
Active Directory Home Lab Setup and Configuration

Active Directory Home Lab Process and Walkthrough

Overview:

  • This project documents the process of setting up an Active Directory (AD) environment in a virtualized lab. The goal was to build a secure, manageable directory service that simulates a corporate environment for my own learning. The setup includes a domain controller, user management, group policy objects (GPOs), and group memberships.

Prerequisites:

  • Proxmox for hosting virtualized environment
  • Oracle VirtualBox Manager
  • Windows Server 2022 for Domain Controller
  • Windows 10 Enterprise for client machines
  • Active Directory Administrative Center

Network Setup:

  • The environment included one domain controller that was also configured as the DNS server. Virtualized Windows 10 client machines joined the domain so they could locate other clients on the network and so that logins, file sharing, and access control could be tested.

Server Configuration Process:

  • Running Proxmox on a home server, I installed Windows Server 2022 on a virtual machine to act as the domain controller.
  • Renamed the server to DC-01.
  • Used Server Manager to install Active Directory Domain Services and promote the server to a domain controller.
  • Created the AD domain homelab.local.
  • Assigned the server a static IP address and configured it as its own primary DNS server, with a secondary DNS server so it could still reach the internet.

Client Configuration Process:

  • Installed Windows 10 Enterprise on a client VM.
  • Set the client's primary DNS server to the domain controller's IP address, with a secondary DNS address (8.8.8.8) so the client could reach the internet.
  • Used the System Properties dialog to join the machine to the domain homelab.local, entering domain credentials when prompted.

User and Group Management:

  • Simulating an enterprise environment, I created three regional Organizational Units (OUs):
    • USA
    • Asia
    • Europe
  • Under each regional OU, I nested the following OUs to maintain a clean and organized structure:
    • Computers
    • Service Accounts
    • Users
  • Finally, another set of OUs was nested under Users, one for each department:
    • Accounting
    • HR
    • IT
  • The Computers OU holds the computers in each region.
  • The Service Accounts OU holds accounts set up for specific services, such as an autologon account for a kiosk or a printer station.
  • Individual user accounts were placed under their own department OU so that GPOs can be targeted at those departments and users as needed.
  • New users were created manually by entering their name, user logon name, and an initial password, with "User must change password at next logon" set for security.
  • A security group was also created for each department, named with a leading # (e.g. #HR_Department) for easy organization, and users were added to the corresponding group.
  • Used a PowerShell script to add a further 1000 users quickly and automatically.
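The kind of script described above, written here as an added example (it is not the author's script): it creates 1000 users spread across the regional and departmental OUs, gives each a random initial password that must be changed at first logon, and adds each to its department security group. It assumes the RSAT ActiveDirectory module, that the OUs and #<Dept>_Department groups already exist, and that it runs with domain admin rights on DC-01; the name pools are constructed.

```powershell
# Added example (not the author's script): bulk-create 1000 users into the
# homelab.local OU tree and add each one to its department security group.
# Assumes the RSAT ActiveDirectory module, that the OUs and #<Dept>_Department
# groups already exist, and that it runs as a domain admin on DC-01.
Import-Module ActiveDirectory

$DomainDN    = 'DC=homelab,DC=local'
$Regions     = 'USA', 'Asia', 'Europe'
$Departments = 'Accounting', 'HR', 'IT'
$UserCount   = 1000

# Constructed name pools; a real run would read these from an HR CSV export.
$FirstNames = 'Alex', 'Jordan', 'Sam', 'Casey', 'Morgan', 'Taylor', 'Riley', 'Jamie'
$LastNames  = 'Lee', 'Patel', 'Garcia', 'Kim', 'Nguyen', 'Smith', 'Okafor', 'Rossi'

function New-InitialPassword {
    # 16 characters drawn from upper, lower, digit and symbol ranges, so every
    # generated value satisfies the domain's complexity requirement.
    $sets  = @((65..90), (97..122), (48..57), (33..47))
    $chars = foreach ($s in $sets) { $s | Get-Random -Count 4 | ForEach-Object { [char]$_ } }
    -join ($chars | Get-Random -Count $chars.Count)     # shuffle the order
}

for ($i = 1; $i -le $UserCount; $i++) {
    $region = $Regions[$i % $Regions.Count]
    $dept   = $Departments[$i % $Departments.Count]
    $given  = $FirstNames[$i % $FirstNames.Count]
    $sur    = $LastNames[($i * 7) % $LastNames.Count]
    # Suffix the logon name with the sequence number so 1000 generated users
    # never collide (sAMAccountName is limited to 20 characters).
    $sam    = ('{0}{1}{2:d4}' -f $given.Substring(0, 1), $sur, $i).ToLower()
    $ouPath = "OU=$dept,OU=Users,OU=$region,$DomainDN"
    $group  = "#${dept}_Department"

    # Skip accounts that already exist so the script can be re-run safely.
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { continue }

    $initial = ConvertTo-SecureString -String (New-InitialPassword) -AsPlainText -Force
    # -Name is the CN and must be unique within the OU, so use the logon name
    # rather than the (often repeated) display name.
    New-ADUser -Name $sam -DisplayName "$given $sur" -GivenName $given -Surname $sur `
        -SamAccountName $sam -UserPrincipalName "$sam@homelab.local" `
        -Department $dept -Path $ouPath -AccountPassword $initial `
        -ChangePasswordAtLogon $true -Enabled $true      # must change password at first logon
    Add-ADGroupMember -Identity $group -Members $sam
}
```

The initial passwords are never written anywhere; because each account is flagged to change its password at first logon, the helpdesk resets the password when the user is onboarded.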

Group Policy Management:

  • The following GPOs were created and enabled, emulating corporate best practices:
    • Password Policy to enforce strong passwords and enhance security:
      • Maximum password age of 90 days
      • Minimum password length of 5 characters with complexity requirements enabled
    • Account Lockout Policy to prevent brute-force attacks:
      • Account lockout duration and reset lockout counter of 30 minutes
      • Account lockout after 3 invalid logon attempts
    • Drive Mapping:
      • Set up two automatically mapped drives for each department:
        • A department-specific shared drive for sharing within the department
        • A shared folder mapped for all departments
        • Set NTFS permissions according to each share's purpose, such as giving a group full control or read-only access
    • Restricted Access to Control Panel:
      • Restricted access to the Control Panel for all users and departments except the IT OU, to prevent accidental changes to system configuration
    • Disabled USB Storage:
      • Disabled USB storage access for all users except the IT department, to meet organizational security and privacy requirements
    • Desktop Wallpaper Policy:
      • Set a default wallpaper for all users
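A check that the password and lockout settings above actually took effect, written as an added example (not part of the original post). It reads the effective domain policy and compares it with the values listed; it assumes the RSAT ActiveDirectory module and the domain name homelab.local.

```powershell
# Added example (not the author's code): verify that the effective domain
# password and lockout policy matches the values the lab's GPOs are meant to set.
# Assumes the RSAT ActiveDirectory module. Note that password and lockout
# settings are only honoured from GPOs linked at the domain root; a copy linked
# to an OU silently does nothing, which is exactly what this check would reveal.
Import-Module ActiveDirectory

# Expected values, taken from the GPO list above.
$Expected = @{
    MaxPasswordAgeDays     = 90
    MinPasswordLength      = 5
    ComplexityEnabled      = $true
    LockoutThreshold       = 3
    LockoutDurationMinutes = 30
    LockoutWindowMinutes   = 30
}

function Test-LabPasswordPolicy {
    param([string]$Domain = 'homelab.local')

    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $actual = @{
        MaxPasswordAgeDays     = [int]$p.MaxPasswordAge.TotalDays
        MinPasswordLength      = $p.MinPasswordLength
        ComplexityEnabled      = $p.ComplexityEnabled
        LockoutThreshold       = $p.LockoutThreshold
        LockoutDurationMinutes = [int]$p.LockoutDuration.TotalMinutes
        LockoutWindowMinutes   = [int]$p.LockoutObservationWindow.TotalMinutes
    }

    # One row per setting; Match is $false wherever the live policy deviates.
    foreach ($k in $Expected.Keys) {
        [pscustomobject]@{
            Setting  = $k
            Expected = $Expected[$k]
            Actual   = $actual[$k]
            Match    = ($actual[$k] -eq $Expected[$k])
        }
    }
}

$report = Test-LabPasswordPolicy
$report | Format-Table -AutoSize
if ($report.Match -contains $false) {
    Write-Warning 'Domain policy differs from the intended GPO settings; check the GPO link at the domain root.'
}
```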

Troubleshooting and Issues Encountered:

  • Setup was fairly straightforward, with only a couple of issues:
    • Issue: During my first setup, I created the AD domain and promoted the server to a domain controller BEFORE renaming the server. This caused a critical error: after rebooting the server I was locked out and could not log into the domain.
      • Solution: This taught me to rename any workstation or server before doing any further configuration, to prevent this kind of issue.
    • Issue: One client was unable to join the domain due to a DNS resolution failure.
      • Solution: Verified the DNS configuration on the client machine to make sure the domain controller's IP address was listed as the primary DNS server.
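A pre-join check for the DNS failure described above, written as an added example (not part of the original post) to run on the Windows 10 client before attempting the join. It confirms that the domain controller is the first DNS server on each active adapter and that both the domain name and the DC locator SRV record resolve through it; the domain name homelab.local comes from the post, while DcAddress is a placeholder for the DC's IP.

```powershell
# Added example (not the author's code): run on the Windows 10 client before a
# domain join to catch the DNS misconfiguration described above. Uses the
# built-in DnsClient cmdlets; DcAddress is a placeholder for DC-01's static IP.
function Test-DomainJoinDns {
    param(
        [string]$Domain    = 'homelab.local',
        [string]$DcAddress = '<DC-01 IP address>'
    )
    $ok = $true

    # 1. The DC must be listed FIRST. If a public resolver such as 8.8.8.8 is
    #    primary, it answers NXDOMAIN for homelab.local and the join fails.
    $adapters = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }
    foreach ($a in $adapters) {
        if ($a.ServerAddresses[0] -ne $DcAddress) {
            Write-Warning "$($a.InterfaceAlias): primary DNS is $($a.ServerAddresses[0]), expected $DcAddress"
            $ok = $false
        }
    }

    # 2. The domain name and the DC locator record must resolve via that server.
    $queries = @(
        @{ Name = $Domain;                        Type = 'A'   },
        @{ Name = "_ldap._tcp.dc._msdcs.$Domain"; Type = 'SRV' }
    )
    foreach ($q in $queries) {
        try {
            $r = Resolve-DnsName -Name $q.Name -Type $q.Type -Server $DcAddress -ErrorAction Stop
            Write-Host "OK   $($q.Type) $($q.Name) ($(@($r).Count) record(s))"
        } catch {
            Write-Warning "FAIL $($q.Type) $($q.Name): $($_.Exception.Message)"
            $ok = $false
        }
    }
    return $ok
}

if (-not (Test-DomainJoinDns)) {
    Write-Warning 'Fix the DNS client settings before joining the domain.'
}
```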

Conclusion:

  • The project was a success, giving me valuable experience and insight into configuring and managing an Active Directory environment. All components functioned as expected, and the work taught me about the complexities of DNS, GPOs, and user management. In the future, I plan to extend this setup with additional servers for redundancy, as well as integrating more services and improving security settings.
