
Build Your Own Smart Network Lab: Fun Projects with UniFi and Windows Servers

As I have been on vacation for the past week, I figured I would get right back into it by researching some projects I can play around with. While a few of these have already been completed by me, they still hold a lot of value for beginners in IT. Good luck!

If you’re into networking, tech tinkering, or just want to level up your IT skills at home or in the office, setting up a smart network lab with UniFi equipment and a Windows Server can be a rewarding project. Not only does it sharpen your skills with real-world tools, but it also creates a safe, isolated space to experiment with enterprise-grade features like VLAN segmentation, firewall rules, and Active Directory.

In this post, we’ll walk through a complete setup using a UniFi firewall (UDM, UDM Pro, or USG), UniFi switch, and a Windows Server 2019/2022 VM or physical install. The goal? A segmented, secure, and remotely accessible lab you can use to simulate business IT environments, learn advanced network management, or even host internal services like DNS, file sharing, or custom web apps.


🔧 Hardware & Software Requirements

UniFi Hardware

  • UniFi Firewall (UDM, UDM SE, UDM Pro, or USG)
  • UniFi Managed Switch (Layer 2 or Layer 3)
  • UniFi Controller (UDM has it built-in, or use a Cloud Key / Docker / Windows/Linux box)
  • Access Point (Optional, for wireless testing)

Server & Client

  • Windows Server 2019 or 2022
    • Physical or virtual (e.g., Hyper-V, VirtualBox, VMware)
  • 1–2 Windows 10/11 Clients (Optional but great for AD testing)
  • PC or Laptop for configuration

🧱 Step 1: Planning Your Network

First, let’s map out our goal:

We want to simulate a business-like environment with separate VLANs for:

  • LAN (Mgmt) – 192.168.1.0/24
  • LAB Servers – 192.168.10.0/24
  • Clients – 192.168.20.0/24
  • Guest/IoT – 192.168.30.0/24

This allows us to:

  • Segment and secure traffic
  • Apply UniFi firewall rules between VLANs
  • Control access to the Windows Server
  • Test AD/DNS/DHCP/GPO from scratch

🛠️ Step 2: VLAN Setup on UniFi

1. Create VLAN Networks in UniFi Controller

Go to Settings > Networks, then:

  • Create a LAN network for each VLAN.
  • Assign unique subnets and VLAN IDs (e.g., LAB Servers = VLAN 10).
  • Enable DHCP on each (unless you want Server DHCP later).

  Name         Subnet            VLAN ID   DHCP   Purpose
  LAN (Mgmt)   192.168.1.0/24    N/A       Yes    Admin config
  LAB          192.168.10.0/24   10        Yes    Server VLAN
  Clients      192.168.20.0/24   20        Yes    End-user devices
  Guest/IoT    192.168.30.0/24   30        Yes    Test devices

🧩 Step 3: Switch Port Profiles

Assign VLANs to specific switch ports via Profiles:

  • Mgmt VLAN for your admin PC
  • Trunk ports for anything with multiple VLANs (e.g., Hyper-V host)
  • Access ports for regular devices

Use Settings > Profiles > Switch Ports and define profiles like:

  • “Trunk All”
  • “VLAN 10 – LAB”
  • “VLAN 20 – Clients”

Then go to Devices > [Your Switch] > Ports and apply profiles.


🧰 Step 4: Deploy the Windows Server

Set up your Windows Server either as a VM or on a physical machine.

Suggested Specs:

  • RAM: 8GB minimum
  • CPU: 2+ cores
  • Storage: 100GB+
  • NIC: At least 1 bridged to your LAB VLAN

Role Setup

Once installed, configure:

  • Static IP (e.g., 192.168.10.10/24)
  • Set DNS to itself or UniFi Gateway for now
  • Enable Remote Desktop (optional)

Install the following roles via Server Manager or PowerShell:

    Install-WindowsFeature -Name AD-Domain-Services, DNS, DHCP, File-Services

🏗️ Step 5: Build Your Domain

Use Server Manager > Promote this server to a domain controller.

Setup:

  • New Forest: lab.local
  • NetBIOS: LAB
  • DSRM Password: [secure password]

Let it reboot, then log in as LAB\Administrator.

Now you’ve got an AD environment to experiment with!
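Steps 4 and 5 done in one PowerShell session, as an added example (not code from the original post). It assumes the server's adapter alias is "Ethernet" and that the UniFi gateway's address on VLAN 10 is 192.168.10.1; the DC address 192.168.10.10, forest name lab.local and NetBIOS name LAB are the post's own values.

```powershell
# Added example: static IP, role install, and forest promotion for the lab DC (Steps 4-5).
# Assumptions: NIC alias "Ethernet", UniFi gateway on VLAN 10 at 192.168.10.1.

# --- Step 4: static addressing on the LAB VLAN NIC ---
$Nic     = 'Ethernet'          # assumption: adapter name on your server
$DcIp    = '192.168.10.10'
$Gateway = '192.168.10.1'      # assumption: UniFi gateway address on VLAN 10

Set-NetIPInterface -InterfaceAlias $Nic -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $Nic -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $DcIp -PrefixLength 24 -DefaultGateway $Gateway
# Point DNS at the gateway until the DNS role is up ("itself or UniFi Gateway for now").
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Gateway

# --- Step 4: roles; -IncludeManagementTools gives you the AD/DNS/DHCP cmdlets and consoles ---
Install-WindowsFeature -Name AD-Domain-Services, DNS, DHCP, File-Services -IncludeManagementTools

# --- Step 5: promote to the first DC of a new forest ---
$Dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'   # never hard-code this in a script
Install-ADDSForest `
    -DomainName 'lab.local' `
    -DomainNetbiosName 'LAB' `
    -SafeModeAdministratorPassword $Dsrm `
    -InstallDns:$true `
    -Force:$true
# The server reboots on its own. Afterwards, log in as LAB\Administrator and verify:
#   Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode
#   Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 127.0.0.1
```

The DSRM password is read interactively rather than placed in the script because it is the one credential that still works when AD itself is down; treat it like a break-glass secret.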


📂 Step 6: Add DHCP & DNS (Optional)

If you want your server to handle DHCP for the LAB VLAN:

  • Disable DHCP for VLAN 10 in UniFi Controller
  • Add a new DHCP scope in Server Manager

DNS:

Your server is now a DNS server for lab.local. Point LAB clients to 192.168.10.10 as primary DNS.

Test it:

    nslookup lab.local
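The server-side DHCP scope and DNS checks for Step 6, as an added example that is not part of the original post. It assumes the DC's hostname is dc1.lab.local and the VLAN 10 gateway is 192.168.10.1; DHCP for VLAN 10 must already be disabled in the UniFi Controller so two servers do not answer the same subnet.

```powershell
# Added example: DHCP scope for the LAB VLAN plus DNS verification (Step 6).
# Assumptions: DC = dc1.lab.local / 192.168.10.10, UniFi gateway for VLAN 10 = 192.168.10.1.
$DcIp    = '192.168.10.10'
$Gateway = '192.168.10.1'

# Authorize the DHCP server in AD: an unauthorized Windows DHCP server refuses to hand out leases.
Add-DhcpServerInDC -DnsName 'dc1.lab.local' -IPAddress $DcIp
Add-DhcpServerSecurityGroup          # creates the DHCP Administrators/Users local groups
Restart-Service DHCPServer

# Scope for 192.168.10.0/24; .1-.49 stay outside the pool for gateway, DC and other static hosts.
Add-DhcpServerv4Scope -Name 'LAB Servers' -StartRange 192.168.10.50 -EndRange 192.168.10.200 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 1) -State Active
Set-DhcpServerv4OptionValue -ScopeId 192.168.10.0 -Router $Gateway -DnsServer $DcIp -DnsDomain 'lab.local'

# Forwarders: lab clients resolve everything through the DC, so the DC needs a path to the internet.
Set-DnsServerForwarder -IPAddress $Gateway

# --- DNS checks. nslookup lab.local only proves the A record; clients find a DC via SRV records ---
Resolve-DnsName -Name 'lab.local' -Server $DcIp -Type A
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.lab.local' -Server $DcIp -Type SRV
Get-DhcpServerv4Scope | Format-Table ScopeId, Name, State, StartRange, EndRange
```

If the SRV lookup returns nothing, the Netlogon service has not registered the DC's records yet; `Restart-Service Netlogon` on the DC forces it.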

👥 Step 7: Join Clients to the Domain

Spin up a VM or plug a laptop into the Clients VLAN.

Settings:

  • IP from 192.168.20.x via DHCP
  • Set DNS to point to 192.168.10.10 (DC)

Join it to the domain:

    System > About > Join Domain

Use: lab.local and enter credentials.

Now you’ve got a domain-joined machine to test GPO, RDP, shared drives, etc.
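The same join done from an elevated PowerShell prompt on the client, as an added example (not from the original post). It assumes the client's adapter alias is "Ethernet"; the DC address and domain name are the post's. The pre-flight checks exist because a failed join usually reports a vague "domain could not be contacted", and the real cause is almost always DNS or a firewall rule between the Clients and LAB VLANs.

```powershell
# Added example: prepare a Windows 10/11 client on the Clients VLAN and join lab.local (Step 7).
# Assumptions: adapter alias "Ethernet"; DC at 192.168.10.10 (from the post).
$DcIp   = '192.168.10.10'
$Nic    = 'Ethernet'
$Domain = 'lab.local'

# The address comes from UniFi DHCP on VLAN 20; only DNS is overridden so the DC can be found.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $DcIp

# Pre-flight 1: DC locator records must resolve, or the join fails before any credential is used.
$srv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
'DC located: ' + (($srv | Where-Object Type -eq 'SRV').NameTarget -join ', ')

# Pre-flight 2: the ports a join and logon need from Clients -> LAB. If Step 8's blanket
# drop rule is already in place, these show BLOCKED and the join cannot succeed.
foreach ($p in 53, 88, 135, 389, 445, 464) {
    $t = Test-NetConnection -ComputerName $DcIp -Port $p -WarningAction SilentlyContinue
    '{0,5}  {1}' -f $p, $(if ($t.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# Join. Use an account allowed to join computers; a Domain Admin is not required for that.
$cred = Get-Credential -Message 'Domain account allowed to join computers (e.g. LAB\someuser)'
Add-Computer -DomainName $Domain -Credential $cred -Restart
```

After the reboot, `Get-ComputerInfo | Select-Object CsDomain, CsPartOfDomain` confirms the membership, and `gpresult /r` shows which GPOs applied.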


🔒 Step 8: Configure Firewall Rules

Time to lock things down!

In UniFi Controller:

Go to Settings > Firewall & Security > Internet Rules and LAN IN Rules

Examples:

  • Block Clients VLAN from accessing LAB VLAN
  • Allow Mgmt VLAN full access
  • Allow RDP from Mgmt VLAN to LAB VLAN

Rule: Block Clients → LAB

  • Action: Drop
  • From: Clients (192.168.20.0/24)
  • To: LAB (192.168.10.0/24)
  • Protocol: Any

Test isolation and refine as needed.
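"Test isolation" deserves more than one ping. The script below, an added example rather than anything from the original post, encodes the post's intended policy (Mgmt has full access, Clients and Guest/IoT are dropped toward LAB) and checks the live result from whichever VLAN it runs in. Run it once from a Mgmt host and once from a Clients host; every line should read OK.

```powershell
# Added example: verify the Step 8 firewall rules from the current VLAN against expectations.
# Targets are the DC's services from the post; the expectation table is the post's stated policy.
$Targets = @(
    @{ Name = 'DC RDP'; Host = '192.168.10.10'; Port = 3389 },
    @{ Name = 'DC SMB'; Host = '192.168.10.10'; Port = 445 },
    @{ Name = 'DC DNS'; Host = '192.168.10.10'; Port = 53 }
)
# Expected TCP reachability keyed by the source /24 this machine sits in
$Policy = @{
    '192.168.1'  = @{ 'DC RDP' = $true;  'DC SMB' = $true;  'DC DNS' = $true  }  # Mgmt: full access
    '192.168.20' = @{ 'DC RDP' = $false; 'DC SMB' = $false; 'DC DNS' = $false }  # Clients: drop
    '192.168.30' = @{ 'DC RDP' = $false; 'DC SMB' = $false; 'DC DNS' = $false }  # Guest/IoT: drop
}

$myIp = (Get-NetIPAddress -AddressFamily IPv4 |
         Where-Object { $_.IPAddress -like '192.168.*' } | Select-Object -First 1).IPAddress
$prefix = ($myIp -split '\.')[0..2] -join '.'
if (-not $Policy.ContainsKey($prefix)) { throw "No expectation defined for source $myIp" }

$mismatches = 0
foreach ($t in $Targets) {
    $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    $expected = $Policy[$prefix][$t.Name]
    $ok = ($r.TcpTestSucceeded -eq $expected)
    if (-not $ok) { $mismatches++ }
    $verdict = if ($ok) { 'OK' } else { 'MISMATCH' }
    '{0,-7} {1}:{2,-5} reachable={3,-5} expected={4,-5} {5}' -f $t.Name, $t.Host, $t.Port, $r.TcpTestSucceeded, $expected, $verdict
}
"Source $myIp : $mismatches mismatch(es)"
```

One thing this test will surface: the post's Step 7 points Clients at 192.168.10.10 for DNS and domain logon, while the Step 8 rule drops all Clients → LAB traffic. If you want domain-joined clients on VLAN 20, add an allow rule for the DC's DNS, Kerberos, LDAP and SMB ports above the drop rule (UniFi evaluates rules top to bottom) and flip the matching expectations to $true.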


🌐 Step 9: Remote Access with RDP + VPN (Optional)

Enable RDP on your domain controller or clients and allow it through the UniFi firewall from Mgmt VLAN.

For remote VPN:

  • Use UniFi L2TP VPN or WireGuard on a VM
  • Map routes to internal VLANs

Now you can connect from anywhere securely to your lab!


🧪 Bonus Ideas for Expansion

Now that you’ve got your lab running, here are some things to try:

1. Group Policy Lab

  • Lock down USB ports
  • Map shared drives
  • Configure Windows Firewall

2. Web Server

  • Install IIS and host a test site
  • Add a local DNS entry for intranet.lab.local

3. Syslog/Monitoring

  • Use Uptime Kuma, Graylog, or PRTG
  • Forward UniFi logs to the Windows Server

4. WireGuard VPN Server

  • Install WireGuard on the server and test remote access

5. Security Testing

  • Try Nmap or Wireshark from Clients VLAN to test firewall rules
  • Set up honeypots in IoT VLAN

📊 What You’ll Learn

Through this project, you’ll get hands-on with:

  • VLAN architecture & Layer 2/3 switching
  • Windows Server administration
  • AD, DNS, DHCP in an isolated lab
  • Firewall best practices
  • Remote access configuration
  • Security testing and segmentation

This is the type of project you can keep adding to as your skills grow. It’s perfect for IT pros, students studying for certifications (like CompTIA, MCSA, or CCNA), or anyone who enjoys geeking out with networking.


📦 Final Thoughts

UniFi makes enterprise networking accessible, and combining it with a Windows Server environment opens up tons of learning and tinkering opportunities. Whether you’re prepping for a career move, setting up a secure home office, or just want a cool weekend project, this smart lab setup is a solid foundation.

You’ll end up with a powerful little IT sandbox—and a deeper understanding of how real-world networks work.

🧪 Part 2: Bonus Projects Using UniFi Gear + Windows Server

Once you’ve built your base lab, don’t stop there! With a UniFi firewall, switch, and your Windows Server in place, you can launch into even more exciting projects. These can help you gain real-world IT experience, build certification labs, or just have fun experimenting safely.


🚀 Project 1: Setup a Centralized Syslog and Network Monitoring System

Objective:

Monitor your UniFi network, clients, and even Windows logs in one place.

Tools:

  • Windows Server with WEC / Event Forwarding
  • Install PRTG, Graylog, Uptime Kuma, or Wazuh
  • Enable Syslog export in UniFi (Settings > System > Remote Logging)

Steps:

  1. Set up Graylog or PRTG on Windows Server or a Linux VM.
  2. Forward UniFi logs to the server via Syslog.
  3. Install WEC on the Windows Server to collect event logs from domain-joined clients.
  4. Add SNMP or API integration to monitor CPU, memory, or traffic stats from the UniFi switch or firewall.

What You’ll Learn:

  • Log aggregation
  • Network monitoring and alerting
  • Working with SNMP, Syslog, and Windows event forwarding
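Before standing up Graylog or PRTG, it helps to see what the UniFi gear actually sends. The listener below is an added example (not one of the tools above and not from the original post): it binds UDP/514 on the Windows Server, splits the RFC 3164 `<PRI>` header into facility and severity, and appends each message to a file. It assumes the UniFi device forwarding logs is 192.168.1.1 and that you run it elevated, since port 514 is privileged.

```powershell
# Added example: minimal syslog receiver for step 2 of Project 1 (UDP/514, RFC 3164 PRI parsing).
# Assumptions: UniFi remote-logging source = 192.168.1.1; log file path is arbitrary.
$Port    = 514
$LogFile = 'C:\Logs\unifi-syslog.txt'
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null

# Host firewall: accept syslog only from the UniFi device, not from every VLAN.
New-NetFirewallRule -DisplayName 'Syslog in from UniFi' -Direction Inbound -Protocol UDP `
    -LocalPort $Port -RemoteAddress 192.168.1.1 -Action Allow -ErrorAction SilentlyContinue | Out-Null

# RFC 3164 facility (PRI div 8) and severity (PRI mod 8) names
$Facilities = 'kern','user','mail','daemon','auth','syslog','lpr','news','uucp','cron','authpriv','ftp',
              'ntp','audit','alert','clock','local0','local1','local2','local3','local4','local5','local6','local7'
$Severities = 'emerg','alert','crit','err','warning','notice','info','debug'

function ConvertFrom-SyslogLine {
    param([string]$Line)
    if ($Line -match '^<(\d{1,3})>(.*)$') {
        $pri = [int]$Matches[1]
        [pscustomobject]@{
            Facility = $Facilities[[int][math]::Floor($pri / 8)]
            Severity = $Severities[$pri % 8]
            Message  = $Matches[2]
        }
    } else {
        # No PRI header: keep the raw text so nothing is silently dropped
        [pscustomobject]@{ Facility = '?'; Severity = '?'; Message = $Line }
    }
}

$udp    = New-Object System.Net.Sockets.UdpClient($Port)
$remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
"Listening on UDP $Port; Ctrl+C to stop"
try {
    while ($true) {
        $bytes = $udp.Receive([ref]$remote)
        $rec   = ConvertFrom-SyslogLine ([System.Text.Encoding]::UTF8.GetString($bytes))
        $line  = '{0:s} {1} {2}.{3} {4}' -f (Get-Date), $remote.Address, $rec.Facility, $rec.Severity, $rec.Message
        $line
        Add-Content -Path $LogFile -Value $line
    }
} finally { $udp.Close() }
```

Severity is what you will alert on later (anything at `err` or above from `auth`/`authpriv` is worth a look), and the source address in each line is how you will notice a device logging from a VLAN it should not be on.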

🌍 Project 2: Internal Web Hosting & DNS

Objective:

Host internal websites like dashboards, intranet pages, or helpdesk tools using IIS or Apache.

Example Use Cases:

  • Company Wiki (wiki.lab.local)
  • Uptime Kuma dashboard
  • Helpdesk software like osTicket or GLPI

Steps:

  1. Install IIS or Apache on the Windows Server.
  2. Add host records in your AD DNS (intranet.lab.local → 192.168.10.10).
  3. Secure with internal-only firewall rules.
  4. Create Group Policy for domain clients to open the intranet on login.

What You’ll Learn:

  • Web hosting basics
  • DNS internal resolution
  • GPO automation
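Steps 1 to 3 of Project 2 as a script, added here as an example and not taken from the original post. It assumes the web server is the DC at 192.168.10.10 (as the post's DNS entry implies) and keeps content under C:\inetpub\intranet; the "internal-only" rule is implemented in the Windows host firewall so that it holds even if the UniFi rule from Step 8 is misapplied.

```powershell
# Added example: IIS site, AD DNS host record, and host-firewall scoping for Project 2.
# Assumptions: web server = 192.168.10.10 (the DC), content root C:\inetpub\intranet.
$WebIp    = '192.168.10.10'
$SiteName = 'intranet'
$Fqdn     = 'intranet.lab.local'
$Root     = 'C:\inetpub\intranet'

Install-WindowsFeature -Name Web-Server -IncludeManagementTools
Import-Module WebAdministration

# 1. Content and a site bound to the host header only, so it answers for this name and nothing else
New-Item -ItemType Directory -Path $Root -Force | Out-Null
Set-Content -Path "$Root\index.html" -Value '<h1>LAB intranet</h1>'
if (-not (Get-Website -Name $SiteName)) {
    New-Website -Name $SiteName -PhysicalPath $Root -Port 80 -HostHeader $Fqdn -IPAddress $WebIp
}

# 2. DNS: A record in the AD-integrated lab.local zone (intranet.lab.local -> 192.168.10.10)
if (-not (Get-DnsServerResourceRecord -ZoneName 'lab.local' -Name $SiteName -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName 'lab.local' -Name $SiteName -IPv4Address $WebIp
}

# 3. Internal-only: HTTP from Mgmt and Clients VLANs; Guest/IoT is not listed, so it is denied.
Get-NetFirewallRule -DisplayName 'Intranet HTTP (internal only)' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName 'Intranet HTTP (internal only)' -Direction Inbound -Protocol TCP -LocalPort 80 `
    -RemoteAddress 192.168.1.0/24, 192.168.20.0/24 -Action Allow | Out-Null
# The IIS install enables a broad built-in allow rule; disable it so only the scoped rule applies.
Get-NetFirewallRule -DisplayName 'World Wide Web Services (HTTP Traffic-In)' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Verify locally, then repeat the Invoke-WebRequest from a Clients VLAN host and a Guest VLAN host
Resolve-DnsName $Fqdn -Type A
Invoke-WebRequest -Uri "http://$Fqdn/" -UseBasicParsing | Select-Object StatusCode
```

Moving the site to HTTPS is where Project 8 comes in: a Web Server certificate from the internal CA lets you add a 443 binding with `New-WebBinding -Name intranet -Protocol https -Port 443 -HostHeader intranet.lab.local` and retire the port 80 rule.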

🧰 Project 3: DIY RADIUS Authentication for Wi-Fi

Objective:

Use your Windows Server as a RADIUS server so only domain users can connect to certain Wi-Fi SSIDs.

Setup:

  • Windows NPS (Network Policy Server)
  • UniFi SSID with WPA Enterprise
  • Users authenticate using domain credentials

Steps:

  1. Add NPS role to Windows Server.
  2. Register the NPS server in Active Directory.
  3. In UniFi, create a new SSID using WPA Enterprise.
  4. Set the RADIUS server to your Windows box (192.168.10.10).
  5. Create a network policy in NPS to allow specific users/groups.

What You’ll Learn:

  • Enterprise Wi-Fi security
  • RADIUS authentication
  • Role-based access control
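The scriptable parts of Project 3 (steps 1, 2 and the server side of step 4), added as an example that is not from the original post. The network policy in step 5 is still built in the NPS console. It assumes the UniFi device that sends RADIUS requests is 192.168.1.1 and generates the shared secret randomly instead of letting you type one, because the secret is the only thing protecting the RADIUS exchange on the wire.

```powershell
# Added example: NPS install, AD registration, RADIUS client and host firewall for Project 3.
# Assumption: RADIUS requests arrive from the UniFi gateway at 192.168.1.1.
$UniFi = '192.168.1.1'
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# "Register server in Active Directory" = membership of RAS and IAS Servers, which lets NPS
# read user account dial-in properties during authentication.
Add-ADGroupMember -Identity 'RAS and IAS Servers' -Members (Get-ADComputer -Identity $env:COMPUTERNAME)

# RADIUS client with a 32-byte random secret; paste it into the UniFi RADIUS profile.
$secretBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($secretBytes)
$Secret = [Convert]::ToBase64String($secretBytes)
New-NpsRadiusClient -Name 'UniFi-Gateway' -Address $UniFi -SharedSecret $Secret
"Shared secret for the UniFi RADIUS profile (store it in your password manager): $Secret"

# Host firewall: authentication (1812) and accounting (1813) only from the UniFi device.
New-NetFirewallRule -DisplayName 'RADIUS from UniFi' -Direction Inbound -Protocol UDP `
    -LocalPort 1812, 1813 -RemoteAddress $UniFi -Action Allow | Out-Null

# Verify the client registration and that the NPS service (service name "IAS") is running
Get-NpsRadiusClient | Format-Table Name, Address, Enabled
Get-Service -Name IAS | Select-Object Name, Status
```

WPA Enterprise with PEAP needs a server certificate on the NPS box, which is exactly what Project 8's internal CA provides. When you configure the SSID on clients, set them to validate that certificate; a client that skips validation will hand its domain credentials to any access point broadcasting the same SSID.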

🏢 Project 4: Site-to-Site VPN with a Remote Office or Home

Objective:

Securely connect your main office lab with another remote network using a UniFi Site-to-Site VPN.

Scenario:

You have another UniFi setup at home or a friend’s house—link them together!

Steps:

  1. In UniFi, go to Settings > VPN > Site-to-Site VPN.
  2. Set remote IP addresses, pre-shared keys, and tunnel parameters.
  3. Route specific VLANs or subnets.
  4. Test reachability and firewall rules.

Optional:

  • Replicate domain controller across sites
  • Host failover or backup services

What You’ll Learn:

  • IPsec VPN setup
  • Inter-VLAN routing
  • Firewall security across WAN

🔄 Project 5: Redundant DNS & DHCP Setup

Objective:

Avoid a single point of failure in your network by deploying a backup DHCP and DNS setup.

Steps:

  1. Promote a second Windows Server as an additional DC.
  2. Set DHCP failover with 50/50 load balancing.
  3. Configure AD-integrated DNS zones to replicate.
  4. Update DHCP scope options to list both DNS servers.

What You’ll Learn:

  • High availability network services
  • AD replication
  • Redundancy planning
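Steps 2 to 4 of Project 5, added here as an example (not from the original post). It assumes the second DC from step 1 is dc2.lab.local at 192.168.10.11, already promoted with the DHCP role installed and authorized, and it runs on the original DC dc1.lab.local.

```powershell
# Added example: DHCP failover and DNS redundancy checks for Project 5.
# Assumptions: dc1.lab.local = 192.168.10.10 (existing), dc2.lab.local = 192.168.10.11 (new DC).
$Dc1 = 'dc1.lab.local'; $Dc1Ip = '192.168.10.10'
$Dc2 = 'dc2.lab.local'; $Dc2Ip = '192.168.10.11'
$ScopeId = '192.168.10.0'

# 1. Failover relationship, load-balanced 50/50, with a shared secret protecting partner messages
$secure = Read-Host -AsSecureString -Prompt 'DHCP failover shared secret'
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
Add-DhcpServerv4Failover -ComputerName $Dc1 -Name 'LAB-failover' -PartnerServer $Dc2 `
    -ScopeId $ScopeId -LoadBalancePercent 50 -SharedSecret $plain -MaxClientLeadTime (New-TimeSpan -Hours 1)

# 2. Clients must be told about both DNS servers, or DNS redundancy exists only on paper
Set-DhcpServerv4OptionValue -ComputerName $Dc1 -ScopeId $ScopeId -DnsServer $Dc1Ip, $Dc2Ip
Invoke-DhcpServerv4FailoverReplication -ComputerName $Dc1 -Name 'LAB-failover' -Force

# 3. AD-integrated zones replicate with AD; confirm the zone type and compare record counts on both DCs
Get-DnsServerZone -ComputerName $Dc1 -Name 'lab.local' | Select-Object ZoneName, IsDsIntegrated, ReplicationScope
$n1 = @(Get-DnsServerResourceRecord -ComputerName $Dc1 -ZoneName 'lab.local').Count
$n2 = @(Get-DnsServerResourceRecord -ComputerName $Dc2 -ZoneName 'lab.local').Count
"lab.local records: $Dc1=$n1  $Dc2=$n2"
repadmin /replsummary    # AD replication health, including the DomainDnsZones partition

# 4. State of the relationship; both sides should report Normal
Get-DhcpServerv4Failover -ComputerName $Dc1 | Select-Object Name, Mode, State, PartnerServer
Get-DhcpServerv4Failover -ComputerName $Dc2 | Select-Object Name, Mode, State, PartnerServer
```

To prove the failover, stop the DHCP service on dc1 (`Stop-Service DHCPServer`), run `ipconfig /release` and `ipconfig /renew` on a LAB client, and confirm in `Get-DhcpServerv4Lease -ComputerName dc2.lab.local -ScopeId 192.168.10.0` that dc2 issued the lease; then start the service again.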

🕵️ Project 6: Internal Penetration Testing & VLAN Hardening

Objective:

Simulate a penetration test or rogue client on your network and evaluate your segmentation.

Tools:

  • Kali Linux (VM or physical)
  • Nmap, Wireshark, or Metasploit

Steps:

  1. Connect Kali to the IoT or Guest VLAN.
  2. Run scans to test if any other VLANs are visible.
  3. Try spoofing MACs or VLAN tags (dot1q).
  4. Harden firewall rules to prevent any lateral movement.

What You’ll Learn:

  • Ethical hacking basics
  • Network defense techniques
  • Real-world network vulnerabilities

🔄 Project 7: Automated Backups & Replication

Objective:

Create regular backups of your AD, DHCP, and shared files, and store them on a remote or NAS share.

Tools:

  • Windows Server Backup
  • Robocopy / PowerShell scripts
  • Optional: Veeam Agent for Windows

Steps:

  1. Schedule Windows Server Backups.
  2. Use robocopy to copy file shares to a backup folder daily.
  3. Push backups to an SMB share on another VLAN or NAS.
  4. Automate status emails with Task Scheduler or PowerShell.

What You’ll Learn:

  • Backup strategy design
  • PowerShell scripting
  • Data protection best practices
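All four steps of Project 7 as a script, added as an example and not code from the original post. It assumes a NAS share at \\nas.lab.local\backup on another VLAN, file shares under D:\Shares, an SMTP relay at mail.lab.local, and a dedicated service account LAB\svc-backup; all of these are placeholders to replace.

```powershell
# Added example: scheduled Windows Server Backup, robocopy mirror, and status e-mail (Project 7).
# Assumptions (placeholders): NAS share \\nas.lab.local\backup, source D:\Shares,
# SMTP relay mail.lab.local, service account LAB\svc-backup.
$Target   = '\\nas.lab.local\backup'
$ShareSrc = 'D:\Shares'
Install-WindowsFeature -Name Windows-Server-Backup
New-Item -ItemType Directory -Path C:\Scripts, C:\Logs -Force | Out-Null

# 1. Windows Server Backup: system state (AD database, SYSVOL, registry) plus bare-metal
#    recovery, nightly at 02:00, to the NAS. The DHCP database lives under %windir% and is covered.
$policy = New-WBPolicy
Add-WBSystemState -Policy $policy
Add-WBBareMetalRecovery -Policy $policy
$cred = Get-Credential -Message 'Account with write access to the NAS share'
$tgt  = New-WBBackupTarget -NetworkPath "$Target\wsb" -Credential $cred
Add-WBBackupTarget -Policy $policy -Target $tgt
Set-WBSchedule -Policy $policy -Schedule '02:00'
Set-WBPolicy -Policy $policy -Force
# A network target keeps only the newest backup; for version history, snapshot the share on the NAS.

# 2-4. Daily robocopy mirror of the file shares with an e-mailed result, written out as its own script
$script = @"
`$log = 'C:\Logs\robocopy-' + (Get-Date -Format yyyyMMdd) + '.log'
robocopy '$ShareSrc' '$Target\shares' /MIR /COPY:DATSO /R:2 /W:5 /NP "/LOG:`$log"
`$rc = `$LASTEXITCODE
# robocopy exit codes below 8 are success (bits 1/2/4 are informational); 8 and above mean failures
`$status = if (`$rc -lt 8) { 'OK' } else { "FAILED (robocopy exit `$rc)" }
`$body = Get-Content `$log -Tail 15 | Out-String
Send-MailMessage -SmtpServer 'mail.lab.local' -From 'backup@lab.local' -To 'admin@lab.local' -Subject "Backup `$status - `$env:COMPUTERNAME" -Body `$body
"@
Set-Content -Path C:\Scripts\Backup-Shares.ps1 -Value $script

$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup-Shares.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At 03:00
# A dedicated account with read on the shares and write on the NAS only; never a Domain Admin.
$pw = Read-Host -Prompt 'Password for LAB\svc-backup'
Register-ScheduledTask -TaskName 'LAB Share Backup' -Action $action -Trigger $trigger `
    -User 'LAB\svc-backup' -Password $pw -RunLevel Highest -Force
```

Note that /MIR deletes files in the destination that no longer exist in the source, so a ransomware event or accidental deletion is mirrored into the backup the next night; the NAS snapshot mentioned in the comment, or a second robocopy without /MIR to a dated folder, is what gives you a point to roll back to.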

📁 Project 8: Build Your Own Active Directory Certificate Services (ADCS)

Objective:

Set up an internal CA and issue certificates to your domain-joined devices and services.

Use Cases:

  • Secure RDP with internal certs
  • Set up HTTPS for intranet sites
  • Auto-enroll certs via GPO

Steps:

  1. Add ADCS role on your Windows Server.
  2. Configure Enterprise Root CA.
  3. Create and publish templates (e.g., Web Server, Workstation Auth).
  4. Set up auto-enrollment via Group Policy.

What You’ll Learn:

  • Internal PKI setup
  • Certificate-based authentication
  • Securing internal services
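Steps 1 to 4 of Project 8, added as an example that is not from the original post, plus the one audit a practitioner should run right after publishing templates. It assumes the CA is installed on the DC as the post implies (a separate member server is the better layout) and links the auto-enrollment GPO at the domain root.

```powershell
# Added example: Enterprise Root CA, template publication, auto-enrollment GPO, template audit (Project 8).
# Assumptions: CA on the DC, GPO linked at DC=lab,DC=local; CA name LAB-Root-CA is arbitrary.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName 'LAB-Root-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 4096 `
    -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# Step 3: publish the built-in templates the post names (template CNs, not display names)
certutil -SetCATemplates +WebServer +Workstation +Machine
Restart-Service CertSvc

# Step 4: auto-enrollment for computers. AEPolicy 7 = enabled + renew expired + update pending + remove revoked
$gpo = New-GPO -Name 'LAB Certificate Auto-Enrollment'
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'AEPolicy' -Type DWord -Value 7
Set-GPRegistryValue -Name $gpo.DisplayName -Key $key -ValueName 'OfflineExpirationPercent' -Type DWord -Value 10
New-GPLink -Name $gpo.DisplayName -Target 'DC=lab,DC=local' -LinkEnabled Yes

# Audit: templates where the requester supplies the subject name. WebServer is one by design, which is
# fine only while enrollment on it is limited to admins; widening its Enroll permission to ordinary
# users is the classic PKI misconfiguration, so list these templates and review their ACLs.
$cfg   = (Get-ADRootDSE).configurationNamingContext
$tplDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
Get-ADObject -SearchBase $tplDn -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties 'msPKI-Certificate-Name-Flag' |
    Where-Object { $_.'msPKI-Certificate-Name-Flag' -band 1 } |    # 0x1 = CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    Select-Object Name, @{ n = 'EnrollACL'; e = { (Get-Acl "AD:$($_.DistinguishedName)").Access |
        Where-Object { $_.ObjectType -eq '0e10c968-78fb-11d2-90d4-00c04f79dc55' -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object IdentityReference } }
```

Run `gpupdate /force` followed by `certutil -pulse` on a domain-joined client to trigger enrollment immediately, then confirm with `Get-ChildItem Cert:\LocalMachine\My` that a certificate issued by LAB-Root-CA appeared.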

🔐 Project 9: Deploy and Test a Privileged Access Workstation (PAW)

Objective:

Build a locked-down workstation that is only used for sensitive tasks like firewall config, RDP, etc.

Scenario:

This is a Windows 11 client that’s highly restricted:

  • No internet browsing
  • Only able to RDP into your DC
  • USB and Wi-Fi disabled

Steps:

  1. Create a new OU in AD.
  2. Apply hardened GPOs (disable external access, restrict apps).
  3. Use AppLocker to only allow RDP and PowerShell ISE.
  4. Isolate it in its own VLAN if desired.

What You’ll Learn:

  • Security baseline configuration
  • Windows hardening techniques
  • GPO and OU separation
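Steps 1 to 3 of Project 9 as a script, added as an example and not taken from the original post. It assumes the PAW computer account is named PAW01 and already exists in AD, and it deploys the AppLocker rules in audit mode first: an allow-list that only contains mstsc.exe and PowerShell ISE, enforced immediately, would also block the Windows binaries the machine needs to boot and log on, so the default rules for the Windows and Program Files folders have to be added in the AppLocker console before switching to Enabled.

```powershell
# Added example: OU, hardening GPO, and audit-mode AppLocker allow-list for the PAW (Project 9).
# Assumptions: domain lab.local; PAW computer account PAW01 exists. Run on the DC (GroupPolicy,
# ActiveDirectory and AppLocker modules).
$Domain = 'DC=lab,DC=local'
$OU     = "OU=PAW,$Domain"

# Step 1: OU for PAWs, protected against accidental deletion
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'PAW'" -SearchBase $Domain -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'PAW' -Path $Domain -ProtectedFromAccidentalDeletion $true
}
Get-ADComputer -Identity 'PAW01' | Move-ADObject -TargetPath $OU

# Step 2: hardening GPO. Service Start=4 disables USB mass storage and the WLAN service.
$gpo = New-GPO -Name 'PAW Hardening'
Set-GPRegistryValue -Name $gpo.DisplayName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR' -ValueName Start -Type DWord -Value 4
Set-GPRegistryValue -Name $gpo.DisplayName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\WlanSvc' -ValueName Start -Type DWord -Value 4
# "No internet browsing": a proxy that goes nowhere. Pair it with a UniFi rule dropping the PAW
# VLAN's internet traffic (step 4) so the host setting is defence in depth, not the only control.
$ie = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $ie -ValueName ProxyEnable -Type DWord -Value 1
Set-GPRegistryValue -Name $gpo.DisplayName -Key $ie -ValueName ProxyServer -Type String -Value '127.0.0.1:9'
New-GPLink -Name $gpo.DisplayName -Target $OU -LinkEnabled Yes

# Step 3: AppLocker publisher rules for the two allowed tools, written into the same GPO in AuditOnly mode
$files = Get-AppLockerFileInformation -Path "$env:windir\System32\mstsc.exe",
    "$env:windir\System32\WindowsPowerShell\v1.0\powershell_ise.exe"
$policy = $files | New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize
$xml = $policy.ToXml() -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
New-Item -ItemType Directory -Path C:\Scripts -Force | Out-Null
Set-Content -Path C:\Scripts\paw-applocker.xml -Value $xml
$ldap = "LDAP://$((Get-ADDomainController).HostName)/CN={$($gpo.Id)},CN=Policies,CN=System,$Domain"
Set-AppLockerPolicy -XmlPolicy C:\Scripts\paw-applocker.xml -Ldap $ldap
# On PAW01 the Application Identity service must be running for AppLocker to evaluate anything.
# Watch Event ID 8003 (AppLocker, "would have been blocked") for a week, add what is legitimately
# missing, then change AuditOnly to Enabled.
```

The OU separation also matters for the admin accounts: only the accounts that log on to the PAW should be able to log on to it, and those accounts should not be usable on ordinary workstations; a "Deny log on locally" setting in this GPO for everyone except the PAW users group closes that gap.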

🧠 Project 10: Create a Full Dev/Test Environment

Objective:

Set up a small developer environment with source control, build server, and database server.

Tools:

  • GitLab or Gitea (self-hosted Git)
  • Jenkins or GitHub Actions Runner
  • SQL Server Express or PostgreSQL
  • VS Code remote development

Steps:

  1. Host Git and CI on Windows Server or separate VMs.
  2. Create test pipelines that trigger builds.
  3. Enable HTTPS with self-signed or AD-issued certs.
  4. Limit access via UniFi firewall.

What You’ll Learn:

  • DevOps fundamentals
  • CI/CD pipeline design
  • Secure internal development

🧯 Bonus: Simulated Disaster Recovery Exercise

Scenario:

Pretend your domain controller goes offline due to hardware failure. Can you recover?

Test Steps:

  1. Shut down your domain controller VM.
  2. Use your backup to restore the image to a new VM.
  3. Reconfigure network settings.
  4. Confirm clients can still authenticate and use DNS.

What You’ll Learn:

  • Disaster recovery strategy
  • Imaging and restore techniques
  • Importance of DNS and AD roles

💬 Wrapping Up

By expanding your UniFi + Windows Server lab, you’re not just creating a cool tech toy—you’re building a mini enterprise environment. These hands-on projects simulate real-world tasks you’d encounter in small business IT, MSPs, or even enterprise roles.

Whether you’re studying for certs, training a junior admin, or brushing up your skills before a new job, this is the perfect playground to do it safely and privately.
