Self-Directed Case Study · Windows Endpoint & Server Administration

From the Endpoint
to the Domain

Two environments. One lab-simulated enterprise Windows environment — built from scratch, documented step by step, and verified with screenshots. This case study covers Windows 11 workstation configuration from the client side, and Windows Server 2022 domain deployment from the server side.

Windows Server 2022 Windows 11 Enterprise AD DS · DHCP · DNS · GPO Evidence-Based Lab
2Environments Built
158Screenshots Taken
19Tasks & Phases
2+1Servers + Workstation
01

Windows 11 Enterprise Workstation Administration

Deploying, configuring, and hardening a Windows 11 workstation from scratch inside VMware Fusion on macOS — covering provisioning, local policies, PowerShell network management, Storage Spaces, and file sharing.

VMware Fusion Windows 11 PowerShell Storage Spaces Local Policy
TASK 01 Install Windows 11 on VMware Fusion — Named to Lab Convention

Every enterprise build starts the same way — a blank virtual machine. For this task, I deployed a fresh Windows 11 installation inside VMware Fusion on my MacBook, using a consistent lab naming convention so each later configuration step could be traced clearly.

Getting Windows 11 to install on Fusion required downloading the ISO, creating the VM with sufficient specs, and navigating through the Setup wizard. The machine name followed the lab convention during initial configuration — a detail that mattered for identification across subsequent screenshots.

VMware Fusion — Windows 11 desktop running with identifiers redacted
VMware Fusion — Windows 11 desktop running with identifiers redacted
VMware page & Windows 11 installation running side by side on macOS
VMware page & Windows 11 installation running side by side on macOS
Windows 11 installation progress — setup copying files
Windows 11 installation progress — setup copying files
VM resources configured — CPU, RAM, and storage allocated for Windows 11
VM resources configured — CPU, RAM, and storage allocated for Windows 11
Windows 11 successfully booted with public identifiers redacted
Windows 11 successfully booted with public identifiers redacted
TASK 02 Provisioning Package — Create Local Admin Account via Windows Configuration Designer

In enterprise environments, IT teams rarely configure each PC manually — they use provisioning packages to automate setup. This task required creating a .ppkg file using Windows Configuration Designer (WCD) that would create a lab-only local administrator account and apply it to the VM.

I built the package step by step in WCD: selecting the account settings, defining local sign-in details, exporting the .ppkg file, and then applying it to the Windows 11 VM. After application, the account appeared under local users — confirming the package deployed correctly.

Windows Configuration Designer open — starting a new provisioning package
Windows Configuration Designer open — starting a new provisioning package
Configuring account settings inside WCD — local admin account details entered
Configuring account settings inside WCD — local admin account details entered
Provisioning package settings review before export
Provisioning package settings review before export
Package exported successfully as .ppkg file
Package exported successfully as .ppkg file
Applying the provisioning package to Windows 11 VM
Applying the provisioning package to Windows 11 VM
Package installation confirmation — applying settings
Package installation confirmation — applying settings
Local Users and Groups — lab admin account appears post-provisioning
Local Users and Groups — lab admin account appears post-provisioning
Account verified in Computer Management
Account verified in Computer Management
Admin account confirmed active with correct group membership
Admin account confirmed active with correct group membership
TASK 03 Local Security Policy — Enforce UAC Dialog Box & Secure Desktop Dimming

Security hardening is non-negotiable in any enterprise environment. This task required configuring Local Security Policy to enforce UAC (User Account Control) behavior — specifically, ensuring that any privileged action triggers a secure authentication prompt and dims the desktop (Secure Desktop mode). This prevents malware from spoofing the UAC dialog.

I accessed secpol.msc, navigated to Local Policies → Security Options, and located the UAC settings. I configured the elevation prompt for administrators in Admin Approval Mode to require authentication on the secure desktop. Screenshots captured the before/after state of each policy setting.

