{"id":10663,"date":"2025-12-19T13:35:10","date_gmt":"2025-12-19T18:35:10","guid":{"rendered":"https:\/\/stevepedwards.today\/DebianAdmin\/?p=10663"},"modified":"2025-12-25T15:38:14","modified_gmt":"2025-12-25T20:38:14","slug":"incoherent-hints-post-for-hyperv-setup-of-server2022-win10-and-win11-subnet","status":"publish","type":"post","link":"https:\/\/stevepedwards.today\/DebianAdmin\/incoherent-hints-post-for-hyperv-setup-of-server2022-win10-and-win11-subnet\/","title":{"rendered":"Notes for HyperV Setup of Server2022, Win10 and Win11 Subnet"},"content":{"rendered":"<p><strong>Server2022 Hyper V 
Setup:<\/strong><\/p>\n<p>You can easily see the IP addresses of each VM at the bottom of the Hyper V screen:<\/p>\n<p>net start vmms<\/p>\n<p>You can turn on all VMs from the Host with:<\/p>\n<p><span style=\"color: #0000ff;\"><span class=\"hljs-built_in\">Get-VM<\/span> | <span class=\"hljs-built_in\">Where-Object<\/span> {<span class=\"hljs-variable\">$_<\/span>.State <span class=\"hljs-operator\">-eq<\/span> <span class=\"hljs-string\">'Off'<\/span>} | <span class=\"hljs-built_in\">Start-VM<\/span><\/span><\/p>\n<p>IP addresses of the 3 VMs:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1366\" height=\"720\" class=\"wp-image-10939\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-1-6.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1366\" height=\"720\" class=\"wp-image-10940\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-2-6.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1366\" height=\"720\" class=\"wp-image-10941\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-3-6.png\" \/><\/p>\n<p>Host laptop settings to enable the VMs' internal LAN and the shared laptop WiFi for Internet access:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1069\" height=\"244\" class=\"wp-image-10942\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-4-6.png\" \/><\/p>\n<p>The Default Switch has to be left on automatic, where it gets a useless APIPA address. It cannot be disabled or deleted from the host, and it cannot be used with static settings because Windows' internal NAT functions give it a different IP address on every reboot.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"790\" height=\"511\" class=\"wp-image-10943\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-5-6.png\" \/><\/p>\n<p>The HyperV New Default Switch does not 
have NAT functions, so it will retain static IPs on reboot. x.x.x.34 is the Server2022 IP, used for DNS from the server.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"802\" height=\"532\" class=\"wp-image-10944\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-6-6.png\" \/><\/p>\n<p>The laptop WiFi gets DHCP from the router and is shared with the Inet Bridge:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"796\" height=\"510\" class=\"wp-image-10945\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-7-6.png\" \/><\/p>\n<p>This shared adaptor allows the Internal VM LAN to access the Internet.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"363\" height=\"468\" class=\"wp-image-10946\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-8-6.png\" \/><\/p>\n<p>Each VM has the Default Switch (NAT) replaced with an adaptor renamed Inet Bridge to allow all the VMs to connect.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"722\" height=\"687\" class=\"wp-image-10947\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-9-6.png\" \/><\/p>\n<p>Server settings:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1333\" height=\"720\" class=\"wp-image-10948\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-10-6.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1337\" height=\"720\" class=\"wp-image-10949\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-11-6.png\" \/><\/p>\n<p>Win10 IPs:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1336\" height=\"720\" class=\"wp-image-10950\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-12-6.png\" \/><\/p>\n<p><strong>Tips for your 
\"Gold Master\" Backup<\/strong><\/p>\n<p>Before you zip up those VHDX files or export them, here is a quick \"pre-flight\" check to ensure your backups are as small and stable as possible:<\/p>\n<ul>\n<li><strong>Empty the Trash:<\/strong> Empty the Recycle Bin on all three VMs.<\/li>\n<li><strong>Check DNS one last time:<\/strong> Make sure Win10VM and Win11VM still have their Host (A) records in the SBS DNS Manager after the reboot.<\/li>\n<li><strong>The \"Export\" Method:<\/strong> Instead of just copying the .vhdx files, consider using the <strong>Export<\/strong> function in Hyper-V. This packages the VM configuration (RAM, CPU, and Virtual Switch settings) along with the disk, making it much easier to \"Import\" if you ever have to move to a new host laptop. BUT it can disrupt the VM folders by creating nests of double drives, as it doesn\u2019t seem to merge with the folders already there.<\/li>\n<li>Just save the VMs folder to a backup drive. Easier. If the Default Switch is used with static IPs set, Windows usually resets these back to internal DHCP values to suit the NAT function. If you want to retain static settings, you need to add a New Default Switch, which does not use NAT, to save the settings, and leave the Default Switch set to auto for DHCP, which will give it a neutral APIPA address and so make it useless.<\/li>\n<\/ul>\n<p>PS&gt; shutdown \/s \/t 0<\/p>\n<p>Using this command via CMD actually bypasses the Shutdown Tracker window entirely.<\/p>\n<p>Server 2022: The L1 \"First Login\" Workflow<\/p>\n<p>When you first land on the desktop, Server Manager will launch automatically. Here is your L1 checklist to get the lab \"production-ready\":<\/p>\n<p>Local Server Configuration (The L1 Basics)<\/p>\n<p>Click Local Server on the left. This is your \"Dashboard\" for the physical (or virtual) box.<\/p>\n<ul>\n<li>Time Zone: Ensure this is correct. 
