Build a Hacker-Proof Active Directory Lab in Hyper-V: A Step-by-Step Cyber Range Guide + Video

Introduction:

Active Directory (AD) remains the backbone of enterprise identity and access management, yet many IT and cybersecurity professionals only grasp theory without ever building a domain from scratch. Creating a virtual lab with Windows Server 2025, Windows 11, and core services like DNS, DHCP, and Group Policy transforms abstract concepts into practical, defensive skills essential for SOC analysts, system admins, and penetration testers.

Learning Objectives:

  • Deploy a fully isolated virtual Active Directory environment using Hyper-V on a Windows workstation.
  • Configure and integrate AD Domain Services, DNS, DHCP, OUs, and Group Policy Objects (GPOs) through step-by-step command-line and GUI methods.
  • Apply security hardening techniques and simulate common AD attack paths to understand mitigation strategies.

You Should Know:

1. Setting Up Hyper‑V and Virtual Switches

A virtual lab requires network isolation to avoid interfering with your host network. Hyper‑V’s Default Switch provides NAT through the host, whereas an internal switch (reachable by the VMs and the host only) or a private switch (VMs only) keeps lab traffic off the physical network. This step ensures your domain controllers and clients can communicate without leaking traffic.

  • Enable Hyper‑V (Windows 10/11 Pro/Enterprise):
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
    
  • Create an internal virtual switch (isolated lab network):
    New-VMSwitch -Name "ADLabSwitch" -SwitchType Internal
    
  • Verify the switch: `Get-VMSwitch`
    – Assign IP addressing later via DHCP on the Domain Controller.

2. Deploying Windows Server 2025 as a Domain Controller

The first server in your lab becomes the forest root domain controller. Installing AD DS, promoting the server, and configuring DNS sets the foundation for all other lab machines.

  • Create a new VM with Windows Server 2025 (2 vCPUs, 4GB RAM, 60GB disk). Attach the VM to ADLabSwitch.
  • Inside the Server VM, set a static IP (e.g., 192.168.10.10/24) and DNS to itself:
    netsh interface ip set address "Ethernet" static 192.168.10.10 255.255.255.0
    netsh interface ip set dns "Ethernet" static 192.168.10.10
    
  • Install AD DS role and promote:
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    Import-Module ADDSDeployment
    Install-ADDSForest -DomainName "lab.local" -DomainNetbiosName "LAB" -SafeModeAdministratorPassword (ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force) -Force
    
  • Reboot and verify with Get-ADDomain.

3. Configuring DNS and DHCP Services

DNS is critical for AD discovery; DHCP automates IP assignment for client VMs. Proper configuration ensures that Windows 11 clients can locate the domain controller and obtain addresses dynamically.

  • DNS is automatically installed with AD DS. Verify forward lookup zone `lab.local` and reverse lookup zone.
  • Install DHCP on the same server:
    Install-WindowsFeature DHCP -IncludeManagementTools
    Add-DhcpServerV4Scope -Name "LabScope" -StartRange 192.168.10.50 -EndRange 192.168.10.200 -SubnetMask 255.255.255.0
    Set-DhcpServerV4OptionValue -ScopeId 192.168.10.0 -DnsServer 192.168.10.10 -DnsDomain lab.local
    
  • Authorize the DHCP server (this assumes the domain controller's hostname is DC01): `Add-DhcpServerInDC -DnsName "DC01.lab.local" -IPAddress 192.168.10.10`

4. Joining Windows 11 Client to the Domain

A domain-joined client allows you to test GPOs, authentication, and lateral movement scenarios. This step simulates a real workstation in an enterprise environment.

  • Deploy a Windows 11 VM on the same ADLabSwitch. Set its network adapter to DHCP (auto‑obtain).
  • From the Windows 11 client, test DNS resolution: `nslookup dc01.lab.local`
  • Join the domain via PowerShell (run as administrator):
    Add-Computer -DomainName "lab.local" -Credential (Get-Credential "LAB\Administrator") -Restart
    
  • After reboot, log in with a domain account (LAB\username). Verify with `whoami /fqdn`, which only succeeds for a domain user.

5. Creating Organizational Units and Managing Group Policy

OUs help structure users and computers; GPOs enforce security settings like password policies, software restrictions, or Windows firewall rules. This lab skill is essential for any identity and access management role.

  • Create an OU structure:
    New-ADOrganizationalUnit -Name "CORP" -Path "DC=lab,DC=local"
    New-ADOrganizationalUnit -Name "WORKSTATIONS" -Path "OU=CORP,DC=lab,DC=local"
    New-ADOrganizationalUnit -Name "USERS" -Path "OU=CORP,DC=lab,DC=local"
    
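  • Create a GPO to enforce a custom screen lock timeout (a per-user HKCU setting, so it reaches users only where the GPO is linked to an OU containing user accounts or loopback processing is enabled):
    # WORKSTATIONS was created under CORP, so its distinguished name includes OU=CORP.
    New-GPO -Name "LockoutPolicy" | New-GPLink -Target "OU=WORKSTATIONS,OU=CORP,DC=lab,DC=local"
    # The screen saver timeout policy is stored as a string (REG_SZ), in seconds.
    Set-GPRegistryValue -Name "LockoutPolicy" -Key "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop" -ValueName "ScreenSaveTimeOut" -Type String -Value "900"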
    
  • Force update on client: `gpupdate /force`

6. Simulating Attacks and Defenses in the AD Lab

A realistic AD lab isn’t just for configuration; it’s a cyber range to practice detection and response. This section shows how to simulate common attacks (e.g., Kerberoasting, Pass‑the‑Hash) and apply mitigations.

  • Simulate a simple enumeration (from a Linux attacker VM on the same switch):
    enum4linux -U -S 192.168.10.10
    
  • Mitigate by disabling SMBv1, enforcing SMB signing, and using the Protected Users group.
  • Enable advanced audit logging on the Domain Controller:
    auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
    
  • Monitor Event ID 4769 for suspicious ticket requests.
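
One way to triage the 4769 events enabled above, as an added example rather than code from the original guide: it flags requesters that obtain RC4 (0x17) service tickets for several distinct user-backed service accounts, a common Kerberoasting indicator. The function names, threshold and sample records are assumptions constructed for illustration.

```powershell
function ConvertFrom-Event4769 {
    # Flatten a Get-WinEvent record using the named EventData fields of event 4769.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $d = @{}
        ([xml]$Record.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Account = $d['TargetUserName']; Service = $d['ServiceName']
            EncType = $d['TicketEncryptionType']; Client = $d['IpAddress']
        }
    }
}

function Find-SuspiciousTicketRequest {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $Threshold = 3   # assumption: distinct services per requester; tune to your baseline
    )
    $Records |
        Where-Object {
            # RC4-HMAC tickets for user-backed services; skip computer accounts and krbtgt
            $_.EncType -eq '0x17' -and $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt'
        } |
        Group-Object Account, Client |
        ForEach-Object {
            $services = @($_.Group.Service | Sort-Object -Unique)
            if ($services.Count -ge $Threshold) {
                [pscustomobject]@{
                    Account  = $_.Group[0].Account
                    Client   = $_.Group[0].Client
                    Services = $services -join ', '
                }
            }
        }
}

# Constructed sample records (accounts and service names are made up for the lab).
$sample = @(
    [pscustomobject]@{ Account='alice@LAB.LOCAL'; Service='DC01$';    EncType='0x12'; Client='::ffff:192.168.10.51' }
    [pscustomobject]@{ Account='bob@LAB.LOCAL';   Service='svc_sql';  EncType='0x17'; Client='::ffff:192.168.10.60' }
    [pscustomobject]@{ Account='bob@LAB.LOCAL';   Service='svc_web';  EncType='0x17'; Client='::ffff:192.168.10.60' }
    [pscustomobject]@{ Account='bob@LAB.LOCAL';   Service='svc_bkup'; EncType='0x17'; Client='::ffff:192.168.10.60' }
    [pscustomobject]@{ Account='carol@LAB.LOCAL'; Service='svc_sql';  EncType='0x12'; Client='::ffff:192.168.10.52' }
)
Find-SuspiciousTicketRequest -Records $sample

# On the domain controller, feed live events instead:
# $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | ConvertFrom-Event4769
# Find-SuspiciousTicketRequest -Records $live
```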

7. Hardening Active Directory Security

Many breaches stem from misconfigured AD permissions or weak password policies. Hardening commands reduce the attack surface and prepare you for real-world security baselines.

  • Set fine‑grained password policy:
    New-ADFineGrainedPasswordPolicy -Name "HighSecurity" -Precedence 1 -MinPasswordLength 14 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -LockoutThreshold 5
    Add-ADFineGrainedPasswordPolicySubject -Identity "HighSecurity" -Subjects "CN=Domain Admins,CN=Users,DC=lab,DC=local"
    
  • Disable NTLMv1:
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 5 -PropertyType DWord -Force
    
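  • Enable Windows Defender Credential Guard on the Windows 11 client (requires reboot; Microsoft does not recommend enabling it on domain controllers):
    # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v RequirePlatformSecurityFeatures /t REG_DWORD /d 1 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /t REG_DWORD /d 1 /f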
    

What Undercode Say:

  • Key Takeaway 1: Building an Active Directory lab from scratch is the single most effective way to transition from theoretical knowledge to practical system administration and cybersecurity skills.
  • Key Takeaway 2: Hyper‑V and PowerShell automation allow you to script the entire lab deployment, enabling repeatable blue team exercises and safe attack simulations.

The real value of this lab lies not in memorising GUI steps but in understanding how DNS failures break domain joins, how misconfigured GPOs can lock out all users, and how a simple unpatched vulnerability in AD might lead to full domain compromise. By replicating a production‑like environment on your own machine, you gain the confidence to troubleshoot, harden, and defend real Windows networks. The commands provided – from `Install-ADDSForest` to `auditpol` – mirror what works in enterprise settings, making this lab a portable training ground for both SOC analysts and aspiring red teamers.

Prediction:

As hybrid and cloud‑joined identities (Entra ID) become dominant, on‑premises Active Directory will not disappear but will instead serve as the authoritative source for legacy applications and internal trust anchors. Hands‑on AD lab skills will merge with cloud skills – expect future labs to include hybrid Azure AD Connect, Seamless SSO, and Defender for Identity sensors. Cybersecurity professionals who master virtual AD environments today will lead the shift toward unified identity security across on‑prem and cloud, making labs like this a permanent fixture in technical training and certification paths.

Reported By: Firdevs Balaban – Hackers Feeds