This project provides a comprehensive guide to installing and configuring Active Directory using VirtualBox. It includes steps for setting up a Windows Server 2022 VM as a domain controller and joining a client PC to the domain.
- Prerequisites
- Setting Up VirtualBox
- Creating Virtual Machines
- Installing Windows Server and Active Directory
- Configuring Active Directory
- Setting Up Client PC
- Testing and Verification
- Troubleshooting
  - Common Issues and Solutions
    - Issue: Unable to Join Domain
    - Issue: DNS Issues
    - Issue: Time Synchronization Problems
    - Issue: Incorrect Domain Name
    - Issue: Account Permissions
    - Issue: Active Directory Services Not Running
    - Issue: Computer Account Already Exists
    - Issue: Group Policy Issues
    - Issue: Network Location Awareness
    - Issue: IPv6 Configuration
    - Issue: Duplicate SPN
  - Additional Tools for Troubleshooting
## Prerequisites

- VirtualBox installed on your computer.
- ISO files for Windows Server 2022 and a Windows client (e.g., Windows 10).
- A basic understanding of networking concepts.
## Setting Up VirtualBox

Download and install VirtualBox from here.
## Creating Virtual Machines

- Open VirtualBox and click on `New`.
- Name the VM (e.g., `DC-01`) and select `Microsoft Windows` and `Windows 2022 (64-bit)`.
- Allocate at least 2GB of RAM.
- Create a virtual hard disk (VDI) with at least 20GB of storage.
- Attach the Windows Server ISO to the VM's optical drive.
- Run the installer.
- Choose the language and region and click `Install Now`.
- In the menu, select `Windows Server 2022 Standard Evaluation (Desktop Experience)`.
- Choose the VDI that you created and proceed with the installation.
- Follow similar steps to create another VM (e.g., `Client-PC`).
- Allocate at least 2GB of RAM.
- Attach the Windows 10 ISO to the VM's optical drive.
## Installing Windows Server and Active Directory

- Start the `DC-01` VM and boot from the ISO.
- Follow the installation prompts to install Windows Server.
- Set a strong administrator password.
- Open File Explorer, right-click `This PC` and press `Properties`.
- In the first window, change the device name to `Server2022`.
- Reboot the VM.
- Open Server Manager.
- Click on `Add roles and features`.
- Select `Active Directory Domain Services` and follow the prompts to install.
- In Server Manager, click on the flag notification and select `Promote this server to a domain controller`.
- Add a new forest and name your domain (let's use `greenday.com` as the domain name).
- Follow the prompts, setting the Directory Services Restore Mode (DSRM) password.
- Restart the server once the configuration is complete.
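The same build, from the static address and hostname through promotion to the first domain controller of `greenday.com`, as an added PowerShell example (not the tutorial's own steps). It assumes the adapter alias is `Ethernet` and uses the constructed host-only address 192.168.56.10/24; each phase is run in an elevated PowerShell after the previous phase's reboot.

```powershell
# Added example (not from the original page): the same build as the steps
# above, done from an elevated PowerShell on the server VM.
# Assumptions: the adapter alias is "Ethernet"; 192.168.56.10/24 is a
# constructed VirtualBox host-only address; each phase ends in a reboot.

# --- Phase 1: fixed address and hostname ---
# A DC must keep a static address, and it will be its own DNS server.
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 192.168.56.10 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 127.0.0.1
Rename-Computer -NewName "Server2022" -Restart

# --- Phase 2 (after the reboot): role install and forest promotion ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# The DSRM password is prompted for, never written into the script.
$dsrm = Read-Host -Prompt "DSRM (Directory Services Restore Mode) password" -AsSecureString

Install-ADDSForest -DomainName "greenday.com" -DomainNetbiosName "GREENDAY" `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force   # -Force skips the confirmation; the server reboots when done

# --- Phase 3 (after the second reboot): confirm the forest is up ---
Get-ADDomain -Identity "greenday.com" | Select-Object DNSRoot, DomainMode, PDCEmulator
Get-Service -Name NTDS, DNS, Kdc | Format-Table Name, Status
```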
## Configuring Active Directory

- Open `Active Directory Users and Computers`.
- Create Organizational Units (OUs) for different departments.
- Right-click on the OU and select `New > User` to create user accounts.

There are better and more efficient ways to add objects in Active Directory. However, as this is a tutorial, we can create a new user `helpdesk` just as an example.
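One of those more efficient ways, as an added example that is not part of the original tutorial: the ActiveDirectory module on the domain controller creating the OUs and the `helpdesk` user. The OU names `IT`, `Sales` and `Workstations` are constructed for this lab.

```powershell
# Added example (not from the original page): create departmental OUs and the
# 'helpdesk' user from the tutorial with the ActiveDirectory module on the DC.
# The OU names IT, Sales and Workstations are constructed for this lab.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain -Identity "greenday.com").DistinguishedName   # DC=greenday,DC=com

# One OU per department plus one for domain-joined client PCs; idempotent so
# the script can be re-run without erroring on OUs that already exist.
foreach ($ou in "IT", "Sales", "Workstations") {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDn)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn -ProtectedFromAccidentalDeletion $true
    }
}

# The helpdesk user: UPN in the domain, password prompted rather than hard-coded,
# and a forced change at first logon. It is deliberately not a Domain Admin.
$initial = Read-Host -Prompt "Initial password for helpdesk" -AsSecureString
New-ADUser -Name "helpdesk" -SamAccountName "helpdesk" `
    -UserPrincipalName "helpdesk@greenday.com" `
    -Path "OU=IT,$domainDn" `
    -AccountPassword $initial -Enabled $true -ChangePasswordAtLogon $true

# Confirm where the object landed and that it is enabled.
Get-ADUser -Identity "helpdesk" | Select-Object SamAccountName, Enabled, DistinguishedName
```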
## Setting Up Client PC

- Start the `Client-PC` VM and boot from the ISO.
- Follow the installation prompts to install Windows 10.
- When choosing a version of Windows 10, choose `Windows 10 Pro`.
- Set up a local account.
- Log in to the client PC with the local account.
- Open File Explorer, right-click `This PC` and press `Properties`.
- In the first window, change the device name to `HOST-PC1`.
- Reboot the VM.
- After rebooting, go to `Settings > System > About` and click on `Join a domain`.
- Enter the domain name (in our example, we will use the domain name `greenday.com`).
- Provide the domain credentials (a user account; in our case we will use the admin credentials).
- Restart the client PC.
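The rename and domain join as one scripted step, added here as an example rather than taken from the tutorial. It runs in an elevated PowerShell on the client, assumes the adapter alias `Ethernet`, the constructed DC address 192.168.56.10, and a `Workstations` OU that already exists in `greenday.com`.

```powershell
# Added example (not from the original page): join the Windows 10 client to
# greenday.com from an elevated PowerShell on the client, naming it HOST-PC1
# and placing it in the constructed "Workstations" OU (assumed to exist).
# The DC address 192.168.56.10 is a constructed lab value.

# 1. The client must resolve the domain through the DC's DNS, not the host's.
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.56.10

# 2. Domain discovery only works on a Private network profile.
Get-NetConnectionProfile | Where-Object NetworkCategory -eq "Public" |
    Set-NetConnectionProfile -NetworkCategory Private

# 3. Fail early if no DC can be located, before touching the machine's identity.
if (-not (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.greenday.com" -Type SRV -ErrorAction SilentlyContinue)) {
    throw "No domain controller SRV record for greenday.com - check the DNS server setting."
}

# 4. Join with an account allowed to add computers (prompted, not stored),
#    renaming in the same call so only one reboot is needed.
$cred = Get-Credential -Message "Account allowed to join computers to GREENDAY"
Add-Computer -DomainName "greenday.com" -Credential $cred -NewName "HOST-PC1" `
    -OUPath "OU=Workstations,DC=greenday,DC=com" -Restart
```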
## Testing and Verification

- Log in to the client PC with a domain account.
- Open `Command Prompt` and run `ping DC-01` to ensure connectivity.
- On the client PC, select `Other user` on the login screen.
- Enter the domain credentials and log in.
- As you can see, our `HOST-PC1` has been successfully added to the domain.
## Troubleshooting

### Common Issues and Solutions

#### Issue: Unable to Join Domain

- Solution: Ensure the client PC can reach the domain controller. Check the following:
  - Network Connectivity: Verify that the client PC and the domain controller are on the same network or have proper routing between networks.
  - Firewall Settings: Ensure that the firewall on the domain controller is not blocking necessary ports (e.g., TCP/UDP 389 for LDAP, TCP 88 for Kerberos, TCP 445 for SMB).
  - Ping Test: From the client PC, ping the domain controller by its IP address and hostname to confirm connectivity.

#### Issue: DNS Issues

- Solution: Ensure the domain controller's IP address is set as the primary DNS server on the client PC. Additionally:
  - DNS Configuration: Verify that the DNS server is configured correctly and that the domain controller's A and SRV records are present in the DNS zone.
  - Flush DNS Cache: Run `ipconfig /flushdns` on the client PC to clear any cached DNS entries that might be outdated.

#### Issue: Time Synchronization Problems

- Solution: Ensure that the client PC's time is synchronized with the domain controller. Kerberos authentication is time-sensitive and requires the time difference to be within 5 minutes. Run the following on the client PC: `w32tm /resync`

#### Issue: Incorrect Domain Name

- Solution: Double-check the domain name being entered on the client PC. Ensure it matches the domain name configured on the domain controller. Use the fully qualified domain name (FQDN) when joining the domain.

#### Issue: Account Permissions

- Solution: Ensure the account being used to join the domain has sufficient permissions. The account should be a member of the Domain Admins group or have delegated permissions to join computers to the domain.

#### Issue: Active Directory Services Not Running

- Solution: Verify that all necessary Active Directory services are running on the domain controller. Check the status of the following services and start them if they are stopped:
  - Active Directory Domain Services
  - DNS Server
  - Kerberos Key Distribution Center

#### Issue: Computer Account Already Exists

- Solution: If the computer account already exists in Active Directory, it might need to be reset. On the domain controller, open `Active Directory Users and Computers`, find the computer account, right-click, and select `Reset Account`.

#### Issue: Group Policy Issues

- Solution: Ensure that Group Policy Objects (GPOs) are applied correctly:
  - Run gpupdate: On the client PC, run `gpupdate /force` to force a Group Policy update.
  - Check GPO Status: Use the `gpresult /r` command on the client PC to check the applied GPOs and identify any issues.

#### Issue: Network Location Awareness

- Solution: Ensure that the network location is set correctly on the client PC:
  - Private Network: The network connection should be set to Private (not Public) to allow proper domain discovery and communication.

#### Issue: IPv6 Configuration

- Solution: If IPv6 is enabled but not configured properly, it can cause issues:
  - Disable IPv6: Temporarily disable IPv6 on both the client PC and the domain controller to see if it resolves the issue. This can be done through the network adapter settings.

#### Issue: Duplicate SPN

- Solution: Service Principal Names (SPNs) must be unique in the domain. Duplicate SPNs can cause authentication issues:
  - Check for Duplicates: Use the `setspn -X` command on the domain controller to check for duplicate SPNs and resolve any found.
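The connectivity, firewall, DNS, time, network-location and secure-channel checks from the issues above, and the "Testing and Verification" ping, gathered into one client-side PowerShell script. This is an added example, not part of the tutorial; it assumes the DC answers to `DC-01` (the name the tutorial pings) in `greenday.com`.

```powershell
# Added example (not from the original page): run the checks from the
# troubleshooting list above from the client PC and report each as PASS/FAIL.
# Assumes the DC answers to DC-01 (the name the tutorial pings) in greenday.com.
$Domain = "greenday.com"
$Dc     = "DC-01"

function Test-Check([string]$Name, [scriptblock]$Check) {
    # Any exception (unreachable DC, machine not joined) counts as a failure.
    try { $ok = [bool](& $Check) } catch { $ok = $false }
    "{0,-4} {1}" -f $(if ($ok) { "PASS" } else { "FAIL" }), $Name
}

# Network connectivity and firewall: the ports a domain join needs must answer.
Test-Check "Ping $Dc" { Test-Connection -ComputerName $Dc -Count 1 -Quiet }
foreach ($port in 88, 389, 445) {
    Test-Check "TCP $port open on $Dc" {
        (Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}

# DNS: the client must use the DC as its DNS server and see the DC's SRV records.
Test-Check "DNS server list includes $Dc" {
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 | ForEach-Object ServerAddresses
    $dcIps   = (Resolve-DnsName -Name $Dc -Type A -ErrorAction Stop).IPAddress
    @($dcIps | Where-Object { $servers -contains $_ }).Count -gt 0
}
Test-Check "SRV record _ldap._tcp.dc._msdcs.$Domain" {
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
}

# Time: Kerberos rejects tickets when the clocks differ by more than 5 minutes.
Test-Check "Clock offset from $Dc under 5 minutes" {
    $sample = w32tm /stripchart /computer:$Dc /samples:1 /dataonly |
        Select-String -Pattern ',\s*([+-]?[\d.]+)s' | Select-Object -Last 1
    [math]::Abs([double]$sample.Matches[0].Groups[1].Value) -lt 300
}

# Network location: domain discovery needs a Private or DomainAuthenticated profile.
Test-Check "No adapter on a Public network profile" {
    -not (Get-NetConnectionProfile | Where-Object NetworkCategory -eq "Public")
}

# Secure channel: proves the computer account exists and its password is in sync.
Test-Check "Secure channel to $Domain intact" { Test-ComputerSecureChannel }
```

A FAIL on the secure-channel line with everything else passing points at the "Computer Account Already Exists" case, where resetting the account on the DC is the fix the tutorial gives.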
### Additional Tools for Troubleshooting

- Dcdiag: Run the `dcdiag` command on the domain controller to perform a comprehensive health check of the Active Directory domain.
- Event Viewer: Check the Event Viewer logs on both the domain controller and the client PC for any errors related to Active Directory, DNS, or networking.
- Netdom: Use the `netdom` command-line tool for domain management tasks, such as resetting a machine account password: `netdom resetpwd /s:server /ud:domain\User /pd:password`