Let’s have a look at the Windows 11 AD domain join process. In this post, you will learn the prerequisites of Active Directory domain join for Windows 11 PCs, and it walks you through the AD domain join process for Windows 11 computers step by step.
I know most organizations are trying to move to the cloud with Hybrid Azure AD joined and Azure AD joined scenarios instead of AD domain joined ones. But the fact of the matter is that there will still be a lot of AD domain joined Windows 11 PCs.
Microsoft has supported the AD domain join scenario since the Windows 2000 operating system. Until then, it was all about workgroup computers, and most home computers/PCs are still workgroup computers. I have also included firewall port and domain join account permission details in this post.
Workgroup Computers – Windows 11
Workgroup computers store their own database of security principals; it is not stored in a central location, so only local users can access resources on workgroup computers. Even the Windows 11 PC that I joined to the AD domain was part of a workgroup before the join. This post teaches how to move Windows 11 PCs from a workgroup to the Active Directory domain.
Windows 11 AD Domain Join Prerequisites
The following are the prerequisites for joining a Windows 11 PC to an AD domain. There are several prerequisites that you will need to complete before joining a PC to Active Directory. Domain joined computers have their security principals stored in a central location, which is what gives the domain network-wide access control and remote management power over them.
Let’s start digging into the prerequisites of the Windows 11 AD domain join process:
- Windows 11 Pro or Enterprise edition.
- Windows 11 Home version is not supported.
- Windows 11 PC should have connectivity to LAN or WiFi network to reach the local DNS server (for name resolution) and AD Domain Controller.
- Windows 11 PC should have a valid IP to reach other servers.
- The DNS server should have the records of the AD domain controller in your LAN/WAN.
- Windows Firewall and the network firewall should allow communication with both the DNS server and the domain controller; both servers should be reachable from the Windows 11 PC.
- The logged-in user should be a local administrator of the Windows 11 PC.
- A domain join account should be available.
Windows 11 AD Domain Join Firewall Ports
Let’s have a quick look at the Windows 11 AD domain join firewall port requirements. The connectivity that is required is between the Windows 11 PC, the AD domain controller, and the DNS server. There are no additional firewall ports or connectivity requirements for the Windows 11 domain join scenario if you compare it to Windows 10.
So if you are already joining Windows 10 devices to the AD domain, you are already covered in this part.
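The checks below exercise the prerequisites from the list above from the Windows 11 PC itself, before you attempt the join: the edition, local admin membership, DC discovery through DNS, and TCP reachability of the domain controllers. This is an added example and not code from the original post. The domain name MEMCM.com is the post’s example domain; the TCP port list is the standard set Windows uses for domain membership (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, Kerberos password change, LDAPS, global catalog) and is not taken from the post. Run it in an elevated PowerShell session, otherwise the local admin check reports false because of UAC.

```powershell
# Added example, not from the original post. Assumes the domain MEMCM.com (the post's
# example). Port list is the standard set for domain membership, not from the post.
function Test-DomainJoinPrerequisites {
    param([Parameter(Mandatory)][string]$DomainName)

    $result = [ordered]@{}

    # 1. Edition: Home editions cannot be domain joined.
    $edition = (Get-CimInstance Win32_OperatingSystem).Caption
    $result['Edition']          = $edition
    $result['EditionSupported'] = ($edition -notmatch 'Home')

    # 2. The joining user must be a local administrator. With UAC this is only
    #    reported as $true from an elevated session.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $result['IsLocalAdmin'] = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # 3. DNS: a client locates domain controllers through the
    #    _ldap._tcp.dc._msdcs.<domain> SRV record, so this must resolve.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
               -ErrorAction SilentlyContinue
    $dcs = @($srv | Where-Object { $_.QueryType -eq 'SRV' } |
               Select-Object -ExpandProperty NameTarget -Unique)
    $result['DomainControllersFromDns'] = $dcs

    # 4. Firewall: TCP reachability of each discovered DC on the standard ports.
    #    Test-NetConnection only tests TCP; UDP 53/88/389 are not covered here.
    $ports = 53, 88, 135, 389, 445, 464, 636, 3268
    $blocked = @()
    foreach ($dc in $dcs) {
        foreach ($p in $ports) {
            $ok = (Test-NetConnection -ComputerName $dc -Port $p `
                      -WarningAction SilentlyContinue).TcpTestSucceeded
            if (-not $ok) { $blocked += "$dc`:$p" }
        }
    }
    $result['BlockedTcpPorts'] = $blocked

    $result['ReadyToJoin'] = $result['EditionSupported'] -and $result['IsLocalAdmin'] -and
                             ($dcs.Count -gt 0) -and ($blocked.Count -eq 0)
    [pscustomobject]$result
}

Test-DomainJoinPrerequisites -DomainName 'MEMCM.com' | Format-List
```

If DomainControllersFromDns comes back empty, fix the client’s DNS server settings before looking at the firewall; a DC that resolves but shows entries in BlockedTcpPorts points at the network or Windows Firewall rules instead.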
Windows 11 – Domain Join Account Permissions
The following screenshot provides the security permissions required for the domain join account. It’s a shame that there is no RBAC permission group or out-of-box role called Domain Join in Active Directory. I have always seen this differentiation between user and application permissions on one side and computer object related permissions on the other, in terms of authentication and device management.
NOTE! Device management permissions for Active Directory (even for Azure Active Directory) always get a lower priority than authentication features and permissions.
This is why we, as admins, need to go through the pain of assigning permissions for each OU that you want Windows 11 or Windows 10 computers to be part of. In the following example, I have given the domain join account permission on the Computers container.
You will need to make sure that you have enabled View -> Advanced Features. Once the advanced features view is enabled, you can right-click on the Computers container -> go to Properties -> Security tab -> Advanced -> Add button to provide the appropriate permissions for AD domain join.
Select the domain join account after clicking on the Select a principal hyperlink: enter the domain join account and click OK. Once you are there, follow the table below to give permissions (the bare minimum AD domain join service account permissions).
| Minimum AD Domain Join Service Account Permissions | Applies To |
|---|---|
| Read All Permissions | This object only |
| Create Computer Objects | This object and all descendant objects |
| Delete Computer Objects | This object and all descendant objects |
| Write All Properties | Descendant Computer objects |
| Reset Password | Descendant Computer objects |
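The same five entries can be written to the container’s ACL from PowerShell, which is easier to repeat per OU than the Advanced Security dialog. This is an added example, not code from the original post. It assumes the RSAT ActiveDirectory module is installed, that the caller can modify the container’s ACL, the domain MEMCM.com from the post, and a placeholder account name `svc-domainjoin`. The schema GUID of the computer class and the rightsGuid of the Reset Password control access right are looked up from the directory rather than hard-coded. The table’s “Read All Permissions” is mapped here to GenericRead, which is an assumption on my part.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module,
# domain MEMCM.com (from the post) and a placeholder account 'MEMCM\svc-domainjoin'.
Import-Module ActiveDirectory

function Grant-DomainJoinPermission {
    param(
        [Parameter(Mandatory)][string]$Account,   # e.g. 'MEMCM\svc-domainjoin'
        # Default target is the Computers container; pass an OU DN to delegate elsewhere.
        [string]$TargetDN = "CN=Computers,$((Get-ADDomain).DistinguishedName)"
    )

    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # Resolve the GUIDs from the schema and configuration partitions.
    $rootDse      = Get-ADRootDSE
    $computerGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                        -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
    $resetPwdGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                        -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
    $rts   = [System.DirectoryServices.ActiveDirectoryRights]

    $rules = @(
        # Read All Permissions - This object only (mapped to GenericRead; assumption)
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rts::GenericRead, $allow, $inh::None)
        # Create Computer Objects - This object and all descendant objects
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rts::CreateChild, $allow, $computerGuid, $inh::All)
        # Delete Computer Objects - This object and all descendant objects
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rts::DeleteChild, $allow, $computerGuid, $inh::All)
        # Write All Properties - Descendant Computer objects
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rts::WriteProperty, $allow, $inh::Descendents, $computerGuid)
        # Reset Password - Descendant Computer objects
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $rts::ExtendedRight, $allow, $resetPwdGuid, $inh::Descendents, $computerGuid)
    )

    $acl = Get-Acl -Path "AD:\$TargetDN"
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl

    # Read the ACL back and show only the entries for this account.
    (Get-Acl -Path "AD:\$TargetDN").Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}

Grant-DomainJoinPermission -Account 'MEMCM\svc-domainjoin'
```

Keeping the delegation this narrow matters: the account ends up able to create, delete and reset the password of computer objects under that container and nothing else, so if its credentials leak (they typically sit in imaging or MDT task sequences) the blast radius stays limited to computer accounts in that scope.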
Windows 11 Domain Join Process
Now, let’s have a look at the actual domain join process of a Windows 11 PC. The domain controller and the DNS server should be reachable from the PC. Also, make sure you have already taken care of the prerequisites listed above.
Click on the Start or Search option and launch the Settings app on Windows 11 to start the AD domain join process. You must have an AD domain join user account handy. The bare minimum AD domain join service account permissions are given in the table above.
From the Settings app on the Windows 11 PC, click on the System page and scroll down until you reach the About page. You should be logged in with a local admin account to complete the domain join process.
From the About settings page, click on the Domain or workgroup hyperlink to open the classic domain join window (System Properties) on the Windows 11 PC.
From System Properties -> Computer Name tab -> click on the Change button to AD domain join the Windows 11 PC.
It’s now time to enter the name of the domain -> enter the name and password of an account with permission to join the domain.
- Member of – Domain Name -> MEMCM.com.
- User Name -> Enter domain join user name and password.
- Click on OK.
NOTE! – Look into the log file called NetSetup.log, located in the folder C:\Windows\Debug, to troubleshoot the Windows 11 domain join process. If you get any error during this step, that log file will give you more details.
Click OK on the welcome message, then click OK and the Restart button to complete the restart. Once the Windows 11 device has restarted, you can log in with your domain account. In my scenario, it’s the MEMCM/Anoop account.
Until you restart the Windows 11 device, it stays in its current state, which is a workgroup computer from a security and authentication perspective. It also won’t get any of the security enhancements of a domain-joined Windows 11 device yet. You can’t revert the change until the restart is completed: the device is neither fully in the workgroup nor fully in the domain in this particular situation.
- Restart the Windows 11 PC to complete the AD domain join process.
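The GUI steps above (domain name, join credentials, restart) map onto the built-in `Add-Computer` cmdlet, which is what you would use for scripted or imaging-time joins. The block below is an added example, not code from the original post. It assumes the domain MEMCM.com from the post and a placeholder OU path; run it in an elevated PowerShell session on the Windows 11 PC. On failure it shows the tail of the NetSetup.log file the post points at.

```powershell
# Added example, not from the original post. Assumes domain MEMCM.com (the post's
# example); the OU distinguished name is a placeholder to replace.
function Join-Windows11Domain {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        # Omit to land in the default Computers container, as in the post's screenshots.
        [string]$OUPath,
        [switch]$Restart
    )

    # Prompt for the domain join account (the one delegated in the table above).
    $cred = Get-Credential -Message "Domain join account for $DomainName"

    $params = @{ DomainName = $DomainName; Credential = $cred; ErrorAction = 'Stop' }
    if ($OUPath) { $params['OUPath'] = $OUPath }

    try {
        Add-Computer @params
        Write-Host "Joined $DomainName. The membership only takes effect after a restart."
        if ($Restart) { Restart-Computer -Force }
        return $true
    }
    catch {
        Write-Warning "Domain join failed: $($_.Exception.Message)"
        # NetSetup.log records every step of the join (DNS lookup, DC discovery,
        # account creation); the last lines usually name the failing step.
        $log = Join-Path $env:SystemRoot 'Debug\NetSetup.log'
        if (Test-Path $log) { Get-Content -Path $log -Tail 40 }
        return $false
    }
}

# Placeholder OU; use -Restart once you are happy with the result.
Join-Windows11Domain -DomainName 'MEMCM.com' -OUPath 'OU=Workstations,DC=memcm,DC=com'
```

Passing `-OUPath` only works if the join account has the Create Computer Objects permission on that OU rather than on the Computers container, which is the per-OU delegation pain the permissions section describes.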
Result – Windows 11 AD Domain Join Process
You can check the result of the Windows 11 AD domain join process from Active Directory Users and Computers.
You can search for the computer account after launching DSA.MSC. If you check the properties of the Windows 11 computer record, you can see the OS name as Windows 11 Pro!
You can now log in to Windows 11 PC after AD domain join restart using Domain User name and password. You can run two commands as mentioned below to complete the verification of the domain join process of Windows 11.
- Launch the Command Prompt.
- Type in WhoAmI and check whether the logged-in user is a domain user or not.
- Type the `set l` command (it lists the environment variables starting with L, including LOGONSERVER) to check which domain controller this PC is connected to.
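The two Command Prompt checks above can be gathered into one PowerShell report, with a secure channel test added so you also know the computer account’s password trust with the DC is healthy. This is an added example, not code from the original post; it assumes nothing beyond a domain-joined Windows 11 PC and should be run elevated, since `Test-ComputerSecureChannel` requires it.

```powershell
# Added example, not from the original post. Run elevated on the joined PC.
function Get-DomainJoinStatus {
    $cs = Get-CimInstance Win32_ComputerSystem
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # A domain logon has USERDOMAIN set to the domain, a local logon to the PC name.
    $isDomainUser = ($env:USERDOMAIN -ne $env:COMPUTERNAME)

    # Same check as 'set l' at the command prompt: the DC that authenticated the logon.
    $logonServer = $env:LOGONSERVER

    # Verifies the computer account's secure channel to a DC (needs elevation).
    $secureChannel = Test-ComputerSecureChannel -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName  = $cs.Name
        PartOfDomain  = $cs.PartOfDomain
        Domain        = $cs.Domain
        LoggedOnUser  = $id.Name          # what whoami prints
        IsDomainUser  = $isDomainUser
        LogonServer   = $logonServer
        SecureChannel = $secureChannel
        Healthy       = $cs.PartOfDomain -and $isDomainUser -and ($secureChannel -eq $true)
    }
}

Get-DomainJoinStatus | Format-List
```

A join that looks fine in DSA.MSC but reports SecureChannel as false is the case to chase in NetSetup.log and with `nltest /sc_query:<domain>` before handing the device to a user.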
Author
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with over 17 years of experience (calculation done in 2018). He is a blogger, speaker, and local user group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Dear Anoop,
I want to check what the minimum AD server version should be to connect to Windows 11. We have a customer who is running AD on Windows 2008; will I be able to join a Windows 11 desktop to it?
Hi Kiran – I don’t see any additional requirement for Windows 11 if I compare it with Windows 10. So, if Windows 10 domain join works with Windows Server 2008 domain controllers, then Windows 11 domain join should also work with Server 2008 DCs. Disclaimer – I have not tested this scenario. And obviously, all the new features of Windows 11 are not expected to work with an out-of-support DC. And it’s a high risk for the organization to keep 2008 domain controllers.
I have a Windows Server 2008R2 Domain and have successfully joined Windows 7 and Windows 10 computers without issue. But Windows 11 is a nightmare. It appears to join OK but none of the permissions are setup correctly. The Domain Admins group does not have access to Win 11 PC which makes installing software difficult or impossible. I have manually added Domain Admin privs to the C: drive which has solved my software installation issues but I cannot move users’ Documents folders to their network locations (computer hangs, not responding). *sigh*. I currently have no trust in Windows 11 at all.
I can’t reproduce the issue. Are you using any custom images to build Windows 11 devices, and how are you adding the devices to the domain? Are you sure all the required ports are opened? Are there any more details available in the NetSetup.log log file?
A Win11 insider build was brought to my attention recently (22000.652) which had been rejoined/migrated from another domain. After inspecting it, I noticed several things wrong. 1) The computer could not read from the AD DFS sysvol or netlogon shares – it would timeout and then prompt the user for creds (no creds used mattered). 2) the AD acct for it was completely missing the MsDS-SupportedEncryptionTypes attribute, which of course is required to control which methods are allowed on the domain. 3) credential manager was completely hosed. I suspect this could have been part of the problem with issue 2 mentioned.
After fiddling with it for some time, we gave up and notified the end user to roll back or reinstall the OS to a release version. Had this been a fresh install with these issues, I’d have suggested a MS ticket for it, but instead was truly a beta release that a dev thought ‘would be good for testing’… on a production workstation no less.
Hi – I moved a domain joined Windows 11 PC to a warehouse that has no connection to our domain controller about 40 days ago. I was able to log in without issue until this morning. Now when I try and log in I get ‘domain not available’. I unplugged ethernet and cannot log in with cached creds. Question: is there a time limit on how long a Windows 11 PC can go without ‘checking in’ with the domain controller? Thanks for any thoughts.