Overview
What I Built
A multi-VM environment on VMware Workstation that mirrors a small enterprise network. The goal was deliberate, hands-on repetition with systems I would encounter in a real IT or security role — DNS failures, Group Policy misconfigurations, AD trust issues, firewall gaps — all in a place where breaking things is the whole point.
Instead of reading about how Active Directory works, I built it, broke it, and rebuilt it. That difference matters when you are diagnosing a production issue at 2am.
- Deployed Windows Server 2019 and promoted it to a domain controller
- Configured Active Directory: users, groups, OUs, and nested group policies
- Set up DNS zones, DHCP scopes, and forward/reverse lookup records
- Domain-joined Windows 10/11 client machines and managed them centrally via GPO
- Introduced deliberate misconfigurations and practiced step-by-step remediation
- Ran Kali Linux on the same isolated virtual network for attack simulation
Lab Stack
Environment
- VMware Workstation — virtual network host and snapshot management
- Windows Server 2019 — AD DS, DNS, DHCP, File Services
- Windows 10 / 11 — domain-joined workstation clients
- Kali Linux — offensive tooling, recon, and exploitation practice
- Internal vNet — fully isolated NAT segments, no internet exposure
Active Directory
DNS
Group Policy
DHCP
Firewalls
Kali Linux
Architecture
Network Topology
Virtual machines across two isolated network segments, mimicking a real enterprise LAN with a separated attacker node.
WinServer-DC-01
Domain Controller
Windows Server 2019 — hosts AD DS, primary DNS, DHCP. Authoritative for the hamanlab.local domain.
WinClient-01 / 02
Domain Workstations
Windows 10 and 11 machines joined to the domain. Used for GPO testing, user privilege scenarios, and endpoint hardening.
Kali-Attacker
Attack Node
Kali Linux on an isolated segment. Used for network recon, brute-force testing, and vulnerability scanning against lab targets.
Virtual Switch / NAT
Network Segmentation
VMware virtual switches create isolated LAN and DMZ-style segments. NAT adapter provides selective internet access for updates only.
File & Print Server
Shared Services
Secondary Server 2019 instance running file shares and print services. Used to practice permissions, ACLs, and audit policy.
Sysmon + Event Logs
Monitoring Layer
Sysmon deployed on domain machines. Windows Event Forwarding sends logs to a central collector for basic SIEM-style review.
Build Process
How It Came Together
Each phase was driven by a specific skill gap — not a checklist. Problems came first; the infrastructure was built around solving them.
Phase 01
Bare Metal to Domain Controller
Installed Windows Server 2019, configured static IP, promoted to domain controller for hamanlab.local. Set up AD DS, primary DNS zone, and DHCP scope. First real taste of what breaks when DNS is misconfigured.
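The Phase 01 build in PowerShell, as an added example rather than the lab's own scripts. It assumes an adapter alias of "Ethernet", a DC address of 10.10.10.10/24 with gateway 10.10.10.1, and a DHCP range of .100 to .200; every other name comes from the page. Run elevated on a fresh Server 2019 install; the forest promotion reboots the box partway through.

```powershell
# Added example (not the page's own scripts): first domain controller for hamanlab.local.
# Assumed values: adapter "Ethernet", DC 10.10.10.10/24, gateway 10.10.10.1, DHCP .100-.200.

$Adapter = 'Ethernet'
$DcIp    = '10.10.10.10'
$Gateway = '10.10.10.1'
$Domain  = 'hamanlab.local'
$NetBios = 'HAMANLAB'

# 1. Static addressing first: a DC whose IP can change is a DNS problem waiting to happen.
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $DcIp -PrefixLength 24 -DefaultGateway $Gateway
# Point the server at itself for DNS so the promotion registers its own SRV records.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DcIp

# 2. Roles: AD DS (pulls in DNS) plus DHCP.
Install-WindowsFeature AD-Domain-Services, DHCP -IncludeManagementTools

# 3. Promote to forest root DC. -Force suppresses the prompts; the server reboots when done.
$DsrmPassword = Read-Host -AsSecureString 'DSRM (safe mode) password'
Install-ADDSForest -DomainName $Domain -DomainNetbiosName $NetBios `
    -InstallDns -SafeModeAdministratorPassword $DsrmPassword -Force

# ---- after the reboot, logged on as HAMANLAB\Administrator ----

# 4. Reverse lookup zone: promotion creates the forward zone, but PTR records need this.
Add-DnsServerPrimaryZone -NetworkId '10.10.10.0/24' -ReplicationScope 'Domain'

# 5. DHCP scope handing out the DC as DNS and the lab gateway as router.
Add-DhcpServerv4Scope -Name 'Lab LAN' -StartRange 10.10.10.100 -EndRange 10.10.10.200 `
    -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ScopeId 10.10.10.0 -DnsServer $DcIp -DnsDomain $Domain -Router $Gateway
# Authorize the DHCP server in AD; until then it refuses to lease to domain clients.
Add-DhcpServerInDC -DnsName "$env:COMPUTERNAME.$Domain" -IPAddress $DcIp

# 6. The check behind most "DNS is broken" tickets: can a client locate a DC at all?
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV
Resolve-DnsName -Name "_kerberos._tcp.$Domain" -Type SRV
```

If the two SRV lookups at the end return nothing, domain joins and Kerberos logons will fail with errors that look unrelated to DNS; restarting the Netlogon service on the DC re-registers the records.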
Phase 02
Domain Clients and Group Policy
Joined Windows 10 and 11 VMs to the domain. Created OUs for different departments, built Group Policy Objects for password policy, desktop lockdown, and software deployment. Tested GPO inheritance and blocking.
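The Phase 02 OU and GPO work scripted, as an added example and not the lab's own configuration. It assumes the OU names "Workstations", "Finance" and "IT" and the GPO names shown; it needs the RSAT ActiveDirectory and GroupPolicy modules and Domain Admin rights.

```powershell
# Added example (not the page's own scripts). Assumed: OU names Workstations/Finance/IT,
# GPO names below. Run on the DC or a management host with RSAT installed.
Import-Module ActiveDirectory, GroupPolicy

$DomainDn = (Get-ADDomain).DistinguishedName        # DC=hamanlab,DC=local
$WsOu     = "OU=Workstations,$DomainDn"

# OU tree: one parent for all workstations, department OUs underneath.
New-ADOrganizationalUnit -Name 'Workstations' -Path $DomainDn -ProtectedFromAccidentalDeletion $true
foreach ($dept in 'Finance', 'IT') {
    New-ADOrganizationalUnit -Name $dept -Path $WsOu -ProtectedFromAccidentalDeletion $true
}

# Desktop lockdown GPO linked at the parent so every department inherits it.
$Lockdown = New-GPO -Name 'WS - Desktop Lockdown' -Comment 'Baseline user restrictions'
# Registry-backed settings can be set without opening the editor; this hides the Control Panel.
Set-GPRegistryValue -Name $Lockdown.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1
New-GPLink -Name $Lockdown.DisplayName -Target $WsOu -LinkEnabled Yes

# Password policy only takes effect from a GPO linked at the domain root. Account Policies
# settings are not registry-backed, so configure them in GPMC (or Set-ADDefaultDomainPasswordPolicy);
# the link is Enforced so blocking inheritance lower down cannot remove it.
$PwPolicy = New-GPO -Name 'Domain - Password Policy'
New-GPLink -Name $PwPolicy.DisplayName -Target $DomainDn -Enforced Yes

# Software deployment scoped to IT only.
$Deploy = New-GPO -Name 'IT - Software Deployment'
New-GPLink -Name $Deploy.DisplayName -Target "OU=IT,$WsOu"

# Inheritance experiment: block inheritance on Finance and see which links survive.
Set-GPInheritance -Target "OU=Finance,$WsOu" -IsBlocked Yes
(Get-GPInheritance -Target "OU=Finance,$WsOu").InheritedGpoLinks |
    Select-Object DisplayName, Enforced, Enabled     # only the Enforced password GPO should remain
```

On a Finance workstation, `gpupdate /force` followed by `gpresult /r` should list the password policy but not the desktop lockdown; flipping `-IsBlocked No` and re-running shows the lockdown come back.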
Phase 03
Deliberate Misconfigurations
Introduced common real-world mistakes on purpose — weak password policies, over-permissioned users, open file shares, AS-REP roastable accounts. Then diagnosed and remediated each one using the same tools an admin would use in production.
Phase 04
Kali and Attack Simulation
Added Kali Linux to an isolated segment. Ran nmap recon, performed password spraying against domain accounts, used BloodHound to map attack paths through AD. Seeing the attack from the attacker side completely changed how I thought about defense.
Phase 05 — Ongoing
Monitoring and Hardening
Deployed Sysmon with SwiftOnSecurity config across domain machines. Set up Windows Event Forwarding to a central collector. Now actively building detection rules and reviewing logs after each attack simulation.
Security Practice
What I Practiced Hands-On
Every technique below was executed in the lab — not read about, not watched in a tutorial.
01
Active Directory Enumeration
Used BloodHound and ldapdomaindump to map AD structure, identify privilege escalation paths, and find misconfigured delegation settings. Practiced both attacker enumeration and defensive AD hygiene.
02
Password Attacks and Remediation
Ran AS-REP roasting against accounts with pre-auth disabled, tested password spraying with valid usernames. Then hardened with Kerberos pre-auth enforcement, fine-grained password policies, and account lockout thresholds.
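A defender-side script for the Phase 03 misconfiguration and the remediation described in this section, added here as an example that is not the lab's own code. It finds accounts with Kerberos pre-authentication disabled, re-enables it, sets a domain-wide lockout policy, and attaches a fine-grained password policy to a privileged group. The group name "Tier0-Admins", the PSO name "PSO-Privileged" and the user "someadmin" are assumptions.

```powershell
# Added example (not the page's own scripts). Assumed names: group Tier0-Admins,
# PSO PSO-Privileged, sample user someadmin. Requires Domain Admin rights.
Import-Module ActiveDirectory

function Get-AsrepRoastableAccount {
    # Pre-auth disabled is bit 0x400000 (DONT_REQ_PREAUTH) of userAccountControl;
    # the bitwise LDAP matching rule finds it server-side.
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' `
        -Properties DoesNotRequirePreAuth, PasswordLastSet, Enabled |
        Select-Object SamAccountName, Enabled, PasswordLastSet, DoesNotRequirePreAuth
}

function Repair-KerberosPreAuth {
    param([switch]$WhatIf)
    foreach ($u in Get-AsrepRoastableAccount) {
        Write-Host "Enforcing pre-auth on $($u.SamAccountName)"
        Set-ADAccountControl -Identity $u.SamAccountName -DoesNotRequirePreAuth $false -WhatIf:$WhatIf
    }
}

function New-PrivilegedPasswordPolicy {
    param([string]$Name = 'PSO-Privileged', [string]$Group = 'Tier0-Admins')
    # Lower Precedence wins when a user is covered by more than one PSO.
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Group
}

# Domain-wide lockout for everyone else. Spraying stays under the threshold per account,
# so the observation window and the 4625 volume in the logs are what actually catch it.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -MinPasswordLength 14 `
    -LockoutThreshold 10 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

Get-AsrepRoastableAccount | Format-Table            # before
Repair-KerberosPreAuth
Get-AsrepRoastableAccount | Format-Table            # after: should be empty
New-PrivilegedPasswordPolicy
Get-ADUserResultantPasswordPolicy -Identity 'someadmin'   # confirm which policy wins
```

Run `Repair-KerberosPreAuth -WhatIf` first; any account that legitimately needs pre-auth off (rare, usually a legacy application) is better documented and monitored than silently flipped back.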
03
Network Scanning and Firewall Rules
Used nmap to fingerprint the lab network from the Kali node. Identified open ports, service versions, and exposure gaps. Built Windows Firewall rules and tested them with follow-up scans to verify coverage.
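The local side of that scan-and-verify loop, as an added example that is not the lab's own configuration: a host firewall posture that drops inbound by default, allows SMB only from the LAN subnet and remote management only from one admin host, then reads the effective allow rules back per port so gaps are visible before the follow-up scan from Kali. The lab LAN 10.10.10.0/24 and management host 10.10.10.50 are assumptions.

```powershell
# Added example (not the page's own scripts). Assumed: LAN 10.10.10.0/24, admin host 10.10.10.50.
# Run elevated on a domain workstation, or push the same settings through a GPO.

$LabLan   = '10.10.10.0/24'
$MgmtHost = '10.10.10.50'

# Default posture on every profile: inbound blocked unless a rule allows it, blocked traffic logged.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block `
    -DefaultOutboundAction Allow -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# SMB only from the LAN: a workstation has no business serving files to the attacker segment.
New-NetFirewallRule -DisplayName 'Lab - SMB from LAN only' -Direction Inbound -Protocol TCP `
    -LocalPort 445 -RemoteAddress $LabLan -Action Allow -Profile Domain

# WinRM and RDP only from the management host.
New-NetFirewallRule -DisplayName 'Lab - WinRM from mgmt host' -Direction Inbound -Protocol TCP `
    -LocalPort 5985 -RemoteAddress $MgmtHost -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName 'Lab - RDP from mgmt host' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $MgmtHost -Action Allow -Profile Domain

# The built-in groups allow these ports from anywhere; disable them so only the scoped rules apply.
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

function Get-InboundAllowSummary {
    # Joins each enabled inbound Allow rule with its port and address filters, so the
    # table shows exactly which remote ranges may reach which local ports.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Profile    = $_.Profile
            Protocol   = $port.Protocol
            LocalPort  = ($port.LocalPort -join ',')
            RemoteAddr = ($addr.RemoteAddress -join ',')
        }
    } | Sort-Object LocalPort
}

Get-InboundAllowSummary | Format-Table -AutoSize
# Any row with RemoteAddr "Any" on 445, 3389 or 5985 is a finding before the scan even runs.
```

The nmap result from the Kali segment should then show 445 filtered, while the same scan from a LAN address shows it open; if both show it open, a rule with a wider remote address is still enabled and the summary table names it.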
04
Log Analysis and Incident Review
After each attack simulation, reviewed Sysmon event logs and Windows Security logs to reconstruct the attack chain. Focused on Event IDs 4624, 4625, 4768, 4769, 7045 — the staples of AD attack detection.
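The review described above turned into code, as an added example (not the lab's own tooling) that runs offline over a small constructed set of events shaped like the Security and System log entries: a burst of 4625 failures from one source against several accounts, a 4768 with pre-authentication type 0 and RC4 (0x17) encryption, and a 7045 service install from a user-writable path. Field names follow the event XML; the IPs, account names and times are constructed, and `Get-LabEvent` at the end shows how to pull the same shape from a real collector with `Get-WinEvent`.

```powershell
# Added example (not the page's own code). Sample events below are constructed.

$Events = @(
    # 4625 burst from one source against many accounts within seconds: spray pattern
    @{ Id=4625; Time='2024-01-10T02:00:01'; IpAddress='10.10.20.5'; TargetUserName='jsmith' },
    @{ Id=4625; Time='2024-01-10T02:00:03'; IpAddress='10.10.20.5'; TargetUserName='mjones' },
    @{ Id=4625; Time='2024-01-10T02:00:05'; IpAddress='10.10.20.5'; TargetUserName='svc_backup' },
    @{ Id=4625; Time='2024-01-10T02:00:07'; IpAddress='10.10.20.5'; TargetUserName='helpdesk' },
    @{ Id=4624; Time='2024-01-10T02:00:09'; IpAddress='10.10.20.5'; TargetUserName='svc_backup'; LogonType=3 },
    # one mistyped password from a LAN workstation: normal, should not trigger
    @{ Id=4625; Time='2024-01-10T08:15:00'; IpAddress='10.10.10.101'; TargetUserName='jsmith' },
    # 4768 with PreAuthType 0 and RC4 (0x17): AS-REP roast indicator. PreAuthType 2 + AES is normal.
    @{ Id=4768; Time='2024-01-10T02:01:00'; IpAddress='10.10.20.5'; TargetUserName='svc_legacy'; PreAuthType=0; TicketEncryptionType='0x17' },
    @{ Id=4768; Time='2024-01-10T08:16:00'; IpAddress='10.10.10.101'; TargetUserName='jsmith'; PreAuthType=2; TicketEncryptionType='0x12' },
    # 7045 new service on a workstation minutes after the spray: persistence signal
    @{ Id=7045; Time='2024-01-10T02:02:30'; Computer='WINCLIENT-01'; ServiceName='updater'; ImagePath='C:\Users\Public\u.exe' }
) | ForEach-Object { [pscustomobject]$_ }

function Find-PasswordSpray {
    param($Events, [int]$MinAccounts = 3, [int]$WindowMinutes = 10)
    $Events | Where-Object Id -eq 4625 | Group-Object IpAddress | ForEach-Object {
        $times    = @($_.Group | ForEach-Object { [datetime]$_.Time } | Sort-Object)
        $accounts = @($_.Group.TargetUserName | Sort-Object -Unique)
        $span     = ($times[-1] - $times[0]).TotalMinutes
        if ($accounts.Count -ge $MinAccounts -and $span -le $WindowMinutes) {
            [pscustomobject]@{ Source=$_.Name; Accounts=$accounts.Count; Minutes=[math]::Round($span,1); Finding='password spray' }
        }
    }
}

function Find-AsrepRoastIndicator {
    param($Events)
    $Events | Where-Object { $_.Id -eq 4768 -and $_.PreAuthType -eq 0 -and $_.TicketEncryptionType -eq '0x17' } |
        Select-Object Time, IpAddress, TargetUserName, @{n='Finding'; e={ 'TGT for account without pre-auth (RC4)' }}
}

function Find-SuspiciousService {
    param($Events)
    $Events | Where-Object { $_.Id -eq 7045 -and $_.ImagePath -match '^[A-Za-z]:\\Users\\' } |
        Select-Object Time, Computer, ServiceName, ImagePath, @{n='Finding'; e={ 'service binary in user-writable path' }}
}

function Get-AttackTimeline {
    param($Events)
    # Everything tied to a spraying source, plus service installs, in time order.
    $sources = @(Find-PasswordSpray $Events | ForEach-Object Source)
    $Events | Where-Object { $_.IpAddress -in $sources -or $_.Id -eq 7045 } |
        Sort-Object { [datetime]$_.Time } |
        Select-Object Time, Id, IpAddress, TargetUserName, ServiceName
}

function Get-LabEvent {
    # Same record shape from a real log on the collector. Not run in this offline demo.
    param([string]$LogName = 'Security', [int[]]$Id = @(4624, 4625, 4768, 4769))
    Get-WinEvent -FilterHashtable @{ LogName=$LogName; Id=$Id } | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{ Id=$_.Id; Time=$_.TimeCreated.ToString('s'); Computer=$_.MachineName }
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        [pscustomobject]$d
    }
}

Find-PasswordSpray $Events       | Format-Table
Find-AsrepRoastIndicator $Events | Format-Table
Find-SuspiciousService $Events   | Format-Table
Get-AttackTimeline $Events       | Format-Table
```

On the sample data the spray check flags 10.10.20.5 (four accounts in six seconds) and ignores the single LAN failure; the timeline then shows the 4624 for svc_backup from the same source followed by the 7045, which is the chain worth writing up. The 7045 events come from the System log, so a real run calls `Get-LabEvent -LogName System -Id 7045` separately.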
05
Privilege Escalation Testing
Tested local privilege escalation from a standard domain user. Misconfigured service permissions, writable PATH entries, and token impersonation — then locked each vector down and verified via re-test.
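An audit for the re-test step, added as an example and not the lab's own script: it checks a workstation for the two ACL-based vectors named above (service binaries or unquoted service paths that standard users can write to, and machine PATH directories writable by users) and prints an icacls or sc.exe fix for each finding. The unquoted-path check is a heuristic; token impersonation is a privilege-assignment question and is handled by the note at the end.

```powershell
# Added example (not the page's own scripts). Read-only audit; run elevated on the workstation.

$Untrusted = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData'

function Test-WritableByUntrusted {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -in $Untrusted -and
            ($ace.FileSystemRights -band $WriteMask)) { return $true }
    }
    return $false
}

function Get-ServiceBinaryPath {
    # Strip quotes and arguments from a service PathName to get the executable on disk.
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\.exe', 2)[0] + '.exe'
}

function Get-ServiceFindings {
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        # Heuristic: unquoted, contains a space, and not under \Windows\ (system services are safe there).
        $unquoted = $_.PathName -notmatch '^"' -and $_.PathName -match ' ' -and $_.PathName -notmatch '^[A-Za-z]:\\Windows\\'
        if (Test-WritableByUntrusted $exe) {
            [pscustomobject]@{ Service=$_.Name; Account=$_.StartName; Issue='binary writable by users'; Path=$exe;
                Fix='icacls "' + $exe + '" /inheritance:r /grant SYSTEM:F Administrators:F Users:RX' }
        }
        if ($unquoted) {
            [pscustomobject]@{ Service=$_.Name; Account=$_.StartName; Issue='unquoted path with spaces'; Path=$_.PathName;
                Fix='sc.exe config ' + $_.Name + ' binPath= "\"' + $exe + '\""' }
        }
    }
}

function Get-PathFindings {
    # Machine PATH is inherited by services and scheduled tasks; a writable entry lets a
    # standard user place a binary that a higher-privileged process resolves first.
    [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        Where-Object { $_ -and (Test-WritableByUntrusted $_) } |
        ForEach-Object {
            [pscustomobject]@{ Issue='PATH directory writable by users'; Path=$_;
                Fix='icacls "' + $_ + '" /inheritance:d /remove:g Users' }
        }
}

Get-ServiceFindings | Format-Table -Wrap
Get-PathFindings    | Format-Table -Wrap
# Token impersonation: review which service accounts hold SeImpersonatePrivilege
# (whoami /priv in their context, or User Rights Assignment in gpresult /h) rather than ACLs.
```

A clean re-test is both tables empty from a standard-user session and from an elevated one; if a finding reappears after a GPO refresh, the fix was applied locally but the policy that created the permission is still in force.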
06
Snapshot-Based Break and Restore
Used VMware snapshots as a rollback mechanism for destructive testing. Built a discipline of pre-attack snapshots, aggressive break scenarios, log capture, and clean rollback — simulating real incident response cycles.
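The snapshot cycle above wrapped around VMware Workstation's vmrun CLI, as an added example and not the lab's own script. It assumes vmrun at its default install path, the VM files under C:\VMs, a local log archive under C:\LabLogs, and WinRM reachable on the guests with admin credentials; the log export runs before the rollback because the rollback discards everything written since the snapshot.

```powershell
# Added example (not the page's own scripts). Assumed paths: vmrun default install, C:\VMs, C:\LabLogs.

$VmRun = 'C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe'
$Vms = @{
    'WinClient-01'    = 'C:\VMs\WinClient-01\WinClient-01.vmx'
    'WinServer-DC-01' = 'C:\VMs\WinServer-DC-01\WinServer-DC-01.vmx'
}

function Invoke-VmRun {
    & $VmRun -T ws @args
    if ($LASTEXITCODE) { throw "vmrun failed: $args" }
}

function New-PreAttackSnapshot {
    param([string]$Tag = (Get-Date -Format 'yyyyMMdd-HHmm'))
    $name = "pre-attack-$Tag"
    foreach ($vm in $Vms.GetEnumerator()) { Invoke-VmRun snapshot $vm.Value $name }
    return $name
}

function Save-GuestLogs {
    # Export Security, System and Sysmon logs from the guest to the host archive.
    param([string]$Computer, [pscredential]$Cred,
          [string]$Dest = "C:\LabLogs\$Computer-$(Get-Date -Format 'yyyyMMdd-HHmm')")
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null
    $s = New-PSSession -ComputerName $Computer -Credential $Cred
    Invoke-Command -Session $s -ScriptBlock {
        foreach ($log in 'Security', 'System', 'Microsoft-Windows-Sysmon/Operational') {
            $file = Join-Path $env:TEMP (($log -replace '[/\\]', '_') + '.evtx')
            if (Test-Path $file) { Remove-Item $file }
            wevtutil epl $log $file
        }
    }
    # Copy through the session; a UNC copy from inside the guest would hit the second-hop problem.
    Copy-Item -FromSession $s -Path "$env:TEMP\*.evtx" -Destination $Dest
    Remove-PSSession $s
}

function Restore-PreAttackSnapshot {
    param([string]$Name)
    foreach ($vm in $Vms.GetEnumerator()) {
        Invoke-VmRun revertToSnapshot $vm.Value $Name
        # If the snapshot was taken powered on, the VM resumes by itself and start errors out.
        try { Invoke-VmRun start $vm.Value nogui } catch { }
    }
}

# Cycle: snapshot -> break scenario (run by hand) -> capture logs -> revert
$snap = New-PreAttackSnapshot
# ... attack simulation runs here ...
Save-GuestLogs -Computer 'WinClient-01' -Cred (Get-Credential 'HAMANLAB\Administrator')
Restore-PreAttackSnapshot -Name $snap
Invoke-VmRun listSnapshots $Vms['WinClient-01']
```

Note that `$env:TEMP` in the `Copy-Item -FromSession` call expands on the host, so it only matches the guest path when both sides use the same account profile; hard-code the guest temp directory if they differ. Keeping the exported .evtx files per cycle is what makes the "what normal looks like" comparison in the Takeaways possible.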
Tooling
Tools Used in the Lab
Takeaways
What This Lab Taught Me
01
DNS is the foundation of everything. When it breaks, everything else breaks in confusing ways. Debugging DNS taught me more about AD than any course.
02
Attack paths through AD are obvious once you have run them. BloodHound visualizing a path from standard user to Domain Admin changed how I think about access control permanently.
03
Log review is a skill that requires repetition. Knowing which Event IDs matter, in what order, and what normal looks like takes time the lab provided safely.
04
Breaking things is the fastest way to learn. The hours spent fixing a misconfigured GPO or a broken Kerberos trust stick with you longer than any documentation ever will.
Why This Project Matters
Most IT and security certifications teach you how things should work. This lab teaches how they actually break — and how to fix them under pressure. Every hour in this environment builds the muscle memory that matters most in a real incident. It is not a study tool. It is a practice environment built to simulate real work.