Note: Some screens include redaction where lab identifiers appeared. The visible policy windows remain the relevant evidence for this task.

secpol.msc open — Local Security Policy console
secpol.msc open — Local Security Policy console
Security Options list — UAC policies visible
Security Options list — UAC policies visible
UAC — elevation prompt configured for secure authentication
UAC — elevation prompt configured for secure authentication
Secure Desktop dimming policy — enabled
Secure Desktop dimming policy — enabled
Policy confirmation — UAC elevation on secure desktop configured
Policy confirmation — UAC elevation on secure desktop configured
Local policy settings verified — all UAC options correctly set
Local policy settings verified — all UAC options correctly set
Additional UAC verification screenshot
Additional UAC verification screenshot
Policy applied — testing UAC prompt triggers correctly
Policy applied — testing UAC prompt triggers correctly
Screen dims on UAC trigger — secure desktop active
Screen dims on UAC trigger — secure desktop active
UAC authentication dialog visible
UAC authentication dialog visible
Final policy state confirmed in secpol.msc
Final policy state confirmed in secpol.msc
TASK 04 Pin Microsoft News to Start Menu & Export Taskbar Layout via PowerShell

Standardized Start menu and taskbar layouts are a common enterprise requirement — IT departments often deploy a locked-down layout to ensure consistency across all endpoints. This task required pinning the Microsoft News app to the Start menu, then exporting the taskbar configuration to an XML file using PowerShell.

I pinned the app through the Start menu UI, then used Export-StartLayout and related cmdlets in PowerShell to export the configuration. The resulting layout file could be deployed company-wide through Group Policy — a direct bridge to what I'd implement on the server side later.

Start menu open — Microsoft News app located for pinning
Start menu open — Microsoft News app located for pinning
Microsoft News pinned to Start menu — confirmation
Microsoft News pinned to Start menu — confirmation
PowerShell open — Export-StartLayout command ready
PowerShell open — Export-StartLayout command ready
Taskbar layout exported to XML file successfully
Taskbar layout exported to XML file successfully
XML layout file verified in File Explorer
XML layout file verified in File Explorer
Layout file contents — pinned apps visible in XML
Layout file contents — pinned apps visible in XML
TASK 05 PowerShell Network Configuration — Set Static IPv4 Address

Network configuration via PowerShell is a core sysadmin skill. Rather than using the GUI, this task required setting a static IPv4 address of redacted lab IPv4 address directly through the command line using New-NetIPAddress. This approach is scriptable, repeatable, and deployable at scale — exactly how enterprise teams manage endpoints.

I identified the correct adapter using Get-NetAdapter, removed any existing DHCP-assigned address, and applied the static configuration. Running ipconfig /all after confirmed the address was correctly assigned to the adapter.

PowerShell — Get-NetAdapter showing available network interfaces
PowerShell — Get-NetAdapter showing available network interfaces
New-NetIPAddress command executed — static IP redacted lab IPv4 address applied
New-NetIPAddress command executed — static IP redacted lab IPv4 address applied
ipconfig /all output — static IP confirmed on adapter
ipconfig /all output — static IP confirmed on adapter
Network adapter properties — static IP visible in settings
Network adapter properties — static IP visible in settings
Final verification — adapter showing redacted lab IPv4 address assigned
Final verification — adapter showing redacted lab IPv4 address assigned
TASK 06 Storage Spaces — Create a 2-Way Mirror Storage Pool

Storage Spaces is Windows' software-defined storage solution — it pools physical disks into resilient volumes. A 2-way mirror writes data to two disks simultaneously, providing fault tolerance if one drive fails. This task required creating a Storage Pool from available virtual disks, then creating a 2-way mirror virtual disk on top of it.

I navigated to Server Manager → File and Storage Services → Storage Pools, added the available disks to a pool, and created the mirrored virtual disk. The resulting volume was mounted and ready for use — setting up the foundation for the file sharing tasks that followed.

Storage Spaces wizard open — creating new storage pool
Storage Spaces wizard open — creating new storage pool
Selecting physical disks for the storage pool
Selecting physical disks for the storage pool
2-Way Mirror selected as resiliency type
2-Way Mirror selected as resiliency type
Storage pool and virtual disk being created
Storage pool and virtual disk being created
Storage pool successfully created and visible in File Explorer
Storage pool successfully created and visible in File Explorer
TASK 07 Create "File Share" Folder on the Storage Space Volume

With the storage pool created, the next step was creating the File Share folder on the new volume — this would serve as the shared network resource for the next task. Placing it on the mirrored storage space ensures any data stored here has redundancy built in.

