On-prem Active Directory

Photo by Vladislav Bychkov on Unsplash

Microsoft Active Directory is a very popular platform to manage user authentication and authorization for organizations.

I personally use on-prem AD (Active Directory) to do security research without having to use cloud-based solutions. This gives me the control I want to have, and the peace of mind related to cost control in my haxor lab. Forgetting to shut down a VM instance can be a costly affair if you're not careful on cloud platforms such as AWS and Azure.

In this rather lengthy guide, I will take you through the entire process of setting up two VMs (Virtual Machines) running Windows Server 2022 to create a brand new AD domain on a virtual network in VMware Workstation 16 Pro.

Create VM

Initial Virtual Machine configuration

Add a VM to VMware Workstation with a 60GB disk and make sure you have at least 4GB of RAM allocated to the VM. If you have given the VM too little memory, setup will fail with the misleading warning "Windows cannot find the Microsoft Software License Terms. Make sure the installation sources are valid and restart the installation".

OS installation

Installing Windows Server 2022 on a VM

Installing Windows Server 2022 on a VM is pretty straightforward. Browse to Microsoft.com and download the evaluation ISO image. After the image is successfully downloaded, verify the download: only if the hash of the file matches the one Microsoft publishes on the download page should you attach it to the optical drive of your VM and boot the VM. A tampered or truncated installer is the one thing you cannot fix afterwards with Windows Update.
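The hash check described above as an added PowerShell example (not part of the original post). The ISO path and the expected hash are placeholders: substitute the location you downloaded to and the SHA-256 value shown on Microsoft's download page.

```powershell
# Added example: verify the downloaded ISO against the hash Microsoft publishes.
# Both values below are assumptions; replace them with your own.
$IsoPath      = 'C:\ISO\SERVER_EVAL_x64FRE_en-us.iso'     # assumed download location
$ExpectedHash = '<SHA-256 value from the Microsoft download page>'

if (-not (Test-Path -LiteralPath $IsoPath)) {
    throw "ISO not found at $IsoPath"
}

# Get-FileHash streams the whole file, so a partial download is caught as a mismatch.
$actual = (Get-FileHash -LiteralPath $IsoPath -Algorithm SHA256).Hash

if ($actual -ieq $ExpectedHash) {
    Write-Host "OK: $IsoPath matches the published SHA-256 ($actual)"
} else {
    # Do not boot an image that fails this check; re-download it instead.
    Write-Error "MISMATCH: got $actual, expected $ExpectedHash"
}
```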

screenshot from the language selection for the installation

Language and keyboard layout selection

When the ISO has loaded, you will be prompted to select your desired operating system language and keyboard layout.

From the list of Windows Server variants, select the one labeled "Standard Evaluation (Desktop Experience)". The plain "Standard Evaluation" entry (without "Desktop Experience") installs Server Core, which has no graphical shell and is managed from the command line or remotely.

screenshot showing the selection of the windows server 2022 version to install

Windows Server 2022 version selector

The Server Core version runs fewer processes, which makes it perform a little better and, more importantly, gives it a smaller attack surface; for a production domain controller it is the recommended choice. But for a lab environment, I just care about testing stuff out, so I use the Desktop Experience to make the experimentation as simple and easy as possible.

If I want to work on my PowerShell skills I can simply SSH into the server, or open a PowerShell window and do it from there.

Once the desired version of Windows Server 2022 is selected you can click next, and accept the license terms before moving forward.

Since you are installing the OS on a brand new VM, select the second option, "Custom: Install Microsoft Server Operating System only (advanced)".

screenshot showing the selection of the type of installation to perform

Start a brand new installation

On the next and final screen before the installation actually begins you select the empty drive listed, and click next.

screenshot showing the drive to install windows server 2022 on

Select empty drive

Now you can sit back and watch the installation of Windows Server 2022 on your VM finish. After the installation sequence is finished you will be asked to create a password for the built-in Administrator account.

screenshot showing the creation of the Administrator password

Add a nice and secure password for your lab server.

Click "Finish" to complete the OS installation wizard.

Update

Before the Windows server can be used for anything it's a good idea to update it, to get all the latest fixes.

Open the start menu and type "update" on your keyboard. This will search for the shortcut to Windows Update.

screenshot showing the search for windows update in the start menu

Use the start menu to search for Windows Update

Once Windows update is open, you can click on the "Check for updates" button to update your Windows Server 2022 installation with all the newest patches and upgrades. Depending on how long since the release of your installed version of Windows Server 2022 the update process can take a very short time or a very long time.

Once the installation is completed you will be prompted with the option to restart the system now.

screenshot showing a completed OS update

Update completed

Click the "Restart now" button and let the system reboot. This reboot might take a while, so be patient.

VMware tools

Make the VM act like an app on your host

After the OS is fully updated, you can install "VMware Tools". These tools make it possible to freely resize the VM window and have the display make use of the available window space. You also get a shared clipboard, which makes it possible to copy/paste from your host computer into the guest OS and vice versa.

In VMware Workstation go to the toolbar, click on VM, then select "Install VMware Tools". This will insert a virtual disk into your VM's optical drive.

If the "Install VMware tools" button is grayed out you need to remove the floppy drive from the VM. Once that is removed the button will be available.

To remove the floppy drive you must first shut off the VM, then open the settings for the VM, select the floppy drive from the hardware list, and click on the "Remove" button below the list. You can then boot the VM, and have the "Install VMware tools" button available.

Once the VM recognizes that a disk has been inserted you can select to run the installer from the autorun option list that will pop up.

screenshot of the autorun prompt

Autorun prompt

Follow the wizard to perform a typical install. Once the installation is completed you need to restart the VM to load the installed drivers.

Clone VM

Preparing for redundant Domain Controllers

For my lab, I wanted to have redundant Domain Controllers to play with. That way I could have a lab network resembling a real-life Active Directory environment as closely as possible.

Since the installation process for Windows Server 2022 is a bit slow and tedious, it can be a good idea to have a clone of a clean Windows Server 2022 install lying around on your drive in case you want a fresh install ready for some experimentation. I will use the VM I just created for that purpose.

I start off by shutting my Windows Server 2022 VM off.

Then I make a clone of the VM by navigating to "VM" -> "manage" -> "Clone..."

screenshot of the menu item used to create a VM clone

Open the clone wizard

Follow the wizard, and make a clone of the current state of the VM, which is a full clone. Give the clone a name that makes it unique, and let the cloning process finish.

You now have an identical clone of the VM you just set up, right down to the machine SID and the other identifiers Windows expects to be unique. Microsoft does not support domain members that were cloned without being generalized, so before the clone is used we have to make the VM unique. This is easily done with the built-in Sysprep tool.

Sysprep lives in its own folder under System32. To run it, navigate to C:\Windows\System32\Sysprep and run sysprep.exe.

screenshot of the location of sysprep

Sysprep tool

In the System Preparation Tool dialog, set the System Cleanup Action to "Enter System Out-of-Box Experience (OOBE)", check the box titled "Generalize", and select "Shutdown" as the shutdown option.

Let the Sysprep tool work its magic, and wait for it to shut down the VM.

Sysprep will remove the machine-specific identifiers from the VM. After the identifiers are removed the VM will shut down. After the shutdown, you can make as many clones as you want of that "clean" VM. Note that every Generalize run consumes one activation rearm and an evaluation installation only has a limited number of them, so keep one generalized template and clone from it rather than re-running Sysprep on the same image over and over.

The first time a clean VM boots, it will generate its own unique identifiers to make it function on an Active Directory domain.

After the shutdown you can start the VM to make it run the initialization sequence and create its own unique identifiers. You will then need to select the language options and add a password for the built-in Administrator account, just like you did during the installation of Windows Server 2022 on the first VM.

After that short process, you now have two unique, fully updated, and ready Windows Server 2022 VMs ready to make an Active Directory domain.
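The generalize step and a way to confirm it actually worked, as an added PowerShell script that is not part of the original post. The script name Clone-Check.ps1 and the -Generalize switch are my own; run it without the switch on each clone after its first boot and compare the printed machine SIDs between DC1 and DC2.

```powershell
# Added example: save as Clone-Check.ps1 and run from an elevated PowerShell.
#   .\Clone-Check.ps1 -Generalize   on the template VM (same as the GUI dialog above)
#   .\Clone-Check.ps1               on each clone after first boot, to prove it is unique
param([switch]$Generalize)

# The built-in Administrator account always has the SID <machine SID>-500, so
# stripping that RID yields the machine SID that Sysprep /generalize regenerates.
function Get-MachineSid {
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    return $admin.SID.Value -replace '-500$', ''
}

# Each /generalize consumes one activation rearm; check before generalizing again.
function Get-RemainingRearms {
    return (Get-CimInstance -ClassName SoftwareLicensingService).RemainingWindowsReArmCount
}

if ($Generalize) {
    $left = Get-RemainingRearms
    if ($left -lt 1) {
        throw 'No activation rearms left; do not generalize this image again.'
    }
    Write-Host "Machine SID before generalize: $(Get-MachineSid) ($left rearm(s) remaining)"
    # Equivalent of the dialog: OOBE on next boot, Generalize checked, Shutdown afterwards.
    & "$env:SystemRoot\System32\Sysprep\sysprep.exe" /generalize /oobe /shutdown
} else {
    # If two clones print the same SID, Sysprep did not run on the template.
    '{0}: machine SID {1}, {2} rearm(s) remaining' -f $env:COMPUTERNAME, (Get-MachineSid), (Get-RemainingRearms)
}
```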

Naming the servers

Give the Servers a name that is easy to understand

Every host on the domain should have a unique hostname. This includes the servers we just created. The easiest way to give a Windows host a name is by opening File Explorer, right-clicking on "This PC" to bring up its context menu, and selecting "Properties" from the list.

screenshot of this pc contextual menu

The contextual menu for "This PC"

From this window, you can click the "Rename this PC" button to change the name of the host.

screenshot from the properties for the computer

Properties for this PC

screenshot from the change hostname prompt

Renaming the server

I gave the first server the name DC1 (Domain Controller 1) and the second server the name DC2. After the change has been processed you must restart the servers to apply it.

After the reboot, the Servers will have the new hostnames.

Static IP

The domain lives inside the 10.1.1.0/24 subnet on the virtual network connecting the VMs that make up the domain. This virtual network is NAT'ed to my host computer.

I turned off the built-in DHCP server that VMware provides for this network (in the Virtual Network Editor) because I want the Domain Controllers to act as the DHCP servers. By acting as DHCP servers, the Domain Controllers can easily manage which IP addresses are leased out on the network and provide the correct DNS server and other critical network information to make the domain function properly. Two DHCP servers handing out overlapping leases on the same segment is a reliable way to break a lab, so do not skip this step.

In this network the default gateway is 10.1.1.2, and I give every server a static IP in the range 10.1.1.10 to 10.1.1.19.

The Domain Controllers have the IP addresses 10.1.1.10 and 10.1.1.11.

I think the quickest way to access the NIC (Network Interface Card) settings in Windows is to right-click on the start menu, to open the contextual menu. From there you can select Network connections.

screenshot from the start menu contextual menu

Start menu shortcut to Network Connections

From there you can click on "Change adapter options" to get to a list of the VM's NICs.

screenshot from network connections

Network connections

From the list of NICs, you can right-click on the Ethernet adapter and open the properties for it.

screenshot from network interface adapter list

Open the NIC properties

Next, you must highlight "Internet Protocol Version 4 (TCP/IPv4)" and click on properties.

screenshot from NIC properties

Select the IPv4 settings for the NIC

Now you can finally set the static IP settings on the NIC. Since DC1 and DC2 will act as the DNS servers for the domain, set the preferred and alternate DNS server addresses to 10.1.1.10 and 10.1.1.11. Before DC1 is promoted no DNS server is listening on those addresses yet; that is expected, the promotion wizard installs it.

screenshot showing the static IP settings being set on the NIC

Set static IP on the NIC

Close the properties for the NIC and the settings will be applied.

When both DC1 and DC2 have a static IP you can proceed with the creation of an Active Directory Domain.
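The rename and static-IP steps from the two sections above as one added PowerShell script (not part of the original post). It assumes the VM has a single connected physical adapter on the 10.1.1.0/24 NAT network with gateway 10.1.1.2 and uses the addresses chosen above; the script name Set-LabDc.ps1 and its parameters are my own.

```powershell
# Added example: save as Set-LabDc.ps1 and run elevated on each server, e.g.
#   .\Set-LabDc.ps1 -NewName DC1 -IPAddress 10.1.1.10
#   .\Set-LabDc.ps1 -NewName DC2 -IPAddress 10.1.1.11
param(
    [Parameter(Mandatory)][string]$NewName,
    [Parameter(Mandatory)][string]$IPAddress,
    [string[]]$DnsServers  = @('10.1.1.10', '10.1.1.11'),   # the two DCs
    [string]  $Gateway     = '10.1.1.2',                     # VMware NAT gateway
    [int]     $PrefixLength = 24
)

# Assumption: one connected physical NIC (VMware names it Ethernet0).
$nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
if (-not $nic) { throw 'No connected physical network adapter found' }
$idx = $nic.ifIndex

# Drop the DHCP lease and any existing default route, otherwise New-NetIPAddress
# refuses to add a second default gateway.
Set-NetIPInterface -InterfaceIndex $idx -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $idx -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

New-NetIPAddress -InterfaceIndex $idx -IPAddress $IPAddress `
    -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $idx -ServerAddresses $DnsServers

# Sanity check before the reboot: the gateway should answer from the new address.
Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv4 | Select-Object IPAddress, PrefixLength
if (-not (Test-Connection -ComputerName $Gateway -Count 1 -Quiet)) {
    Write-Warning "Gateway $Gateway did not answer; check the VMware NAT network settings"
}

# The new hostname only takes effect after a restart.
Rename-Computer -NewName $NewName -Force -Restart
```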

New AD Domain

Create an Active Directory Domain

In our domain DC1 will be the first DC (Domain Controller), and as the first DC in the forest it will hold the FSMO (Flexible Single Master Operations) roles. Now that the hostname and a static IP are set on DC1 we can add the Active Directory Domain Services (AD DS) role to it.

Open Server Manager, and from the top-right menu, open "Manage", and select "Add Roles and Features".

screenshot from Server Manager

Add roles and features to server

This will open a wizard that will guide you through the process of setting up the new server role. Click next on the first screen, and select "Role-based or feature-based installation" before you continue.

On the next page, you have the option to make the installation on another server, but since you currently have no domain to manage just click next to continue.

From the list of roles to install, select "Active Directory Domain Services".

screenshot from the install roles and feature wizard

Install the AD Domain Service

Make sure that the box for "Include management tools (if applicable)" is checked, and click on the "Add Features" button to continue. This will close the pop-up and let you continue with the wizard.

On the next page, you will be given the option to install another feature on the server. Skip this by clicking "next".

The next page gives you general information about what Active Directory Domain Services is and notes that a DNS server role will be needed on this server (the promotion wizard installs it). Click next to continue.

Finally, you can start the installation of the AD DS role by clicking on the install button.

screenshot from the final page on the install server roles and features wizard

Install server role

After the installation is completed you can close the wizard. A reboot is not required after installing the role, but it does no harm. Server Manager now shows a notification (the flag icon in the top bar) offering to promote the server to a domain controller; click it to continue.

screenshot from Server Manager, where it prompts you to promote the server

Promote the server to Domain Controller

This will open a new wizard. Because we want to create a brand new forest and a new domain, select the "Add a new forest" radio button and enter the name of the root domain. I called my forest and domain "haxor.local".

screenshot from the domain controller setup wizard

Add your new forest

The ".local" TLD (Top Level Domain) is often used for LAN domains that are not meant to be reached from the internet; with it I don't have to worry about the DNS servers trying to resolve the domain to a host on the internet. Be aware, though, that ".local" is reserved for multicast DNS (RFC 6762), so macOS and Linux hosts running mDNS may fail to resolve names in the domain, and Microsoft's current guidance is to name a forest after a subdomain of a registered DNS name you control (for example ad.example.com) rather than an invented TLD. For a closed, Windows-only lab ".local" is fine.

On the next page, you set the forest and domain functional levels. These define which directory features are available and, in turn, the oldest version of Windows Server that can be a domain controller in the domain; a level can be raised later but never lowered. Windows Server 2022 introduces no new level, so the default, Windows Server 2016, is the highest available. In a lab environment, and for a brand new production environment, I would leave it at the default. The only reason to pick a lower level is to let domain controllers running an older version of Windows Server join the domain.

Make sure that the checkbox for "Domain Name System (DNS) server" capability is checked, then set a secure (long and complex) DSRM (Directory Services Restore Mode) password and click "Next" to continue. The DSRM password is the local Administrator password used to boot the DC into offline recovery mode; it gives full access to the directory database on that machine, so store it as carefully as the domain admin password.

screenshot from the domain controller setup wizard

Set the Directory Services Restore Mode password

The next pages cover the DNS options (a warning that no delegation for haxor.local can be created is expected, since there is no parent zone), the NetBIOS name (HAXOR by default), the paths for the database, log files and SYSVOL, a review page, and finally a prerequisites check. Just click next to accept the default settings until you get to the final page that prompts you to start the installation.

screenshot from the domain controller setup wizard

Start installation to complete the DC promotion

Once the installation is completed the server will automatically reboot. After the reboot is completed you have successfully completed the creation of the domain. 🎉

The built-in Administrator account on DC1 is now the domain's built-in Administrator, a member of Domain Admins, Enterprise Admins and Schema Admins. From now on you log in as HAXOR\Administrator to manage the domain. In anything beyond a throwaway lab you would create separate, less privileged accounts for day-to-day work and keep this one for recovery.

screenshot from login page after the server was promoted to a domain controller

Log in as the domain admin
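The role install and forest creation from this section, as an added PowerShell example that is not part of the original post. The domain name, NetBIOS name and functional level match the wizard choices above; the DSRM password is prompted for rather than written into the script.

```powershell
# Added example: run elevated on DC1. Equivalent to the Add Roles wizard plus the
# "Add a new forest" promotion wizard described above.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# DSRM password: the local admin credential for offline recovery of this DC.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# WinThreshold is the Windows Server 2016 functional level, the highest available
# on Server 2022 and the wizard's default. -Force skips the confirmation prompt;
# the server reboots on its own when promotion finishes.
Install-ADDSForest `
    -DomainName 'haxor.local' `
    -DomainNetbiosName 'HAXOR' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# ---- After the reboot, logged in as HAXOR\Administrator ----
# Confirm the forest and domain exist at the expected level and that DC1 holds
# all five FSMO roles, which the first DC in a new forest always does.
Get-ADForest | Select-Object RootDomain, ForestMode, SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADDomainController | Select-Object HostName, IPv4Address, IsGlobalCatalog, OperationMasterRoles
```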

Redundant DC

Adding a second Domain Controller to the domain

If DC1 shuts down, the entire domain stops functioning: nobody can authenticate and no DNS is served. Because of this, it's a good idea to add a second DC (Domain Controller) for redundancy. Active Directory is multi-master, so DC2 will be a full peer of DC1 rather than a passive backup; only the FSMO roles stay on DC1 unless you move them.

Add the AD DS server role just like we did on DC1. When the role is installed, you can complete the promotion of the server to a DC.

When you have opened the DC Promotion Wizard, you will now make DC2 an additional domain controller to an existing domain.

screenshot from the domain controller setup wizard

Add a domain controller to an existing domain

To authenticate, click on the "Select..." button and enter the credentials for the domain admin. On this domain that is HAXOR\Administrator and its password. Then continue the wizard.

When you get to the Additional Options page, select that the new DC should replicate from an existing DC; in this case that is DC1.haxor.local.

screenshot from the domain controller setup wizard

Replicate from dc1.haxor.local

Follow the rest of the wizard using default options, and start the installation. Once the installation is complete the server will reboot to apply the settings.

You now have a redundant Domain Controller for your domain. By adding the Domain Controller role to DC2 with the DNS option checked you also added a second DNS server to the domain; the AD-integrated zones replicate to it along with the rest of the directory.
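Promoting DC2 from PowerShell and, more usefully, checking afterwards that the two DCs really are peers and replicating, as an added example that is not part of the original post. It assumes the names and addresses used above (haxor.local, HAXOR\Administrator, DC1.haxor.local).

```powershell
# Added example: run elevated on DC2. Equivalent to the "Add a domain controller
# to an existing domain" wizard, replicating from DC1.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

$cred = Get-Credential -UserName 'HAXOR\Administrator' -Message 'Domain admin credentials'
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password for DC2' -AsSecureString

Install-ADDSDomainController `
    -DomainName 'haxor.local' `
    -Credential $cred `
    -ReplicationSourceDC 'DC1.haxor.local' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# ---- After the reboot, on either DC ----
# Both DCs should be listed; the FSMO roles stay with DC1 because those roles
# are single-master even though the directory data itself is multi-master.
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, IsGlobalCatalog, OperationMasterRoles

# Push a full sync, then summarize. A non-zero "Fails" column means DNS or
# connectivity between the DCs is broken and the second DC is not really redundant.
repadmin /syncall /AdeP
repadmin /replsummary
dcdiag /test:Replications /test:DNS /q     # /q prints only failures

# With two DCs, point each DC's DNS client at the other DC first and itself second,
# so a DC does not depend solely on its own DNS service while it is starting.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses | Select-Object InterfaceAlias, ServerAddresses
```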

DHCP

Hand out network information to the domain

To make every host on the network able to find the domain controllers and join the domain easily, and to take control of IP address leases, we configure a DHCP server on the Domain Controllers.

We start the configuration on DC1, which will be the main DHCP server on the domain's network. In Server Manager open "Add Roles and Features", click next until you get to the "Select server roles" page, and check "DHCP Server" in the list.

Screenshot from add server roles wizard

Add the DHCP server role to DC1

Add the feature, including the management tools. Click next until you come to the page where you can click on the install button.

After the installation is completed you can click on the "Complete DHCP configuration" link, to open the configuration wizard.

Screenshot from add server roles wizard

Start the DHCP configuration wizard after the installation

In this wizard, you will be taken through the process of creating the DHCP Administrators and DHCP Users security groups and authorizing the DHCP server in Active Directory. Authorization is not just a formality: a Windows DHCP server that is not authorized in AD shuts its service down, which protects you from an accidentally enabled Windows DHCP server on a domain member. It does nothing against a rogue non-Windows device handing out leases.

Once this basic configuration is completed you can finally configure the network information to be handed out on the network. In server manager, open "Tools", and select the DHCP option.

Screenshot from server manager

Open DHCP server manager

In the DHCP server manager, you can add a DHCP scope by right-clicking on the IPv4 section, and selecting "New scope..."

Screenshot from DHCP server manager

Add a new DHCP scope.

Give the scope a meaningful name, and add a range of IP addresses that the DHCP server will use to hand out IP addresses to clients that connect to it.

Screenshot from add DHCP server scope wizard

Add the IP address range you want to lease out.

Continue the wizard by adding any excluded addresses you might need. In my example, I avoided the need for exclusions by starting the range at 10.1.1.20, which keeps the 10.1.1.10 to 10.1.1.19 block I reserved for static server addresses out of the pool, as decided when designing the network addressing scheme.

Set the correct default gateway information, add the DNS server information, and finish the wizard by activating the scope.

Congratulations! You now have a working DHCP server on your domain, which autoconfigures connecting hosts and simplifies the process of adding them to the domain. 🎉
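The DHCP role, authorization, scope and options from this section as an added PowerShell example (not part of the original post), plus one hardening step the GUI wizard does not prompt for. The scope follows the addressing plan above; the account HAXOR\svc_dhcp_dns is an assumption, a dedicated low-privilege user you would create for DNS updates.

```powershell
# Added example: run elevated on DC1. Mirrors the role install, "Complete DHCP
# configuration" wizard and New Scope wizard described above.
Install-WindowsFeature -Name DHCP -IncludeManagementTools

# Authorize this server in AD. An unauthorized Windows DHCP server stops serving.
Add-DhcpServerInDC -DnsName 'DC1.haxor.local' -IPAddress 10.1.1.10

# Create the DHCP Administrators / DHCP Users groups the wizard creates, then clear
# the "configuration pending" flag that Server Manager shows for the DHCP role (ID 12).
netsh dhcp add securitygroups
Restart-Service -Name DHCPServer
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' -Name ConfigurationState -Value 2

# Lease pool starts at .20 so the .10-.19 block reserved for static servers stays out of it.
Add-DhcpServerv4Scope -Name 'haxor.local clients' `
    -StartRange 10.1.1.20 -EndRange 10.1.1.254 -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ScopeId 10.1.1.0 `
    -Router 10.1.1.2 -DnsServer 10.1.1.10, 10.1.1.11 -DnsDomain 'haxor.local'

# Caveat for DHCP on a domain controller: by default the DHCP service registers
# client DNS records using the DC's own computer account, so those records end up
# owned by a highly privileged identity. Microsoft's guidance is to use a dedicated
# low-privilege account for dynamic DNS updates instead (assumed name below).
$dnsCred = Get-Credential -UserName 'HAXOR\svc_dhcp_dns' -Message 'Account for DHCP dynamic DNS updates'
Set-DhcpServerDnsCredential -Credential $dnsCred
Restart-Service -Name DHCPServer

# Verify: one active scope with the expected range, gateway and DNS options.
Get-DhcpServerv4Scope | Select-Object ScopeId, StartRange, EndRange, State
Get-DhcpServerv4OptionValue -ScopeId 10.1.1.0 | Select-Object OptionId, Name, Value
```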