Spinning up the Active Directory domain controller, joining client workstations, and seeding the environment with users, OUs, and a deliberately weak service account so later chapters have something realistic to attack.
Isolated subnet on VirtualBox, one Domain Controller, a handful of joined Windows endpoints. Everything is intentionally simple so misconfigurations and attack paths are easy to see in later chapters.
End-to-end walkthrough of standing up the domain — from creating the virtual network through getting the first user logged in.
In VirtualBox, created an isolated NAT network called LabNet on the 10.0.2.0/24 subnet with DHCP enabled. This will be the private wire that DC01 and all client VMs share, isolated from the host network and the public internet.
On the future DC VM, changed Adapter 1 from the default NAT to the new LabNet NAT network. This puts the server on the private lab subnet where it can serve as DHCP/DNS for everything else.
Inside Windows Server, used Rename-Computer -NewName DC01 to give the box a meaningful name before promotion. A reboot is required for the change to take effect.
Set a static IPv4 address of 10.0.2.10 with gateway 10.0.2.1, then pointed the DNS client at 127.0.0.1 so the DC resolves itself once promoted. A domain controller without stable IP + DNS is asking for replication and authentication weirdness later.
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools stages the role binaries and tooling. No restart needed yet — this only installs; the next step actually promotes the server.
Install-ADDSForest creates the brand-new forest imrankhomelab.local with NetBIOS IMRANKHOMELAB. Set a Safe Mode Administrator (breakglass) password stored separately from any user account. The DNS delegation warning is expected in a self-contained lab — there is no parent DNS zone above us.
After reboot, verified the forest is live: Get-ADDomain returns the correct DNSRoot and NetBIOS name, Get-ADForest shows the schema and naming masters, and the four core services — ADWS, DNS, KDC, Netlogon — are all running. This is the "is the DC actually a DC?" smoke test.
Opened Active Directory Users and Computers and started building OUs to mimic an enterprise structure. First one: IT, directly under imrankhomelab.local. Intentionally left "Protect container from accidental deletion" unchecked so the lab is easy to tear down later.
Created the full set of department OUs to mirror a small enterprise: Executives, Finance, HR, IT, Servers, ServiceAccounts, Users, and Workstations. Real environments have this kind of separation; the lab now does too, which means later GPO scoping and delegation exercises will be meaningful.
Inside Executives, created a Global Security group called Executives. Repeated this pattern across the other OUs (HelpDesk, IT-Admins, etc.) so that permissions can be assigned to groups rather than individual users — the way it should be done in production.
Created realistic user accounts for each department, setting name, display name, and office (New York), and placed them in the correct OUs. Examples: Clyde Sandor in IT, Shia Lee, Snola Banee, plus the rest of the roster (mchang, ppatel, lgarcia, orashid, jsmith and others).
Added users to group memberships. Some assignments are intentionally bad: regular users sit in Domain Admins, mimicking the flat-privilege environments that attackers love. This is the weak posture later chapters will demonstrate breaking, then harden.
Installed the DHCP role, authorized it in AD to prevent rogue DHCP servers, then created a scope LabNet-Scope covering 10.0.2.100 → 10.0.2.200. Set scope options so clients auto-discover the router (10.0.2.1), the DNS server (10.0.2.10 = DC01), and the search domain (imrankhomelab.local). With this in place, new client VMs join the lab network and find the DC without manual config.
On a fresh client VM, after the client picked up DHCP, repointed DNS at 10.0.2.10, flushed the cache, and ran nslookup imrankhomelab.local — resolution succeeded against DC01. With DNS healthy, opened System Properties → Change settings to begin the domain join.
The client machine (mchang's workstation) receives the "Welcome to the imrankhomelab.local domain" confirmation. That's the moment the lab becomes a real, functioning domain — there's now a relationship between this endpoint and the DC, and the user's domain credentials will work here after reboot.
After reboot, logged into the workstation using domain credentials (IMRANKHOMELAB\mchang). The Windows 11 welcome screen authenticating against the DC confirms end-to-end success: DC promoted, DHCP serving, DNS resolving, client joined, domain credential validated.
Observations from the build phase — the conditions later chapters will exploit and then remediate.
svc_sqlserver) with a weak password — the exact attack surface for Chapter 2.
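A defender-side audit of the two weak conditions noted above (ordinary users in Domain Admins, and the service account), as an added PowerShell example that is not part of the original lab build. It assumes the RSAT ActiveDirectory module on DC01, that the built-in Administrator and members of IT-Admins are the only accounts expected in Domain Admins, and that the ServiceAccounts OU sits directly under the domain root.

```powershell
# Added example: baseline audit of the lab's intentionally weak posture.
Import-Module ActiveDirectory

# Assumption: only these accounts are expected to hold Domain Admins.
$expected = @('Administrator')
$expected += @(Get-ADGroupMember -Identity 'IT-Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty SamAccountName)

# 1. Effective Domain Admins (nested groups included) outside the expected set.
$unexpectedAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties Department, LastLogonDate |
    Where-Object { $_.SamAccountName -notin $expected } |
    Select-Object SamAccountName, Department, LastLogonDate, DistinguishedName)

# 2. Accounts in the ServiceAccounts OU: password age, expiry flag, group memberships.
$domainDn = (Get-ADDomain).DistinguishedName
$svcOu    = "OU=ServiceAccounts,$domainDn"   # assumption: OU is at the domain root
$serviceAccounts = @(Get-ADUser -SearchBase $svcOu -Filter * `
        -Properties PasswordLastSet, PasswordNeverExpires, MemberOf |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires,
        @{ n = 'PasswordAgeDays'; e = {
            if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays }
        } },
        @{ n = 'Groups'; e = {
            ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
        } })

if ($unexpectedAdmins.Count -gt 0) {
    Write-Warning "$($unexpectedAdmins.Count) unexpected account(s) in Domain Admins"
    $unexpectedAdmins | Sort-Object SamAccountName | Format-Table -AutoSize
} else {
    Write-Output 'Domain Admins contains only expected accounts.'
}

Write-Output "Accounts under ${svcOu}:"
$serviceAccounts | Sort-Object SamAccountName | Format-Table -AutoSize
```

Password strength itself is not visible in these attributes; the second report only shows which service accounts have old or non-expiring passwords and which groups they belong to, which is where a weak password matters most.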