If the server time is more than 5 minutes off from the workstations, Active Directory login will fail due to Kerberos security requirements.<\/li>\n<li>Remote Desktop: By default, it's Disabled. An L1 task is often \"Enable RDP so the admins can get in.\" Click \"Disabled\" and toggle it to \"Allow remote connections.\"<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1343\" height=\"766\" class=\"wp-image-10951\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-13-6.png\" \/><\/p>\n<p>Note: Protocol (not a port!) = Any, as it is an App level connection, not OSI 3.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"193\" height=\"133\" class=\"wp-image-10952\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-14-6.png\" \/><\/p>\n<p>I set a Share so it is visible on the network. Noticeable difference in GUI ops speed over Win11 VM! <img loading=\"lazy\" decoding=\"async\" width=\"1366\" height=\"768\" class=\"wp-image-10953\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-15-6.png\" \/><\/p>\n<p>Set a static IP \u2013 server has to have one to have green boxes \u2013 no incorrect configs.<\/p>\n<p>L1 Scenario: \"I can't ping the new server!\"<\/p>\n<p>This is a classic ticket. By default, Windows Server 2022 has the Advanced Firewall locked down tight. It won't even respond to a PING (ICMP).<\/p>\n<ul>\n<li>The L1 Fix: 1. Go to Server Manager &gt; Tools &gt; Windows Firewall with Advanced Security.<\/li>\n<\/ul>\n<p>2. In Inbound Rules, find File and Printer Sharing (Echo Request - ICMPv4-In).<\/p>\n<p>3. 
Right-click and Enable Rule.<\/p>\n<ul>\n<li>\n<ul>\n<li><em>Now your host machine should be able to \"see\" the VM on the network.<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1343\" height=\"766\" class=\"wp-image-10954\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-16-6.png\" \/><\/p>\n<p>Visible in Network, but can\u2019t share yet without Users\/Computers etc added:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"418\" height=\"527\" class=\"wp-image-10955\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-17-6.png\" \/><\/p>\n<p>Server 2022 looks and feels very much like Windows 10\/11, so you won't feel lost. The main difference is that everything is \"Role-Based.\" You don't just \"install an app\"; you \"Add a Role.\"<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1366\" height=\"768\" class=\"wp-image-10956\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-18-6.png\" \/><\/p>\n<p>Promotion to a Domain Controller: For the first in a new domain, 3<sup>rd<\/sup> option \u2013 Add new forest!<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1343\" height=\"766\" class=\"wp-image-10957\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-19-6.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1343\" height=\"766\" class=\"wp-image-10958\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-20-6.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1343\" height=\"766\" class=\"wp-image-10959\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-21-6.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1343\" height=\"766\" class=\"wp-image-10960\" 
src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-22-6.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1366\" height=\"768\" class=\"wp-image-10961\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-23-6.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1366\" height=\"768\" class=\"wp-image-10962\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-24-6.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1366\" height=\"768\" class=\"wp-image-10963\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-25-6.png\" \/><\/p>\n<p>? The \"Nested\" Network Flow<\/p>\n<ol>\n<li>The VM Level (172.27.176.x): Both your Server (.34) and Win11 VM (.35) live in this internal \"NAT Bubble\". For this to happen there needs to be 1 HyperV switch set to Internal;<\/li>\n<\/ol>\n<p>Explain the NATd LAN for the VMs\u2026it complicated as a Default Switch in HyperV uses NAT, bound to the Host Lan Adaptor, but a New Virtual Switch does not use NAT, apparent later\u2026<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"722\" height=\"687\" class=\"wp-image-10964\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-26-6.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"722\" height=\"687\" class=\"wp-image-10965\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-27-6.png\" \/><\/p>\n<p>Each Net adaptor for each VM is also a default switch, set to the same static IP values that the Ghost DHCP gives it at first boot with IP6 unclicked to see IP4 addresses in IPCONFIG, so that it\u00b4s default gateway is the Hyper V 172.x.x.x network, DNS set to the server IP with 8.8.8.8 secondary. 
It should be able to ping the 192.168.1.1 wifi router due to NAT across the host Win11 net adaptor.<\/p>\n<p>BUT this all changes later to get around not being able to change or disable the default switch in the host by adding 2 adaptors to each VM \u2013 one a New Default Switch to enable the internal LAN bubble, the other as a gateway through the host, using metric weighting and unusual IP4 static settings\u2026its complicated!<\/p>\n<p>Enhanced session bug in my host needs to be Basic, else cant login. This means no text copy between host and VMs. Duh.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"722\" height=\"687\" class=\"wp-image-10966\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-28-6.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"722\" height=\"687\" class=\"wp-image-10967\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-29-6.png\" \/><\/p>\n<ol>\n<li>The Virtual Gateway (172.27.176.1): This is the internal side of your laptop's Default Switch. 
It acts as the \"door\" out of the VM world.<\/li>\n<li>The Virtualized Host NAT: Your laptop takes that 172.x traffic and \"translates\" (NAT) it into your laptop's physical IP address.<\/li>\n<li>The Physical Level (192.168.1.x): Your laptop sends the request out via its WiFi adapter to your building's router.<\/li>\n<li>The Gateway (192.168.1.1): The building router sends it to the ISP and out to the Internet.<\/li>\n<\/ol>\n<p>Adding win10:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1026\" height=\"766\" class=\"wp-image-10968\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-30-6.png\" \/><\/p>\n<p>Open CMD as Administrator on the Server.<\/p>\n<p>Add the New Name as an Alias: Type: netdom computername Server2022.server2022.local \/add:sbs.server2022.local <em>(This tells AD: \"I am still Server2022, but I am also going to be known as sbs.\")<\/em><\/p>\n<p>Make the New Name Primary: Type: netdom computername Server2022.server2022.local \/makeprimary:sbs.server2022.local<\/p>\n<p>Reboot the Server:<\/p>\n<p>Shutdown \/r \/t 0<\/p>\n<p>The server will now reboot and swap its identity to sbs without breaking the trust relationship.<\/p>\n<p>Remove the Old Name (Optional): Once you log back in as sbs, you can clean up the old name:<\/p>\n<p>netdom computername sbs.server2022.local \/remove:Server2022.server2022.local<\/p>\n<p>C:\\Users\\Administrator&gt;netdom computername sbs.server2022.local \/remove:Server2022.server2022.local<\/p>\n<p>Successfully removed Server2022.server2022.local as an alternate name for the computer.<\/p>\n<p>The command completed successfully.<\/p>\n<p>C:\\Users\\Administrator&gt;hostname<\/p>\n<p>sbs<\/p>\n<p>wont that name change affect the win 10 vm login?<\/p>\n<p>Yes, it absolutely will. 