Storage space volume visible in File Explorer
Storage space volume visible in File Explorer
File Share folder created on the mirrored volume
File Share folder created on the mirrored volume
Folder properties — confirming location on storage pool drive
Folder properties — confirming location on storage pool drive
File Share folder ready for permissions configuration
File Share folder ready for permissions configuration
TASK 08 Configure Network Share & NTFS Permissions on File Share Folder

File sharing permissions in Windows are a two-layer system: Share permissions control network access at the share level, while NTFS permissions control access at the file system level. The effective permissions are the most restrictive of the two. This task required sharing the File Share folder with specific user access levels — read vs. read/write — matching a permission matrix defined in the course.

I right-clicked the folder, set up sharing through Advanced Sharing, configured the share permissions, then drilled into Security to set NTFS permissions. Each user/group was assigned the correct permission level and verified by reviewing the access control list.

Advanced Sharing dialog — folder being shared on network
Advanced Sharing dialog — folder being shared on network
Share permissions dialog — user permissions being configured
Share permissions dialog — user permissions being configured
Security tab — NTFS permissions for the File Share folder
Security tab — NTFS permissions for the File Share folder
Read permission assigned to designated user
Read permission assigned to designated user
Read/Write permissions assigned to second user
Read/Write permissions assigned to second user
Permission summary — all users configured correctly
Permission summary — all users configured correctly
Network path verified — folder accessible via UNC path
Network path verified — folder accessible via UNC path
Final NTFS permission ACL confirmed
Final NTFS permission ACL confirmed
TASK 09 Deploy Microsoft Whiteboard from Microsoft Store

Application deployment from the Microsoft Store is a standard workflow in modern endpoint management. This task required installing Microsoft Whiteboard from the Store — simulating how IT might push a collaboration app to a managed workstation. Post-install verification confirmed the app launched correctly and was visible in the Start menu.

Microsoft Store open — searching for Microsoft Whiteboard
Microsoft Store open — searching for Microsoft Whiteboard
Whiteboard app page — clicking Install
Whiteboard app page — clicking Install
Installation in progress — downloading and installing
Installation in progress — downloading and installing
Whiteboard successfully installed — visible in Start menu
Whiteboard successfully installed — visible in Start menu
Microsoft Whiteboard launched and running on Windows 11
Microsoft Whiteboard launched and running on Windows 11
App verified — Whiteboard interface open and functional
App verified — Whiteboard interface open and functional
Whiteboard confirmed working — installation task complete
Whiteboard confirmed working — installation task complete
TASK 10 Configure File History — 30-Day Retention on Storage Space

File History is Windows' built-in backup and versioning solution — it automatically saves copies of files to a designated drive, allowing recovery of older versions. This task required configuring it to keep historical copies for 30 days, pointed at the storage space volume created earlier.

Note to evaluator: For this task, I was on my Mac just like all other tasks. The File History configuration steps were completed within the VMware environment — some screens may vary slightly due to virtualization layer differences with storage device detection.

File History settings — selecting the storage space as backup drive
File History settings — selecting the storage space as backup drive
Advanced Settings — Keep saved versions set to 30 days
Advanced Settings — Keep saved versions set to 30 days
File History running — first backup in progress
File History running — first backup in progress
Backup confirmed — File History active on storage space volume
Backup confirmed — File History active on storage space volume
02

Windows Server 2022 Enterprise Domain

Building a full multi-server Windows Server 2022 domain from the ground up inside UTM on an Apple Silicon MacBook — two servers, one workstation, a complete Active Directory domain, DHCP, DNS, GPOs, and file services, all verified and documented.

Windows Server 2022 Active Directory DHCP / DNS Group Policy UTM · Apple Silicon NTFS Permissions
PHASE 01 Virtual Machine Provisioning — Windows Server 2022 on UTM (Apple Silicon)

The first challenge wasn't the server — it was the hardware. Building Windows Server 2022 on an Apple Silicon MacBook Air required using UTM, a virtualization platform for macOS that supports both ARM and x86 emulation. I created the primary Domain Controller VM (LAB-DC01) with 4 vCPUs, 8GB RAM, and 64GB storage in x86_64 mode, then installed Windows Server 2022 Datacenter Evaluation (Desktop Experience) for full GUI access.

