
Hybrid Active Directory Lab: From Forest Promotion to Entra Connect in 48 Hours

Built a Windows Server 2022 domain controller from scratch, stood up a full OU structure with cascading GPOs, domain-joined a Windows 11 Pro workstation, and connected the on-premises forest to Azure via Entra Connect Password Hash Sync. The Server Core mistake cost four hours. The rebuild was worth documenting.

Why this matters beyond the homelab: Hybrid identity (on-premises AD synced to Entra ID) is the dominant enterprise identity model. Most organizations have not fully migrated to cloud-only identity. This lab covers the full stack: domain controller, Group Policy, Entra Connect sync, and a domain-joined endpoint for end-to-end validation. It maps directly to SC-300 exam objectives and the day-to-day reality of any IAM or sysadmin role.


Why This Existed

Three years at Team Liquid running Google Workspace meant three years without touching on-premises Active Directory. I could talk through AD concepts. I had managed it at CAA and Fox Studios. But I had not built it from scratch in a while, and “I’ve used it” is a different answer than “I built a forest, domain-joined a workstation, stood up cascading GPOs, and wired Entra Connect” in a hiring conversation.

The BSTG interview was the forcing function. Interview with Daniel Comas and Marcell Houser, April 29, 2026. Two days to build the lab, document it, and be able to walk through every decision.


The Infrastructure

Component            Details
Domain Controller    ALLIANCE-DC01, VM 300
OS                   Windows Server 2022 Standard (Desktop Experience)
Forest               alliance.lab
DC IP                192.168.1.50, VLAN 1 (Tatooine, Management)
Node                 QCM1255 (Node-B, CR90 Corvette, ECC RAM)
Test Workstation     Canto-Bight, VM 400
Workstation OS       Windows 11 Pro
Workstation IP       192.168.20.86, VLAN 20 (Naboo, Services)
Azure Tenant         alliance-fleet-rg, West US 2
Sync Method          Entra Connect, Password Hash Sync

Node-B was chosen for the DC specifically because of the ECC RAM. NTDS.dit is the most critical file in any Windows environment, and a directory database corrupted by a silent bit flip in memory shows up as authentication failures that are painful to diagnose. ECC RAM corrects single-bit memory errors and detects multi-bit ones before a bad page can be flushed to disk. It does nothing for corruption on the storage path; that is what the ESE page checksums and system state backups are for.


Day 1: The DC Build

VM creation: q35 machine type, OVMF (UEFI), TPM 2.0 emulated, VirtIO SCSI controller. Windows Server ships no inbox driver for VirtIO SCSI, so the installer does not see the disk until the vioscsi driver is loaded from the virtio-win ISO (Load driver at the disk-selection step). This is a Proxmox-specific step that catches people off guard.

Forest promotion: PowerShell throughout.

# Run elevated on the future DC. Prompt for the DSRM password instead of
# embedding it in the script, the shell history and the PowerShell transcript.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
Install-ADDSForest `
  -DomainName "alliance.lab" `
  -DomainNetbiosName "ALLIANCE" `
  -InstallDNS:$true `
  -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") `
  -Force:$true

The server rebooted into the alliance.lab domain controller.

OU structure:

alliance.lab
  └─ Departments
       ├─ IT
       ├─ HR
       └─ Finance

Users: john.doe (IT), jane.smith (HR), bob.finance (Finance). Security groups: IT-Staff, HR-Staff, Finance-Staff. Each user is a member of their respective group.

GPOs:

Three GPOs linked at the Departments OU level:

GPO inheritance was tested by linking a Deny policy at the Departments level and confirming it cascaded to all three department OUs, then setting Block Inheritance on the IT OU and confirming the IT OU stopped receiving it. The counterpart matters just as much: a link marked Enforced at the parent overrides Block Inheritance, which is how a domain baseline survives a delegated OU admin blocking inheritance. This is the kind of GPO behavior that shows up in real troubleshooting scenarios.
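
The OU tree, users, groups and inheritance test above, scripted end to end. This is an added example and not the script used in the lab; it assumes it runs elevated on ALLIANCE-DC01 with the ActiveDirectory and GroupPolicy modules, and the GPO name Lab-Baseline and the prompted user passwords are assumptions for the example.

```powershell
# Added example (not from the original lab notes): build the alliance.lab OU tree, users and
# groups, link a GPO at Departments, then exercise Block Inheritance and Enforced on the IT OU.
# Assumptions: elevated session on ALLIANCE-DC01; GPO name "Lab-Baseline" is made up for the example.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName          # DC=alliance,DC=lab
$deptsDN  = "OU=Departments,$domainDN"

# OU tree. Protect every OU so a stray Remove-ADOrganizationalUnit cannot take a department with it.
New-ADOrganizationalUnit -Name "Departments" -Path $domainDN -ProtectedFromAccidentalDeletion $true
foreach ($dept in "IT", "HR", "Finance") {
    New-ADOrganizationalUnit -Name $dept -Path $deptsDN -ProtectedFromAccidentalDeletion $true
}

# Users and their department groups, one global security group per OU.
$people = @(
    @{ Sam = "john.doe";    Name = "John Doe";    Dept = "IT";      Group = "IT-Staff" },
    @{ Sam = "jane.smith";  Name = "Jane Smith";  Dept = "HR";      Group = "HR-Staff" },
    @{ Sam = "bob.finance"; Name = "Bob Finance"; Dept = "Finance"; Group = "Finance-Staff" }
)
foreach ($p in $people) {
    $ouDN = "OU=$($p.Dept),$deptsDN"
    if (-not (Get-ADGroup -Filter "Name -eq '$($p.Group)'")) {
        New-ADGroup -Name $p.Group -GroupScope Global -GroupCategory Security -Path $ouDN
    }
    New-ADUser -Name $p.Name -SamAccountName $p.Sam `
        -UserPrincipalName "$($p.Sam)@alliance.lab" -Path $ouDN `
        -AccountPassword (Read-Host -AsSecureString "Initial password for $($p.Sam)") `
        -ChangePasswordAtLogon $true -Enabled $true
    Add-ADGroupMember -Identity $p.Group -Members $p.Sam
}

# A GPO linked at Departments cascades to IT, HR and Finance.
$gpo = New-GPO -Name "Lab-Baseline"
New-GPLink -Name $gpo.DisplayName -Target $deptsDN -LinkEnabled Yes | Out-Null

# Block Inheritance on IT: Lab-Baseline disappears from IT's InheritedGpoLinks but stays on HR's.
Set-GPInheritance -Target "OU=IT,$deptsDN" -IsBlocked Yes | Out-Null
"IT after block:";  (Get-GPInheritance -Target "OU=IT,$deptsDN").InheritedGpoLinks | Select-Object DisplayName, Enforced
"HR unaffected:";   (Get-GPInheritance -Target "OU=HR,$deptsDN").InheritedGpoLinks | Select-Object DisplayName, Enforced

# Enforced on the parent link wins over Block Inheritance; Lab-Baseline is back on IT, flagged Enforced.
Set-GPLink -Name $gpo.DisplayName -Target $deptsDN -Enforced Yes | Out-Null
"IT after enforce:"; (Get-GPInheritance -Target "OU=IT,$deptsDN").InheritedGpoLinks | Select-Object DisplayName, Enforced
```

Get-GPInheritance is the quickest way to see the result without logging on to a client: GpoLinks lists what is linked directly at the OU, InheritedGpoLinks what actually reaches it after blocking and enforcement are applied. On the workstation, gpresult /r shows the same decision from the client's side.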

Break/fix scenarios:


The Server Core Mistake

The first build used Windows Server 2022 Server Core. Server Core is the correct choice for production domain controllers: smaller attack surface, lower memory footprint, no GUI overhead. It is also what the official guidance recommends.

The problem: Entra Connect’s setup wizard is a WPF/XAML application and needs a desktop to render, which is why Microsoft’s prerequisites state that Entra Connect cannot be installed on Server Core. When the installer ran, it threw:

XamlParseException: Failed to create a 'UIElement' from the text 'System.Windows.Controls.Grid'

Get-WindowsFeature confirmed there is no in-place upgrade path from Core to Desktop Experience. The only option is a full rebuild.

Decision made in about thirty seconds: wipe the VM, rebuild with Standard (Desktop Experience). Four hours lost but the lesson is worth having. In production, the right answer is to install Entra Connect on a separate member server, not the DC. The DC should stay Core. In this lab environment with one VM, Desktop Experience was the pragmatic call.


Day 2: Domain Join and Entra Connect

Domain joining Canto-Bight:

Canto-Bight (Windows 11 Pro, VM 400, 192.168.20.86, VLAN 20) is on a different VLAN from ALLIANCE-DC01 (192.168.1.50, VLAN 1). Domain join requires DNS resolution of alliance.lab. The workstation was pointing to AdGuard Home at 192.168.1.4 for DNS, which did not have the alliance.lab zone.

The fix: update the DNS server on Canto-Bight’s NIC to point to 192.168.1.50 (the DC) instead of AdGuard. The DC is authoritative for alliance.lab and serves the _msdcs SRV records a domain join and every later DC lookup depend on. After the DNS change, nslookup alliance.lab resolved correctly and domain join completed. The consequence to plan for: the DC now has to forward everything outside alliance.lab (Set-DnsServerForwarder, pointed at AdGuard or another upstream) or domain members lose internet resolution. The alternative is a conditional forwarder for alliance.lab on AdGuard, which keeps clients pointed at AdGuard.

Add-Computer -DomainName "alliance.lab" -Credential (Get-Credential) -Restart

Post-join validation: logged in as ALLIANCE\john.doe, confirmed the Drive Mapping GPO applied and Z:\ was mapped to \\ALLIANCE-DC01\IT-Share.
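
The cross-VLAN join as a repeatable pre-flight check: fix DNS, prove the SRV records resolve, prove the DC ports are reachable through the inter-VLAN firewall, then join and validate. This is an added example and not the author's procedure; it assumes the NIC alias is Ethernet and uses a delegated join account ALLIANCE\domainjoin that the lab notes do not mention (hypothetical; a Domain Admin should not be used for joins).

```powershell
# Added example (not from the original lab notes): pre-flight checks, join and validation for a
# workstation on a different VLAN from the DC. Run elevated on Canto-Bight before the join.
# Assumptions: NIC alias "Ethernet"; ALLIANCE\domainjoin is a hypothetical delegated join account.
$dc     = "192.168.1.50"
$domain = "alliance.lab"
$nic    = "Ethernet"

# 1. DNS. A join locates a DC through SRV records under _msdcs, not a plain A lookup, so a resolver
#    without the zone (AdGuard here) fails even if it could forward alliance.lab somewhere.
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses $dc
Clear-DnsClientCache
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $dc -ErrorAction Stop |
       Where-Object Type -eq "SRV"
"DCs advertised for ${domain}: $($srv.NameTarget -join ', ')"

# 2. Ports. Cross-VLAN, a rule that only allows DNS passes step 1 and still breaks the join.
#    RPC additionally needs the dynamic range 49152-65535 to the DC, which a single probe cannot prove.
$ports = @{ 53 = "DNS"; 88 = "Kerberos"; 135 = "RPC endpoint mapper"; 389 = "LDAP"
            445 = "SMB (SYSVOL/NETLOGON, GPO files)"; 464 = "Kerberos kpasswd"; 636 = "LDAPS"; 3268 = "Global Catalog" }
$blocked = foreach ($port in $ports.Keys) {
    $ok = Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $ok) { "$port ($($ports[$port]))" }
}
if ($blocked) { throw "Blocked from this host to ${dc}: $($blocked -join ', ')" }

# 3. Join with the delegated account, then reboot.
$cred = Get-Credential -UserName "ALLIANCE\domainjoin" -Message "Domain join credentials"
Add-Computer -DomainName $domain -Credential $cred -Restart

# 4. After the reboot, signed in as a domain user, confirm the machine trust and that policy applied:
#    Test-ComputerSecureChannel -Verbose
#    nltest /dsgetdc:alliance.lab
#    gpresult /r /scope:user
#    Get-PSDrive -Name Z | Select-Object Root     # expect \\ALLIANCE-DC01\IT-Share for ALLIANCE\john.doe
```

Step 2 is the one that saves the most time on a segmented network: the join error for a half-open firewall rule looks like a DNS or credential problem, and the port list above is exactly what to hand the person who owns the inter-VLAN rules.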

DC migration to Node-B:

The DC was initially built on Node-A (FCM2250) and needed to move to Node-B (QCM1255) for the ECC RAM. Proxmox live migration threw:

Cannot migrate VM with local CD/DVD drive

The Windows Server evaluation ISO was still mounted on the virtual CD/DVD drive. Detached it via Proxmox > VM 300 > Hardware > CD/DVD Drive > Do not use any media (the CLI equivalent, with the drive at Proxmox’s default ide2 slot, is qm set 300 --ide2 none,media=cdrom). Migration completed without issue.

Entra Connect configuration:

Prerequisites on the DC before running the installer:

# TLS 1.2 required by Entra Connect. Values must be REG_DWORD, and the SCHANNEL key usually
# does not exist yet, so create it first (Set-ItemProperty fails on a missing key).
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "DisabledByDefault" -Value 0 -Type DWord

Microsoft’s TLS 1.2 enforcement guidance for Entra Connect also sets SystemDefaultTlsVersions and the Wow6432Node copy of the .NET key, and the changes need a reboot before the installer sees them.

Authorizing Entra Connect requires a cloud-only (non-guest) account in the tenant holding Global Administrator or, as the least-privileged option Microsoft documents, Hybrid Identity Administrator. Guest accounts cannot authorize the sync. A dedicated syncadmin@ndomatesollcgmail.onmicrosoft.com account was created with Global Administrator for the setup, then scoped down to Hybrid Identity Administrator post-configuration.

Express settings: Password Hash Sync enabled, sync all users and groups from the alliance.lab domain. Express settings also create the AD DS connector account (MSOL_<id>, in the Users container) and grant it the Replicating Directory Changes and Replicating Directory Changes All extended rights on the domain, which is what lets PHS read password hashes. That account can DCSync the domain, so the Entra Connect server and its database are Tier 0 wherever they sit.

After the first sync cycle (the scheduler’s default is a 30-minute delta cycle), john.doe, jane.smith, and bob.finance appeared in Entra ID. Because alliance.lab is not a verified domain in the tenant, Entra Connect replaced the on-premises UPN suffix with the tenant’s default, so the cloud identities are john.doe@ndomatesollcgmail.onmicrosoft.com and so on. The password hashes synced correctly: signing in as john.doe@ndomatesollcgmail.onmicrosoft.com with the on-premises password worked.
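
Two checks worth running once sync is up: that the scheduler is actually cycling, and who holds the DCSync-equivalent rights that PHS depends on. The second one is the security point of this whole section; the MSOL_ connector account should be there, and anything unexpected beside it is a finding. This is an added example, not part of the lab notes; it assumes an elevated session on the server hosting Entra Connect (the DC in this lab) with the ADSync and ActiveDirectory modules available.

```powershell
# Added example (not from the original lab notes): verify the Entra Connect scheduler, kick a
# delta sync, and audit which principals hold replication (DCSync) rights on the domain head.
# Assumptions: elevated session on the Entra Connect server; ADSync module is installed with the product.
Import-Module ADSync
Import-Module ActiveDirectory

# Scheduler state: SyncCycleEnabled should be True, AllowedSyncCycleInterval the 30-minute default,
# StagingModeEnabled False on the one active server.
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, StagingModeEnabled,
    AllowedSyncCycleInterval, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC

# Force a delta cycle instead of waiting; do not stack a second one on a cycle already running.
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Write-Warning "A sync cycle is already running; not starting another."
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# DCSync audit. These are the extended-right GUIDs Express settings grant to the MSOL_<id>
# connector account. Expected holders: Domain Controllers, Enterprise Domain Controllers,
# Administrators, Domain Admins, Enterprise Admins and the MSOL_ account. Anyone else needs a reason.
$replRights = @{
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" = "DS-Replication-Get-Changes"
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" = "DS-Replication-Get-Changes-All"
    "89e95b76-444d-4c62-991a-0facbeda640c" = "DS-Replication-Get-Changes-In-Filtered-Set"
}
$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"

$holders = $acl.Access |
    Where-Object { $_.AccessControlType -eq "Allow" -and $replRights.ContainsKey($_.ObjectType.ToString()) } |
    Group-Object IdentityReference |
    ForEach-Object {
        [pscustomobject]@{
            Identity = $_.Name
            Rights   = ($_.Group | ForEach-Object { $replRights[$_.ObjectType.ToString()] } | Sort-Object -Unique) -join ", "
        }
    }
$holders | Sort-Object Identity | Format-Table -AutoSize

# Caveat: this lists explicit extended-right grants only. A principal with GenericAll on the
# domain head can DCSync too, and shows up here with an empty ObjectType rather than these GUIDs.
```

Both Get-Changes and Get-Changes-All on the same identity are what make a DCSync of password hashes possible; Get-Changes alone is not enough. Running this audit before and after the Entra Connect install shows exactly what Express settings added, which is the diff you want in the change record.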


What This Covers for SC-300 and AZ-104

This lab is not just portfolio decoration. The specific skills it demonstrates map to real exam objectives:

SC-300 (Microsoft Identity and Access Administrator):

AZ-104 (Azure Administrator):

The Server Core rebuild decision is also worth mentioning in any interview discussion of this project. Knowing when to stop fighting a constraint and take the pragmatic path is a real engineering judgment call.


Current State

ALLIANCE-DC01 is running on Node-B. Entra Connect is syncing on its default 30-minute cycle. Canto-Bight is domain-joined and receives GPOs. The lab is stable and used periodically for break/fix scenario practice and SC-300 study.

