Home Lab Network Topology

w/ Active Directory

Requirements:
Oracle VirtualBox: https://www.virtualbox.org/wiki/Downloads
Server 2019 ISO: https://www.microsoft.com/en-us/evalcenter/download-windows-server-2019
Windows 10 ISO: https://www.microsoft.com/en-us/software-download/windows10

Objective:

This home lab will create an Active Directory environment simulating an organization with over
1,000 users. This setup allows you to:

● Experiment with configurations and settings risk-free, avoiding disruptions to production systems.
● Build valuable IT skills, enhancing your proficiency and confidence.
● Transfer successful configurations to your workplace environment if authorized.
Download Oracle VirtualBox:
Navigate to the listed URL and pick the package for your host operating system (Windows, macOS or Linux).

Download Server 2019 ISO:
Navigate to the listed URL. Pick the download that works best for you (the ISO). Make sure you remember the
location it is downloaded to.

Download Windows 10 ISO:
Run the downloaded Media Creation Tool and, when asked which media to use, choose "ISO file".
Save it to a location you can easily find through File Explorer.
Voilà, there is the ISO file you will use later to install Windows 10 on the client VM.
Creating the DC virtual machine with these settings:
Name: DC (Domain Controller)
Version: Other Windows (64-bit)
Base Memory: 2048 MB
Shared Clipboard: Bidirectional
Drag'n Drop: Host To Guest
Here is a security lesson for those who choose the convenience of bidirectional drag and drop:

Security Concerns of Bidirectional Drag and Drop in a Virtual Machine

Enabling bidirectional drag and drop between your host machine and a virtual machine (VM) can be
convenient, but it also poses several security risks:

1. Malware Transmission:
○ Files transferred between the host and VM can carry malware, potentially infecting both
systems.
2. Data Leakage:
○ Sensitive data from the host could be unintentionally moved to the VM, which is usually less protected and less monitored than the host.
3. Isolation Breach:
○ The feature punches a hole in the boundary between host and VM, so a problem on one side is no longer contained to that side.
4. Unauthorized Access:
○ A compromised VM could use the guest-to-host direction to drop files onto the host, or read whatever the host user drags or pastes into it.

Mitigation Strategies:

● Disable bidirectional drag and drop unless necessary.
● Use one-way transfer (host to VM or VM to host) to reduce risk. Host to guest, as chosen above, keeps a compromised guest from pushing files to the host.
● Apply the same rule to the shared clipboard: it is a second channel across the same boundary.
● Regularly scan both host and VM for malware.
● Limit file transfers to only essential files.

By taking these precautions, you can maintain a secure and effective home lab environment.
Processor/CPU update
Using NAT so the domain controller can reach the internet through the host's connection and, from there, the ISP.

Adapter 1 (NAT) lets the VM reach the host's network and the internet; VirtualBox translates its traffic onto the
host's own connection. Adapter 2 is an Internal Network adapter: it is connected only to other VMs that use the
same internal network name, which is how the Domain Controller will communicate with the other internal VMs.
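The same VM, built from the host's PowerShell with VBoxManage instead of the GUI. This is an added example, not part of the original tutorial; it assumes VirtualBox 6.1 or later installed at the default Windows path, the Server 2019 ISO at C:\ISO\server2019.iso and an internal network named "intnet" (none of which the page specifies). It keeps the settings listed above but tightens the shared clipboard to the same one-way setting as drag and drop.

```powershell
# Added example, not from the original tutorial: create the DC VM from the host's PowerShell with
# VBoxManage instead of the GUI, using the settings listed above but with the clipboard kept one-way too.
# Assumptions (not on the page): VirtualBox 6.1 or later at the default Windows install path,
# the Server 2019 ISO at C:\ISO\server2019.iso, and the internal network named "intnet".
$vbm  = "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe"
$vm   = "DC"
$disk = "$env:USERPROFILE\VirtualBox VMs\$vm\$vm.vdi"
$iso  = "C:\ISO\server2019.iso"

# Register the VM. Windows2019_64 is the matching OS type; the GUI walkthrough above picked
# "Other Windows (64-bit)", which also works but gives VirtualBox fewer hints about the guest.
& $vbm createvm --name $vm --ostype Windows2019_64 --register

# Memory and CPUs, then the two adapters: NIC 1 is NAT (internet through the host),
# NIC 2 is the internal network that the DC will share with CLIENT1 and CLIENT2.
& $vbm modifyvm $vm --memory 2048 --cpus 2 --nic1 nat --nic2 intnet --intnet2 "intnet"

# Drag and drop one-way (host to guest) as in the GUI settings above. The GUI walkthrough left the
# clipboard bidirectional; it is set to host-to-guest here because a compromised guest can otherwise
# read anything the host user copies. "disabled" for both is the safest setting; "bidirectional" is
# the convenience the security lesson above warns about.
& $vbm modifyvm $vm --clipboard-mode hosttoguest --draganddrop hosttoguest

# A 50 GB dynamically allocated disk on a SATA controller, plus the installer ISO as a DVD on port 1.
& $vbm createmedium disk --filename $disk --size 51200
& $vbm storagectl $vm --name "SATA" --add sata --controller IntelAhci
& $vbm storageattach $vm --storagectl "SATA" --port 0 --device 0 --type hdd --medium $disk
& $vbm storageattach $vm --storagectl "SATA" --port 1 --device 0 --type dvddrive --medium $iso

# Check the settings that matter for isolation before the first boot
& $vbm showvminfo $vm --machinereadable | Select-String -Pattern '^(clipboard|draganddrop|nic1|nic2|intnet2)='

& $vbm startvm $vm
```

The showvminfo check should print clipboard="hosttoguest", draganddrop="hosttoguest", nic1="nat", nic2="intnet" and intnet2="intnet"; if you later flip either channel to bidirectional for convenience, this is the one-liner to run before reusing the VM for anything untrusted.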
Boot the VM from the Server 2019 ISO downloaded from the link above.
This may take a while; it is normal.
It will restart by itself.

To minimize the burden of memorizing multiple passwords, all passwords in this lab are standardized as "Password1."
Only do this in a lab, never in a production or personal environment.
Run the installation by selecting "Next," "Continue," and "Install" as prompted until the process completes.
Select the option to restart when prompted; a reboot is sometimes necessary. This allows you to resize the VM
window and manage everything more efficiently.
Here we are working with the network interfaces of the domain controller. Identify the internal
NIC and the external NIC and rename them so they are not confused later.

How NAT works in Oracle VirtualBox

In Oracle VirtualBox, the NAT (Network Address Translation) network type uses a built-in DHCP server and a
default gateway at `10.0.2.2`. The VM is normally handed `10.0.2.15`, with `10.0.2.2` as its gateway and
`10.0.2.3` as a DNS proxy; this is how a VM on NAT reaches the host machine and other networks.

Traffic the VM sends to that gateway is translated by VirtualBox and leaves through the host machine's own
network connection, so the VM can reach the internet without any configuration on our part. The reverse is not
true: nothing outside the host can initiate a connection to the VM unless you add a port-forwarding rule, which is
why the NAT adapter is an acceptable "outside" interface for a lab DC. This is the adapter that shows a 10.0.2.x
address.

The INTERNAL network adapter, by contrast, has an Autoconfiguration IPv4 Address of 169.254.147.72, which
indicates that it did not receive an IP address from a DHCP server (there is none on the internal network yet).
Instead, it has assigned itself an Automatic Private IP Addressing (APIPA) address. APIPA addresses are in the
range 169.254.0.0/16 and are used when a device cannot obtain an IP address from a DHCP server. This is the
adapter that needs a static address next.

Now we will assign the static IP address for the internal network based on the topology.
Setting the DNS server for the internal NIC (the DC points at itself, since it will host DNS).
Now installing Active Directory Domain Services, to create a domain.

Installing the AD DS role alone does not add DNS. When you then promote the server to a domain controller with
the AD DS Configuration Wizard in Server Manager, the DNS Server role is installed automatically if it is not
already present, because DNS is a critical component for AD DS functionality (clients find domain controllers
through DNS SRV records).
"Password1" is also used here as the Directory Services Restore Mode (DSRM) password the wizard asks for.
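The NIC identification, renaming, static addressing and promotion steps above, done from an elevated PowerShell prompt on the DC. This is an added example rather than the tutorial's own commands; the internal subnet 172.16.0.0/24 with the DC at 172.16.0.1, the NIC names INTERNET and INTERNAL, and the NetBIOS name MYDOMAIN are assumptions (the page gives only the domain name mydomain.com, used later on).

```powershell
# Added example (not from the original tutorial): identify the two NICs by their current address,
# rename them, give the internal NIC its static address, then install AD DS and promote the server.
# Assumptions not stated on the page: internal subnet 172.16.0.0/24 with the DC at 172.16.0.1,
# domain name mydomain.com (used later in the tutorial), NetBIOS name MYDOMAIN.

# The NAT adapter got 10.0.2.x from VirtualBox's DHCP; the internal one fell back to APIPA (169.254.x.x)
$cfg      = Get-NetIPConfiguration
$external = ($cfg | Where-Object { $_.IPv4Address.IPAddress -like "10.0.2.*" }).InterfaceAlias
$internal = ($cfg | Where-Object { $_.IPv4Address.IPAddress -like "169.254.*" }).InterfaceAlias

Rename-NetAdapter -Name $external -NewName "INTERNET"
Rename-NetAdapter -Name $internal -NewName "INTERNAL"

# Static address for the internal NIC; no default gateway here, the NAT NIC already has one
New-NetIPAddress -InterfaceAlias "INTERNAL" -IPAddress 172.16.0.1 -PrefixLength 24
# The DC will run DNS, so it points at itself
Set-DnsClientServerAddress -InterfaceAlias "INTERNAL" -ServerAddresses 127.0.0.1

# Install AD DS (plus management tools) and create the forest; DNS is installed as part of promotion
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$dsrm = ConvertTo-SecureString "Password1" -AsPlainText -Force   # lab only, as noted above
Install-ADDSForest -DomainName "mydomain.com" -DomainNetbiosName "MYDOMAIN" `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force
# The server reboots on its own when promotion finishes.

# After the reboot: confirm the DNS role is present and the domain exists
Get-WindowsFeature DNS, AD-Domain-Services | Select-Object Name, InstallState
Get-ADDomain | Select-Object DNSRoot, DistinguishedName, PDCEmulator
```

The address-based lookup is the reliable way to tell the adapters apart: VirtualBox names both "Ethernet" something, but only the NAT side ever holds a 10.0.2.x lease.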
Now we will create a dedicated admin account instead of using the built-in Administrator.
The "User logon name" can be anything; choose it based on your preferred naming convention.

ONLY for lab purposes, I will select a “password never expires”. We can come back later when dealing with
password policies
The account was created, but it still needs to be made an admin account.
You can see it now resolves as a member of Domain Admins.

In Active Directory, there are several built-in administrative groups that are recognized by default across domains.
These groups have predefined administrative privileges and are crucial for managing various aspects of the Active
Directory environment.

“Domain Admins” - Members of this group have full administrative control over the domain. They can perform all
administrative tasks within the domain, including managing domain controllers, creating and managing users and
groups, modifying group policies, etc.
Now you are good to go. You can sign out and sign back in with the new admin account.
Now installing Routing and Remote Access, which will provide Network Address Translation for the internal network.
Now we will configure Network Address Translation for the internal network.
If you are not able to select the top radio button (NAT), cancel out and try again.

It should look like this.


This part of configuring the Domain Controller (DC) with RRAS (Routing and Remote Access Service) is to
enable NAT (Network Address Translation) for your internal network. This configuration allows devices on your
internal network, such as the Windows 10 VM that will be created soon, to access the internet through the DC.

Now we will set up DHCP. This will allow client computers to get an IP address and connect to the
internet even though they are on a private/internal network. Installing DHCP on the server.
You can see DNS is already installed, because it was added when the server was promoted. DNS is an essential part of AD DS.
DHCP installation is complete; now we will configure it.
Creating a scope for the DHCP leases.
Setting the default gateway option for the scope to the internal NIC of the DC.
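The RRAS NAT and DHCP steps above as one PowerShell sequence on the DC. This is an added example, not the tutorial's wizard output; it assumes the NIC names INTERNET (VirtualBox NAT side) and INTERNAL (172.16.0.1/24), a lease range of 172.16.0.100-200 and the domain mydomain.com, none of which the page states. The netsh routing context only exists once the Routing role service is installed.

```powershell
# Added example (not from the original tutorial): the RRAS NAT and DHCP steps above, done from an
# elevated PowerShell prompt on the DC. Assumed names/addresses (not given on the page): external NIC
# "INTERNET" (VirtualBox NAT), internal NIC "INTERNAL" at 172.16.0.1/24, DHCP scope 172.16.0.100-200,
# domain mydomain.com.

# 1. Remote Access with the Routing role service, plus the DHCP server role
Install-WindowsFeature RemoteAccess, Routing, DHCP -IncludeManagementTools

# 2. Enable RRAS for LAN routing, then NAT: the external interface is the public side,
#    the internal interface is the private side (this is what the wizard's NAT option does)
Install-RemoteAccess -VpnType RoutingOnly
netsh routing ip nat install
netsh routing ip nat add interface "INTERNET" mode=full
netsh routing ip nat add interface "INTERNAL" mode=private

# 3. Authorize the DHCP server in AD; on a domain member the service will not hand out
#    leases until it is authorized, which is the rogue-DHCP protection AD provides
Add-DhcpServerInDC -DnsName "dc.mydomain.com" -IPAddress 172.16.0.1
# Tell Server Manager the post-install configuration is done so its warning flag clears
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12" -Name ConfigurationState -Value 2

# 4. The scope for the internal network, with the DC as both default gateway and DNS server
Add-DhcpServerv4Scope -Name "Internal lab scope" -StartRange 172.16.0.100 -EndRange 172.16.0.200 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active
Set-DhcpServerv4OptionValue -ScopeId 172.16.0.0 -Router 172.16.0.1 -DnsServer 172.16.0.1 -DnsDomain "mydomain.com"

# 5. Checks: NAT interfaces as RRAS sees them, and the leases handed out so far
netsh routing ip nat show interface
Get-DhcpServerv4Lease -ScopeId 172.16.0.0 | Select-Object IPAddress, HostName, ClientId, LeaseExpiryTime
```

The scope options are the part worth double-checking: if the router option points anywhere but the DC's internal address, clients will get a lease and still have no path to the internet, and if the DNS option points at 10.0.2.3 or a public resolver instead of the DC, domain joins fail because the client cannot find the domain's SRV records.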
Now we will allow the server to browse the internet by turning off IE Enhanced Security Configuration. This is NOT
recommended in a production environment. I am turning it off so I can download the list of names to add to the
domain; I will turn it back on for later experiments.
Now we will use PowerShell to run the script that creates the users in Active Directory.
Allowing the PowerShell script to run: the default execution policy blocks scripts downloaded from the internet, so
the policy is relaxed for this lab session. Do not leave it that way on a real server.
# Define the default password for the users (lab only; see the note above)
$PASSWORD_FOR_USERS = "Password1"

# Read the list of user names, one "First Last" per line, from names.txt in the current directory
$USER_FIRST_LAST_LIST = Get-Content .\names.txt

# Convert the plain-text password to a secure string, which is what New-ADUser expects
$password = ConvertTo-SecureString $PASSWORD_FOR_USERS -AsPlainText -Force

# Load the AD cmdlets (installed with the AD DS management tools) and find the domain's
# distinguished name, e.g. DC=mydomain,DC=com
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# Create a new Organizational Unit (OU) named '_USERS' at the domain root and leave it
# unprotected from accidental deletion so the lab can be torn down easily
New-ADOrganizationalUnit -Name "_USERS" -Path $domainDN -ProtectedFromAccidentalDeletion $false

# Loop through each name in the list of user names
foreach ($n in $USER_FIRST_LAST_LIST) {
    # Extract the first and last names and convert them to lowercase
    $first = $n.Split(" ")[0].ToLower()
    $last  = $n.Split(" ")[1].ToLower()
    # Username = first initial + last name (e.g. "jsmith"); it also becomes the display name,
    # the object name and the employee ID
    $username = "$($first.Substring(0,1))$($last)".ToLower()
    # Show which user is being created
    Write-Host "Creating user: $($username)" -BackgroundColor Black -ForegroundColor Cyan

    # Create the Active Directory user in the new OU, enabled, with the shared lab password.
    # PasswordNeverExpires is a lab-only setting; see the password policy note above.
    New-ADUser -AccountPassword $password `
        -GivenName $first `
        -Surname $last `
        -DisplayName $username `
        -Name $username `
        -EmployeeID $username `
        -PasswordNeverExpires $true `
        -Path "OU=_USERS,$domainDN" `
        -Enabled $true
}

This is the script, with each step explained in comments. Two things to keep in mind when running it against a long name list: a name with a middle name will be split wrongly, and two people who share a first initial and surname map to the same username, so the second New-ADUser call for that name fails.
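A check to run after the script, added here and not part of the original: it counts what landed in the OU, finds the username collisions the first-initial-plus-surname scheme produces, and, when you are ready to move on to password policy, reverts the lab-only "password never expires" flag. It assumes the _USERS OU and names.txt from the steps above.

```powershell
# Added example (not part of the original script): verify what the script created and, when you are
# ready for password policy, drop the lab-only "password never expires" flag.
# Assumes the _USERS OU and names.txt from the steps above.
Import-Module ActiveDirectory
$ou = "OU=_USERS,$((Get-ADDomain).DistinguishedName)"

# How many accounts landed in the OU, and how many still carry the flag?
$all   = Get-ADUser -Filter * -SearchBase $ou -Properties PasswordNeverExpires
$never = $all | Where-Object { $_.PasswordNeverExpires }
"{0} users in {1}, {2} with PasswordNeverExpires" -f $all.Count, $ou, $never.Count

# Rebuild the usernames the script would have derived from names.txt
$expected = Get-Content .\names.txt | ForEach-Object {
    $p = $_.ToLower().Split(" ")
    "$($p[0].Substring(0,1))$($p[1])"
}

# Collisions: the same username derived from two different names (only the first one was created)
$expected | Group-Object | Where-Object { $_.Count -gt 1 } | Select-Object Name, Count

# Anything else that is expected but absent (a failed New-ADUser for some other reason)
$expected | Sort-Object -Unique | Where-Object { $_ -notin $all.SamAccountName }

# Revert to normal behaviour: the password expires per the domain policy and must be changed at next logon
$never | Set-ADUser -PasswordNeverExpires $false -ChangePasswordAtLogon $true
```

The last line is the one to run before handing any of these accounts to someone else for an exercise; with ChangePasswordAtLogon set, "Password1" stops being a valid long-term credential the moment the account is first used.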


Now we will create a client computer that will connect to the internet through the domain controller.

Creating CLIENT1
Base Memory: 4095 MB
The domain controller functions as the default gateway for the client computer. It forwards the client's packets out of
its NAT adapter to VirtualBox's NAT gateway (10.0.2.2), which hands them to the host's network connection and on to
the ISP's default gateway. From there, the packets traverse various hops and routers until they reach the Google server.
This part also adds the computer to the domain. The computer becomes a member of "mydomain.com".
On the DC, you can verify that CLIENT1 has been assigned an IP address by the DHCP server.
Here you can see the lease and its expiration date.

In Active Directory Users and Computers, you can verify that CLIENT1 has indeed been added to the Computers
container and is now a member of the domain. Now you can use the CLIENT1 computer to sign in
using one of the accounts created by the PowerShell script earlier.
This setup now simulates a corporate environment. A newly onboarded employee can be granted credentials and
can use a domain-joined computer such as CLIENT1. By default a domain user can sign in to any workstation joined
to the same domain, until Group Policy or logon rights restrict that.

You can follow the same process to add CLIENT2. Once both clients are added, you can experiment with various
configurations and settings to gain a deeper understanding of how Active Directory domain controllers operate. This
hands-on experience will help you learn more about user management, group policies, and other essential aspects
of Active Directory administration.
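The client-side join and the verification from both sides, as an added example rather than the tutorial's own steps. It works for CLIENT1 and CLIENT2 alike by changing the name. Assumptions not on the page: the DC's internal address 172.16.0.1, a DHCP scope 172.16.0.0, and a dedicated admin account named a-jdoe (the tutorial only says the admin account name is your choice).

```powershell
# Added example (not from the original tutorial): join a client to the domain from the client's own
# elevated PowerShell, then verify from both sides. Assumed, not stated on the page: DC internal address
# 172.16.0.1, DHCP scope 172.16.0.0, dedicated admin account a-jdoe, domain mydomain.com.

# --- On the client ---
# 1. Confirm the lease came from the DC and that the DC is both gateway and DNS server
Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer
Resolve-DnsName mydomain.com -Type A      # must answer from the DC's DNS, or the join will fail

# 2. Join, renaming the machine in the same step; use the dedicated admin account created earlier,
#    not the built-in Administrator
$cred = Get-Credential -UserName "MYDOMAIN\a-jdoe" -Message "Domain admin account for the join"
Add-Computer -DomainName "mydomain.com" -NewName "CLIENT1" -Credential $cred -Restart

# 3. After the reboot, sign in as any script-created user (MYDOMAIN\jsmith) and check:
Test-ComputerSecureChannel -Verbose       # True: the machine account's secret is in sync with the DC
# Path out: the first hop should be the DC's internal address; hops beyond VirtualBox's NAT
# engine (10.0.2.2) may show as * because the NAT does not relay TTL-exceeded replies
Test-NetConnection -ComputerName 8.8.8.8 -TraceRoute

# --- On the DC ---
# The lease the DHCP server handed out, and the computer object the join created
Get-DhcpServerv4Lease -ScopeId 172.16.0.0 | Where-Object HostName -like "CLIENT*"
Get-ADComputer -Filter 'Name -like "CLIENT*"' -Properties OperatingSystem, LastLogonDate |
    Select-Object Name, DNSHostName, OperatingSystem, LastLogonDate
```

If Test-ComputerSecureChannel returns False after snapshots or clones have been rolled back, the client's machine account password has diverged from the DC's copy; Test-ComputerSecureChannel -Repair -Credential $cred resets it without a rejoin.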