VM Specs — SRV01 (Domain Controller): 4 vCPUs · 8 GB RAM · 64 GB storage · x86_64 architecture · Windows Server 2022 Datacenter Evaluation (Desktop Experience)

UTM VM configuration evidence with identifiers redacted
UTM VM configuration evidence with identifiers redacted
UTM VM resource summary — 4 vCPUs, 8GB RAM, 64GB storage confirmed
UTM VM resource summary — 4 vCPUs, 8GB RAM, 64GB storage confirmed
Windows Server 2022 edition selection — Datacenter Evaluation with Desktop Experience
Windows Server 2022 edition selection — Datacenter Evaluation with Desktop Experience
Windows Server 2022 installation progress — files copying
Windows Server 2022 installation progress — files copying
Completing built-in Administrator setup during first-time setup
Completing built-in Administrator setup during first-time setup
Windows Server 2022 boots to lock screen — Ctrl+Alt+Delete prompt
Windows Server 2022 boots to lock screen — Ctrl+Alt+Delete prompt
Server Manager loads automatically after first login
Server Manager loads automatically after first login
PHASE 02 Active Directory Domain Services — Promoting SRV01 to Domain Controller

This was the moment the server transformed from a standalone box into the authority of a lab Active Directory domain. I installed the AD DS role through Server Manager's Add Roles and Features Wizard, selected the lab domain controller as the target, and began the promotion process. Choosing "Add a new forest" created the lab-local root domain.

The promotion wizard walked through DNS integration, Global Catalog designation, recovery-mode setup, and NetBIOS naming. The wizard auto-generated a PowerShell deployment script, showing that the configuration could be repeated and automated. After the final prerequisites check passed with the expected DNS delegation warning in an isolated lab, the server rebooted and came back online as the domain controller.

Server Manager — Local Server overview, ready for role installation
Server Manager — Local Server overview, ready for role installation
Add Roles and Features Wizard — Before You Begin
Add Roles and Features Wizard — Before You Begin
Selecting the lab domain controller as the destination server
Selecting the lab domain controller as the destination server
AD DS role selected for installation
AD DS role selected for installation
AD DS information page — DNS requirements reviewed
AD DS information page — DNS requirements reviewed
AD DS installation confirmation — components listed
AD DS installation confirmation — components listed
AD DS installation in progress on SRV01
AD DS installation in progress on SRV01
AD DS Configuration Wizard — Add New Forest selected for lab domain
AD DS Configuration Wizard — Add New Forest selected for lab domain
Domain Controller Options — DNS and Global Catalog enabled
Domain Controller Options — DNS and Global Catalog enabled
DNS Options — no delegation required in standalone lab environment
DNS Options — no delegation required in standalone lab environment
Additional Options — NetBIOS name ANIK auto-populated
Additional Options — NetBIOS name ANIK auto-populated
AD DS Default Paths — NTDS, SYSVOL confirmed
AD DS Default Paths — NTDS, SYSVOL confirmed
AD DS Prerequisites Check — all checks passed
AD DS Prerequisites Check — all checks passed
First domain-controller logon — promotion confirmed
First domain-controller logon — promotion confirmed
PHASE 03 DHCP Server — Multi-Site Scopes for Toronto & Montreal

With the domain running, the next critical service was DHCP — the mechanism by which clients receive an IP address, gateway, and DNS server automatically. I installed the DHCP Server role on the domain controller after assigning a static IPv4 address so DHCP and DNS services were anchored to a fixed address.

I created one primary lab scope plus four simulated site scopes to model a multi-site enterprise network with offices in Toronto and Montreal. Each scope was configured with subnet ranges, exclusions, and scope options (Router 003, DNS Server 006, DNS Domain Name 015). A DHCP reservation for the member server ensured it would receive a consistent lab address.

Scopes created: one primary lab subnet plus four simulated site scopes for Toronto and Montreal lab/office segments.

