Systems included
Linux01, WS01, DC01, and pfSense.
Completed July 12, 2026 · Personal nonproduction lab
I restored Linux01, WS01, DC01, and pfSense backup archives to temporary Proxmox VMs, isolated every restored NIC before first boot, performed bounded local checks, shut each guest down cleanly, removed the temporary resources, and verified that production VMs 100, 200, 300, and 400 remained protected.
Validation Overview
The final source reviews classify Linux01 as PASS, pfSense as a narrow PASS, and WS01 and DC01 as INCONCLUSIVE. Every label describes only the isolated objectives directly supported by the evidence.
Linux01, WS01, DC01, and pfSense.
Each selected archive restored to a temporary VM.
Linux01 PASS and pfSense narrow PASS.
WS01 and DC01 retained explicit validation gaps.
No production impact was observed during the documented exercises.
All temporary VMs and their restored disks were removed.
Scope
The exercise tested whether specific backup archives could be restored safely, isolated before boot, inspected locally within authorization boundaries, shut down, and removed without changing the four production VMs.
A personal Proxmox VE lab with pfSense, Windows Server/Active Directory, a Windows workstation, and Ubuntu Linux workloads.
Supported archive checks, screenshot review, evidence manifests, SHA-256 records, Git branch review, and source pull request completion.
Safety Controls
I used VM 401 for Linux01, 301 for WS01, 201 for DC01, and 101 for pfSense after verifying each ID was available.
I applied and verified link_down=1 before first boot; both restored pfSense NICs remained isolated.
Guest inspection remained local and read-only. No password reset, credential capture, network reconnection, or configuration workaround was used.
I shut down each restored guest cleanly, verified temporary ownership, removed the temporary VM and disks, and rechecked production state.
Restore Workflow
Confirm archive, capacity, temporary ID availability, and production state.
Restore to temporary storage without starting the guest.
Apply and verify NIC link-down controls before first boot.
Boot and perform only authorized, bounded guest-local checks.
Shut down, remove temporary resources, and verify production protection.
System-by-System Outcomes
PASS indicates only the scoped isolated-restore objectives that were directly validated. It does not indicate complete production recovery or full disaster recovery.
| System | Production VM | Temporary VM | Restore | Isolation | Boot | Local validation | Cleanup | Overall result |
|---|---|---|---|---|---|---|---|---|
| Linux01 | 400 | 401 | PASS | PASS | PASS | PASS within scope | PASS | PASS |
| WS01 | 300 | 301 | PASS | PASS | PASS to sign-in | NOT TESTED | PASS | INCONCLUSIVE |
| DC01 | 200 | 201 | PASS | PASS | PASS | Selected checks PASS; LDAP checks INCONCLUSIVE | PASS | INCONCLUSIVE |
| pfSense | 100 | 101 | PASS | PASS on both NICs | PASS | PASS within scope | PASS | Narrow PASS |
The isolated guest reached Ubuntu 26.04 LTS, reported the expected hostname, running system state, restored disk and filesystems, disconnected interface, and no failed systemd units. Network, AD authentication, application recovery, RTO, RPO, and full DR were not tested.
The VM restored, remained isolated, booted to the Windows sign-in screen, shut down cleanly, and was removed without affecting production. In-guest validation was not completed because an authorized local Windows account was unavailable.
The domain controller restored and booted while isolated. Elevated validation confirmed NTDS, selected core services, SYSVOL, and NETLOGON. Local LDAP/RootDSE, localhost AD cmdlets, and LDAP-dependent dcdiag remained inconclusive while strict NIC isolation remained enforced.
Archive vzdump-qemu-100-2026_07_12-02_00_01.vma.zst passed supported integrity checks, restored to VM 101, and booted pfSense 2.8.1-RELEASE with both NICs isolated. Authorized local console-shell access supported FreeBSD, hostname, ZFS/disk, disconnected-interface, selected-process, and configuration-metadata checks. No password reset or credential capture occurred; shutdown and cleanup completed successfully.
Evidence Categories
I excluded screenshots that displayed unnecessary account names or local workstation paths. The source repository retains the complete evidence package and final reviews.


Evidence Integrity
The final source package includes an evidence manifest and master SHA-256 checksums. This public subset retains original screenshot filenames and records their hashes in a focused publication manifest.
Limitations
pfSense testing did not exercise live WAN/LAN connectivity, routing, NAT, firewall policy, DHCP clients, DNS forwarding, VPN tunnels, identity integration, certificate workflows, application connectivity, or business-service recovery. DC01 testing did not prove replication, production DNS or Kerberos, client authentication, or forest recovery. WS01 in-guest health was not tested.
RTO: NOT MEASURED · RPO: NOT MEASURED · Full disaster recovery: NOT PROVEN
Source and Traceability
This portfolio summary traces to jeremy-homelab-ops commit 65899f08cb8d19207c5edad7723368ed04f1f1c4, merged through PR #1. The source reviews and result files take precedence over this presentation layer.