A hybrid enterprise network simulation replicating Small-to-Medium Business (SMB) infrastructure. This project demonstrates the on-premise integration of Windows Active Directory with Linux services, identity management automation, defensive auditing, and network segmentation.
Table of Contents
- Project Overview
- Author & Links
- Laboratory Environment
- Network Topology
- Implementation Walkthrough
- Phase 1: The Foundation (Identity & DNS)
- Phase 2: Hybrid Services (Linux Integration)
- Phase 3: Operations & Security (GPO & Audit)
- Phase 4: Network Engineering (Routing & Hardening)
- Tools & Utilities
- Key Configurations
- Disclaimer
Project Overview
Corp.DZ is a hands-on home lab built to simulate a secure corporate LAN. Unlike cloud-based labs, this environment focuses on on-premise logic, requiring manual configuration of TCP/IP stacks, internal DNS zones, routing tables, and Active Directory forests.
Key Competencies Demonstrated:
- Air-Gapped Architecture: Designed an isolated internal subnet structure (192.168.10.x / 172.16.20.x) ensuring zero leakage to the host network.
- Hybrid Integration: Successfully bridged Windows Server 2022 and Ubuntu Linux 24.04 using split-brain DNS.
- Identity Management: Deployed AD DS, RBAC (Role-Based Access Control), and automated user provisioning via PowerShell.
- Security Ops: Implemented Least Privilege delegation, SSH hardening (Key-based auth), and conducted internal penetration tests.
Author & Links
Salah Eddine Medkour
Junior Network Engineer | Technical Lab Instructor @ Badji Mokhtar University | Master's in Networks & Telecommunications
- Portfolio: salahmed-ctrlz.github.io
- LinkedIn: Salah Eddine Medkour
- GitHub: salahmed-ctrlz
Laboratory Environment
The infrastructure operates on a local workstation using Oracle VirtualBox. VMs are bridged via dedicated "Internal Network" adapters to simulate physical LAN cabling.
Host Hardware Configuration
- CPU: AMD Ryzen 5 5600 (6 Cores / 12 Threads)
- GPU: NVIDIA GTX 1650 (Dual Monitor Setup for Admin Center simulation)
- RAM: 16 GB DDR4 (Dynamically allocated to VMs)
- Storage: NVMe SSD (Critical for concurrent VM I/O)
- Network: 1.5 Gbps FTTH (Host-side only for ISO retrieval)
Virtual Machine Inventory (BOM)
- CorpDZ-DC
  - Role: Domain Controller & Router
  - OS: SERVER_EVAL_x64FRE_en-us.iso (Server 2022)
  - Network: Static IP (.2) / Dual NIC
- CorpDZ-Client
  - Role: Employee Workstation
  - OS: en-us_windows_10_enterprise_ltsc_2021...iso
  - Network: DHCP (Relay)
- CorpDZ-Web
  - Role: Intranet Server
  - OS: ubuntu-24.04.3-live-server-amd64.iso
  - Network: Static IP (.5)
- Kali-Audit
  - Role: Red Team / Audit
  - OS: Kali Linux Rolling 2024
  - Network: DHCP
Network Topology
The lab evolved from a flat network to a segmented architecture to simulate enterprise security zones.
Implementation Walkthrough
Phase 1: The Foundation (Identity & DNS)
- Establishing the Data Center core.
- Server Provisioning: Installed Windows Server 2022 and promoted to Domain Controller (corp.dz).
- IP Management: Configured Static IPs and authorized DHCP Scope OfficeLAN (.100-.200).
- Client Onboarding: Joined Windows 10 LTSC Client to the domain; verified internal DNS resolution.
Phase 2: Hybrid Services (Linux Integration)
- Bridging OS environments.
- Linux Deployment: Deployed Ubuntu Server; configured Netplan (YAML) for static networking pointing to the Windows DC for DNS.
- Intranet Services: Installed Nginx and deployed a custom "Authorized Personnel Only" dashboard.
- Resolution: Created a Windows DNS A-Record mapping www.corp.dz to the Linux server IP. Validated access from client browsers.
Phase 3: Advanced Administration (GPO & Security)
- Simulating real-world SysAdmin tasks.
- Automation: Scripted bulk user onboarding via PowerShell (CSV import).
- Least Privilege: Created a "Junior Admin" account (Adam.Helpdesk) and Delegated Control for specific OUs only.
- Disaster Recovery: Implemented Folder Redirection GPO. User Desktop data automatically syncs to a central server share (\\CorpDZ-DC\UserFiles).
- Policy Management: Managed GPO Precedence (LSDOU), utilizing "Enforced" policies to resolve conflicting wallpaper settings.
Phase 4: Network Engineering (Routing & Hardening)
- Breaking the network to rebuild it stronger.
- Segmentation: Split the network into two subnets (Server vs. Staff) to isolate critical assets.
- Software Routing: Configured RRAS on Windows Server to route traffic between virtual interfaces.
- DHCP Relay: Configured a Relay Agent to forward IP requests from the isolated Staff LAN to the central DHCP server.
- SSH Hardening: Generated 4096-bit RSA keys, installed them on Linux, and disabled password authentication (PasswordAuthentication no).
- Penetration Test: Deployed Kali Linux internally and attempted a brute-force attack (Hydra) against the hardened server. Result: Attack Failed (Access Denied).
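The SSH hardening step above hinges on which PasswordAuthentication value sshd actually uses. Two sshd behaviours matter on Ubuntu 24.04: for every keyword sshd keeps the first value it reads and ignores later ones, and the stock /etc/ssh/sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, so an installer-written drop-in (for example 50-cloud-init.conf containing PasswordAuthentication yes) is read before any edit made further down the main file. The following is an added example, not part of the lab's own tooling: a small PowerShell (pwsh runs on Linux too) check that evaluates a config in sshd's read order. The file contents are constructed sample lines, and the parser deliberately stops at the first Match block.

```powershell
# Added example (not from the lab): compute the *effective* sshd setting the way sshd does.
# Rule 1: first occurrence of a keyword wins.  Rule 2: Include'd drop-ins are read in place,
# so on Ubuntu they come before the admin's own lines in the main file.
function Get-SshdEffectiveSetting {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,   # main config with drop-ins already expanded, in read order
        [Parameter(Mandatory)] [string]   $Keyword
    )
    foreach ($line in $Lines) {
        $trimmed = ($line -replace '\s+#.*$', '').Trim()     # drop trailing comments
        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
        if ($trimmed -match '^Match\b') { break }           # global section ends at the first Match block
        $parts = $trimmed -split '[\s=]+', 2
        if ($parts[0] -ieq $Keyword) { return $parts[1].Trim() }   # first match wins
    }
    return $null   # keyword absent: sshd's compiled-in default applies
}

function Test-SshdHardening {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $findings = @()
    $pw = Get-SshdEffectiveSetting -Lines $Lines -Keyword 'PasswordAuthentication'
    if ($pw -ne 'no') { $findings += "PasswordAuthentication is '$pw' (sshd default is yes); expected 'no'" }
    $pk = Get-SshdEffectiveSetting -Lines $Lines -Keyword 'PubkeyAuthentication'
    if ($pk -eq 'no') { $findings += "PubkeyAuthentication is explicitly 'no'; key-based logins would fail" }
    $root = Get-SshdEffectiveSetting -Lines $Lines -Keyword 'PermitRootLogin'
    if ($root -eq 'yes') { $findings += "PermitRootLogin is 'yes'" }
    return $findings
}

# Constructed sample reproducing the Ubuntu layout: the drop-in, then the admin's edit.
$DropIn = @(
    '# /etc/ssh/sshd_config.d/50-cloud-init.conf (written by the installer)'
    'PasswordAuthentication yes'
)
$MainConfig = @(
    '# /etc/ssh/sshd_config'
    'Include /etc/ssh/sshd_config.d/*.conf'
    'PubkeyAuthentication yes'
    'PasswordAuthentication no'
    'PermitRootLogin prohibit-password'
)
# sshd expands the Include in place, so the drop-in lines are evaluated first
$EffectiveOrder = $MainConfig[0..1] + $DropIn + $MainConfig[2..($MainConfig.Count - 1)]
Test-SshdHardening -Lines $EffectiveOrder
```

Run against the constructed input, the check reports that password authentication is still enabled because the drop-in is read first; the fix is to edit or remove the drop-in, not to append another line to sshd_config. On the real server the authoritative check is sudo sshd -T, which prints the effective value of every keyword after all includes are resolved; run it after every edit and before pointing Hydra at the box.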
Tools & Utilities
Key tools leveraged for management, automation, and troubleshooting:
- 99SAK - PowerShell Swiss Army Knife: A custom single-file, portable admin toolkit I developed. It features 99 menu-driven operations for Windows, including network triage, system maintenance, and log analysis. Used extensively during this lab for rapid diagnostics.
- RSAT: Remote Server Administration Tools for AD management from the client.
- PuTTY: SSH client for remote Linux management.
- Nmap & Hydra: Offensive security tools used for auditing network visibility and defense validation.
Key Configurations
- Ubuntu Netplan Config (/etc/netplan/50-cloud-init.yaml)
Critical configuration for pointing Linux DNS to the Windows Controller.
network:
  ethernets:
    enp0s3:
      addresses: [192.168.10.5/24]
      routes:
        - to: default
          via: 192.168.10.2 # Gateway is the Windows Server
      nameservers:
        addresses: [192.168.10.2] # DNS is the Windows Server
  version: 2
- PowerShell Bulk User Import (Snippet)
Automation logic used for HR onboarding.
Import-Module ActiveDirectory
# One initial password for the batch; each user must change it at first logon.
$InitialPassword = Read-Host -Prompt "Initial password" -AsSecureString
Import-Csv "C:\HR_Data.csv" | ForEach-Object {
    # New-ADUser rejects -Enabled $true unless an AccountPassword that meets domain policy is supplied
    New-ADUser -Name $_.Name -Path "OU=Sales,DC=corp,DC=dz" -AccountPassword $InitialPassword -ChangePasswordAtLogon $true -Enabled $true
}
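The snippet above creates every row in one OU. The Phase 3 onboarding task usually needs a little more: a naming convention for sAMAccountName, placement by department, and safe re-runs when HR re-sends a CSV that already contains existing staff. The following is an added example written for this walkthrough, not the lab's own script: it assumes the RSAT ActiveDirectory module, the corp.dz domain, and OUs named Sales, IT and HR directly under the domain root (the IT and HR OUs are assumptions; the page only names Sales). The CSV rows are constructed inline so the logic can be read without the real HR_Data.csv; swap the here-string for Import-Csv in use.

```powershell
# Added example (not the lab's own script): idempotent bulk onboarding with per-department OUs.
Import-Module ActiveDirectory

# Constructed sample input; in the lab this is Import-Csv "C:\HR_Data.csv"
$HrRecords = @"
FirstName,LastName,Department
Amina,Bensalem,Sales
Karim,Haddad,IT
"@ | ConvertFrom-Csv

# Department -> OU mapping (OU names other than Sales are assumed)
$OuByDepartment = @{
    Sales = 'OU=Sales,DC=corp,DC=dz'
    IT    = 'OU=IT,DC=corp,DC=dz'
    HR    = 'OU=HR,DC=corp,DC=dz'
}

# Prompted once for the batch; every account is forced to change it at first logon
$InitialPassword = Read-Host -Prompt 'Initial password for new accounts' -AsSecureString

function New-CorpUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]       $FirstName,
        [Parameter(Mandatory)] [string]       $LastName,
        [Parameter(Mandatory)] [string]       $Department,
        [Parameter(Mandatory)] [securestring] $Password
    )
    # Naming convention assumed here: first.last, trimmed to the 20-character sAMAccountName limit
    $sam = ("{0}.{1}" -f $FirstName, $LastName).ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }

    $ou = $OuByDepartment[$Department]
    if (-not $ou) {
        Write-Warning "No OU mapped for department '$Department'; skipping $sam"
        return [pscustomobject]@{ SamAccountName = $sam; Status = 'SkippedUnknownOU' }
    }
    # Idempotent: a second run of the same CSV never creates a duplicate or resets anyone
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue) {
        return [pscustomobject]@{ SamAccountName = $sam; Status = 'AlreadyExists' }
    }
    if ($PSCmdlet.ShouldProcess($sam, "Create user in $ou")) {
        New-ADUser -Name "$FirstName $LastName" `
                   -GivenName $FirstName -Surname $LastName `
                   -SamAccountName $sam `
                   -UserPrincipalName "$sam@corp.dz" `
                   -Path $ou `
                   -Department $Department `
                   -AccountPassword $Password `
                   -ChangePasswordAtLogon $true `
                   -Enabled $true
    }
    return [pscustomobject]@{ SamAccountName = $sam; Status = 'Created' }
}

# Run with -WhatIf on New-CorpUser first to see what would be created without touching AD
$HrRecords | ForEach-Object {
    New-CorpUser -FirstName $_.FirstName -LastName $_.LastName -Department $_.Department -Password $InitialPassword
} | Format-Table -AutoSize
```

Because the function declares SupportsShouldProcess, adding -WhatIf to the New-CorpUser call prints the intended creations without writing to the directory, which is the right first run on a domain controller. The existence check is what makes the script safe to re-run after a partial failure halfway through a large CSV.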
- Folder Redirection Strategy
- GPO Setting: User Configuration > Policies > Windows Settings > Folder Redirection
- Target Path: \\192.168.10.2\UserFiles\%USERNAME%\Desktop
- Rationale: Using the IP address in the UNC path ensures the policy applies even if DNS services are slow to start during the boot sequence.
Validation Checklist
The following tests were performed to verify infrastructure integrity:
- DNS Resolution: ping www.corp.dz resolves to 192.168.10.5 from client workstations.
- RBAC Enforcement: Adam.Helpdesk receives "Access Denied" when attempting to reset IT Admin passwords.
- Routing: ICMP traffic flows successfully between Zone A (Server) and Zone B (Staff).
- Defense Hardening: Hydra brute-force attack against the Linux server fails due to public-key enforcement.
- Data Persistence: User files persist on the server even after client VM deletion.
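Most of the checklist above can be re-run from a domain-joined Windows client after every change to the lab. The following is an added example, not part of the original writeup: a PowerShell function that exercises the DNS, routing, share, SSH-port and intranet checks and returns pass/fail objects. The DC and web-server addresses are the lab's own; the staff-subnet gateway (172.16.20.1) is a placeholder for the RRAS interface on that side, since the page gives only the 172.16.20.x prefix. The RBAC item is left out on purpose: an "Access Denied" test for Adam.Helpdesk should be run interactively, logged on as that account, against a throwaway test user, so that a mis-delegated right never resets a real administrator's password.

```powershell
# Added example (not from the lab): automated baseline checks for the Corp.DZ lab, run from a client.
function Test-CorpDzBaseline {
    [CmdletBinding()]
    param(
        [string] $WebFqdn      = 'www.corp.dz',
        [string] $WebIp        = '192.168.10.5',
        [string] $DcIp         = '192.168.10.2',
        [string] $UserShare    = '\\192.168.10.2\UserFiles',
        [string] $StaffGateway = '172.16.20.1'   # placeholder: the RRAS interface on the staff subnet
    )
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result([string] $Check, [bool] $Pass, [string] $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # 1. DNS: www.corp.dz must resolve to the Linux server, asking the DC directly
    $a = Resolve-DnsName -Name $WebFqdn -Type A -Server $DcIp -ErrorAction SilentlyContinue |
         Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1
    Add-Result 'DNS resolution' ($a.IPAddress -eq $WebIp) "got '$($a.IPAddress)', expected $WebIp"

    # 2. Routing: ICMP across the RRAS router into the other zone
    $routed = Test-Connection -ComputerName $StaffGateway -Count 2 -Quiet -ErrorAction SilentlyContinue
    Add-Result 'Routing' $routed "ICMP to $StaffGateway"

    # 3. Folder-redirection target is reachable from the client
    Add-Result 'UserFiles share' (Test-Path -Path $UserShare) $UserShare

    # 4. SSH listener on the web server (key-only auth itself is verified on the Linux side)
    $ssh = Test-NetConnection -ComputerName $WebIp -Port 22 -WarningAction SilentlyContinue
    Add-Result 'SSH port 22' $ssh.TcpTestSucceeded "TCP 22 to $WebIp"

    # 5. Intranet dashboard answers over HTTP
    try {
        $http = Invoke-WebRequest -Uri "http://$WebFqdn/" -UseBasicParsing -TimeoutSec 5
        Add-Result 'Intranet HTTP' ($http.StatusCode -eq 200) "HTTP $($http.StatusCode)"
    } catch {
        Add-Result 'Intranet HTTP' $false $_.Exception.Message
    }

    return $results
}

Test-CorpDzBaseline | Format-Table -AutoSize
```

One caveat worth knowing about the folder-redirection target: a UNC path built from an IP address cannot be turned into a Kerberos service principal name, so SMB to \\192.168.10.2\UserFiles authenticates with NTLM, whereas the hostname form \\CorpDZ-DC\UserFiles used in Phase 3 keeps Kerberos in play. Both work in this lab; the trade-off is boot-time robustness against the weaker authentication protocol.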
Disclaimer
This project is a Home Lab simulation intended for educational purposes and professional skill development. While it utilizes enterprise-grade software and configurations (AD, GPO, Linux Servers), it represents a controlled testing environment.
© 2026 Salah Eddine Medkour. Documented as part of personal "Zero-to-Hero" Infrastructure Sprint.
Repo: For More Info