Microsoft Home Lab Architecture

Part 02- Microsoft Home Lab Architecture


In the previous article, we introduced the concept of creating a Microsoft Home Lab. Today, we embark on this exciting journey. Let’s start by examining the architecture we aim to establish in our environment

The idea is as follows. Below is an illustration that we will describe more in the explanation area.

You can find this file on my Github repository

NOTE: Please note that the final architecture may change a bit.
The fields highlighted in green represent the server roles that are installed on the server. Because this is a Home Lab environment we will minimize the number of servers and we will run different server roles on it. This is not recommended for the production.

Explanation area

Microsoft Azure:

On Azure, we will create two subscriptions. One subscription will be used to establish a Site-to-Site VPN connection with the On-Prem environment. We will follow Microsoft’s best practices, specifically the Hub-Spoke architecture, which we will limit due to increased costs. The second subscription will serve all other resources. There will be a peering connection between the subscriptions, allowing other resources to use S2S VPN connections to the On-Premise environment.

Additionally, we will deploy an extra Domain Controller in the cloud, join it to our domain, enable replication, and set up Azure Arc for seamless connectivity with our On-Premise Servers.

In the future, we will gradually add new Azure services.


In the On-Premise environment, we will leverage the Hyper-V virtualization tool to create our setup. We will illustrate the structure of the virtualization environment, deploying servers and client devices. We will also demonstrate how to create templates, use differencing disks to save space, and utilize Sys-Prep for preparing new devices.


We will use the RRAS function to enable NAT for all servers and clients and establish a connection to the Azure environment. We will also demonstrate everything needed for this, including Port Forwarding.

Once this setup is ready, we will proceed to set up the domain, which will include Active Directory Domain Services (AD DS), organizational unit structure, group policies, DHCP, DNS, etc.

We will also prepare a Root Certificate Authority enabling certificate issuance and NPS which will be responsible for certificate authentication such as 802.1x. We will demonstrate how to deploy Microsoft Certificate Connector to issue certificates in the cloud (SCEP).

In the future, we will gradually add new services.

Microsoft 365 :

We will set up Microsoft 365 Tenant, Microsoft Intune, and Microsoft Entra. We will demonstrate how to customize the cloud environment to reflect our lab’s identity using Microsoft AI technologies.

Solutions such as Always On VPN, Global Secure Access, Microsoft Tunnel, Microsoft LAPS, Windows Hello for Business, and Autopilot will be implemented. Additionally, we will set up the Intune Connector for device enrollment and WHFB Cloud Trust to allow authentication to servers using Biometrics such as PINs, FIDO keys, Face Recognition, etc.

We will also demonstrate how to set up / deploy Android and Apple devices (MDM and MAM).


Windows Devices Deploy

We will demonstrate the deployment of three types of devices: Microsoft Entra AD Joined, Microsoft Entra Hybrid Joined, and Microsoft Active Directory Joined. We will explain the differences between these different types of enrollment.



Keep in mind that architecture is likely to change a bit through this project. See ya in the next post 🙂

Leave a Reply