Setting up Windows AD Lab

One of the important things to do before anyone jumps into AD security is setting up an Active Directory on a Windows server. This is one of those things that feels empowering for some reason, at least to me. Anyway, let's not get too sentimental about it and begin.

We'll be using Windows Server 2019 for the Domain Controller (DC), and we'll set that up first. In later posts we'll join other machines to this DC; for now, we'll set up the DC and AD DS (Active Directory Domain Services).

So let's begin.

Step 1

Log in to your Windows Server using RDP or the console, whichever is available to you right now, and open Server Manager. Select "Add roles and features" from the Dashboard screen.

Step 2

Now follow the screens shown below. The steps here are simple, so don't stress over them; I'll provide explanations where I feel they are essential.

One of those pages which are meant to be skipped.
Remote Desktop Services – Is an amazing feature, but let’s focus on Role Based and Feature based installation for now
I know, I have an ugly server name. I’ll change it later. Don’t worry it is possible.
Select Active Directory Domain Services
Accept defaults, if you know better do as you please.
It won't restart automatically throughout the process, but it is good to let it know that we accept the installer's life choices.
Let this process complete.

Step 3

Now that AD DS is installed, we'll promote this server to a Domain Controller. So far we have only installed the AD DS binaries; there is no domain yet and no DC to serve it. Creating both is exactly what we'll be doing in this step.

We can start the DC promotion from within the Server Manager console itself (the notification flag after the role install).
This is the first screen we'll see. Don't be scared; it looks daunting but is easy to understand.

As we are setting up a fresh forest and a fresh domain in that forest, we'll choose the option to "Add a new forest," then define what our root domain will be called; for me, it is "windows.local." Once we define the root domain name, we can move on to the next step. (A caveat: ".local" is reserved for multicast DNS and Microsoft recommends against it for new domains; a subdomain of a DNS name you control, such as "lab.example.com", avoids resolution conflicts later. It works fine in an isolated lab, which is why I kept it.)

If we had been adding a new domain to an existing forest, we would have chosen the second option. A single-domain forest is all we need for this lab, but multi-domain forests are perfectly valid and common in larger environments.

The first option is to add a new domain controller to an existing domain; that could be an additional writable DC for redundancy and load sharing (there are no "backup" DCs in AD, every writable DC is a peer) or a Read-Only Domain Controller (RODC).

Configure as required.

In layman's terms, "functional levels" define the oldest Windows Server version that is allowed to run as a domain controller in this domain (and forest); raising the level also unlocks features such as newer Kerberos and replication options. Note that the level only constrains DCs: member servers and clients running Windows 8 or 2012 R2 can join a domain at any functional level. I chose 2012 anyway, since I plan to add Windows 8 and 2012 R2 machines and a lower level keeps the option of later adding a 2012 R2 DC open. A level can be raised later but not lowered.

The NetBIOS name defines what our logins will look like, e.g., the Administrator account will be called winlab\Administrator. The NetBIOS name can be anything of your choice, but keep it to 15 characters, and pick carefully: changing it after promotion means renaming the domain, which is painful.

The prerequisites check flags a mistake in our steps: we did not set a static IP address for this machine. Let's tackle that first.

Step 3A

Setting up a static IP address for the machine. We want our DC to stay in one place and not change its IP address on boot. The DC is also the DNS server that every domain member points at to locate the domain (via the SRV records under _msdcs). If its DHCP lease expires and we reboot, the machine may come up with a new IP address; the members will still be pointing at the old one, name resolution will fail, and with it logons, Group Policy and everything else that depends on AD. To avoid situations like these, we always give domain controllers static IP addresses. That is exactly what we are going to do in this step.

Open the attached network interface.
Optionally uncheck IPv6 (Microsoft does not recommend disabling it, but it keeps the lab simple), then open the properties for IPv4.
Set a static address and gateway, and set the preferred DNS server to the DC's own IP address (or 127.0.0.1). Do not list Google or another public resolver as the alternate: a client that falls back to a public DNS server cannot find the domain. External names should instead be resolved through a forwarder configured in the DNS Server role after promotion.
Now, if we re-run the prerequisites check, we'll have one less error, and we can continue with the installation.

Once you click Install, the promotion will begin, and there will be a restart (or two) before it is complete and you are allowed to log in to the machine again, now as the domain Administrator. Once you've logged in, we'll move on to giving our machine a respectable name; right now it is the gibberish generated during Windows installation.

Step 4

Changing hostname of the machine.

This step can be done before installation as well; however, I chose to do it later. If you haven't joined any machine to this domain yet, you can still do it now. Still, please consider renaming the server before installing AD DS as a general good practice: a DC's name is baked into its DNS records and service principal names, and renaming it afterwards means those have to be re-registered (Microsoft's supported route is netdom computername, which adds the new name first and then makes it primary).

Open the Server Manager console. Select Local Server and click on the computer name.
It will show a warning that this is a domain controller. Accept the warning and select Change.
Enter the appropriate computer name and select OK on the restart warning.
This is our DC, with the new hostname and AD DS installed.
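The same four steps, in the order the post recommends (rename first, then static IP, then role install, then promotion), as an unattended PowerShell build. This is an added example and not part of the original post; the interface alias "Ethernet", the 10.10.10.0/24 addressing, the hostname DC01 and the names windows.local / WINLAB are assumptions to change for your own lab.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session on a
# fresh Windows Server 2019. Assumed lab values; adjust to match your network.
$Lab = @{
    InterfaceAlias = 'Ethernet'       # check with Get-NetAdapter; VMware often uses 'Ethernet0'
    IPAddress      = '10.10.10.5'
    PrefixLength   = 24
    Gateway        = '10.10.10.1'
    HostName       = 'DC01'
    DomainName     = 'windows.local'  # see the caveat about .local in Step 3
    NetBiosName    = 'WINLAB'         # max 15 characters, hard to change after promotion
}

# Step 4, done first: rename before promotion so DNS records and SPNs get the final name.
# The box reboots; log back in and run the script again to continue.
if ($env:COMPUTERNAME -ne $Lab.HostName) {
    Rename-Computer -NewName $Lab.HostName -Force -Restart
    return
}

# Step 3A: static address. Drop the DHCP lease and any leased route first.
$nic = Get-NetAdapter -Name $Lab.InterfaceAlias
Set-NetIPInterface -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress $Lab.IPAddress `
    -PrefixLength $Lab.PrefixLength -DefaultGateway $Lab.Gateway | Out-Null

# The DC points at itself for DNS. No public resolver here: a DC or member that falls back
# to 8.8.8.8 cannot find the domain's SRV records. External names go through a forwarder.
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $Lab.IPAddress

# Steps 1-2: install the AD DS role (and DNS, which promotion would add anyway).
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# Step 3: promote to the first DC of a new forest. 'Win2012' matches the post's choice of
# functional level; it constrains which OS versions may act as DCs, not which clients may join.
Import-Module ADDSDeployment
$dsrm = Read-Host -AsSecureString 'DSRM (Directory Services Restore Mode) password'
Install-ADDSForest `
    -DomainName $Lab.DomainName `
    -DomainNetbiosName $Lab.NetBiosName `
    -DomainMode 'Win2012' `
    -ForestMode 'Win2012' `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $dsrm `
    -Force
# The server reboots. After logging in as WINLAB\Administrator, verify the result:
#   Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode
#   Resolve-DnsName -Type SRV "_ldap._tcp.dc._msdcs.windows.local"
#   dcdiag /q
# and, only if the lab needs Internet name resolution, add a forwarder on the DC's DNS server:
#   Add-DnsServerForwarder -IPAddress 8.8.8.8
```

The verification commands at the end are the checks worth running before joining any other machine: if the SRV lookup for _ldap._tcp.dc._msdcs fails from the DC itself, members will not be able to find the domain either, and the usual cause is a DNS client setting pointing somewhere other than the DC.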

Now we have completed the installation of the AD DS role on a machine and promoted it to a Domain Controller. We will take a look at exploiting these machines and setups in later posts. However, this is it for now.

If you need to learn how to spin up a Windows Server machine faster, look at my post about using SysPrep for faster provision of windows machines.

If you have questions or need help setting things up, reach out to me @jtnydv