Active Directory Home Lab Setup (AD DS & DHCP)

Description: in this lab, I used VirtualBox to create virtual machines and simulate setting up a corporate network environment. In this project, I became more familiar with the following technologies:

  • Active Directory Domain Services
  • User Account Creation & Modification
  • PowerShell Scripting
  • RAS/NAT
  • Group Policy
  • DHCP

Network Diagram

network diagram map

Virtual Machines Used

  • Windows 10 Pro (Client 1/User PC)
  • Windows Server 2019 Standard - Desktop Experience (Domain Controller)

For brevity, I’ll skip downloading the ISO files and setting up each virtual machine. In this project I used Oracle VirtualBox which can be found here. For a more in-depth tutorial of this lab, check out Josh Madakor’s YouTube video which I used to setup this project.

Step 1: Domain Controller Setup

With Windows Server 2019 installed and an easy-to-remember password set, our first order of business is setting up the Domain Controller. The DC will host Active Directory Domain Services, RAS/NAT (Remote Access Service with Network Address Translation), and DHCP (Dynamic Host Configuration Protocol). Together these let us replicate a corporate environment: Active Directory for administration, routing between the internal network and the internet, and dynamic IP assignment so the client machines can reach each other and the outside world.

Within the hypervisor settings, the DC virtual machine should already have two network adapters: one attached to NAT (Network Address Translation), which reaches the internet through the host, and one attached to a VirtualBox Internal Network that the client VM will share.

Rename & Configure Domain Controller Networks (NIC)

After logging in to the Domain Controller, we want to go ahead and add custom names to each network so we can more easily tell them apart, which will help us down the road.

To determine which network is which, open the Network Adapter Settings and check the status of each to see its IPv4 address. The internal network will only have an automatic link-local address (169.254…), because nothing is handing out leases on it yet, while the NAT-facing network will look quite different (mine being 10.2…). That address comes from VirtualBox’s built-in NAT DHCP, not from your ISP; VirtualBox translates it to your host’s address on the way out.

After renaming the networks, those would look something more or less like this:

networks renamed

Even though this is our domain controller, and will be handing out dynamic IP addresses via DHCP to the client machines on our network, we want to give this machine a static IP address, subnet mask, and DNS address on the internal NIC according to our map. Leave the default gateway blank on the internal NIC: the NAT-facing NIC already receives a gateway from VirtualBox, and a host should have only one default route.

Through the properties and IPv4 settings on the internal network, you can access the following popup and configure the IP addresses as shown:

internal nic configured

  • good to note here that the DNS address of 127.0.0.1 is the loopback address, so this server queries itself; it is equivalent to entering “172.16.0.1”, the address we’ve just assigned this NIC. Microsoft’s guidance for domain controllers is to list the server’s own IP as the primary DNS server and the loopback address only as a secondary, so 172.16.0.1 first and 127.0.0.1 second is the safer order. Either way, it only works once the DNS Server role is installed, which happens automatically when we promote the DC in the next step.

With that knocked out, we can go ahead and rename this PC so it is easier to identify in the future. (Done through the System settings)

After that, it’ll prompt you to restart, then we can move on to the next step.
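The same Step 1 configuration done from an elevated PowerShell prompt on the DC, as an added example that is not part of the original write-up. The adapter names are discovered from their addresses rather than assumed; the hostname “DC” and the 172.16.0.1/24 address follow the network diagram, and the 10.x prefix for the NAT adapter is an assumption based on VirtualBox’s default NAT range.

```powershell
# Added example: Step 1 (rename NICs, static IP, DNS, hostname) in PowerShell.
# Run elevated on the Windows Server 2019 VM. Not the original post's own steps.

# 1. See which adapter is which. The NAT adapter already has a 10.x address
#    from VirtualBox; the internal adapter only has a 169.254.x.x link-local one.
Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address

$nat      = Get-NetIPAddress -AddressFamily IPv4 | Where-Object IPAddress -like '10.*'
$internal = Get-NetIPAddress -AddressFamily IPv4 | Where-Object IPAddress -like '169.254.*'
if (-not $nat -or -not $internal) { throw 'Could not tell the two adapters apart; check Get-NetIPConfiguration output.' }

# 2. Rename them so the RRAS and DHCP wizards later are unambiguous.
Rename-NetAdapter -Name $nat.InterfaceAlias      -NewName 'INTERNET'
Rename-NetAdapter -Name $internal.InterfaceAlias -NewName 'INTERNAL'

# 3. Static address on the internal NIC per the diagram: 172.16.0.1/24 (mask 255.255.255.0).
#    No -DefaultGateway here: the INTERNET adapter already has one from VirtualBox,
#    and a host should carry only one default route.
New-NetIPAddress -InterfaceAlias 'INTERNAL' -IPAddress 172.16.0.1 -PrefixLength 24

# 4. Point this server's own DNS client at itself. The server's IP goes first,
#    loopback second, matching Microsoft's guidance for domain controllers.
#    Resolution only starts working once the DNS Server role arrives with AD DS.
Set-DnsClientServerAddress -InterfaceAlias 'INTERNAL' -ServerAddresses 172.16.0.1, 127.0.0.1

# 5. Check the result before rebooting.
Get-NetIPConfiguration -InterfaceAlias 'INTERNAL' |
    Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer

# 6. Rename the machine (hostname is an assumption) and reboot.
Rename-Computer -NewName 'DC' -Restart
```

The filter on 10.* is only safe because VirtualBox’s NAT engine hands out that range by default; if your host network also uses 10.x, pick the adapters by name from the first command instead.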

Step 2: Active Directory Domain Services (AD DS) Setup

With that done, we can move on to setting up Active Directory Domain Services (AD DS) and creating our domain. After logging back into the DC you should be looking at Server Manager.

From the Server Manager, we can install AD DS and create our domain.

From the “Add Roles and Features” link, click through to the server roles list, tick Active Directory Domain Services (accept the management tools it pulls in), smash “Next” until you get to the Install prompt, and let it rip.

AD DS install

That’ll take a while, but once done you’ll see a notification flag (a yellow warning triangle) at the top right of the Server Manager Dashboard.

Next, you’ll click on that and run the “Post Deployment Configuration.”

Now select “Add a new forest” for the deployment operation and give the domain a name. You can choose whatever you want, but I went with “mydomain.com” to keep it simple. (Outside a throwaway lab, use a subdomain of a DNS name you actually own, such as ad.yourcompany.com; a name you don’t control can collide with public DNS.)

AD DS install

Windows will prompt you for a DSRM (Directory Services Restore Mode) password. We won’t use it in this lab, but record it somewhere safe: it is the only way into the DC if the directory database ever needs offline repair. The wizard also adds the DNS Server role for you, since the domain depends on it. After that and a few dozen more Next clicks, run the install and let the virtual machine restart.

When you log back in, you’ll see the login username is the Administrator account under whichever domain name you chose:

AD DS install

Log back in and we’ll create our first Organizational Unit and custom admin account within Active Directory.

Adding Organizational Units & New Users

From the Server Manager, click “Tools” in the top right and find “Active Directory Users and Computers.”

With that pulled up, you should see the domain you created:

AD DS install

Right click on that bad boy, click “New Object” and select “Organizational Unit.”

We’ll call this Organizational Unit (OU) “_ADMINS” so we can keep track of all accounts with elevated privileges in one place.

AD DS install

Alright, now that we have an OU created for all admin accounts, let’s add our own user account. Right click the OU folder you’ve just created, select “New Object” and then “User.”

You can input whatever you want here, but many organizations follow a similar naming convention for admin accounts, such as: “a-{first initial}{last name}.” You can reference my info below:

AD DS install

Add Admin Level Privileges

After selecting “Next,” adding your password, and creating the user, you’ll want to right click the user and navigate to Properties. Here we can manage various user settings and customize more profile features.

To grant this account admin-level privileges, open the “Member Of” tab, click “Add…”, type “domain admins”, click “Check Names”, then “OK.”

Once this is done you should see both Domain Admins & Domain Users in the box like below:

AD DS install

To test our new admin account, we can sign out of the Domain Controller and try signing back in with our new account.

AD DS install

BOOM goes the dynamite. Our new account is up and running and we should have admin rights.
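Step 2 as a whole (role install, forest promotion, the _ADMINS OU, the admin account and its Domain Admins membership) from PowerShell, as an added example that is not part of the original post. The NetBIOS name “MYDOMAIN” and the placeholder person “Jane Doe” are assumptions; the naming convention a-{first initial}{last name} is the one the text describes.

```powershell
# Added example: Step 2 in PowerShell. Not the original post's own steps.
# Part A runs on the freshly installed server; Part B after the promotion reboot.

# --- Part A: install the role and promote to a new forest ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Creates the forest, installs DNS, prompts for the DSRM password, then reboots.
# -DomainNetbiosName is an assumption; the wizard would derive it from the domain name.
Install-ADDSForest -DomainName 'mydomain.com' -DomainNetbiosName 'MYDOMAIN' -InstallDns -Force

# --- Part B: after the reboot, logged in as MYDOMAIN\Administrator ---
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName      # e.g. DC=mydomain,DC=com

# OU for accounts with elevated privileges, protected so it can't be deleted by a slip.
New-ADOrganizationalUnit -Name '_ADMINS' -Path $domainDN -ProtectedFromAccidentalDeletion $true

# Admin account following a-{first initial}{last name}. The person is a placeholder.
$first = 'Jane'
$last  = 'Doe'
$sam   = ('a-' + $first.Substring(0, 1) + $last).ToLower()
$pw    = Read-Host -AsSecureString "Password for $sam"

New-ADUser -Name "$first $last (admin)" -GivenName $first -Surname $last `
    -SamAccountName $sam -UserPrincipalName "$sam@mydomain.com" `
    -Path "OU=_ADMINS,$domainDN" -AccountPassword $pw -Enabled $true

Add-ADGroupMember -Identity 'Domain Admins' -Members $sam

# Check: should list Domain Admins plus Domain Users (the default primary group).
Get-ADPrincipalGroupMembership -Identity $sam | Select-Object Name
```

Keeping the admin account separate from a day-to-day account, as the naming convention implies, is the point of the _ADMINS OU: it makes the privileged accounts easy to audit as a group later.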

Now we can continue adding the necessary services to our server.

Step 3: Adding RAS/NAT and DHCP Services

From the Server Manager dashboard, select “Add Roles and Features” again and select “Remote Access.”

AD DS install

Slap that next button until you get to the “Role services” popup, then make sure “Routing” is ticked:

AD DS install

Keep going through that install process and system restart. Once you’re back to the Server Manager, click on “Tools” in the top right and open up the “Routing and Remote Access” settings.

You should see the DC listed below. Right click it » Configure and Enable Routing and Remote Access » and choose “Network address translation (NAT).”

AD DS install

After you click next, you should see both network interfaces that we renamed earlier in this dialog box under “Use this public interface … connect to the internet.” (If you don’t, you may need to restart the DC within the Routing and Remote Access settings.)

We want to click on the INTERNET interface and slap some more next buttons. Once that is done, you should see a little green up arrow appear next to the DC. Now our RAS/NAT services are up and running.

RRAS (Routing and Remote Access Service) is what turns the DC into a router: it forwards packets between the INTERNAL NIC and the INTERNET NIC, which is how the client VM on the internal network reaches the outside. NAT (Network Address Translation) rewrites the private 172.16.0.x source addresses to the DC’s outward-facing address on the way out, so the whole internal network shares that one address when talking to the internet.

Now all that’s left is installing DHCP services.

Adding DHCP To Our Server

To add DHCP, we’ll follow the same process we’ve used to install the other services. “Add Roles and Features” » find and select the server “DC…” » find and check “DHCP” » slap next and then install.

With it installed, let’s find and open the config settings from “Tools” in the top right » DHCP.

Now we need to set up the scope: the range of IP addresses the server hands out to devices on the internal network.

Determining IP address ranges is outside the “scope” of this project (ha ha ha), but referencing our topology map, we want the scope to run from 172.16.0.100 through 172.16.0.200 with a subnet mask of 255.255.255.0.

network topology map

From the DHCP settings, you should see your DC server listed on the left-hand side. Click the arrow to expose IPv4 & IPv6 (which should both be red at this point).

Right click IPv4 and select “New Scope…”

You can name the scope whatever you’d like, in my case, I just named it after the range: “172.16.0.100-200.”

Once you click next, you’ll have to enter the Start & End IP addresses as well as the Subnet Mask:

network topology map

Smash that next button until you come to the Router (Default Gateway) options.

Here we want to input the IP address of the Domain Controller (172.16.0.1), since it serves as the default gateway that forwards clients to the internet. After inputting the IP, click “Add.” The following page, “Domain Name and DNS Servers,” should already list the DC’s address as the DNS server; check that it does, because clients can only locate the domain through the DC’s DNS. Then you’re ready to smash that next button a few more times.

If the scope stays stopped, right click the Domain Controller in the DHCP console and select “Authorize.” A domain-joined DHCP server refuses to hand out leases until it has been authorized in Active Directory, which is a guard against rogue DHCP servers on the network. Once authorized you should see green check marks next to IPv4 & IPv6 to indicate they are running!
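Step 3 (Remote Access with routing/NAT, then the DHCP role, scope, options and authorization) from an elevated PowerShell prompt on the DC, as an added example that is not part of the original post. It assumes the adapters were renamed INTERNET and INTERNAL in Step 1 and that the server’s name is DC.mydomain.com. The netsh lines are the scripted counterpart of the “Configure and Enable Routing and Remote Access” wizard and are an assumption on my part; if the RemoteAccess service refuses to start from the command line, run the wizard once as the write-up describes and keep the DHCP half of the script.

```powershell
# Added example: Step 3 in PowerShell. Not the original post's own steps.

# --- Remote Access with the Routing role service ---
Install-WindowsFeature RemoteAccess, Routing -IncludeManagementTools
Import-Module RemoteAccess
Install-RemoteAccess -VpnType RoutingOnly          # LAN routing only, no VPN
Set-Service  RemoteAccess -StartupType Automatic
Start-Service RemoteAccess

# NAT on the public side, plain routing (private) on the internal side.
# Interface names are those chosen in Step 1. (Assumed equivalent of the wizard.)
netsh routing ip nat install
netsh routing ip nat add interface name="INTERNET" mode=full
netsh routing ip nat add interface name="INTERNAL" mode=private
netsh routing ip nat show interface

# --- DHCP ---
Install-WindowsFeature DHCP -IncludeManagementTools
Add-DhcpServerSecurityGroup             # creates the local DHCP Administrators/Users groups
Restart-Service DhcpServer

# Scope 172.16.0.100-200 per the diagram. Options 003 (router) and 006 (DNS)
# both point at the DC; option 015 gives clients the DNS suffix.
Add-DhcpServerv4Scope -Name '172.16.0.100-200' -StartRange 172.16.0.100 `
    -EndRange 172.16.0.200 -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ScopeId 172.16.0.0 -Router 172.16.0.1 `
    -DnsServer 172.16.0.1 -DnsDomain 'mydomain.com'

# "Authorize": register this server in AD so it is allowed to lease addresses.
# Unauthorized DHCP servers in a domain stay silent; this is the rogue-DHCP guard.
Add-DhcpServerInDC -DnsName 'DC.mydomain.com' -IPAddress 172.16.0.1

# Clear Server Manager's "post-install configuration required" flag for DHCP.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' `
    -Name ConfigurationState -Value 2

# Checks: the server appears in the authorized list and the scope is Active.
Get-DhcpServerInDC
Get-DhcpServerv4Scope | Select-Object ScopeId, Name, StartRange, EndRange, State
Get-DhcpServerv4OptionValue -ScopeId 172.16.0.0 | Select-Object OptionId, Name, Value
```

Setting option 006 explicitly is the step most often missed in the GUI: a client that gets a lease but the wrong DNS server can browse the internet yet never find mydomain.com to join it.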

Step 4: PowerShell Scripting 1,000+ Users

Now that all of our required services are up and running, we can use this handy PowerShell script (thanks Josh!) to quickly add a ton of user accounts that we can muck about with in later labs.

You’ll need to download the script onto the Domain Controller first. Once it’s there, you can open up Windows Powershell ISE (make sure to run as administrator!) from the Start Menu.

With that open, you can click “File” » “Open” » select the script wherever it’s located.

You’ll also need to change PowerShell’s working directory to the folder containing the script, since it reads its list of names from a text file alongside it. Once you’re there, click the Run button and watch the users populate in real time!

network topology map
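A bulk user-creation script in the spirit of the one linked above, written for this page as an added example; it is not Josh Madakor’s script and not the original post’s code. The names are constructed inline instead of being read from a file, the “_USERS” OU name is an assumption, and the shared lab password mirrors the write-up’s “Password1” convention, which is acceptable only on an isolated lab network.

```powershell
# Added example: bulk-create domain users from a list of "First Last" names.
# Run in an elevated PowerShell on the DC. Not the script the post links to.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$ouName   = '_USERS'                                   # assumption
$ouPath   = "OU=$ouName,$($domain.DistinguishedName)"
# Lab-only: one shared, known password. Never do this outside an isolated lab.
$password = ConvertTo-SecureString 'Password1' -AsPlainText -Force

# Create the OU once; later runs reuse it.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName `
        -ProtectedFromAccidentalDeletion $false
}

# Constructed sample input standing in for names.txt (one "First Last" per line).
$names = @'
Ada Lovelace
Grace Hopper
Alan Turing
'@ -split "`r?`n" | Where-Object { $_.Trim() }

foreach ($line in $names) {
    $first, $last = $line.Trim() -split '\s+', 2
    if (-not $last) { Write-Warning "skipping '$line': need a first and last name"; continue }

    # {first initial}{last name}, lower-case, letters and digits only, and
    # trimmed to the 20-character sAMAccountName limit.
    $sam = (($first.Substring(0, 1) + $last).ToLower() -replace '[^a-z0-9]', '')
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    # Idempotent: re-running the script must not fail on existing accounts.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Host "skip    $sam (already exists)"
        continue
    }

    New-ADUser -Name "$first $last" -GivenName $first -Surname $last `
        -DisplayName "$first $last" -SamAccountName $sam `
        -UserPrincipalName "$sam@$($domain.DNSRoot)" -Path $ouPath `
        -AccountPassword $password -Enabled $true -PasswordNeverExpires $true
    Write-Host "created $sam in $ouPath"
}

# Check: how many accounts now live in the OU.
(Get-ADUser -Filter * -SearchBase $ouPath).Count
```

The existence check is what makes the script safe to re-run after a partial failure; the original script aborts on the first duplicate name if you run it twice.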

Now we have an Active Directory domain with tons of mock users, and a Domain Controller that hands out IP addresses to the client machines that join it and routes them to the internet.

Let’s login to the client machine and see if everything is working.

Step 5: Verify Everything Works

This assumes you’ve already set up the client virtual machine with Windows 10 Pro (not Home, which can’t join a domain) and attached its single network adapter to the same VirtualBox Internal Network as the DC’s internal NIC.

Internet/Network Connectivity

Let’s boot up the Client 1 virtual machine. After logging in, we want to make sure we have network connectivity and the internet is working. Remember, we’re not yet joined to the domain, but the client’s adapter sits on the same internal network as the DC, so it should already have pulled a lease, gateway and DNS server from the DC and have network access.

Open a terminal and run ipconfig /all: the IPv4 address should fall in the 172.16.0.100-200 range, and the DHCP server, default gateway and DNS server should all be 172.16.0.1. Then ping a website to verify DNS resolution works and you’re connected.

Or just open up the browser and visit a site if you’d rather do so:

network topology map

Boom shakalakah, we are online! Now time to connect to the domain.

Connect To The Domain

The script we just used set every user’s password to “Password1” (fine for an isolated lab, never for anything real), so we could grab any username from that list OR sign in with the admin account we created earlier in Active Directory.

To connect to the domain, you can open up the System settings by right-clicking the Start Menu button. Scroll down and select “Rename this PC (advanced).”

This will enable us to join the domain and rename the PC in one fell swoop. Click “Change” and rename the PC “CLIENT1” if you’re still following along with the network diagram.

  • And in the “Member of” box click on Domain and enter the FQDN: “mydomain.com”

Once you click OK, it will prompt you for the credentials of an account that belongs to the domain. This could be the admin account we created earlier or any user generated by the PowerShell script (by default any domain user may join up to ten machines).

Now it’ll restart so you can login to the domain.

Verify DHCP Is Working Properly

From the Domain Controller, we can verify DHCP has leased out an IP address for the client.

Open up the DHCP tool and navigate to the “Address Leases” folder pictured below:

network topology map

If you see CLIENT1 listed then you know DHCP services are working correctly.
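The Step 5 checks done from PowerShell, as an added example that is not part of the original post: the rename-and-join on the client, then the DHCP lease, computer object and DNS record verified from the DC, and a connectivity check back on the client. The account used for the join and the external host name are assumptions; everything else follows the diagram (CLIENT1, DC.mydomain.com, 172.16.0.1).

```powershell
# Added example: join CLIENT1 and verify DHCP/DNS/NAT end to end. Not the
# original post's own steps.

# --- On CLIENT1 (Windows 10 Pro), elevated: rename and join in one go ---
# Any domain account can join by default; the admin account is an assumption.
$cred = Get-Credential -UserName 'MYDOMAIN\Administrator' -Message 'Domain account for the join'
Add-Computer -DomainName 'mydomain.com' -NewName 'CLIENT1' -Credential $cred -Restart

# --- On the DC, after the client has rebooted ---
# DHCP: the client should hold a lease in the 172.16.0.100-200 range.
Get-DhcpServerv4Lease -ScopeId 172.16.0.0 |
    Select-Object IPAddress, HostName, ClientId, AddressState, LeaseExpiryTime

# AD: the join created a computer object.
Get-ADComputer -Identity 'CLIENT1' | Select-Object Name, Enabled, DNSHostName

# DNS: the client registered its A record with the DC's DNS on first boot.
Resolve-DnsName -Name 'CLIENT1.mydomain.com' -Type A

# --- On CLIENT1, logged in as a domain user ---
# Gateway, DNS and DHCP server should all be the DC.
Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer
Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, ServerAddresses

# The machine trusts the domain (secure channel to a DC is healthy).
Test-ComputerSecureChannel -Verbose

# LDAP to the DC across the internal network, and HTTPS out through the NAT.
Test-NetConnection -ComputerName 'DC.mydomain.com' -Port 389
Test-NetConnection -ComputerName 'www.microsoft.com' -Port 443   # external host is an assumption
```

If the lease shows up but the join fails with a “domain could not be contacted” error, the DNS line is the one to look at: the client must be asking 172.16.0.1, not whatever VirtualBox’s NAT hands out.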

CONGRATS! You’ve setup a mock-corporate network all from one computer using a hypervisor and virtualization.