Let’s have a look at the Windows 11 AD domain join process. In this process, you will learn the prerequisites of Active Directory domain join for Windows 11 PCs. This post also helps you to understand step by step AD Domain join process for Windows 11 computers.
I know most organizations are trying to move to the cloud with Hybrid Azure AD joined, and Azure AD Joined scenarios instead of AD domain joined one. But the real fact of the matter is there will be a lot of AD Domain Joined Windows 11 PCs.
Microsoft supported the AD domain join scenario from Windows 2000 operating system. Until that time, it was all about Workgroup computers. Most of the home computers/PCs are still workgroup computers. I have also included Firewall ports and Domain Join account permission details in this post.
Workgroup Computers – Windows 11
Workgroup computers stores their own database of security principles; it was not stored in a central location. So the only local users can access resources from Workplace computers. Even the Windows 11 PC that I joined to the AD domain was also part of Workgroup. This post teaches how to move Windows 11 PCs from Workgroup to the Active Directory domain.
Windows 11 AD Domain Join Prerequisites
The following are the prerequisites of joining a Windows 11 PC to an AD Domain. There are many prerequisites that you will need to complete before joining a PC to Active Directory. The Domain Join computers store security principles in a central location to give network access and management power remotely.
Let’s start digging into prerequisites of the Windows 11 AD Domain Join process:
- Windows 11 Pro or Enterprise edition.
- Windows 11 Home version is not supported.
- Windows 11 PC should have connectivity to LAN or WiFi network to reach the local DNS server (for name resolution) and AD Domain Controller.
- Windows 11 PC should have a valid IP to reach other servers.
- The DNS server should to have the details of the AD domain controller in your LAN/WAN.
- Windows firewall and Network firewall should be opened to allow communication between both the servers DNS and Domain servers should be reachable from Windows 11 PC.
- The logged in user should be local administrator of Windows 11 PC.
- Domain Join account should be available.
Windows 11 AD Domain Join Firewall Ports
Let’s have a quick look at Windows 11 AD domain join firewall port requirements. The connectivity that is required between Windows 11 PC and AD domain controller and DNS server. There is no additional firewall ports or connectivity requirement for Windows 11 domain join scenario if you compare it to Windows 10.
So if you have already joining Windows 10 devices to the AD domain, you are already covered in this part.
Windows 11 – Domain Join Account Permissions
The following screenshot provides the security permissions required for the domain join account. It’s a shame that there is no RBAC permission group or out-of-box role called Domain Join permission in Active Directory. I have always seen this differentiation between user and application permissions and computer objects related permissions in terms of authentication and device management.
NOTE! Device management permissions for Active Directory (even for Azure Active Directory) always get lower or less priority than authentication features and permissions.
This is why we, as admin, will need to go through the pain of assigning permissions for each OU that you want Windows 11 or Windows 10 computers to be part of. In the following example, I have given Domain join account permission to the Computers container.
You will need to make sure that you have enabled View -> Advance Features. Once the advanced features view is enabled, you can right-click on the Computers container -> got to properties -> Security tab – Advanced -> Add button to provide appropriate permission for AD domain join.
Select the Domain join account after clicking on the Select a Principle hyperlink – Enter the Domain join account and click OK. Once you are there, you need to follow the table mentioned below to give permissions (bare minimum AD Domain Join Service Account Permissions).
|Minimum AD Domain Join Service Account Permissions||Applies To|
|Read All Permissions||This object only|
|Create Computer Objects||This object and all descendant objects|
|Delete Computer Objects||This object and all descendant objects|
|Write All Properties||Descendant Computer objects|
|Reset Password||Descendant Computer objects|
Windows 11 Domain Join Process
Now, let’s have a look into the actual domain join process of a Windows 11 PC. You should have a domain controller and DNS server reachability. Also, make sure you are already taken care of the prerequisites listed above.
You can click on the Start or Search option – Launch the Settings app from Windows 11 to start the AD domain join process. You must have an AD Domain Join user account handy. The bare minimum AD Domain Join Service Account Permissions are given in the above table.
From the settings app on Windows 11 PC, click on the Systems page and scroll down until reaching the About page. You should have a local admin account to complete the domain join process.
From the About settings page and click on Domain or Workgroup hyperlink to open the classic Domain Join Window for Windows 11 PC.
From the System Properties -> Computer Name tab -> Click on Change button to AD domain join Windows 11 PC.
It’s now time to enter the name of the Domain -> Enter the name and password of an account with permission to join the Domain.
- Member of – Domain Name -> MEMCM.com.
- User Name -> Enter domain join user name and password.
- Click on OK.
NOTE! – You will need to look into the log file called NetSetup.log located in folder C:\Windows\Debug to troubleshoot Windows 11 domain join process. If you get any error during this step, the log file mentioned in the above line will help you get more details.
You will need to click OK on the welcome message, then click the OK and Restart button to complete the restart process. Once the Windows 11 device is restarted, you will log in with your domain account. In my scenario, it’s MEMCM/Anoop account.
Until you restart the Windows 11 device, it will stay in the current setting, which is the Workgroup (from a security and authentication perspective) computer. Also, it won’t get any security enhancements from having a Windows 11 domain-joined device. You can’t revert the changes until the restart is completed. The device is neither in Workgroup nor in Domain in this particular situation.
- Restart the Windows 11 PC to complete the AD domain join process.
Result – Windows 11 AD Domain Join Process
You can check the result of the Windows 11 AD domain join process from Active Directory Users and Computers.
You can search for the computer account after launching DSA.MSC. If you can check the properties of the Windows 11 record, you can see the OS name as Windows 11 Pro!
You can now log in to Windows 11 PC after AD domain join restart using Domain User name and password. You can run two commands as mentioned below to complete the verification of the domain join process of Windows 11.
- Launch the Command Prompt.
- Type in WhoAmI and check whether the logged in user is domain user or not.
- Type Set l command to check which domain controller this PC connected to.
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with over 17 years of experience (calculation done in 2018). He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…..…