Because you changed the \"Boss\" of the domain's name from Server2022 to sbs, your Windows 10 VM is currently holding a \"membership card\" for a server that technically doesn't exist by that name anymore.<\/p>\n<p>Here is exactly what will happen and how to fix it for your Sunday project:<\/p>\n<p>The Problem: The \"Broken Trust\"<\/p>\n<p>The Win10 VM looks for the Domain Controller using DNS and Kerberos.<\/p>\n<ul>\n<li>DNS: This is likely okay because the DC (sbs) updated its own record.<\/li>\n<li>Kerberos: This is the problem. The Win10 VM has a \"Secure Channel\" established with Server2022. Now that the server is sbs, the Win10 machine might give you an error saying: <em>\"The trust relationship between this workstation and the primary domain failed.\"<\/em><\/li>\n<\/ul>\n<p>How to Fix the Win10 VM<\/p>\n<p>You don't need to unjoin and rejoin the domain (which is a hassle). You can usually refresh the trust relationship using PowerShell on the Windows 10 VM:<\/p>\n<ol>\n<li>Log in to the Win10 VM (If domain login fails, use the local admin: .\\LocalAdminName).<\/li>\n<li>Open PowerShell as Administrator.<\/li>\n<li>Run this command: Test-ComputerSecureChannel -Repair -Credential (Get-Credential)<\/li>\n<li>Enter your credentials: Type LABSERVER2022\\Administrator and the password.<\/li>\n<li>Restart the Win10 VM.<\/li>\n<\/ol>\n<p>Renaming the Primary Domain Controller from Server2022 to SBS did not disrupt client workstation connectivity, as the Active Directory Forest name (server2022.local) remained constant. 
Client authentication and trust were maintained via existing DNS resolution within the forest.<\/p>\n<p>server2022.local does not show up in my Network icon, though it has a standard share set, but if I type \\\\sbs it connects to the netlogon and sysvol folders, but not with \\\\server2022.local?<\/p>\n<p>Why it's missing from the \"Network\" Icon<\/p>\n<p>Windows Server 2022 disables Network Discovery by default for security. To make it show up in that \"Network\" folder:<\/p>\n<ol>\n<li>Open Services.msc (The list of background tools).<\/li>\n<li>Find these two services and set them to Automatic (Started):\n<ul>\n<li>Function Discovery Provider Host<\/li>\n<li>Function Discovery Resource Publication<\/li>\n<\/ul>\n<\/li>\n<li>Once those are running, the server \"announces\" itself to the network.<\/li>\n<\/ol>\n<p>roaming profile working for Steve, you need to set up the \"landing zone\" on the server first.<\/p>\n<p>Here is the exact order of operations on your sbs server:<\/p>\n<p>Step 1: Create and Share the Folder<\/p>\n<p>You need a central location where the server will store the profile data.<\/p>\n<ol>\n<li>Create a folder on your data drive (e.g., E:\\Profiles).<\/li>\n<li>Share the folder:\n<ul>\n<li>Right-click Profiles &gt; Properties &gt; Sharing &gt; Advanced Sharing.<\/li>\n<li>Check Share this folder.<\/li>\n<li>Name the share Profiles$ (Adding the $ makes it hidden from casual browsing, which is a pro move).<\/li>\n<\/ul>\n<\/li>\n<li>Permissions: Click Permissions and give Everyone - Full Control.\n<ul>\n<li><em>Note: Don't worry, the security is actually handled in the next step (NTFS).<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p>Step 2: Set the NTFS Security (The \"Gotcha\" Step)<\/p>\n<p>This is where most people get the \"Temporary Profile\" error. 
You must set these specifically so Windows can create Steve's folder for him.<\/p>\n<ol>\n<li>In the same Properties window, go to the Security tab &gt; Advanced.<\/li>\n<li>Disable Inheritance and \"Convert inherited permissions into explicit permissions.\"<\/li>\n<li>Ensure the following are set:\n<ul>\n<li>CREATOR OWNER: Full Control (Subfolders and files only).<\/li>\n<li>System &amp; Administrators: Full Control (This folder, subfolders, and files).<\/li>\n<li>Authenticated Users: List folder\/Read data, Create folders\/Append data (This folder only).<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p>Step 3: Link the Path to Steve\u2019s User Object<\/p>\n<p>Now you tell Active Directory to use that folder for Steve.<\/p>\n<ol>\n<li>Open Active Directory Users and Computers.<\/li>\n<li>Find Steve (the domain user, not the local\/Hotmail one).<\/li>\n<li>Right-click Steve &gt; Properties &gt; Profile tab.<\/li>\n<li>In the Profile path field, type: \\\\sbs\\Profiles$\\%username%<\/li>\n<li>Click Apply. (You will see %username% automatically change to steve).<\/li>\n<\/ol>\n<p>
What to do next in Win10<\/p>\n<p>Once the server is ready, the \"magic\" happens when Steve logs in:<\/p>\n<ul>\n<li>Go to your Win10 VM.<\/li>\n<li>Sign out of your current account.<\/li>\n<li>Log in as LABSERVER2022\\steve.<\/li>\n<li>Windows will see that path on sbs, create a folder called steve.V6 (for Windows 10), and start syncing.<\/li>\n<\/ul>\n<p>Account Lockout Policy:<\/p>\n<p>How to set the \"Trap\" for Steve<\/p>\n<p>To make the lockout happen on your Win10 VM, you need to change this in the Domain policy, not the local one:<\/p>\n<ol>\n<li>Close that window and open Group Policy Management (gpmc.msc).<\/li>\n<li>Navigate to Domains &gt; server2022.local.<\/li>\n<li>Right-click Default Domain Policy and select Edit.<\/li>\n<li>Go to the same path: Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Account Policies &gt; Account Lockout Policy.<\/li>\n<li>Double-click Account lockout threshold and change it to 5.\n<ul>\n<li><em>Windows will likely pop up a box suggesting you also set the duration and reset timer to 30 minutes. Just click OK to accept those defaults.<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<p>The \"Secret Sauce\" for L1<\/p>\n<p>Policies don't apply instantly. 
