A functional Windows Server 2022 and Windows 11 enterprise lab environment.
The goal of this project was to build a functional, secure enterprise network environment using Oracle VirtualBox. This lab simulates a real-world corporate infrastructure, focusing on identity management, network configuration, and security principles like Least Privilege.
- Hypervisor: Oracle VirtualBox
- Operating Systems: Windows Server 2022, Windows 11 Pro
- Services: Active Directory Domain Services (AD DS), DNS, SMB File Sharing, Group Policy (GPO)
| Asset Name | Operating System | Role / Service | Network Configuration |
|---|---|---|---|
| LAB-DC01 | Windows Server 2022 | Domain Controller, DNS, DHCP | Static: 192.168.56.10 |
| LAB-WS01 | Windows 11 Pro | Client Workstation | DHCP Assigned |
| S: Drive | SMB Share | Centralized User Backups | Hosted on DC01 |
To ensure security and isolation, I implemented a dual-adapter network topology.
- Internal Network (Host-Only): Dedicated for private communication between the Domain Controller and Client.
- NAT: Provided controlled internet access for system updates and software installation.
- I deployed Windows Server 2022 as a Domain Controller for the LAB.local forest.
- Created a custom Organizational Unit (OU) named "Accounts" to organize staff members.
- Provisioned domain users with standardized naming conventions.
- Advanced OU Design: Developed a scalable Organizational Unit (OU) structure consisting of departmental containers (Finance, IT, HR) to allow for granular GPO application.
- Security Group Management: Centralized all Security Groups into a dedicated "Groups" OU to separate access permissions from user objects.
-
Domain Handshake: Successfully integrated the Windows 11 Pro workstation into the
LAB.localforest. -
Trust Verification: Utilized
sysdm.cplto verify the trust relationship between the client and the Domain Controller.
I implemented departmental file sharing to simulate a corporate environment using a combination of GPO and scripting.
- Folder Permissions: Configured NTFS and Share permissions to restrict access based on security groups.
- Mapped Drives: Verified that the IT user automatically received the correct network drive upon login.
- Automated Drive Mapping: Authored and deployed
.batlogon scripts via Group Policy to dynamically map theB:drive based on the user's specific department.
- Security Isolation: Verified that while the drive is mapped via GPO, users are strictly blocked from accessing the folders outside their assigned security group.
To transition the lab from a basic setup to a secure enterprise environment, I implemented critical infrastructure services and defensive policies.
- DHCP Server Deployment: Configured a managed DHCP scope on the Domain Controller. Verified successful IP allocation (192.168.56.103) to the Windows 11 client via the DHCP Lease console and client-side
ipconfigverification.
- Transition to Automated Networking: Migrated the client from a static configuration to a dynamic DHCP-managed environment. As shown in the
ipconfigresults, the client now automatically receives its IP allocation and DNS pointers from the Domain Controller, ensuring centralized network management.
- Brute-Force Protection: Authored a "Security_Hardening_Policy" GPO to enforce an Account Lockout Threshold of 3 attempts.
- Defensive Verification: Successfully triggered and verified a lockout event on the Windows 11 workstation after multiple failed authentication attempts, simulating a real-world response to a brute-force attack.
To simulate a Junior IT Engineer's daily responsibilities, I managed a local mail infrastructure and implemented a platform-agnostic disaster recovery plan for end-user data.
-
Logic-Based Troubleshooting: Demonstrated that technical support principles are transferable across platforms. While utilizing Thunderbird for this lab, the methodology applied (Profile Management and Configuration File manipulation) directly simulates enterprise Microsoft Outlook troubleshooting (e.g., resolving .PST/.OST corruption).
-
Advanced Troubleshooting (Root Cause Analysis): Successfully simulated and resolved a "Corrupt Profile" failure. By identifying and manipulating the
profiles.ini(Configuration Settings) file, I demonstrated the ability to restore application functionality without data loss, bypassing the need for a full re-install.
-
Data Migration & Redundancy: Executed a manual migration of local application databases (AppData/Roaming) from the Windows 11 workstation to a cross-platform Shared Drive (S: Drive) hosted on the Domain Controller.
-
Archival Compliance: Built a structured archival hierarchy (
2025_Executive_Archive) and validated the ingestion of "orphan" data files (.eml) into the local mail database.
To transition from a "working" lab to a "managed" enterprise environment, I implemented a maintenance and security monitoring framework to ensure high availability and audit compliance.
- Domain Health Diagnostics: Executed
dcdiagto verify the health of theLAB.localforest. Confirmed successful status for core services including Connectivity, Advertising, MachineAccount, and NetLogons.
- Advanced Security Auditing: Structured Active Directory Organizational Units (OUs) to enforce Advanced Audit Policies. By moving the workstation from a default container to a managed OU, I enabled granular tracking of authentication events.
- Incident Capture & Log Correlation: Successfully simulated a brute-force attack and validated the detection of Event ID 4625 (Logon Failure) on the Windows 11 endpoint, correlating it with Event ID 4740 (Account Lockout) on the Domain Controller.
- Performance Baselining: Utilized Windows Resource Monitor to baseline CPU, Disk, and Network throughput. Verified server stability during active file-share utilization and high-volume data transfers.
- Issue: Encountered a "Version Mismatch" where Windows 11 Home could not join a domain.
- Solution: Successfully upgraded the VM to Windows 11 Pro to enable enterprise features.
- Issue: Kerberos Time Skew. Encountered an error where the computer clock was not synchronized with the Domain Controller.
- Solution: Identified a VM clock drift mismatch and utilized
w32tm /resyncto align the client with the DC's NTP source - Security: Implemented Account Lockout Policies to mitigate brute-force attacks.
- Issue: Application setup blocked by non-standard network environment (Thunderbird Wizard)
- Solution: Utilized the Profile Manager (
Pflag) and Advanced Configuration toggles to initialize the application database manually, ensuring laboratory tasks could proceed despite UI limitations. - Issue: GPO settings (Audit Policies) were not applying to the Windows 11 workstation.
- Root Cause: The workstation was located in the default "Computers" container, which does not support GPO linking.
- Solution: Created a dedicated Workstation OU, moved the computer object, and performed a
gpupdate /forceto successfully trigger policy inheritance.
- Issue: Event Viewer GUI "Query Timeout" or hang on the client machine.
- Solution: Pivoted to PowerShell-based forensics using
Get-EventLogto bypass GUI limitations and extract security data directly from the.evtxbuffer.
- Solution: Pivoted to PowerShell-based forensics using
To further expand this lab and simulate a more complex enterprise environment, I plan to implement:
- Item-Level Targeting: Consolidating multiple department rules into a single, high-effciency GPO.
- WSUS (Windows Server Update Services): Setting up a centralized server to manage and distribute patches and updates to all workstations in the domain.
- Splunk/SIEM Integration: Installing a Universal Forwarder on the Windows machines to ship logs to a SIEM for real-time security monitoring and threat detection.
- VPN & Remote Access: Configuring a Routing and Remote Access Service (RRAS) to simulate secure remote work connections.