Setting up an Active Directory over different networks + DMZ

Intro

Why do we want to have an Active Directory spread over three networks?

We want to keep the networks separate so that an attacker who lands on a client or on the DMZ host cannot simply walk over to the Active Directory (AD). The clients still have to authenticate, so the client network gets exactly the ports it needs towards the domain controller and nothing more; the DMZ gets no path to the domain controller at all.

Scope

  1. Three internal networks, plus a NAT network, to add to your virtualisation platform.
    1. 192.168.100.0/24 -> server network
    2. 10.0.0.0/8 -> client network
    3. 172.16.0.0/16 -> DMZ network
    4. NAT network (the router's WAN/outgoing side)
  2. a virtual router (OPNsense in this example)
  3. a domain controller that also runs DHCP, plus a second (redundant) DC
  4. some clients
  5. a DMZ server

Setup

Set up an OPNsense router. It's not difficult, just click next a couple of times.

The networks

Assign the interfaces
Pasted image 20250817140655.png
Do not configure LAGGs or VLANs.
Pasted image 20250817140720.png
Pasted image 20250817140738.png
Check the MAC addresses to match each interface to the right virtual network. The interface on the NAT network is your WAN, i.e. the outgoing connection.
The rest are LANs, but remember which one is which. We'll label them after they are set up.
Pasted image 20250817140818.png
Next, set up the IPs: the router gets one address in each of the three internal networks, and that address is the gateway for the hosts in that network.
Pasted image 20250817141112.png
Fire up a client or a server in the client or server network and we'll label the networks.
Set the correct gateway on that machine, browse to the router's IP in that network and log in.
Pasted image 20250817142118.png
Pasted image 20250817142140.png
Walk through the configuration wizard.
Enter the description.
Pasted image 20250817142315.png
Pasted image 20250817142358.png
Now move to the firewall and let's set that up. Navigate to the rules and pick the client interface.
Let's start with the client network.
Click the plus icon to add a rule.
Pasted image 20250817142533.png
Specify a TCP/UDP pass rule towards the NAT (WAN) side. Two things to watch:
  1. A destination of only the WAN subnet matches hosts in that subnet, not the internet behind the NAT gateway. If the clients have no internet, use destination "any" and put block rules for the two other internal networks above the pass rule, so the pass rule cannot leak sideways.
  2. The clients still have to talk to the DC. Add a pass rule from the client network to the DC's address for DNS (53), Kerberos (88 and 464), RPC (135 plus the dynamic range 49152-65535), LDAP/LDAPS (389/636, 3268/3269 for the global catalog) and SMB (445). Everything else towards the server network stays blocked.
Pasted image 20250817142803.png
Now do the server and DMZ networks. The DMZ gets only its rule towards the WAN and no rule towards the server or client networks; that is the whole point of the exercise.
Change the name of the servers for easy identification.
Pasted image 20250817143242.png
Then move to the DHCP relay settings.
Pasted image 20250817151331.png
Enable the relay on the client interface and enter the DC's address as the destination server. The DHCP server lives in 192.168.100.0/24, so a client's broadcast DISCOVER in 10.0.0.0/8 only reaches it through this relay. The relayed request carries the router's client-side address as giaddr, which is why the DC later needs a scope for 10.0.0.0/8 rather than for its own network.
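A quick check that the rules do what the intro promises, as an added example that is not part of the original post. It uses plain TCP connects rather than Test-NetConnection so the same script runs in Windows PowerShell on a domain client and in pwsh on the Ubuntu DMZ host. The DC address 192.168.100.10 is an assumption; the post never states it.

```powershell
# Added example (not from the original post): verify the segmentation from a host
# in one of the networks. Assumed: the first DC is 192.168.100.10.
$Dc = '192.168.100.10'

# TCP ports a domain member needs on a DC: DNS, Kerberos, RPC endpoint mapper,
# LDAP, SMB (SYSVOL/NETLOGON), kpasswd, LDAPS, global catalog.
$AdPorts = 53, 88, 135, 389, 445, 464, 636, 3268

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # A dropped packet never gets an answer, so a timeout means "filtered".
        if (-not $client.ConnectAsync($Target, $Port).Wait($TimeoutMs)) { return 'filtered' }
        return 'open'
    } catch {
        return 'closed'    # RST: reachable host with nothing listening, or a reject rule
    } finally {
        $client.Dispose()
    }
}

# What each network should see. 'blocked' accepts both filtered and closed,
# because the result depends on whether the firewall drops or rejects.
$Policy = @{
    client = 'open'      # clients must authenticate, so the AD ports are allowed
    dmz    = 'blocked'   # the DMZ has no rule towards the server network
}

function Test-Segmentation {
    param([ValidateSet('client', 'dmz')][string]$Role)
    $failures = @()
    foreach ($port in $AdPorts) {
        $state = Test-TcpPort -Target $Dc -Port $port
        $ok = if ($Policy[$Role] -eq 'open') { $state -eq 'open' } else { $state -ne 'open' }
        Write-Host ('{0,-6} {1}:{2,-5} {3,-8} {4}' -f $Role, $Dc, $port, $state, $(if ($ok) { 'OK' } else { 'MISMATCH' }))
        if (-not $ok) { $failures += "${Dc}:$port is $state, expected $($Policy[$Role])" }
    }
    if ($failures) { Write-Warning ("Segmentation check failed:`n" + ($failures -join "`n")) }
    return ($failures.Count -eq 0)
}

# From a domain client:                 Test-Segmentation -Role client
# From the DMZ web server (with pwsh):  Test-Segmentation -Role dmz
```

Run it once from a client (every AD port must come back open) and once from the DMZ box (every port must come back filtered or closed). A single "open" from the DMZ side means a rule on the DMZ interface is wider than it should be.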

The servers

Let's set up AD on the first DC. I'm going to use PowerShell so everyone can follow. Two notes on the values used: ".local" collides with mDNS (Bonjour/Avahi), so outside a lab use a subdomain of a domain you own; and the DomainMode/ForestMode value Win2025 only exists on Windows Server 2025, so on older media use WinThreshold (2016) or Win2012R2.

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment
# Prompts for the DSRM (Safe Mode) password because -SafeModeAdministratorPassword is omitted.
Install-ADDSForest `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -DomainMode "Win2025" `
    -ForestMode "Win2025" `
    -DomainName "idk.local" `
    -InstallDns:$true `
    -Force:$true

I also installed the DHCP role on the DC. Remember that an AD-integrated DHCP server refuses to hand out leases until it is authorised in the directory, and that the scope has to cover the client network (10.0.0.0/8), not the server network, because the requests arrive through the relay.

Join the second server to the domain and then promote it with Install-ADDSDomainController (not Install-ADDSForest, which would create a second forest) so it becomes a second DC, DNS server and global catalog.
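The DHCP scope, the authorisation and the second DC in PowerShell, as an added example that is not part of the original post. It assumes addresses the post never gives: DC01 at 192.168.100.10, the router's client-side address 10.0.0.1, and DC02 as the name of the second server.

```powershell
# Added example, not from the original post. Assumptions: DC01 = 192.168.100.10,
# router address in the client network = 10.0.0.1, second server named DC02.

# --- DHCP on DC01 (after Install-ADDSForest and the reboot) -------------------
Install-WindowsFeature -Name DHCP -IncludeManagementTools

# Relayed DISCOVERs arrive with giaddr = 10.0.0.1, so the scope must match the
# client network, not the server network the DHCP server itself lives in.
Add-DhcpServerv4Scope -Name 'Clients' -StartRange 10.0.0.100 -EndRange 10.0.0.200 `
    -SubnetMask 255.0.0.0 -State Active
# Gateway = the router's client-side address; DNS = the DC, so clients can find the domain.
Set-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -Router 10.0.0.1 `
    -DnsServer 192.168.100.10 -DnsDomain 'idk.local'

# Without this the service starts but stays silent (unauthorised DHCP server in an AD).
Add-DhcpServerInDC -DnsName 'dc01.idk.local' -IPAddress 192.168.100.10
Get-DhcpServerInDC    # should list dc01.idk.local

# --- Second DC: run on DC02 (static IP in 192.168.100.0/24, DNS = 192.168.100.10)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
$cred = Get-Credential -UserName 'IDK\Administrator' -Message 'Domain admin for the join and promotion'
Add-Computer -DomainName 'idk.local' -Credential $cred -Restart

# After the reboot: promote as an additional DC with DNS and global catalog.
# Prompts for the DSRM password because -SafeModeAdministratorPassword is omitted.
Install-ADDSDomainController -DomainName 'idk.local' -Credential $cred `
    -InstallDns:$true -NoGlobalCatalog:$false -SiteName 'Default-First-Site-Name' `
    -DatabasePath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' -Force:$true

# --- Verify from DC01 once DC02 is back up -------------------------------------
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, IsGlobalCatalog
repadmin /replsummary                   # zero failures in both directions
Get-DhcpServerv4Lease -ScopeId 10.0.0.0 # the clients from the next section show up here
```

Point DC02's DNS at DC01 before the join and switch both DCs to use each other afterwards; a DC that resolves only itself replicates fine, but loses DNS the moment it is the one that is down.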

The clients

If you configured everything correctly, the client gets an IP address from the DHCP server on the DC through the relay on the router. Check with ipconfig /all: the "DHCP Server" field shows the DC's address in 192.168.100.0/24 and the DNS server points at the DC.
Pasted image 20250818100816.png

The DMZ

I installed apache2 on an Ubuntu server to demonstrate the DMZ. Give it a static address in 172.16.0.0/16 and, if it should be reachable from outside, a port forward on the WAN interface for 80/443 only. It gets no rule towards the server or client networks, so even a compromised web server cannot reach the DCs.
https://youtu.be/XUb8kwJz_gc

Sources

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-credential?view=powershell-7.5
https://activedirectorypro.com/install-ad-ds/