To make the Win10 VM respect the new \"5 attempts\" rule immediately:<\/p>\n<ul>\n<li>Go to your Win10 VM.<\/li>\n<li>Open Command Prompt and run: gpupdate \/force<\/li>\n<\/ul>\n<p>Now, when you try those bad passwords again, it won't just keep \"thinking\"\u2014it will slam the door shut after the 5th try.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1209\" height=\"593\" class=\"wp-image-10969\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-31-5.png\" \/><\/p>\n<p>The L1 Password Reset Procedure<\/p>\n<ol>\n<li>Open Active Directory Users and Computers on the sbs server.<\/li>\n<li>Find Steve Edwards in the Users list.<\/li>\n<li>Right-click Steve and select Reset Password....<\/li>\n<li>Set the Temporary Password: Type something like Spring2025!.<\/li>\n<li>The \"L1 Golden Rule\": Check the box \"User must change password at next logon.\"\n<ul>\n<li><em>Why?<\/em> This ensures that only Steve knows his actual password once he logs in, protecting you from liability.<\/li>\n<\/ul>\n<\/li>\n<li>Click OK.<\/li>\n<\/ol>\n<p>the \"change pword next login\" box is greyed out<\/p>\n<p>That is a classic \"caught ya\" moment in Active Directory! When that box is greyed out, it\u2019s usually because of a conflicting setting on the Account tab.<\/p>\n<p>Why it's Greyed Out<\/p>\n<p>You cannot force a user to change their password if the account is set so that the password never changes or cannot be changed.<\/p>\n<p>Check these two boxes on Steve's Account tab:<\/p>\n<ol>\n<li>\"User cannot change password\": If this is checked, the \"change at next logon\" box will be greyed out because those two rules contradict each other.<\/li>\n<li>\"Password never expires\": Sometimes, depending on the Windows Server version, having this checked will prevent you from enforcing a \"next logon\" change until you uncheck it.<\/li>\n<\/ol>\n<p>
The L1 Fix<\/p>\n<p>To get control back:<\/p>\n<ul>\n<li>Uncheck\u00a0\"User cannot change password\".<\/li>\n<li>Uncheck\u00a0\"Password never expires\" (at least temporarily).<\/li>\n<li>Hit\u00a0Apply.<\/li>\n<li>Now, the\u00a0\"User must change password at next logon\"\u00a0box should be clickable again.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1209\" height=\"593\" class=\"wp-image-10970\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-32-2.png\" \/><\/p>\n<p><strong>This network gets broken on reboots as the default switch is tied to the host net card, so the static Ips I set to get the VMs working is fucked by the Default switch getting a new random set of addresses \u2013 MS lunacy!<\/strong><\/p>\n<p>THIS IS WHERE you have to create a new virtual switch set as Internal, then set all the VMs to use THAT switch, making the Default Switch, that cannot be removed, redundant on reboots.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"400\" height=\"455\" class=\"wp-image-10971\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-33-2.png\" \/><\/p>\n<p>NOTE you leave the default gateway blank as that is already configured in the Host\u2019s netcard (wifi).<\/p>\n<p>The only way to get a working VM subnet domain that has Inet access also is add 2 adaptors to each VM and share the host NIC with the VMs\/Default switches, 1 set to bridged for each VM so each has a gateway out of the internal network via the host nic.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"722\" height=\"687\" class=\"wp-image-10972\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-34-2.png\" \/><\/p>\n<p>This dual switch per VM gives the VM 2 networks on the 172.27.172.34 static for the Internal network and the other from the Host WIFI router on 192.168.1.x:<\/p>\n<p><img loading=\"lazy\" 
decoding=\"async\" width=\"1343\" height=\"766\" class=\"wp-image-10973\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-35-2.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1343\" height=\"766\" class=\"wp-image-10974\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-36-2.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1343\" height=\"766\" class=\"wp-image-10975\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-37-2.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1343\" height=\"766\" class=\"wp-image-10976\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-38-2.png\" \/><\/p>\n<p>The 172 LAN has static IPs, the 192 LAN is auto. As usual, Win nets never quite work, with the Win11 VM missing from view but available via \\\\Win11VM in Explorer:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1343\" height=\"766\" class=\"wp-image-10977\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-39.png\" \/><\/p>\n<p>The default switch had to be made irrelevant on the host, as it cannot be deleted or disabled, so the metrics set for it are 10 to make it a bad option for traffic for the domain LAN VMs. 
