If you want to learn Windows infrastructure the “real” way, building an Active Directory (AD) lab is still one of the best returns on time you can get. A good lab gives you a safe place to practice identity, DNS, Group Policy, certificate services, patching, monitoring, and security baselines—without risking your daily devices.
This post is my general blueprint for standing up a clean AD lab that’s practical, secure-by-default, and easy to expand later.
What I’m Building (High Level)
Goal: A small, stable AD “core” that I can build services around.
Minimum viable lab:
- 1x Domain Controller (AD DS + DNS)
- 1x management workstation or admin VM (recommended)
- 1–2 member servers (file server, monitoring, etc.)
- 1–2 client machines (Windows 11 test endpoints)
Core principles:
- Keep identity (AD) boring and stable.
- Use DNS correctly (AD-integrated DNS is not optional).
- Separate admin activity from daily computing.
- Make it easy to rebuild (documentation + backups).
Step 0: Define the Lab Boundaries
Before touching installers, define the boundaries so you don’t rebuild later.
Network boundary
- Put the lab on its own VLAN/subnet (ideal), or at minimum a dedicated IP range.
- Keep “regular home devices” separate from server and test client networks.
Naming boundary
Pick a DNS name that won’t cause conflicts:
- Use a domain you own (recommended) as a subdomain, for example:
lab.example.net - Avoid
.localunless you have a specific reason—modern integrations don’t always love it.
Time boundary
Time drift breaks AD in subtle and painful ways. Plan for reliable NTP and keep the lab consistent.
Step 1: Plan the Roles and Layout
Start small, and add roles intentionally.
Suggested starting roles
- DC01: AD DS + DNS (keep it focused at first)
- PAW01 (recommended): admin workstation VM
- FS01 (optional): file server for permissions and SMB testing
IP and DNS plan (important)
- Give the DC a static IP
- Configure DC DNS to itself
- Configure clients to use the DC for DNS (not your router, not public resolvers)
General VM sizing
- DC: 2 vCPU, 4–8 GB RAM, 60–80 GB disk
- Clients: 2 vCPU, 4–8 GB RAM
If you plan to add logging/monitoring and keep logs on-box, increase disk accordingly.
Step 2: Build the Domain Controller (DC01)
Install and baseline Windows Server
- Install Windows Server (GUI is fine for a lab)
- Apply updates immediately
- Rename the server (example:
DC01) and reboot - Assign a static IP, gateway, and DNS
Add AD DS + DNS and promote
- Install the Active Directory Domain Services role
- Include DNS Server
- Promote to a domain controller:
- Create a new forest
Choose your domain name (example:
lab.example.net)- Set and store your DSRM password securely
Validate the basics
Confirm:
- DNS zone exists and is AD-integrated
- DC resolves itself and the domain
- No persistent AD/DNS errors in Event Viewer
- Create a new forest
Step 3: Create a Simple OU Structure
A simple OU design beats a complicated one you won’t maintain. Here’s a practical starter:
- `OU=Lab`
- `OU=Servers`
- `OU=Workstations`
- `OU=Users`
- `OU=Groups`
- `OU=Service Accounts`
- `OU=Admins`
This gives you clean targets for Group Policy and delegated administration later.
---
Step 4: Set Up an Admin Model (Don’t Run Everything as Domain Admin)
This is the habit that pays off the most.
### Accounts
At minimum:
- **Daily user** (normal privileges)
- **Admin user** (separate account used only for admin tasks)
### Membership guidance
- Keep **Domain Admin** membership minimal
- Use delegated permissions where possible (a great lab exercise later)
### Admin workstation (MGMT01)
Do administrative work from a dedicated VM instead of your daily PC. It’s a small change that teaches real-world operational discipline.
---
Step 5: Join a Client and Validate Authentication
Bring up a Windows 11 client:
- Set DNS to the DC’s IP
- Join the domain
- Reboot
- Log in with a domain user
Quick validation:
- Confirm you can access `\\DC01\SYSVOL`
- Run:
```powershell
whoami
gpresult /r