The Challenge: Running x86 on Apple Silicon

Building a proper Security Operations Centre (SOC) homelab is critical for getting hands-on experience with threat detection, identity management, and network defence. However, doing this on a modern Mac with an M1 chip presents a major hurdle: enterprise Microsoft environments natively require x86_64 architecture, not ARM.

To get around this, I set up a virtualisation pipeline using the UTM hypervisor, which allowed me to successfully emulate a complete x86_64 infrastructure on my Mac without crashing the host system. This post breaks down exactly how I planned the architecture, the specific errors I encountered (and how I fixed them), and how I established central governance over the network.


Phase 1: Planning and Architecture

Before downloading a single ISO file, I needed a strict resource allocation plan. My MacBook has 16 GB of unified memory. If I starved the host operating system, the entire machine would lock up. I decided to dedicate exactly half my RAM to the lab, leaving 8 GB for macOS.

I mapped out the following topology:

  • Hypervisor: UTM (using QEMU x86_64 Emulation)
  • Virtual Subnet: 192.168.64.0/24 (NAT)
  • Default Gateway (Virtual Router): 192.168.64.1
  • Domain Controller (DC01): Windows Server 2022 Standard
    • Allocation: 4 Cores, 4 GB RAM, 64 GB Storage
    • Static IP: 192.168.64.20
  • Client Endpoint (WIN11-CLIENT01): Windows 11 Enterprise
    • Allocation: 4 Cores, 4 GB RAM, 64 GB Storage
    • Static IP: 192.168.64.30

Phase 2: Building the Domain Controller

With the plan in place, I created the first virtual machine in UTM and loaded the Windows Server 2022 ISO. Immediately, I hit my first major roadblock.

Error 1: The “License Terms Not Found” WinPE Loop

When booting the VM for the first time, the Windows Preinstallation Environment (WinPE) crashed with an error stating: “Windows cannot find the Microsoft Software License Terms. Make sure the installation sources are valid and restart the installation.”

  • The Cause: By default, UTM mounts two virtual CD-ROM drives: one for the OS ISO, and one containing the SPICE guest tools. The Windows setup utility gets confused and searches the SPICE tools drive for the license files instead of the OS drive.
  • The Fix: Before starting the VM, I opened the UTM settings, navigated to the Drives section, and completely deleted the drive containing the utm-guest-tools-latest.iso.

Once removed, the server booted perfectly, and I was able to complete a clean installation. After reaching the desktop, I used the UTM toolbar to mount the SPICE tools ISO again and installed the drivers to fix the display resolution and mouse scaling.


Phase 3: Network Lockdown and Active Directory Promotion

Directory services will break if the server’s IP address keeps changing. I needed to lock down the server’s identity on the UTM network.

  1. Static IP Configuration: I opened the network adapter properties and manually assigned the IPv4 address 192.168.64.20, the gateway 192.168.64.1, and set the DNS server to 127.0.0.1 (the loopback address, meaning the server looks at itself for name resolution).
  2. Host Identification: I renamed the server to DC01 and restarted the machine. You must do this before installing Active Directory, or you risk corrupting the database.
  3. Domain Promotion: Through Server Manager, I installed the Active Directory Domain Services (AD DS) role. I then promoted the server, creating a brand new forest and domain named cyberlab.local.
  4. Organisational Structure: Inside Active Directory Users and Computers (ADUC), I built out the logical structure by creating specific Organisational Units (OUs) for the IT Department and Security Operations. I also created a standard administrative user account for myself, ensuring I didn’t rely on the highly privileged, default “Administrator” account for daily tasks.
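The four Phase 3 steps, as an added PowerShell example (not from the original post), run in an elevated session on the freshly installed server. It assumes the adapter is named "Ethernet"; the NetBIOS name CYBERLAB, the account name labadmin and the OU names are this example's choices.

```powershell
# Added example: Phase 3 as PowerShell. Assumptions: adapter "Ethernet",
# NetBIOS name CYBERLAB, account labadmin (none of these are on the page).

# 1. Static IP, gateway and loopback DNS (the server resolves names via itself)
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 192.168.64.20 `
    -PrefixLength 24 -DefaultGateway 192.168.64.1
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 127.0.0.1

# 2. Rename BEFORE promotion; the reboot must complete before continuing
Rename-Computer -NewName "DC01" -Restart

# --- after the reboot ---

# 3. Install AD DS and promote to a brand new forest (reboots when finished)
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName "cyberlab.local" -DomainNetbiosName "CYBERLAB" `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") `
    -Force

# --- after the promotion reboot ---

# 4. OUs, plus a separate day-to-day account so the built-in Administrator
#    is not used for routine work (group membership is assigned separately)
$domainDn = (Get-ADDomain).DistinguishedName
New-ADOrganizationalUnit -Name "IT Department" -Path $domainDn
New-ADOrganizationalUnit -Name "Security Operations" -Path $domainDn
New-ADUser -Name "Lab Admin" -SamAccountName "labadmin" `
    -UserPrincipalName "labadmin@cyberlab.local" `
    -Path "OU=IT Department,$domainDn" `
    -AccountPassword (Read-Host -AsSecureString "labadmin password") `
    -Enabled $true

# Verify: the DC advertises itself via SRV records and the OUs exist
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.cyberlab.local" -Type SRV
Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName
```

The SRV lookup at the end is the check that matters for Phase 4: a client that cannot resolve that record will fail to join regardless of whether ping works.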

Phase 4: Provisioning the Windows 11 Endpoint

To actually test policies and generate telemetry, I needed a client workstation. I spun up a Windows 11 Enterprise VM using the same hardware template (4 Cores, 4 GB RAM).

Once installed, I configured its network adapter to sit on the same subnet (192.168.64.30) and explicitly set its Preferred DNS Server to point to DC01 (192.168.64.20).

Error 2: The Domain Join Rejection

I opened the command prompt on Windows 11 and ran ping cyberlab.local. It returned successful replies from .20. However, when I went to the System Properties to actually join the domain, it failed, stating the Domain Controller could not be contacted.

  • The Cause: The ping command relies on ICMP, a very simple protocol. Joining a domain requires several additional protocols (LDAP, RPC, and SMB). While ICMP was getting through, the Windows Defender Firewall on DC01 was blocking that traffic because it had not yet registered the new “Domain” network profile. Furthermore, Windows 11 was trying to resolve the domain over IPv6, which was not configured in my IPv4-only lab.
  • The Fix: I switched over to the Server and temporarily turned off all Windows Defender Firewall profiles. Then, on the Windows 11 client, I went into the adapter properties and completely unchecked “Internet Protocol Version 6 (TCP/IPv6)”.

I attempted the join again. The cryptographic handshake went through immediately, prompting me for my Domain Admin credentials, followed by the highly satisfying message: “Welcome to the cyberlab.local domain.”
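Because ping only proves that ICMP reaches DC01, here is an added PowerShell readiness check (not from the original post) to run on the Windows 11 client before attempting the join: it confirms the DNS SRV record, tests the TCP ports a join depends on, applies the IPv6 fix from the adapter bindings, and then joins. It assumes the client adapter is named "Ethernet"; the final comment shows the DC-side step of turning the firewall back on once the join succeeds.

```powershell
# Added example: client-side join readiness check. Assumptions: adapter
# "Ethernet" on the client; DC01 at 192.168.64.20 (from the post).
$dc = "192.168.64.20"

# 1. DNS must return the domain's SRV records, not merely an A record
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.cyberlab.local" -Type SRV -Server $dc

# 2. Each of these TCP ports is used during a join; a BLOCKED line points
#    at the DC's firewall profile rather than at name resolution
$ports = [ordered]@{ Kerberos = 88; RPC = 135; LDAP = 389; SMB = 445 }
foreach ($svc in $ports.Keys) {
    $result = Test-NetConnection -ComputerName $dc -Port $ports[$svc] `
                  -WarningAction SilentlyContinue
    $state = if ($result.TcpTestSucceeded) { "open" } else { "BLOCKED" }
    "{0,-9} {1,3} : {2}" -f $svc, $ports[$svc], $state
}

# 3. The post's IPv6 fix, done from the shell instead of the adapter GUI
Disable-NetAdapterBinding -Name "Ethernet" -ComponentID ms_tcpip6

# 4. Ask the DC locator for a DC, then join and reboot
nltest /dsgetdc:cyberlab.local
Add-Computer -DomainName "cyberlab.local" -Credential (Get-Credential) -Restart

# On DC01, after the client is in the domain, restore the firewall rather than
# leaving it off (the built-in AD DS rules permit the ports tested above):
#   Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
```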


Phase 5: Moving Forward with Centralised Governance (GPOs)

A fresh Windows 11 install is noisy and likes to run its own updates, which is a nightmare in a controlled lab environment. To move forward, I needed to bring the client in line with strict enterprise security standards using Group Policy Objects (GPOs).

  • Disabling Auto-Updates: On the Domain Controller, I opened the Group Policy Management Console. I created a new GPO named Endpoint_Hardening_Baseline and linked it to the IT Department OU. Navigating to Computer Configuration → Administrative Templates → Windows Components → Windows Update, I set the automatic updates policy to disabled. This gives me complete control over when the client reboots or patches.
  • Enforcing Password Complexity: To secure the directory, I modified the Default Domain Policy (password policies must be applied at the root level). I set a 14-character minimum length, mandated complexity requirements (uppercase, lowercase, numbers, specials), and set a 24-password history limit to prevent credential reuse.
  • The Push: I opened the command prompt on the Windows 11 client and ran gpupdate /force. This pulled the new policies directly from the server and applied them instantly to the local machine.
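The same Phase 5 configuration as an added PowerShell example (not from the original post), run on DC01 with the GroupPolicy and ActiveDirectory modules. It also covers the one step the GUI walkthrough leaves implicit: a freshly joined computer lands in the Computers container, so the computer object must be moved under the linked OU before the GPO applies. It assumes the OU "IT Department" sits directly under the domain root.

```powershell
# Added example: Phase 5 GPOs as PowerShell. Assumption: "IT Department"
# is a top-level OU; the registry path is the documented policy location.
$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=IT Department,$domainDn"
$gpoName  = "Endpoint_Hardening_Baseline"

# Create the GPO and link it to the IT Department OU
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes

# Registry equivalent of Windows Components > Windows Update >
# "Configure Automatic Updates" = Disabled
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" `
    -ValueName "NoAutoUpdate" -Type DWord -Value 1

# A computer policy only reaches machines whose objects sit under the linked
# OU, so move the client out of the default Computers container
Get-ADComputer -Identity "WIN11-CLIENT01" | Move-ADObject -TargetPath $ouDn

# Password policy is domain-wide and lives in the Default Domain Policy
Set-ADDefaultDomainPasswordPolicy -Identity "cyberlab.local" `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24

# Verify on the DC
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount
Get-GPRegistryValue -Name $gpoName `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"

# Verify on WIN11-CLIENT01 after `gpupdate /force`: the GPO should be listed
# as applied and the value should be present
#   gpresult /r /scope:computer
#   Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name NoAutoUpdate
```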

Conclusion and Next Steps

Getting an Active Directory lab running smoothly under emulation on an M1 Mac is a massive technical hurdle. However, pushing through those architectural conflicts and networking errors resulted in a perfectly sterile, stable, and centrally managed baseline environment.

With the foundational IT infrastructure completely operational, the next phase of this homelab will shift entirely toward Security Operations. Moving forward, I will be integrating a SIEM to ingest the Windows Event Logs from both machines, configuring vulnerability scanning tools, and running proactive threat-hunting exercises against the hardened Windows 11 endpoint.