This needs to be done on all 3 VMs, and the New Virtual Switch given metrics of 500 on each VM \u2013 complicated nonsense due to MS randomising the Default switch static settings every reboot, twats!:<\/p>\n<p>The host shows a confusing mess, but it works to get the VMs and host connected to each other by Shares and ping and all have Internet paths:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"859\" height=\"720\" class=\"wp-image-10978\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-40.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1125\" height=\"593\" class=\"wp-image-10979\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-41.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"506\" height=\"652\" class=\"wp-image-10980\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-42.png\" \/><\/p>\n<p>Never consistency with MS! PC own address gets shown in IP6 despite being unclicked in all adaptor! FFS\u2026<\/p>\n<p>So I have a working VM LAN on 172.27.176.x, and a gateway for the VMs via 192.168.1.1. Via Network icon the VMs can see the host \"laptop\" but cannot login as a password field is required when the login to my host is an online MS account that uses a PIN, not a password.<\/p>\n<p><strong>Why this matters for the job<\/strong><\/p>\n<p>In an L1 role, you will get calls from users saying: <em>\"I can't get into the shared drive!\"<\/em> 90% of the time, it's because they are trying to use their laptop's PIN instead of their Domain\/Network password. 
Teaching them that <strong>\"A PIN is for the device; a Password is for the network\"<\/strong> is a standard L1 troubleshooting script.<\/p>\n<p>Account Lockout Policy:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1343\" height=\"766\" class=\"wp-image-10981\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-43.png\" \/><\/p>\n<p>The 1<sup>st<\/sup> Net Adaptor Settings for Server2022:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"722\" height=\"687\" class=\"wp-image-10982\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-44.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"749\" height=\"418\" class=\"wp-image-10983\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-45.png\" \/><\/p>\n<p>The 1<sup>st<\/sup> Net Adaptor Settings for Win10:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"722\" height=\"687\" class=\"wp-image-10984\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-46.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"748\" height=\"409\" class=\"wp-image-10985\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-47.png\" \/><\/p>\n<p>The Inet Bridge adaptor is set to automatic (DHCP, DNS, Gateway etc)<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"722\" height=\"687\" class=\"wp-image-10986\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-48.png\" \/><\/p>\n<p>The VM host adaptor for the Default Switch (Inet Bridge)<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"878\" height=\"530\" class=\"wp-image-10987\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-49.png\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" 
width=\"743\" height=\"448\" class=\"wp-image-10988\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-50.png\" \/><\/p>\n<p>Metrics were set so that the network data path is highly attractive on one adaptor and unattractive on the other: metric 500 (low priority) for the static adaptor and 10 (high priority) for the auto one.<\/p>\n<table>\n<thead>\n<tr>\n<th><strong>Device<\/strong><\/th>\n<th><strong>IP Address<\/strong><\/th>\n<th><strong>Role<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Host Inet Bridge<\/strong><\/td>\n<td><strong>172.27.176.1<\/strong><\/td>\n<td>The \"Gateway\" for the VMs to talk to your laptop.<\/td>\n<\/tr>\n<tr>\n<td><strong>SBS Server<\/strong><\/td>\n<td><strong>172.27.176.34<\/strong><\/td>\n<td>The Domain Controller \/ DNS Provider.<\/td>\n<\/tr>\n<tr>\n<td><strong>Win10VM<\/strong><\/td>\n<td><strong>172.27.176.33<\/strong><\/td>\n<td>Static Workstation<\/td>\n<\/tr>\n<tr>\n<td><strong>Win11VM<\/strong><\/td>\n<td><strong>172.27.176.35<\/strong><\/td>\n<td>The Static Workstation you just restored.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Joining a Windows 11 VM to an older SBS domain (which likely uses a .local extension) is often a \"clash of generations.\" Windows 11 has much stricter security defaults than previous versions.<\/p>\n<p>Since your pings to .1 and 8.8.8.8 are working, the \"pipe\" is open, but the <strong>Domain Handshake<\/strong> is likely being blocked by one of three things.<\/p>\n<p><strong>
Step 1: The \"DNS Search\" Test<\/strong><\/p>\n<p>Windows 11 is very stubborn\u2014if it can't find the _ldap records for the domain, it won't even try to join.<\/p>\n<p>In the Win11 VM, open Command Prompt and run:<\/p>\n<p>nslookup yourdomain.local<\/p>\n<ul>\n<li><strong>If it fails:<\/strong> Your Win11 VM is likely using the <strong>Host (.1)<\/strong> or <strong>Google (8.8.8.8)<\/strong> as its primary DNS.<\/li>\n<li><strong>The Fix:<\/strong> Go to IPv4 settings and ensure <strong>172.27.176.34<\/strong> (SBS) is the <strong>ONLY<\/strong> DNS server listed. Remove the others temporarily.<\/li>\n<\/ul>\n<p><strong>Step 2: Disable IPv6<\/strong><\/p>\n<p>Windows 11 often tries to find the Domain Controller via IPv6 first. If your SBS server isn't configured for IPv6 (which it probably isn't), the join request will time out.<\/p>\n<ol>\n<li>Go to <strong>Network Connections<\/strong> in the Win11 VM.<\/li>\n<li>Right-click your adapter -&gt; <strong>Properties<\/strong>.<\/li>\n<li><strong>Uncheck<\/strong> \"Internet Protocol Version 6 (TCP\/IPv6)\".<\/li>\n<li>Try the join again.<\/li>\n<\/ol>\n<p><strong>Step 3: SMB 1.0 \/ Legacy Compatibility<\/strong><\/p>\n<p>SBS (depending on the version) might be trying to communicate using older protocols that Windows 11 has disabled by default for security.<\/p>\n<ol>\n<li>Search for <strong>\"Turn Windows features on or off\"<\/strong>.<\/li>\n<li>Look for <strong>SMB 1.0\/CIFS File Sharing Support<\/strong>.<\/li>\n<li>Ensure the <strong>SMB 1.0\/CIFS Client<\/strong> is checked.<\/li>\n<li>Restart the VM.<\/li>\n<\/ol>\n<p><strong>The \"NetID\" Shortcut<\/strong><\/p>\n<p>If the GUI \"Join Domain\" button is spinning forever, try the old-school way. 
