Certainly! Here's a detailed reference guide with specific information and synthetic data for setting up your `homelab.local` Active Directory domain: # Reference Guide: Setting Up `homelab.local` AD Domain ## Introduction This guide provides a step-by-step process for creating the `homelab.local` Active Directory domain, designed for a home network with personal devices, a cybersecurity lab, network-attached storage (NAS), and various IT equipment. The guide focuses on security, management, and operational efficiency. ## Domain Configuration ### Step 1: Domain and Controller Setup 1. **Primary Domain Controller (PDC):** - Server Name: `DC01` - OS: Windows Server 2019 Standard - IP Address: `192.168.1.10` - Hardware: Dell PowerEdge R440, 32GB RAM, 2x1TB SSD (RAID 1) 2. **Secondary Domain Controller (SDC):** - Server Name: `DC02` - OS: Windows Server 2019 Standard - IP Address: `192.168.1.11` - Hardware: Dell PowerEdge R440, 16GB RAM, 2x1TB SSD (RAID 1) ### Step 2: Organizational Units (OUs) and Structure 1. **Create OUs for Major Areas:** - `CyberLab` - `HomeDevices` - `NAS` - `Users` 2. **Define Sub-OUs:** - Under `CyberLab`: `Testing Environments`, `Research`, `Tools` - Under `NAS`: `Media`, `Personal Storage`, `Lab Data` ### Step 3: Security Groups and User Accounts 1. **Establish Security Groups:** - `LabAdmins`: Full access to CyberLab resources - `FamilyMembers`: Access to HomeDevices and Media shares - `MediaAccess`: Read-only access to Media shares - `Guests`: Limited access to guest network and resources 2. **Create User Accounts:** - Admin Account: `admin@homelab.local` - Family User Accounts: - `john.doe@homelab.local` - `jane.doe@homelab.local` - `alice.doe@homelab.local` - Guest Account: `guest@homelab.local` ### Step 4: Network Configuration and Security 1. **VLANs and Subnets:** - `VLAN 10`: CyberLab - `192.168.10.0/24` - `VLAN 20`: HomeDevices - `192.168.20.0/24` - `VLAN 30`: NAS - `192.168.30.0/24` - `VLAN 40`: Management - `192.168.40.0/24` 2. **Firewall Rules:** - Allow inbound traffic on `VLAN 10` for RDP (TCP/3389), SSH (TCP/22), and HTTP(S) (TCP/80, TCP/443) - Allow outbound traffic on `VLAN 10` to `VLAN 30` for NAS access (SMB, NFS) - Allow inbound traffic on `VLAN 20` for RDP (TCP/3389) and HTTP(S) (TCP/80, TCP/443) - Allow outbound traffic on `VLAN 20` to `VLAN 30` for NAS access (SMB, NFS) - Deny all other traffic between VLANs ### Step 5: NAS Configuration and Access 1. **NAS Device:** - Model: Synology DS1819+ - IP Address: `192.168.30.10` - Shares: - `Media`: Read-only access for `MediaAccess` group, read-write for `FamilyMembers` group - `Personal Storage`: Individual user folders with read-write access for respective users - `Lab Data`: Read-write access for `LabAdmins` group 2. **NAS Backup:** - Daily incremental backup to external USB drive - Weekly full backup to cloud storage (e.g., Backblaze B2) ### Step 6: Group Policy Objects (GPOs) 1. **Password Policy:** - Minimum password length: 12 characters - Password complexity: Enabled - Maximum password age: 90 days - LabAdmins Group: - Minimum password length: 16 characters - Maximum password age: 60 days 2. **Windows Update Policy:** - Automatic updates: Enabled - Schedule: Every Sunday at 2:00 AM 3. **Software Restriction Policy:** - Whitelist: `C:\Program Files`, `C:\Program Files (x86)` - Blacklist: `C:\Users\*\AppData\Local\Temp`, `C:\Windows\Temp` 4. **NAS Access GPO:** - Applied to `NAS` OU - Drive mappings: - `M:` for `Media` share - `P:` for `Personal Storage` share - `L:` for `Lab Data` share ## Mermaid Diagram ```mermaid graph TD; A[PDC: DC01] -->|Manages| B[CyberLab] A -->|Manages| C[HomeDevices] A -->|Manages| D[NAS] A -->|Manages| E[Users] B --> F[Testing Environments] B --> G[Research] B --> H[Tools] C --> I[john.doe Laptop] C --> J[jane.doe Laptop] C --> K[alice.doe Laptop] C --> L[Smart TV] D --> M[Media] D --> N[Personal Storage] D --> O[Lab Data] E --> P[admin] E --> Q[john.doe] E --> R[jane.doe] E --> S[alice.doe] E --> T[guest] ``` ## Conclusion This detailed reference guide provides