Adding an Active Directory Forest to Our VirtualBox Lab

In this module, we will cover the steps to set up a small Active Directory forest in VirtualBox, including a domain controller and two client computers

2 years ago   •   15 min read

By 0xBEN
Table of contents

This module is a part of a larger series of building a security lab in VirtualBox. Click here to be taken back to the series landing page.

Building a Security Lab in VirtualBox
In this post, we we will take a look at an in-detail process of setting up an entry-level cybersecurity lab using VirtualBox




Active Directory Lab Overview

Note: if you don't want your AD lab to have Internet access, modify the firewall rules. I will not be showing you how to do this.

This guide will only cover the following concepts:

  • Configuring pfSense
  • Configuring the Domain Controller
  • Joining clients to the domain

The Cyber Mentor has a great ethical hacking course and part of this course covers Active Directory attacks.

Note: Some attacks require Kali to be on the same LAN as the targets. To change Kali's network configurations, do the following:

  1. Stop the VM
  2. Go to VirtualBox settings for Kali VM
  3. Change the network adapter to be on the AD_LAB LAN
  4. Start Kali again




Getting the Windows ISO Files

We will be getting the ISO files from the Microsoft Evaluation Center. Most of the ISOs you encounter here will have a lifespan of 90 -- 180 days of usage. Some say that you can extend beyond the lifespan and the VMs will still function just fine

Windows Server 2019

  • Please select your experience: ISO
  • Fill out your information (uncheck the box for additional communications)
  • Select your language and click Download

Windows 10 Enterprise

  • Please select your experience: ISO - Enterprise
  • Fill out your information (uncheck the box for additional communications)
  • Select 64bit and Select your language and click Download

Windows 7

When this page was initially written, these download links — on download.microsoft.com — for Windows 7 were functional. At last check — June 23, 2023 — these links are all dead.

I am leaving the links here in case anyone reading this would like to try and look for them on the Internet Archive.

Wayback Machine




Staging the VMs

Windows Server 2019

Click the New VM button

2048 MB is the minimum. 4096 is preferred.

Choose VDI > Choose Dynamically Sized > Go with the default of 50 GB

Right-click on the VM and go to settings. Now, go to Storage.

Choose a disk file

Choose: 17763.737.190906-2324.rs5_release_svc_refresh_SERVER_EVAL_x64FRE_en-us_1.iso – or whatever your .iso file name is.

Choose Network settings

Put the VM on the AD Lab network

Save the settings. Don't start the VM yet!





Windows 10 Enterprise Template

Create a new VM and give it the name: Win10EnterpriseTempalte

2048 MB is the minimum. 4096 MB is preferred.

Choose VDI > Choose Dynamically Sized > Go with the default of 50 GB

Right-click on the VM and go to settings. Now, go to Storage.

Choose a disk file

Choose: 19043.928.210409-1212.21h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso – or whatever your .iso file name is.

Choose Network settings

Put it on the AD Lab network




Install the Operating Systems

Windows Server 2019

Start the VM

Choose your language

Click Install Now

Choose Windows Server 2019 Standard Evaluation (Desktop Experience)

Click Next and accept the terms and conditions.

Click Next and wait for the installation to finish.

Press CTRL + ALT + DEL. Enter a local administrator password and save it to a password vault.





Configure the Network Interface

ℹ️
Remember! We disabled the DHCP service on pfSense for the AD Lab LAN, because we want the domain controller to act as the DHCP server. Therefore, the domain controller will not be automatically configured and we will have to set it up manually.

Right-click the network interface icon.

Choose Open Network & Internet Settings

Scroll down and choose Change adapter options

Right-click the adapter and choose Properties

Double-click Internet Protocol Version 4 (TCP/IPv4)

Configure your adapter as such:

For the DNS servers, the following will happen:

  1. First, check with the DNS server running on the domain controller (we will install this a bit later)
  2. If the DNS server doesn't know the answer, it will forward the DNS query to the default gateway and pfSense will resolve it





Rename the Server

Click the Start Menu and click Settings

Enter a name for your domain controller

Choose Restart Now. If a reason is required, choose Other (planned).





Configure Domain Services

Click Manage > Add Roles and Features

Click Next > Next > Next until you reach Server Roles. Check the following bokes:

  • Active Directory Domain Services
  • DNS Server (so we can resolve the domain controller by DNS name)
Click Add Features
Click Add Features

Click Next > Next > Next > Next > Install. Wait for the install to finish and click Close.





Configure Active Directory Domain Services

Log back into the domain controller as the local administrator and wait for the Server Manager app to load.

Click Promote this server to a domain controller

Choose Add a new forest and specify a root domain name. I chose ad.lab as my domain name, but you can choose any other local TLD.

TLDs such as .com, .org, .net will work as a local domain. Also, best not to use .local either, because that can interfere with multicast traffic.

Click Next. The default options are fine. Specify a restore password. You can use the same password as the local admin or something different. It doesn’t matter. Click Next.

Ignore this message

Click Next and continue with the defaults.

Looks good. Click Install and wait for it to complete.

The server will automatically reboot.

This process will take a while. Be patient.





Configure DNS Forwarders

The DNS server running on the domain controller will act as a resolver for the ad.lab domain (or whichever local domain you chose). We need a forwarder for any DNS query for which the DNS server does not know the answer.

We can use the pfSense default gateway as a downstream DNS server that the domain controller can pass queries to for any unknown hostnames.

Open up the Start Menu and search for DNS.

Expand DNS > DC1 and double-click Forwarders.

Click Edit and add the IP address of the default gateway. Click OK.