DHCP installation warning — static IP required before proceeding
DHCP installation warning — static IP required before proceeding
Static IPv4 address applied to the domain controller
Static IPv4 address applied to the domain controller
DHCP Server role selected for installation
DHCP Server role selected for installation
DHCP Server role installation in progress
DHCP Server role installation in progress
New Scope Wizard — primary lab scope named and described
New Scope Wizard — primary lab scope named and described
DHCP scope activated — Yes, activate now selected
DHCP scope activated — Yes, activate now selected
Primary lab scope visible and active under IPv4 in DHCP Manager
Primary lab scope visible and active under IPv4 in DHCP Manager
Multiple scopes visible — Toronto and Montreal sites all configured
Multiple scopes visible — Toronto and Montreal sites all configured
PHASE 04 Second Server Deployment — SRV02 Joins the Domain

A single-server domain is a lab — an enterprise network normally includes member servers. I deployed a second Windows Server 2022 VM, LAB-SRV02, as a member server for domain lab services. The process mirrored the first server installation: create the UTM VM, install Windows Server 2022 Datacenter, complete first-time setup, rename the machine, and then complete the domain join.

Joining the domain required pointing the member server's DNS to the domain controller, completing domain authentication, and confirming the successful domain join. A static IP and DHCP reservation were then configured, with hardware identifiers redacted in public evidence.

UTM VM creation for SRV02 — default Windows template, x86_64
UTM VM creation for SRV02 — default Windows template, x86_64
SRV02 first boot — Windows Server 2022 setup begins
SRV02 first boot — Windows Server 2022 setup begins
Windows Server 2022 edition selection for SRV02
Windows Server 2022 edition selection for SRV02
Drive 0 selected for OS installation
Drive 0 selected for OS installation
Windows Server 2022 installation progress on SRV02
Windows Server 2022 installation progress on SRV02
SRV02 first boot completing service initialization
SRV02 first boot completing service initialization
SRV02 login screen — first boot after Windows Server 2022 install
SRV02 login screen — first boot after Windows Server 2022 install
Server Manager on SRV02 — local server properties on first login
Server Manager on SRV02 — local server properties on first login
Member server renamed to lab convention — restart required
Member server renamed to lab convention — restart required
Member server successfully joined to the lab domain
Member server successfully joined to the lab domain
Logging into SRV02 with domain authentication
Logging into SRV02 with domain authentication
Static IP and DNS configured on SRV02 — pointing to the domain controller
Static IP and DNS configured on SRV02 — pointing to the domain controller
SRV02 network adapter — static IP and DNS settings confirmed
SRV02 network adapter — static IP and DNS settings confirmed
Re-applying static IPv4 on SRV02 post-domain join
Re-applying static IPv4 on SRV02 post-domain join
ipconfig confirms static IP and gateway on SRV02
ipconfig confirms static IP and gateway on SRV02
DHCP reservation for SRV02 created in DHCP Manager
DHCP reservation for SRV02 created in DHCP Manager
PHASE 05 Organizational Units, Users & Security Groups

Active Directory's power comes from organization. I opened Active Directory Users and Computers (ADUC) on the domain controller and built a full OU hierarchy under lab.local: Toronto, Montreal, Servers, Workstations, Groups, and Users — mirroring how a real enterprise organizes its directory structure by geography and function.

Inside each location OU, I created user accounts with proper UPN suffixes (lab user account, lab user account), enforced first-logon account-change policies, and built Global Security GroupsToronto-Users and Montreal-Users — adding each user to their respective group. This group structure would directly drive NTFS permissions and GPO filtering later.

