Adding an Active Directory Forest to Our Proxmox Lab

In this module, we will cover the steps to set up a small Active Directory forest in Proxmox, including a domain controller and two client computers

2 years ago   •   19 min read

By 0xBEN
Table of contents

This page is part of the larger series of converting an old laptop into a bare metal home lab server. Click the link to be taken back to the original post.

Proxmox VE 8: Converting a Laptop into a Bare Metal Server
In this post, we will take a look at an in-detail process of setting up a Proxmox home lab on a bare metal server.





The nature of this section is to help you get the following components added and connected to form a small Active Directory (AD) forest:

  • Domain Controller (DC)
  • 2 Windows 10 Enterprise hosts

This is not intended to be an exhaustive resource on AD.





Warning: Additional Compute Resources Required

Windows is a very demanding operating system. If your Proxmox node is running out of resources as you have been building out your lab, you have the following options:

  • Upgrade any hardware components where possible
  • Power off some other VMs or containers and see if you can free up resources
    • Keep the Windows hosts off whenever you do not need them
    • Remember, you will need the resources available whenever you want to run the Windows hosts
  • Add another Proxmox server and build out your lab over there
    • This option will require you to rebuild a pfSense lab with Open vSwitch and any desired VLANs. It won’t need to be an exact copy of the one we already set up





Getting the ISO Files

Refer back to this page for links to download Windows ISOs.

Running Windows Guests on Proxmox
In this module, we will look at the optimal way to run Windows guests in our Proxmox home lab

Once the ISOs are downloaded, be sure to transfer them to your Proxmox node.





Staging the Network

Adding a VLAN

I am not going to walk you through creating the VLAN. We've already learned this exercise. Please reference the link below if you need a refresher on adding new VLANs, interfaces, and subnets to your cyber range.

Create a pfSense VM for Security Infrastructure
In this module, we will look at setting up a pfSense firewall in VM to segment our home lab network

You need to add this VLAN to your cyber range:

  • VLAN ID Number: 80
  • VLAN Network ID: 10.80.80.1/24
  • Interface Name: AD_LAB
  • DO NOT ENABLE the DHCP server on this VLAN, as the Domain Controller is going to be filling that role

Hands-On Example of Adding the VLAN

If you prefer a bit more of a walkthrough of adding the VLAN, IP3C4C does an outstanding job demonstrating how to add the VLAN to Proxmox Open vSwitch and pfSense. His write-up is also a bit of a spin-off of mine with a few deviations.

  • Whereas I use the ad.lab local domain, he follows The Cyber Mentor's naming conventions to keep it in line with the PEH course
  • He also uses the groups and users from the PEH course as well, whereas I use a different username convention
HomeLab - Proxmox Part 07c - Staging the Network
Create a subnet for our AD Lab





Creating an AD Lab the Insecure Way

Typically you should not put your domain controllers (DC) on the same subnet as the clients. You create a separate /29 subnet and put your DCs there. Then, create a separate subnet for your clients and make them routable.

While it would be good to adhere to best practices, this is a learning environment. Therefore, you will be creating a flat AD lab network, and putting all of the infrastructure on the same broadcast domain. That way you can leverage as many attacks as possible.

Kali and the AD infrastructure are all in the same broadcast domain





Getting Kali on the AD VLAN

We started out by putting Kali on the native LAN. We need to move Kali to the AD VLAN in order to learn about as many attacks as possible. It's easy to make the change.

  1. In Proxmox, change the Kali VM's network interface so that it is on VLAN 80
  2. In Kali, run these commands:

Replace <interface-name> with your Kali VM's interface

sudo ip link set <interface-name> down
sudo ip link set <interface-name> up





Putting Kali Back on the Native VLAN

If you want to move Kali back to the native VLAN, just reverse your steps:

If you want to move Kali back to the native VLAN, just reverse your steps:

  1. In Proxmox, change the Kali VM's network interface so that there is no VLAN ID
  2. In Kali, run these commands:

Replace <interface-name> with your Kali VM's interface

sudo ip link set <interface-name> down
sudo ip link set <interface-name> up





Running Windows Guests on Proxmox

Refer back here for a refresher on general best practices when running Windows guests on Proxmox.

Running Windows Guests on Proxmox
In this module, we will look at the optimal way to run Windows guests in our Proxmox home lab





Windows Server 2019: The Domain Controller

Installation and Initial Setup

This is your template when creating the VM in Proxmox.

General

OS

System

Hard Disk

CPU

Memory

Network

Drivers Disc

Add another CD/DVD drive to your VM and load the VirtIO drivers disc.

Don't start the VM yet





Verify the Boot Order

Ensure the VirtIO drivers disc is unchecked.





Installing Windows Server 2019

Power on the VM and open a NoVNC console.

Choose your language and click Next.

Choose Install Now and choose Windows Server 2019 Standard Evaluation (Desktop Experience)

Click Next. Accept the terms and conditions. Choose Custom: Install Windows Only.





