
System Administration (CS-584)

Assignment 1 (Due Date: 8/11/19)


Purpose: Demonstrate Windows Server 2012 Active Directory configuration; implement and
explain Active Directory, sites, Global Catalog and FSMO roles, administration, security planning,
Group Policy, maintenance, troubleshooting, disaster recovery, name resolution and Certificate
Services in an organisation.
Aim: The assessment aims to establish the candidate's competency in demonstrating
knowledge of Active Directory configuration.
You will be required to demonstrate competency in the following aspects through written or
demonstrated work submitted for the assessment tasks.
• Demonstrate the Windows 2012 Active Directory configuration.
• Demonstrate the function of Group Policy in Windows 2012 server.
• Give an explanation that covers Active Directory sites, Global Catalog,
troubleshooting, disaster recovery and name resolution.
Topic 1: Installing Active Directory Domain Services.
Topic 2: Working with Active Directory Sites.
Topic 3: Active Directory Administration and Security planning and Administrative
delegation.

Topic 4: Introduction to Group policy and configuring the user and computer environment
using Group Policy.

Topic 5: Performing software installation with Group Policy.

Topic 6: Planning a Group policy management and implementation strategy.

Topic 7: Active Directory Maintenance, Troubleshooting and disaster recovery.

Topic 8: Configuring Name Resolution and Additional Services.

Topic 9: Configuring Active Directory Certificate Services.

Assessment: Task One Practical Questions


Practical LAB

Demonstrate all the following Lab exercises.

Lab1:
In 2012, Hi-Tech, a security equipment manufacturer based in Auckland, introduced a new
surveillance camera to the market. As the business grew, the management decided to upgrade the
peer-to-peer network to a domain-based network.

As IT technical support, your role is to implement and configure a domain-based network system
with the specification provided in Table 1:

Table 1: System requirement from Hi-Tech


Computer Name      Server 1               Server 2               Client 1
Operating System   Windows Server 2012    Windows Server 2012    Windows 7/8/10
                   32/64 Bit              32/64 Bit              32/64 Bit
IP Address         192.168.30.1           192.168.30.2           192.168.30.3
Services           • Domain Controller    • Windows Update
                   • DNS Server

Task 1: Install and configure the Server 1 as Domain Controller with DNS service.

1.1. Analyse the system requirement to implement Active Directory


1.2. Install the Active Directory Domain Services (ADDS)
1.3. Install a new Forest called hitech.com as FQDN (Fully Qualified Domain Name)
1.4. Install a child Domain named as camera.hitech.com (SERVER2)
1.5. Install DNS role on freshly installed AD
1.6. Install a domain controller from Install from Media (IFM)
1.7. Configure a global Catalog server on SERVER 1
1.8. Configure and Manage default Active Directory containers
Task 2: Introduction to Group policy and configuring the user and computer environment
using Group Policy and
Active Directory Administration and Security planning and Administrative delegation.

2.1. Create OUs and Groups according to following table 2:


Table 2: OUs and Groups
Departments       OU Name        Groups
Sales             OU-SALE&MKT    Sales, Marketing
Administration    OU-ADMIN       Managers, Team leaders
Finance           OU-FINANCE     Finance

2.2. Create Users and add them to specified groups as shown in table 3:
(Remove the password complexity and set the minimum password length to 4)

Table 3: List of Users in different groups


First Name   Last Name   Username   Password   Groups
Peter        Wilson      peterw     Asdf1      Sales
Tom          Hanks       tomh       Asdf2      Manager
Julia        Roberts     juliar     Asdf3      Finance
Kevin        Thomson     kevint     Asdf4      Teamleader
Jack         Sharp       jacks      Asdf5      Marketing
Jassica      Simpson     jassicas   Asdf6      Sales
David        Cameron     davidc     Asdf7      Manager
Jan          Homan       Janh       Asdf8      Finance
Richard      Liu         richardl   Asdf9      Teamleader
James        Robert      jamesr     Asdf0      Sales

2.3. Add Management staff to new Roles as following:


Table 4: Administrative Role

Tom Hanks       tomh     Asdf2   CEO       Enterprise Administrator
David Cameron   davidc   Asdf7   Manager   Administrator

2.4. Create a new Group “Market Analyst” under Sales Group and add Peter Wilson and
James Robert under Market Analyst Group.
2.5. Delegating Authority: Assign Delegating Administrative Authority to Market Analyst
Group
2.6. Enable the AD Recycle Bin
Task 3: Create two shared folders on the C drive: i) C:\Hi-Tech\Sales and ii) C:\Hi-Tech\Training. Now
perform the following:

3.1. The Sales folder can only be accessed by the Sales department, with full control.
3.2. The Training folder is accessed by the Teamleader department in read-only mode, and the
Manager group should have full control.

Task 4: Introduction to Group policy and configuring the user and computer environment
using Group Policy.

4.1. Configure the GPO of OU-Finance to do the following:

Organizational Unit: OU-Finance

User: Jan Homan      GPO: GPOA
GPO Settings:
• Unable to Change Desktop
• Deny users to read and/or write data from CDs, DVD, removable drives etc.
• Disable PST file creation
• Disable forced system restarts
• Disable Guest Account
• Run these programs at user logon policy setting
• Allow users to access only some of the applications found on your computer
• Block users' access to the Control Panel and to the Settings app
• Specify the wallpaper used on the Desktop and block users from changing it

User: Julia Roberts  GPO: GPOA
GPO Settings:
• Unable to access Registry tools
• Unable to set password screen saver
• Prevent Windows from storing LAN manager hash
• Control access to Command Prompt
• Disable anonymous SID enumeration

Task 5: Planning a Group policy management and implementation strategy.

5.1. Configure a domain-wide password policy under which users are required to use 14 characters.
5.2. Implement two-factor authentication in Group Policy.
5.3. Configure a domain-wide account lockout policy that locks a user's account after three
invalid logon attempts (3 attempts).
5.4. Configure audit policies for the confidential files.
5.5. Create and configure Backup Security Group Filters
5.6. Generate Log File
5.7. Configure a Central Store
5.8. Configure security filtering
5.9. Configure WMI filtering

Task 6: Implementing fine-grained password policies

6.1 Assign policies to groups instead of individual users for easier management.
6.2 Assign a unique preference value to each fine-grained password policy you create within
a domain.
6.3 Create a fallback policy for the domain so that users who don’t belong to any group that
specifically has a fine-grained password policy assigned to it will still have
password and account lockout restrictions applied when they try to log on to the network.
This fallback policy can be either of the following:
    6.3.1 The password and account lockout policies defined in the Default Domain Policy
    GPO
    6.3.2 A fine-grained password policy that has a higher precedence value than any other
    policy
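
An added example, not part of the assignment sheet: one way to script Task 5.1, Task 5.3 and Task 6 with the ActiveDirectory PowerShell module. The PSO names, precedence values, durations and history/age settings are assumptions; the group names come from Table 2 and the usernames from Table 3.

```powershell
# Added example. Values marked "assumed" are illustrative, not from the assignment.
Import-Module ActiveDirectory

# Task 5.1 / 5.3: domain-wide baseline. This is also fallback 6.3.1, because it
# is what applies to any user that no fine-grained policy (PSO) matches.
Set-ADDefaultDomainPasswordPolicy -Identity 'hitech.com' `
    -MinPasswordLength 14 -LockoutThreshold 3 `
    -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'  # assumed durations

# 6.1 / 6.2: one PSO per group, each with its own precedence value.
# When several PSOs reach a user, the LOWEST precedence value wins.
$psos = @(
    @{ Name = 'PSO-Managers'; Group = 'Managers'; Precedence = 10; MinLength = 16 }  # assumed
    @{ Name = 'PSO-Finance';  Group = 'Finance';  Precedence = 20; MinLength = 14 }  # assumed
)

# Refuse to continue if two PSOs share a precedence value (6.2).
$dupes = $psos | Group-Object { $_.Precedence } | Where-Object Count -gt 1
if ($dupes) { throw "Duplicate precedence value(s): $($dupes.Name -join ', ')" }

foreach ($p in $psos) {
    New-ADFineGrainedPasswordPolicy -Name $p.Name -Precedence $p.Precedence `
        -MinPasswordLength $p.MinLength -ComplexityEnabled $true `
        -PasswordHistoryCount 24 -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '90.00:00:00' -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 3 -LockoutDuration '00:30:00' `
        -LockoutObservationWindow '00:30:00'      # history, ages, durations assumed

    # PSOs attach to users or global security groups, not to OUs.
    Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Group
}

# Verify which policy each account actually receives. An empty result means
# no PSO matched and the Default Domain Policy settings apply (fallback 6.3.1).
# For fallback 6.3.2, a catch-all PSO would instead carry the highest
# precedence value of all, so every group-specific PSO overrides it.
foreach ($user in 'tomh', 'juliar', 'peterw') {
    $r = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($r) { '{0}: {1} (precedence {2})' -f $user, $r.Name, $r.Precedence }
    else    { '{0}: no PSO applies, Default Domain Policy is the fallback' -f $user }
}
```

Run it as a domain administrator on a domain controller or a host with the RSAT Active Directory module installed.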

Task 7: Active Directory Maintenance, Troubleshooting and disaster recovery.

7.1 Perform Windows Server Backup on a daily basis
7.2 Perform an Authoritative restore
7.3 Backing up and restoring GPOs
    7.3.1 You need to configure the GPMC to back up your GPOs. With it, you can also
    restore a deleted or previous version of an existing GPO, copy a GPO, import the
    settings from a GPO, or migrate a GPO to a different domain. By backing up GPOs,
    you can quickly restore your Group Policy infrastructure in the event of a disaster.

Lab2:
As demand grew, the company recently opened a new branch in Wellington. As system admin, your
task is to join two different sites or subnets as shown in Figure 1.

Figure 1: Network topology of Hi-Tech

    Auckland side:    DC1 192.168.25.1, Switch 1, Client 1 192.168.25.2,
                      Software Router interface 192.168.25.254
    Wellington side:  DC2 192.168.30.1, Switch 2, Client 2 192.168.30.2,
                      Software Router interface 192.168.30.254

Task 1: Working with Active Directory Sites.

Configure the Software Router server as a router.

1.1 The Router server has two LAN cards, one facing Auckland DC1 (192.168.25.254) and
the other facing Wellington DC2 (192.168.30.254).
1.2 Install the Routing and Remote Access role on the Router server.
1.3 Configure the Remote Access role.
Task 2: Configure the Wellington DC2 (e.g. Domain Controller 2).

2.1: Move a computer from one site to another

2.2: Create a site link object and verify the replication

LAB 3:
Configuring Name Resolution and Additional Services.

To support the software updates of security equipment, Hi-Tech (hitech.com) signed a
partnership with the Outsource (outsource.com) company. As network admin, you are required to
establish a Trust between the two domains, i.e. hitech.com and outsource.com. Both parties agreed on
the following principles:

A) Access the designated resources (e.g. file share) with restricted privilege.
B) Both parties are allowed to access the resources in either direction.

Figure 2: Network Trust topology between Hi-Tech and Outsource

    hitech.com side:     192.168.25.1, Switch 1, Client 1 192.168.25.2,
                         Software Router interface 192.168.25.254
    outsource.com side:  192.168.30.1, Switch 2, Client 2 192.168.30.2,
                         Software Router interface 192.168.30.254

Task 1: Explain the concept of Trust in Windows Server 2012 and identify the Trust requirements
for the problem mentioned above.

Task 2: Create Trust between two Domains using following steps:

i) Setting up Forwarders
ii) Configure Reverse Lookup Zone
iii) Create Trust

Task 3: Share the resources and check from user end.

Lab 4:
Performing software installation with Group Policy.

Hi-Tech management decided that users in the domain should be able to install a custom application
that has an associated .msi package. Perform the following tasks using any software tool in the
software package that the manager wants to distribute:

Task 1: Prepare Software distribution share.

Task 2: Publish software using Group Policy Objects.

Task 3: Assign software using Group Policy Objects.

Configuring Property Filters for Administrative Templates

To filter the settings displayed, you need to select or deselect the following filter options:

• Managed or Non-Managed settings
• Configured or Not Configured
• Keyword Filters
• Requirements Filters

Lab 5:
Configuring Active Directory Certificate Services.

For further business expansion, Hi-Tech recently hired a business risk analyst for six months. As
network admin, you are requested to create a user profile which will terminate after six months.

Task 1: Install Active Directory Certificate Services.

• Configure CA to issue OCSP Response Signing Certificates

Task 2: Install and configure the Online Responder and link with ADDS for security.