It often gives a more specific error message:<\/p>\n<ol>\n<li>Right-click the Start button -&gt; <strong>System<\/strong>.<\/li>\n<li>Click <strong>Advanced system settings<\/strong> -&gt; <strong>Computer Name<\/strong> tab.<\/li>\n<li>Click <strong>Network ID...<\/strong> and follow the wizard.<\/li>\n<\/ol>\n<p><strong>Error Message Decoder<\/strong><\/p>\n<p>If it fails again, what is the <strong>exact<\/strong> error message?<\/p>\n<ul>\n<li><strong>\"An Active Directory Domain Controller (AD DC) ... could not be contacted\"<\/strong>: This is 100% a <strong>DNS<\/strong> issue.<\/li>\n<li><strong>\"The specified network name is no longer available\"<\/strong>: This is an <strong>SMB\/Firewall<\/strong> issue.<\/li>\n<li><strong>\"Access Denied\"<\/strong>: You are communicating, but your Administrator credentials or permissions are being rejected.<\/li>\n<\/ul>\n<p><strong>When you ran nslookup, did it return the correct IP address for your SBS server?<\/strong><\/p>\n<table>\n<thead>\n<tr>\n<th><strong>Checkpoint<\/strong><\/th>\n<th><strong>Command \/ Action<\/strong><\/th>\n<th><strong>Why?<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Connectivity<\/strong><\/td>\n<td>ping [DC-IP]<\/td>\n<td>Confirms a basic path exists.<\/td>\n<\/tr>\n<tr>\n<td><strong>DNS<\/strong><\/td>\n<td>nslookup [DomainName]<\/td>\n<td>Confirms the PC can \"find\" the DC.<\/td>\n<\/tr>\n<tr>\n<td><strong>Time<\/strong><\/td>\n<td>w32tm \/query \/status<\/td>\n<td>Confirms Kerberos won't reject the login.<\/td>\n<\/tr>\n<tr>\n<td><strong>Edition<\/strong><\/td>\n<td>winver<\/td>\n<td>Confirms it's not \"Home Edition.\"<\/td>\n<\/tr>\n<tr>\n<td><strong>Firewall<\/strong><\/td>\n<td>wf.msc<\/td>\n<td>Ensures RPC\/NetBIOS traffic isn't blocked.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Back to L1 Support theory.<\/strong> Assume you have no knowledge of my current VM domain issues. 
What possible causes is L1 support expected to know for a Win11 PC not being able to join a Domain?<\/p>\n<p>In an L1 Support interview or scenario, the expectation is that you follow a logical, \"bottom-up\" troubleshooting methodology (<strong>OSI Model layers 1 through 3<\/strong>).<\/p>\n<p>If a Windows 11 machine can't join a domain, an L1 tech is expected to rule out the \"low-hanging fruit\" before escalating to Tier 2 (Server\/Network Admins).<\/p>\n<p><strong>1. Physical &amp; Basic Connectivity (Layer 1 &amp; 2)<\/strong><\/p>\n<p>The most common mistake is assuming the \"pipe\" is open when it isn't.<\/p>\n<ul>\n<li><strong>Network Profile:<\/strong>\u00a0Is the connection set to\u00a0<strong>\"Public\"<\/strong>? Windows 11 aggressively blocks discovery on Public profiles. It must be\u00a0<strong>Private<\/strong>.<\/li>\n<li><strong>Media State:<\/strong>\u00a0Is the cable plugged in \/ is the Virtual Switch connected?<\/li>\n<li><strong>IP Conflicts:<\/strong>\u00a0Does the PC have a valid IP in the same subnet as the Domain Controller (DC), or is it stuck with an APIPA address (169.254.x.x)?<\/li>\n<\/ul>\n<p><strong>2. DNS: The \"Universal\" Domain Killer (Layer 3)<\/strong><\/p>\n<p>In 90% of domain join failures,\u00a0<strong>DNS is the culprit<\/strong>.<\/p>\n<ul>\n<li><strong>Wrong DNS Server:<\/strong>\u00a0The client is using the Router (192.168.1.1) or Google (8.8.8.8) instead of the\u00a0<strong>DC's internal IP<\/strong>.<\/li>\n<li><strong>The L1 Test:<\/strong>\u00a0Run\u00a0nslookup [domain.local]. If it doesn't return the DC's IP address, the join will always fail.<\/li>\n<li><strong>IPv6 Interference:<\/strong>\u00a0Sometimes Windows 11 tries to resolve the domain via IPv6. L1 techs often disable IPv6 temporarily to force the join over IPv4.<\/li>\n<\/ul>\n<p><strong>3. 
