: it must be the DC container IP, not the VM-internal address the DC itself reports.

Docker lab specifics

dockurr/windows runs Windows inside a VM behind the container's internal NAT. DC01's DNS therefore hands out the VM-internal IP for dc01.corp.lab, which PC01 cannot reach. The DC container, however, has a DNAT rule forwarding all ports to its VM, so the container IP is reachable from PC01.

Solution: keep DNS pointed at the DC container IP (visible via docker inspect lab-dc01) so the SRV lookups still reach DC01's DNS, and add a hosts entry so that corp.lab and dc01.corp.lab resolve to that same container IP instead of the VM-internal address. A hosts file cannot serve SRV records, so the hosts entry complements the DNS setting rather than replacing it.

In an elevated PowerShell on PC01 (writing to the hosts file requires it):

# Replace <DC_CONTAINER_IP> with the value from:
#   docker inspect lab-dc01 --format '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}'
Add-Content C:\Windows\System32\drivers\etc\hosts "`n<DC_CONTAINER_IP> corp.lab dc01.corp.lab dc01"
ipconfig /flushdns

Test:

Test-NetConnection -ComputerName corp.lab -Port 389
nslookup corp.lab

Test-NetConnection goes through the Windows resolver, so it honours the hosts entry and must report TcpTestSucceeded : True against the container IP. nslookup queries the configured DNS server directly and ignores the hosts file, so it shows the VM-internal address; that only proves DNS on DC01 is reachable through the DNAT. Both results together mean the setup is right.
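The Step 1 checks gathered into one pre-join script, as an added example that is not one of the lab's scripts. It assumes the <DC_CONTAINER_IP> placeholder from above, the lab's names (corp.lab, dc01.corp.lab) and the standard DC locator SRV record; run it in an elevated PowerShell on PC01 after setting DNS and the hosts entry.

```powershell
# Added example (not part of the lab). Pre-join readiness checks on PC01.
# Replace the placeholder with the output of:
#   docker inspect lab-dc01 --format '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}'
$DcIp   = "<DC_CONTAINER_IP>"
$Domain = "corp.lab"
$DcFqdn = "dc01.corp.lab"

# 1. Which DNS servers does the client actually use? Must include the DC container IP.
$dns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses }).ServerAddresses
"DNS servers: $($dns -join ', ')"
if ($dns -notcontains $DcIp) { Write-Warning "DNS does not point to the DC container IP" }

# 2. DC locator SRV record. This is what Add-Computer and Kerberos rely on; it is served by
#    DC01's DNS and reaches it through the container's DNAT on port 53 (-DnsOnly skips hosts/cache).
$srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" -DnsOnly -ErrorAction SilentlyContinue
if (-not $srv) { Write-Warning "No SRV record for _ldap._tcp.dc._msdcs.$Domain; DNS is not reaching DC01" }
else { "SRV target: $($srv.NameTarget)" }

# 3. A record as DC01's DNS answers it (VM-internal, unreachable) versus as the local resolver
#    answers it (hosts file override). The second must be the container IP.
$fromDns  = @(Resolve-DnsName -Name $DcFqdn -Type A -DnsOnly -ErrorAction SilentlyContinue)[0].IPAddress
$fromHost = @(Resolve-DnsName -Name $DcFqdn -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A')[0].IPAddress
"DNS answer : $fromDns"
"Resolver   : $fromHost"
if ($fromHost -ne $DcIp) { Write-Warning "hosts override missing: $DcFqdn resolves to '$fromHost', expected $DcIp" }

# 4. Ports a domain join needs, tested by IP so the hosts file plays no part. All are forwarded
#    by the DC container's DNAT rule.
$ports = @{ 53 = "DNS"; 88 = "Kerberos"; 135 = "RPC endpoint mapper"; 389 = "LDAP"; 445 = "SMB"; 464 = "kpasswd" }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $ok = (Test-NetConnection -ComputerName $DcIp -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    "{0,5} {1,-22} {2}" -f $p, $ports[$p], $(if ($ok) { "open" } else { "CLOSED" })
}
```

If check 2 fails while check 4 shows port 53 open, DC01's DNS is reachable but the zone is not what you expect (wrong domain name in .env, or the DC promotion has not finished). If check 3 shows the resolver still returning the VM-internal address, the hosts entry was not written (usually a non-elevated shell) or the DNS cache was not flushed.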

Step 2: join the domain

GUI

  1. Settings > System > About > Join a domain
  2. Or sysdm.cpl > Change
  3. Enter corp.lab, confirm
  4. Enter CORP\Administrator credentials
  5. Restart when prompted

PowerShell

Key cmdlet: Add-Computer. The password below is written in clear in the command, which leaves it in the PowerShell history and in any transcript; that is acceptable for a throwaway lab, but elsewhere use $cred = Get-Credential "CORP\Administrator" and let it prompt.

$pass = ConvertTo-SecureString "AdminP@ss!2026" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("CORP\Administrator", $pass)

Add-Computer -DomainName corp.lab -Credential $cred -Restart

Step 3: allow an AD user to RDP

By default, only members of the local Administrators and Remote Desktop Users groups can RDP. After joining, the local Administrators group contains CORP\Domain Admins, so a domain admin can RDP straight away. Standard domain users must be explicitly added to Remote Desktop Users.

GUI

  1. Right-click This PC > Properties > Remote Desktop settings
  2. Select users > add CORP\pmartin (or an AD group)

PowerShell

Add-LocalGroupMember -Group "Remote Desktop Users" -Member "CORP\pmartin"

In practice, create a dedicated AD group (e.g. GG_RDPUsers) and push it into the local Remote Desktop Users group on every machine via GPO (Restricted Groups or Group Policy Preferences), rather than editing each client by hand.
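Steps 2 and 3 as one PowerShell script, an added example rather than one of the lab's reference scripts. It is split into two functions because domain principals such as CORP\GG_RDPUsers only resolve on PC01 after the post-join reboot: run Invoke-LabDomainJoin first, then Grant-LabRdpAccess once the machine is back. GG_RDPUsers is the group name suggested above and is assumed to already exist in corp.lab; both functions need an elevated PowerShell on PC01.

```powershell
# Added example (not part of the lab's scripts). Run Invoke-LabDomainJoin, wait for the
# reboot, then run Grant-LabRdpAccess. GG_RDPUsers is assumed to exist in AD.

function Invoke-LabDomainJoin {
    param(
        [string]$Domain  = "corp.lab",
        [string]$NetBios = "CORP"
    )
    # Refuse to run on a machine that already believes it is domain-joined; that is the
    # state behind the "mapping between account names and SIDs" error in the Notes.
    $cs = Get-CimInstance Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        throw "Already a member of $($cs.Domain). Leave first: Add-Computer -WorkgroupName WORKGROUP -Force"
    }
    # Prompt for the credential instead of embedding the password: a literal in the
    # command ends up in the PowerShell history and in any transcript.
    $cred = Get-Credential -UserName "$NetBios\Administrator" -Message "Account allowed to join $Domain"
    # -PassThru returns a ComputerChangeInfo object so the outcome is checked before rebooting.
    $result = Add-Computer -DomainName $Domain -Credential $cred -Force -PassThru
    if (-not $result.HasSucceeded) { throw "Join of $($result.ComputerName) to $Domain failed" }
    Write-Host "Joined $($result.ComputerName) to $Domain, rebooting..."
    Restart-Computer -Force
}

function Grant-LabRdpAccess {
    param([string]$Member = "CORP\GG_RDPUsers")
    # The secure channel to DC01 only exists after the post-join reboot; stop if it is not there.
    if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) { throw "Not domain-joined yet" }
    if (-not (Test-ComputerSecureChannel)) {
        throw "Secure channel to the domain is broken; see Test-ComputerSecureChannel -Repair"
    }
    # Idempotent: only add the group if it is not already a member.
    $members = Get-LocalGroupMember -Group "Remote Desktop Users" | Select-Object -ExpandProperty Name
    if ($members -contains $Member) {
        Write-Host "$Member is already in Remote Desktop Users"
    } else {
        Add-LocalGroupMember -Group "Remote Desktop Users" -Member $Member
        Write-Host "Added $Member to Remote Desktop Users"
    }
    # Domain Admins get RDP through local Administrators; everyone else through this group.
    Get-LocalGroupMember -Group "Remote Desktop Users" | Format-Table Name, ObjectClass, PrincipalSource
}
```

Add-Computer is called with a Domain Admin here because that is what the lab provides; on a real network the join account should be a delegated one with only the right to create computer objects in the target OU.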

Step 4: test with an AD user

From a Linux/macOS host (3391 is the loopback port forwarded to PC01's RDP; /cert:ignore skips certificate validation, acceptable on loopback in a lab; omit /p: to be prompted rather than leave the password in shell history):

xfreerdp3 /v:127.0.0.1:3391 /u:pmartin /d:CORP /p:'<pwd>' /cert:ignore +clipboard /size:1600x900 /dynamic-resolution

On Windows, use mstsc against 127.0.0.1:3391 with CORP\pmartin.

Once logged in, validate:

whoami
whoami /groups
Get-ComputerInfo | Select CsDomain, CsDomainRole

You should see CORP\pmartin, AD groups, and CsDomainRole : MemberWorkstation.

Notes

  • An account with "must change password at next logon" cannot RDP via NLA, because NLA authenticates before the session exists and has no change-password dialog. Either unset the flag on DC01 (Set-ADUser -Identity pmartin -ChangePasswordAtLogon $false) or force /sec:rdp on the xfreerdp command line to get the change-password screen. /sec:rdp drops NLA and uses the legacy RDP security layer; keep that to the lab.
  • If Add-Computer fails with The mapping between account names and SIDs was not done, the PC is in a half-joined state. Switch it back to a workgroup (Add-Computer -WorkgroupName "WORKGROUP" -Force), reboot, then retry the join.
  • Clean up stale computer accounts in CN=Computers when you recreate a client (Remove-ADComputer PC01 on DC01); a leftover PC01 object otherwise conflicts with the fresh join.

Next

07-join-linux-client.md for the Linux side.