- Active Directory
- PowerShell
- CMD
- Oracle VirtualBox: https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html
- Microsoft Server 2019: https://www.microsoft.com/en-us/evalcenter/download-windows-server-2019
- Windows 10 (22H2): https://www.microsoft.com/en-us/software-download/windows10
NETWORK OVERVIEW
Download and install VirtualBox using the link above. The first virtual machine will house the domain controller, so I'll need two network adapters: one to access the internet (NAT) and one dedicated to the internal network (Internal Network) so that the Domain Controller can communicate with the internal network. Go to Settings > Network > Advanced to make these changes.
I'll give the domain controller a simple name (DC) and in the General > Advanced tab, I'll set the clipboard to "Bidirectional", which allows me to drag and drop things from my actual desktop into this virtual machine and vice versa.
Click "Ok". Now double-click the domain controller (DC) and navigate to the directory where I downloaded Server 2019, select it and click "Mount and Retry Boot". This might take a while.
Once Server 2019 is installed, I have to configure IP addressing for the internal (private) network. The external (internet) network automatically gets IP addressing from my home router. Click "Change adapter options".
Now I have to figure out which one of these adapters connects to the internet and name both appropriately, because I will be using them later when I set up routing. I'll right-click the first one and go to Status > Details. I can see that the IP address is 10.0.2.15, which looks like a proper home IP address, so I'll rename it as _INTERNET_ and the other as X_Internal_X.
Now I'll rename this PC. Right-click the Start Menu > System > Rename this PC. I'll name it "DC", meaning Domain Controller. Click Next > Restart now > Continue.
I have to assign an IP address to the internal adapter. The diagram above shows the "NIC (Internal)" IP address 172.16.0.1 which is what I'll assign. I'm not going to use a default gateway because the DC itself is going to serve as the default gateway. When I install Active Directory, it automatically installs DNS and this server is going to use itself as the DNS server so I'll give it a loopback address 127.0.0.1 which allows it to ping itself. This forces a restart.
After the reboot, I'll install Active Directory and create a domain. On the Server Manager Dashboard click Add roles and features > Next > Next > Next and then I'm going to select Active Directory Domain Services > Add Features. This might take a while.
At this point I've installed the software for Active Directory Domain Services but I haven't created the domain yet. So for the post deployment configuration I'll click the flag in the upper-right corner and select "Promote this server to a domain controller".
Add new forest and give it a simple name like mydomain.com, this forces a restart.
Now I can see MYDOMAIN\Administrator indicating that the domain was created successfully. I'll log in with my simple password "Password1" for the purpose of this lab ONLY!
Now I'll create my own domain admin account instead of using the built-in one. Go to Start > Windows Administrative Tools > Active Directory Users and Computers. Then right-click on mydomain.com, select "New" in the drop-down menu and select "Organizational Unit". This will house my admin account.
I'll name this OU "_ADMINS". Then I'll right-click "_ADMINS" and go to New > User. In the window that opens, I'll fill in my name. NOTE: In the space "User logon name", I want to use a- to signify that this is an admin account, followed by my first name initial and my last name (a-jlong), because this is the common naming convention in a lot of organizations.
I have an account now but it's still not an admin, so to make it a domain admin I need to right-click my name and in the drop-down go to Properties > Member Of > Add. In the window that opens, type "domain admins" in the lower box, then click "Check Names".
Click Ok. Now my account is a domain admin account. To use this, I'm going to sign out and sign back in with my domain admin account (a-jlong).
Now I'm going to install the remote access server and network address translation. The purpose of RAS/NAT is to allow the client (when I install it) to be on the internal network but still have access to the internet through the domain controller. To do this, go to Add roles and features > Next > Next > select Remote Access.
Next > select Routing. Then keep clicking "Next" then click "Install". This will take some time.
Now in the upper-right corner I'll select "Tools" and go down to "Routing and Remote Access". Right-click on "DC (local)" and select "Configure and Enable Routing and Remote Access".
Then I need to install NAT to allow my internal client to access the internet using one IP address.
Now that RAS/NAT is configured, I'm going to set up DHCP on the domain controller with scope information so that my Windows 10 client can get an IP address that will let it get on the internet. Click on Add roles and features > Next > Next then select "DHCP Server". Keep clicking "Next", then Install.
Looking at the diagram, I defined a DHCP scope that will give IP addresses in this range (172.16.0.100-200). Right-click "IPv4" and select "New Scope".
Looking at the "Lease duration for DHCP clients" section in the image below, this defines how long a computer can have an IP address before it needs to be refreshed. For example, if you're in a cafe and you have a lease duration of 8 days, nobody will be able to use that IP address until the lease expires. But for the purpose of a home lab, this is fine.
Now I can see my IPv4 is green and my scope has been created. There are no leases in it because I haven't created the client computer yet.
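The same domain controller build, done from an elevated PowerShell on the fresh Server 2019 VM instead of the GUI wizards. This is an added example, not part of the original walkthrough: the adapter names, addresses, domain name and DHCP range are the lab's; identifying the NAT adapter by its 10.0.2.x address and the DSRM password prompt are my assumptions, and the NAT interface assignment itself is still done in the Routing and Remote Access console as described above.

```powershell
# --- Step 1: identify and name the two adapters (10.0.2.x is the VirtualBox NAT side; assumption) ---
$nat = Get-NetIPAddress -AddressFamily IPv4 | Where-Object IPAddress -like '10.0.2.*' | Select-Object -First 1
Rename-NetAdapter -Name $nat.InterfaceAlias -NewName '_INTERNET_'
Get-NetAdapter | Where-Object Name -ne '_INTERNET_' | Rename-NetAdapter -NewName 'X_Internal_X'

# Static address on the internal side, no default gateway (the DC is the gateway),
# and DNS pointed at the loopback address because the DC will be its own DNS server.
New-NetIPAddress -InterfaceAlias 'X_Internal_X' -IPAddress 172.16.0.1 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias 'X_Internal_X' -ServerAddresses 127.0.0.1
Rename-Computer -NewName 'DC' -Restart

# --- Step 2 (after the reboot): AD DS role, then promote this server to a new forest ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName 'mydomain.com' -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force
# This forces another reboot; log on as MYDOMAIN\Administrator afterwards.

# --- Step 3: routing role for RAS/NAT, and the DHCP scope 172.16.0.100-200 from the diagram ---
Install-WindowsFeature RemoteAccess, Routing, DHCP -IncludeManagementTools
Install-RemoteAccess -VpnType RoutingOnly   # NAT between _INTERNET_ and X_Internal_X: RRAS console, as above
Add-DhcpServerv4Scope -Name 'Lab 172.16.0.0/24' -StartRange 172.16.0.100 -EndRange 172.16.0.200 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active
# Clients get the DC as their router and DNS server so they can reach the internet through it.
Set-DhcpServerv4OptionValue -ScopeId 172.16.0.0 -Router 172.16.0.1 -DnsServer 172.16.0.1 -DnsDomain 'mydomain.com'
Add-DhcpServerInDC -DnsName 'dc.mydomain.com' -IPAddress 172.16.0.1   # authorize the DHCP server in AD
```

Run each step only after the reboot the previous one triggers; the scope shows up green in the DHCP console once the server is authorized.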
Before I create my client computer, I'm going to use a PowerShell script to create over 1000 user accounts in Active Directory so I don't have to manually create them. To do this, I need to make a configuration that allows me to get on the internet from the domain controller so I will have to disable the security functions of the domain controller. Normally I wouldn't do this in a real production environment, but for my home lab it's fine.
Now I will paste this link https://github.com/joshmadakor1/AD_PS into the browser, download the script and extract it to the desktop. Before I run the script, I have to enable the execution of all scripts.
Running the script to create 1000 user accounts.
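An added example of my own (not the AD_PS script downloaded above) that covers both account passages: it creates the _ADMINS OU with the a-jlong domain admin, then bulk-creates ordinary users from a name list the way the downloaded script does for its 1000 accounts. The _USERS OU name, the first-initial-plus-surname logon convention for non-admins, the three sample names and the password prompts are assumptions; only the initial "J" of the admin's first name is known from the walkthrough.

```powershell
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName       # DC=mydomain,DC=com in this lab

# Create the two OUs if they are missing (_USERS is an assumed name for the bulk accounts).
foreach ($ou in '_ADMINS', '_USERS') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# Logon name as in the walkthrough: optional "a-" prefix for admins, first initial, surname.
function New-LabLogonName([string]$First, [string]$Last, [switch]$Admin) {
    $base = ($First.Substring(0, 1) + $Last).ToLower() -replace '[^a-z0-9-]', ''
    if ($Admin) { "a-$base" } else { $base }
}

# Create one enabled user in the given OU, skipping it if the sAMAccountName already exists.
function New-LabUser([string]$First, [string]$Last, [string]$Ou, [securestring]$Password, [switch]$Admin) {
    $sam = New-LabLogonName $First $Last -Admin:$Admin
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { Write-Verbose "$sam exists, skipping"; return $sam }
    New-ADUser -Name "$First $Last" -GivenName $First -Surname $Last -SamAccountName $sam `
        -UserPrincipalName "$sam@$((Get-ADDomain).DNSRoot)" -Path "OU=$Ou,$domainDN" `
        -AccountPassword $Password -Enabled $true -ChangePasswordAtLogon $true
    return $sam
}

# The admin account from the walkthrough (a-jlong), then Domain Admins membership.
$adminPw  = Read-Host -AsSecureString 'Password for a-jlong'
$adminSam = New-LabUser -First 'J' -Last 'Long' -Ou '_ADMINS' -Password $adminPw -Admin
Add-ADGroupMember -Identity 'Domain Admins' -Members $adminSam

# Bulk users: a constructed name list stands in for the list the downloaded script reads.
$names  = @('Ada Lovelace', 'Grace Hopper', 'Alan Turing')
$userPw = Read-Host -AsSecureString 'Initial password for bulk users'
$created = foreach ($n in $names) {
    $first, $last = $n -split ' ', 2
    New-LabUser -First $first -Last $last -Ou '_USERS' -Password $userPw
}
"{0} users ready in _USERS: {1}" -f $created.Count, ($created -join ', ')
```

Because each user is checked by sAMAccountName before creation, the script can be re-run after a partial failure without producing duplicate-name errors.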
Now I will create another virtual machine to act as a user in the domain. I'll give it the name "CLIENT1", configure it so that it will only be able to get on the internet by being assigned an IP address from the domain controller and join it to the domain.
And now I'll check to make sure "CLIENT1" is getting an IP address from the domain controller and I'll ping the domain as well.