Running a full Active Directory environment in your home lab doesn’t require a GUI-heavy Windows Server install. Server Core keeps the resource footprint small, it’s closer to how real enterprise environments run, and managing it entirely through PowerShell is a genuinely useful skill. In this guide I’ll walk through creating a Windows Server 2025 Core VM in Proxmox, promoting it to a domain controller, joining a Windows 11 machine to the domain, and installing RSAT so you can manage everything from a familiar GUI, without ever needing one on the server itself.
The server restarts. After rebooting, send Ctrl+Alt+Delete via the Proxmox console extra keys panel and log back in as Administrator.
Wait for the installation to complete; it reports Success: True when done.
You’ll be prompted to set a Safe Mode Administrator Password (DSRM password). This is used for AD recovery scenarios, so make it strong and store it somewhere safe. The server reboots automatically and comes back as a domain controller.
Once installed, open Active Directory Users and Computers from the Start menu. You’ll see your domain, the default containers, and the user accounts you created.
Then move your user accounts and the Windows 11 computer object into the appropriate OUs using RSAT’s drag-and-drop interface, or via PowerShell:
Why Windows Server Core?
Server Core is Windows Server without the desktop experience: no Explorer, no Start menu, just a command prompt and PowerShell. It uses significantly less RAM and disk space than the Desktop Experience install, boots faster, and has a smaller attack surface. For a home lab domain controller it’s the right choice: lean, practical, and it mirrors what you’d encounter in a real enterprise environment. In this guide, our domain will be ithomelab.local and the domain controller will be named HLDC01 (Home Lab Domain Controller 01). The naming convention is deliberate: if you want to add additional domain controllers later for replication and redundancy, you can simply increment: HLDC02, HLDC03, and so on.
Note: Hardware used: Dell Latitude 5411 with 32GB RAM and a 512GB SSD, running Proxmox VE. The domain controller VM runs with just 2 cores and 4GB RAM; Server Core is that lightweight.
What You’ll Need
- Proxmox VE installed (see: Proxmox VE Home Lab Setup)
- Windows Server 2025 evaluation ISO (free 180-day eval), uploaded to Proxmox
- A Windows 11 VM or physical machine to join to the domain
- Basic familiarity with PowerShell (all commands are provided below)
Step-by-Step Setup
1. Create the Windows Server 2025 Core VM in Proxmox
In the Proxmox web UI click Create VM. Work through the wizard with these settings:
- OS: Select your Windows Server 2025 ISO. Type: Microsoft Windows, Version: 11/2022/2025
- System: Machine: q35, BIOS: OVMF (UEFI). Add TPM: select your storage and set version to v2.0 (required by Server 2025)
- Disk: 60 GB, change disk type to SATA for out-of-the-box driver compatibility
- CPU: 2 cores. Server Core is lightweight and doesn’t need more for a home lab DC
- Memory: 4096 MB, more than enough for a Core installation
- Network: Change to VirtIO (or Intel E1000 if you prefer guaranteed out-of-box driver support). Bridge: vmbr0
2. Install Windows Server 2025 Core
Work through the Windows setup wizard:
- Language: your preference. Time/currency: set to your region (e.g. Australia)
- Keyboard: US Standard
- Click Install Now, then accept the license terms
- Select edition carefully: choose Windows Server 2025 Standard, the top option without ‘(Desktop Experience)’. This is the Core installation
- Installation type: Custom (clean install)
- Select the detected disk and click Next
Warning: To send Ctrl+Alt+Delete in the Proxmox console, use the Extra Keys panel on the right side of the console toolbar. Click the panel icon and select Ctrl+Alt+Delete from the options.
3. Rename the server
After first login you land at a Command Prompt. Switch to PowerShell and rename the server:
```powershell
Rename-Computer -NewName "HLDC01" -Restart
```
4. Set a static IP address
A domain controller must have a static IP. You can do this through the Server Configuration menu (option 8 in sconfig) or directly in PowerShell.
Tip: A good IP addressing convention for domain controllers: reserve .1 to .9 for network hardware (routers, switches, firewalls) and start domain controllers at .10. HLDC01 = 10.0.2.10, HLDC02 = 10.0.2.11, and so on. This keeps your network organised as it grows.
Warning: If you get an IP conflict (address already in use on your network), change the IP to the next available address, e.g. 10.0.2.9. You’ll also need to update the DNS setting on any machines already pointing to the old address.
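The guide does not show the PowerShell route for this step. One way to do it, as an added example that is not the author's own commands: only 10.0.2.10 comes from the guide, while the /24 prefix, the 10.0.2.1 gateway, the upstream DNS server and the single-NIC layout are assumptions. It finishes by reading the result of Windows' duplicate address detection, which is how the IP conflict mentioned above shows up.

```powershell
# Added example, not from the original guide.
$Address = '10.0.2.10'   # DC address used in this guide
$Prefix  = 24            # assumption: /24 subnet
$Gateway = '10.0.2.1'    # assumption: router address
$Dns     = '10.0.2.1'    # assumption: upstream resolver until the DNS role is installed

# Use the first connected adapter (a single-NIC VM is assumed).
$Alias = (Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1).Name

# Clear the DHCP-assigned IPv4 address and default route so the static
# values do not collide with leftovers from the lease.
Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# Assign the static address, gateway and DNS server.
New-NetIPAddress -InterfaceAlias $Alias -IPAddress $Address `
    -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $Dns

# Give duplicate address detection a few seconds, then read its verdict.
Start-Sleep -Seconds 5
$state = (Get-NetIPAddress -InterfaceAlias $Alias -IPAddress $Address).AddressState
if ($state -eq 'Duplicate') {
    Write-Warning "$Address is already in use on this network; choose another address."
} else {
    Get-NetIPConfiguration -InterfaceAlias $Alias
}
```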
5. Install AD Domain Services and DNS
```powershell
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools
```
6. Promote to domain controller and create a new forest
Replace ithomelab.local with your preferred internal domain name. The NetbiosName is the short domain name used for legacy compatibility, typically the first part of your domain in uppercase:
```powershell
Install-ADDSForest `
    -DomainName "ithomelab.local" `
    -DomainNetbiosName "ITHOMELAB" `
    -ForestMode "WinThreshold" `
    -DomainMode "WinThreshold" `
    -InstallDns:$true `
    -Force:$true
```
7. Create domain admin and standard user accounts
Log back in as Administrator. Drop to PowerShell and create your accounts:
```powershell
# Create a domain admin account (Neo in this example; use your own name)
New-ADUser `
    -Name "Neo" `
    -SamAccountName "neo" `
    -UserPrincipalName "neo@ithomelab.local" `
    -AccountPassword (Read-Host -AsSecureString "Enter password") `
    -PasswordNeverExpires $true `
    -Enabled $true

# Add Neo to Domain Admins, Enterprise Admins, and Schema Admins
Add-ADGroupMember -Identity "Domain Admins" -Members "neo"
Add-ADGroupMember -Identity "Enterprise Admins" -Members "neo"
Add-ADGroupMember -Identity "Schema Admins" -Members "neo"

# Create a standard user account (Trinity in this example)
New-ADUser `
    -Name "Trinity" `
    -SamAccountName "trinity" `
    -UserPrincipalName "trinity@ithomelab.local" `
    -AccountPassword (Read-Host -AsSecureString "Enter password") `
    -Enabled $true
```
Tip: Best practice: don’t use your domain admin account for day-to-day logins on workstations. Create a separate standard user account for everyday use and only elevate to the admin account when needed. This limits the blast radius if a workstation is compromised.
8. Verify the admin account and disable the built-in Administrator
Before disabling the built-in Administrator account, reboot and confirm you can log in with the new domain admin account. In the Proxmox console, send Ctrl+Alt+Delete, select Other User, and log in as ITHOMELAB\neo with the password you set.
Once confirmed working, drop to PowerShell as Neo and disable the built-in Administrator:
```powershell
Disable-ADAccount -Identity "Administrator"
```
Warning: Only disable the built-in Administrator account after you’ve confirmed your new domain admin account can log in and has full admin rights. If you lock yourself out, you’ll need to boot into DSRM using the recovery password you set during forest creation to recover.
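A check that covers steps 7 and 8 together, as an added example that is not part of the original guide: it lists every user in the three privileged groups, confirms another enabled Domain Admin exists before the built-in Administrator is disabled, and flags privileged accounts whose password never expires. It assumes the ActiveDirectory module is available (on the DC, or on a workstation with RSAT).

```powershell
# Added example, not from the original guide.
Import-Module ActiveDirectory

$groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# One row per (group, user); -Recursive resolves nested group membership.
$report = foreach ($group in $groups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate |
        Select-Object @{ n = 'Group'; e = { $group } }, SamAccountName, Enabled,
                      PasswordNeverExpires, PasswordLastSet, LastLogonDate
}
$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# The built-in Administrator always has RID 500, whatever it is renamed to.
$builtin = Get-ADUser -Identity "$((Get-ADDomain).DomainSID.Value)-500"

# Step 8 is only safe if another enabled Domain Admin exists.
$otherAdmins = $report | Where-Object {
    $_.Group -eq 'Domain Admins' -and $_.Enabled -and
    $_.SamAccountName -ne $builtin.SamAccountName
}
if (-not $otherAdmins) {
    Write-Warning 'No other enabled Domain Admin found; do not disable the built-in Administrator.'
} elseif ($builtin.Enabled) {
    Write-Warning "Built-in account '$($builtin.SamAccountName)' is still enabled."
}

# Privileged accounts whose password never expires deserve a second look.
$report | Where-Object { $_.Enabled -and $_.PasswordNeverExpires } |
    Select-Object SamAccountName -Unique |
    ForEach-Object {
        Write-Warning "$($_.SamAccountName): privileged and PasswordNeverExpires is set."
    }
```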
9. Join a Windows 11 machine to the domain
On the Windows 11 machine, first update the DNS server to point to your domain controller:
- Go to Settings > Network & Internet > Ethernet > DNS server assignment > Manual
- Set Preferred DNS to your DC’s IP (e.g. 10.0.2.10)
- Set Alternate DNS to a public DNS (e.g. 8.8.8.8) as a fallback
- Go to Settings > System > About > Domain or workgroup
- Click Change, select Domain, and enter ithomelab.local
- Enter your domain admin credentials when prompted (ITHOMELAB\neo)
- Restart when prompted
10. Install RSAT on Windows 11
After the Windows 11 machine reboots and you log in with a domain account, install RSAT so you can manage Active Directory from a GUI:
- Go to Settings > System > Optional features > View features
- Search for RSAT
- Install RSAT: Active Directory Domain Services and Lightweight Directory Services Tools
The same feature can be installed from an elevated PowerShell prompt:
```powershell
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
```
11. Organise your domain with OUs
The default Active Directory containers (like the built-in Computers container) don’t support Group Policy. Move computers and users into proper Organisational Units so you can apply GPOs to them later. A clean OU structure to start with:
```powershell
# Create top-level OU for your organisation
New-ADOrganizationalUnit -Name "ITHomeLab" -Path "DC=ithomelab,DC=local"

# Create sub-OUs for users
New-ADOrganizationalUnit -Name "Users" -Path "OU=ITHomeLab,DC=ithomelab,DC=local"
New-ADOrganizationalUnit -Name "Elevated Accounts" -Path "OU=ITHomeLab,DC=ithomelab,DC=local"
New-ADOrganizationalUnit -Name "Standard Accounts" -Path "OU=ITHomeLab,DC=ithomelab,DC=local"

# Create sub-OUs for devices
New-ADOrganizationalUnit -Name "Devices" -Path "OU=ITHomeLab,DC=ithomelab,DC=local"
New-ADOrganizationalUnit -Name "Servers" -Path "OU=Devices,OU=ITHomeLab,DC=ithomelab,DC=local"
New-ADOrganizationalUnit -Name "Workstations" -Path "OU=Devices,OU=ITHomeLab,DC=ithomelab,DC=local"
```
```powershell
# Move Neo to Elevated Accounts
Move-ADObject -Identity (Get-ADUser neo) `
    -TargetPath "OU=Elevated Accounts,OU=ITHomeLab,DC=ithomelab,DC=local"

# Move Trinity to Standard Accounts
Move-ADObject -Identity (Get-ADUser trinity) `
    -TargetPath "OU=Standard Accounts,OU=ITHomeLab,DC=ithomelab,DC=local"
```
Tip: Moving computers out of the default Computers container into a proper OU is important. The Computers container is a container, not an OU, and Group Policy Objects cannot be linked to it. Any GPOs you create won’t apply to machines sitting in the default Computers container.
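The guide shows the PowerShell move for the user accounts only. The equivalent for computer objects, as an added example that is not part of the original guide: it finds every machine still sitting in the default Computers container and moves it into the Workstations or Servers OU created above. Sorting by the OperatingSystem attribute is an assumption of this example; the domain controller itself lives in the Domain Controllers OU and is not touched.

```powershell
# Added example, not from the original guide.
Import-Module ActiveDirectory

$domain       = Get-ADDomain
$workstations = "OU=Workstations,OU=Devices,OU=ITHomeLab,$($domain.DistinguishedName)"
$servers      = "OU=Servers,OU=Devices,OU=ITHomeLab,$($domain.DistinguishedName)"

# Computer objects directly inside the default container, where no GPO
# can be linked. ComputersContainer resolves to CN=Computers,DC=... by default.
$stray = Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer `
    -SearchScope OneLevel -Properties OperatingSystem

foreach ($computer in $stray) {
    # Assumption: anything reporting a Server OS goes to Servers, the rest to Workstations.
    $target = if ($computer.OperatingSystem -like '*Server*') { $servers } else { $workstations }

    # -WhatIf prints the planned move only; remove it to apply the change.
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $target -WhatIf
}

# After the real run, confirm where every computer object now lives.
Get-ADComputer -Filter * | Sort-Object DistinguishedName |
    Format-Table Name, DistinguishedName -AutoSize
```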