ADUC open — default domain container lab.local
ADUC open — default domain container lab.local
OU creation — Montreal and Toronto OUs being built
OU creation — Montreal and Toronto OUs being built
Toronto OU with Computers sub-OU visible
Toronto OU with Computers sub-OU visible
Montreal OU and Computers sub-OU structure confirmed
Montreal OU and Computers sub-OU structure confirmed
Final OU structure: Montreal, Toronto, Servers, Workstations, Groups, Users
Final OU structure: Montreal, Toronto, Servers, Workstations, Groups, Users
New user creation — lab user account in Montreal OU
New user creation — lab user account in Montreal OU
Account policy for Montreal user — change at next logon enabled
Account policy for Montreal user — change at next logon enabled
Montreal user account successfully created
Montreal user account successfully created
Montreal OU showing lab user object
Montreal OU showing lab user object
Creating Toronto user — lab user account
Creating Toronto user — lab user account
Toronto OU showing lab user object
Toronto OU showing lab user object
Creating Toronto-Users security group — Global/Security type
Creating Toronto-Users security group — Global/Security type
Toronto-Users group successfully created in Groups OU
Toronto-Users group successfully created in Groups OU
Adding lab user to Toronto-Users group
Adding lab user to Toronto-Users group
Toronto user confirmed as member of Toronto-Users
Toronto user confirmed as member of Toronto-Users
Both Toronto-Users and Montreal-Users groups visible in Groups OU
Both Toronto-Users and Montreal-Users groups visible in Groups OU
Montreal-Users group membership — lab user added
Montreal-Users group membership — lab user added
PHASE 06 Group Policy Objects — Lockdown Policy & Domain Account Policy

Group Policy is the central nervous system of Windows domain management. I configured lab policy settings to validate workstation/user policy behavior, including a UI restriction policy and a domain-wide account policy enforcing complexity, minimum length, history, and account lockout.

I opened the Group Policy Management Console (GPMC), created a lab lockdown GPO, and validated policy application from the workstation. Inside the policy editor, I navigated through Administrative Templates and enabled a UI restriction. For the account policy, I modified the Default Domain Policy: minimum length, complexity, maximum password age, and account lockout after repeated failed attempts.

After applying changes with gpupdate /force, I ran gpresult /r on the workstation to confirm policy receipt. I then deliberately triggered the account lockout with repeated failed sign-in attempts, validating the lockout behavior in the lab. In production, user-side restrictions would be linked to the proper user OU or implemented with loopback processing where computer-targeted scope is required.

Group Policy Management Console open — lab.local domain structure
Group Policy Management Console open — lab.local domain structure
Default Domain Policy — GPO tree structure viewed
Default Domain Policy — GPO tree structure viewed
Account policy settings — history, minimum length, complexity visible
Account policy settings — history, minimum length, complexity visible
TOR-UserLockdown-GPO linked to Toronto → Computers OU
TOR-UserLockdown-GPO linked to Toronto → Computers OU
GPO Scope confirmed — Authenticated Users in security filtering
GPO Scope confirmed — Authenticated Users in security filtering
GPO editor — Administrative Templates → Control Panel open
GPO editor — Administrative Templates → Control Panel open
Prevent changing Start Menu background — Enabled
Prevent changing Start Menu background — Enabled
Account policy applied — min length 7, complexity on, max age 42 days
Account policy applied — min length 7, complexity on, max age 42 days
Account Lockout Policy — 5 failed attempts, 15 min lockout
Account Lockout Policy — 5 failed attempts, 15 min lockout
gpupdate /force executed in PowerShell on domain controller
gpupdate /force executed in PowerShell on domain controller
gpresult /r on workstation — Default Domain Policy and custom GPO applied
gpresult /r on workstation — Default Domain Policy and custom GPO applied
Account lockout simulation — Toronto user locked after failed attempts
Account lockout simulation — Toronto user locked after failed attempts
Lockout delay confirmed — policy enforced in real time
Lockout delay confirmed — policy enforced in real time
PHASE 07 File Services — CompanyShare Folder with NTFS & Share Permissions

File sharing in a domain environment brings together everything built so far: users, groups, permissions, and the servers. I created a CompanyShare folder in the domain lab, shared it over the network, and configured layered share and NTFS permissions for the Toronto and Montreal security groups. Administrators retained Full Control.

From the workstation, I mapped Drive Z: using a domain user account and tested file access behavior to confirm the restrictions were applied.

