// LAB 001 — HANDS_ON_LABS

3-VM Active Directory Domain Lab

Built a fully functional multi-machine AD environment from scratch — domain controller, client machines, OU structure, group policies, and DNS — simulating a real enterprise network in VirtualBox.

Server 2019 · Active Directory · GPO · VirtualBox · DNS · DHCP · gpresult

PLATFORM: VirtualBox 7.x
OS: Windows Server 2019 + Win10
MACHINES: 1 DC + 2 Clients
DOMAIN: corp.local

WHAT I SET OUT TO PROVE

Build a realistic Active Directory domain environment that mirrors what you'd find in an enterprise — not just "install AD and call it done," but a fully configured forest with meaningful OU structure, working Group Policy, joined clients, and DNS resolution. Every configuration decision had to be deliberate and documentable.

LAB SETUP

Three VMs on a VirtualBox internal network (intnet) so machines can communicate without internet exposure. Static IPs assigned manually. Server 2019 licensed via Microsoft Evaluation Center.

network_layout.txt
# VM Configuration
# Hostname    OS                     IP               Role
DC01          Windows Server 2019    192.168.10.1     Domain Controller
CLIENT01      Windows 10 Pro         192.168.10.10    Domain Member
CLIENT02      Windows 10 Pro         192.168.10.11    Domain Member

# VirtualBox Network: Internal Network (intnet)
# DNS on clients points to DC01 (192.168.10.1)

STEP-BY-STEP EXECUTION

STEP 01
INSTALL AD DS AND PROMOTE TO DOMAIN CONTROLLER

Installed the Active Directory Domain Services role via PowerShell, then ran the forest promotion. Chose corp.local as the domain name, set the functional level to Windows Server 2016, and configured the DSRM password.

powershell — DC01
PS C:\> Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

PS C:\> Install-ADDSForest `
    -DomainName "corp.local" `
    -DomainNetbiosName "CORP" `
    -ForestMode "WinThreshold" `
    -DomainMode "WinThreshold" `
    -InstallDns `
    -SafeModeAdministratorPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force) `
    -Force

WARNING: Windows Server 2019 domain controller will reboot automatically...
The operation completed successfully.

STEP 02
DESIGN AND BUILD THE OU HIERARCHY

Created a realistic OU structure reflecting department-based administration — matching what you'd manage in a mid-size enterprise. Nested OUs allow granular GPO targeting per the LSDOU model.

powershell — DC01
# OU structure: corp.local
# └── Corp
#     ├── Users
#     │   ├── IT
#     │   ├── HR
#     │   ├── Finance
#     │   └── Operations
#     ├── Computers
#     └── Groups

PS C:\> New-ADOrganizationalUnit -Name "Corp" -Path "DC=corp,DC=local"
PS C:\> New-ADOrganizationalUnit -Name "Users" -Path "OU=Corp,DC=corp,DC=local"
PS C:\> foreach ($dept in @("IT","HR","Finance","Operations")) {
            New-ADOrganizationalUnit -Name $dept -Path "OU=Users,OU=Corp,DC=corp,DC=local"
        }

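Added example (not the lab's own commands): an idempotent build of the same tree that also creates the Computers and Groups OUs shown in the diagram, then redirects the default computer container so newly joined machines land under Corp where its GPOs apply. Assumes it runs on DC01 with the ActiveDirectory module; the Ensure-OU function name is mine.

```powershell
# Added example: build the full OU tree idempotently and redirect new computer accounts into it.
# Assumes: run on DC01 (corp.local) with the ActiveDirectory module (installed with the AD DS tools).
Import-Module ActiveDirectory

$DomainDN = (Get-ADDomain).DistinguishedName          # DC=corp,DC=local
$CorpDN   = "OU=Corp,$DomainDN"

# Parents are listed before children so each New-ADOrganizationalUnit has an existing -Path.
$OuPlan = @(
    @{ Name = 'Corp';      Parent = $DomainDN }
    @{ Name = 'Users';     Parent = $CorpDN }
    @{ Name = 'Computers'; Parent = $CorpDN }
    @{ Name = 'Groups';    Parent = $CorpDN }
)
foreach ($dept in 'IT', 'HR', 'Finance', 'Operations') {
    $OuPlan += @{ Name = $dept; Parent = "OU=Users,$CorpDN" }
}

function Ensure-OU {
    param([string]$Name, [string]$Parent)
    # Search one level under the parent only, so a same-named OU elsewhere is not mistaken for this one.
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $Parent -SearchScope OneLevel
    if ($existing) {
        "EXISTS  | OU=$Name,$Parent"
    } else {
        # ProtectedFromAccidentalDeletion is already the cmdlet default; stated explicitly to make the intent visible.
        New-ADOrganizationalUnit -Name $Name -Path $Parent -ProtectedFromAccidentalDeletion $true
        "CREATED | OU=$Name,$Parent"
    }
}

foreach ($ou in $OuPlan) { Ensure-OU @ou }

# Newly joined machines otherwise land in CN=Computers, a container that cannot have GPOs linked to it.
# redircmp.exe (ships with AD DS) makes OU=Computers,OU=Corp the default location instead.
redircmp.exe "OU=Computers,$CorpDN"
```

Re-running the script reports EXISTS for every OU and changes nothing, which is what you want before the Computers OU starts receiving joined clients.
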
STEP 03
CREATE USERS, GROUPS, AND MEMBERSHIPS

Provisioned 10 test users using the New-BulkADUsers.ps1 script with SampleUsers.csv. Created security groups per department and nested the IT group inside a Domain Admins mirror group for testing delegation.

powershell — DC01
# Bulk provision from CSV
PS C:\> .\New-BulkADUsers.ps1 -CSVPath ".\SampleUsers.csv"

OK | Created: John Smith (jsmith) -> OU=IT,OU=Users,OU=Corp,DC=corp,DC=local
OK | Created: Maria Garcia (mgarcia) -> OU=HR,OU=Users,OU=Corp,DC=corp,DC=local
OK | Created: David Johnson (djohnson) -> OU=Finance,OU=Users,OU=Corp,DC=corp,DC=local
...

--- Provisioning Summary ---
Created : 10
Skipped : 0
Failed  : 0

STEP 04
DESIGN AND DEPLOY GROUP POLICY OBJECTS

Created 5 GPOs targeting different levels of the OU hierarchy. Practiced LSDOU precedence by deliberately setting conflicting policies at different levels and using gpresult /r to verify which policy won.

powershell — DC01
# GPO 1: Password Policy (Domain level)
# GPO 2: Disable USB Storage (Corp OU)
# GPO 3: Software Restriction - block .exe from Downloads (IT OU)
# GPO 4: Desktop Wallpaper enforcement (Users OU)
# GPO 5: Audit Policy — logon events (Domain level)

PS C:\> New-GPO -Name "Corp-PasswordPolicy" | New-GPLink -Target "DC=corp,DC=local"
# Note: Netlogon\Parameters\MaximumPasswordAge is the *machine account* password age in days
# ("Domain member: Maximum machine account password age"); the user password policy is set under
# Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies.
PS C:\> Set-GPRegistryValue -Name "Corp-PasswordPolicy" `
    -Key "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" `
    -ValueName "MaximumPasswordAge" -Type DWord -Value 90

# Verify on client
C:\> gpresult /r
Applied Group Policy Objects
    Corp-PasswordPolicy
    Corp-DisableUSB
    Corp-DesktopWallpaper

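Added example (not part of the lab write-up): a server-side view of the same LSDOU test. It walks the container chain from the domain down to a department OU, prints each level's links with their Order/Enforced flags, then shows the resolved precedence, and finishes by reading the password policy the domain actually enforces for user accounts. Assumes DC01 with the GroupPolicy and ActiveDirectory modules; Show-GpoPrecedence is my function name.

```powershell
# Added example: show the LSDOU chain for an OU and its resolved GPO precedence, then confirm the
# user password policy the domain enforces. Assumes: run on DC01 with the GroupPolicy and
# ActiveDirectory modules; the default target is one of the lab's department OUs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Show-GpoPrecedence {
    param([string]$TargetDN = 'OU=IT,OU=Users,OU=Corp,DC=corp,DC=local')

    # Build the container chain from the domain root down to the target (Domain -> OU -> child OU).
    $chain = @()
    $dn = $TargetDN
    while ($dn) {
        $chain = @($dn) + $chain
        # Strip the leading OU= component; stop once only the DC= components remain.
        $dn = if ($dn -match '^OU=[^,]+,(.+)$') { $Matches[1] } else { $null }
    }

    foreach ($container in $chain) {
        $inh = Get-GPInheritance -Target $container
        "`n== $container  (inheritance blocked: $($inh.GpoInheritanceBlocked))"
        foreach ($link in $inh.GpoLinks) {
            # Lower Order = higher precedence within this container. An Enforced link cannot be
            # overridden by anything linked further down, nor stopped by Block Inheritance.
            '   order={0} enabled={1,-5} enforced={2,-5} {3}' -f $link.Order, $link.Enabled, $link.Enforced, $link.DisplayName
        }
    }

    # Resolved list, same order as the GPMC "Group Policy Inheritance" tab: precedence 1 wins a conflict.
    "`n== Effective precedence at $TargetDN"
    $i = 1
    foreach ($link in (Get-GPInheritance -Target $TargetDN).InheritedGpoLinks) {
        '   {0}. {1}' -f $i, $link.DisplayName
        $i++
    }
}

Show-GpoPrecedence

# User account password settings come from Account Policies in the domain-linked GPO (Default
# Domain Policy unless overridden), so read the effective values instead of a registry key.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordLength, PasswordHistoryCount, ComplexityEnabled, LockoutThreshold
```

Compare the "Effective precedence" list with gpresult /r on the client: a GPO present here but missing there points at security filtering, WMI filtering, or a disabled link rather than at precedence.
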
STEP 05
JOIN CLIENT MACHINES TO THE DOMAIN

Pointed both Windows 10 clients to DC01 for DNS (required for domain join). Joined via GUI and PowerShell. Verified domain membership, checked that users could log in with domain credentials, and confirmed GPOs applied correctly.

powershell — CLIENT01
# Set DNS to DC01
PS C:\> Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.10.1

# Join domain
PS C:\> Add-Computer -DomainName "corp.local" -Credential (Get-Credential) -Restart

# Verify after reboot
PS C:\> (Get-WmiObject Win32_ComputerSystem).PartOfDomain
True
PS C:\> (Get-WmiObject Win32_ComputerSystem).Domain
corp.local
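Added example (not from the lab): a post-join health check run on the client that exercises the DC locator path the way the join itself does, rather than only reading the PartOfDomain flag. Assumes an elevated PowerShell session on CLIENT01, DC01 at 192.168.10.1, and the corp.local domain; Test-DcLocator is my function name.

```powershell
# Added example: confirm a joined client can find the DC the way the DC locator does.
# Assumes: elevated session on CLIENT01 after the join; DC01 = 192.168.10.1; domain corp.local.
function Test-DcLocator {
    param([string]$Domain = 'corp.local', [string]$DnsServer = '192.168.10.1')

    # 1. SRV records the locator queries. If these are missing, logons fail even though the
    #    DC's A record resolves, so test them explicitly instead of only pinging DC01.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$Domain"       # any writable DC
        "_kerberos._tcp.dc._msdcs.$Domain"   # KDC
        "_ldap._tcp.pdc._msdcs.$Domain"      # PDC emulator (password changes, time source)
    )
    foreach ($name in $srvNames) {
        $srv = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
               Where-Object Type -eq 'SRV'
        if ($srv) {
            foreach ($r in $srv) { "SRV OK   | $name -> $($r.NameTarget):$($r.Port) (prio $($r.Priority))" }
        } else {
            "SRV MISS | $name"
        }
    }

    # 2. Ports the join/logon path uses on the DC: DNS, Kerberos, RPC mapper, LDAP, SMB, kpasswd, GC.
    $dcHost = ($srv | Select-Object -First 1).NameTarget
    if (-not $dcHost) { $dcHost = "dc01.$Domain" }   # fall back to the lab hostname if SRV failed
    foreach ($port in 53, 88, 135, 389, 445, 464, 3268) {
        $ok = (Test-NetConnection -ComputerName $dcHost -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        $state = if ($ok) { 'open' } else { 'CLOSED' }
        'PORT {0,-5} {1}' -f $port, $state
    }

    # 3. Which DC the client's own locator picks, and whether the computer account's secure channel is healthy.
    nltest "/dsgetdc:$Domain"
    "Secure channel OK: $(Test-ComputerSecureChannel)"
}

Test-DcLocator
```

Run it on both clients; a CLOSED port or SRV MISS on one client but not the other usually means that client's DNS server setting reverted to something other than DC01.
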
RESULTS
  • Fully functional corp.local domain with 1 DC and 2 joined Windows 10 clients
  • Multi-OU forest: 4 department OUs under Users, plus Computers and Groups containers
  • 10 domain users provisioned via bulk CSV script, placed in correct OUs
  • 5 GPOs deployed — password policy, USB restriction, software restriction, wallpaper, audit logging
  • Verified LSDOU precedence by testing conflicting policies at different OU levels
  • All GPO application confirmed via gpresult /r on both clients
  • DNS resolving correctly — clients locate DC via SRV records
BUILT ON TOP OF THIS ENVIRONMENT
  • LAB 002 → LDAPS & PKI
  • LAB 003 → PowerShell Automation
  • LAB 006 → AD Replication & Health