Completed July 12, 2026 · Personal nonproduction lab

Proxmox isolated restore validation across four systems.

I restored Linux01, WS01, DC01, and pfSense backup archives to temporary Proxmox VMs, isolated every restored NIC before first boot, performed bounded local checks, shut each guest down cleanly, removed the temporary resources, and verified that production VMs 100, 200, 300, and 400 remained protected.

Validation Overview

A completed restore exercise with conservative classifications.

The final source reviews classify Linux01 as PASS, pfSense as a narrow PASS, and WS01 and DC01 as INCONCLUSIVE. Every label describes only the isolated objectives directly supported by the evidence.

4

Systems included

Linux01, WS01, DC01, and pfSense.

4

Restores completed

Each selected archive restored to a temporary VM.

2

Narrow PASS

Linux01 PASS and pfSense narrow PASS.

2

INCONCLUSIVE

WS01 and DC01 retained explicit validation gaps.

0

Production VMs affected

No production impact was observed during the documented exercises.

0

Temporary VMs remaining

All temporary VMs and their restored disks were removed.

Scope

What I set out to validate.

The exercise tested whether specific backup archives could be restored safely, isolated before boot, inspected locally within authorization boundaries, shut down, and removed without changing the four production VMs.

Included

Environment

A personal Proxmox VE lab with pfSense, Windows Server/Active Directory, a Windows workstation, and Ubuntu Linux workloads.

Included

Integrity and traceability

Supported archive checks, screenshot review, evidence manifests, SHA-256 records, Git branch review, and source pull request completion.

Safety Controls

Production protection was part of the test design.

ID

Temporary VM IDs

I used VM 401 for Linux01, 301 for WS01, 201 for DC01, and 101 for pfSense after verifying each ID was available.

NIC

Preboot isolation

I applied and verified link_down=1 before first boot; both restored pfSense NICs remained isolated.

LOC

Bounded local checks

Guest inspection remained local and read-only. No password reset, credential capture, network reconnection, or configuration workaround was used.

DEL

Controlled cleanup

I shut down each restored guest cleanly, verified temporary ownership, removed the temporary VM and disks, and rechecked production state.

Restore Workflow

The same safety sequence bounded every exercise.

01

Precheck

Confirm archive, capacity, temporary ID availability, and production state.

02

Restore stopped

Restore to temporary storage without starting the guest.

03

Isolate

Apply and verify NIC link-down controls before first boot.

04

Inspect locally

Boot and perform only authorized, bounded guest-local checks.

05

Clean up

Shut down, remove temporary resources, and verify production protection.

System-by-System Outcomes

Two narrow PASS results and two INCONCLUSIVE results.

PASS indicates only the scoped isolated-restore objectives that were directly validated. It does not indicate complete production recovery or full disaster recovery.

Final isolated restore-validation results from the source evidence baseline
SystemProduction VMTemporary VMRestoreIsolationBootLocal validationCleanupOverall result
Linux01400401PASSPASSPASSPASS within scopePASSPASS
WS01300301PASSPASSPASS to sign-inNOT TESTEDPASSINCONCLUSIVE
DC01200201PASSPASSPASSSelected checks PASS; LDAP checks INCONCLUSIVEPASSINCONCLUSIVE
pfSense100101PASSPASS on both NICsPASSPASS within scopePASSNarrow PASS
Linux01 · PASS

Linux archive restored and passed bounded local checks.

The isolated guest reached Ubuntu 26.04 LTS, reported the expected hostname, running system state, restored disk and filesystems, disconnected interface, and no failed systemd units. Network, AD authentication, application recovery, RTO, RPO, and full DR were not tested.

WS01 · INCONCLUSIVE

Boot passed; authorized in-guest validation did not occur.

The VM restored, remained isolated, booted to the Windows sign-in screen, shut down cleanly, and was removed without affecting production. In-guest validation was not completed because an authorized local Windows account was unavailable.

DC01 · INCONCLUSIVE

Selected directory-service checks passed; LDAP-dependent checks did not.

The domain controller restored and booted while isolated. Elevated validation confirmed NTDS, selected core services, SYSVOL, and NETLOGON. Local LDAP/RootDSE, localhost AD cmdlets, and LDAP-dependent dcdiag remained inconclusive while strict NIC isolation remained enforced.

pfSense · Narrow PASS

The newest retained archive passed the scoped objective.

Archive vzdump-qemu-100-2026_07_12-02_00_01.vma.zst passed supported integrity checks, restored to VM 101, and booted pfSense 2.8.1-RELEASE with both NICs isolated. Authorized local console-shell access supported FreeBSD, hostname, ZFS/disk, disconnected-interface, selected-process, and configuration-metadata checks. No password reset or credential capture occurred; shutdown and cleanup completed successfully.

Evidence Categories

Selected public screenshots support specific DC01 claims.

I excluded screenshots that displayed unnecessary account names or local workstation paths. The source repository retains the complete evidence package and final reviews.

Evidence Integrity

Source and publication artifacts remain traceable.

The final source package includes an evidence manifest and master SHA-256 checksums. This public subset retains original screenshot filenames and records their hashes in a focused publication manifest.

Limitations

The evidence stops before production or full disaster recovery.

pfSense testing did not exercise live WAN/LAN connectivity, routing, NAT, firewall policy, DHCP clients, DNS forwarding, VPN tunnels, identity integration, certificate workflows, application connectivity, or business-service recovery. DC01 testing did not prove replication, production DNS or Kerberos, client authentication, or forest recovery. WS01 in-guest health was not tested.

RTO: NOT MEASURED · RPO: NOT MEASURED · Full disaster recovery: NOT PROVEN

Source and Traceability

The final merged source commit is the authority.

This portfolio summary traces to jeremy-homelab-ops commit 65899f08cb8d19207c5edad7723368ed04f1f1c4, merged through PR #1. The source reviews and result files take precedence over this presentation layer.