This article describes how to join a Windows 10/11 or Windows Server 2022/2019/2016 computer to an on-premises Active Directory domain.
Before You Join Windows to an AD Domain
First, let’s look at the basic requirements and preparations that you need to make on your computer before you join an Active Directory domain:
- Only Pro, Education, Pro for Workstations, and Enterprise editions of Windows 10/11 can be joined to a domain. Home editions do not support joining an Active Directory domain;
- Your device needs to be connected to a local network and able to access at least one AD domain controller. We assume that your computer already has an IP address from the local subnet configured, with the IP addresses of the nearest domain controllers specified in the computer’s DNS settings (you can configure the network adapter settings manually or get them from the DHCP server);
- Make sure that your computer can resolve the domain name and can access the domain controller:
ping woshub.loc
- The computer’s local time must be within five minutes of the domain controller’s time. Proper time synchronization is required for Kerberos authentication;
- Set the name of your computer (hostname) to be used in a domain. By default, Windows generates a computer name during installation. However, it’s best to change it to something more meaningful. You can change the computer name using the classic Control Panel (sysdm.cpl). Click Change, enter a new computer name, and press OK. As you can see, the computer is now a member of the default WORKGROUP;
You can also use the PowerShell command to change the computer name:
Rename-Computer -NewName "wks-tst1"
After you change the hostname, you must restart Windows.
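The requirements above can be checked in one pass before attempting the join. The following script is an added example, not part of the original article; it assumes the article's sample domain woshub.loc, treats TCP ports 88, 389 and 445 as the minimum a member needs to reach, and parses the offset line that w32tm prints.

```powershell
# Added example: pre-join checks for the requirements listed above.
# $Domain is the article's sample domain; change it for your environment.
$Domain     = 'woshub.loc'
$MaxSkewSec = 300   # the five-minute Kerberos limit mentioned above

# 1. Edition: Home editions cannot join a domain.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -match 'Home') {
    Write-Warning "Edition '$($os.Caption)' cannot join an AD domain."
}

# 2. DNS: a join needs the DC locator SRV records, not just a reply to ping.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
} catch {
    Write-Warning "No DC locator records for $Domain. Check the DNS servers set on the adapter."
    return
}

foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
    # 3. Reachability: Kerberos (88), LDAP (389), SMB (445).
    $closed = foreach ($port in 88, 389, 445) {
        $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        if (-not $t.TcpTestSucceeded) { $port }
    }

    # 4. Clock offset against this DC; the last output line looks like "12:00:00, +00.0123456s".
    $skew = $null
    $line = w32tm /stripchart "/computer:$dc" /samples:1 /dataonly 2>$null | Select-Object -Last 1
    if ($line -match ',\s*([+-]?\d+\.\d+)s') { $skew = [math]::Abs([double]$Matches[1]) }

    [pscustomobject]@{
        DomainController = $dc
        ClosedPorts      = $closed -join ','
        SkewSeconds      = $skew
        TimeOk           = ($null -ne $skew) -and ($skew -lt $MaxSkewSec)
    }
}
```

An empty ClosedPorts value and TimeOk = True for at least one domain controller mean the network and time prerequisites are met.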
Add Windows to the Domain Using System Properties GUI
You can add your computer to the domain using the classic Control Panel in Windows:
- Run sysdm.cpl and click Change;
- Switch the Member of option to Domain and specify your domain’s name;
- You will be prompted to enter the name and password of a user with delegated administrative AD permissions to join computers to the domain. This may be a regular AD user (by default, any domain user can join up to 10 devices) or a privileged domain administrator account;
- The next thing you should see is the message Welcome to the woshub.loc domain;
- Restart your computer.
To join a Windows Server 2022/2019/2016 computer to an AD domain, open the System Properties dialog box from Server Manager -> Local Server -> Domain.
You can also use the sconfig tool to join a host to a domain. See the article on how to configure the Server Core from the command prompt.
After the computer restarts, the domain Group Policies will be applied to your computer, and you will be able to sign in using your domain user account.
Joining Windows to a Domain via the Settings App
Newer versions of Windows 10 and Windows 11 let you join a computer to an AD domain from the Settings app panel.
- Go to Settings -> Accounts -> Access work or school and click Connect (for a quick jump to this Settings section, use the following URI shortcut command: ms-settings:workplace);
- Click the link below Alternate actions: Join this device to a local Active Directory domain. If your computer has already been added to the domain, you will see a notification, e.g. “Connected to WOSHUB AD domain”;
- Enter the domain name;
- Then specify a domain user credential;
- Skip the next step of adding the user to the Administrators group (you can add a user to the local Admins using GPO);
- You need to restart Windows to complete joining the domain.
How to Join a Computer to a Domain with PowerShell?
To join computers to an Active Directory domain, you can use the Add-Computer PowerShell cmdlet. You can use this command to join a domain with a new hostname and immediately move the computer’s account to a specific OU.
For the simplest case, adding to a domain requires one command only:
Add-Computer -DomainName woshub.loc
Then enter your username and password in the pop-up window.
As mentioned earlier, you can immediately move your computer to a desired OU. In the -OUPath parameter, specify the target OU name in the distinguished name (DN) format:
$OU = "OU=Computers,OU=Munich,DC=woshub,DC=loc"
Add-Computer -DomainName woshub.loc -OUPath $OU -Restart
The -Restart option means that you want to restart Windows immediately after completing the Add-Computer command.
Once the system has been restarted, you can verify that your computer is now a member of the Windows domain by running the command:
Get-WmiObject Win32_NTDomain
This command returns the domain name, AD site name, IP address, and domain controller name used to log on (Logon server).
You can also get your domain name with the command:
systeminfo | findstr /B "Domain"
You can also add a remote computer to the domain. To do this, you must specify the computer name in the -ComputerName parameter:
Add-Computer -ComputerName wks-mn14 -DomainName woshub.loc -Credential woshub\Administrator -LocalCredential wks-mn14\Admin -Restart -Force
Note that the Add-Computer command is missing from the built-in Microsoft.PowerShell.Management module in the new versions of PowerShell Core 6.x and 7.x.
Add-Computer: The term 'Add-Computer' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. Suggestion [4,General]: The most similar commands are: Add-Computer, Stop-Computer, Get-ADComputer, New-ADComputer, Set-ADComputer, Add-Content, Rename-Computer, Add-Member.
Therefore, use powershell.exe instead of pwsh.exe to add a computer to the domain in this case.
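You can also use the netdom.exe tool to join Windows to a domain. However, it requires the installation of the RSAT administration package on the client’s computer and is now very rarely used.
netdom join %computername% /domain:woshub.loc /UserD:woshub\admin /PasswordD:paSS321
A password typed on the command line stays in the console history and in any command-line process logging; netdom also accepts /PasswordD:* to prompt for the password instead.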
To remove a computer from an Active Directory domain and return it to a workgroup, run the following PowerShell command:
Remove-Computer
After you leave the domain, you will need to know the password of the local Administrator account to log onto this computer. Do you wish to continue? [Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y
Pre-staging Computer Accounts in Active Directory
By default, when you join new computers to a domain, they are placed in the built-in Computers container in the domain root. To manually move a computer account to a different OU (Organizational Unit), you can either drag and drop it or use the Move menu item.
An administrator can pre-stage a computer account in Active Directory via the Active Directory Users and Computers dsa.msc snap-in (New -> Computer) or with the New-ADComputer cmdlet from the ActiveDirectory PowerShell module:
New-ADComputer -Name "wks-mn14" -SamAccountName "wks-mn14" -Path "OU=Computers,OU=Munich,DC=woshub,DC=loc"
When you manually create a computer account, make sure that the name you specify matches the hostname of the computer you are adding to the AD domain.
We recommend that you first perform an AD search for computers with the same name. If this name is already in use and you want to assign it to another computer, a solution would be to reset it. Right-click on the computer in AD and select Reset Account.
One more way to reset a computer account in AD is to use PowerShell:
Get-ADComputer -Identity "computername" | % {dsmod computer $_.distinguishedName -reset}
This resets the domain computer password used to establish a trust relationship with AD.
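The name check recommended above can be built into the pre-staging step so that an existing account is never silently reused. This is an added example, not code from the original article; the function name New-PrestagedComputer is hypothetical, and the name and OU are the article's sample values.

```powershell
# Added example: pre-stage a computer account only if the name is free.
# Requires the ActiveDirectory module (RSAT). New-PrestagedComputer is a
# hypothetical helper name, not a built-in cmdlet.
Import-Module ActiveDirectory

function New-PrestagedComputer {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Restricting the name to NetBIOS-safe characters also keeps the
        # -Filter string below free of quotes and wildcards.
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9-]{1,15}$')]
        [string]$Name,

        [Parameter(Mandatory)]
        [string]$OUPath
    )

    # Search the whole domain, not only the target OU: the name must be unique.
    $existing = Get-ADComputer -Filter "Name -eq '$Name'" -Properties PasswordLastSet, LastLogonDate
    if ($existing) {
        Write-Warning "'$Name' already exists. Review it before resetting or reusing the account."
        return $existing |
            Select-Object Name, Enabled, DistinguishedName, PasswordLastSet, LastLogonDate
    }

    if ($PSCmdlet.ShouldProcess("$Name in $OUPath", 'Create computer account')) {
        New-ADComputer -Name $Name -SamAccountName $Name -Path $OUPath -PassThru
    }
}

# Dry run with the article's sample values; remove -WhatIf to create the account.
New-PrestagedComputer -Name 'wks-mn14' -OUPath 'OU=Computers,OU=Munich,DC=woshub,DC=loc' -WhatIf
```

When the name is already taken, the returned PasswordLastSet and LastLogonDate values show whether the existing account still belongs to an active machine before you decide to reset it.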