Time Synchronization (Clock Skew)<\/strong><\/p>\n<p>Active Directory relies on\u00a0<strong>Kerberos<\/strong>, which is extremely sensitive to time.<\/p>\n<ul>\n<li><strong>The 5-Minute Rule:<\/strong>\u00a0If the workstation's clock is more than\u00a0<strong>5 minutes<\/strong>\u00a0off from the Domain Controller's clock, the security handshake will fail.<\/li>\n<li><strong>The L1 Fix:<\/strong>\u00a0Check the BIOS time or use\u00a0net time \\\\DC-NAME \/set \/y.<\/li>\n<\/ul>\n<p><strong>4. Windows Edition &amp; Credentials<\/strong><\/p>\n<ul>\n<li><strong>Windows Home vs. Pro:<\/strong>\u00a0You\u00a0<strong>cannot<\/strong>\u00a0join Windows 11\u00a0<strong>Home<\/strong>\u00a0to a domain. L1 must verify the user has Pro, Enterprise, or Education.<\/li>\n<li><strong>Account Permissions:<\/strong>\u00a0Does the user (or the tech) have the \"Add Workstations to Domain\" right?\u00a0By default, any authenticated user can join 10 machines, but this is often restricted.<\/li>\n<li><strong>Existing Computer Object:<\/strong>\u00a0If a computer with the same name already exists in Active Directory, and the tech doesn't have \"Reset Password\" rights on that object, the join will fail with \"Access Denied.\"<\/li>\n<\/ul>\n<p><strong>5. 
Summary Table for L1 Quick-Check<\/strong><\/p>\n<table>\n<thead>\n<tr>\n<th>Checkpoint<\/th>\n<th>Command \/ Action<\/th>\n<th>Why?<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Connectivity<\/strong><\/td>\n<td>ping [DC-IP]<\/td>\n<td>Confirms a basic path exists.<\/td>\n<\/tr>\n<tr>\n<td><strong>DNS<\/strong><\/td>\n<td>nslookup [DomainName]<\/td>\n<td>Confirms the PC can \"find\" the DC.<\/td>\n<\/tr>\n<tr>\n<td><strong>Time<\/strong><\/td>\n<td>w32tm \/query \/status<\/td>\n<td>Confirms Kerberos won't reject the login.<\/td>\n<\/tr>\n<tr>\n<td><strong>Edition<\/strong><\/td>\n<td>winver<\/td>\n<td>Confirms it's not \"Home Edition.\"<\/td>\n<\/tr>\n<tr>\n<td><strong>Firewall<\/strong><\/td>\n<td>wf.msc<\/td>\n<td>Ensures RPC\/NetBIOS traffic isn't blocked.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>The \"Golden Answer\" for an Interview<\/strong><\/p>\n<p>If asked this in a test, say:\u00a0<em>\"I would start by verifying the DNS settings, as the machine must be able to resolve the domain's SRV records. 
Then, I'd check the system time for clock skew and ensure the machine is running a Pro or Enterprise edition of Windows.\"<\/em><\/p>\n<p><strong>Since we know your Win11 VM is having this exact issue, would you like to run the\u00a0<\/strong>nslookup<strong>\u00a0and\u00a0<\/strong>winver<strong>\u00a0checks to see which of these L1 hurdles is stopping you?<\/strong><\/p>\n<p><strong>PS C:\\WINDOWS\\system32&gt; ping sbs<\/strong><\/p>\n<p><strong>Pinging sbs.local [172.27.176.34] with 32 bytes of data:<\/strong><\/p>\n<p><strong>Reply from 172.27.176.34: bytes=32 time&lt;1ms TTL=128<\/strong><\/p>\n<p><strong>Reply from 172.27.176.34: bytes=32 time=1ms TTL=128<\/strong><\/p>\n<p><strong>Reply from 172.27.176.34: bytes=32 time&lt;1ms TTL=128<\/strong><\/p>\n<p><strong>Reply from 172.27.176.34: bytes=32 time=1ms TTL=128<\/strong><\/p>\n<p><strong>Ping statistics for 172.27.176.34:<\/strong><\/p>\n<p><strong> Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),<\/strong><\/p>\n<p><strong>Approximate round trip times in milli-seconds:<\/strong><\/p>\n<p><strong> Minimum = 0ms, Maximum = 1ms, Average = 0ms<\/strong><\/p>\n<p><strong>PS C:\\WINDOWS\\system32&gt;<\/strong><\/p>\n<p><strong>PS C:\\WINDOWS\\system32&gt; nslookup sbs.server2022.local<\/strong><\/p>\n<p><strong>DNS request timed out.<\/strong><\/p>\n<p><strong> timeout was 2 seconds.<\/strong><\/p>\n<p><strong>Server: UnKnown<\/strong><\/p>\n<p><strong>Address: 172.27.176.34<\/strong><\/p>\n<p><strong>Name: sbs.server2022.local<\/strong><\/p>\n<p><strong>Address: 172.27.176.34<\/strong><\/p>\n<p><strong>PS C:\\WINDOWS\\system32&gt; w32tm \/query \/status<\/strong><\/p>\n<p><strong>The following error occurred: The service has not been started. 
