CA1 Report
ST3241: Network and Server Management
Done by: Lim Yiling (P1031243), Ally Tan (P1031045)
DICT 2A/03


Task 1:

You are required to set up a small server/client network with one server and one client for TripSmart Company. The server name is S****** and the client name is C******, where ****** is the admission number of any member in your team. Use 198.168.100.10 and 192.168.100.11 for the IP address of the server and the client respectively.

Server Side

Step 1: Log on as administrator in Server01 (Windows Server 2008).
Step 2: Right-click the Network icon in the System Tray and select Properties.
Step 3: Click on View status as shown below:

Step 4: Click on the Properties button under the Local Area Connection Status window.
Step 5: Double-click on Internet Protocol Version 4 (TCP/IPv4).
Step 6: Click on the OK button after you have filled in as follows:

Step 7: Right-click the Computer icon on the Desktop and select Properties.
Step 8: Click Change Settings, then click on Change under the Computer Name tab.
Step 9: Click on the OK button after you have filled in as follows, and restart when prompted:

Client Side

Step 10: Log on as administrator in Client01 (Windows XP).
Step 11: Fill in the following TCP/IP properties:

Step 12: Right-click on My Computer and select Properties, and click on Change under Computer Name.
Step 13: Click on the OK button after you have filled in as follows, and restart when prompted:

Task 2:

Install Active Directory in the server to promote it to be a domain controller and install DNS accordingly. Create a domain with the domain name that is DM******.com (where ****** is your admission number) and join the client to the domain.

Install DNS Server Role

Step 1: Go to Start > Programs > Administrative Tools > Server Manager.
Step 2: Click on Roles and select Add Roles under Roles Summary.
Step 3: Click on Next and check the “DNS Server” option, and click Next again.
Step 4: Install the DNS Server Role.

Install Active Directory Domain Services

Step 5: Repeat Steps 1 – 2.
Step 6: Click on Next and check the “Active Directory Domain Services” option, and click Next again.
Step 7: Install the Active Directory Domain Services Role.
Step 8: Click on Start > Run, type in “dcpromo.exe”.
Step 9: Click on Next, and Next again. Check “Create a new domain in a new forest”, and click Next.
Step 10: Click on Next after you have filled in as follows:

Step 11: Select “Windows Server 2008” for the Forest functional level and click Next twice; select Yes when a pop-up screen appears.
Step 12: Click on Next. Input Password as: “P@ssw0rd”, click on Next twice.
Step 13: Check “Reboot on Completion”.

Join Client to the Domain

Step 14: Log on as administrator on Client.
Step 15: Right-click on My Computer and select Properties, and click on Change under Computer Name.
Step 16: Click on the OK button after you have filled in as follows:

Step 17: Enter the administrator’s name and password when required.

Task 3:

The TripSmart Company has 3 departments and there are no strong security boundaries required between the departments.

a) As an administrator, you have to decide how to set up the network for the company. The user accounts and group memberships are shown in the following table:

| Department | User Account | Group Membership |
|---|---|---|
| Sales | Sale1, Sale2, Sale3 | Marketing, Domain Users |
| Human Resource | Clerk1, Clerk2 | HR, Domain Users |
| Technical Support | TSO1, TSO2 | TSO, Domain Admins |

Step 1: Log on as administrator in Server.
Step 2: Click Start > Administrative Tools > Active Directory Users and Computers.
Step 3: Right-click the Users folder and select the New User... option.
Step 4: Fill in the following fields in the New User window for all the User Accounts stated above:

- Username:
- Full Name:
- Description:
- Password:
- Confirm Password:

Step 5: Open the Active Directory Users and Computers tool. Right-click DM*******.com and select the New Organizational Unit option.
Step 6: The new object – group dialog box appears. Enter the name of the group as ‘Sales’, leave the Group scope as ‘Global’ and click OK.
Step 7: Repeat Step 6 for both Human Resource and Technical Support.
Step 8: Open the Active Directory Users and Computers tool. Right-click DM*******.com and select the New Group option.
Step 9: Create 3 groups named “Marketing”, “HR” and “TSO”.

b) Configure the security settings to meet the following requirements:

i. The password for the users’ accounts in Technical Support department should never be expired.

Step 1: Right click “Properties” on both TSO users’ accounts, select the “Account” tab and check “Password never expires” under Account options.

ii. The users in the Sales department are allowed to log into the domain during the office hours (from 9am to 5pm, Monday to Friday).

Step 1: Right click “Properties” on all 3 Sale users’ accounts, select the “Account” tab and click “Logon Hours…”.
Step 2: Select Monday to Friday and then permit working hours from 9am to 5pm for all 3 Sale Accounts.

iii. Clerk2 is on two month no‐pay leave starting from 15 November 2011.

Step 1: Right click “Properties” on Clerk2’s user account, select the “Account” tab and select End of: Tuesday, November 15, 2011 under “Account expires”….

iv. The users in the Sales department are not allowed to access the Control Panel.

Step 1: Log on as Administrator on Server, open Group Policy Management and right-click on the Sales OU, select Create a GPO in this domain, and Link it here.
Step 2: Name the new policy Default Sales Policy. Click OK, then right-click on the newly created Default Sales Policy and select Edit.
Step 3: Under the User Configuration console tree, expand Administrative Templates and then Control Panel and enable the following setting:

Prohibit access to the Control Panel

Step 4: Run gpupdate /force to refresh the policy settings.

v. The users in the Human Resource department are not allowed to use the Run menu from Start Menu

Step 1: Log on as Administrator on Server, open Group Policy Management and right-click on the Human Resource OU, select Create a GPO in this domain, and Link it here.
Step 2: Name the new policy Default HR Policy. Click OK, then right-click on the newly created Default Sales Policy and select Edit.
Step 3: Under the User Configuration console tree, expand Administrative Templates and then Start Menu and Taskbar and enable the following setting:

Remove Run menu from Start Menu

Step 4: Run gpupdate /force to refresh the policy settings.

vi. All Users must change their password every 3 months and cannot re-use any of the 3 recent passwords he/she has used for his/her account.

Step 1: Log on as Administrator on Server, open Group Policy Management and right-click on Default Domain Policy, select Edit.
Step 2: Under the Computer Configuration console tree, expand Windows Settings and then Security Settings > Account Policies.
Step 3: Select Password Policy and change the following settings:

Enforce password history: keep password history for 3 passwords remembered.

Maximum password age: password will expire in 90 days (3 months).

Step 4: Run gpupdate /force to refresh the policy settings.

vii. All Users would require the administrator to unlock the account after 5 unsuccessful attempts.

Step 1: Log on as Administrator on Server, open Group Policy Management and right-click on Default Domain Policy, select Edit.
Step 2: Under the Computer Configuration console tree, expand Windows Settings and then Security Settings > Account Policies.
Step 3: Select Account Lockout Policy and change the following setting:

Account lockout threshold: account will lock out after 5 invalid logon attempts.

Task 4:

The users from the Sales and Human Resource departments have requested to create two shared folders in the domain controller: StaffData and SalesData. The appropriate permissions must be set in order to meet the following requirements: a) For StaffData folder: The users in Human Resource department can have Modify (Change) permission when they access the folder locally or across the network. Other users should have no access to this folder.

Step 1: Create a StaffData folder in Local Disk (C:), right-click and select Properties > Sharing > Advanced Sharing… > Check the box for Share this folder.

When accessing across network

Step 2: Select Permissions under Advanced Sharing and add the HR group. Check Allow for Change; Read will be allowed automatically too. Add Everyone and check Allow for Read only. Add Administrators and check Allow for Full Control; Change and Read will be allowed automatically too. Apply and click OK.

When accessing locally

Step 3: Properties > Security, then click Edit to change permissions. Add the HR group and check Allow for Modify; Read & Execute, List folder contents, Read and Write will be allowed automatically too. Add Administrators and check Allow for Full Control; Modify, Read & Execute, List folder contents, Read and Write will be allowed automatically too. Apply and click OK. You should be able to see this if other users try to access this folder:

b) For SalesData folder: The users in the Sales department have Modify permission when they access the folder locally but only have Read permission when they access the folder across the network.

Note: The administrator has Full Control permission for both folders regardless of whether the folders are accessed locally or across the network.

Step 1: Create a SalesData folder in Local Disk (C:), right-click and select Properties > Sharing > Advanced Sharing… > Check the box for Share this folder.
Step 2: Select Permissions under Advanced Sharing and add the Marketing group. Check Allow for Read only. Add Administrators and check Allow for Full Control; Change and Read will be allowed automatically too. Apply and click OK. You should be able to see this if the users in the Sales department try to modify the folder:
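The share and NTFS settings in Task 4 combine differently for local and network access: NTFS always applies, and the share ACL further restricts access over the network. The following Python model is an added example, not part of the original report; it handles Allow entries only, and the NTFS entries for SalesData and the removal of inherited entries on StaffData are assumptions taken from the task requirements.

```python
# Added illustration: models the two permission layers configured in Task 4.
READ = frozenset({"read"})
MODIFY = READ | {"write", "delete"}        # NTFS Modify / share Change
FULL = MODIFY | {"change_permissions"}     # Full Control

# Group membership from the Task 3 table. Domain Admins are members of the
# built-in Administrators group on a domain controller.
MEMBERS = {
    "Sale1": {"Marketing", "Everyone"},
    "Clerk1": {"HR", "Everyone"},
    "TSO1": {"TSO", "Administrators", "Everyone"},
}

FOLDERS = {
    "StaffData": {
        "share": {"HR": MODIFY, "Everyone": READ, "Administrators": FULL},
        # Assumed: no inherited NTFS entries remain for other users.
        "ntfs": {"HR": MODIFY, "Administrators": FULL},
    },
    "SalesData": {
        "share": {"Marketing": READ, "Administrators": FULL},
        # Assumed from requirement b); the NTFS step is not shown on the page.
        "ntfs": {"Marketing": MODIFY, "Administrators": FULL},
    },
}

def granted(acl, user):
    """Union of the Allow entries for every group the user belongs to."""
    rights = set()
    for group, perms in acl.items():
        if group in MEMBERS[user]:
            rights |= perms
    return frozenset(rights)

def effective(user, folder, over_network):
    """NTFS always applies; the share ACL applies only over the network."""
    rights = granted(FOLDERS[folder]["ntfs"], user)
    if over_network:
        rights &= granted(FOLDERS[folder]["share"], user)
    return rights

def label(rights):
    """Name the highest permission level fully contained in the rights."""
    for name, level in (("Full Control", FULL), ("Modify", MODIFY), ("Read", READ)):
        if level <= rights:
            return name
    return "No access"

if __name__ == "__main__":
    for user in MEMBERS:
        for folder in FOLDERS:
            print(user, folder,
                  "| local:", label(effective(user, folder, False)),
                  "| network:", label(effective(user, folder, True)))
```

Sale1 gets no access to StaffData over the network even though Everyone has Read on the share, because the NTFS ACL grants that account nothing.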

Task 5:

As the StaffData folder contains confidential data, it is required to keep track of all users’ access to the folder.

Step 1: Log on as Administrator on Server, open Group Policy Management, right-click on “Default Domain Policy”, select Edit.
Step 2: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy
Step 3: Right-click on “Audit object access”, select “Properties”, check the boxes as below:

Step 4: Go to “Computer” > “Local Disk (C:)”. Right-click on StaffData > Properties > Security > Advanced > Auditing > Edit
Step 5: Click on Add, type in Everyone and select Check Names. Check the “Successful” and “Failed” boxes for “List folder / read data”, and select OK.
Step 6: Log on as Sale1 in Client to test the failed audit.
Step 7: My Network Places > Entire Network > Microsoft Windows Network > DM1031243 > S1031243 > StaffData. You should be unable to access the folder.
Step 8: On the Server side, click on Administrative Tools > Event Viewer > Windows Logs > Security. You should see “Audit Failure”:

Step 9: Log on as Clerk1 in Client to test the success audit.
Step 10: My Network Places > Entire Network > Microsoft Windows Network > DM1031243 > S1031243 > StaffData. You should be able to access the folder.
Step 11: On the Server side, click on Administrative Tools > Event Viewer > Windows Logs > Security. You should see “Audit Success”:

b) The auditing records may be very large, how can you use the filter feature to allow the system to show only the events associated with the failure object access?

Step 12: Click on Administrative Tools > Event Viewer > Windows Logs > Security.
Step 13: Click on Filter Current Log and set the settings like the following:

Step 14: Click “OK”. You should see only the failed object access events.

Task 6:

The TSO group would need to have some commands run automatically each time they log on to the domain. The commands should accomplish the following tasks:

a) Display the global groups in the domain.
b) Display the list of computer or shared resources available in the domain.

Step 1: Click on Computer > Local Disk (C:) > Windows > System32
Step 2: Create a repl folder; inside the repl folder, create an import folder; inside the import folder, create a scripts folder.
Step 3: Open Notepad, type in the following:

    @echo off
    rem a) list the global groups in the domain
    net group
    rem b) list the shared resources (net share reports this computer's shares)
    net share
    pause

Step 4: Save it as a cmd file. Name it “logon_test”.
Step 5: Open Active Directory Users and Computers, select Technical Support.
Step 6: Right-click on TSO1 > Properties > Profile.
Step 7: Fill in the following:

Step 8: Repeat step 7 for TSO2.
Step 9: Log in as TSO1 on the Server side.
Step 10: You should be able to see the logon script:

Task 7:

a) How should you configure your system in order to complete the following task?

You want to start a performance counter log to monitor Interrupts/sec counter at an interval of 3 seconds for the period of 15 minutes when the processor utilization goes above 80%. The log file name is Interrupt.blg.

Step 1: Click on Start > Programs > Administrative Tools > Reliability and Performance Monitor > Data Collector Sets
Step 2: Right-click on User Defined > New > Data Collector Set
Step 3: Name it as Interrupts, check on Create manually (Advanced), Next.
Step 4: Check on Create data logs and Performance counter.
Step 5: Click on Add, expand Processor, select Interrupts/sec from Available counters, and click on Add>> to the Added counters. Click OK.
Step 6: Under Sample interval, change from 15 to 3.
Step 7: Click on Next and Finish.
Step 8: Right-click on User Defined > New > Data Collector Set
Step 9: Name it as Alert, check on Create manually (Advanced).
Step 10: Check on Performance Counter Alert
Step 11: Click on Add, expand Processor, select % Processor Time from Available counters, and click on Add>> to the Added counters. Click OK.
Step 12: Under Alert when, change from 1 to 80.
Step 13: Click on Next and Finish.
Step 14: Click on Interrupt under User Defined, right-click on DataCollector01 > Properties > File. Change the Log file name to Interrupt.
Step 15: Click on Alert under User Defined, right-click on DataCollector01 > Properties > Alert Action. Check on “Log an entry in the application event log”. Under “Start a data collector set:” select Interrupts from the dropdown list.

b) Which object(s) & counter(s) would you use to monitor/diagnose the following?

i) You have installed two disk drives in your system and want to determine which one gets used more so you can balance the load between them.

- Object: Physical Disk, Counters: % Disk Time & Avg. Disk Bytes/Transfer

ii) You suspect your system does not have enough RAM and want to find out whether system uses too much paging file or not.

- Object: Memory, Counter: Committed Bytes


Task 8:

Set up a practical to verify the following differences between incremental backups and differential backups. Explain how you would do it and show your results in the report.

- An incremental backup clears a file’s archive attribute but a differential backup does not.
- To restore all data back, differential backups are less time-consuming than incremental backups.

No detailed steps are required for this task. You can use any way to explain your method (e.g. diagram, table, flowchart…) as long as it can clearly explain what you would do. You must practically try out your method to see whether it works or not. You should include screenshots of your practical results in the report.

Setting up an Incremental Backup

1. Create a new folder with Full BU.zip and FullBU1.zip.
2. Full backup this folder.
3. Create INCRE1.zip in the folder.
4. Back up this folder with an incremental backup; only the newly created INCRE1.zip is backed up.
5. Create INCRE2.zip and INCRE2.1.zip in the folder.
6. Back up this folder with an incremental backup; only the newly created INCRE2.zip and INCRE2.1.zip are backed up.

| Day | Monday | Wednesday | Friday | Sunday |
|---|---|---|---|---|
| Type of Backup | Full | Incremental | Incremental | Restore |

Before Incremental backup

After Incremental backup

Setting up a Differential Backup

1. Create a new folder with Full BU.zip and FullBU1.zip.
2. Full backup this folder.
3. Create DIFF1.zip in the folder.
4. Back up this folder with a differential backup; only DIFF1.zip is backed up. However, the archive bit is not turned off.
5. Create DIFF2.zip and DIFF2.1.zip in the folder.
6. Back up this folder with a differential backup; DIFF1.zip, DIFF2.zip and DIFF2.1.zip are backed up, because DIFF1.zip’s archive bit is still on.

| Day | Monday | Wednesday | Friday | Sunday |
|---|---|---|---|---|
| Type of Backup | Full | Differential | Differential | Restore |

Before and after Differential backup

Results:

| Backup type | Archive Attribute | Backup Time | Restore Time |
|---|---|---|---|
| Incremental | Before: ON; After: OFF | Full Backup (Monday): 31 seconds; Incremental (Wednesday): 6 seconds; Incremental (Friday): 9 seconds; Total: 46 seconds | Full Restore: 18 seconds; First & Second Incremental: 7 seconds, 11 seconds; Total: 36 seconds |
| Differential | Before: ON; After: ON | Full Backup (Monday): 31 seconds; Differential (Wednesday): 4 seconds; Differential (Friday): 12 seconds; Total: 47 seconds | Full Restore: 18 seconds; Differential Restore: 7 seconds; Total: 25 seconds |

Incremental

1. The first Full Backup on Monday took 31 seconds; the subsequent incremental backups took 6 and 9 seconds respectively.
2. Have to restore the entire backup files.
3. The first Full Restore took 18 seconds; the subsequent restores took 7 and 11 seconds respectively.

Differential

1. The first Full Backup on Monday took 31 seconds; the subsequent differential backups for Wednesday and Friday took 4 and 12 seconds respectively. The second one is longer because it also backed up the files from Wednesday.
2. Just have to restore the first backup file and the last backup file.
3. The first Full Restore took 18 seconds; the last backup took 7 seconds.
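The archive-attribute behaviour that Task 8 verifies can be reproduced with a small simulation. The Python below is an added example, not part of the original report: it replays the Monday/Wednesday/Friday schedule with the report's file names and returns what each backup copies, which backup sets a full restore needs, and the final archive bits. The function names are hypothetical.

```python
# Added illustration of Task 8: the archive attribute decides what each
# backup type copies. File names follow the report; the model is simplified.

def run_schedule(kind, wednesday_files, friday_files):
    """Simulate a Monday full backup plus Wednesday/Friday backups of `kind`.

    Returns (backups, restore_chain, archive_bits), where backups is a list
    of (label, copied_files) and restore_chain lists the labels to restore.
    """
    if kind not in ("incremental", "differential"):
        raise ValueError(kind)
    archive = {"Full BU.zip": True, "FullBU1.zip": True}  # new files: bit ON
    backups = []

    def backup(label, select_all, clear_bits):
        copied = sorted(n for n, bit in archive.items() if bit or select_all)
        if clear_bits:
            for name in copied:
                archive[name] = False
        backups.append((label, copied))

    # A full backup copies everything and clears every archive bit.
    backup("Monday full", select_all=True, clear_bits=True)
    for day, new_files in (("Wednesday", wednesday_files),
                           ("Friday", friday_files)):
        for name in new_files:
            archive[name] = True   # creating a file sets its archive bit
        # Only an incremental backup clears the bit of what it copied.
        backup(f"{day} {kind}", select_all=False,
               clear_bits=(kind == "incremental"))

    if kind == "incremental":
        restore_chain = [label for label, _ in backups]   # full + every incremental
    else:
        restore_chain = [backups[0][0], backups[-1][0]]   # full + latest differential
    return backups, restore_chain, dict(archive)

def restored_files(backups, restore_chain):
    """Files recovered by restoring exactly the backup sets in the chain."""
    recovered = set()
    for label, copied in backups:
        if label in restore_chain:
            recovered.update(copied)
    return recovered

if __name__ == "__main__":
    for kind, wed, fri in (
        ("incremental", ["INCRE1.zip"], ["INCRE2.zip", "INCRE2.1.zip"]),
        ("differential", ["DIFF1.zip"], ["DIFF2.zip", "DIFF2.1.zip"]),
    ):
        backups, chain, bits = run_schedule(kind, wed, fri)
        print(kind, backups, chain, bits)
```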