CA1 ReportST3241: Network and Server Management Done by: Lim Yiling (P1031243) Ally Tan (P1031045) DICT 2A/03
Task 1:You are required to set up a small server/client network with one server and one client forTripSmart Company. The server name is S****** and the client name is C******, where****** is the admission number of any member in your team. Use 22.214.171.124 and192.168.100.11 for the IP address of the server and the client respectively Server SideStep 1: Log on as administrator in Server01( Windows Server 2008).Step 2: Right-Click the Network icon in the Systems Tray and select Properties.Step 3: Click on View status as shown below:Step 4: Click on Properties button under the Local Area Connection Status window.Step 5: Double click on Internet Protocol Version 4 (TCP/IPv4).Step 6: Click on OK button after you have filled in as follows:
Step 7: Right-Click the Computer icon on the Desktop and select PropertiesStep 8: Click Change Settings, then click on Change under Computer Name tab.Step 9: Click on OK button after you have filled in as follows, restart when prompted:
Client SideStep 10: Log on as administrator in Client01 (Windows XP).Step 11: Fill in the following TCP/IP properties:Step 12: Right-click on My Computers and select Properties, and click on Change underComputer Name.Step 13: Click on OK button after you have filled in as follows, restart when prompted:
Task 2:Install Active Directory in the server to promote it to be a domain controller and installDNS accordingly. Create a domain with the domain name that is DM******.com(where ****** is your admission number) and join the client to the domain. Install DNS Server RoleStep 1: Go to Start > Programs > Administrative Tools > Server Manager.Step 2: Click on Roles and select Add Roles under Roles SummaryStep 3: Click on Next and check on “DNS Server” Option, and click Next again.
Step 4: Install the DNS Server Role. Install Active Directory Domain ServicesStep 5: Repeat Step 1 – 2.Step 6: Click on Next and check on “Active Directory Domain Services” Option, andclick Next again.Step 7: Install the Active Directory Domain Services Role.Step 8: Click on Start > Run, type in “dcpromo.exe”.
Step 9: Click on Next, and Next again. Check “Create a new domain in a new forest”,and Next.Step 10: Click on Next after you have filled in as follows:Step 11: Select “Windows Server 2008” for the Forest functional level and click Nexttwice, select Yes when a pop-up screen appears.Step 12: Click on Next. Input Password as: “P@ssw0rd”, click on Next twice.Step 13: Check on “Reboot on Completion”. Join Client to the DomainStep 14: Log on as administrator on ClientStep 15: Right-click on My Computers and select Properties, and click on Change underComputer Name.
Step 16: Click on OK button after you have filled in as follows:Step 17: Enter administrator’s name and password when required.Task 3:The TripSmart Company has 3 departments and there is no strong security boundariesrequired between the departments.a) As an administrator, you have to decide how to setup the network for the company.The user accounts and group memberships are shown in the following table:Department User Account Group MembershipSales Sale1, Sale2, Sale3 Marketing, Domain UsersHuman Resource Clerk1, Clerk2 HR, Domain UsersTechnical Support TSO1, TSO2 TSO, Domain AdminsStep 1: Logon as administrator in ServerStep 2: Click Start > Administrative Tools > Active Directory Users and Computers.Step 3: Right click Users folder and select the New User... option.Step 4: Fill in the following fields in the New User window for all the User Accountsstated above:Username:Full Name:Description:Password:Confirm Password:
Step 5: Open Active Directory Users and Computers tool. Right clickDM*******.com and select the New Organization Unit option.Step 6: The new object – group dialog box appears. Enter the name of the group as‘Sales’, leave the Group scope as ‘Global’ and click OK.Step 7: Repeat Step 6 for both Human Resource and Technical Support.Step 8: Open Active Directory Users and Computers tool. Right clickDM*******.com and select the New Group option.Step 9: Create 3 groups named “Marketing”, “HR” and “TSO”b) Configure the security settings to meet the following requirements: i. The password for the users’ accounts in Technical Support department should never be expired.Step 1: Right click “Properties” on both TSO users’ accounts, select the “Account” taband check “Password never expires” under Account options. ii. The users in the Sales department are allowed to log into the domain during the office hours (from 9am to 5pm, Monday to Friday).Step 1: Right click “Properties” on all 3 Sale users’ accounts, select the “Account” taband click “Logon Hours”….
Step 2: Select Monday to Friday and then permit working hours from 9am to 5pm for all3 Sale Accounts. iii. Clerk2 is on two month no‐pay leave starting from 15 November 2011.Step 1: Right click “Properties” on Clerk2’s user account, select the “Account” tab andselect End of: Tuesday, November 15, 2011 under “Account expires”…. iv. The users in the Sales department are not allowed to access to the Control Panel.Step 1: Logon as Administrator on Server, open Group Policy Management and rightclick on Sales OU, select Create a GPO in this domain, and Link it here.