specific information and examples for setting up the `homelab.local` Active Directory domain. By following these steps and configurations, you can create a secure, organized, and efficient environment for your home network and cybersecurity lab. --- Certainly! Here's the updated reference guide for setting up your `homelab.local` Active Directory domain: # Reference Guide: Setting Up `homelab.local` AD Domain ## Introduction This guide outlines the process for creating an Active Directory (AD) domain, `homelab.local`, tailored for a comprehensive home network that includes personal devices, a cybersecurity lab, network-attached storage (NAS), and various IT and server equipment. It focuses on security, management, and operational efficiency. ## Domain Configuration ### Step 1: Domain and Controller Setup 1. **Primary Domain Controller (PDC):** Choose a dedicated or virtual server with sufficient resources to run Windows Server. This server will manage the `homelab.local` domain. 2. **Secondary Domain Controller (SDC):** Optional but recommended for redundancy. Can be less resource-intensive and also runs Windows Server. ### Step 2: Organizational Units (OUs) and Structure 1. **Create OUs for Major Areas:** - `CyberLab`: For cybersecurity research and testing. - `HomeDevices`: For personal and home devices. - `NAS`: For network-attached storage access and management. - `Users`: For managing user accounts and permissions. 2. **Define Sub-OUs:** - Under `CyberLab`: Create `Testing Environments`, `Research`, `Tools`. - Under `NAS`: Create `Media`, `Personal Storage`, `Lab Data`. ### Step 3: Security Groups and User Accounts 1. **Establish Security Groups:** - `LabAdmins`, `FamilyMembers`, `MediaAccess`, `Guests`, with permissions tailored to their needs. 2. **Create User Accounts:** - Setup `Admin Account(s)` for AD and resource management. - Create individual `Family User Accounts` and `Guest Accounts` as needed. - Use a clear naming convention for user accounts, e.g., `john.doe_001`. ### Step 4: Network Configuration and Security 1. **Segment LAN/WLAN:** - Differentiate between `CyberLab` and `HomeDevices` networks for security and traffic isolation. 2. **Implement Firewall Rules:** - Control traffic between network segments, especially protecting `CyberLab` resources. - Create specific firewall rules for each sub-OU within the `CyberLab`. ### Step 5: NAS Configuration and Access 1. **Set Up Storage Areas:** - Allocate `Media`, `Personal Storage`, and `Lab Data` areas within the NAS, setting appropriate access permissions for each user or group. 2. **NAS Backup Strategy:** - Implement a separate backup strategy for the NAS, including regular incremental backups to an external drive or cloud storage service. ### Step 6: Group Policy Objects (GPOs) 1. **Define Key Policies:** - Enforce a strong `Password Policy`, with a stricter policy for the `LabAdmins` group. - Set an `Update Policy` for automatic Windows updates. - Apply `Software Restrictions` to limit installations on personal and home devices, using a whitelist of approved software. 2. **GPO for NAS Access:** - Create a dedicated GPO for NAS access, defining user and group permissions for specific shares. ## Mermaid Diagram ```mermaid graph TD; A[PDC: homelab.local] -->|Manages| B[CyberLab] A -->|Manages| C[HomeDevices] A -->|Manages| D[NAS] A -->|Manages| E[Users] B --> F[Testing Environments] B --> G[Research] B --> H[Tools] C --> I[Personal Laptops] C --> J[Smart Home Devices] D --> K[Media] D --> L[Personal Storage] D --> M[Lab Data] E --> N[Admins] E --> O[Family] E --> P[Guests] N --> Q[Admin Account] O --> R[Family User Accounts] P --> S[Guest Accounts] ``` ## Conclusion This updated reference guide provides a comprehensive blueprint for setting up a secure and efficient Active Directory domain for your home network and cybersecurity lab. By following these steps and considering the additional recommendations, you can create a well-organized, manageable environment that supports both your professional and personal digital activities.