Hello everyone!

I have always adopted the following philosophy:

You don’t have to know everything exactly but you have to know everything.

I try to learn about everything because I want to have at least an idea about everything. That is why, on this site, I share information on web security, reverse engineering, CTFs and systems. I don't master all of these topics; I'm just curious and investigating...

This series will be a practical penetration test of Active Directory. Active Directory is the directory service used on Microsoft networks; it stores all of the organization's objects, such as users, computers, locations and printers. If you follow this site, you know that I have always focused on practice, so I will not give much theoretical background in this series.

At the end of the article you will find links to theoretical information about Active Directory. In this first article of the series we will build our own Active Directory lab. The lab will be set up from the command line, and I will share the lab configs on GitHub.

Let’s start !

In our Active Directory lab:

  • A DC (Domain Controller) is a computer that establishes the domain structure and stores the database of every object in the domain. We will therefore need 1 DC.
  • We will add 1 ADC (Additional Domain Controller) to share the domain's workload. If the first DC crashes, work continues through the ADC: users can still log in and the services that depend on the directory are not affected.
  • 1 Client, from which we will perform the penetration test.

You can download the Windows Server 2019 and Windows 10 ISO files from the addresses below:

https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019?filetype=ISO

Windows Server 2019

https://www.microsoft.com/tr-tr/software-download/windows10ISO

Windows 10

MASTER19

We may need more than two servers in the future. We will therefore install one machine named MASTER19 and clone the other servers from it, which speeds up the installation process.

Figure – 1

We need to create our virtual network before installing the lab. In VMware, open Edit > Virtual Network Editor. Remember, the lab will live on its own private network, so set the network type to Host-only, and leave the DHCP option disabled (we will assign static addresses ourselves).

Figure – 2

Let's start the Windows Server 2019 installation by clicking New Virtual Machine on the File tab.

Figure – 3

The default user name is Administrator, and in lab builds like this one the password is usually something like Password1. In real life, please don't make such a mistake 🙂

Figure – 4

The important point here is that the network setting stays on NAT until the installation has finished. Otherwise the installation process will fail.

Figure – 5

As suggested, a 60 GB virtual disk will suffice.

Figure – 6
Figure – 7
Figure – 8
Figure – 9

When the virtual machine setup is finished, we can start the Windows Server setup. Open MASTER19 and apply the following items in order:

  1. Select Windows Server 2019 Standard Evaluation (Desktop Experience) and click next
  2. Select Custom: Install Windows Only (advanced) and click next
  3. Select Drive 0 Unallocated Space and click next
  4. The server installation starts.
Figure – 10

After the virtual machine restarts, enter the password you set earlier on the screen that appears.

Figure – 11

Installing one by one on several computers with the same hardware is slow and an unnecessary workload. Instead we clone the image, but every copy must come up with a different machine SID, a different computer name, fresh user and license information. We achieve this with Microsoft's "Sysprep" tool: it generalizes the image so that each clone runs first-boot setup on its own.
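As an added example (this is not from the original post or its GitHub configs), here is the generalize step from PowerShell on MASTER19, together with a check you can repeat on every clone. The machine-SID helper is mine; the only assumption is that the local Administrator account still has its default name.

```powershell
# Added example, not the post's own commands. Run in an elevated PowerShell on MASTER19
# once Windows is fully installed and before the VM is cloned.

# 1. Record the machine SID. The machine SID is the local Administrator's SID with its
#    fixed RID (-500) removed; note the value so you can compare it on each clone.
function Get-MachineSid {
    $adminSid = (Get-LocalUser -Name 'Administrator').SID.Value
    return $adminSid -replace '-500$', ''
}
Get-MachineSid      # something like S-1-5-21-<three numbers>, different on every install

# 2. Generalize and power off:
#    /generalize strips the SID and hardware-specific state,
#    /oobe makes the clone run the first-boot (OOBE) wizard,
#    /shutdown powers the VM off so it can be cloned in this state.
& "$env:SystemRoot\System32\Sysprep\sysprep.exe" /generalize /oobe /shutdown
```

After cloning, run Get-MachineSid on DC-MATRIX and on the other clones: each must show a different value from the one recorded on MASTER19. Keep MASTER19 itself shut down and always clone from it; /generalize can only be run a limited number of times on the same image, so do not keep re-generalizing a running copy.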

DC-MATRIX

To summarize the Domain Controller briefly:

  • The servers on which the Active Directory Domain Services role is installed and configured are called Domain Controllers.
  • Authentication of every user and computer hosted by Active Directory Domain Services is performed by a Domain Controller.
  • A domain has at least one DC and can have dozens as needed.

https://github.com/hebunilhanli/MATRIX.LOCAL/tree/master/DC-MATRIX

DC-MATRIX Setup
Figure – 12

Let's create our DC machine by cloning the pre-installed MASTER19 virtual machine.

NOTE: Don't forget to change the NID (Network ID): the clone's network adapter must sit on the host-only lab network, not on NAT.

Figure – 13

You can install the DC-MATRIX machine by following the steps above in order.

Let's start the configuration by opening Windows PowerShell!

Figure – 14

Let's start by finding the name of the network adapter from the command line. It is useful to rename the adapter to something memorable.

Command              Definition
Get-NetAdapter       Lists the network cards
Rename-NetAdapter    Changes the name of the NIC (Network Interface Card) physically installed on the server
  -Name              Existing name
  -NewName           New name to be given
Table For Figure – 14

Figure – 15

Then, since the Network ID is 131.201.89.0/24, we assign our IP address from this range. I gave the Türk Telekom resolver as the DNS server address for now. The lab environment is not reachable from outside; it is a private network. Note that 131.201.89.0/24 is not an RFC 1918 private range; it only works here because the host-only network never reaches the Internet. For your own lab, a range such as 10.x.x.x or 192.168.x.x avoids any clash with real addresses.

Command                      Definition
New-NetIPAddress             Defines an IP address
  -InterfaceAlias            Current name of the network card used
  -PrefixLength              Subnet mask as a prefix length (e.g. 255.255.255.0 = 24)
Set-DnsClientServerAddress   Sets the DNS server address
Table For Figure – 15
Figure – 16

Let's turn IPv6 off, since we have no IPv6-related configuration right now. To disable the protocol we first need to find its Component ID.

NOTE: The Component ID of IPv6 is ms_tcpip6.

Command                      Definition
Get-NetAdapterBinding        Lists the components (bindings) active on the network card
Disable-NetAdapterBinding    Disables a component
Table For Figure – 16

Rename-Computer -NewName 'DC-MATRIX' -Restart

Finally, with the command above, we rename the computer and restart it.
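The whole network step in one script, as an added example (not the post's own commands or its GitHub configs). It assumes VMware's default adapter name Ethernet0, the lab addressing from the text (DC-MATRIX = 131.201.89.2/24), and it points the DNS client straight at the DC's own address rather than at a public resolver, since that is where the post ends up anyway and the network is isolated.

```powershell
# Added example, not the post's own script. Elevated PowerShell on the cloned DC-MATRIX VM.
# Assumptions: adapter currently named 'Ethernet0' (VMware default); lab NID 131.201.89.0/24;
# this server gets 131.201.89.2.

$OldName = 'Ethernet0'
$NewName = 'LAB'
$DcIp    = '131.201.89.2'

# 1. Identify the NIC and give it a readable name
Get-NetAdapter | Format-Table Name, InterfaceDescription, Status, MacAddress
Rename-NetAdapter -Name $OldName -NewName $NewName

# 2. Static IPv4 address. No default gateway: the host-only network has nowhere to route to.
New-NetIPAddress -InterfaceAlias $NewName -IPAddress $DcIp -PrefixLength 24

# 3. DNS client. The post used a public resolver here and switched to 131.201.89.2 after the
#    DNS role was installed; on an isolated network the DC's own address can be set now.
Set-DnsClientServerAddress -InterfaceAlias $NewName -ServerAddresses $DcIp

# 4. Disable IPv6 on the adapter. Look the Component ID up instead of hard-coding it.
$ipv6 = Get-NetAdapterBinding -Name $NewName | Where-Object DisplayName -like '*IPv6*'
Disable-NetAdapterBinding -Name $NewName -ComponentID $ipv6.ComponentID    # ms_tcpip6

# 5. Verify before the reboot: one IPv4 address, IPv6 unbound
Get-NetIPAddress -InterfaceAlias $NewName -AddressFamily IPv4 | Select-Object IPAddress, PrefixLength
Get-NetAdapterBinding -Name $NewName -ComponentID ms_tcpip6 | Select-Object Name, Enabled

# 6. Rename the computer and restart
Rename-Computer -NewName 'DC-MATRIX' -Restart
```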

Figure – 17

Let's list the roles and features available on the server. According to the lab plan, we will install the Active Directory Domain Services role on this virtual machine.

Command                      Definition
Get-WindowsFeature           Lists roles and features with their install state
Install-WindowsFeature       Installs a role or feature
  AD-Domain-Services         The role we want to install
  -IncludeManagementTools    Also installs the administrative tools required for AD DS
Table For Figure – 17
Figure – 18

After the AD DS role installation completes, the ADDSDeployment module must be imported. Not every module is loaded by default (this keeps the server lean), so we import what we need. To turn this server into a domain controller we promote it: Install-ADDSForest creates a new forest named matrix.local, and the DNS role is installed together with AD DS. Before the promotion starts, you will be asked to set a Safe Mode password (the Directory Services Restore Mode administrator password).

Command                      Definition
Import-Module                Imports a PowerShell module
Install-ADDSForest           Creates a new Active Directory forest
  -CreateDnsDelegation       Creates a delegation for the domain in the parent DNS zone
  -DatabasePath              Folder that will contain the domain database (NTDS.dit)
  -DomainMode                Domain functional level of the first domain in the new forest
  -DomainName                Fully qualified domain name for the domain
  -DomainNetbiosName         NetBIOS name for the root domain of the new forest
  -ForestMode                Forest functional level of the new forest
  -InstallDns                Determines whether the DNS role is installed on the DC
  -LogPath                   Folder where the domain log files are saved
  -NoRebootOnCompletion      Do not reboot the computer when the command completes
  -SysvolPath                Path of the SYSVOL folder
  -Force                     Suppresses the confirmation prompt and warnings
Table For Figure – 18
Figure – 19

After you enter the password, the forest is created, and the server restarts once the promotion has finished.
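Role installation and promotion in one script, as an added example (not the post's own script or its GitHub configs). Assumptions not stated in the post: the NetBIOS name MATRIX, the default database/log/SYSVOL paths, and Windows Server 2016 functional levels (WinThreshold, the highest level Server 2019 offers).

```powershell
# Added example, not the post's own script. Elevated PowerShell on DC-MATRIX.
# Assumptions: forest/domain name matrix.local (from the post); NetBIOS name MATRIX,
# default paths and 2016 ('WinThreshold') functional levels are my choices.

# 1. Install the AD DS role with its management tools (ActiveDirectory module, DNS tools, ...)
Get-WindowsFeature -Name AD-Domain-Services, DNS | Format-Table Name, InstallState
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. The deployment cmdlets are not loaded automatically
Import-Module ADDSDeployment

# 3. DSRM (Safe Mode) password. Prompting keeps it out of the shell history and transcripts.
$dsrm = Read-Host -Prompt 'DSRM (Safe Mode) administrator password' -AsSecureString

# 4. Promote to the first DC of a new forest. -CreateDnsDelegation is $false because
#    matrix.local is the root of this private namespace: there is no parent zone to delegate from.
Install-ADDSForest `
    -DomainName 'matrix.local' `
    -DomainNetbiosName 'MATRIX' `
    -ForestMode 'WinThreshold' `
    -DomainMode 'WinThreshold' `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -NoRebootOnCompletion:$false `
    -Force:$true

# 5. After the reboot, logged in as the domain Administrator, confirm the promotion
Get-ADForest | Select-Object Name, ForestMode, DomainNamingMaster
Get-ADDomainController | Select-Object HostName, IPv4Address, IsGlobalCatalog, OperationMasterRoles
```

Step 5 runs only after the reboot; the first DC of a forest must show all five operations master roles and be a global catalog.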

Figure – 20

We need to create a primary reverse lookup zone on the DNS role we just installed. You can run the following commands quickly in PowerShell ISE.

Command                          Definition
Add-DnsServerPrimaryZone         Adds a primary zone to a DNS server
  -NetworkID                     Network ID and prefix length for a reverse lookup zone
  -ReplicationScope              The directory partition in which an Active Directory-integrated zone is stored
Add-DnsServerResourceRecordPtr   Adds a pointer (PTR) record to a DNS zone
  -Name                          Host part of the IP address (the last octet for a /24 zone)
  -ZoneName                      Name of the reverse lookup zone
  -ComputerName                  The DNS server to run the command against
  -PtrDomainName                 FQDN that the PTR record points to
Get-ADObject                     Gets an Active Directory object, or searches for several
  -Identity                      The object, given by distinguished name or objectGUID
New-ADReplicationSubnet          Creates a new Active Directory subnet object
  -Site                          The site the subnet is associated with
Table For Figure – 20
Figure – 21

When we query the IP address with nslookup, we see that our DC-MATRIX server now answers as the DNS server. Notice that the DNS client address we set at the beginning of the article (Türk Telekom) has been replaced by the promotion with the loopback address 127.0.0.1. Replace 127.0.0.1 with the server's own address, 131.201.89.2, which we assigned at the beginning.
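The DNS steps as one script, as an added example (not the post's own commands or its GitHub configs). It assumes the adapter alias LAB from the network step, the site Install-ADDSForest creates (Default-First-Site-Name), and the lab addressing from the text.

```powershell
# Added example, not the post's own script. Run on DC-MATRIX after promotion.
# Assumptions: NID 131.201.89.0/24, DC-MATRIX = 131.201.89.2, adapter alias 'LAB',
# site 'Default-First-Site-Name' (created by Install-ADDSForest, not renamed).

# 1. Reverse lookup zone for the lab subnet, AD-integrated and replicated to every DNS
#    server in the domain (ADC-MATRIX receives a copy once it hosts DNS).
Add-DnsServerPrimaryZone -NetworkID '131.201.89.0/24' -ReplicationScope 'Domain'

# 2. PTR record for the DC itself. For 131.201.89.0/24 the zone is 89.201.131.in-addr.arpa
#    and -Name is the host octet.
Add-DnsServerResourceRecordPtr -Name '2' -ZoneName '89.201.131.in-addr.arpa' `
    -ComputerName 'DC-MATRIX' -PtrDomainName 'DC-MATRIX.matrix.local'

# 3. Map the subnet to the site so domain members locate a DC in their own site by IP.
#    Get-ADObject fails loudly if the site does not exist under that name.
$cfg  = (Get-ADRootDSE).configurationNamingContext
$site = Get-ADObject -Identity "CN=Default-First-Site-Name,CN=Sites,$cfg"
New-ADReplicationSubnet -Name '131.201.89.0/24' -Site $site.Name

# 4. The promotion set the DNS client to 127.0.0.1; use the real address instead
Set-DnsClientServerAddress -InterfaceAlias 'LAB' -ServerAddresses '131.201.89.2'

# 5. Checks: forward, reverse, and the SRV record every domain member uses to find a DC
Resolve-DnsName -Name 'DC-MATRIX.matrix.local' -Server 131.201.89.2
Resolve-DnsName -Name '131.201.89.2' -Type PTR -Server 131.201.89.2
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.matrix.local' -Type SRV -Server 131.201.89.2
```

If the SRV query in step 5 fails, no computer will be able to join the domain, however correct the rest of the configuration is; fix DNS before moving on to ADC-MATRIX.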

After completing the DNS setup, we can add users to the AD structure with PowerShell ISE.

Figure – 22

Let's create an Organizational Unit (Nebuchadnezzar) in which we can hold objects such as users, computers, printers and groups. Since OUs are hierarchical, I added further OUs inside it (Captains and Operators). Then I add users and groups to these OUs and put the users into the groups. Finally I create a main group and make the other groups members of it.

You may be confused; not a problem. You can see the hierarchy I created in the chart below.

Figure – 23
Command                      Definition
New-ADOrganizationalUnit     Creates an Active Directory organizational unit (OU)
  -Path                      Path of the OU or container in which the new object is created
New-ADUser                   Creates an Active Directory user
  -UserPrincipalName         UPN in the format <user>@<DNS-domain-name>
  -AsSecureString            Produces the password as a secure string (used for -AccountPassword)
New-ADGroup                  Creates an Active Directory group object
  -GroupScope                Scope of the group: DomainLocal, Global or Universal
Add-ADGroupMember            Adds members to an Active Directory group
  -Members                   An array of user, group and computer objects
Table For Figure – 22
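The OU, user and group hierarchy as a script, as an added example (not the post's own script or its GitHub configs). The OU and group names are the post's; the two user names and the lab password are made up here.

```powershell
# Added example, not the post's own script. Run on DC-MATRIX (or any host with the RSAT
# ActiveDirectory module). Assumptions: domain matrix.local; OU/group names from the post;
# the users 'morpheus' and 'tank' and the password are made up for this example.

Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName          # DC=matrix,DC=local

# 1. OU hierarchy: Nebuchadnezzar, with Captains and Operators inside it.
#    Protection from accidental deletion stays on (the default), so a stray
#    Remove-ADOrganizationalUnit fails instead of taking the users with it.
New-ADOrganizationalUnit -Name 'Nebuchadnezzar' -Path $domainDn
$shipOu = "OU=Nebuchadnezzar,$domainDn"
New-ADOrganizationalUnit -Name 'Captains'  -Path $shipOu
New-ADOrganizationalUnit -Name 'Operators' -Path $shipOu

# 2. Users. Lab-only password; never put a real password in a script.
$labPassword = ConvertTo-SecureString 'Password1' -AsPlainText -Force
$users = @(
    @{ Name = 'Morpheus'; Sam = 'morpheus'; Ou = "OU=Captains,$shipOu"  },
    @{ Name = 'Tank';     Sam = 'tank';     Ou = "OU=Operators,$shipOu" }
)
foreach ($u in $users) {
    New-ADUser -Name $u.Name -SamAccountName $u.Sam `
        -UserPrincipalName "$($u.Sam)@matrix.local" -Path $u.Ou `
        -AccountPassword $labPassword -Enabled $true -ChangePasswordAtLogon $false
}

# 3. Groups in their OUs, then membership. Global scope: members from this domain,
#    usable in ACLs anywhere in the forest.
New-ADGroup -Name 'Captains'  -GroupScope Global -GroupCategory Security -Path "OU=Captains,$shipOu"
New-ADGroup -Name 'Operators' -GroupScope Global -GroupCategory Security -Path "OU=Operators,$shipOu"
Add-ADGroupMember -Identity 'Captains'  -Members 'morpheus'
Add-ADGroupMember -Identity 'Operators' -Members 'tank'

# 4. The main group, with the other groups nested inside it
New-ADGroup -Name 'Crew' -GroupScope Global -GroupCategory Security -Path $shipOu
Add-ADGroupMember -Identity 'Crew' -Members 'Captains', 'Operators'

# 5. Check: -Recursive expands the nesting to the users who actually inherit Crew's rights
Get-ADGroupMember -Identity 'Crew' -Recursive | Select-Object Name, SamAccountName
```

The recursive check in step 5 is the one that matters for a pentest later: a permission granted to Crew reaches morpheus and tank even though neither is a direct member.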

Yes guys, the installation of the DC-MATRIX machine is now complete. Next we need to install the ADC-MATRIX machine.

Come on, don’t stop!

ADC-MATRIX

Additional Domain Controllers are secondary servers configured to provide redundancy and spread the load. For example, if the DC crashes, the ADC takes over and operations in the Active Directory structure continue without problems.

We can start the installation. Let's create our virtual machine by following the items below:

https://github.com/hebunilhanli/MATRIX.LOCAL/tree/master/ADC-MATRIX

ADC-MATRIX Setup
Figure – 24

Network configuration. Remember, we now have a DNS server in our AD structure, so we give the IP address of DC-MATRIX as the DNS server address.

Figure – 25

We will use the domain's Administrator account (the one created on DC-MATRIX) to join this server to the domain.

Command                      Definition
Add-Computer                 Adds the local computer or remote computers to a domain or workgroup
  -Credential                A user account that has permission to join computers to the domain
Figure – 26

After the computer restarts, click Other user and enter the user name you see on the screen. Attention! The Administrator used here is the domain account, not the local one.

Figure – 27

Let's use nslookup to check that name resolution goes through DC-MATRIX and that we joined the domain without any problems.

Figure – 28

Run the following PowerShell command to add the Additional Domain Controller. As before, the command asks you to set a Safe Mode (DSRM) password. By the way, it does not have to be the same as the one on DC-MATRIX.

Command                        Definition
Install-ADDSDomainController   Installs a domain controller in an existing Active Directory domain
  -CreateDnsDelegation         Creates a delegation for the domain in the parent DNS zone
  -DatabasePath                Folder that will contain the domain database (NTDS.dit)
  -DomainName                  Fully qualified domain name of the domain
  -InstallDns                  Determines whether the DNS role is installed on the DC
  -LogPath                     Folder where the domain log files are saved
  -NoGlobalCatalog             Specifies that the DC will not hold a global catalog replica (pass :$false to keep one)
  -SiteName                    Existing site in which the new domain controller is placed
  -SysvolPath                  Path of the SYSVOL folder
  -NoRebootOnCompletion        Do not reboot the computer when the command completes
  -Force                       Suppresses the confirmation prompt and warnings
Table For Figure – 28
Figure – 29

After the computer restarts, you can see that ADC-MATRIX has also taken on the DNS role. The configuration of our servers is now complete. Let's move on to the installation of the CLIENT-MATRIX machine.
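The ADC build as one script, as an added example (not the post's own script or its GitHub configs). The post does not give the ADC's address, the NetBIOS domain name or the site name, so 131.201.89.3, MATRIX and Default-First-Site-Name are assumptions here, as is VMware's default adapter name.

```powershell
# Added example, not the post's own script. Two phases on the cloned ADC-MATRIX VM with a
# reboot between them. Assumptions not stated in the post: ADC-MATRIX = 131.201.89.3/24
# (.2 is DC-MATRIX, .4 the client), adapter 'Ethernet0', NetBIOS domain MATRIX, and the
# site created by Install-ADDSForest, Default-First-Site-Name.

# --- Phase 1: addressing, DNS client = DC-MATRIX, join the domain, reboot ---
Rename-NetAdapter -Name 'Ethernet0' -NewName 'LAB'
New-NetIPAddress -InterfaceAlias 'LAB' -IPAddress '131.201.89.3' -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias 'LAB' -ServerAddresses '131.201.89.2'

# A join needs the DC locator SRV records; prove they resolve via DC-MATRIX first
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.matrix.local' -Type SRV -Server 131.201.89.2

$cred = Get-Credential -UserName 'MATRIX\Administrator' -Message 'Domain Administrator'
Add-Computer -DomainName 'matrix.local' -NewName 'ADC-MATRIX' -Credential $cred -Restart

# --- Phase 2: after the reboot, logged in as the domain Administrator, promote ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
$dsrm = Read-Host -Prompt 'DSRM (Safe Mode) password for ADC-MATRIX' -AsSecureString

# -NoGlobalCatalog:$false keeps a global catalog replica on the ADC. Without one, logons
# still depend on DC-MATRIX's catalog, which defeats the point of the redundancy.
Install-ADDSDomainController `
    -DomainName 'matrix.local' `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -NoGlobalCatalog:$false `
    -SiteName 'Default-First-Site-Name' `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -NoRebootOnCompletion:$false `
    -Force:$true

# --- Checks after the final reboot, from either DC ---
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, IsGlobalCatalog, Site
repadmin /replsummary                       # zero failures once the two DCs have replicated
Get-DnsServerZone -ComputerName 'ADC-MATRIX' | Select-Object ZoneName, IsDsIntegrated
```

The last check shows matrix.local and the reverse zone on ADC-MATRIX as AD-integrated zones: that is the "ADC-MATRIX also takes the DNS role" result from the figure, obtained through replication rather than by creating the zones again. A good habit once both DCs exist is to point each DC's DNS client at its partner first and at itself second.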

CLIENT-MATRIX

You can follow the sequence below to perform the installation:

https://github.com/hebunilhanli/MATRIX.LOCAL/tree/master/CLIENT-MATRIX

CLIENT-MATRIX Setup
Figure – 30

Now we configure the Windows 10 machine. I gave it the address ending in ".89.4" (131.201.89.4) because the domain's NID is 131.201.89.0/24.

Figure – 31

The step done here joins the computer to our domain. The most common misunderstanding is that only a Domain Admin can join computers. WRONG! By default any authenticated domain user can join computers to the domain: the domain attribute ms-DS-MachineAccountQuota defaults to 10, which lets every user create up to ten computer accounts. After the credentials are accepted, restart the computer.
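The client join, done deliberately with an ordinary domain user, plus the check on the DC that explains why it works, as an added example (not the post's own commands or its GitHub configs). The client address comes from the text; the adapter name, the NetBIOS domain name MATRIX and the standard user 'tank' are assumptions.

```powershell
# Added example, not the post's own script. Assumptions: client = 131.201.89.4/24 (from the
# post), DC-MATRIX = 131.201.89.2, adapter 'Ethernet0' on a fresh Windows 10 VM, NetBIOS
# domain MATRIX, and a made-up standard domain user 'tank' with no admin rights.

# --- On CLIENT-MATRIX (elevated PowerShell): static address, DNS = the DC, join, reboot ---
New-NetIPAddress -InterfaceAlias 'Ethernet0' -IPAddress '131.201.89.4' -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet0' -ServerAddresses '131.201.89.2'

# Join with a plain domain user, not Domain Admin, to demonstrate the point in the text
$cred = Get-Credential -UserName 'MATRIX\tank' -Message 'Any authenticated domain user'
Add-Computer -DomainName 'matrix.local' -NewName 'CLIENT-MATRIX' -Credential $cred -Restart

# --- On DC-MATRIX: why that worked, and how to close it down outside a lab ---
# ms-DS-MachineAccountQuota (default 10) lets every authenticated user create that many
# computer accounts without any delegated permission.
$dom = Get-ADDomain
Get-ADObject -Identity $dom.DistinguishedName -Properties 'ms-DS-MachineAccountQuota' |
    Select-Object -ExpandProperty 'ms-DS-MachineAccountQuota'

# Computer accounts created through the quota carry the creator's SID in mS-DS-CreatorSID;
# accounts created by someone with explicit Create Child rights do not. Listing them shows
# which machines non-admins brought into the domain.
Get-ADComputer -Filter * -Properties mS-DS-CreatorSID |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    Select-Object Name, @{ n = 'Creator'; e = { $_.'mS-DS-CreatorSID'.Translate([System.Security.Principal.NTAccount]) } }

# Hardening for a real environment (leave the lab as it is): set the quota to 0 and delegate
# the join right explicitly to the accounts that need it.
# Set-ADDomain -Identity $dom.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

After the client's reboot, the listing on DC-MATRIX should show CLIENT-MATRIX with MATRIX\tank as its creator; the ADC, joined by the Administrator, does not appear in it.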

Figure – 32

It's time to use the users we created for the domain. Click Other user at the bottom left and log in with one of them.

Figure – 33

And now our lab is ready: the DC, ADC and CLIENT computers are all in place. With this lab we will learn many tools for pentesting an AD structure.

See you in the next article…

References:

https://docs.microsoft.com/en-us/powershell/module/addsadministration/?view=win10-ps

For Active Directory Modules

https://medium.com/three-arrows-security/active-directory-penetrasyon-testleri-ad-penetrasyon-lab-ortam%C4%B1-kurulumu-1-91ed69febae7


https://scriptdotsh.com/index.php/2018/06/09/active-directory-penetration-dojo-setup-of-ad-penetration-lab-part-1/

For Active Directory Installation

https://adsecurity.org/?page_id=4031

For Active Directory Security
