
Running Windows Server in my home lab: AD, DNS, and Group Policy

Setting up a Windows Server VM in Proxmox for Active Directory, DNS, and Group Policy — and why it's worth having even in a home lab.


Most home lab setups are entirely Linux. Mine mostly is too — but a Windows Server VM running Active Directory has been one of the most valuable additions to the lab. It gives me a local environment to test Group Policy, practice AD administration, understand Entra ID hybrid identity, and replicate the kind of environment I manage professionally.

VM setup in Proxmox

Windows can't run in an LXC container (containers share the Proxmox host's Linux kernel), so Windows Server needs a full KVM VM. The VirtIO paravirtualised drivers for disk and network are essential for decent performance; without them you get emulated IDE/E1000 devices and the VM crawls.

VM configuration:

CPU:    4 cores (host type for best performance)
RAM:    8192MB
Disk:   60GB (VirtIO SCSI)
NIC:    VirtIO (vmbr0, Trusted VLAN)
CD 1:   Windows Server 2022 Evaluation ISO
CD 2:   VirtIO drivers ISO (from fedorapeople.org/groups/virt/virtio-win)

During Windows installation the disk selection screen will be empty, because Windows ships no in-box driver for the VirtIO SCSI controller. Click “Load driver”, browse the VirtIO CD to \amd64\w11\ and load the storage driver; the disk then appears. After the first boot, run the guest tools installer from the same ISO so the VirtIO network driver and the QEMU guest agent are installed too, otherwise the NIC will show as an unknown device.

Windows Server installation

Download Windows Server 2022 Evaluation from Microsoft (180-day free trial, no licence key needed for lab use). Install with Desktop Experience for the full GUI.

Post-install essentials:

# Rename the computer before promoting to DC (the -Restart reboots immediately,
# so run the networking commands below after the machine comes back)
Rename-Computer -NewName "DC01" -Restart

# Set a static IP (critical before AD promotion: a DC's address must not change).
# The alias is not always "Ethernet"; check it first with Get-NetAdapter.
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 192.168.1.10 -PrefixLength 24 -DefaultGateway 192.168.1.1
# After promotion the DC is its own DNS server, so point the resolver at loopback
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 127.0.0.1

Installing Active Directory

# Install the AD DS role
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Promote to domain controller. The SafeMode password is the Directory Services
# Restore Mode (DSRM) password: an offline recovery credential, not a login.
Import-Module ADDSDeployment
Install-ADDSForest `
    -DomainName "lab.local" `
    -DomainNetbiosName "LAB" `
    -SafeModeAdministratorPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force) `
    -InstallDns:$true `
    -Force:$true

The server reboots automatically after promotion. On login, the local Administrator account has become the domain's built-in Administrator, so you're now a domain administrator. Two caveats worth knowing even in a lab: record the DSRM password somewhere safe (it is the only way in if the directory database won't start, and in a real deployment you would prompt for it rather than leave it in a script), and note that `.local` collides with mDNS/Bonjour on macOS and Linux clients. Microsoft's recommendation for anything beyond a throwaway lab is a subdomain of a public domain you own, e.g. ad.example.com, which also avoids the UPN problems that come up later with Entra ID.

DNS configuration

AD relies heavily on DNS. The DC runs its own DNS server automatically after promotion. Configure pfSense/UniFi to forward lab.local queries to the DC:

In pfSense, under Services → DNS Resolver → Domain Overrides:

Domain:     lab.local
IP address: 192.168.1.10 (DC IP)

Clients on the LAN will now resolve lab.local names via the DC while everything else goes through the normal upstream resolver. The reverse direction matters too: by default a freshly promoted DC resolves everything it isn't authoritative for via the Internet root hints, so set pfSense as a forwarder in DNS Manager → server properties → Forwarders (or with Set-DnsServerForwarder) so the DC's own lookups stay inside the lab.
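The following post-promotion health check is an added example, not part of the original post. It runs on the DC after the reboot and covers the things that most often go wrong after a lab promotion: a core service that didn't start, missing SYSVOL/NETLOGON shares (Group Policy silently fails without them), and missing SRV records (clients can't locate a DC or KDC). It also sets the DC's forwarder to pfSense. The names and addresses are the ones used in this post; the pfSense address 192.168.1.1 as upstream resolver is an assumption.

```powershell
# Added example (not from the original post). Run on DC01 after promotion.
# Assumes: domain lab.local, DC at 192.168.1.10, pfSense resolver at 192.168.1.1.
Import-Module ActiveDirectory, DnsServer

$DomainName = 'lab.local'
$DcAddress  = '192.168.1.10'
$Upstream   = '192.168.1.1'   # assumed: pfSense answers everything that isn't lab.local

# Forward non-authoritative queries to pfSense instead of the Internet root hints
Set-DnsServerForwarder -IPAddress $Upstream -UseRootHint $false

function Test-LabDomainController {
    # 1. Services AD cannot function without (DFSR replicates SYSVOL on a 2022 forest)
    $services = Get-Service -Name NTDS, DNS, Netlogon, Kdc, DFSR |
        Select-Object Name, Status

    # 2. Domain object and the DC the locator service hands back
    $domain = Get-ADDomain -Identity $DomainName
    $dc     = Get-ADDomainController -Discover -DomainName $DomainName -ForceDiscover

    # 3. SYSVOL and NETLOGON must be shared or clients cannot pull policy
    $shares = Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue

    # 4. SRV records clients use to find a DC (LDAP) and a KDC (Kerberos)
    $srv = foreach ($name in "_ldap._tcp.dc._msdcs.$DomainName", "_kerberos._tcp.$DomainName") {
        Resolve-DnsName -Name $name -Type SRV -Server $DcAddress -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object Name, NameTarget, Port
    }

    [PSCustomObject]@{
        Services    = $services
        PdcEmulator = $domain.PDCEmulator     # all FSMO roles sit on DC01 in a one-DC forest
        DcHostName  = $dc.HostName
        SiteName    = $dc.Site
        Shares      = $shares.Name
        SrvRecords  = $srv
        Forwarders  = (Get-DnsServerForwarder).IPAddress
    }
}

Test-LabDomainController | Format-List

# Microsoft's own DC diagnostics; /q prints only failures, so silence is good
dcdiag /q
```

If Shares comes back empty, wait a few minutes after the first reboot and re-run: SYSVOL is only shared once the initial DFSR replication state is set, and Group Policy will not apply to anything until it is.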

Creating users and OUs

# Create Organisational Units
New-ADOrganizationalUnit -Name "Lab Users" -Path "DC=lab,DC=local"
New-ADOrganizationalUnit -Name "Lab Computers" -Path "DC=lab,DC=local"
New-ADOrganizationalUnit -Name "Lab Servers" -Path "DC=lab,DC=local"

# Create a test user
New-ADUser `
    -Name "Test User" `
    -GivenName "Test" `
    -Surname "User" `
    -SamAccountName "testuser" `
    -UserPrincipalName "testuser@lab.local" `
    -Path "OU=Lab Users,DC=lab,DC=local" `
    -AccountPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force) `
    -Enabled $true
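Creating one test user by hand is fine, but a lab is more useful with a handful of accounts in different departments and groups. The script below is an added example (not from the original post) that bulk-creates users from inline data with a unique random password each, forces a password change at first logon, and drops them into a security group. It assumes the "Lab Users" OU from above; the names in the CSV are made up, and the "Lab Staff" group is an assumption.

```powershell
# Added example (not from the original post): bulk user creation into the
# "Lab Users" OU. The user list is constructed sample data.
Import-Module ActiveDirectory

$OuPath = 'OU=Lab Users,DC=lab,DC=local'
$Domain = 'lab.local'

# Constructed sample data; in practice this would come from Import-Csv
$people = @'
GivenName,Surname,Department
Alice,Okafor,IT
Bob,Lindqvist,Finance
Carol,Mensah,IT
'@ | ConvertFrom-Csv

function New-RandomPassword {
    param([int]$Length = 20)
    # Rejection sampling over a CSPRNG so every character is uniformly chosen;
    # ambiguous glyphs (0/O, 1/l/I) are left out of the alphabet.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = [byte[]]::new(1)
    do {
        $sb = [System.Text.StringBuilder]::new()
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
        }
        $candidate = $sb.ToString()
        # Loop until the result satisfies the domain complexity rule (3 of 4 classes)
    } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and $candidate -match '\d')
    $rng.Dispose()
    $candidate
}

# Assumed group; created on first run, reused afterwards
$group = Get-ADGroup -Filter "Name -eq 'Lab Staff'" -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-ADGroup -Name 'Lab Staff' -GroupScope Global -GroupCategory Security -Path $OuPath -PassThru
}

foreach ($p in $people) {
    $sam      = ('{0}.{1}' -f $p.GivenName, $p.Surname).ToLower()   # sAMAccountName max 20 chars
    $password = New-RandomPassword

    New-ADUser -Name "$($p.GivenName) $($p.Surname)" `
        -GivenName $p.GivenName -Surname $p.Surname `
        -SamAccountName $sam `
        -UserPrincipalName "$sam@$Domain" `
        -Department $p.Department `
        -Path $OuPath `
        -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
        -ChangePasswordAtLogon $true `
        -Enabled $true

    Add-ADGroupMember -Identity $group -Members $sam

    # Initial passwords are handed over out of band and never written to a file or log
    [PSCustomObject]@{ SamAccountName = $sam; InitialPassword = $password }
}

# Verify what was created
Get-ADGroupMember -Identity $group | Select-Object SamAccountName, distinguishedName
```

-ChangePasswordAtLogon $true is the detail that matters: it means the password you just saw on screen is a one-time bootstrap secret rather than a long-lived credential, which is the habit you want before the same script runs against a real domain.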

Group Policy

Group Policy is where AD becomes genuinely powerful. A few useful GPOs for the lab:

Create and link a baseline GPO:

New-GPO -Name "Lab Baseline Policy" | `
    New-GPLink -Target "DC=lab,DC=local"

Useful settings to configure via Group Policy Management Console (gpmc.msc):

Computer Configuration → Windows Settings → Security Settings → Account Policies:
  - Minimum password length: 12
  - Account lockout threshold: 5 attempts
  - Lockout duration: 30 minutes
  (Account Policies are domain-wide: they are only honoured from a GPO linked at the domain root, which is why the baseline is linked there rather than to an OU. Set at OU level they silently do nothing for domain accounts.)

Computer Configuration → Administrative Templates → Windows Components → Windows Update:
  - Configure automatic updates: Notify for download

User Configuration → Windows Settings → Scripts → Logon:
  - Map network drives automatically (a logon script works; User Configuration → Preferences → Windows Settings → Drive Maps does the same thing declaratively and is easier to target per group)

Force a GPO update on domain-joined machines (this schedules gpupdate remotely, so the client's firewall must allow the Remote Scheduled Tasks Management and WMI rules; otherwise just run gpupdate /force on the client):

Invoke-GPUpdate -Computer "DESKTOP01" -Force
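The same baseline can be set from PowerShell, which is handy when you rebuild the lab from a snapshot and don't want to click through gpmc.msc again. This is an added example, not from the original post; it assumes the "Lab Baseline Policy" GPO linked at the domain root as above. The password history value is my addition, not something the post specifies.

```powershell
# Added example (not from the original post): the baseline settings as code,
# plus a read-back so you can confirm what actually took effect.
Import-Module ActiveDirectory, GroupPolicy

$Domain  = 'lab.local'
$GpoName = 'Lab Baseline Policy'
$AuKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Account Policies are domain-wide; this cmdlet writes them to the Default Domain
# Policy. The observation window must not exceed the lockout duration.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# "Configure Automatic Updates: Notify for download" is AUOptions=2 under the
# WindowsUpdate\AU policy key; write it straight into the baseline GPO.
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'AUOptions'    -Type DWord -Value 2 | Out-Null

function Get-LabBaselineState {
    [PSCustomObject]@{
        PasswordPolicy = Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
            Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, LockoutDuration
        AUOptions      = (Get-GPRegistryValue -Name $GpoName -Key $AuKey -ValueName 'AUOptions').Value
        # Every GPO linked at the domain root, in precedence order
        DomainLinks    = (Get-GPInheritance -Target "DC=lab,DC=local").GpoLinks |
            Select-Object DisplayName, Enabled, Enforced, Order
    }
}

Get-LabBaselineState | Format-List

# Human-readable dump of the whole GPO, useful for diffing after experiments
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:USERPROFILE\Desktop\lab-baseline.html"
```

On a client, Get-GPResultantSetOfPolicy -ReportType Html -Path C:\rsop.html (or gpresult /h) shows which of these settings actually reached the machine and which GPO won for each one.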

Joining a Windows client to the domain

On a Windows 10/11 VM on the same VLAN:

# Set DNS to point at the DC
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.1.10

# Join the domain
Add-Computer -DomainName "lab.local" -Credential LAB\Administrator -Restart

Connecting to Entra ID with Entra Connect

If you have a Microsoft 365 tenant, you can sync on-prem AD to the cloud using Entra Connect (formerly Azure AD Connect). This replicates how most real organisations operate.

Download Entra Connect from Microsoft and install it on the DC (a member server is the recommended placement, but for a single-server lab the DC is fine):

  1. Choose Express Settings for a lab setup
  2. Enter credentials for a Microsoft 365 account holding the Hybrid Identity Administrator role (Global Administrator also works)
  3. Enter your on-prem AD enterprise admin credentials
  4. Enable Password Hash Synchronisation
  5. Complete the wizard; the scheduler then runs a delta sync every 30 minutes by default

Users created in lab.local will sync to Entra ID, but because .local is not a routable domain you can verify in the tenant, Entra rewrites their UPN suffix to user@yourtenant.onmicrosoft.com. They can sign in to Microsoft 365 with their AD password, which is the foundation of hybrid identity. Two things to understand about what you've just built: Express Settings creates an MSOL_ service account in AD with directory replication rights (the same rights a DCSync attack needs), so the Entra Connect server and that account are now as sensitive as the DC itself; and if you want cloud UPNs to match on-prem ones, verify a domain you own in the tenant and add it as an alternate UPN suffix before syncing.
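The UPN rewrite is the most common surprise after a first sync. The added example below (not from the original post) fixes it on the AD side: it registers a routable UPN suffix at the forest level, rewrites the UPNs of users in the lab OU, and kicks off a delta sync so you don't have to wait 30 minutes. It assumes a placeholder domain lab.example.com that you have already verified in the tenant, and it must run on the Entra Connect server, since the ADSync module only exists there.

```powershell
# Added example (not from the original post). Run on the Entra Connect server.
# Assumes lab.example.com (placeholder) is a verified domain in your tenant.
Import-Module ActiveDirectory

$Suffix = 'lab.example.com'                    # assumed verified domain
$OuPath = 'OU=Lab Users,DC=lab,DC=local'

# Register the alternate UPN suffix once, at the forest level
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $Suffix}
}

# Rewrite UPNs for users in the lab OU: keep the local part, swap the suffix.
# Entra matches synced users on the UPN, so this must happen before the sync
# that creates them in the cloud, or they will keep the onmicrosoft.com suffix.
$updated = Get-ADUser -Filter * -SearchBase $OuPath -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$Suffix" } |
    ForEach-Object {
        $newUpn = ($_.UserPrincipalName -split '@')[0] + "@$Suffix"
        Set-ADUser -Identity $_ -UserPrincipalName $newUpn
        [PSCustomObject]@{ SamAccountName = $_.SamAccountName; UserPrincipalName = $newUpn }
    }
$updated | Format-Table

# Push the change now instead of waiting for the 30-minute scheduler
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC, SyncCycleInProgress
```

Get-ADSyncScheduler is also the quickest way to confirm the scheduler is enabled and what interval is actually in effect; if SyncCycleEnabled is False, nothing you change in AD will reach the tenant no matter how long you wait.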

Snapshots

Take a Proxmox snapshot after a clean, working AD setup. Windows VMs are expensive to rebuild; a snapshot means you can experiment with GPO or AD changes and roll back if anything breaks. This is safe precisely because the lab has a single DC: rolling back a DC that replicates with others causes USN rollback, where the restored DC's invocation ID no longer matches what its partners have seen and replication stops. If you ever add a second DC, snapshot both together or stop snapshotting DCs at all.

# From Proxmox host
qm snapshot <VMID> clean-ad-baseline --description "Clean AD with Entra Connect"