Lab_AD_Complet/docs/etudiant/en/06-join-windows-client.md
Corentin 8e1b06e090 Initial lab release: Docker-based Active Directory lab
Complete Active Directory teaching environment based on dockurr/windows:
- Windows Server domain controller, Windows 11 client, Debian 12 client
- docker-compose orchestration, env-driven configuration
- Bilingual documentation (FR + EN) for students
- Dual approach (GUI + PowerShell) in every procedure
- Instructor course plan and reference scripts
- RDP launcher scripts for Linux, macOS and Windows

Made by AcadéNice - https://acadenice.fr/
2026-04-17 11:29:49 +02:00


# Join the Windows client to the domain
Goal: start the `pc01` container, install Windows 11, then join the machine
to `corp.lab`.
## Start the container
```
docker compose up -d pc01
```
Windows 11 installs unattended, same as `DC01`. Allow 20 to 40 minutes. Track
via:
- [http://localhost:8009](http://localhost:8009)
- `docker compose logs -f pc01`
Once the desktop is available:
```
./scripts/rdp-client.sh
```
Local credentials: `LocalAdmin` / `AD_ADMIN_PASSWORD` (same value as DC01 in
this lab).
## Step 1: prepare the client
### Rename
Fresh dockurr installs ship with an auto-generated hostname (`WIN-xxxxxxx`).
Rename before joining. GUI: `Settings > System > About > Rename this PC`. Or
PowerShell:
```
Rename-Computer -NewName "PC01" -Restart
```
### Point DNS to the DC
Without correct DNS, the join fails. PC01 must query DC01 to resolve
`corp.lab` and AD SRV records.
GUI: `Settings > Network > Network adapter properties > Edit DNS settings`.
PowerShell:
```
Get-NetAdapter | Format-Table Name, Status
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses <DC_IP>
```
See the docker specifics block below to pick the IP.
### Docker lab specifics
`dockurr/windows` runs Windows inside a VM with internal NAT. The DC
advertises its internal VM IP in DNS, which is not routable from `PC01`. But
the DC container has a DNAT rule forwarding all ports to its VM.
Solution: use the DC **container** IP (visible via `docker inspect lab-dc01`)
and add a `hosts` entry so name resolution lands on it.
In PowerShell on PC01:
```
# Run from an elevated PowerShell: the hosts file is writable by administrators only.
# Replace <DC_CONTAINER_IP> with the value from (on the Docker host):
# docker inspect lab-dc01 --format '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}'
Add-Content C:\Windows\System32\drivers\etc\hosts "`n<DC_CONTAINER_IP> corp.lab dc01.corp.lab dc01"
# Drop cached answers so the new hosts entry is used immediately
ipconfig /flushdns
```
Test:
```
Test-NetConnection -ComputerName corp.lab -Port 389
nslookup corp.lab
```
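The two commands above only cover LDAP and the bare domain name. The following script is an added pre-join check, not part of the lab's own scripts: it verifies every prerequisite from Step 1 at once (hostname renamed, hosts override in place, `corp.lab`/`dc01` resolving to the container IP rather than the VM's NAT IP, the DC locator SRV record answered, and Kerberos/LDAP/SMB reachable). `$DcContainerIp` is assumed to be the value from `docker inspect lab-dc01`.

```powershell
# Added pre-join check for PC01 (not part of the lab repository).
# Assumes the DNS server and hosts entry from Step 1 are already set.
param(
    [Parameter(Mandatory)][string]$DcContainerIp,
    [string]$Domain = "corp.lab",
    [string]$DcHost = "dc01.corp.lab"
)

$ok = $true
function Check($label, $cond) {
    if ($cond) { Write-Host "[OK]   $label" }
    else       { Write-Host "[FAIL] $label"; $script:ok = $false }
}

# 1. Hostname must already be renamed, not the dockurr default WIN-xxxxxxx
Check "Hostname is not the auto-generated WIN-*" ($env:COMPUTERNAME -notlike "WIN-*")

# 2. The hosts file must carry the override pointing at the DC container IP
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$hostsLine = Get-Content $hostsPath |
    Where-Object { $_ -match "^\s*$([regex]::Escape($DcContainerIp))\s" }
Check "hosts entry for $DcContainerIp present" ($null -ne $hostsLine)

# 3. corp.lab and dc01 must resolve to the container IP, not the VM's internal NAT IP.
#    Resolve-DnsName consults the hosts file by default, so the override is visible here.
foreach ($name in @($Domain, $DcHost)) {
    $resolved = (Resolve-DnsName $name -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'A').IPAddress
    Check "$name resolves to $DcContainerIp (got: $resolved)" ($resolved -contains $DcContainerIp)
}

# 4. Add-Computer locates a DC through this SRV record; it must come from DC01's DNS
$srv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
Check "SRV _ldap._tcp.dc._msdcs.$Domain answered" ($null -ne $srv)

# 5. Kerberos (88), LDAP (389) and SMB (445) must pass through the container's DNAT
foreach ($port in 88, 389, 445) {
    $tnc = Test-NetConnection -ComputerName $DcContainerIp -Port $port -WarningAction SilentlyContinue
    Check "TCP $port open on $DcContainerIp" $tnc.TcpTestSucceeded
}

if ($ok) { Write-Host "All checks passed: ready for Add-Computer." }
else     { Write-Host "Fix the failed checks before joining."; exit 1 }
```

Save it as e.g. `Test-JoinReady.ps1` on PC01 and run `.\Test-JoinReady.ps1 -DcContainerIp <DC_CONTAINER_IP>` from an elevated prompt; a non-zero exit code means at least one prerequisite is missing.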
## Step 2: join the domain
### GUI
1. `Settings > System > About > Join a domain` (or `sysdm.cpl > Change`)
2. Enter `corp.lab`, confirm
3. Enter `CORP\Administrator` credentials
4. Restart when prompted
### PowerShell
Key cmdlet: `Add-Computer`.
```
# The password is the lab's AD_ADMIN_PASSWORD value; -Force is required to build
# a SecureString from plain text
$pass = ConvertTo-SecureString "AdminP@ss!2026" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("CORP\Administrator", $pass)
# -Restart reboots immediately after the join completes
Add-Computer -DomainName corp.lab -Credential $cred -Restart
```
## Step 3: allow an AD user to RDP
By default, only local `Administrators` can RDP. After joining, the local
`Administrators` contains `CORP\Domain Admins`, so a domain admin can RDP.
Standard users must be explicitly added.
### GUI
1. Right-click `This PC > Properties > Remote Desktop settings`
2. `Select users` > add `CORP\pmartin` (or an AD group)
### PowerShell
```
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "CORP\pmartin"
```
In practice, create a dedicated AD group (e.g. `GG_RDPUsers`) and push it via
GPO to the local group on every machine.
## Step 4: test with an AD user
From Linux/macOS host:
```
xfreerdp3 /v:127.0.0.1:3391 /u:pmartin /d:CORP /p:'<pwd>' /cert:ignore +clipboard /size:1600x900 /dynamic-resolution
```
On Windows, use `mstsc` with `CORP\pmartin`.
Once logged in, validate:
```
whoami
whoami /groups
Get-ComputerInfo | Select CsDomain, CsDomainRole
```
You should see `CORP\pmartin`, AD groups, and `CsDomainRole : MemberWorkstation`.
## Notes
- An account with "must change password at next logon" cannot RDP via NLA.
Either unset the flag on the DC
(`Set-ADUser -Identity pmartin -ChangePasswordAtLogon $false`) or force `/sec:rdp`
in xfreerdp to get the change-password screen.
- If `Add-Computer` hits `The mapping between account names and SIDs was not
done`, the PC is in a broken domain state. Switch to workgroup
(`Add-Computer -WorkgroupName "WORKGROUP" -Force`) then retry.
- Clean up stale computer accounts in `CN=Computers` when you recreate a
client.
## Next
`07-join-linux-client.md` for the Linux side.