A hands-on lab to build:
- Active Directory setup for centralized authentication
- Splunk SIEM deployment for log collection and threat analysis
- Windows Server - Domain Controller with Active Directory, DNS, and DHCP
- Windows 11 - Domain-joined workstation
- Splunk - SIEM platform for log ingestion and analysis
Windows Server - 10.1.10.x - Domain Controller - Host-only
Windows 11 - 10.1.10.x - Domain Workstation - Host-only
Subnet: 255.x.x.x
Default Gateway: 10.1.10.x
All virtual machines were created and managed using Oracle VirtualBox. Each VM uses dual network adapters:
- Adapter 1: Host-only (for internal lab communication)
- Adapter 2: NAT (for internet access)
While setting up the Active Directory lab, my virtual machines (Windows Server and Windows 11) were configured with static IPs on a Host-only network (10.1.10.x subnet). This allowed internal communication between the two VMs but no internet access for software updates or tool downloads.
I configured dual adapters: Adapter 1 attached to the Host-only Adapter (purpose: internal lab network, 10.1.10.x) and Adapter 2 attached to NAT.
I verified connectivity by pinging my server and client IP addresses to confirm they are communicating, and by pinging 8.8.8.8 and google.com to confirm DNS and internet resolution.
Both VMs (Windows Server and Windows 11) can now:
- Communicate within the lab network (Host-only)
- Access the internet via NAT
- Perform AD-related downloads, Windows updates, and install security tools such as Splunk
Splunk Web returned “Oops. Page not found!” when adding a local event log input on Windows Server. Splunk Web failed to load the local event log configuration page, likely due to permissions or UI rendering issues.
Configured Windows Event Logs manually by editing inputs.conf under C:\Program Files\Splunk\etc\system\local, then restarted the Splunk service to activate the inputs.
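The manual workaround described above, as an added example that is not the author's own script. It assumes the install path shown on this page, an elevated PowerShell session, and the Security, System and Application channels (the page does not list which logs were enabled).

```powershell
# Added example: writes WinEventLog stanzas to inputs.conf, verifies them, restarts Splunk.
$SplunkHome = 'C:\Program Files\Splunk'   # default path, as shown on this page
$LocalDir   = Join-Path $SplunkHome 'etc\system\local'
$InputsConf = Join-Path $LocalDir 'inputs.conf'

# Channels to collect (assumption: the page does not say which were used).
$Channels = 'Security', 'System', 'Application'

# Keep a timestamped backup of any existing file before changing it.
if (Test-Path $InputsConf) {
    Copy-Item $InputsConf "$InputsConf.$(Get-Date -Format yyyyMMddHHmmss).bak"
} else {
    New-Item -ItemType File -Path $InputsConf -Force | Out-Null
}

$existing = Get-Content $InputsConf -Raw
if ($null -eq $existing) { $existing = '' }

foreach ($channel in $Channels) {
    $header = "[WinEventLog://$channel]"
    # Skip channels that already have a stanza so re-running does not duplicate them.
    if ($existing.Contains($header)) { continue }
    $stanza = @"

$header
disabled = 0
start_from = oldest
current_only = 0
renderXml = false
"@
    # ASCII avoids a byte-order mark at the top of the .conf file.
    Add-Content -Path $InputsConf -Value $stanza -Encoding ASCII
}

# Show the merged inputs Splunk will load, with the file each setting comes from.
& "$SplunkHome\bin\splunk.exe" btool inputs list --debug |
    Select-String -Pattern 'WinEventLog://' -Context 0,4

# Restart so the new inputs take effect.
& "$SplunkHome\bin\splunk.exe" restart
```

If the `btool` output shows no `WinEventLog://` stanzas sourced from `etc\system\local\inputs.conf`, the file was not parsed as expected and the restart will not start collection.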