Load the SCSI Driver

Choose Load Driver > OK

Click Browse and expand this disk

Go to vioscsi > 2k19 > amd64

Choose this driver

Click Next and wait for it to finish loading.





Load the Network Driver

Choose Load Driver > OK

Click Browse and expand this disk

Go to NetKVM> 2k19 > amd64

Choose this driver

Click Next and wait for it to finish loading.





Finish the Installation

Click Next and wait for the installation to finish.

Once the installation is finished, set the local administrator password and save it. You could put it in a password manager, or you can put it in the Notes field of the VM.

Click on your VM and go to Summary. Double click here to save a note.





Configure the Network Interface

ℹ️
Remember! We disabled the DHCP service on pfSense for the AD Lab LAN, because we want the domain controller to act as the DHCP server. Therefore, the domain controller will not be automatically configured and we will have to set it up manually.

Right-click the network interface icon.

Choose Open Network & Internet Settings

Scroll down and choose Change adapter options

Right-click the adapter and choose Properties

Double-click Internet Protocol Version 4 (TCP/IPv4)

Configure your adapter as such:

For the DNS servers, the following will happen:

  1. First, check with the DNS server running on the domain controller (we will install this a bit later)
  2. If the DNS server doesn't know the answer, it will forward the DNS query to the default gateway and pfSense will resolve it





Rename the Server

Open the Start Menu and click the Settings icon.

Enter a name for your server

Choose Restart Now. Enter Other (planned) for the reason.





Take a Snapshot of the VM

In Proxmox, click on your Windows Server 2019 VM and go to Snapshots. Click Take Snapshot. Set the following values:

  • Name: WinServer2k19_PreDomain
  • Include RAM: yes
  • Description: Windows Server 2019 Active Directory Domain Services installed. Pre-domain-controller configuration.

Now, we can restore this snapshot any time if we want to roll back to a pre-domain install.





Configure Domain Services

Installing the Domain Controller

Click Manage > Add Roles and Features

Click Next > Next > Next until you reach Server Roles. Check the following bokes:

  • Active Directory Domain Services
  • DNS Server (so we can resolve the domain controller by DNS name)
Click Add Features
Click Add Features

Click Next > Next > Next > Next > Install. Wait for the install to finish and click Close.





Configure Active Directory Domain Services

Log back into the domain controller as the local administrator and wait for the Server Manager app to load.

Click Promote this server to a domain controller

Choose Add a new forest and specify a root domain name. I chose ad.lab as my domain name, but you can choose any other local TLD.

TLDs such as .com, .org, .net will work as a local domain. Also, best not to use .local either, because that can interfere with multicast traffic.

Click Next. The default options are fine. Specify a restore password. You can use the same password as the local admin or something different. It doesn’t matter. Click Next.

Ignore this message

Click Next and continue with the defaults.

Looks good. Click Install and wait for it to complete.

The server will automatically reboot.

This process will take a while. Be patient.





Configure DNS Forwarders

The DNS server running on the domain controller will act as a resolver for the ad.lab domain (or whichever local domain you chose). We need a forwarder for any DNS query for which the DNS server does not know the answer.

We can use the pfSense default gateway as a downstream DNS server that the domain controller can pass queries to for any unknown hostnames.

Open up the Start Menu and search for DNS.

Expand DNS > DC1 and double-click Forwarders.

Click Edit and add the IP address of the default gateway. Click OK.





Add and Configure a DHCP Server

Open Server Manager and go to Manage > Add Roles and Features

Click Next > Next > Next

Click DHCP Server

Click Add Features and click Next > Next > Next > Install

Once the installation is complete, click on Complete DHCP Configuration

Click Next > Commit > Close > Close

Go to the Start Menu and search DHCP

Expand the DHCP server tree and right-click IPv4 and choose New Scope

Click Next and give your DHCP configuration a name and description. Then, click Next.

Configure the DHCP address space and subnet mask. Then, click Next.

We're not configuring any DHCP exclusions (reservations), so click Next.

We'll make it so clients' leases are good for one year. Click Next.

Click Next to configure it now.

Enter the address of the default gateway and click Add.

The default DNS configuration for DHCP clients is good here. Click Next.

We don't have a WINS server in our lab environment. Click Next.

Click Next to activate the DHCP scope and click Finish.





Add a Domain Administrator Account

Go the Start Menu. Search for Active Directory Users and Computers and open the app.

Add a new user
Fill out the properties
Set a password

Click on Users and choose Domain Admins

Click on Members > Add. Enter the username, click Check Names. Click OK > OK.

Log out of the local administrator account.





Add Some Users to the Lab

Log in as the domain administrator.

Go the Start Menu. Search for Active Directory Users and Computers and open the app.

Right click your domain. Choose New > User





John Doe

Set the account details
Set a password and password options\





Jane Doe

Set the account details
Set a password and password options





Add a Group Policy Object to Disable Protections on Client Machines

Open the Start Menu and search for Group Policy

Expand your forest until you see your domain

Right-click your domain name and choose Create a GPO...

