amolinaro23/ActiveDirectoryLab

Active Directory Home Lab

Description

In this lab I utilized Oracle VirtualBox to create an Active Directory home lab to better understand the inner workings of Active Directory and to expand on my knowledge of Windows networking.

Step 1 - Download Oracle Virtual Box

Link: https://www.virtualbox.org/wiki/Downloads

Make sure to pick the correct OS. After the Oracle VM download, make sure to also download the Extension Pack under "VirtualBox 7.0.14 Oracle VM VirtualBox Extension Pack".

Step 2 - Download Windows 10 ISO

Link: https://www.microsoft.com/en-us/software-download/windows10

Link: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019

Follow the first link to download the 64-bit ISO file for Windows 10. Make sure to save the file somewhere easy to find (I recommend just saving it to your desktop). Then follow the second link to download the Windows Server 2019 ISO file.

Step 3 - Create Windows 2019 Server Virtual Machine

Next, we're going to start creating our first VM. You're going to hit the "New" button.


Go ahead and name the VM. I followed Josh Madakor's video and he recommended just naming it "DC" for Domain Controller. Then select your ISO image from your desktop and make sure to pick one of the "Desktop Experience" options in order to ensure you have a GUI upon creation.


Next, you'll configure the hardware settings for the VM by choosing the base memory and number of processors. I went ahead and put 4096 MB of memory and 4 CPUs. Click "Next" when you get to Virtual Hard Disk and then "Finish".

Step 4 - Configure DC Machine Basics

Once the machine is created, and before you power it up, click on the machine in Oracle VM and then click Settings. On the General page, click the "Advanced" tab and under Shared Clipboard and Drag'n'Drop, choose the "Bidirectional" option. This will allow us to copy and paste and/or drag files from our main desktop to our VMs.

Next, go down to "Network". Since we're creating our domain controller, we want to have 2 NICs: 1 running NAT and another attached to the Internal Network. Click on Adapter 2 and check the "Enable Network Adapter" box. For the "Attached to:" drop-down, select Internal Network and then press OK.

If you notice that your mouse and VM screen are laggy or unresponsive, you can go to "Devices" and select "Insert Guest Additions CD Image". Then go to your file directory and look for the CD Drive (D:) VirtualBox Guest Additions, find the VBoxWindowsAdditions-amd64 file and run it. You can restart when prompted or manually reboot on your own. You should notice the quality-of-life change immediately upon restart.

Step 5 - Set Up IP Addressing on DC

Next up, we are setting up our IP addressing. We will have two NICs: one that will automatically get an IP address from your home router and the other that we will now set up manually. Click the network icon at the bottom right of the VM screen and select "Network and Internet Settings". Under Related Settings, select "Change adapter options" and you will see two adapters. We will now figure out which adapter is connected to the internal network and which one is connected to the internet. You'll do this by right-clicking on either of the two and then selecting "Status" and then "Details". From here, you are looking for the IPv4 address. I selected the first adapter and can see that this particular adapter has an IPv4 address of 10.0.2.15, meaning this is my home DNS server.

Then right-click on the same adapter and rename it "INTERNET", and rename the other adapter "INTERNAL".

Once you designate which adapter is the internal one, we need to set an IP address for it. Right-click the "INTERNAL" adapter, select Properties, highlight "Internet Protocol Version 4 (TCP/IPv4)" and click Properties again. Click the box that says "Use the following IP address" and enter the following information as seen below. The Preferred DNS server is going to route back to itself, so you can enter the IP address again, or use the following default DNS server ID to allow the computer to ping, or loop back, to itself.

Step 6 - Set Up Domain/AD DS

We will now install Active Directory Domain Services and create a domain. Go to the Server Manager in the DC VM and click "Add Roles and Features". Click next twice, then when you come to 'Select Destination Server', your server should already be highlighted (as it's the only one), but if not, highlight your server. On the 'Select Server Roles' screen you'll select 'Active Directory Domain Services' and when the next box pops up asking if you want to add the required features, press "Add Features". After that, you can click next until you get to the last page and then click "Install".


Following the AD DS installation, you'll notice a caution sign at the top of the screen. Click it and select 'Promote this server to a domain controller'.

Next, you'll select 'Add a new forest' and enter a generic name into the domain name box. Then click Next. You will be prompted to enter a password; choose one of your liking (it's a good idea to make a habit of using strong passwords!). Then click Next until you're done and the system will restart on its own.

Upon restart, you should see the MYDOMAIN\Administrator as the user login. We are going to add our own domain admin account. Go to start, Windows Administrative Tools, then Active Directory Users and Computers. You'll see our newly created mydomain.com. Right-click on the mydomain.com, go to New and scroll down to Organizational Unit. Go ahead and name this folder ADMIN and uncheck the box asking to protect the container from accidental deletion.


In the new ADMIN folder, right-click the folder, go down to New and add a new User. Fill everything out with your name and choose your logon name. You'll be prompted for a password. I also checked the box "Password never expires" since it's a lab. Note, that is obviously not a good security policy!


To make your new account an admin account, right-click your name, click Properties, then click Add at the bottom of the screen. Type in Domain Admins and then click 'Check Names' to the right. It should find the admin group; go ahead and press OK. Then log out of the current user profile and log back in with your new admin account.

Step 7 - Set Up RAS / NAT

Next, we are installing Remote Access Server (RAS) and Network Address Translation (NAT) so that our client can sit on a private virtual network but still access the internet through the domain controller. Go to the Server Manager and click Add Roles and Features. Click Next three times and, once you get to the 'Select Server Roles' page, select Remote Access. Click Next until you get to the 'Select Role Services' page and select 'Routing'. DirectAccess and VPN (RAS) will be selected automatically; leave it as is, click Next until you get to Install, and then install the new role and feature.

Next, you'll go to 'Tools' on the Server Manager Dashboard and select 'Routing and Remote Access'.


Right-Click your Domain Controller local server and click 'Configure and Enable Routing and Remote Access'.


Under 'Configuration', select 'Network address translation (NAT)'.

Under 'NAT Internet Connection', make sure to select the INTERNET adapter, NOT the INTERNAL one we named earlier; this is why it was important to identify them earlier. Then click Next and then Finish. The Domain Controller should now have a green arrow pointing up.

Step 8 - Set up DHCP Server

We will now set up our DHCP server to allow our client machine to browse the internet with a set range of IP addresses and subnet mask. This simulates how things work in your company and/or school. What you'll need to do is go to the Server Manager, click Add Roles and Features, next, next, next, and then on the 'Select Server Roles' page you'll select the DHCP Server box and add the required features. Then click next to the end and select install.


Next, you'll go to 'Tools' on the Server Manager Dashboard and select DHCP. You'll see the DHCP popup box where we will set up our scope. Right-click the IPv4 server and click New Scope.


For the name of the Scope, put the IP address range (172.16.0.100-200)


For the IP Address Range, you'll use the range of IPs we just defined (172.16.0.100 to 172.16.0.200). We will give the DHCP clients a subnet mask length of 24.

You can skip the exclusions page as we won't add any IP exclusions for this lab. For the Lease Duration, since this is a lab, you can keep the duration at 8 days. This just designates how long a computer can keep the IP address it was given by the DHCP server. On the Configure DHCP Options page, leave the selection at "Yes, I want to configure these options now". Now we will add an IP address to give the clients a default gateway/router to get to the internet through the internal NIC. Enter the Domain Controller's IP address and click Add.

Next, the wizard asks what we want to use as our DNS server. We will be using our domain controller, so click Next. You can skip the WINS server. Then click through to the end. After this is completed and you're back at the DHCP window, authorize the DHCP server: right-click on your domain controller and click 'Authorize'.

You may have to refresh the IPv4 and IPv6. After refreshing, you should see them activate with the green upward arrow.

Step 9 - Configure Domain Controller for Internet Browsing

Note that this is not good practice for a production environment. Go to the Server Manager, click 'Configure this local server', click 'IE Enhanced Security Configuration' and disable both options.

Step 10 - Using PowerShell to Create Users

Next, we will use the code provided by Josh Madakor for the list of user names we will be implementing.

Link: https://github.com/joshmadakor1/AD_PS/archive/refs/heads/master.zip

Open Internet Explorer in the Domain Controller and copy the link into it. Save the zip file to the desktop and then copy the extracted files to the desktop as well. Once the files are saved, open the "names" file, add your name to the top of the list of names, and save the file.

Then click on start, go to Windows PowerShell, and select Windows PowerShell ISE and right-click to run as an administrator.


Open the 1_CREATE_USERS file in PowerShell ISE and, in the command line, type the command: Set-ExecutionPolicy Unrestricted. This allows us to run all scripts on the server. Please note that the execution policy is a security feature, and this setting should not be used outside of a lab environment. Then click 'Yes to All' on the policy change banner.

Now, to get the code to generate the names, we have to go to the script's directory within PowerShell. I used cd to change the directory to the file location, i.e., cd C:\users\a-amolinaro\desktop\AD_PS-master

Now, click run and you will see the names begin to populate PowerShell.

Step 11 - Create the Windows 10 VirtualBox

To set up our Client VM, we will essentially follow the exact same steps as when we created the Domain Controller. However, we are installing Windows 10 on this VM, so make sure to select the proper ISO file. If you run into trouble regarding the product key for the Windows 10 machine, I used the following link from Microsoft for generic keys. I used the VK7JG-NPHTM-C97JM-9MPGT-3V66T key and it worked fine. The only difference is that once you have created the Client1 VM, go to Settings in Oracle VM and under 'Network' change the Network Adapter to Internal Network.

Link: https://www.tenforums.com/tutorials/95922-generic-product-keys-install-windows-10-editions.html


Should you run into problems with internet connection, run the command line and use the ipconfig command. For example, I noticed I did not have a default gateway.


I went back to Server Manager and then Tools, and selected DHCP. I went to IPv4 Server Options and went to Configure Options and had to add a Router and the IP address of the DC.


I then clicked on the domain server and restarted it and refreshed the IPv4.
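The missing default gateway described above comes from DHCP option 3 (Router) not being set. The following PowerShell check is an added example, not part of the original lab or of Josh Madakor's scripts; it verifies the Step 8 scope, the router and DNS options, and the AD authorization in one pass. The DC address 172.16.0.1 is an assumed placeholder for the INTERNAL adapter address set in Step 5, and Test-LabDhcpScope is a hypothetical helper name.

```powershell
# Added example. Run in an elevated PowerShell session on the domain controller.
# ASSUMPTION: $DcInternalIp is a placeholder; use the address you set on the
# INTERNAL adapter in Step 5. $ScopeId is the network ID of 172.16.0.100-200 /24.
$DcInternalIp = '172.16.0.1'
$ScopeId      = '172.16.0.0'
$Repair       = $false   # set to $true to write missing options to the scope

function Test-LabDhcpScope {
    param([string]$ScopeId, [string]$ExpectedIp, [bool]$Repair)
    $findings = @()

    # 1. The scope must exist and be active.
    $scope = Get-DhcpServerv4Scope -ScopeId $ScopeId -ErrorAction SilentlyContinue
    if (-not $scope) { return "Scope $ScopeId not found" }
    if ($scope.State -ne 'Active') { $findings += "Scope $ScopeId is $($scope.State)" }

    # 2. Option 3 (Router) and option 6 (DNS Servers) must hand out the DC address.
    #    Scope options and server options are both read, because either can supply
    #    the value. A missing option 3 leaves clients without a default gateway.
    $options  = @(Get-DhcpServerv4OptionValue -ScopeId $ScopeId -All -ErrorAction SilentlyContinue)
    $options += @(Get-DhcpServerv4OptionValue -All -ErrorAction SilentlyContinue)
    foreach ($id in 3, 6) {
        $values = ($options | Where-Object OptionId -eq $id).Value
        if ($values -notcontains $ExpectedIp) {
            $findings += "Option $id is missing or does not contain $ExpectedIp"
            if ($Repair -and $id -eq 3) { Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $ExpectedIp }
            if ($Repair -and $id -eq 6) { Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $ExpectedIp }
        }
    }

    # 3. A domain-joined DHCP server must be authorized in AD before it leases.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if (-not (Get-DhcpServerInDC | Where-Object DnsName -eq $fqdn)) {
        $findings += "DHCP server $fqdn is not authorized in Active Directory"
    }
    return $findings
}

$result = Test-LabDhcpScope -ScopeId $ScopeId -ExpectedIp $DcInternalIp -Repair $Repair
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else         { Write-Output "Scope $ScopeId hands out gateway and DNS server $DcInternalIp" }

# Leases issued so far; CLIENT1 appears here once it has booted on the internal network.
Get-DhcpServerv4Lease -ScopeId $ScopeId | Select-Object IPAddress, HostName, AddressState
```

After a repair, run ipconfig /renew on the client so it picks up the new options.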

Step 12 - Test Client Connection

I went ahead and ran the ping command on the cmd to ensure that the internet was working on the Client VM. This means that we have successfully set up the routing to the DC through the NICs and the infrastructure is complete.


I went ahead and used the 'hostname' command on the Client cmd line to check the name of the computer. Mine had already been configured, but if yours does not work then right-click the start button, go to system and scroll down to 'Rename this PC (advanced)'.


From here, go to "To rename this computer or change its domain or workgroup, click Change" at the bottom. I renamed the computer to Client1, and you can also change the 'Member of' setting to our domain. You will get a pop-up asking for authorization of the changes. You should be able to use the admin account we created earlier in the lab (e.g., a-amolinaro). Once you've authorized the change, you can click "Restart Now" to apply our changes. As that is restarting, go back to the Domain Controller VM and go to the DHCP folder. Expand the IPv4 server, and expand the Scope folder. Earlier, we did not have a lease, but since we've constructed the network, we now have designated leases.

On the DC VM, click on start and click Administrative Tools, click on Active Directory Users and Computers.


In the Active Directory folder, expand mydomain.com and click on 'Computers'. You can now see the CLIENT1 computer.

Step 13 - Test Sign In with New User Accounts

Back on the CLIENT1 computer, sign out if you are currently signed in and try to sign in with your username and password (not the admin account we created). If you remember, we created a regular user account with our name, and the password generated by the code should be: Password1. You should have to go through the Windows profile creator, but this means that we have created the Active Directory successfully!
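Several lab shortcuts taken above stay in effect after the lab is finished: the machine-wide Unrestricted execution policy from Step 10, the "Password never expires" box and the unprotected ADMIN OU from Step 6, and the Domain Admins membership. The following PowerShell audit is an added example, not part of the original lab or of Josh Madakor's scripts; it lists each of them so they can be reviewed. Get-LabSecurityFindings is a hypothetical helper name, and the ActiveDirectory module is assumed to be present, as it is on the DC.

```powershell
# Added example. Run in an elevated PowerShell session on the domain controller.
Import-Module ActiveDirectory

function Get-LabSecurityFindings {
    # 1. 'Set-ExecutionPolicy Unrestricted' without -Scope writes to LocalMachine
    #    and stays in effect after the user-creation script has finished.
    Get-ExecutionPolicy -List |
        Where-Object { "$($_.Scope)" -ne 'Process' -and "$($_.ExecutionPolicy)" -in 'Unrestricted', 'Bypass' } |
        ForEach-Object { [pscustomobject]@{
            Check = 'ExecutionPolicy'; Object = "$($_.Scope)"; Detail = "$($_.ExecutionPolicy)" } }

    # 2. Enabled accounts whose password never expires.
    Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties PasswordLastSet |
        ForEach-Object { [pscustomobject]@{
            Check = 'PasswordNeverExpires'; Object = $_.SamAccountName
            Detail = "PasswordLastSet=$($_.PasswordLastSet)" } }

    # 3. Every account that ends up in Domain Admins, including via nested groups.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        ForEach-Object { [pscustomobject]@{
            Check = 'DomainAdmin'; Object = $_.SamAccountName; Detail = $_.distinguishedName } }

    # 4. OUs with accidental-deletion protection switched off (the ADMIN OU here).
    Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
        ForEach-Object { [pscustomobject]@{
            Check = 'UnprotectedOU'; Object = $_.Name; Detail = $_.DistinguishedName } }
}

Get-LabSecurityFindings | Sort-Object Check, Object | Format-Table -AutoSize

# The lab script can be run without changing the machine-wide policy by relaxing
# it for the current PowerShell session only:
#   Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
# To put the LocalMachine scope back to the Windows Server default afterwards:
#   Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy RemoteSigned
```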
