Setting Up Active Directory in a Virtual Machine (VM) – Step-by-Step Guide

If you’re diving into Active Directory (AD), setting it up in a virtual environment is the best way to test things out without breaking anything important. In this guide, I’ll walk you through:

✔️ Installing Windows Server in a VM
✔️ Setting up a Domain Controller
✔️ Adding users, groups, and roles
✔️ Joining a Windows 11 machine to the domain
✔️ Applying Group Policies (GPOs)
✔️ Using PowerShell to automate AD tasks

Let’s get started.


1. Setting Up Your Virtual Machine

First things first, you need a VM running Windows Server 2019 or 2022. You can use Hyper-V, VMware, or VirtualBox to create one. Put the server VM and the client VM on an isolated (host-only or internal) virtual network so your lab domain's DNS and its DC never touch your real LAN.

Step 1: Install Windows Server in a VM

  1. Download the Windows Server 2022 evaluation ISO from Microsoft's Evaluation Center (a 180-day trial, which is plenty for a lab).
  2. Create a new VM with at least:
    • 2 vCPUs
    • 4GB RAM (8GB recommended)
    • 50GB+ storage
  3. Mount the ISO and install Windows Server (Desktop Experience, unless you want to do everything from PowerShell).
  4. Give the server its final name now (e.g., DC01); renaming a domain controller after promotion is awkward.
  5. Set a static IP address (important for domain setup: clients find the DC through DNS records that contain this address, so it must never change).
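The network identity steps above, scripted. This is an added example rather than the guide's own text; the subnet 192.168.56.0/24, the DC address .10, the gateway .1 and the host name DC01 are assumptions for a typical host-only lab network, so change them to match yours.

```powershell
# Added example, not part of the original guide: give the future DC a fixed name and
# static IPv4 address from an elevated PowerShell on the server.
# Assumed lab values: subnet 192.168.56.0/24, DC at .10, hypervisor gateway at .1,
# host name DC01. Change them to match your VM network.

$DcIp    = '192.168.56.10'
$Gateway = '192.168.56.1'
$Prefix  = 24
$DcName  = 'DC01'

# Pick the first connected adapter (a lab VM normally has exactly one).
$Adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1

# Turn off DHCP and clear any address/default route it left, otherwise
# New-NetIPAddress -DefaultGateway fails with "Instance DefaultGateway already exists".
Set-NetIPInterface -InterfaceIndex $Adapter.ifIndex -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $Adapter.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $Adapter.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

New-NetIPAddress -InterfaceIndex $Adapter.ifIndex -IPAddress $DcIp `
    -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null

# A DC must use itself for DNS; the forest promotion installs the DNS role and adds the
# loopback address as a secondary resolver. Add forwarders afterwards if the lab needs
# internet name resolution (Add-DnsServerForwarder).
Set-DnsClientServerAddress -InterfaceIndex $Adapter.ifIndex -ServerAddresses $DcIp

# Show the result before renaming; the rename needs a reboot.
Get-NetIPConfiguration -InterfaceIndex $Adapter.ifIndex

# Name the server now: renaming a domain controller after promotion is painful.
Rename-Computer -NewName $DcName -Restart
```

Run it once, let the VM reboot, and confirm with `ipconfig /all` that the adapter shows the static address with DHCP disabled before moving on to the role installation.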

2. Installing Active Directory Domain Services (AD DS)

Once your Windows Server VM is running:

Step 2: Install AD DS Role

  1. Open Server Manager > Click Manage > Add Roles and Features.
  2. Select Role-based or feature-based installation > Click Next, and leave the local server selected.
  3. Under Server Roles, check Active Directory Domain Services, accept the prompt to add the required management tools, and click Next.
  4. Click Install and wait for it to finish (no reboot is needed at this point).

3. Promoting the Server to a Domain Controller

Now, we need to promote the server to a Domain Controller (DC).

Step 3: Set Up the Domain

  1. After installation, click Promote this server to a domain controller (from the flag notification in Server Manager).
  2. Choose Add a new forest and enter your root domain name (e.g., mydomain.local). Be aware that .local is a lab shortcut, not a best practice: it collides with mDNS/Bonjour name resolution and no public CA will issue certificates for it. For anything beyond a throwaway lab, use a subdomain of a DNS name you own (e.g., ad.example.com).
  3. Click Next through the prompts and:
    • Leave the Forest and Domain Functional Level at Windows Server 2016 (the highest level Server 2019 and 2022 offer).
    • Leave DNS server and Global Catalog checked.
    • Set a DSRM password. This is the local Administrator password used to boot the DC into Directory Services Restore Mode for AD recovery; record it somewhere safe.
    • Accept the suggested NetBIOS name (MYDOMAIN) or change it; it is what shows up before the backslash in logons.
  4. Click Install; the server reboots on its own.

After rebooting, log in using MYDOMAIN\Administrator. The built-in local Administrator account becomes the domain Administrator during promotion and keeps the password you set before promoting.
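The role installation and forest promotion from Steps 2 and 3 as a script, followed by the checks you should run on the new DC. This is an added example, not text from the guide; it assumes the guide's domain name mydomain.local and a NetBIOS name of MYDOMAIN, and it is run from an elevated PowerShell on the server.

```powershell
# Added example, not part of the original guide: install the AD DS role and create the
# forest from PowerShell, then verify the new DC after it reboots. Assumes the guide's
# domain name mydomain.local and a NetBIOS name of MYDOMAIN; run elevated on the server.

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# DSRM password: prompted, never stored in the script. It is the local Administrator
# password used to boot the DC into Directory Services Restore Mode for recovery.
$Dsrm = Read-Host -Prompt 'DSRM (safe mode) password' -AsSecureString

# WinThreshold = Windows Server 2016 functional level, the highest that Server 2019/2022 offer.
# -CreateDnsDelegation:$false because nothing above mydomain.local exists to delegate from.
Install-ADDSForest `
    -DomainName 'mydomain.local' `
    -DomainNetbiosName 'MYDOMAIN' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -SafeModeAdministratorPassword $Dsrm `
    -NoRebootOnCompletion:$false `
    -Force:$true

# ---- After the automatic reboot, log on as MYDOMAIN\Administrator and check: ----

# The DC advertises itself through SRV records; clients find it only if these resolve.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.mydomain.local' -Type SRV
Resolve-DnsName -Name '_kerberos._tcp.mydomain.local' -Type SRV

# FSMO roles, functional levels and the services the DC advertises.
Get-ADForest | Select-Object Name, ForestMode, SchemaMaster, DomainNamingMaster
Get-ADDomainController -Discover -Service 'PrimaryDC','KDC','GlobalCatalog' |
    Format-List Name, IPv4Address, Site, Domain

# Built-in health check; /q prints only failures, so silence means healthy.
dcdiag /q
```

If the SRV lookups fail on the DC itself, the DNS client is not pointing at the DC's own address; fix that before joining any client, because every later step depends on it.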


4. Creating Users, Groups, and Roles in AD

With our domain set up, let’s create users and groups in Active Directory Users and Computers (ADUC).

Step 4: Open ADUC

  1. Click Start, type Active Directory Users and Computers, and open it.

Step 5: Create an Organizational Unit (OU)

  1. Right-click your domain name (mydomain.local) > New > Organizational Unit.
  2. Name it something like IT Department and click OK.

Step 6: Add a New User

  1. Inside your OU, right-click > New > User.
  2. Fill in:
    • First Name, Last Name, Username (jdoe).
  3. Set a password (e.g., Password123! for a lab) and tick User must change password at next logon. A guessable placeholder like this is acceptable only on an isolated lab network; never carry the habit into a real domain.
  4. Click Finish.

Step 7: Create a Group and Assign Users

  1. In ADUC, navigate to an OU.
  2. Right-click > New > Group.
  3. Name it (e.g., IT Admins).
  4. Select Global and Security > Click OK.
  5. Right-click the user > Properties > Member Of > Add the group.

5. Joining a Windows 11 Machine to the Domain

To test AD, we’ll join a Windows 11 VM to the domain.

Step 8: Set Up Windows 11 VM

  1. Install Windows 11 in a VM.
  2. Set a static IP (in the same subnet as your AD server) or let the lab network hand one out; only the DNS setting really matters.
  3. Set the Preferred DNS server to the AD server's IP. The domain's SRV records exist only in the DC's DNS zone, so a client using any other resolver cannot find the domain at all.

Step 9: Join the Domain

  1. Open Settings > System > About and, under Related links, click Domain or workgroup. (This needs Windows 11 Pro, Enterprise or Education; Home edition cannot join a domain.)
  2. On the Computer Name tab of the dialog that opens, click Change….
  3. Select Domain, enter mydomain.local, and click OK.
  4. Enter credentials of an account allowed to join computers. By default any authenticated domain user may join up to 10 computers (the domain's ms-DS-MachineAccountQuota attribute), so a standard user works for a lab; get into the habit of never typing Domain Admin credentials into a workstation.
  5. Restart the computer.

Now you can log in as MYDOMAIN\jdoe (or jdoe@mydomain.local)! If the join fails with "an Active Directory Domain Controller could not be contacted", the client's DNS is not pointing at the DC.
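The same join done from PowerShell on the Windows 11 VM, with the DNS and port checks that explain almost every failed join, and the verification to run afterwards. This is an added example, not part of the guide; the DC address 192.168.56.10, the join account MYDOMAIN\svc-join (a plain user delegated "Create Computer objects" on the target OU) and the OU named Workstations are assumptions.

```powershell
# Added example, not part of the original guide: the domain join from the Windows 11 VM,
# with the DNS check that explains most failed joins, plus post-join verification.
# Assumed values: DC at 192.168.56.10, domain mydomain.local, a join account
# MYDOMAIN\svc-join that was delegated "Create Computer objects" on the target OU, and
# an existing OU named Workstations. Windows 11 Home cannot join a domain; use Pro,
# Enterprise or Education. Run elevated on the client.

$DcIp   = '192.168.56.10'
$Domain = 'mydomain.local'
$OuPath = 'OU=Workstations,DC=mydomain,DC=local'   # must exist; drop -OUPath to use CN=Computers

# 1. Point DNS at the DC: the domain is discoverable only through the DC's DNS zone.
$Adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $Adapter.ifIndex -ServerAddresses $DcIp
Clear-DnsClientCache

# 2. Prove a DC can be located before touching the join, and that the ports it needs are open.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) { throw "No DC SRV record for $Domain via $DcIp. Fix DNS first." }
foreach ($port in 53, 88, 389, 445) {   # DNS, Kerberos, LDAP, SMB (SYSVOL/NETLOGON)
    if (-not (Test-NetConnection -ComputerName $DcIp -Port $port -InformationLevel Quiet)) {
        throw "DC port $port unreachable; check the VM network and the DC's firewall profile."
    }
}

# 3. Join with the low-privilege join account, never with Domain Admin on a workstation.
$cred = Get-Credential -UserName 'MYDOMAIN\svc-join' -Message 'Account delegated to join computers'
Add-Computer -DomainName $Domain -Credential $cred -OUPath $OuPath -Restart

# ---- After the reboot, from an elevated PowerShell on the client: ----
Get-CimInstance Win32_ComputerSystem | Select-Object Name, Domain, PartOfDomain
Test-ComputerSecureChannel -Verbose        # True: machine account password and trust are good
nltest /dsgetdc:mydomain.local             # which DC the client picked and from which site
```

Placing the computer object in a real OU at join time (rather than the default CN=Computers container, which is not an OU and cannot have a GPO linked to it) is what makes the Computer Configuration policies in the next section apply to this machine.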


6. Applying Group Policies (GPOs)

Step 10: Create and Apply a GPO

  1. Open Group Policy Management (gpmc.msc).
  2. Right-click Group Policy Objects > New > name it (e.g., Security Policy). Right-click the new GPO > Edit to change its settings.
  3. Right-click the OU whose computers or users it should affect > Link an Existing GPO… > select it. A GPO does nothing until it is linked somewhere.

Step 11: Set the Domain Password Policy

Account Policies (password, lockout, Kerberos) for domain accounts are read only from GPOs linked at the domain root, normally the Default Domain Policy. The same settings in a GPO linked to an OU change only the local SAM accounts of the computers in that OU, not domain users. So edit the Default Domain Policy (or a new GPO linked at the domain level) for this step:

  1. Open the GPO and go to:
     Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy
  2. Modify:
    • Minimum password length: 10 characters
    • Enforce password history: 5 passwords remembered
    • Maximum password age: 90 days
  3. Click Apply and OK.

If you want stricter rules for a subset of users (say, longer passwords for IT Admins), that is what fine-grained password policies (Password Settings Objects) are for; an OU-linked GPO cannot do it.

Step 12: Restrict USB Devices

  1. Go to:
     Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access
  2. Enable All Removable Storage classes: Deny all access.

This is a Computer Configuration setting, so it applies to the computer objects under the OU the GPO is linked to. Newly joined computers land in the CN=Computers container by default, which is not an OU and cannot have a GPO linked to it; move the Windows 11 computer object into your OU (ADUC > drag and drop, or Move…) or the policy will never reach it.

Run gpupdate /force on the client machine to apply policies, then gpresult /r to confirm the GPO is listed under Applied Group Policy Objects for the computer.
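Steps 10 to 12 scripted with the ActiveDirectory and GroupPolicy modules on the DC, including the per-group password policy that an OU-linked GPO cannot provide. This is an added example, not the guide's own text; it assumes the guide's domain mydomain.local, OU IT Department, group IT Admins, user jdoe and GPO name Security Policy, and the PSO name PSO-ITAdmins and its values are assumptions.

```powershell
# Added example, not part of the original guide: Steps 10-12 scripted with the
# ActiveDirectory and GroupPolicy modules on the DC. Assumes the guide's domain
# mydomain.local, OU 'IT Department', group 'IT Admins', user jdoe and GPO name
# 'Security Policy'. The PSO name PSO-ITAdmins and its values are assumptions.

Import-Module ActiveDirectory, GroupPolicy

$OuDn    = 'OU=IT Department,DC=mydomain,DC=local'
$GpoName = 'Security Policy'

# 1. Show the domain password policy now in force. Its source is the GPO linked at the
#    domain root (Default Domain Policy), edited in GPMC as in Step 11; the security
#    client-side extension re-applies that GPO every 16 hours, so values set any other
#    way do not stick.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold

# 2. A stricter policy for the admins only. OU-linked GPOs cannot do this for domain
#    accounts; a fine-grained password policy (PSO) applied to the group can.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'PSO-ITAdmins'")) {
    New-ADFineGrainedPasswordPolicy -Name 'PSO-ITAdmins' -Precedence 10 `
        -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ITAdmins' -Subjects 'IT Admins'
}
# Resultant policy for a member: the PSO wins over the domain policy.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' | Select-Object Name, MinPasswordLength, Precedence

# 3. Removable storage: a Computer Configuration setting, so it belongs in a GPO linked
#    where the computer objects live. "All Removable Storage classes: Deny all access"
#    writes this registry value under HKLM.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Lab baseline: deny removable storage' }
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
    -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# Link once; re-running the script must not create a duplicate link.
$linked = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null }

# 4. Verify the setting is in the GPO and the link is on the OU. Then, on a client whose
#    computer object sits in that OU: gpupdate /force and gpresult /r.
(Get-GPOReport -Name $GpoName -ReportType Xml) -match 'Deny_All'
(Get-GPInheritance -Target $OuDn).GpoLinks | Select-Object DisplayName, Enabled, Enforced, Order
```

The split between parts 1/2 and part 3 is the point: password rules for domain accounts are domain-wide (or per-PSO), while device restrictions follow the computer object's OU. Mixing those up is the most common reason a lab "password policy GPO" appears to do nothing.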


7. Automating Active Directory with PowerShell

Manually managing AD is fine for small setups, but PowerShell saves time when dealing with multiple users. The ActiveDirectory module is installed with the AD DS management tools on the DC; on any other machine, install RSAT first.

Step 13: Create a User with PowerShell

# Requires the ActiveDirectory module (on the DC, or via RSAT on a management host).
# Password123! is a lab-only placeholder; in a real domain generate a unique initial
# password per user and add -ChangePasswordAtLogon $true.
New-ADUser -Name "John Doe" -GivenName "John" -Surname "Doe" `
    -SamAccountName "jdoe" -UserPrincipalName "jdoe@mydomain.local" `
    -Path "OU=IT Department,DC=mydomain,DC=local" `
    -AccountPassword (ConvertTo-SecureString "Password123!" -AsPlainText -Force) `
    -Enabled $true

Step 14: Bulk Import Users from CSV

  1. Create a CSV (users.csv); every OU it names (here IT Department and HR) must already exist:

FirstName,LastName,Username,OU
John,Doe,jdoe,IT Department
Jane,Smith,jsmith,HR
  2. Run:
$users = Import-Csv "C:\users.csv"
foreach ($user in $users) {
    # Lab-only: every account gets the same placeholder password. Generate one per user
    # and add -ChangePasswordAtLogon $true before doing this anywhere real.
    $password = ConvertTo-SecureString "Password123!" -AsPlainText -Force
    # The OU named in the CSV (e.g. OU=HR) must already exist or New-ADUser fails.
    New-ADUser -Name "$($user.FirstName) $($user.LastName)" `
        -GivenName $user.FirstName -Surname $user.LastName `
        -SamAccountName $user.Username -UserPrincipalName "$($user.Username)@mydomain.local" `
        -Path "OU=$($user.OU),DC=mydomain,DC=local" `
        -AccountPassword $password -Enabled $true
}

Step 15: Assign a User to a Group

# -Members accepts SamAccountName, DN, GUID or SID, and a list of them.
Add-ADGroupMember -Identity "IT Admins" -Members "jdoe"
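A hardened version of the bulk import in Step 14 and the group assignment in Step 15, added here as an example rather than taken from the guide: every user gets a unique random initial password, must change it at first logon, re-running the script skips existing users and OUs that do not exist, and the last lines verify what landed. It assumes the guide's users.csv columns (FirstName,LastName,Username,OU) plus an optional Group column, the domain mydomain.local, and the IT Admins group.

```powershell
# Added example, not part of the original guide: a hardened version of the CSV import and
# group assignment from Steps 14 and 15. Every user gets a unique random initial password,
# must change it at first logon, and re-running the script skips what already exists.
# Assumes the guide's users.csv columns (FirstName,LastName,Username,OU) plus an optional
# Group column, the domain mydomain.local, and that the named OUs already exist.

Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 20)
    # 64 symbols (no 0/O/1/l/I) so "byte mod 64" is unbiased; regenerate until all four
    # classes are present so the result cannot fail the domain complexity rule.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    do {
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -cmatch '\d' -and $pw -cmatch '[!@#$%^&]')
    return $pw
}

$domainDn  = 'DC=mydomain,DC=local'
$upnSuffix = 'mydomain.local'

$results = foreach ($u in Import-Csv 'C:\users.csv') {
    $sam  = $u.Username
    $ouDn = "OU=$($u.OU),$domainDn"

    if (-not [adsi]::Exists("LDAP://$ouDn")) {
        Write-Warning "OU '$ouDn' does not exist; skipping $sam"
        continue
    }

    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        Write-Verbose "$sam already exists; leaving it alone" -Verbose
        $initial = $null
    } else {
        $initial = New-RandomPassword
        New-ADUser -Name "$($u.FirstName) $($u.LastName)" `
            -GivenName $u.FirstName -Surname $u.LastName `
            -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" `
            -Path $ouDn `
            -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
            -ChangePasswordAtLogon $true `
            -Enabled $true
    }

    # Optional Group column: add membership only if missing (Add-ADGroupMember errors on repeats).
    if ($u.PSObject.Properties['Group'] -and $u.Group) {
        $members = (Get-ADGroupMember -Identity $u.Group).SamAccountName
        if ($sam -notin $members) { Add-ADGroupMember -Identity $u.Group -Members $sam }
    }

    [pscustomobject]@{ Username = $sam; OU = $u.OU; Group = $u.Group; InitialPassword = $initial }
}

# Hand initial passwords over out of band and do not leave them on disk; here they are only displayed.
$results | Format-Table -AutoSize

# Verification: what actually landed (pwdLastSet = 0 means "must change at next logon"),
# and who is in the privileged group.
Get-ADUser -Filter * -SearchBase "OU=IT Department,$domainDn" -Properties PasswordLastSet, pwdLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet, @{ n = 'MustChange'; e = { $_.pwdLastSet -eq 0 } }
Get-ADGroupMember -Identity 'IT Admins' | Select-Object SamAccountName, objectClass
```

The password generator deliberately uses a 64-character alphabet: a byte modulo 64 is uniform, which a modulo over an alphabet of any other size would not be. The `-cmatch` operators are the case-sensitive form; the default `-match` is case-insensitive and would accept an all-lowercase string as containing an uppercase letter.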

Final Thoughts

Congrats! 🎉 You now have a working Active Directory lab running in a VM. You’ve set up users, groups, policies, and even automated tasks with PowerShell.