Servers & Devices
Setting up Active Directory and User machines:
- Windows Server 2022
- 4 Windows 11 Pro VMs to represent "Employees" to manage with AD
- Windows Server 2022
- Windows Users "Employees"
- Active Directory - User Creation
- Active Directory - Structuring and Group Creation
Windows Server 2022
Proxmox VM Set Up
Install Files
To start, you'll need to download some files. The 2 files you need are the Server ISO and the VirtIO Driver. You can download the latest stable release at the link below:
- Windows Server Evaluation ISO
- Windows VirtIO
- Download the latest stable release.
When configuring your VM, use the following settings to ensure your VM can boot correctly:
OS Configs
- Change your guest OS type to MS Windows and select the correct version
System Configs
- Select q35 for Gen2, default is i440fx
- Change BIOS to OVMF(UEFI), default is SeaBIOS
- Change your SCSI Controller to VirtIO SCSI, default is VirtIO SCSI Single
- Check Qemu Agent
Disk Configs
- Change your BUS/Device to VirtIO Block, default is IDE
- Change cache to Write Back, default is No Cache
CPU Configs
- Change type to Host, default is x86-64-v2-AES
Memory Configs
- Make sure Ballooning Device is enabled so RAM that isn't being used can be freed
VM Hardware
Once created, select your VM and navigate to the hardware section. Select Add, and add CD/DVD device. Here, you'll add the VirtIO driver. I've already added it, so you'll see 2 CD/DVD Drives.
Installation
Start your VM to begin installation and navigate into the console section of your VM. Select defaults as desired. Once the installer reaches installation type, select Custom:
Here, you'll load the VirtIO driver:
Select Browse, then select the following:
- CD Drive (D:) virtio-win-X.X.XXX ---> amd64 ---> 2k22
Select the Red Hat VirtIO SCSI Controller, then click next:
Once installed, it will ask you what disk you'd like to use. Select the Disk and then continue the install. Once the device reboots, you'll be prompted to enter an admin password, then you should arrive at the following screen:
Final Steps
The last thing you'll need to do is install the VirtIO win-guest tools and then remove boot drives attached to the VM to ensure proper installation.
- Launch the virtio-win-guest-tools application as administrator by navigating as follows:
Next, remove the CD Drive for VirtIO from the Hardware section of your VM in Proxmox, and then configure the Server ISO CD/Drive to "Do not use any media":
Your installation of Windows Server is now complete!
Setting Up Server as Active Directory Domain Controller
Keeping it simple, install the Active Directory Domain Services and DNS Server roles via Manage ---> Add Roles and Features.
After installation, promote your Windows server to a Domain Controller:
A Deployment Configuration Wizard screen will pop up. This step is important for properly setting up Active Directory services! Select Add a new Forest to begin the configuration wizard:
- Here you can see I've entered AD.testlab.home as my Root Domain Name
- Here you can set levels if you plan on connecting other Windows Servers. For my purposes, I'll be keeping it at its default of Windows Server 2016
- Set your DSRM password and store it safely.
If you're setting this up in a test environment, you'll likely see the following warning pop-up. For our purposes, this is okay:
Click through Additional Options, Paths, and Review Options to get to the prerequisite checks:
- Again, these warnings are okay for test environments. For production, you'll want to acknowledge them and make changes accordingly.
- After installation, the server will need to restart, and you should now be able to log in as Domain Administrator, which should say AD/administrator:
Useful Tips:
- If you're like me, you're using an evaluation copy of Windows and don't have any plans of purchasing a costly license anytime soon. To rearm the license and reset the count back to 180 days, run the following command in PowerShell:
  slmgr -rearm
Windows Users "Employees"
Proxmox VMs for Users
Use the following configurations to set up VMs for Windows 11 on Proxmox.
Name your machine, then move on to Operating System:
- Select your ISO and change the Type and Version accordingly.
- Select q35, OVMF, and QEMU agent.
- More importantly, make sure you select VirtIO SCSI
Next, configure Disks:
- Make sure you select VirtIO Block as BUS device. Everything else can remain as default.
After configuring your CPU and Memory, configure your network as follows:
- Before starting your machine, you need to add the VirtIO driver as a CD/DVD. To do this, navigate to Hardware ---> Add ---> CD/DVD
You can now boot up the machine. You should see the default Windows Installer Pop Up:
Select "I don't have a product key" and walk through the default setup. Once you reach the Installation Type, select Custom Install, then Load Driver:
Select "Browse":
Select your VirtIO CD ---> amd64 ---> w11:
Install the RedHat driver:
Continue through the set up and create a User for this machine. I'll be creating 4 VMs total, and this one will be User2.
When setting up your machine, you'll be asked to connect to the network. To bypass this, enter the following in CMD prompt:
- To get to CMD prompt, press SHIFT + F10
- You should now be able to select "I don't have internet" as an option:
Almost done! Let your device finish setting up, then log in and open up File Explorer. Select your VirtIO drive and run the installer to install all components:
After finishing the install, you should now be connected to the internet. To verify this, navigate to your router (OPNsense in my case) and check to see if your computer is being assigned an IP.
- You can see that my VM now has an IP of 192.168.2.25
- There are several other ways to check the internet connection. I did this so I could assign static IP and change the DNS route to point this machine to my Domain Controller so that I could add it to a Workgroup.
- You're all set, don't forget to update your Windows VM!
DNS Configurations
After setting up your VM and installing Windows 11 Pro, you'll need to configure some DNS routing to make sure your VMs can reach your Domain Controller. I've done this via my OPNsense router, and I'll be using "User 2", a Windows 11 Pro VM I've set up, to demonstrate. To do this, I configured DNS leases for the VMs via the web GUI as follows:
Next, select the "+" icon to add a static mapping:
To assign a static IP, enter the IP in the IP Address box:
Save and Apply Changes. You should now see the IP Assignment type change to "Static":
You may note that there are now 2 listings for the same device. We now need to change the Adapter settings on the VM. To do this, navigate to Settings ---> Network & Internet ---> Advanced Network Settings. Select "Edit" next to More Adapter Options:
Select IPv4 Properties, and assign it the static IP. We'll also assign it the DNS of the Domain Controller we set up earlier. My Domain Controller is at 192.168.2.100, so I'll change properties accordingly:
After making these changes, you'll see only one assignment for this VM's MAC address, a static one:
You're now ready to add it to your workgroup. Check the next page for how to add it!
Adding Users
With everything configured properly, you should now be able to join your User VM to the Domain/Workgroup. To do this, navigate to Settings ---> About ---> Domain or workgroup in your Windows Settings:
Select Change and enter your Domain details. You will be prompted to enter admin credentials. Use your server admin credentials:
If successfully done, you should receive the following Welcome screen:
Repeat this on your other "Employee VMs" and you're all set!
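The DNS change and domain join from the two sections above can also be done from an elevated PowerShell prompt on the client, with a check that the client can actually locate the Domain Controller before joining. This is an added example, not part of the original page; the domain name and DC address come from the page, and the adapter name `Ethernet` is an assumption.

```powershell
# Added example, not the page author's code. Run elevated on the Windows 11 VM.
$domain    = 'AD.testlab.home'   # root domain name from the page
$dcAddress = '192.168.2.100'     # domain controller address from the page
$adapter   = 'Ethernet'          # assumption: adapter name, check with Get-NetAdapter

# Point the client's resolver at the domain controller.
Set-DnsClientServerAddress -InterfaceAlias $adapter -ServerAddresses $dcAddress

# A domain join locates the DC through this SRV record; if it does not
# resolve, the client is still asking the wrong DNS server.
$records = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
$srv = $records | Where-Object { $_.NameTarget }   # keep SRV answers, drop additional A records
if (-not $srv) { throw "No domain controller SRV record found for $domain" }
$srv | Select-Object NameTarget, Port

# Confirm each advertised controller answers on LDAP before attempting the join.
foreach ($target in ($srv.NameTarget | Sort-Object -Unique)) {
    $check = Test-NetConnection -ComputerName $target -Port 389 -WarningAction SilentlyContinue
    if (-not $check.TcpTestSucceeded) { throw "Cannot reach $target on TCP 389" }
}

# Join the domain, prompting for the admin credentials, then reboot.
Add-Computer -DomainName $domain -Credential (Get-Credential) -Restart
```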
Active Directory - User Creation
First, let's confirm we've successfully added the Employee VMs to the domain. Navigate to Windows Administrative Tools ---> Active Directory Users and Computers ---> your domain ---> Computers:
- Here, you can see I have 4 Computers connected. Let's move on to creating a User.
Create a User. I'll create 4 Users in the following manner:
The following screen will ask you to make a password. Here, you can set initial password policies. These can be configured now, or changed later:
For simplicity, I'm going to keep the log in credentials as follows:
- Username: Employee#
- Password: User!23
Your User Object will be created:
My 4 Users:
Test
Now, let's see if it worked! Start one of your Employee VMs and try to log in:
Active Directory - Structuring and Group Creation
To get started, I'm going to create an Organizational Unit called "TheCompany". Here, we'll store our Users and Security Groups:
Then I've made 2 security groups: Sales and Marketing
Marketing SG Properties:
Sales SG Properties:
Next, I'll load 2 drives, 1 for each SG, and set permissions so that only members of each security group can see the relevant shared drive for the group. This will help set up baselines for when I attempt pentesting to simulate malicious insider threats.
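The OU, security group and user steps from the two Active Directory sections above, scripted with the ActiveDirectory module as an added example (not part of the original page). It assumes the page's AD.testlab.home domain, that "Employee#" means Employee1 to Employee4, and a group assignment the page does not give; the initial password is prompted for rather than written into the script.

```powershell
# Added example, not the page author's code. Run elevated on the domain controller.
Import-Module ActiveDirectory

$domainDn  = 'DC=AD,DC=testlab,DC=home'   # DN form of the page's AD.testlab.home
$upnSuffix = 'AD.testlab.home'
$ouName    = 'TheCompany'
$ouDn      = "OU=$ouName,$domainDn"

# Assumption: the page does not say which employee belongs to which group.
$membership = @{
    Sales     = 'Employee1', 'Employee2'
    Marketing = 'Employee3', 'Employee4'
}

# Prompt for the initial password so it is never stored in the script.
$initialPassword = Read-Host -AsSecureString -Prompt 'Initial password for new users'

# Every step checks for an existing object first, so the script can be re-run.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) { New-ADOrganizationalUnit -Name $ouName -Path $domainDn }

foreach ($groupName in $membership.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $ouDn)) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDn
    }
    $current = (Get-ADGroupMember -Identity $groupName).SamAccountName
    foreach ($sam in $membership[$groupName]) {
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'"
        if (-not $user) {
            # New accounts must change the shared initial password at first logon.
            New-ADUser -Name $sam -SamAccountName $sam -Path $ouDn `
                -UserPrincipalName "$sam@$upnSuffix" -Enabled $true `
                -AccountPassword $initialPassword -ChangePasswordAtLogon $true
        } elseif ($user.DistinguishedName -notlike "*,$ouDn") {
            # Users created earlier through the GUI are moved into the OU.
            Move-ADObject -Identity $user.DistinguishedName -TargetPath $ouDn
        }
        if ($sam -notin $current) { Add-ADGroupMember -Identity $groupName -Members $sam }
    }
}

# Verify the result: members per group, then the domain-joined computers.
foreach ($groupName in $membership.Keys) {
    Get-ADGroupMember -Identity $groupName |
        Select-Object @{ n = 'Group'; e = { $groupName } }, SamAccountName
}
Get-ADComputer -Filter * | Select-Object Name, DistinguishedName
```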