June 13, 2026
Active Directory Lab
Karimsaminur
I created an Active Directory lab on my Windows Server 2022 and Windows 11 VMs. Here are all the steps and settings I used to configure my domain controller and my hosts. I tackled user configuration, GPOs, OUs, permissions, password resets, network configuration, PowerShell scripting and more. Overall, it was a great learning experience, and I will continue to advance this home lab by configuring more IAM tools in the future.
Creating the lab environment:
I started by downloading the Windows Server 2022 and Windows 11 ISOs from the Microsoft Evaluation Center, which provides full-featured evaluation versions of Microsoft products.
Created the Windows Server 2022 VM with the boot ISO:
- Emulate Windows machine
- Default machine: Intel ICH9 based PC (2009, x86_64)
- 6144 MB RAM
- Default CPU cores
- Storage: 64 GB
- Network: Shared Network (virtio-net-pci)
Created the Windows 11 Enterprise VM with the boot ISO:
- Virtualize Windows machine
- 4096 MB RAM
- 4 CPU cores
- Storage: 64 GB
- Network: Host Only (virtio-net-pci)
Server install and desktop setup:
- Standard Evaluation, Desktop Experience (with GUI)
- Custom installation to Drive 0 Unallocated Space
- Created the admin username and password
- Used the UTM guest-tools/spice-tools wizard and fixed the resolution and other issues
- Renamed the system to BigDC and rebooted
Windows 11 desktop setup:
- Windows 11 Enterprise
- Installation to Drive 0 Unallocated Space
- Created a username and password for login
- Used the UTM guest-tools/spice-tools wizard and fixed the resolution and other issues
- Renamed the PC to "desktop PC" and rebooted
After setting up basic device configurations, I went to my server and began configuring it as a domain controller.
First I went to Server Manager > Manage > Add Roles and Features. In the installation wizard, I chose Role-based or feature-based installation.
For server selection, I chose BigDC, and for server roles I added Active Directory Domain Services, DHCP Server and DNS Server.
I allowed the server to restart if necessary and began the install. I then promoted the server to a domain controller and restarted it.
When I returned, I went back to the wizard and added Active Directory Certificate Services as well, with all default settings. I named the new domain LAB.local.
ATTACHING WINDOWS 11 VM TO DOMAIN CONTROLLER (DC)
In order to join the Windows 11 host to the server's domain, I had to make sure both VMs could ping each other, so I assigned static IP addresses to both Ethernet adapters.
I right-clicked the network icon > Open Network Settings > Ethernet > Change adapter options > Adapter > Internet Protocol Version 4 (TCP/IPv4) > Use the following IP address, and set a subnet scheme.
I struggled with this part: when I opened the Windows 11 host's adapter options, nothing appeared. I changed the adapter from e1000 to virtio-net-pci and the network mode from "Shared Network" to "Host only". This ensured that the hosts only talk to each other and can connect via the static IP addresses.
For DNS, I set the server's preferred DNS server to the loopback address, and the host's preferred DNS server to the server's IP address.
I was still only receiving replies from the server and not from the host PC. I was stuck, so I researched common issues online and found that Windows Firewall wasn't permitting the inbound traffic.
I opened PowerShell and, from my previous experience, created a firewall rule that allowed ICMPv4 packets inbound and outbound. This fixed the connectivity issue: the server and the host now received ping replies from each other.
Here is the command: netsh advfirewall firewall add rule name="Allow ICMPv4" protocol=icmpv4:8,any dir=in action=allow
I then went to Settings > Accounts > Access work or school > Add a work or school account > Join this device to a local Active Directory domain. I entered the domain name LAB.local that I gave to the DC, entered my username and password from the DC, and restarted the PC when prompted.
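The same client-side network setup, done from an elevated PowerShell on the Windows 11 host, as an added example (not part of the original post). It assumes the adapter alias is "Ethernet", the host takes 192.168.64.20/24 and the DC is BigDC at 192.168.64.10 (the address given later in the post). Unlike the netsh rule above, the firewall rule here is scoped to the local subnet rather than "any" remote address, and the block finishes with the two checks that matter before a domain join: that the DC's name resolves and that the DC is reachable.

```powershell
# Added example, not from the post. Run as Administrator on the Windows 11 host.
$Adapter = "Ethernet"          # assumed adapter alias; check with Get-NetAdapter
$HostIP  = "192.168.64.20"     # assumed host address
$DcIP    = "192.168.64.10"     # DC address from the post
$Prefix  = 24

# Start clean: drop any existing IPv4 address and default route on the adapter.
Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $Adapter -DestinationPrefix "0.0.0.0/0" `
    -Confirm:$false -ErrorAction SilentlyContinue

# Static address. A host-only lab network has no gateway, so none is set.
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $HostIP -PrefixLength $Prefix | Out-Null

# The domain join locates the DC through DNS, so the DC must be the preferred DNS server.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DcIP

# Allow ICMPv4 echo requests (type 8) inbound, but only from the lab subnet.
New-NetFirewallRule -DisplayName "Allow ICMPv4 Echo (lab subnet)" `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress LocalSubnet -Action Allow -Profile Domain,Private | Out-Null

# Pre-join checks: the DC's A record via the DC itself, then reachability.
Resolve-DnsName -Name "BigDC.LAB.local" -Server $DcIP -Type A
Test-NetConnection -ComputerName $DcIP -InformationLevel Detailed
```

If Resolve-DnsName fails here, the join will fail with a "domain could not be contacted" error regardless of whether ping works, so it is worth checking DNS separately from ICMP.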
CREATING DOMAIN USERS
I went to Tools > Active Directory Users and Computers, right-clicked LAB.local > New > Organizational Unit, and named it Groups.
Here, I looked at my Administrator account and which groups it was a member of. This allowed me to control what my users can access and do on the host device.
I then went to Users and dragged everything out except Administrator and Guest. I created 4 users with simple logins and passwords, and set "Password never expires" on all accounts for a future ticket I wanted to handle with my Peppermint ticketing system.
DHCP CONFIGURATION
In Server Manager, I navigated to Tools > DHCP > expanded the server > IPv4 > right-clicked the server > Authorize. Here I created a scope for the DHCP pool with 50 usable IP addresses, served by the server.
To confirm DNS was active, I ran nslookup with my server's name. In Server Manager, I went to Tools > DNS > Forward Lookup Zones > LAB.local and confirmed that there was a BigDC record mapped to 192.168.64.10.
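The DHCP authorization, scope and DNS check from the two steps above, scripted on the DC as an added example (not the post's own commands). The post gives the DC as BigDC at 192.168.64.10 and a pool of 50 addresses; the 192.168.64.0/24 subnet and the 192.168.64.100-149 range are assumptions. The scope options hand clients the DC as their DNS server, which is what lets a DHCP client find the domain at all.

```powershell
# Added example, not from the post. Run on the DC as a domain administrator.
Import-Module DhcpServer, DnsServer

$DcName = "BigDC"
$DcIP   = "192.168.64.10"
$Domain = "LAB.local"

# A DHCP server must be authorized in AD before it will lease addresses.
Add-DhcpServerInDC -DnsName "$DcName.$Domain" -IPAddress $DcIP

# Pool of 50 usable addresses (assumed range) on the assumed 192.168.64.0/24 subnet.
Add-DhcpServerv4Scope -Name "Lab clients" `
    -StartRange "192.168.64.100" -EndRange "192.168.64.149" `
    -SubnetMask "255.255.255.0" `
    -LeaseDuration (New-TimeSpan -Days 8) -State Active

# Scope options: clients use the DC for DNS and get the domain suffix.
# No router option is set because the host-only lab network has no gateway.
Set-DhcpServerv4OptionValue -ScopeId "192.168.64.0" -DnsServer $DcIP -DnsDomain $Domain

# Verify the scope and the DC's A record in the forward lookup zone.
Get-DhcpServerv4Scope | Format-Table ScopeId, StartRange, EndRange, State

$record = Get-DnsServerResourceRecord -ZoneName $Domain -Name $DcName -RRType A
$actual = $record.RecordData.IPv4Address.IPAddressToString
if ($actual -ne $DcIP) {
    throw "DNS A record for $DcName points at $actual, expected $DcIP"
}
Resolve-DnsName -Name "$DcName.$Domain" -Server $DcIP -Type A
```

Get-DhcpServerv4Lease -ScopeId 192.168.64.0 afterwards shows which clients actually took an address from the pool.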
GROUP POLICY OBJECTS (GPO)
To simulate a real-world IT environment, I created group policy objects (GPOs). Following the process for creating organizational units (OUs), I created 3 departments: Engineering, Management and IT, and dragged 5 users into the OUs.
- Engineering: Test Users 3 and 4
- Management: Test Users 1 and 2
- IT: Administrator
Within the IT department I created an Admin department OU to handle administrator work. This replicates real-world scenarios where there may be multiple teams within one department.
After that, I created a new group called EngineeringSHARE within the Engineering OU and added three members: Users 1, 3 and 4. I then created a shared folder for the group members.
I went to Server Manager > File and Storage Services > Shares > Tasks > New Share. I created a share called EngineeringSHARE and kept the default settings until the permissions page appeared, where I clicked Disable inheritance and chose to convert the inherited permissions into explicit permissions.
I removed the permissions for the specific users and added the EngineeringSHARE group I had created. After creating the share, I went to my Windows 11 host.
I logged in as a user who was not in the EngineeringSHARE group to see whether access was denied. This replicates permissions in an AD environment, where not everyone should be able to access specific folders.
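The share and its permissions, built on the DC with PowerShell as an added example (not the post's own steps). It assumes the folder lives at C:\Shares\EngineeringSHARE and that the domain's NetBIOS name is LAB. It does the same thing the wizard did (disable inheritance, convert the inherited entries to explicit ones, remove them, grant the group) and then reads back both the share-level and the NTFS-level ACLs, which is the check that tells you whether a user outside the group is really denied.

```powershell
# Added example, not from the post. Run on the DC as a domain administrator.
$Path  = "C:\Shares\EngineeringSHARE"   # assumed folder path
$Group = "LAB\EngineeringSHARE"         # assumed NetBIOS domain name

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# NTFS layer. SetAccessRuleProtection($true, $true) disables inheritance and copies the
# inherited entries as explicit ones, the same as "convert inherited permissions" in the wizard.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $acl

# Re-read, then drop everything except SYSTEM and Administrators (this removes the
# broad "Users" entry that the inherited ACL carried), and grant the group Modify.
$acl = Get-Acl -Path $Path
foreach ($ace in @($acl.Access)) {
    if ($ace.IdentityReference.Value -notin "NT AUTHORITY\SYSTEM", "BUILTIN\Administrators") {
        $acl.RemoveAccessRule($ace) | Out-Null
    }
}
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, "Modify", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# SMB layer. Only the group is granted at the share; "Everyone" is never added, so a user
# outside the group is refused at the share before NTFS is even consulted.
if (-not (Get-SmbShare -Name "EngineeringSHARE" -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name "EngineeringSHARE" -Path $Path -ChangeAccess $Group | Out-Null
}

# Verify both layers.
Get-SmbShareAccess -Name "EngineeringSHARE"
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited, AccessControlType
```

Effective access is the more restrictive of the two layers, so when the post's test user is denied, either list will show why.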
I took GPOs further by setting a default wallpaper for the Engineering department. I made an engineering wallpaper in Paint and gave the Engineering department access to it.
I went to Server Manager > File and Storage Services > Shares > NETLOGON > Open Share and copied the wallpaper onto NETLOGON. I then copied the path to the file by right-clicking the wallpaper.
Then I went to Server Manager > Tools > Group Policy Management > Forest: LAB.local > Engineering, right-clicked and chose Create a GPO in this domain, and Link it here. I named it SetEngineeringWallpaper, then right-clicked it and chose Edit.
I went to User Configuration > Policies > Administrative Templates > Desktop > Desktop > Desktop Wallpaper. I enabled the setting, pasted the copied path into Wallpaper Name and clicked OK. I logged in as a user in the OU and confirmed that the wallpaper was applied.
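The same GPO created, linked and populated with the GroupPolicy module, as an added example (not the post's own steps). The "Desktop Wallpaper" administrative template writes two values under the HKCU policies key, so the script sets those directly; that the Engineering OU sits directly under the domain and that the file is \\BigDC\NETLOGON\engineering.jpg are assumptions.

```powershell
# Added example, not from the post. Run on the DC as a domain administrator.
Import-Module GroupPolicy, ActiveDirectory

$GpoName   = "SetEngineeringWallpaper"
$TargetOU  = "OU=Engineering,$((Get-ADDomain).DistinguishedName)"   # assumed OU location
$Wallpaper = "\\BigDC\NETLOGON\engineering.jpg"                      # assumed file name

# Create the GPO once; re-running the script just updates it.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment "Engineering department wallpaper"
}

# Link it to the OU if it is not already linked there.
$links = (Get-GPInheritance -Target $TargetOU).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# User Configuration > Policies > Administrative Templates > Desktop > Desktop > Desktop Wallpaper
# is stored as these two values. WallpaperStyle "2" is Stretch (0 Center, 6 Fit, 10 Fill).
$Key = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName "Wallpaper" `
    -Type String -Value $Wallpaper | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName "WallpaperStyle" `
    -Type String -Value "2" | Out-Null

# Read the policy back; on a client, "gpupdate /force" followed by a logoff applies it.
Get-GPRegistryValue -Name $GpoName -Key $Key |
    Select-Object ValueName, Value, Type
```

NETLOGON works as the file location because every domain member can read it; a wallpaper path on a share that the user cannot read silently falls back to a blank desktop.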
POWERSHELL SCRIPTING FOR AD
PowerShell is important for configuration, automating tasks and system administration within Windows. Here are a few of the cmdlets I looked into for AD.
After doing some basic PowerShell scripting, I wanted to create an automation task for an administrator, so I wrote a script for automating new user accounts.
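An added example of such a user-provisioning script (not the post's own script, which is not reproduced on the page). It builds the OU layout from the GPO section, creates the four test users from a constructed list placed in the OUs the post describes, and fills the EngineeringSHARE group. The user names and sAMAccountNames (tuser1..tuser4) are assumptions. One deliberate difference from the post: instead of "password never expires", each account gets a random one-time password and must change it at first logon.

```powershell
# Added example, not from the post. Run on the DC as a domain administrator.
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName    # DC=LAB,DC=local
$Upn      = (Get-ADDomain).DNSRoot              # LAB.local

function New-RandomPassword([int]$Length = 16) {
    # One-time password from a cryptographic RNG; ambiguous characters (0/O, 1/l) omitted.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# OU layout from the post: Groups, Engineering, Management, IT, with Admin under IT.
foreach ($ou in "Groups", "Engineering", "Management", "IT") {
    if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ou)" -SearchBase $DomainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ou -Path $DomainDN
    }
}
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=Admin)" -SearchBase "OU=IT,$DomainDN" -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name "Admin" -Path "OU=IT,$DomainDN"
}

# Constructed user list; in a real run this would come from Import-Csv.
$users = @(
    [pscustomobject]@{ Sam = "tuser1"; Given = "Test"; Surname = "User 1"; OU = "Management"  }
    [pscustomobject]@{ Sam = "tuser2"; Given = "Test"; Surname = "User 2"; OU = "Management"  }
    [pscustomobject]@{ Sam = "tuser3"; Given = "Test"; Surname = "User 3"; OU = "Engineering" }
    [pscustomobject]@{ Sam = "tuser4"; Given = "Test"; Surname = "User 4"; OU = "Engineering" }
)

$created = foreach ($u in $users) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.Sam)'") { continue }   # idempotent re-runs
    $initial = New-RandomPassword
    New-ADUser -Name "$($u.Given) $($u.Surname)" -GivenName $u.Given -Surname $u.Surname `
        -SamAccountName $u.Sam -UserPrincipalName "$($u.Sam)@$Upn" `
        -Path "OU=$($u.OU),$DomainDN" `
        -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
        -Enabled $true -ChangePasswordAtLogon $true
    [pscustomobject]@{ User = $u.Sam; OU = $u.OU; InitialPassword = $initial }
}

# The post keeps the built-in Administrator in the IT OU.
$admin = Get-ADUser -Identity "Administrator"
if ($admin.DistinguishedName -notlike "*,OU=IT,$DomainDN") {
    Move-ADObject -Identity $admin.DistinguishedName -TargetPath "OU=IT,$DomainDN"
}

# EngineeringSHARE group with Users 1, 3 and 4, as in the post.
if (-not (Get-ADGroup -Filter "Name -eq 'EngineeringSHARE'")) {
    New-ADGroup -Name "EngineeringSHARE" -GroupScope Global -GroupCategory Security `
        -Path "OU=Engineering,$DomainDN"
}
Add-ADGroupMember -Identity "EngineeringSHARE" -Members "tuser1", "tuser3", "tuser4"

$created | Format-Table            # hand the one-time passwords over out of band
Get-ADGroupMember -Identity "EngineeringSHARE" | Select-Object SamAccountName
```

The script can be re-run safely: existing OUs, users and the group are detected and skipped, which matters once the user list starts coming from a ticketing system rather than a hand-written array.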
PASSWORD RESET GP
I wanted to replicate a password reset, as that is a key task in IAM/IT work. I went to Server Manager > Tools > Group Policy Management, right-clicked LAB.local > Create a GPO in this domain, and Link it here…, and named it AccountLockoutPolicy.
I right-clicked it, chose Edit, and went to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy, then double-clicked Account lockout threshold. I ticked Define this policy setting and set it to 3 invalid logon attempts.
Suggested value changes appeared; I set Account lockout duration to 0 minutes and Reset account lockout counter after to 60 minutes. A lockout duration of 0 means the account stays locked until an administrator explicitly unlocks it, so only the Administrator can unlock the account. I pressed OK and right-clicked AccountLockoutPolicy to enforce it.
To imitate a real-world IAM setting, I logged in to my Windows 11 host as Test User 1 and entered 3 wrong passwords to see if the GPO worked. This locked the Test User 1 account so that no further logon attempts were possible.
I navigated to Server Manager > Tools > Active Directory Users and Computers > Management > Find objects in Active Directory Domain Services. I searched for Test User 1 and changed the user's password. I unlocked the account and required the user to change the password at next logon.
I then logged in as Test User 1 and changed the password to confirm the GPO was enforced. It was successful.
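The lockout policy and the helpdesk-style unlock and reset from this section, scripted on the DC as an added example (not the post's own steps); the user name tuser1 is an assumption. Two things the GUI walkthrough does not show: the domain's effective lockout settings can be read back in one call, and every lockout is logged on the DC as Security event 4740 with the name of the computer the bad attempts came from, which is how an administrator tells a forgotten password from a password-guessing attempt. Note that the cmdlet writes the same domain attributes that a domain-linked GPO such as the post's AccountLockoutPolicy enforces; where that GPO exists, it remains the source of truth and will reassert its values at the next refresh.

```powershell
# Added example, not from the post. Run on the DC as a domain administrator.
Import-Module ActiveDirectory

$Domain = (Get-ADDomain).DNSRoot    # LAB.local

# The values the post set in the GPO: 3 attempts, 60-minute observation window,
# and a duration of 0, meaning locked until an administrator unlocks the account.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -LockoutThreshold 3 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 60) `
    -LockoutDuration (New-TimeSpan -Minutes 0)

Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Which accounts are currently locked out?
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut, LastLogonDate

function Reset-LockedUser {
    # Unlock, set a temporary password typed by the administrator, and force a change at next logon.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $temp = Read-Host -Prompt "Temporary password for $SamAccountName" -AsSecureString
    Unlock-ADAccount -Identity $SamAccountName
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $temp
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    Get-ADUser -Identity $SamAccountName -Properties LockedOut, PasswordLastSet, PasswordExpired |
        Select-Object SamAccountName, LockedOut, PasswordLastSet, PasswordExpired
}

Reset-LockedUser -SamAccountName "tuser1"     # assumed account name for Test User 1

# Lockouts in the last hour. For event 4740, Properties[0] is the locked account and
# Properties[1] is the caller computer name, i.e. where the failed attempts originated.
Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4740; StartTime = (Get-Date).AddHours(-1) } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $_.Properties[0].Value
            Caller  = $_.Properties[1].Value
        }
    } | Format-Table
```

The verification step from the post (log in as the user and be forced to change the password) still applies; the PasswordExpired property returned by the function should read True until that first logon completes.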