Join Active Directory Domain Controller from windows machine running WDE

Introduction

This guide walks you through a practical demonstration of joining a client machine to an AD domain controller via Netfoundry service including config steps.

Sample Architecture

AD_via_Ziti.drawio.png

For this demonstration, we have considered setting up a network between an ER running on a VMWARE VM on-premise (Assuming it is the headquarters) and Azure South India that hosts the Windows 11 client VM. The NetFoundry-hosted edge routers are provisioned at Azure & AWS in India. We expect to join the Azure VM to AD domain controller hosted at HQ.

 

Step 1. Build the Network using our Getting Started Guide.

https://support.netfoundry.io/hc/en-us/articles/4418243181453-Sign-up-for-NetFoundry-console-access-and-create-your-Zero-Trust-Network

Step 2. Create endpoint identity in NetFoundry. (remote user identity)

To get started with creating your Endpoint, navigate to Network Settings → Manage Endpoints. From there, click the blue plus sign in the upper right-hand corner to create a new Endpoint.

To know more about creating and managing the endpoint, click here.

Download the resulting "endpoint_name.jwt". Follow the directions for desired OS below:

Windows

Mac

Linux

Step 3. Provision of NetFoundry-hosted Edge routers

At least one publicly accessible Edge Router is required for endpoints and edge routers to create a fabric. Having a min of two hosted ERs is a best practice for redundancy and smart routing. 

To learn more about Edge Routers go to the Create and Manage Edge Routers article on the NetFoundry Support Hub.

Step 4. Provision of Customer-hosted Edge Routers ( On-prem ) :

Customer self-hosted Edge Routers (CERs) act as egress routers for endpoints / other CERs to reach the services terminated on the CER endpoint.

Create and Register CERs in a private cloud

Use the below deployment guides to provision a customer-hosted Edge Router into a branch office or a private cloud.

https://support.netfoundry.io/hc/en-us/articles/5700949793293-Deployment-guides-for-provisioning-customer-edge-routers-in-a-private-cloud

Create and Register CERs on AWS / Azure / OCI / any Public Cloud

Use the below deployment guides to provision a customer-hosted Edge Router into your AWS / Azure/ GCP/ OCI.

https://support.netfoundry.io/hc/en-us/articles/5701001893133-Deployment-guides-for-provisioning-customer-edge-routers-in-public-clouds

 

Step 5. Create a Service

The service definition provides the details of what device or devices will be utilized to provide access to services, either on the device (Zero Trust Client SDK Application) or the network connected to the device (via its LAN, for example).  The service also defines how the endpoints acting as clients will access the service.  Also, the service hosting details are provided.

To know more about Services go to Create and Manage Services article on the Netfoundry support hub.

 

chrome_3orIaLGoxN.png

Note: In this case, you have to enter a wildcard hostname of FQDN of your domain controller at intercept IP and Microsoft recommended Ports for the service. Active directory service from Microsoft uses SRV and requires support for wild card DNS.

 

Step 6. Creating the AppWAN

The AppWAN defines the services that one or more client endpoints can access.

To know more about AppWAN go to Create and Manage AppWAN article on the Netfoundry support hub.

chrome_ZMs0VBaKkl.png

Note: The endpoint/service/edge router attribute will select all endpoints/services/edge routers with that specific attribute. The @ symbol is used to tag Individual endpoints/services/edge routers and the # symbol is used to tag a group of endpoints/services/edge routers.

 

Step 7. Add DNS server IP in Customer Hosted ER

Adding the local DNS server IP address in a customer-hosted ER helps to resolve the intercepted wild card URL (*.netfoundrylocal.io) in the above-created service. To know more about static configuration click here.

  • Use the below command to initiate a customer ER static IP configuration 
    $sudo set-ip.sh      
  • Find the below screen capture for static IP configuration on HQ Customer Hosted ER

          vmware_giT9iAlfpI.png                                                                            vmware_ekGb6TeBb8.png

  • In this scenario, we are hosting the DNS service in the Active Directory server itself.
  • Use the below command to validate the DNS resolution
    $nslookup netfoundrylocal.io

         vmware_1EkYsykOZp.png

Step 8. Join the Client in Domain Controller

Before you join the DC from you windows machine running WDE, check that everything works fine as expected from powershell

Resolve-DnsName cs.netfoundrylocal.io -Type SRV

To know more about joining the client machine in the domain controller click here

  • On the Desktop, click the start button, type Settings, and then press ENTER.

  • Navigate to System then go to about.

  • Under computer name, domain, and workgroup settings, click change settings.

  • Under the Computer Name tab, click Change.

  • Under Member of, click domain, type the name of the domain that you wish this computer to join, and then click OK.

  • Click OK in the Computer Name/Domain Changes dialog box, and then restart the computer.

 mstsc_vCToQafI69.png

 

mstsc_VPOoVpTOQw.png

 

mstsc_r7auwD67vD.pngmstsc_b0ydXycHUX.png

 

mstsc_WefKM6kNIj.png

 

Was this article helpful?
2 out of 3 found this helpful

Comments

0 comments

Article is closed for comments.