Build Your Lab: Medium Lab

Basic Windows enterprise Active Directory lab including a Windows Workstation and a Server.

This lab focuses on the basic principles of common Windows enterprise environments. It includes a Windows 2019 Server (domain controller) providing Active Directory domain services and a Windows 10 host.

DFIR investigations often take place within enterprise network environments, where many user activities such as authentication are managed and logged by domain controllers. Domain administrators typically manage the domain environment via Windows server management features and utilities such as Group Policy Objects, PowerShell, etc. Domain controllers are therefore powerful systems and often the ultimate target for attackers.

This lab will help you gain a better understanding of basic domain network features and simulate common user activities across a simple Windows domain.

Skills practice:

  • Data acquisition
  • Disk forensics
  • Memory forensics
  • Windows Domains
  • Active Directory

Systems:

  • 1 x Windows 10 VM
  • 1 x Windows Server 2019

Requirements:

  • 4-6 GB of memory

Overview

This lab builds on the Basic Lab setup by adding a Windows Server 2019 domain controller and joining the Windows 10 workstation to the domain.

Prerequisite: For an introduction to virtualization software, options and best practices, it’s highly recommended to read the Virtualization Primer.

Setup instructions

Download and install VirtualBox and a Windows 10 VM

  • Install VirtualBox and a Windows 10 VM as described in the Basic Lab section.
  • In VirtualBox, create a “NATNetwork”. This allows VM to VM communication as well as internet access via the host system.
    • In VirtualBox go to Settings -> Network and click the + sign to add a new “NATNetwork”.
    • Attach this network to the Windows 10 VM network interface and to all VMs going forward.

Install a Windows Server 2019 VM

This guide describes how to install Windows 2019 Server from an ISO. Alternatively, you can also download a VHD from the site below, attach it to a new VM and skip most of the installation.

  1. Download the Windows Server 2019 Essentials ISO from the Microsoft Evaluation center
  2. In VirtualBox create a new VM and select type Windows and version Windows 2019 (64-bit). Ensure the VM has at least 2 GB RAM assigned and create a virtual hard disk (preferably select dynamic and VMDK for hard disk file type, for compatibility with various forensic tools). Assign at least 30 GB for disk size.
  3. Before starting the VM, open its settings and in:
    • Storage – attach the downloaded Windows 2019 ISO to the VM’s optical drive.
    • Networking – attach “NATNetwork” to the networking adapter
  4. Start the VM and follow the Windows Server installation instructions:
    • When prompted for it, there is no need to provide a product key
    • Select “Custom” install since there is no pre-existing Windows installation
    • It will prompt you to create a password for the built-in administrator account
  5. After a reboot, you will be prompted with the login screen. In the VirtualBox menu select Input -> Keyboard -> Insert Ctrl+Alt+Del to enter your password
  6. If prompted after startup “allow your PC to be discoverable”, select yes.
  7. Recommended: Install VirtualBox Guest Additions as outlined in the Virtualization Primer. This will enable full-screen display and other features such as shared folders, copy & paste, etc.
  8. Important! If you want to change the hostname, now is the time. Do not change it after setting up the Active Directory services!
    • Go to Settings -> System -> scroll down to the menu “About”.
    • Find the button “Rename this PC” to update the hostname.
  9. Take a snapshot once the VM is set up and powered off.

Install Active Directory Services

In order to set up a domain environment, Active Directory services have to be installed on the Windows Server.

    • Open “Windows Server Manager” from the Start menu.
    • On the top right menu click on “Manage” and “Add roles and features”.
    • Hit next until you get to Server Roles. Select the checkbox for Active Directory Domain Services. From here you can click next to finish the installation.
    • After completing the Active Directory Services installation, click on “Promote this server to a Domain Controller”, which should appear as a new notification in the Server Manager. You might need to click the refresh button if it’s not there yet.
    • This opens a new Deployment Configuration Window.
      • Select “Add a new forest” and choose the desired domain name for your lab, appended by the top level domain label .local. In our case, our domain name is “BCS.local”.
      • Next define a Directory Services Restore Mode (DSRM) password
      • Click next on the following windows until the prerequisite checks have passed and you are able to click Install.
    • After the install, the system will reboot automatically. The login prompt will now show your username in DOMAIN\Administrator format.
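
The same role installation and forest promotion can be scripted. The following is an added example, not part of the original guide; it assumes an elevated PowerShell session on the server, the guide's domain name BCS.local, and a NetBIOS name of BCS chosen here for illustration.

```powershell
# Added example: run in an elevated PowerShell session on the Windows Server 2019 VM.
$domainName  = 'BCS.local'   # the lab domain used in this guide
$netbiosName = 'BCS'         # assumption: short name derived from the domain name

# DomainRole 4 or 5 means this host is already a domain controller; stop rather than re-promote.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) { throw "$env:COMPUTERNAME is already a domain controller." }

# The hostname must be final before promotion (step 8 of the server install).
Write-Host "Promoting host '$env:COMPUTERNAME'. Press Ctrl+C now if it still needs renaming."
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode (DSRM) password'

# Equivalent of "Add roles and features" -> Active Directory Domain Services
$feature = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $feature.Success) { throw 'AD DS role installation failed.' }

# Equivalent of "Promote this server to a Domain Controller" -> "Add a new forest".
# DNS is installed on the DC because the workstation later uses it as its DNS server.
Import-Module ADDSDeployment
Install-ADDSForest -DomainName $domainName `
                   -DomainNetbiosName $netbiosName `
                   -InstallDns `
                   -SafeModeAdministratorPassword $dsrm `
                   -Force   # suppress confirmation prompts; the server reboots when done
```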

Create domain users and administrators

Initially, there is one admin account called “Administrator” in the domain. Now we need to add additional users for this domain.

  • In the Server Manager, click Tools in the top right corner -> Active Directory Users and Computers.
  • In the new window click on your domain (BCS.local in our case), which opens your domain’s Organizational Units (OUs), such as Users.
  • Open the Users folder. The folder contains various security groups and one active user, which is “Administrator”.
  • Create at least one or two more new users e.g. “Alice” (repeat this step for each user):
    • Right click on Users -> New -> User
    • Define first and last name. Use the first name as the user name
    • Click next to define a password. Important: For test systems check the box for “Password never expires”. Confirm if you are prompted with an alert.
  • Assign a user to domain administrators (optional if you have multiple users)
    • Double click the user in the list
    • Select the tab “Member Of” and click “Add”
    • Type “Domain Admins” in the object names field and click “Check Names”. This should make the text appear underlined.
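
For repeatable lab rebuilds, the user creation and group assignment can be scripted on the domain controller. This is an added example, not part of the original guide; the surname "Example", the second user Bob, and the choice of Alice as the domain administrator are assumptions made for illustration.

```powershell
# Added example: run on the domain controller after the post-promotion reboot.
Import-Module ActiveDirectory

$domain = Get-ADDomain   # BCS.local in this guide

# Constructed sample users; Admin = $true mirrors the optional "Domain Admins" step.
$labUsers = @(
    @{ First = 'Alice'; Last = 'Example'; Admin = $true  },
    @{ First = 'Bob';   Last = 'Example'; Admin = $false }
)

$password = Read-Host -AsSecureString -Prompt 'Initial password for the lab users'

foreach ($u in $labUsers) {
    $sam = $u.First   # the guide uses the first name as the user name

    # Skip users that already exist so the script can be re-run after a snapshot revert.
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        New-ADUser -Name "$($u.First) $($u.Last)" `
                   -GivenName $u.First -Surname $u.Last `
                   -SamAccountName $sam `
                   -UserPrincipalName "$sam@$($domain.DNSRoot)" `
                   -Path $domain.UsersContainer `
                   -AccountPassword $password `
                   -PasswordNeverExpires $true `
                   -Enabled $true
    }

    # Add-ADGroupMember errors on existing members, so check membership first.
    if ($u.Admin) {
        $members = Get-ADGroupMember -Identity 'Domain Admins' |
                   Select-Object -ExpandProperty SamAccountName
        if ($members -notcontains $sam) {
            Add-ADGroupMember -Identity 'Domain Admins' -Members $sam
        }
    }
}

# Review who holds domain admin rights in the lab.
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object Name, SamAccountName
```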

Add the Windows 10 workstation to the domain

  • Update the workstation’s computer name and avoid duplicate computer names in the domain. To do so open System settings -> change settings.
  • Ensure your workstation is able to ping the Domain Controller IP
  • Add the Domain Controller IP as the workstation’s preferred DNS server
    • In the task bar on the right bottom corner, right click the ethernet adapter and click “Open Network & Internet settings”
    • Select “Change adapter options”
    • Right click on the adapter in the next window and select “Properties”
    • In the properties window select Internet Protocol Version 4 (TCP/IPv4) and click on “Properties”
    • Enable “Use the following DNS server address” and enter the Domain Controller’s IP
    • Click OK and close out all windows
  • Join the domain
    • Open Windows settings -> Account -> “Access work or school”
    • Click the [+] Connect button
    • On the bottom of the new window click “Join this device to a local Active Directory domain”
    • In the new window enter your domain name. In our case this is “BCS.local”
    • This should open a security prompt to enter your domain admin credentials
      • If not, double check your network settings to ensure the workstation can reach the domain controller. Verify that the domain controller’s IP is in the workstation’s DNS settings.
    • Enter the desired domain user (Alice, Bob, etc) for this workstation. Allow “Administrator” privileges for this workstation. Next reboot.
    • Upon reboot, the login window will show the user name in the format of DOMAIN\user
    • To validate, go into your domain controller’s Server Manager dashboard -> Tools -> Active Directory Users and Computers
      • Open your domain (BCS.local in our case) -> Computers, which should show the new workstation that just joined the domain.
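
The connectivity check, DNS change and domain join can also be done from PowerShell, which surfaces the usual failure (the workstation cannot resolve the domain) before the join is attempted. This is an added example, not part of the original guide; the IP address is a placeholder for your domain controller's address, and picking the first connected adapter is an assumption that fits a single-NIC lab VM.

```powershell
# Added example: run in an elevated PowerShell session on the Windows 10 workstation.
$dcIp       = '10.0.2.15'   # PLACEHOLDER: replace with your domain controller's IP
$domainName = 'BCS.local'   # the lab domain used in this guide

# 1. The workstation must be able to reach the domain controller.
if (-not (Test-Connection -ComputerName $dcIp -Count 2 -Quiet)) {
    throw "Cannot ping $dcIp. Check that both VMs are attached to the same NATNetwork."
}

# 2. Use the domain controller as the preferred DNS server.
$adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceAlias $adapter.Name -ServerAddresses $dcIp
Clear-DnsClientCache

# 3. A domain join locates the DC through DNS SRV records. If this lookup fails,
#    the join will fail too, so stop here with a clear message.
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domainName" -Type SRV -ErrorAction Stop
    Write-Host "Domain controller found via DNS: $($srv | Where-Object Type -eq 'SRV' |
        Select-Object -First 1 -ExpandProperty NameTarget)"
} catch {
    throw "No SRV record for $domainName. Verify the DNS setting points at $dcIp."
}

# 4. Join the domain with domain admin credentials and reboot.
$cred = Get-Credential -Credential 'BCS\Administrator'
Add-Computer -DomainName $domainName -Credential $cred -Restart

# 5. After the reboot, validate on the domain controller:
#    Get-ADComputer -Filter * -SearchBase (Get-ADDomain).ComputersContainer |
#        Select-Object Name, DNSHostName
```

The script does not grant a domain user local administrator rights on the workstation; that step from the GUI procedure still has to be done separately.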

Finish the setup

  • Once the VMs are set up, power them down and take snapshots. That way you can always revert back and start with a fresh environment.