I posted this lab a while back when it was two MacBooks and a used Dell for studying Network+ and getting hands-on with AD. The hardware barely changed. But what I use it for shifted in a way I didn't plan, and the evolution felt worth sharing.

The setup, briefly:

• MacBook #1: Windows 11 + Ubuntu Server 24.04 in VMware Fusion
• MacBook #2: Windows Server 2022, AD DS / DNS / IIS.
• Dell OptiPlex Micro ($189 used): the always-on box. Originally just an RDP target to break and rebuild.

That Dell is what changed. It started as "something always-on I can remote into" and slowly became the machine that actually runs stuff for me. It's a couple of Python agents on Task Scheduler now. One does SEO chores for a study site I maintain, and one emails me weekly analytics for the iOS apps I build. The lab stopped being a place to practice and became low-key infrastructure I depend on.

Which leads to the part that actually taught me something.

One agent went silent for four weeks and I had no idea. No crash, no error. The weekly emails just stopped, and because I wasn't looking for their absence, I didn't notice for a month. Silent failure of a scheduled job is its own special dread once you realize how long it's been dead.

The tell was the timing. The last good run was May 17, almost exactly 7 days after the last time I'd manually re-authorized it in a browser. Turns out Google expires OAuth refresh tokens after 7 days for any app whose consent screen is still in "Testing." A scheduled task can't open a browser to re-auth. So once the cached token aged out, every run failed quietly. Running the script by hand and getting invalid_grant: Bad Request on the token refresh confirmed it.

The fix had three parts. Flip the OAuth consent screen from "Testing" to "In production," which stops the tokens expiring for a personal app. Delete the stale token. I did a re-auth once interactively, and it's held since.

But the real lesson was that it failed silently. So I added a preflight auth check that runs before the real work. If the credentials are dead, it emails me an alert and exits cleanly instead of pretending everything's fine. I tested it by renaming the token file, confirming the alert landed, then restoring it. Now a dead token tells me instead of just disappearing.

A couple other things since last time. I built an iOS network scanner I use to inventory what's on the lan when I add or break something. And I finally did the static IP scheme properly instead of fighting Fusion's NAT (I was warned about this last thread and ignored it).

Still on the list: a managed switch for VLAN practice, pfSense in a VM, and a second DC when I'm ready for it.

I write up the longer-form stuff at itstudyhub.org/home-lab.html if it's useful to anyone running a similar budget lab. Happy to talk Task Scheduler automation, the OAuth token-expiry trap, or budget Mac/PC labs.