CompanyShare folder created under C:\ in the domain lab
CompanyShare folder created under C:\ in the domain lab
Share permissions — Toronto-Users granted Read access
Share permissions — Toronto-Users granted Read access
Share permissions — Montreal-Users granted Change + Read
Share permissions — Montreal-Users granted Change + Read
NTFS permissions — Toronto-Users assigned Modify + Read
NTFS permissions — Toronto-Users assigned Modify + Read
NTFS permissions — Montreal-Users granted Modify + Read
NTFS permissions — Montreal-Users granted Modify + Read
Drive Z mapped on workstation using a domain user
Drive Z mapped on workstation using a domain user
Access restriction test — file creation attempt blocked
Access restriction test — file creation attempt blocked
PHASE 08 DNS Configuration & External Resolution Testing

DNS is the backbone of an Active Directory domain — without it, nothing resolves. I opened DNS Manager on the domain controller, reviewed the server's network interface bindings, and configured an external DNS forwarder to handle queries outside the lab namespace.

External forwarder validation was limited in this lab because UTM on Apple Silicon used NAT-only networking. Internal AD DNS behavior remained the main validation target, while external lookup behavior was documented as a platform constraint rather than treated as production-ready DNS validation.

DNS Manager open on LAB-DC01 — server interfaces reviewed
DNS Manager open on LAB-DC01 — server interfaces reviewed
DNS Forwarders — external resolver configured for lab testing
DNS Forwarders — external resolver configured for lab testing
nslookup test — timeout expected due to UTM NAT-only networking
nslookup test — timeout expected due to UTM NAT-only networking
DNS zones visible — lab.local forward and reverse lookup zones
DNS zones visible — lab.local forward and reverse lookup zones
PHASE 09 Workstation Integration — Joining the Lab Domain & Verifying Services

The final proof of a working domain is the workstation. I configured the Windows 11 VM (LAB-WS01) with DNS pointing to the domain controller, verified a successful ping to the DC, and ran nslookup to confirm name resolution. The domain join prompt required domain authentication — and returned the "Welcome to the lab domain" confirmation.

Post-join, the workstation received its DHCP-assigned IP, applied both computer and user GPOs (confirmed via gpresult /r), and successfully connected to the CompanyShare folder. Every service built throughout this case study — DHCP, DNS, AD DS, GPO, file sharing — was verified to be working end-to-end from a domain-joined client.

Workstation system properties — hostname LAB-WS01, currently in WORKGROUP
Workstation system properties — hostname LAB-WS01, currently in WORKGROUP
ipconfig — workstation lease and DNS settings verified
ipconfig — workstation lease and DNS settings verified
Ping to domain controller — successful, network confirmed
Ping to domain controller — successful, network confirmed
Domain join prompt — completing lab.local authentication
Domain join prompt — completing lab.local authentication
Welcome to the lab domain — domain join confirmed
Welcome to the lab domain — domain join confirmed
DHCP verification — ipconfig /all showing correct lease from Toronto scope
DHCP verification — ipconfig /all showing correct lease from Toronto scope
gpupdate /force on workstation — policies refreshed
gpupdate /force on workstation — policies refreshed
gpresult /r — Default Domain Policy and TOR-UserLockdown-GPO both applied
gpresult /r — Default Domain Policy and TOR-UserLockdown-GPO both applied
Project Reflection

What This Built in Me

These two case studies weren't just coursework — they were a complete walkthrough of the enterprise Windows stack from both ends. On the client side, I learned how IT teams provision, harden, and manage endpoints at scale. On the server side, I built the infrastructure those endpoints connect to.

Working within hardware constraints — Apple Silicon, UTM's NAT networking — forced me to understand why configurations are done the way they are, not just how to click through wizards. Every limitation I documented taught me something a lab manual couldn't.

The skills demonstrated here are foundational systems administration work: AD DS, DHCP, GPO, NTFS permissions, PowerShell, Storage Spaces, provisioning packages, and verification discipline.

Active Directory & Identity

Forest creation, DC promotion, OU hierarchy, user/group administration, ADUC

Network Services

DHCP multi-scope design, static IP assignment, DNS configuration, forwarders

Group Policy

GPO creation, linking, Administrative Templates, account policy, lockout simulation

Storage & File Services

Storage Spaces 2-way mirror, CompanyShare, NTFS + share permission layering

Endpoint Administration

Windows 11 deployment, provisioning packages, local security policy, File History

PowerShell

Static IP assignment, gpupdate /force, Export-StartLayout, verification commands