Active Directory HomeLab
This project is a walkthrough of how I created an Active Directory homelab environment in VirtualBox using PowerShell, Active Directory, Windows 11, and MS Server 2019. The network consists of two VMs (virtual machines): one will be the DC (domain controller) and the other a client machine. I will have Active Directory (AD) installed on the DC and will generate 1000 randomized users in AD, which can be used to log into the client machine once the domain is set up and the client is properly joined. This lab is a simulation of an enterprise network environment, so there will be some configurations that optimize for time and should not be used in a production enterprise environment.
Downloads
Network Diagram
I will reference this diagram for the project configurations.
Creating the domain controller
The first virtual machine will function as our domain controller and will require two network adapters. After creating our machine, using the Server 2019 ISO, we will configure the network adapters. In the VM's Settings > Network page, leave Adapter 1 with the default NAT configuration. Enable Adapter 2 and set Attached to: Internal Network.
After completing the network adapter configuration, we will need to complete the initial setup of Windows Server 2019 on our DC.
After initial setup is completed, we need to configure the network adapters in the OS. We can identify which one is going to be the internal adapter by checking the IPv4 addresses in their respective connection details. The one with the 10.0.2.15 IPv4 address is our internet-facing adapter (VirtualBox NAT hands out that address), whereas the other is our internal one, since its IPv4 address is autoconfigured. We can now label them INTERNET and X_Internal_X respectively. Renaming them will make the configuration we'll be doing throughout the project easier to follow.
Setting up IP addressing
Now we will be setting up the IP addressing for our internal adapter with the following configuration:
- IP address: 172.16.0.1
- Subnet mask: 255.255.255.0
- Default gateway: . . .
- Preferred DNS server: 127.0.0.1
Note: When we install AD, we will configure the DC to use itself as the primary DNS server, so that's why we have the loopback IP, 127.0.0.1, in the Preferred DNS Server field.
The last thing is to rename the PC to DC and restart before we install Active Directory Domain Services.
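The same adapter identification, renaming, static addressing and host rename can be done from an elevated PowerShell on the Server 2019 VM. This is an added example, not the post's own steps (the post does this through the GUI); it assumes, as the post does, that the NAT adapter currently holds 10.0.2.15 and that the only other adapter that is up is the internal one.

```powershell
# Added example (not from the original post). Run elevated on the Server 2019 VM.
# Assumption: the VirtualBox NAT adapter holds 10.0.2.15; the other "Up" adapter is the internal network.

# Identify the two adapters by the address VirtualBox NAT hands out
$internet = (Get-NetIPAddress -AddressFamily IPv4 -IPAddress 10.0.2.15).InterfaceAlias
$internal = (Get-NetAdapter | Where-Object { $_.Name -ne $internet -and $_.Status -eq 'Up' } | Select-Object -First 1).Name

# Label them as in the post so later steps can refer to them by name
Rename-NetAdapter -Name $internet -NewName 'INTERNET'
Rename-NetAdapter -Name $internal -NewName 'X_Internal_X'

# Internal side: static 172.16.0.1/24, no default gateway, DNS pointed at the DC itself (loopback)
Set-NetIPInterface -InterfaceAlias 'X_Internal_X' -Dhcp Disabled
Remove-NetIPAddress -InterfaceAlias 'X_Internal_X' -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias 'X_Internal_X' -IPAddress 172.16.0.1 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias 'X_Internal_X' -ServerAddresses 127.0.0.1

# Check the result before rebooting: expect 172.16.0.1/24 and DNS 127.0.0.1 on X_Internal_X
Get-NetIPConfiguration -InterfaceAlias 'X_Internal_X'

# Rename the host to DC and restart (the post does this last, before installing AD DS)
Rename-Computer -NewName 'DC' -Restart
```

Checking `Get-NetIPConfiguration` before the rename catches the common mistake of putting the static address on the NAT adapter, which would cut the VM off from the internet.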
Install Active Directory Domain Services
After booting back into the DC, I install Active Directory Domain Services:
Promote the server to domain controller
Now to promote our server to a domain controller. This will auto restart the VM after the wizard completes the promotion.
Upon next login, we see that our VM is now part of MYDOMAIN.
Instead of the default Administrator account, I create my own domain admin account and promote it to Domain Admins.
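The feature install, forest promotion and the separate domain admin account can also be scripted. This is an added example, not the post's own commands (the post uses Server Manager); the account name `a-admin` is a placeholder, since the post does not name its admin account, and the domain name and NetBIOS name follow the post's MYDOMAIN / mydomain.com.

```powershell
# Added example (not from the original post). Run elevated on the DC.
# Step 1: install the AD DS role and its management tools
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Step 2: promote to the first DC of a new forest; -InstallDns makes the DC its own DNS server,
# which is why the internal adapter was pointed at 127.0.0.1. The VM reboots when this finishes.
$dsrm = Read-Host -AsSecureString 'DSRM (Directory Services Restore Mode) password'
Install-ADDSForest -DomainName 'mydomain.com' -DomainNetbiosName 'MYDOMAIN' -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Force

# Step 3 (after the reboot, logged in as MYDOMAIN\Administrator): create a personal admin
# account instead of working as the built-in Administrator. 'a-admin' is a placeholder name.
$pw = Read-Host -AsSecureString 'Password for the new domain admin'
New-ADUser -Name 'a-admin' -SamAccountName 'a-admin' -UserPrincipalName 'a-admin@mydomain.com' `
    -AccountPassword $pw -Enabled $true
Add-ADGroupMember -Identity 'Domain Admins' -Members 'a-admin'

# Confirm membership; the new account should appear next to Administrator
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object SamAccountName
```

Steps 1 and 2 run before the reboot and step 3 after it, so paste them in two sittings rather than as one script.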
RAS / NAT
Now to configure RAS/NAT to allow our client VM that is on the virtual private network to access the internet through the domain controller.
Setup DHCP server
Doing this will allow our Windows 11 client to be auto assigned an IP address and allow our client to browse the internet, even though the VM is on a virtual private network.
After installation, it's time to configure DHCP and set up a scope. Again, the purpose of DHCP is to allow clients on the network to automatically be assigned an IP address. Referencing our network diagram, I will create a scope that gives out IP addresses in the range 172.16.0.100-200, so a range of 100 addresses that the DHCP server can hand out. The DHCP lease time will be kept at the default of 8 days. If this were a cafe, for example, I would probably want a lease period of 2 hours, since new clients log into the wifi network frequently. We don't want to tie up IP addresses with a long lease time like 20 days. If we did that, we would run out of IPs whenever the rate of new client connections exceeds the rate at which leases expire, and new clients could no longer be assigned an address or reach the internet through our network. A better solution for the cafe situation would be a large IP range with a short DHCP lease time. Since we are working with a homelab setup, the default values will work fine here.
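The RAS/NAT and DHCP steps above, scripted, as an added example rather than the post's own (the post configures both through the Server Manager wizards). The scope, lease time and addresses are the post's; the `netsh routing ip nat` lines are my assumption of the command-line equivalent of the RRAS NAT wizard and use the adapter names chosen earlier.

```powershell
# Added example (not from the original post). Run elevated on the DC after it is a domain controller.

# --- RAS/NAT: let clients on the internal network reach the internet through the DC ---
Install-WindowsFeature RemoteAccess, Routing -IncludeManagementTools
Install-RemoteAccess -VpnType RoutingOnly
# Assumption: netsh equivalent of the RRAS NAT wizard; INTERNET is the public side, X_Internal_X the private side
netsh routing ip nat install
netsh routing ip nat add interface "INTERNET" full
netsh routing ip nat add interface "X_Internal_X" private

# --- DHCP: hand out 172.16.0.100-200 with the default 8-day lease ---
Install-WindowsFeature DHCP -IncludeManagementTools
Add-DhcpServerv4Scope -Name 'Internal scope' -StartRange 172.16.0.100 -EndRange 172.16.0.200 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active
# Clients need the DC as both router (NAT) and DNS server, plus the domain suffix
Set-DhcpServerv4OptionValue -ScopeId 172.16.0.0 -Router 172.16.0.1 -DnsServer 172.16.0.1 -DnsDomain 'mydomain.com'
# Authorize the DHCP server in AD so it is allowed to serve leases in the domain
Add-DhcpServerInDC -DnsName 'dc.mydomain.com' -IPAddress 172.16.0.1

# Verify the scope exists and is active
Get-DhcpServerv4Scope | Select-Object ScopeId, StartRange, EndRange, LeaseDuration, State

# The cafe variant from the post: short lease so addresses recycle quickly (not applied in this lab)
# Set-DhcpServerv4Scope -ScopeId 172.16.0.0 -LeaseDuration (New-TimeSpan -Hours 2)
```

`Add-DhcpServerInDC` is the authorization step the GUI performs when you complete the post-install DHCP configuration; without it the server stays listed but refuses to lease addresses.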
Config to allow us to browse internet from domain controller
In order to get the PowerShell script from the internet and execute it on our domain controller, we'll need to do some more configuration. We need to disable the IE Enhanced Security Configuration setting on our domain controller.
With the IE security feature disabled, we can download the script to the server here.
PowerShell script to create 1000 users
Once we've downloaded and extracted the script files, we're ready to run the script using PowerShell ISE in administrator mode to create our users. Before running it, though, open the names.txt file and add our own first and last name, just to make it easy to remember when we log into the client computer after we're done with the server.
By default Windows won't allow us to execute unknown scripts from the internet, so we need to enable execution of our script by running the following command: Set-ExecutionPolicy Unrestricted, and then click "Yes to All".
Now, we run the script. There will be some visible errors during execution, but that's because of duplicates in the names.txt file, which shouldn't mess with the script's execution.
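A bulk-user script that handles the duplicate-name errors mentioned above, as an added example; it is not the script the post downloads. It assumes `names.txt` holds one "First Last" per line in the current directory, creates users under an OU named `_USERS` (my assumption; the post does not name an OU), and uses a constructed lab-only shared password. The execution policy is opened for this process only rather than machine-wide, which has the same effect for the duration of the ISE session.

```powershell
# Added example (not the post's downloaded script). Run in an elevated PowerShell ISE on the DC.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force   # this process only, instead of machine-wide Unrestricted
Import-Module ActiveDirectory

$domainDn = 'DC=mydomain,DC=com'
$ouName   = '_USERS'                                                 # assumption: OU name not given in the post
$ouDn     = "OU=$ouName,$domainDn"
$password = ConvertTo-SecureString 'Password1' -AsPlainText -Force   # constructed lab-only password

# Create the OU once; re-running the script must not fail here
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $false
}

$seen    = @{}
$created = 0
foreach ($line in Get-Content .\names.txt) {
    $parts = $line.Trim() -split '\s+'
    if ($parts.Count -lt 2) { continue }                             # blank or malformed line
    $first, $last = $parts[0], $parts[-1]
    $sam = ($first.Substring(0, 1) + $last).ToLower()                # e.g. "David Nguyen" -> dnguyen
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }          # sAMAccountName is limited to 20 characters

    # Duplicates in names.txt are what produce the errors the post mentions; skip them explicitly
    if ($seen.ContainsKey($sam)) { Write-Warning "Duplicate $sam skipped"; continue }
    $seen[$sam] = $true
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { continue }  # already exists from a previous run

    New-ADUser -Name "$first $last" -GivenName $first -Surname $last -DisplayName "$first $last" `
        -SamAccountName $sam -UserPrincipalName "$sam@mydomain.com" -Path $ouDn `
        -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true
    $created++
}

# Confirm the result; the count should match the number of unique names in names.txt
"Created $created users; $((Get-ADUser -Filter * -SearchBase $ouDn).Count) now in $ouDn"
```

Deduplicating on the generated sAMAccountName rather than the full name also catches two different people who would collide on the same first-initial-plus-surname, which the original script's errors are really reporting.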
Confirming our users have been created in AD:
And we're done with our domain controller setup.
Setup client virtual machine
Finally we can create our client machine, which will act as a user in the domain we created. We will call our machine CLIENT1. This will simulate an employee machine on our domain.
We'll set its network adapter to the internal network we configured when initially setting up our domain controller:
On initial setup, we can name our computer CLIENT, so when we get to the desktop, all we need to do is add our computer to our domain and authenticate the change with our domain admin credentials.
Let's log out and log in as our generated user dnguyen.
After a successful login, let's run whoami to confirm my domain\user.
Let's ping google.com to confirm we have access to the internet and, for good measure, ping our domain: mydomain.com.
Back on our DC, we can look in DHCP > dc.mydomain.com > IPv4 > Address Leases to see our client machine listed with its unique IP from our defined scope.
We can also confirm in Active Directory > mydomain.com > Computers that our client is listed there as well.
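The join and the same checks from PowerShell, as an added example rather than the post's own clicks. The first part runs on the client before and after the join; the last part runs on the DC. `a-admin` is a placeholder for whatever domain admin account you created; the machine name, user and scope are the post's.

```powershell
# Added example (not from the original post).

# --- On the client (elevated), before joining: did DHCP give us a scope address and can we resolve the domain? ---
Get-NetIPAddress -AddressFamily IPv4 | Where-Object PrefixOrigin -eq 'Dhcp' | Select-Object InterfaceAlias, IPAddress
Resolve-DnsName mydomain.com                      # must answer from the DC; if this fails the join will too

# Join the domain and set the final name in one step; the machine reboots afterwards
$cred = Get-Credential 'MYDOMAIN\a-admin'         # placeholder admin account
Add-Computer -DomainName 'mydomain.com' -NewName 'CLIENT1' -Credential $cred -Restart

# --- On the client, after logging in as MYDOMAIN\dnguyen ---
whoami                                            # expect mydomain\dnguyen
Test-NetConnection google.com -Port 443           # internet via the DC's NAT
Test-Connection mydomain.com -Count 2             # the domain name resolves to the DC and answers

# --- On the DC: the lease and the computer object the post checks in the GUI ---
Get-DhcpServerv4Lease -ScopeId 172.16.0.0 | Select-Object IPAddress, HostName, ClientId, AddressState
Get-ADComputer -Filter "Name -eq 'CLIENT1'" | Select-Object Name, DNSHostName, Enabled
```

`Resolve-DnsName` before the join is the check worth keeping: a client whose DNS does not point at the DC gets the vague "domain could not be contacted" error, and this pinpoints it before you spend time on credentials.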
And success, that is the end of the lab! 🙌