AD Test Network

I am setting up an Active Directory test network with VirtualBox. It will consist of the following components. Links are provided showing configuration information I referenced.


Use these Network settings for all machines:

  • Adapter 1: Enabled
  • Attached to: NAT Network
  • Name: NatNetwork  ( – DHCP & IPv6 disabled)
  • Adapter 2: Enabled
  • Attached to: Host-only Adapter
  • Name: VirtualBox Host-Only Ethernet Adapter (
  • DHCP Server: Enabled
  • DHCP Lower Address Bound:

Active Directory Domain Controller

Download Debian installation image and create the server in VirtualBox:

  • Name:
  • Type: Linux
  • Version: Debian (64-bit)
  • RAM: 1024 MB
  • Virtual HD: 8.00 GB
  • HD Type: VDI, dynamically allocated

Change the Network settings to the NAT Network.

Attach the installation image to the server’s Optical Drive and start the server.

  • Hostname:
  • Leave the root password blank.
  • Enter the desired user name and password for the admin (sudo) account.
  • Make your disk partition selections and write changes to disk.
  • Software selection: Only “SSH server” and “standard system utilities”.
  • Install the GRUB boot loader on /dev/sda
  • Finish the installation and reboot.

Log in as the admin user and switch to root. Change the server to use a static IP address. A second adapter is enabled on the Linux machines so that SSH logins from the host machine are possible. Make these changes to /etc/network/interfaces

# The primary network interface
allow-hotplug enp0s3
iface enp0s3 inet static
# The secondary network interface
allow-hotplug enp0s8
iface enp0s8 inet static

Make these changes for resolving DNS names to /etc/resolv.conf


Make these changes for resolving the local host name to /etc/hosts localhost DC1

Reboot the machine to switch to the static IP address.

Change the default UMASK in /etc/login.defs

Install Samba and packages needed for an AD DC. Use the FQDN for the server in the Kerberos setup. Also install some utility programs:

  • apt update
  • apt install samba attr winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user
  • apt install smbclient ldb-tools net-tools dnsutils git

Stop and disable all Samba processes, and remove the default smb.conf file:

  • systemctl stop smbd nmbd winbind
  • systemctl disable smbd nmbd winbind
  • rm /etc/samba/smb.conf

Provision the Samba AD:

samba-tool domain provision --use-rfc2307 --interactive
Server Role=dc
DNS forwarder IP address=
Administrator password=Passw0rd

Make these changes for resolving DNS names to /etc/resolv.conf


Add these lines to the [global] section of /etc/samba/smb.conf (version < 4.6.0)

winbind nss info = rfc2307
winbind use default domain = yes
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
protocol = SMB3
usershare max shares = 0
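To check a DC's smb.conf against the list above, here is an added POSIX sh audit script (not from the original guide). The smb.conf it reads is a constructed sample; the script only inspects the [global] section, so a setting that appears under a share section does not count.

```shell
#!/bin/sh
# Added example, not from the original guide: audit the [global] section
# of an smb.conf for the settings the guide adds. The sample file below
# is constructed for illustration.

# Lower-case, trim and collapse whitespace so that "Map ACL Inherit = Yes"
# and "map acl inherit=yes" compare equal.
norm() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]]*=[[:space:]]*/=/; s/[[:space:]][[:space:]]*/ /g'
}

# Emit the normalised "key=value" lines of the [global] section only,
# skipping comment lines and every share section.
global_settings() {
    awk '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); inglobal = (tolower(s) == "[global]"); next }
        inglobal && /^[ \t]*[#;]/ { next }
        inglobal && /=/ { print }
    ' "$1" | while IFS= read -r line; do norm "$line"; done
}

# check_smbconf FILE "key = value"...
# Prints each expected setting that is missing (or has a different value)
# and returns 0 only when all of them are present in [global].
check_smbconf() {
    conf=$1; shift
    have=$(global_settings "$conf")
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qxF -- "$(norm "$want")"; then
            printf 'MISSING in [global]: %s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: "protocol" is only set under a share, and
# "winbind offline logon" is absent, so the audit must flag both.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[global]
    workgroup = SAMDOM
    winbind nss info = rfc2307
    Winbind Use Default Domain = yes
    vfs objects = acl_xattr
    map acl inherit = Yes
    usershare max shares = 0
[sysvol]
    protocol = SMB3
EOF

if check_smbconf "$SAMPLE" "winbind nss info = rfc2307" \
    "winbind use default domain = yes" "winbind offline logon = yes" \
    "vfs objects = acl_xattr" "map acl inherit = yes" \
    "protocol = SMB3" "usershare max shares = 0"; then
    echo "smb.conf [global] matches the expected settings"
else
    echo "smb.conf [global] needs attention"
fi
```

Run it against /etc/samba/smb.conf in place of the sample after provisioning to confirm the winbind and ACL settings took effect.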

Use the Samba created Kerberos configuration file for your DC, enable the correct Samba services, and reboot to make sure everything works:

  • cp /var/lib/samba/private/krb5.conf /etc/
  • systemctl unmask samba-ad-dc
  • systemctl start samba-ad-dc
  • systemctl enable samba-ad-dc
  • reboot

Verify the File Server shares provided by the DC:

smbclient -L localhost -U%

Verify the DNS configuration works correctly:

  • host -t SRV
  • host -t SRV
  • host -t A

Verify Kerberos:

  • kinit administrator
  • klist

Install NTP Time Synchronization

apt install ntp

Configure NTP by editing these two lines in /etc/ntp.conf

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict mask notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)

Restart the NTP service and verify it is syncing with other servers

systemctl restart ntp.service
ntpq -p

Ease AD password restrictions, if desired:

samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --min-pwd-length=6
samba-tool domain passwordsettings set --max-pwd-age=0
samba-tool user setexpiry administrator --noexpiry


Install WSD Daemon

As root, clone the git repository and edit the service file:

git clone
cd wsdd
nano etc/systemd/wsdd.service
ExecStart=/usr/bin/wsdd -d SAMDOM -4 -s

Copy the files to the correct locations, enable the service, and start it:

cp src/ /usr/bin/wsdd
cp etc/systemd/wsdd.service /etc/systemd/system
systemctl daemon-reload
systemctl enable wsdd.service
systemctl start wsdd.service

Configure AD Accounts Authentication

Add winbind value for passwd and group lines in the /etc/nsswitch.conf configuration file:

passwd: compat winbind
group: compat winbind

Edit the file /usr/share/pam-configs/mkhomedir

Name: Create home directory on login
Default: yes
Priority: 900
Session-Type: Additional
Session-Interactive-Only: yes

Enable the entries required for the winbind service to automatically create a home directory for each domain account at its first login:


Give sudo access to members of “domain admins”:

echo "%SAMDOM\\domain\ admins ALL=(ALL) ALL" > /etc/sudoers.d/SAMDOM
chmod 0440 /etc/sudoers.d/SAMDOM

Install DHCP Service

Install the server:

apt install isc-dhcp-server

Just use IPv4 on the NatNetwork with these edits to the /etc/default/isc-dhcp-server configuration file:

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".

Edit the /etc/dhcp/dhcpd.conf configuration file:

# dhcpd.conf
# Sample configuration file for ISC dhcpd
# option definitions common to all supported networks...
option domain-name "";
option domain-name-servers;
default-lease-time 600;
max-lease-time 7200;
# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
#log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
subnet netmask {
# This is a very basic subnet declaration.
subnet netmask {
option routers;

Restart the service:

systemctl start isc-dhcp-server.service

Test the AD DC

Create an AD account for yourself and add it to the “Domain Admins” group with the commands:

samba-tool user create ted
samba-tool group addmembers "Domain Admins" ted

Verify the domain users are shown by both commands:

wbinfo -u
getent passwd

Verify the domain groups are shown by both commands:

wbinfo -g
getent group

Verify the domain ownership on a test file:

touch /tmp/testfile
chown ted:"Domain Admins" /tmp/testfile
ls -l /tmp/testfile

Create a GPO with the instructions at This Link.