Lab_AD_Complet/docs/etudiant/en/troubleshooting.md

# Troubleshooting

Common issues encountered while setting up the lab.

## Windows installation stuck

Symptom: http://localhost:8006 stays on the ISO download screen.

Causes:

- Slow/interrupted internet (ISO is several GB)
- Not enough host disk space
- `btrfs` filesystem on `/storage` (dockurr warns, rarely blocking)

Check `docker compose logs -f dc01`, restart if needed.

## /dev/kvm not accessible

Symptom: `KVM acceleration not available` in dockurr logs.

Causes:

- Virtualization disabled in BIOS
- Your user not in the `kvm` group
- WSL2 without nested virt (Windows)

Fixes:

- Linux: `sudo usermod -aG kvm $USER`, reconnect
- Windows: edit `%USERPROFILE%\.wslconfig` with `nestedVirtualization=true`
- macOS Apple Silicon: unsupported, use UTM

## Rename-Computer rejects authentication

Symptom: `Rename-Computer : ... The user name or password is incorrect.`

Happens on a fresh install before any domain membership. The cmdlet attempts
a local authentication that fails for obscure reasons.

Fixes:

- Use the GUI: `sysdm.cpl > Change`
- Or the registry:
  ```
  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "Hostname" -Value "NEW"
  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "NV Hostname" -Value "NEW"
  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName" -Name "ComputerName" -Value "NEW"
  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName" -Name "ComputerName" -Value "NEW"
  Restart-Computer -Force
  ```

## Add-Computer: "the computer is already in this domain"

The PC has a partial domain state (DNS suffix, workgroup with the same name
as the domain NetBIOS, prior join). Clean first:

```
Add-Computer -WorkgroupName "WORKGROUP" -Force
Restart-Computer -Force
```

If `Remove-Computer` fails with `The mapping between account names and SIDs
was not done`, force via WMI:

```
$cs = Get-WmiObject Win32_ComputerSystem
$cs.UnjoinDomainOrWorkgroup($null, $null, 0)
Restart-Computer -Force
```

## RDP denies the AD user

Symptom: `ERRCONNECT_CONNECT_TRANSPORT_FAILED` after NLA with freerdp, or
"access denied" with mstsc.

Cause: by default only local `Administrators` can RDP. Domain users aren't
granted.

Fix on the client:

```
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "CORP\pmartin"
```

Push via GPO in production.

## "Password must change" over freerdp

Symptom: `ERRCONNECT_PASSWORD_MUST_CHANGE`.

freerdp with NLA cannot display the change-password screen. Two options:

- Clear the flag on the DC:
  ```
  Set-ADAccountPassword -Identity pmartin -Reset -NewPassword (ConvertTo-SecureString "NewP@ss!2026" -AsPlainText -Force)
  Set-ADUser -Identity pmartin -ChangePasswordAtLogon $false
  ```
- Or bypass NLA:
  ```
  xfreerdp3 /sec:rdp ...
  ```

## realm discover returns nothing

Causes:

- Wrong DNS on `linux01` (check `/etc/resolv.conf`)
- DC not answering on port 53
- `dbus` not running in the container:
  ```
  dbus-daemon --system --fork
  ```

## sssd fails to start

Symptom: `Invalid option -f: unknown option` when `realm join` runs
`service sssd restart`.

Context: docker images without full init (no systemd). Start manually:

```
/usr/sbin/sssd --daemon
```

## AD user not resolved on Linux

```
id pmartin@corp.lab
# "no such user"
```

Common causes:

- sssd not running (see above)
- sssd cache out of sync: `sss_cache -E`
- Domain missing from `realm list`: the join silently failed, retry with
  `realm join -v`

## Share inaccessible from a client

- User not in the DL group: `Get-ADGroupMember DL_Share_Common_R`
- Kerberos token not refreshed: relogon
- Restrictive NTFS ACL: check via `Get-Acl` or Security tab

## Full lab reset

To start fresh without touching the rest of your system:

```
docker compose down -v
rm -rf ./storage-dc01 ./storage-pc01
docker compose up -d dc01
```