By: Nicolas Foster
This guide demonstrates how to set up a Domain Controller (DC) with users. A PowerShell script will be used to create approximately 1000 users. A client PC named CLIENT-1 will be virtualized and joined to the domain. Once CLIENT-1 becomes part of our domain, it automatically receives a private IP address from a pool of addresses, and any username and password contained in the Domain Controller database can sign in to the newly added client PC. This step-by-step tutorial offers a foundational understanding of setting up a corporate Domain Controller and serves as a starting point for those looking to gain expertise in Windows Server.
Requirements:
• Windows Server 2022 ISO
• Windows 10 ISO (Windows Pro)
• VirtualBox Installer
• VirtualBox Extension Pack
The required software should ONLY be downloaded from official Microsoft and VirtualBox sources. Download the OS ISOs, VirtualBox Installer, and VirtualBox Guest Extension Pack. Install VirtualBox and the Extension Pack.
Open VirtualBox, select New, name what will become the Domain Controller, and select the Windows Server 2022 ISO.
Remember to CHECK {Skip Unattended Installation} so that the installation is attended and we know everything is properly configured.
Give the Windows Domain Controller virtual machine an appropriate amount of CPU cores and RAM as defined by local physical hardware.
Go to Network settings in the virtual machine configuration. The virtualized Domain Controller will use two Network Interface Cards (NICs), one for external internet, and the other for internal private network.
Adapter 1 operates as a Network Address Translator (NAT), serving as an intermediary that translates IP addresses from the server to our Small Office/Home Office (SOHO) router. Subsequently, the SOHO router employs another NAT process to transform the IP addresses for communication with the broader Internet. In essence, Adapter 1, our NIC, facilitates the server's connectivity to the Internet:
Adapter 2 is not directly connected to the internet; it serves as our private network NIC. This is the NIC where all devices within the domain are connected, creating a closed, private network:
Equipping the server with two NICs results in the isolation of clients from the internet, allowing only domain-related network traffic. This approach is valuable for maintaining comprehensive control over the domain while minimizing the potential for malware, data leaks, and more.
Here is a visualization of the Network:
After the network has been set up, run the virtual machine and install Windows Server 2022 Standard Evaluation (Desktop Experience):
Windows Server 2022 will likely restart a few times during the installation process. Eventually a configuration screen appears, and the Administrator password must be set. Choose a strong password (14 characters long, includes upper and lower letters, special characters, and numbers).
Only VirtualBox's own input features can send key combinations such as Ctrl+Alt+Delete to the virtual machine to unlock the server. To send Ctrl+Alt+Delete, go to the VirtualBox menu and select {Input > Keyboard > Insert Ctrl-Alt-Del}, then enter the Administrator password that was just created to log in to the Domain Controller for the first time.
To make interacting with the virtualized server more comfortable, install the VirtualBox Guest Additions. Go to {Devices > Insert Guest Additions CD Image…}, then launch File Explorer, navigate to the CD Drive, run VBoxWindowsAdditions-amd64.exe, select the option to reboot manually later, and do an unplanned restart.
Now the screen size can be adjusted from the VirtualBox menu with {View > Adjust Window Size}, which makes the emulation experience more comfortable.
Once the basic setup is finished, the next step is to configure the Windows Server.
Change the names of the default internet and internal NICs so they are easily identifiable when setting up server roles and features. Navigate to {Network Connections > right-click NIC > Rename}:
The _INTERNET_ NIC can be identified by its IP address, cross-referenced with the output of the ipconfig command. This is the NIC that interfaces with the router and the Internet:
_VB_INTERNAL_NIC_ is the internal VirtualBox private network NIC. It is identified by viewing the NIC's IP address in its details: it shows an Automatic Private IP Addressing (APIPA) address because it has neither a DHCP-assigned nor a static IP yet:
Modify the IP address of _VB_INTERNAL_NIC_.
{Right-click _VB_INTERNAL_NIC_ > Properties > Select Internet Protocol Version 4 (TCP/IPv4) > Properties} and enter the following static IP address, subnet mask, and preferred DNS server for the internal NIC:
All clients and devices connect through the _VB_INTERNAL_NIC_ and reach the Internet via the Domain Controller and its _INTERNET_ NIC. The _VB_INTERNAL_NIC_ has no default gateway, and because the server itself acts as the DNS server, its IP is also the DNS server IP.
IP settings and network configuration:
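The adapter renaming and static addressing above can also be done from an elevated PowerShell prompt on the server. The following is an added example, not the author's configuration: it assumes the internal subnet is 172.16.0.0/24 with the DC at 172.16.0.1, and that the adapter still holding an APIPA (169.254.x.x) address is the internal one. Check Get-NetAdapter first and adjust the values if your lab differs.

```powershell
# Added example (not the author's script): rename the two adapters and give the
# internal NIC its static address, mirroring the Network Connections steps above.
# Assumptions: internal subnet 172.16.0.0/24, DC internal IP 172.16.0.1, and the
# adapter that still holds an APIPA (169.254.x.x) address is the internal one.
$dcInternalIp = '172.16.0.1'
$prefixLength = 24

$internalNic = $null
$internetNic = $null
foreach ($nic in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
    $addr = Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 |
            Select-Object -First 1 -ExpandProperty IPAddress
    if ($addr -like '169.254.*') { $internalNic = $nic } else { $internetNic = $nic }
}
if (-not $internalNic -or -not $internetNic) {
    throw 'Expected one APIPA (internal) adapter and one DHCP (NAT) adapter'
}

Rename-NetAdapter -Name $internetNic.Name -NewName '_INTERNET_'
Rename-NetAdapter -Name $internalNic.Name -NewName '_VB_INTERNAL_NIC_'

# Static address, deliberately without -DefaultGateway: the internal NIC must
# never become the server's route to the Internet.
Set-NetIPInterface -InterfaceAlias '_VB_INTERNAL_NIC_' -Dhcp Disabled
New-NetIPAddress   -InterfaceAlias '_VB_INTERNAL_NIC_' -IPAddress $dcInternalIp -PrefixLength $prefixLength

# The DC will run DNS for the domain, so the internal NIC points at itself.
Set-DnsClientServerAddress -InterfaceAlias '_VB_INTERNAL_NIC_' -ServerAddresses $dcInternalIp

# Check: only the _INTERNET_ adapter should report a default gateway.
Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer
```

The final Get-NetIPConfiguration line is the check worth keeping: if _VB_INTERNAL_NIC_ ever shows a default gateway, Windows may prefer it over the NAT adapter and the server loses Internet access.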
After the NICs have been named and IP addresses assigned, rename the server by right clicking the Start Menu and selecting System, then click Rename this PC, enter new name, restart later, and do an unplanned restart.
After changing the name of the server, install a few different roles and features, starting with Active Directory Domain Services (AD DS), a database of information about users, computers, and other devices on the network. AD DS also provides Group Policy and single sign-on (SSO), but this example uses it for storing and managing users:
Following the installation, post-deployment configuration of AD DS involves promoting the server to a domain controller:
Add a new forest and name the Domain:
Set DSRM Password:
Install AD DS once the Install button becomes active:
The server restarts automatically after the installation and now the login has changed to the name of the domain:
Domain Name\Username
Access Active Directory Users and Computers by selecting {Start > Windows Administration Tools > Active Directory Users and Computers}.
Once in Active Directory Users and Computers {right-click the directory (in my case nf-homelab.com) and select New > Organizational Unit} to add a new folder (New Object).
Name the new object _ADMINS_.
Right-click _ADMINS_ and select {New > User}, entering your name, logon name, and password in the next window.
Make the account an admin {Right-Click > Properties > Member of > Add > Enter: Domain Admins > Check Names > OK}:
Now the account is an Admin account after hitting OK or Apply:
Log off the general Administrator account and sign in to the newly created named admin account:
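The AD DS installation, forest promotion, and admin account creation above can be scripted in two phases around the reboot. This is an added example, not the author's steps: the NetBIOS name NF-HOMELAB, the logon name labadmin, and the display name Lab Admin are assumptions; the domain name nf-homelab.com is the one used in this guide.

```powershell
# Added example (not the author's steps). Phase 1 runs as the local Administrator
# before the reboot that Install-ADDSForest triggers; phase 2 runs after it.
# Assumptions: NetBIOS name NF-HOMELAB, admin logon name labadmin.

# --- Phase 1: install the role and promote the server to the first DC of a new forest ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Directory Services Restore Mode) password'
Install-ADDSForest -DomainName 'nf-homelab.com' -DomainNetbiosName 'NF-HOMELAB' `
    -SafeModeAdministratorPassword $dsrm -InstallDns -Force
# The server reboots here; log back in as NF-HOMELAB\Administrator.

# --- Phase 2: _ADMINS_ OU plus a named account in Domain Admins ---
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$ouDn     = "OU=_ADMINS_,$domainDn"
New-ADOrganizationalUnit -Name '_ADMINS_' -Path $domainDn

$sam = 'labadmin'                       # assumed logon name
$pw  = Read-Host -AsSecureString -Prompt "Password for $sam"
New-ADUser -Name 'Lab Admin' -GivenName 'Lab' -Surname 'Admin' -DisplayName 'Lab Admin' `
    -SamAccountName $sam -UserPrincipalName "$sam@$($domain.DNSRoot)" -Path $ouDn `
    -AccountPassword $pw -Enabled $true
Add-ADGroupMember -Identity 'Domain Admins' -Members $sam

# Checks: the DC is up with DNS and a global catalog, and the account is in Domain Admins
Get-ADDomainController | Select-Object HostName, Domain, IsGlobalCatalog
Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name
```

Using a named account for daily administration, as the guide does, keeps the built-in Administrator out of routine logons, so the security log attributes changes to a person rather than to a shared account.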
Add RAS/NAT, which allows this server to act as an intermediary between the Internet and the private network, effectively turning it into a router for the private network. The RAS/NAT feature extends the server's capabilities beyond domain control: all internal and external communication passes through this one controlled path.
Within {Server Manager select Add roles and features > Checkbox Remote Access}:
Select Routing in Role Services. DirectAccess and VPN (RAS) is checked automatically when Routing is selected:
Hit next until the install button activates and install it.
After Remote Access installs, within Server Manager go to {Tools > Routing and Remote Access}. {Right-click the server node and select Configure and Enable Routing and Remote Access}:
Select Network Address Translation (NAT), which translates the clients' private IPs to a routable public IP:
Select the internet NIC:
Now that the server is configured to perform NAT, the next step is to establish a Dynamic Host Configuration Protocol (DHCP) server. This DHCP server automates the assignment of IP addresses within a specified range:
Within {Server Manager select Add roles and features > Check: DHCP Server}:
Once the Install button is activated click install.
After installation, go to {Tools > DHCP} within Server Manager to set up our IP scope:
{Right-Click IPv4 and select New Scope…}:
Name the scope (I’m naming it after the IP range) and plug in the desired IP range:
Say Yes to configuring DHCP options for this scope now:
Add the Domain Controller's IP address to establish it as the default gateway (router):
On the Domain Name and DNS Servers page, enter the domain name and use the same Domain Controller IP for the DNS server:
{Right-Click server and select Authorize}:
Right-click the server again and select Refresh so that everything shows green:
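The RAS/NAT and DHCP steps above, done from PowerShell on the Domain Controller. This is an added example and not the author's configuration; it assumes adapters named _INTERNET_ and _VB_INTERNAL_NIC_, the DC internal IP 172.16.0.1/24, a lease pool of 172.16.0.100 to 172.16.0.200, and the domain nf-homelab.com. The netsh lines mirror what the Routing and Remote Access wizard configures when NAT is chosen.

```powershell
# Added example (not the author's steps): RAS/NAT and DHCP from PowerShell.
# Assumptions: adapters _INTERNET_ / _VB_INTERNAL_NIC_, DC at 172.16.0.1/24,
# pool 172.16.0.100-172.16.0.200, domain nf-homelab.com (from Get-ADDomain).
$dcIp     = '172.16.0.1'
$scopeId  = '172.16.0.0'
$mask     = '255.255.255.0'
$poolFrom = '172.16.0.100'
$poolTo   = '172.16.0.200'
$domain   = (Get-ADDomain).DNSRoot
$dcFqdn   = "$env:COMPUTERNAME.$domain"

# --- RAS/NAT: the Internet-facing adapter translates, the internal one is private ---
Install-WindowsFeature -Name RemoteAccess, Routing -IncludeManagementTools
Install-RemoteAccess -VpnType RoutingOnly
netsh routing ip nat install
netsh routing ip nat add interface name="_INTERNET_" mode=full
netsh routing ip nat add interface name="_VB_INTERNAL_NIC_" mode=private

# --- DHCP: one scope, router and DNS options pointing at the DC, then authorize ---
Install-WindowsFeature -Name DHCP -IncludeManagementTools
Add-DhcpServerv4Scope -Name "$poolFrom-$poolTo" -StartRange $poolFrom -EndRange $poolTo `
    -SubnetMask $mask -State Active
Set-DhcpServerv4OptionValue -ScopeId $scopeId -Router $dcIp -DnsServer $dcIp -DnsDomain $domain
# Authorization in AD is what the "Authorize" right-click does; an unauthorized
# DHCP server in a domain refuses to hand out leases.
Add-DhcpServerInDC -DnsName $dcFqdn -IPAddress $dcIp
Restart-Service DHCPServer

# Checks: scope active, server listed as authorized, and (once CLIENT-1 joins)
# its lease appears in the scope.
Get-DhcpServerv4Scope | Select-Object ScopeId, Name, State
Get-DhcpServerInDC
Get-DhcpServerv4Lease -ScopeId $scopeId
```

Keeping the pool (172.16.0.100 to 172.16.0.200) well away from the DC's own address leaves room for other static infrastructure addresses without lease collisions.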
The Active Directory is now fully established, and the next step is to populate it with user accounts. To streamline this, a PowerShell script generates around 1000 new sample users. For ease of management, these users all share the same password, 'HomeLabUserPassword2022'. Usernames are generated from a list of names stored in a text file, and the accounts are placed in the '_USERS_' Organizational Unit:
Before executing the script, the execution policy must be changed to 'Unrestricted'. This step bypasses a built-in security policy; in normal operation, circumventing it is not recommended, but for a straightforward home lab it is a practical way to get the script running:
Run the script by pressing the play button in the Windows PowerShell Integrated Scripting Environment (ISE). Any errors are due to duplicate usernames derived from duplicate first and last names found in names.txt.
After the script has run, go to Active Directory Users and Computers, open the newly created _USERS_ organizational unit, and see the list of users:
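The guide's own create-users script is not reproduced on this page, so the following is an added example of the same procedure, not the author's script. It assumes names.txt holds one "First Last" per line at C:\Lab\names.txt, and that logon names are the first initial plus the last name (so a constructed entry "Richard Roe" becomes rroe). It also handles the failure mode mentioned above: duplicate names in the file collapse to the same logon name, and the script skips those instead of letting New-ADUser throw.

```powershell
# Added example (not the author's script): bulk-create lab users from names.txt.
# Assumptions: C:\Lab\names.txt, one "First Last" per line; logon name = first
# initial + last name; all accounts share the password from the guide.
Import-Module ActiveDirectory

$namesFile = 'C:\Lab\names.txt'
$ouName    = '_USERS_'
$password  = ConvertTo-SecureString 'HomeLabUserPassword2022' -AsPlainText -Force

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$ouDn     = "OU=$ouName,$domainDn"

# Create the OU once; re-running the script must not fail here.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

$created = 0
$skipped = 0
foreach ($line in Get-Content $namesFile) {
    $parts = $line.Trim() -split '\s+'
    if ($parts.Count -lt 2) { continue }           # blank or single-token lines
    $first = $parts[0]
    $last  = $parts[-1]

    # sAMAccountName: letters and digits only, at most 20 characters
    $sam = (($first.Substring(0, 1) + $last) -replace '[^A-Za-z0-9]', '').ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    # Duplicate first+last names in names.txt map to the same logon name; skip them
    # rather than let New-ADUser throw (the errors the tutorial mentions).
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { $skipped++; continue }

    New-ADUser -Name "$first $last" -GivenName $first -Surname $last `
        -DisplayName "$first $last" -SamAccountName $sam `
        -UserPrincipalName "$sam@$($domain.DNSRoot)" -Path $ouDn `
        -AccountPassword $password -Enabled $true
    $created++
}

"Created $created users, skipped $skipped duplicates"
# Check: the OU should now hold roughly the number of distinct names in the file
(Get-ADUser -Filter * -SearchBase $ouDn | Measure-Object).Count
```

On the execution policy point above: running Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process relaxes the policy only for the current PowerShell session, so the machine-wide setting is back to its default as soon as the ISE is closed.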
At this stage, the setup of a straightforward home lab domain is nearly complete. The next step is to create a Windows 10 client PC within VirtualBox and join it to the domain. Once the client is connected, return to the Domain Controller to observe and assess the effects of this integration on the domain:
Installation of the Windows 10 OS is basically the same process as installing Windows Server 2022.
Select new and check the Skip Unattended Installation box:
After configuration (giving the client RAM, CPU cores, and hard disk space), open the settings:
Go to the Network Tab. Select Internal Network:
After selecting the network, installation can begin. Remember to keep the Windows Server running in the background, as it hosts the domain we will eventually join:
It is very important to install Windows 10 Pro, because Windows 10 Home cannot join a domain:
After installing Windows 10 Pro, log in and check the IP address, subnet mask, and default gateway of the client with ipconfig in the command prompt:
Everything is working: the DHCP server has issued an IP within the defined range, the correct subnet mask, and the correct default gateway (the Domain Controller's internal IP):
Pinging Google to see if the client has connectivity:
CLIENT-1 has a connection to the Internet:
Ping the Domain Controller (nf-homelab.com):
The connection from the client to the DC is confirmed by pinging the DC from the client:
After the connection to the Windows Server is confirmed, rename the client PC by going to {Settings > About > Rename this PC (advanced) > Change button}:
Enter the appropriate information and press OK:
A window pops up asking for authorization. Enter either of the admin accounts (the built-in Administrator or the domain admin created earlier):
After a moment, the client becomes a member of the domain, and a prompt to restart for the changes to take effect is displayed:
Go to the {Domain Controller > Server Manager > Tools > DHCP} to view the newly leased Client IP Address for CLIENT-1:
Go to {Start > Administrative Tools > Active Directory Users and Computers} to view the newly created CLIENT-1 in Computers Organizational Unit:
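The client-side checks and domain join above, from an elevated PowerShell on CLIENT-1. This is an added example, not the author's steps; it assumes the domain nf-homelab.com and the DC internal IP 172.16.0.1. Beyond the ping tests in the guide, it verifies the two things a join actually depends on, that the client's DNS server is the DC and that the domain's LDAP SRV record resolves, before attempting Add-Computer.

```powershell
# Added example (not the author's steps): pre-join checks and the domain join for
# CLIENT-1. Assumptions: domain nf-homelab.com, DC internal IP 172.16.0.1.
$domain = 'nf-homelab.com'
$dcIp   = '172.16.0.1'

# 1. The lease must come from the DC's scope and DNS must point at the DC.
$cfg = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | Select-Object -First 1
"Address $($cfg.IPv4Address.IPAddress)  gateway $($cfg.IPv4DefaultGateway.NextHop)  DNS $($cfg.DNSServer.ServerAddresses -join ',')"
if ($cfg.DNSServer.ServerAddresses -notcontains $dcIp) {
    throw 'DNS server is not the Domain Controller; the join would fail to locate a DC'
}

# 2. A successful domain join locates a DC through this SRV record, so resolving
#    it from the client is the real test that DNS is wired correctly.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV | Select-Object Name, NameTarget, Port
Test-NetConnection -ComputerName $dcIp -Port 389 | Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 3. Join and rename in one step, authenticating with an account allowed to join
#    computers (the domain admin created in _ADMINS_ qualifies). Reboots on success.
$cred = Get-Credential -Message "Domain account for joining $domain"
Add-Computer -DomainName $domain -NewName 'CLIENT-1' -Credential $cred -Restart
```

After the reboot, (Get-CimInstance Win32_ComputerSystem).PartOfDomain and Test-ComputerSecureChannel confirm on CLIENT-1 that the machine account exists and its secure channel to the DC works; on the Domain Controller, Get-ADComputer -Identity CLIENT-1 and Get-DhcpServerv4Lease -ScopeId 172.16.0.0 show the same computer object and lease that the guide views through the GUI.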
To test the domain further, log in to CLIENT-1 with Richard's user account using the default password (HomeLabUserPassword2022) set by the create-users PowerShell script: