This guide walks you through a practical demonstration of joining a client machine to an Active Directory (AD) domain controller over a NetFoundry service, including the configuration steps.
For this demonstration, we set up a network between an edge router (ER) running on an on-premises VMware VM (assumed to be the headquarters) and the Azure South India region, which hosts the Windows 11 client VM. The NetFoundry-hosted edge routers are provisioned in Azure and AWS in India. The goal is to join the Azure VM to the AD domain controller hosted at HQ.
Step 1. Build the Network using our Getting Started Guide.
Step 2. Create endpoint identity in NetFoundry. (remote user identity)
To get started with creating your Endpoint, navigate to Network Settings → Manage Endpoints. From there, click the blue plus sign in the upper right-hand corner to create a new Endpoint.
For more on creating and managing endpoints, refer to the NetFoundry endpoint documentation.
Download the resulting "endpoint_name.jwt" and follow the enrollment directions for the desired OS below:
Step 3. Provision of NetFoundry-hosted Edge routers
At least one publicly accessible Edge Router is required for endpoints and edge routers to form a fabric. Having a minimum of two hosted ERs is a best practice for redundancy and smart routing.
Step 4. Provision of Customer-hosted Edge Routers (On-prem):
Customer self-hosted Edge Routers (CERs) act as egress routers that allow endpoints and other CERs to reach the services terminated behind the CER.
Create and Register CERs in a private cloud
Use the deployment guides below to provision a customer-hosted Edge Router into a branch office or a private cloud.
Create and Register CERs on AWS / Azure / OCI / any Public Cloud
Use the deployment guides below to provision a customer-hosted Edge Router into your AWS / Azure / GCP / OCI environment.
Step 5. Create a Service
The service definition specifies which device or devices provide access to the service, either on the device itself (Zero Trust Client SDK application) or on the network connected to the device (for example, via its LAN). The service also defines how endpoints acting as clients access it, and where the service is hosted.
Note: In this case, enter a wildcard hostname or the FQDN of your domain controller as the intercept address, along with the Microsoft-recommended ports for the service. Active Directory relies on SRV records, so the service requires wildcard DNS support.
Step 6. Creating the AppWAN
The AppWAN defines the services that one or more client endpoints can access.
Note: An endpoint/service/edge router attribute selects every endpoint/service/edge router carrying that attribute. The @ symbol tags an individual endpoint/service/edge router, and the # symbol tags a group of endpoints/services/edge routers.
Step 7. Add DNS server IP in Customer Hosted ER
Adding the local DNS server IP address to a customer-hosted ER lets it resolve the intercepted wildcard name (*.netfoundrylocal.io) defined in the service created above. For more on static configuration, refer to the NetFoundry static configuration documentation.
- Use the command below to start the static IP configuration on the customer ER
- See the screen capture below for the static IP configuration on the HQ customer-hosted ER
- In this scenario, the DNS service is hosted on the Active Directory server itself.
- Use the command below to validate DNS resolution
Step 8. Join the Client in Domain Controller
Before you join the domain from your Windows machine running WDE, check from PowerShell that everything works as expected:
Resolve-DnsName cs.netfoundrylocal.io -Type SRV
For more on joining a client machine to a domain controller, refer to the Windows domain-join documentation.
On the desktop, click the Start button, type Settings, and then press Enter.
Navigate to System, then go to About.
Under Computer name, domain, and workgroup settings, click Change settings.
Under the Computer Name tab, click Change.
Under Member of, click Domain, type the name of the domain you want this computer to join, and then click OK.
Click OK in the Computer Name/Domain Changes dialog box, and then restart the computer.
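The following PowerShell script is an added example, not part of this guide or NetFoundry's own tooling. It performs the pre-join checks from Step 8 in a more thorough form (locating the DCs through the SRV records AD registers, then probing the ports the client must reach through the service) and finishes with the same join the GUI steps above perform. It assumes the AD domain is cs.netfoundrylocal.io, the name used on this page; the port list is an assumption, since the page does not enumerate the Microsoft-recommended ports.

```powershell
# Pre-flight check and domain join for the scenario above (added example, not NetFoundry code).
# Assumption: the AD domain is cs.netfoundrylocal.io and the NetFoundry service on this
# Windows client intercepts *.netfoundrylocal.io on the ports listed below.
param(
    [string]$Domain = 'cs.netfoundrylocal.io'
)

# Ports a client normally needs on a DC for join and logon (assumption: the page does not
# list them). Kerberos 88/464, RPC endpoint mapper 135, LDAP 389/636, SMB 445, GC 3268.
# The dynamic RPC range (49152-65535) is not probed here.
$RequiredPorts = @(88, 135, 389, 445, 464, 636, 3268)

# 1. Locate domain controllers via the SRV record AD publishes for DCs. If the service
#    intercept or the ER's DNS server setting (Step 7) is wrong, this is where it fails.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique
if (-not $dcs) {
    throw "No SRV records for $Domain; check the wildcard intercept and the ER DNS setting"
}

# 2. Confirm each DC name resolves and every required port answers through the service.
$failed = @()
foreach ($dc in $dcs) {
    $a = Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue
    if (-not $a) { $failed += "$dc (no A record)"; continue }
    foreach ($port in $RequiredPorts) {
        $ok = Test-NetConnection -ComputerName $dc -Port $port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $ok) { $failed += "$dc tcp/$port" }
    }
}

if ($failed) {
    Write-Host "Prerequisite check failed:`n  $($failed -join "`n  ")"
    exit 1
}
Write-Host "All domain controllers reachable: $($dcs -join ', ')"

# 3. The same join as the Settings dialog steps, from PowerShell; prompts for a domain
#    account permitted to join computers, then restarts the machine.
Add-Computer -DomainName $Domain `
             -Credential (Get-Credential -Message "Account allowed to join $Domain") -Restart
```

Run it from an elevated PowerShell session on the Windows 11 client while WDE is connected; a failure in step 1 points at DNS/intercept configuration, while failures in step 2 point at the service's port definition or the CER's reachability of the DC.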