Context
Deployment of an Active Directory environment in the homelab for hands-on Windows Server administration in realistic conditions. The DC runs on PVE-02 (always-on) in VLAN 10 MGMT. The domain corp.homelab.lan is intentionally separate from homelab.lan (Proxmox infra FQDN) — no collision with existing DNS resolution.
Technical parameters
| Parameter | Value |
|---|---|
| Proxmox VM | vm-dc-01 (VMID 502) |
| Host node | PVE-02 (HP ProDesk 600 G2, 24/7) |
| Windows hostname | DC01 → FQDN DC01.corp.homelab.lan |
| OS | Windows Server 2022 Standard Core (180-day eval, no Desktop Experience) |
| Static IP | Fixed IP on VLAN 10 MGMT |
| Gateway | pfSense (VLAN 10 MGMT) |
| DNS (post-promotion) | 127.0.0.1 + forwarder → AdGuard Home (VLAN 10 MGMT) |
| AD domain | corp.homelab.lan (new forest, functional level WinThreshold/2016) |
| VM resources | 2 vCPU (host), 4096 MB RAM (balloon off), 60 GB VirtIO SCSI |
| Firmware | UEFI (OVMF) + q35 machine type |
What I did
Phase 1 — Windows Server 2022 Core VM
- Created the VM via CLI: `qm create 502` (q35/OVMF, VirtIO SCSI, VirtIO NIC on vmbr0 without VLAN tag → VLAN 10 MGMT access)
- Installed Windows Server 2022 Standard Core (no Desktop Experience — lighter footprint, CLI/PowerShell practice)
- Loaded VirtIO drivers from the virtual CD (`vioscsi\2k22\amd64`) so the disk is detected
- Installed QEMU Guest Agent (`virtio-win-guest-tools.exe`) — Proxmox now shows the VM's IP
- PowerShell configuration: hostname `DC01`, static VLAN 10 MGMT IP, temp DNS to AdGuard, Europe/Paris timezone
- Enabled RDP for remote administration (from VLAN 10 via `mstsc`)
- Ejected ISOs and locked boot to VirtIO disk
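The guest-side part of phase 1 as one script, added here as an example and not the page's own commands. It assumes the VirtIO NIC shows up as `Ethernet`, and every IP address in it is a placeholder for the real VLAN 10 MGMT values, which the page does not list. It is meant to be typed at the Proxmox console of the VM, because the DHCP lease is removed before the static address is set and any RDP session would drop at that point.

```powershell
# Added example (not the page's own script): first-boot configuration of the
# Server Core guest, run from the VM console in an elevated PowerShell session.
# All addresses below are placeholders, not values from the page.
$Hostname   = 'DC01'
$IfAlias    = 'Ethernet'          # assumption: alias of the VirtIO NIC as listed by Get-NetAdapter
$StaticIP   = '10.0.10.50'        # placeholder: the DC's VLAN 10 MGMT address
$PrefixLen  = 24
$Gateway    = '10.0.10.1'         # placeholder: pfSense on VLAN 10
$AdGuardDns = '10.0.10.53'        # placeholder: AdGuard Home on VLAN 10

# Fail early on a wrong alias rather than configuring the wrong interface.
$nic = Get-NetAdapter -Name $IfAlias -ErrorAction Stop
if ($nic.Status -ne 'Up') { throw "Adapter $IfAlias is $($nic.Status); check the VirtIO NIC and vmbr0." }

# 1. Static addressing. Disable DHCP first, otherwise the lease survives next to the
#    static address and the DC answers from two IPs.
Set-NetIPInterface -InterfaceAlias $IfAlias -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $IfAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $IfAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $IfAlias -IPAddress $StaticIP -PrefixLength $PrefixLen `
    -DefaultGateway $Gateway | Out-Null

# 2. Temporary resolver: AdGuard until promotion. After Install-ADDSForest the DC
#    must resolve through its own DNS, so this setting is replaced in phase 2.
Set-DnsClientServerAddress -InterfaceAlias $IfAlias -ServerAddresses $AdGuardDns

# 3. Timezone (Europe/Paris). Kerberos compares UTC, but a correct zone keeps the
#    logs and the Proxmox RTC (localtime for Windows guests) consistent.
Set-TimeZone -Id 'Romance Standard Time'

# 4. RDP with Network Level Authentication kept on (UserAuthentication = 1).
#    The firewall group name is localized; 'Remote Desktop' matches an English install.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fDenyTSConnections' -Value 0
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 5. Rename last: it needs a reboot, and the name must be final before promotion
#    because renaming a domain controller afterwards is a multi-step operation.
Rename-Computer -NewName $Hostname -Force -Restart
```

The order matters in one place: the hostname is set last and the promotion happens only after the reboot, so the DC never has to be renamed once it holds the directory.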
Phase 2 — AD DS promotion + DNS corp.homelab.lan
- Installed the AD DS role (`Install-WindowsFeature AD-Domain-Services`)
- Created a new forest `corp.homelab.lan` (first DC)
- Configured AD-integrated DNS:
  - Authoritative zone `corp.homelab.lan` (AD-integrated, auto-replication)
  - Forwarder → AdGuard Home for external queries (preserves split-horizon filtering)
- NTP synchronisation (Kerberos requires < 5 min clock skew)
- Created OU hierarchy: Users, Computers, Groups, Servers
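Phase 2 end to end, added as an example rather than the page's own commands. It is split into two runs because `Install-ADDSForest` reboots the server: `-Phase Promote` before the reboot, `-Phase PostPromotion` after logging back in as the domain administrator. The NetBIOS name `CORP`, the NIC alias, the AdGuard address and the upstream NTP pool are assumptions the page does not state. One deliberate difference from the parameters table: the page lists `127.0.0.1` as the DC's DNS server, and the script puts the DC's own static address first with loopback second, which is Microsoft's recommendation for a DC's resolver order.

```powershell
# Added example (not the page's own script): AD DS role, forest creation, then
# the post-reboot DNS, NTP and OU steps. Values marked placeholder/assumption
# are not taken from the page.
param(
    [Parameter(Mandatory)][ValidateSet('Promote', 'PostPromotion')][string]$Phase
)
$DomainName  = 'corp.homelab.lan'
$NetbiosName = 'CORP'             # assumption: the page does not state the NetBIOS name
$IfAlias     = 'Ethernet'         # assumption: VirtIO NIC alias
$AdGuardDns  = '10.0.10.53'       # placeholder: AdGuard Home on VLAN 10
$NtpSource   = 'fr.pool.ntp.org'  # placeholder: the page names no upstream time source

if ($Phase -eq 'Promote') {
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment
    $dsrm = Read-Host -AsSecureString 'DSRM (Directory Services Restore Mode) password'
    # Pre-flight: reports name/DNS/credential problems without changing anything.
    $pre = Test-ADDSForestInstallation -DomainName $DomainName -DomainNetbiosName $NetbiosName `
        -SafeModeAdministratorPassword $dsrm -InstallDns -Force
    if ($pre.Status -ne 'Success') { throw "Pre-flight failed: $($pre.Message)" }
    # WinThreshold = 2016 functional level. -Force suppresses the interactive
    # warnings; the server reboots when this returns.
    Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
        -ForestMode WinThreshold -DomainMode WinThreshold -InstallDns `
        -SafeModeAdministratorPassword $dsrm -Force
}
else {
    Import-Module ActiveDirectory, DnsServer

    # DNS client: the DC resolves through its own AD-integrated zone, own address
    # first and 127.0.0.1 second so the resolver works while the service starts.
    $self = Get-NetIPAddress -InterfaceAlias $IfAlias -AddressFamily IPv4 |
        Where-Object PrefixOrigin -eq 'Manual' | Select-Object -First 1 -ExpandProperty IPAddress
    Set-DnsClientServerAddress -InterfaceAlias $IfAlias -ServerAddresses @($self, '127.0.0.1')

    # Forwarder to AdGuard for everything outside the zone. Root hints are disabled
    # as fallback so a forwarder outage cannot silently bypass AdGuard's filtering.
    Set-DnsServerForwarder -IPAddress $AdGuardDns -UseRootHint $false

    # What a client will depend on: an AD-integrated zone and the DC-locator SRV record.
    $zone = Get-DnsServerZone -Name $DomainName
    if (-not $zone.IsDsIntegrated) { throw "$DomainName is not AD-integrated" }
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $self `
        -ErrorAction SilentlyContinue
    if (-not $srv) { throw 'DC locator SRV record missing; check Netlogon DNS registration' }

    # Time: this DC holds the PDC emulator role, the root of the domain time hierarchy,
    # so it is the one machine that syncs externally. 0x8 = client mode.
    w32tm /config /manualpeerlist:"$NtpSource,0x8" /syncfromflags:manual /reliable:yes /update | Out-Null
    Restart-Service w32time
    w32tm /resync | Out-Null
    w32tm /query /source

    # OU layout from the page. These OUs are distinct from the built-in CN=Users and
    # CN=Computers containers, which keep receiving new objects unless redirected.
    $domainDN = (Get-ADDomain -Identity $DomainName).DistinguishedName
    foreach ($ou in 'Users', 'Computers', 'Groups', 'Servers') {
        $exists = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ou)" -SearchBase $domainDN -SearchScope OneLevel
        if (-not $exists) {
            New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
        }
    }
    redirusr "OU=Users,$domainDN"
    redircmp "OU=Computers,$domainDN"
}
```

The `redirusr`/`redircmp` calls are the check most people forget: without them, a machine joined with the default settings lands in `CN=Computers`, where no OU-linked GPO reaches it.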
Group Policy (GPO)
- Password policy GPO: minimum 12 characters, complexity, 90-day expiry
- Restrictions GPO: Control Panel disabled, USB storage blocked
- Workstation GPO: network drive mapping, wallpaper enforcement
- Verified with `gpresult /r` and `gpupdate /force` from client machines
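The registry-backed part of the Restrictions GPO and the verification steps, added here as an example and not the page's own script; GPO and OU names follow the page, the rest is assumption. It also carries the check a practitioner wants before trusting the password policy: domain accounts read their password settings only from the highest-precedence GPO linked at the domain root (the Default Domain Policy unless overridden) or from a fine-grained policy, so a password GPO linked to an OU changes nothing for domain accounts, and the script reads what is actually in effect instead of what the GPO says.

```powershell
# Added example (not the page's own script): Restrictions GPO via the GroupPolicy
# module, the effective password policy check, and the client-side verification.
Import-Module GroupPolicy, ActiveDirectory
$Domain   = 'corp.homelab.lan'
$domainDN = (Get-ADDomain -Identity $Domain).DistinguishedName
$UsersOU  = "OU=Users,$domainDN"       # OU names from the page
$WsOU     = "OU=Computers,$domainDN"

# --- Restrictions GPO (idempotent) ---
$gpo = Get-GPO -Name 'Restrictions' -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name 'Restrictions' -Comment 'Control Panel off, removable storage denied' }

# User setting: "Prohibit access to Control Panel and PC settings".
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
# Computer setting: "All Removable Storage classes: Deny all access".
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
    -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# A link delivers only the half that matches the objects under it: the HKCU value
# needs a link where the user accounts live, the HKLM value one where the
# computer accounts live. Hence one GPO, two links.
foreach ($target in $UsersOU, $WsOU) {
    $linked = (Get-GPInheritance -Target $target).GpoLinks.Where({ $_.DisplayName -eq $gpo.DisplayName })
    if (-not $linked) { New-GPLink -Name $gpo.DisplayName -Target $target -LinkEnabled Yes | Out-Null }
}

# --- Password policy: read what the domain actually enforces ---
function Get-EffectivePasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    [pscustomobject]@{
        MinLength  = $p.MinPasswordLength
        Complexity = $p.ComplexityEnabled
        MaxAgeDays = $p.MaxPasswordAge.Days
        History    = $p.PasswordHistoryCount
        Lockout    = $p.LockoutThreshold
        PSOs       = @(Get-ADFineGrainedPasswordPolicy -Filter *).Count   # PSOs override the domain policy per user/group
    }
}
$eff = Get-EffectivePasswordPolicy
if ($eff.MinLength -lt 12 -or -not $eff.Complexity -or $eff.MaxAgeDays -ne 90) {
    Write-Warning "Effective domain policy differs from the target (12 chars, complexity, 90 days):`n$($eff | Out-String)"
}

# --- Client-side verification, run on a joined workstation ---
#   gpupdate /force        re-applies every GPO, not only the changed ones
#   gpresult /r            lists the GPOs applied to the current user and computer
#   gpresult /h gp.html    full report with the resulting values, to compare with the above
```

If the warning fires even though a "Password policy" GPO exists, the usual cause is the link: the settings sit on an OU instead of the domain root, or the Default Domain Policy still wins on precedence.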
Architecture decisions
| Topic | Decision | Reason |
|---|---|---|
| OS mode | Core (no Desktop Experience) | ~4 GB RAM, CLI/PowerShell = real SISR practice |
| Host node | PVE-02 (24/7) | DC must stay available continuously |
| VLAN | VLAN 10 MGMT | No recabling needed, uplink already in VLAN 10 access mode |
| DHCP | No DHCP role on DC | Kea/pfSense stays the VLAN 10 DHCP server |
| Domain | corp.homelab.lan | Zero collision with homelab.lan or services domain |
Skills covered
Active Directory is the foundation of digital identity management (B3.2) and IT asset management (B1.1). GPOs enable centralised equipment and usage hardening (B3.3). The integrated DNS configuration covers directory service deployment (B2.2).