Add and Configure a DHCP Server

Open Server Manager and go to Manage > Add Roles and Features

Click Next > Next > Next

Click DHCP Server

Click Add Features and click Next > Next > Next > Install

Once the installation is complete, click on Complete DHCP Configuration

Click Next > Commit > Close > Close

Go to the Start Menu and search DHCP

Expand the DHCP server tree and right-click IPv4 and choose New Scope

Click Next and give your DHCP configuration a name and description. Then, click Next.

Configure the DHCP address space and subnet mask. Then, click Next.

We're not configuring any DHCP exclusions (reservations), so click Next.

We'll make it so clients' leases are good for one year. Click Next.

Click Next to configure it now.

Enter the address of the default gateway and click Add.

The default DNS configuration for DHCP clients is good here. Click Next.

We don't have a WINS server in our lab environment. Click Next.

Click Next to activate the DHCP scope and click Finish.





Adding a Domain Administrator Account

Go the Start Menu. Search for Active Directory Users and Computers and open the app.

Right click the domain name and click New > User
Fill out the fields with the user details
Set the password and password options
Click Users
Click Domain Admins
Enter the domain administrator username and click Check Names. Click OK > OK.
Sign out of the local administrator account




Add Some Users to the Lab

Log in as the new domain administrator.

Go the Start Menu. Search for Active Directory Users and Computers and open the app.

Right click your domain and choose New > User.





John Doe





Jane Doe





Add a Group Policy Object to Disable Protections on Client Machines

Open the Start Menu and search for Group Policy.

Expand your forest until you see your domain

Right-click your domain name and choose Create a GPO...

Click OK. Right-click on your new group policy object and click Edit…

Expand down into Computer Configuration > Policies > Administrative Templates > Windows Components

Click on Windows Defender Antivirus. Double-click Turn off Windows Defender Antivirus.

Set it to Enabled and click OK. Click on Real-time Protection.

Double-click Turn off real-time protection

Set it to Enabled and click OK. Now, go to Network > Network Connections > Windows Defender Firewall > Domain Profile.

Double-click Windows Defender Firewall: Protect all network connections

Set it to Disabled and click OK. Right-click the group policy object and set it to Enforced.





Force Update the Group Policy Settings on the Domain Controller

Right-click the Start Menu and open Windows PowerShell (Admin)

Run gpupdate /force





Windows 10 Enterprise Template

Power on the VM.

Choose your language and click Next

Choose Install Now and accept the terms and conditions. Choose Custom: Install Windows Only.

Click Next. Wait for the installation to finish.

Select your regional and language settings. Choose Domain join instead.

Enter the username Template, as this is going to be our template VM.

Enter a password and set security questions. Save the information in a password vault. Turn off all the services here.

Choose Not now for Cortana.





Sysprep the Template

Log into the system using the template credentials and open a PowerShell terminal as administrator.

Run the command:

C:\Windows\System32\Sysprep\sysprep.exe

Click OK. Let the sysprep process run to completion. The VM should shutdown.





Windows 10 Enterprise VM 1

Right click the Windows 10 Enterprise Template and choose Clone.

Click Clone and wait for process to complete.





Windows 10 Enterprise VM 2

Right click the Windows 10 Enterprise Template and choose Clone.

Click Clone and wait for process to complete.





Joining the Computers to the Domain

⚠️
I am only going to demonstrate this process on one of the VMs. Follow along and repeat this process on any other clients you want to join to the domain.

Windows 10 Ent VM 1

Start up and login to Win10Ent1 using the template credentials. Go to the Start Menu > Search for This PC > Right-click > choose Properties

Go to Advanced system settings
Click Computer Name
Click Change
Click More
Enter your local DNS suffix for your AD domain
Name your computer whatever you like
Enter your AD local domain
Enter the domain administrator credentials
Success!
You can now login as one of your domain users
Output from the whoami command




You Now Have a Small AD Forest

Congratulations! You now have a domain controller and two Windows 10 Enterprise clients joined to the domain controller.

If the VMs seem a little sluggish, you should probably increase the RAM on the VMs. Other than that, you are now ready for the next phase of your adventures.

ℹ️
REMEMBER! You enabled the DNS service on the Domain Controller. It is now the Start of Authority (SOA) for the ad.lab local domain. If you are having trouble resolving computer hostnames to IP addresses, compare what is in DNS with what is in the DHCP pool.
Open the DNS app from the Start Menu
Choose the ad.lab forward lookup zone (or whatever your local domain is)
You should see a list of records that are generated when the host joins the domain
Open the DHCP app from the Start Menu
Drill down to Address Leases and compare the IP addresses with your DNS records





Hack your Active Directory Lab

I encourage you to do some research on some courses that demonstrate some common Active Directory attacks. The Cyber Mentor has a great ethical hacking course and part of this course covers Active Directory attacks.

ℹ️
TCM uses the local domain marvel.local in his course. Our local domain is ad.lab .

Also, in his course, his domain administrator account and local users go by different accounts. In our lab, we have the following users:

  • Domain Admin: domain.admin@ad.lab
  • User 1: john.doe@ad.lab
  • User 2: jane.doe@ad.lab
⚠️
We have not set up a SQL service principal in this guide nor have we set up file shares. I'll try to add this in a future version.

Just remember these things when you're going through TCM's course, as there will be some differences.





Next Step: Troubleshooting Your Lab

Troubleshooting Your VirtualBox Lab
In this module, we will take a look at some common problems you may experience in your VirtualBox lab and how to begin fixing them.

Spread the word

Keep reading