Lab_AD_Complet/docs/etudiant/en/troubleshooting.md
Corentin 8e1b06e090 Initial lab release: Docker-based Active Directory lab
Complete Active Directory teaching environment based on dockurr/windows:
- Windows Server domain controller, Windows 11 client, Debian 12 client
- docker-compose orchestration, env-driven configuration
- Bilingual documentation (FR + EN) for students
- Dual approach (GUI + PowerShell) in every procedure
- Instructor course plan and reference scripts
- RDP launcher scripts for Linux, macOS and Windows

Made by AcadéNice - https://acadenice.fr/
2026-04-17 11:29:49 +02:00


Troubleshooting

Common issues encountered while setting up the lab.

Windows installation stuck

Symptom: http://localhost:8006 stays on the ISO download screen.

Causes:

  • Slow/interrupted internet (ISO is several GB)
  • Not enough host disk space
  • btrfs filesystem on /storage (dockurr warns, rarely blocking)

Check the logs with docker compose logs -f dc01 and restart the container if needed.

/dev/kvm not accessible

Symptom: KVM acceleration not available in dockurr logs.

Causes:

  • Virtualization disabled in BIOS
  • Your user not in the kvm group
  • WSL2 without nested virt (Windows)

Fixes:

  • Linux: sudo usermod -aG kvm $USER, then log out and back in
  • Windows: edit %USERPROFILE%\.wslconfig with nestedVirtualization=true
  • macOS Apple Silicon: unsupported, use UTM

Rename-Computer rejects authentication

Symptom: Rename-Computer : ... The user name or password is incorrect.

Happens on a fresh install before any domain membership. The cmdlet attempts a local authentication that fails for obscure reasons.

Fixes:

  • Use the GUI: sysdm.cpl > Change
  • Or the registry:
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "Hostname" -Value "NEW"
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "NV Hostname" -Value "NEW"
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName" -Name "ComputerName" -Value "NEW"
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName" -Name "ComputerName" -Value "NEW"
    Restart-Computer -Force
    

Add-Computer: "the computer is already in this domain"

The PC is in a partial domain state (DNS suffix, workgroup with the same name as the domain's NetBIOS name, prior join). Clean up first:

Add-Computer -WorkgroupName "WORKGROUP" -Force
Restart-Computer -Force

If Remove-Computer fails with The mapping between account names and SIDs was not done, force via WMI:

$cs = Get-WmiObject Win32_ComputerSystem
$cs.UnjoinDomainOrWorkgroup($null, $null, 0)
Restart-Computer -Force

RDP denies the AD user

Symptom: ERRCONNECT_CONNECT_TRANSPORT_FAILED after NLA with freerdp, or "access denied" with mstsc.

Cause: by default, only local Administrators can connect over RDP. Domain users are not granted that right.

Fix on the client:

Add-LocalGroupMember -Group "Remote Desktop Users" -Member "CORP\pmartin"

In production, push this group membership via GPO.

"Password must change" over freerdp

Symptom: ERRCONNECT_PASSWORD_MUST_CHANGE.

freerdp with NLA cannot display the change-password screen. Two options:

  • Clear the flag on the DC:
    Set-ADAccountPassword -Identity pmartin -Reset -NewPassword (ConvertTo-SecureString "NewP@ss!2026" -AsPlainText -Force)
    Set-ADUser -Identity pmartin -ChangePasswordAtLogon $false
    
  • Or bypass NLA (the host must accept non-NLA connections):
    xfreerdp3 /sec:rdp ...
    

realm discover returns nothing

Causes:

  • Wrong DNS on linux01 (check /etc/resolv.conf)
  • DC not answering on port 53
  • dbus not running in the container:
    dbus-daemon --system --fork
    

sssd fails to start

Symptom: Invalid option -f: unknown option when realm join runs service sssd restart.

Context: docker images without full init (no systemd). Start manually:

/usr/sbin/sssd --daemon

AD user not resolved on Linux

id pmartin@corp.lab
# "no such user"

Common causes:

  • sssd not running (see above)
  • sssd cache out of sync: sss_cache -E
  • Domain missing from realm list: the join silently failed, retry with realm join -v

Share inaccessible from a client

  • User not in the DL group: Get-ADGroupMember DL_Share_Common_R
  • Kerberos token not refreshed: log off and log back on
  • Restrictive NTFS ACL: check via Get-Acl or Security tab

Full lab reset

To start fresh without touching the rest of your system:

docker compose down -v
rm -rf ./storage-dc01 ./storage-pc01
docker compose up -d dc01