Click OK. Right-click on your new group policy object and click Edit…

Expand down into Computer Configuration > Policies > Administrative Templates > Windows Components

Click on Windows Defender Antivirus

Set it to Enabled and click OK

Click on Real-time Protection

Double-click Turn off real-time protection

Set it to Enabled and click OK

Now, go to Network > Network Connections > Windows Defender Firewall > Domain Profile

Double-click Windows Defender Firewall: Protect all network connections

Set it to Disabled and click OK

Right-click the group policy object

Turn on the Enforced option





Force Update the Group Policy Settings on the Domain Controller

Right-click the Start Menu and open Windows PowerShell (Admin)

Run this command





Windows 10 Enterprise Clients

Preparing a Template VM

General

OS

System

Hard Disk

CPU

Memory

Network

Drivers Disc

Add another CD/DVD drive to your VM and load the VirtIO drivers disc.

Don't start the VM yet





Verify the Boot Order





Installation and Initial Setup

Choose your language and click Next.

Click Next. Accept the terms and conditions. Choose Custom: Install Windows Only.





Load the SCSI Driver

Choose Load Driver > OK

Click Browse and expand this disk

Go to vioscsi > 2k19 > amd64

Choose this driver

Click Next and wait for it to finish loading.





Load the Network Driver

Choose Load Driver > OK

Click Browse and expand this disk

Go to NetKVM> 2k19 > amd64

Choose this driver

Click Next and wait for it to finish loading.





Finish the Installation

Click Next and wait for the installation to finish.

Select your regional and language settings. Then, choose Domain join instead.

Enter Template and click Next.

Enter a password and set security questions. I recommend saving them somewhere. You can use the Notes field of the VM in Proxmox.

Turn off all the services.

Choose Not now for Cortana





Sysprep the Template

Log into the system using the template credentials and open a PowerShell terminal as administrator.

Run the command:

C:\Windows\System32\Sysprep\sysprep.exe

Click OK. Let the sysprep process run to completion. The VM should shutdown.





Convert the VM to a Template

Go to Proxmox and right-click the Windows 10 Enterprise VM. Then, choose Convert to template.

We will use this template any time we want to create a new Windows 10 Enterprise VM, rather than go through this build process every time.





Create the Domain Computers

In Proxmox, you can identify a template by its icon.

Example template

Right-click the template and choose clone

Use a full clone

Create one more clone

Use a full clone

Start up both VMs.





Joining the Computers to the Domain

⚠️
I am only going to demonstrate this process on one of the VMs. Follow along and repeat this process on any other clients you want to join to the domain.

Log into one of the VMs using the template credentials we created earlier. Go to the Start Menu > Search This PC > Right-click > choose Properties.

Go to Advanced System Settings

Click on Computer Name

Click Change

Click More

Set the DNS suffix to match your domain forest. Uncheck the box.

Change the  computer name to anything you'd like

Choose Member of domain and set it to your domain forest

You will get a prompt. Enter the domain admin credentials.

Success!

Reboot the VM. You can now login to the computer as john.doe@ad.lab or jane.doe@ad.lab.

Repeat this process on the other Windows 10 Enterprise VM.





You Now Have a Small AD Forest

Congratulations! You now have a domain controller and two Windows 10 Enterprise clients joined to the domain controller.

If the VMs seem a little sluggish, you should probably increase the RAM on the VMs. Other than that, you are now ready for the next phase of your adventures.

ℹ️
REMEMBER! You enabled the DNS service on the Domain Controller. It is now the Start of Authority (SOA) for the ad.lab local domain. If you are having trouble resolving computer hostnames to IP addresses, compare what is in DNS with what is in the DHCP pool.
Open the DNS app from the Start Menu
Choose the ad.lab forward lookup zone (or whatever your local domain is)
You should see a list of records that are generated when the host joins the domain
Open the DHCP app from the Start Menu
Drill down to Address Leases and compare the IP addresses with your DNS records





Hack your Active Directory Lab

I encourage you to do some research on some courses that demonstrate some common Active Directory attacks. The Cyber Mentor has a great ethical hacking course and part of this course covers Active Directory attacks.

ℹ️
TCM uses the local domain marvel.local in his course. Our local domain is ad.lab .

Also, in his course, his domain administrator account and local users go by different accounts. In our lab, we have the following users:

  • Domain Admin: domain.admin@ad.lab
  • User 1: john.doe@ad.lab
  • User 2: jane.doe@ad.lab
⚠️
We have not set up a SQL service principal in this guide nor have we set up file shares. I'll try to add this in a future version.

Just remember these things when you're going through TCM's course, as there will be some differences.





Next Step: Creating a Windows 7 Buffer Overflow VM

Creating a Windows 7 Buffer Overflow Practice VM in Proxmox
In this module, we will look at creating a vulnerable Windows 7 VM in Proxmox that will run some applications which are vulnerable to 32-bit stack-based buffer overflows

Spread the word

Keep reading