# Preparing AD Infrastructure in Azure

## Setting up Domain Controller in Azure

### Resource Group Setup

Search for and select `Resource groups`. On the `Resource groups` page, select `Create`.

![[Pasted image 20250426093529.png]]

Select a `Subscription`, `Resource group name`, and `Region`, then select `Review + create`.

![[Pasted image 20250426094025.png]]

Select `Create`.

![[Pasted image 20250426094059.png]]

### Virtual Network and Subnet Setup

Search for and select `Virtual networks`, then select `Create`.

![[Pasted image 20250426095208.png]]

Select a `Subscription`, `Resource group`, `Virtual network name`, and `Region`, then select `Review + create`. Both VMs will be placed in this VNet so they can reach each other over their private addresses.

![[Pasted image 20250426095639.png]]

Then select `Create`.

![[Pasted image 20250426095803.png]]

### Creating the Domain Controller Virtual Machine

On the `Virtual machines` page, select `Create`.

![[Pasted image 20250426095955.png]]

Select a `Subscription`, `Resource group`, `Virtual machine name`, and `Region` (the same region as your virtual network).
![[Pasted image 20250426100159.png]]

Select the `Windows Server 2022 Datacenter` image, then select any size that has at least 2 vCPUs.

![[Pasted image 20250426100721.png]]

Set a `Username` and `Password`, then select `Next : Disks >`.

![[Pasted image 20250426100926.png]]

Select `Next : Networking >`.

![[Pasted image 20250426101007.png]]

Put the virtual machine in the `Active-Directory-Vnet`, then press `Review + create`.

![[Pasted image 20250426235554.png]]

Select `Create`.

![[Pasted image 20250426235730.png]]

### Set Domain Controller's NIC IP to static

The domain controller will also be the DNS server that client-1 points at, so its private address must never change.

On the `Virtual machines` page, select `dc-1`.

![[Pasted image 20250427001202.png]]

Expand `Networking`, then go to `Network settings > Network Interface`.

![[Pasted image 20250427001409.png]]

Select `ipconfig`.

![[Pasted image 20250427001454.png]]

Select `Static`, then `Save`.

![[Pasted image 20250427001544.png]]

### Disabling firewall on domain controller (to test connectivity)

This is done only so the ping from client-1 later in the lab gets a reply; a fresh Windows install drops inbound ICMP echo requests. The DC has a public IP with RDP reachable on it, so do not leave the firewall off outside a throwaway lab.

On the `Virtual machines` page, copy the domain controller's public IPv4 address.

![[Pasted image 20250427001754.png]]

Log in to the domain controller using Remote Desktop.

![[Pasted image 20250427003950.png]]

Right-click the Start menu, then click `Run`.

![[Pasted image 20250427004151.png]]

Type `wf.msc` and press `OK` to open `Windows Defender Firewall with Advanced Security`.

![[Pasted image 20250427004247.png]]

Select `Windows Defender Firewall Properties`.

![[Pasted image 20250427004403.png]]

Set the firewall state to `Off` on each profile tab (Domain, Private, Public).

![[Pasted image 20250427004517.png]]

## Setting up Domain Client-1 in Azure

On the `Virtual machines` page, select `Create`.

![[Pasted image 20250426095955.png]]

Select a `Subscription`, `Resource group`, `Virtual machine name`, and `Region` (the same region as your virtual network).
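Before continuing with client-1, here is the network plumbing of this section and the next done from PowerShell rather than the portal and the firewall dialog. This is an added example, not part of the original lab notes: part 1 runs on dc-1 in an elevated PowerShell and keeps the firewall on while still letting the ping test pass; part 2 runs from any machine with the Az module after `Connect-AzAccount` and pins dc-1's private IP, points client-1's DNS at it, and narrows who can reach RDP on dc-1's public IP. The resource group, NIC and NSG names, the VNet range and the admin source IP are assumptions; check yours in the portal and replace them.

```powershell
# Added example, not part of the original lab notes. Part 1 runs on dc-1 in an
# elevated PowerShell; part 2 runs from a workstation with the Az module after
# Connect-AzAccount. Resource names and address ranges are assumptions.

# ---------- Part 1 (dc-1): scoped firewall rule instead of "firewall off" ----------
$vnetRange = '10.0.0.0/16'     # assumed address space of Active-Directory-Vnet

# This is what the "turn the firewall off" step in the notes does; shown only
# for contrast and deliberately commented out.
# Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False

# Let the ping test succeed without dropping the whole firewall: allow ICMPv4
# echo requests (type 8) only from addresses inside the VNet.
New-NetFirewallRule -DisplayName 'Lab: ICMPv4 echo from VNet' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $vnetRange -Action Allow -Profile Any | Out-Null

# The AD DS role installs its own DNS, LDAP and Kerberos rules when dc-1 is
# promoted, so nothing else needs to be opened for client-1 to join.
Get-NetFirewallProfile | Select-Object Name, Enabled      # all three should still be True

# ---------- Part 2 (Az PowerShell): static DC address, client DNS, RDP exposure ----------
$rg = 'Active-Directory-Lab'                              # assumed resource group name

# Pin dc-1's private address (same as choosing "Static" in the ipconfig blade).
$dcNic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'dc-1-nic'     # assumed NIC name
$dcNic.IpConfigurations[0].PrivateIpAllocationMethod = 'Static'
$dcNic = $dcNic | Set-AzNetworkInterface
$dcIp  = $dcNic.IpConfigurations[0].PrivateIpAddress

# Point client-1 at dc-1 for DNS (same as "Custom" in the DNS servers blade).
# The guest only picks this up after the VM restarts.
$clNic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'client-1-nic' # assumed NIC name
$clNic.DnsSettings.DnsServers.Clear()
$clNic.DnsSettings.DnsServers.Add($dcIp)
$clNic | Set-AzNetworkInterface | Out-Null

# The portal's default inbound rule lets any internet address reach RDP on
# dc-1's public IP. Replace it with a rule limited to your own address.
$myIp = '203.0.113.10'                                     # assumed admin source IP
$nsg  = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'dc-1-nsg'  # assumed NSG name
# 'RDP' is the assumed name of the rule the portal created for port 3389.
$nsg | Remove-AzNetworkSecurityRuleConfig -Name 'RDP' |
    Add-AzNetworkSecurityRuleConfig -Name 'RDP-from-admin-only' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix "$myIp/32" -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389 |
    Set-AzNetworkSecurityGroup | Out-Null
```

The firewall rule is the check to keep in mind for the rest of the lab: once dc-1 is promoted, the role's own rules cover DNS, LDAP and Kerberos, so a ping reply is the only thing the "firewall off" step actually buys you.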
![[Pasted image 20250427000056.png]]

Select the `Windows 10 Pro` image, then select any size that has at least 2 vCPUs.

![[Pasted image 20250427000217.png]]

Set a `Username` and `Password`, accept the license agreement, then select `Next : Disks >`.

![[Pasted image 20250427000302.png]]

Select `Next : Networking >`.

![[Pasted image 20250426101007.png]]

Put the virtual machine in the `Active-Directory-Vnet`, then press `Review + create`.

![[Pasted image 20250427000600.png]]

Select `Create`.

### Set Client-1 DNS settings to DC-1 private IP address

Copy dc-1's private IPv4 address.

![[Pasted image 20250427004739.png]]

On `client-1`, select `Networking > Network settings > Network Interface`.

![[Pasted image 20250427004902.png]]

Select `DNS servers`.

![[Pasted image 20250427005001.png]]

Select `Custom`, fill in dc-1's private IPv4 address, then select `Save`.

![[Pasted image 20250427005209.png]]

### Restart client-1

Restart `client-1` so the guest picks up the new DNS server.

![[Pasted image 20250427005322.png]]

### Login to client-1 and ping dc-1

Using Remote Desktop, I logged into client-1, opened PowerShell, and pinged dc-1's private IP address.

![[Pasted image 20250427010513.png]]

Run `ipconfig /all` to make sure the `DNS Servers` entry is dc-1's private IPv4 address.

![[Pasted image 20250427010726.png]]

# Deploying Active Directory

## Installing Active Directory

On the `Server Manager > Dashboard`, select `Add roles and features`.

![[Pasted image 20250427022114.png]]

Select `Next` until you reach `Server Roles`. On `Server Roles`, check `Active Directory Domain Services`.

![[Pasted image 20250427022245.png]]

![[Pasted image 20250427022312.png]]

Select `Next`.

![[Pasted image 20250427022342.png]]

Select `Next` until you reach `Confirmation`, then select `Install`.

![[Pasted image 20250427022455.png]]

![[Pasted image 20250427022510.png]]

## Make dc-1 the domain controller

Click the flag in the top right-hand corner, then click `Promote this server to a domain controller`.

![[Pasted image 20250427023128.png]]

Select `Add a new forest`, enter your `Root domain name`, then select `Next`.

![[Pasted image 20250427023252.png]]

Create a `DSRM` password, then select `Next`. This is the Directory Services Restore Mode password: it is not a domain account, it is only used to boot the DC into offline recovery, and it should be recorded somewhere safe.

![[Pasted image 20250427023356.png]]

Select `Next`.

![[Pasted image 20250427023510.png]]

Select `Next`.

![[Pasted image 20250427023545.png]]

Select `Next`.

![[Pasted image 20250427023611.png]]

Select `Next`.

![[Pasted image 20250427023635.png]]

Select `Install`.

![[Pasted image 20250427023719.png]]

![[Pasted image 20250427023745.png]]

dc-1 should restart automatically.

![[Pasted image 20250427023816.png]]

Log back in to `danquezdomain.com` as `labuser`.

![[Pasted image 20250427024341.png]]

The restart and first logon can take 1-5 minutes.

![[Pasted image 20250427024406.png]]

![[Pasted image 20250427024510.png]]

## Create Organizational Units

Open `Active Directory Users and Computers`.

![[Pasted image 20250427024813.png]]

Right-click your domain and select `New > Organizational Unit`.

![[Pasted image 20250427025054.png]]

### `_EMPLOYEES`

![[Pasted image 20250427025147.png]]

### `_ADMINS`

![[Pasted image 20250427025212.png]]

## Create a new admin user

Under `_ADMINS`, select `New > User`.

![[Pasted image 20250427025400.png]]

Fill in the fields shown, then select `Next`.

![[Pasted image 20250427025445.png]]

Create a password, then clear `User must change password at next logon`. Click `Next`.
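The same work, from the role install through the forest, the OUs and the `jane_admin` account, and then the client-1 domain join and Remote Desktop change from the sections that follow, done in PowerShell instead of the Server Manager and ADUC wizards. This is an added example, not part of the original lab notes. `danquezdomain.com` and `jane_admin` come from the notes; the NetBIOS name, OU names, prompts and everything else are assumptions to replace. It goes one step further than the notes by placing the computer object straight into `_CLIENTS` at join time, so there is nothing to drag afterwards.

```powershell
# Added example, not part of the original lab notes. Part 1 runs on dc-1 as
# the local admin the VM was created with (it reboots in the middle); part 2
# runs on client-1 as a local admin once client-1's DNS points at dc-1.
# Domain and account names are assumptions matching the lab.

# ---------- Part 1 (dc-1): role, forest, OUs, admin account ----------
$domain   = 'danquezdomain.com'
$domainDN = 'DC=danquezdomain,DC=com'
$netbios  = 'DANQUEZDOMAIN'     # assumed: the wizard default is the first DNS label

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# "Add a new forest". -InstallDns mirrors the wizard default; the DSRM password
# is for offline recovery only and is not a domain account.
Install-ADDSForest -DomainName $domain -InstallDns `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) -Force
# dc-1 reboots here. Log back in as labuser and run the rest.

Import-Module ActiveDirectory
foreach ($ou in '_EMPLOYEES', '_ADMINS', '_CLIENTS') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN
    }
}

# Jane Doe / jane_admin in _ADMINS, password prompted rather than hard-coded,
# "must change password at next logon" cleared as in the wizard.
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName 'jane_admin' -UserPrincipalName "jane_admin@$domain" `
    -Path "OU=_ADMINS,$domainDN" `
    -AccountPassword (Read-Host 'Password for jane_admin' -AsSecureString) `
    -ChangePasswordAtLogon $false -Enabled $true
Add-ADGroupMember -Identity 'Domain Admins' -Members 'jane_admin'
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object SamAccountName   # confirm

# ---------- Part 2 (client-1): join, land directly in _CLIENTS, RDP access ----------
# -OUPath puts the computer object in _CLIENTS at join time. The machine restarts.
$cred = Get-Credential -UserName "$netbios\jane_admin" -Message 'Domain join'
Add-Computer -DomainName $domain -Credential $cred `
    -OUPath "OU=_CLIENTS,$domainDN" -Restart

# After the restart, logged in to client-1 as jane_admin: let ordinary domain
# accounts use Remote Desktop (same as the "Select users..." dialog in the notes).
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member "$netbios\Domain Users"
```

`Get-ADGroupMember` at the end of part 1 is the check worth keeping: `Domain Admins` membership is what makes `jane_admin` able to join machines, edit the Default Domain Policy and read the DC's Security log later in the lab.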
![[Pasted image 20250427025558.png]]

Select `Finish`.

![[Pasted image 20250427025620.png]]

Right-click `Jane Doe` and select `Properties`.

![[Pasted image 20250427025740.png]]

Go to the `Member of` tab, select `Add`, type `Domain Admins`, then click `Check Names > OK`.

![[Pasted image 20250427025926.png]]

Click `Apply`, then `OK`.

![[Pasted image 20250427030002.png]]

## Login to dc-1 as `jane_admin`

Log out of dc-1, then log in as `jane_admin`. From here on, use this account for domain administration rather than the local account the VM was created with.

![[Pasted image 20250427030216.png]]

## Join Client-1 to the domain

**Login to client-1**

Right-click the Start menu and select `System`.

![[Pasted image 20250427030507.png]]

Click `Rename this PC (advanced)`.

![[Pasted image 20250427030548.png]]

Select `Change`, enter your domain name, then select `OK`.

![[Pasted image 20250427030643.png]]

Enter the `jane_admin` credentials, then select `OK`.

![[Pasted image 20250427030831.png]]

![[Pasted image 20250427030902.png]]

![[Pasted image 20250427030911.png]]

Right-click the Start menu, then navigate to `Restart`.

![[Pasted image 20250427031003.png]]

## Create `_CLIENTS` OU

Log in to dc-1 as `jane_admin` and open `Active Directory Users and Computers`.

![[Pasted image 20250427024813.png]]

Right-click your domain and select `New > Organizational Unit`.

![[Pasted image 20250427025054.png]]

![[Pasted image 20250427031344.png]]

Drag `client-1` into the `_CLIENTS` OU.

![[Pasted image 20250427031448.png]]

Select `Yes`.

![[Pasted image 20250427031509.png]]

![[Pasted image 20250427031539.png]]

## Setup Remote Desktop for non-administrative users on client-1

Log in to client-1 as `jane_admin`.

![[Pasted image 20250427141543.png]]

Right-click the Start menu and select `System`.

![[Pasted image 20250427141809.png]]

Select `Remote Desktop`.

![[Pasted image 20250427141909.png]]

Select `Select users that can remotely access this PC`.

![[Pasted image 20250427142016.png]]

Add `Domain Users` to the list of users that can access client-1 with Remote Desktop. This puts every domain account into the local `Remote Desktop Users` group, which is fine for a lab but far broader than a production workstation should allow.

![[Pasted image 20250427142219.png]]

# Creating Users with PowerShell

## Creating 10,000 users using PowerShell script

Open `PowerShell ISE` as an administrator.

![[Pasted image 20250427142529.png]]

![[Pasted image 20250427142545.png]]

Create a new file, then paste the following script into it. (The script creates 10,000 AD users in `_EMPLOYEES`, all with the same lab password.)

![[Pasted image 20250427142728.png]]

```powershell
# ----- Edit these Variables for your own Use Case ----- #
# Lab only: every account gets the same weak, never-expiring password.
$PASSWORD_FOR_USERS = "Password1"
$NUMBER_OF_ACCOUNTS_TO_CREATE = 10000
# ------------------------------------------------------ #

Import-Module ActiveDirectory

# Build a pronounceable 3-6 letter name by alternating consonants and vowels.
Function generate-random-name() {
    $consonants = @('b','c','d','f','g','h','j','k','l','m','n','p','q','r','s','t','v','w','x','z')
    $vowels = @('a','e','i','o','u','y')
    $nameLength = Get-Random -Minimum 3 -Maximum 7     # -Maximum is exclusive: 3..6
    $name = ""
    for ($i = 0; $i -lt $nameLength; $i++) {
        if ($i % 2 -eq 0) {
            # -Maximum is exclusive, so Count (not Count - 1) lets every letter be picked
            $name += $consonants[(Get-Random -Maximum $consonants.Count)]
        }
        else {
            $name += $vowels[(Get-Random -Maximum $vowels.Count)]
        }
    }
    return $name
}

# Computed once, outside the loop.
$password = ConvertTo-SecureString $PASSWORD_FOR_USERS -AsPlainText -Force
$ouPath   = "OU=_EMPLOYEES,$((Get-ADDomain).DistinguishedName)"

$count = 1
while ($count -le $NUMBER_OF_ACCOUNTS_TO_CREATE) {     # -le so exactly 10,000 are created
    $firstName = generate-random-name
    $lastName  = generate-random-name
    $username  = $firstName + '.' + $lastName
    # Random names collide now and then; skip a duplicate instead of erroring.
    if (Get-ADUser -Filter "SamAccountName -eq '$username'") { continue }
    Write-Host "Creating user: $username" -BackgroundColor Black -ForegroundColor Cyan
    New-ADUser -AccountPassword $password `
               -GivenName $firstName `
               -Surname $lastName `
               -DisplayName $username `
               -Name $username `
               -SamAccountName $username `
               -EmployeeID $username `
               -PasswordNeverExpires $true `
               -Path $ouPath `
               -Enabled $true
    $count++
}
```

Press `CTRL + S` to save the script and name it `create-users`.

![[Pasted image 20250427142830.png]]

![[Pasted image 20250427142916.png]]

Run the script.

![[Pasted image 20250427142954.png]]

## Logging into one of the newly created users

Open `Active Directory Users and Computers` and open the `_EMPLOYEES` OU; you can see the newly created users.

![[Pasted image 20250427143252.png]]

Log in to `client-1` as one of the new users.

![[Pasted image 20250427143418.png]]

![[Pasted image 20250427143502.png]]

# Group Policy and Managing Accounts

## Configure an account lockout Group Policy

Right-click Start > `Run` and type `gpmc.msc`.

![[Pasted image 20250427144446.png]]

![[Pasted image 20250427144529.png]]

Right-click `Default Domain Policy` and select `Edit`.

![[Pasted image 20250427144734.png]]

Navigate to `Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy`.

![[Pasted image 20250427144855.png]]

Right-click `Account lockout duration` and set it to `30` minutes.

![[Pasted image 20250427145026.png]]

Right-click `Allow Administrator account lockout` and enable it. Also check that `Account lockout threshold` is non-zero (this lab locks an account after ten bad attempts); with a threshold of 0 no lockout ever happens, whatever the duration is set to.

![[Pasted image 20250427145150.png]]

Log in to client-1 as `jane_admin`.

![[Pasted image 20250427145347.png]]

Open `Command Prompt` as an administrator and run `gpupdate /force` to force the GPO to apply.

![[Pasted image 20250427145542.png]]

![[Pasted image 20250427145600.png]]

## Dealing with Account Lockouts

### Locking an account due to incorrect password

Attempt to log in as a random user ten times with the wrong password.

![[Pasted image 20250427144001.png]]

![[Pasted image 20250427145743.png]]

## Unlock the locked user account
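The lockout, unlock, password-reset and disable steps of this part of the lab from PowerShell on dc-1, as an added example that is not part of the original lab notes. It also shows the one check the GUI route skips: reading the effective lockout policy first, because a threshold of 0 means the ten bad attempts above never lock anything. `danquezdomain.com` and `jane_admin` are from the notes; `bafo.kede` is an assumed sAMAccountName, use whichever `_EMPLOYEES` account you locked out.

```powershell
# Added example, not part of the original lab notes. Run on dc-1 as jane_admin
# (Domain Admin). The test account name is an assumption.

Import-Module ActiveDirectory
$domain = 'danquezdomain.com'

# 1. Effective lockout policy. With LockoutThreshold = 0 no number of wrong
#    passwords locks anything, so the ten bad attempts above would do nothing.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Shell equivalent of the GPO edit. The Default Domain Policy GPO re-applies its
# own values on refresh, so for a lasting change set them in the GPO as above.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -LockoutThreshold 10 -LockoutDuration 00:30:00 -LockoutObservationWindow 00:30:00

# 2. Who is locked out right now, and when the last bad password arrived.
#    badPwdCount is kept per DC and not replicated; with one DC that is fine.
function Get-LockedLabAccounts {
    Search-ADAccount -LockedOut -UsersOnly | ForEach-Object {
        Get-ADUser -Identity $_.SamAccountName `
            -Properties AccountLockoutTime, badPwdCount, LastBadPasswordAttempt
    } | Select-Object SamAccountName, AccountLockoutTime, badPwdCount, LastBadPasswordAttempt
}
Get-LockedLabAccounts | Format-Table -AutoSize

# 3. Unlock (the "Unlock account" checkbox), then confirm.
$lockedUser = 'bafo.kede'      # assumed sAMAccountName of the locked test account
Unlock-ADAccount -Identity $lockedUser
(Get-ADUser -Identity $lockedUser -Properties LockedOut).LockedOut   # expect False

# 4. Reset password (the "Reset Password" context-menu item). -Reset sets it
#    without knowing the old one; forcing a change at next logon is the safer default.
Set-ADAccountPassword -Identity $lockedUser -Reset `
    -NewPassword (Read-Host 'New password' -AsSecureString)
Set-ADUser -Identity $lockedUser -ChangePasswordAtLogon $true

# 5. Disable and re-enable (the "Account is disabled" checkbox).
Disable-ADAccount -Identity $lockedUser
(Get-ADUser -Identity $lockedUser).Enabled    # False: logon now fails with the disabled-account message
Enable-ADAccount -Identity $lockedUser
```

`Get-LockedLabAccounts` is the piece to reuse: `Search-ADAccount -LockedOut` answers "who is locked out right now" across the whole domain, which the ADUC checkbox cannot.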
![[Pasted image 20250427145954.png]]

Open the locked user's `Properties`, go to the `Account` tab, check `Unlock account`, then press `OK`.

![[Pasted image 20250427150151.png]]

Log in to the previously locked account.

![[Pasted image 20250427150340.png]]

![[Pasted image 20250427150522.png]]

## Resetting Passwords

On dc-1, right-click an account and select `Reset Password`.

![[Pasted image 20250427150744.png]]

![[Pasted image 20250427150903.png]]

## Enabling and Disabling Accounts

**Disable the same account in Active Directory**

On dc-1, right-click an account and go to `Properties`; on the `Account` tab, check `Account is disabled`.

![[Pasted image 20250427151054.png]]

When the user tries to log in they will get a pop-up similar to this:

![[Pasted image 20250427151153.png]]

## Observing Logs

### Observing logs on the Domain Controller

Open Event Viewer.

![[Pasted image 20250427151359.png]]

Type `eventvwr.msc`.

![[Pasted image 20250427151453.png]]

In Event Viewer, expand `Windows Logs`, then right-click `Security` and select `Find`.

![[Pasted image 20250427151645.png]]

Enter the user you have been using and select `Find Next`.

![[Pasted image 20250427151718.png]]

You will find the failed credential-validation events for the user (ID 4776, "The computer attempted to validate the credentials for an account", with a non-zero error code). The lockout itself is logged on the DC as a separate event, ID 4740.

![[Pasted image 20250427151833.png]]
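The Event Viewer `Find` above matches a string anywhere in the log. The following added example (not part of the original lab notes) does the same search from PowerShell on dc-1, but selects by event ID and account so the bad-password attempts, the Kerberos variant a console logon produces, and the lockout event line up in one table. `bafo.kede` is an assumed sAMAccountName; the Security log needs `jane_admin` or another member of Administrators or Event Log Readers.

```powershell
# Added example, not part of the original lab notes. Run on dc-1 as jane_admin.
# The account name passed at the bottom is an assumption.

function Get-LabAuthEvents {
    param(
        [Parameter(Mandatory)][string]$User,   # sAMAccountName to look for
        [int]$Hours = 24
    )
    # 4776: DC validated NTLM credentials (Error Code 0x0 = success,
    #       0xC000006A = wrong password, 0xC0000234 = account locked out).
    #       This is what RDP logons from the lab client produce.
    # 4771: Kerberos pre-authentication failed (Failure Code 0x18 = wrong
    #       password); what a console logon on a domain-joined client produces.
    # 4740: the DC locked the account out.
    $filter = @{
        LogName   = 'Security'
        Id        = 4776, 4771, 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $escaped = [regex]::Escape($User)
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "(Logon Account|Account Name):\s+$escaped\b" } |
        ForEach-Object {
            # Status field differs per event; the source host field does too.
            $code   = ''
            $source = ''
            if ($_.Message -match '(Error Code|Failure Code):\s+(0x[0-9A-Fa-f]+)') { $code = $Matches[2] }
            if ($_.Message -match '(Source Workstation|Client Address|Caller Computer Name):\s+(\S+)') { $source = $Matches[2] }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Code   = $code
                Source = $source
            }
        }
}

# Assumed account: whichever _EMPLOYEES user you locked out above.
Get-LabAuthEvents -User 'bafo.kede' | Sort-Object Time | Format-Table -AutoSize
```

Reading the output: a run of 4776 entries with code `0xC000006A` followed by a 4740 is the ten wrong passwords and the lockout; any later 4776 with `0xC0000234` is an attempt made while the account was still locked, which is the signal a detection rule should key on rather than the bad-password count alone.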