(0x80070426)<\/strong><\/p>\n<p><strong>PS C:\\WINDOWS\\system32&gt; w32tm \/query \/status<\/strong><\/p>\n<p><strong>Leap Indicator: 3(not synchronized)<\/strong><\/p>\n<p><strong>Stratum: 0 (unspecified)<\/strong><\/p>\n<p><strong>Precision: -23 (119.209ns per tick)<\/strong><\/p>\n<p><strong>Root Delay: 0.0000000s<\/strong><\/p>\n<p><strong>Root Dispersion: 0.0000000s<\/strong><\/p>\n<p><strong>ReferenceId: 0x00000000 (unspecified)<\/strong><\/p>\n<p><strong>Last Successful Sync Time: unspecified<\/strong><\/p>\n<p><strong>Source: Local CMOS Clock<\/strong><\/p>\n<p><strong>Poll Interval: 10 (1024s)<\/strong><\/p>\n<p><strong>PS C:\\WINDOWS\\system32&gt; Test-NetConnection -ComputerName 172.27.176.34 -Port 445<\/strong><\/p>\n<p><strong>ComputerName : 172.27.176.34<\/strong><\/p>\n<p><strong>RemoteAddress : 172.27.176.34<\/strong><\/p>\n<p><strong>RemotePort : 445<\/strong><\/p>\n<p><strong>InterfaceAlias : Ethernet 6<\/strong><\/p>\n<p><strong>SourceAddress : 172.27.176.35<\/strong><\/p>\n<p><strong>TcpTestSucceeded : True<\/strong><\/p>\n<p><strong>PS C:\\WINDOWS\\system32&gt; Get-NetFirewallProfile | select Name, Enabled<\/strong><\/p>\n<p><strong>Name Enabled<\/strong><\/p>\n<p><strong>---- -------<\/strong><\/p>\n<p><strong>Domain True<\/strong><\/p>\n<p><strong>Private True<\/strong><\/p>\n<p><strong>Public True<\/strong><\/p>\n<p><strong>The Next Steps (L1 Troubleshooting Logic)<\/strong><\/p>\n<p><strong>Before we try to join again, we must resolve these two blocks.<\/strong><\/p>\n<p><strong>Step 1: Disable Firewall (Standard L1 \"Rule Out\" Procedure) On the Win11 VM, run: Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False<\/strong><\/p>\n<p><strong>Step 2: Start\/Sync Time (Ensuring the clock is identical to SBS) On the Win11 VM, run: w32tm \/resync \/force<\/strong><\/p>\n<p><strong>PS C:\\WINDOWS\\system32&gt; Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False<\/strong><\/p>\n<p><strong>PS 
C:\\WINDOWS\\system32&gt;<\/strong><\/p>\n<p><strong>PS C:\\WINDOWS\\system32&gt; w32tm \/resync \/force<\/strong><\/p>\n<p><strong>&gt;&gt;<\/strong><\/p>\n<p><strong>Sending resync command to local computer<\/strong><\/p>\n<p><strong>The command completed successfully.<\/strong><\/p>\n<p><strong>PS C:\\WINDOWS\\system32&gt; nslookup sbs.server2022.local<\/strong><\/p>\n<p><strong>Server: UnKnown<\/strong><\/p>\n<p><strong>Address: 172.27.176.34<\/strong><\/p>\n<p><strong>Name: sbs.server2022.local<\/strong><\/p>\n<p><strong>Address: 172.27.176.34<\/strong><\/p>\n<p><strong>The Server: UnKnown persists because there is no Reverse Lookup Zone or PTR Record for the SBS server. In a professional environment, this is an L1 \"Fix it before proceeding\" item.<\/strong><\/p>\n<p><strong>However, since the name still resolves to the correct IP, we can attempt the join. If it fails, we know exactly what to fix in the SBS DNS Manager.<\/strong><\/p>\n<p><strong>The Join Attempt<\/strong><\/p>\n<p><strong>Run this command in PowerShell:<\/strong><\/p>\n<p><strong>Add-Computer -DomainName \"server2022.local\" -Restart<\/strong><\/p>\n<p><strong>One Final L1 \"Best Practice\"<\/strong><\/p>\n<p><strong>Now that you are in, turn the Firewall back on but do it the right way.<\/strong><\/p>\n<p><strong>Since the VM now knows it's on a Domain, it will use the \"Domain Profile\" for its firewall. Most of the ports needed for the domain to function are opened automatically once the machine realizes it's \"Home\" on the DC.<\/strong><\/p>\n<p><strong>Run this to bring the walls back up: Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True<\/strong><\/p>\n<p><strong>
The Lesson Learned<\/strong><\/p>\n<p><strong>In an interview, if they ask: \"What's the hardest part of a domain join?\" You can now answer from experience: \"Ensuring DNS, Time Sync, and Security Profiles are aligned before even touching the 'Join' button.\"<\/strong><\/p>\n<p>Login Script Example:<\/p>\n<p>_______________________________________________________________<\/p>\n<p>@echo off<\/p>\n<p>net use P: \/delete \/y<\/p>\n<p>net use P: \\\\sbs\\Public<\/p>\n<p>:: This is the line that creates the pop-up box with your original info<\/p>\n<p>msg * \"Welcome %USERNAME%. Today is %DATE% and the time is %TIME%. Your P: drive is now mapped.\"<\/p>\n<p>pause<\/p>\n<p>________________________________________________________________<\/p>\n<p><strong><img loading=\"lazy\" decoding=\"async\" width=\"403\" height=\"140\" class=\"wp-image-10989\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-51.png\" \/><\/strong><\/p>\n<p>The folder mapped as the P: drive must already be created and shared on the server's C: drive for the script to map it.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1337\" height=\"593\" class=\"wp-image-10990\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2025\/12\/word-image-10663-52.png\" \/><\/p>\n<p>Shutting down fully before backup: shut down each VM, server LAST! 
Then; net stop vmms<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Server2022 Hyper V Setup: You can easily see the IP Addresses of each VM at the screen bottom of Hyper V: net start vmms You can turn on all VMs from the Host with: Get-VM | Where-Object {$_.State -eq 'Off'} | Start-VM 3 x VMs IP addresses Host laptop settings to enable VMs internal LAN <a href=\"https:\/\/stevepedwards.today\/DebianAdmin\/incoherent-hints-post-for-hyperv-setup-of-server2022-win10-and-win11-subnet\/\" class=\"more-link\">...<span class=\"screen-reader-text\">\u00a0 Notes for HyperV Setup of Server2022, Win10 and Win11 
Subnet<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-10663","post","type-post","status-publish","format-standard","hentry","category-post"],"a3_pvc":{"activated":true,"total_views":20,"today_views":0},"_links":{"self":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/10663","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/comments?post=10663"}],"version-history":[{"count":11,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/10663\/revisions"}],"predecessor-version":[{"id":10759,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/10663\/revisions\/10759"}],"wp:attachment":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/media?parent=10663"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/categories?post=10663"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/tags?post=10663"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}