Step 2: Name the new policy as Default Sales Policy. Click OK and right click on thenewly created Default Sales Policy and select Edit.Step 3: Under User Configuration console tree, expand Administrative Templates andthen Control Panel and enable the following setting: Prohibit access to the Control PanelStep 4: Run gpupdate /force to refresh the policy settings. v. The users in the Human Resource department are not allowed to use the Run menu from Start MenuStep 1: Logon as Administrator on Server, open Group Policy Management and rightclick on Human Resource OU, select Create a GPO in this domain, and Link it here.Step 2: Name the new policy as Default HR Policy. Click OK and right click on thenewly created Default Sales Policy and select Edit.Step 3: Under User Configuration console tree, expand Administrative Templates andthen Start Menu and Taskbar and enable the following setting:
Remove Run menu from Start MenuStep 4: Run gpupdate /force to refresh the policy settings. vi. All Users must change their password every 3 months and cannot re-use any of the 3 recent passwords he/she has used for his/her account.Step 1: Logon as Administrator on Server, open Group Policy Management and rightclick on Default Domain Policy, select Edit.Step 2: Under Computer Configuration console tree, expand Windows Settings andthen Security Settings > Account Policies.Step 3: Select Password Policy and change the settings for the following:
Enforce password history- Keep password history for 3 passwords remembered. Maximum password age- Password will expire in 90days/3monthsStep 4: Run gpupdate /force to refresh the policy settings.vii. All Users would require the administrator to unlock the account after 5 unsuccessful attempts.Step 1: Logon as Administrator on Server, open Group Policy Management and rightclick on Default Domain Policy, select Edit.Step 2: Under Computer Configuration console tree, expand Windows Settings andthen Security Settings > Account Policies.Step 3: Select Account Lockout Policy and change the settings for the following: Account lockout threshold- Account will lock out after 5 invalid logon attemptsTask 4:The users from the Sales and Human Resource departments have requested to createtwo shared folders in the domain controller: StaffData and SalesData. The appropriatepermissions must be set in order to meet the following requirements:a) For StaffData folder: The users in Human Resource department can haveModify (Change) permission when they access the folder locally or across thenetwork. Other users should have no access to this folder.
Step 1: Create a StaffData folder in Local Disk (C:), right click and select Properties >Sharing > Advanced Sharing… > Check the box for Share this folder.When accessing across networkStep 2: Select permissions under Advanced Sharing and add the HR group. Check Allowfor Change and automatically Read will be allowed too.Add Everyone and check Allow for Read only.Add Administrators and check Allow for Full Control and Change and Read would beautomatically allowed too. Apply and click OK.When accessing locallyStep 3: Properties > Security, then click Edit to change permissions. Add the HR groupand check Allow for Modify and automatically Read & Execute, List folder contents,Read and Write will be allowed too.Add Administrators and check Allow for Full Control and Modify, Read & Execute,List folder contents, read and write will be automatically allowed too. Apply and clickOK.You should be able to see this if other users try to access this folder:b) For SalesData folder: The users in the Sales department have Modify permissionwhen they access the folder locally but only have Read permission when they access thefolder across the network.
Note: The administrator has Full Control permission for both foldersregardless of whether the folders are accessed locally or across the network.Step 1: Create a SalesData folder in Local Disk (C:), right click and select Properties >Sharing > Advanced Sharing… > Check the box for Share this folder.Step 2: Select permissions under Advanced Sharing and add the Marketing group.Check Allow for Read only.Add Administrators and check Allow for Full Control and Change and Read would beautomatically allowed too. Apply and click OK.You should be able to see this if the users in the Sales department try to modify thefolder:Task 5:As the StaffData folder contains confidential data, it is required to keep track of allusers’ access to the folder.Step 1: Logon as Administrator on Server, open Group Policy Management, right-clickon “Default Domain Policy”, select Edit.Step 2: Computer Configuration > Policies > Windows Settings > Security Settings >Local Policies > Audit Policy
Step 3: Right-click on “Audit object access”, select “Properties”, check the boxes asbelow:Step 4: Go to “Computer” > “Local Disk (C:)”. Right-click on StaffData > Properties> Security > Advanced > Auditing > EditStep 5: Click on Add, type in Everyone and select Check Name. Check the“Successful” and “Failed” box for “List folder / read data”, and select OK.Step 6: Logon to Sale1 in Client to test the failed audit.Step 7: My Network Places > Entire Network > Microsoft Windows Network >DM1031243 > S1031243 > StaffData. You should be unable to access the folder.Step 8: In Server side, click on Administrator Tools > Event Viewer > Windows Logs> Security. You should see “Audit Failure”:
Step 9: Logon to Clerk1 in Client to test the success audit.Step 10: My Network Places > Entire Network > Microsoft Windows Network >DM1031243 > S1031243 > StaffData. You should be able to access the folder.Step 11: In Server side, click on Administrator Tools > Event Viewer > WindowsLogs > Security. You should see “Audit Success”:
b) The auditing records may be very large, how can you use the filter feature to allowthe system to show only the events associated with the failure object access?Step 12: Click on Administrator Tools > Event Viewer Windows Logs > Security.Step 13: Click on Filter Current Log and set the settings like the following:Step 13: Click “OK”. You should only be able to see failed object events only.Task 6:The TSO group would need to require to have some commands run automatically eachtime they log on to the domain. The commands should accomplish the following tasks:a) Display the global groups in the domain.b) Display the list of computer or shared resources available in the domain.Step 1: Click on Computers > Local Disk (C:) > Windows > System32Step 2: Create repl folder, inside repl folder, create import folder, inside import folder,create scripts folder.Step 3: Open Notepad, type in the followings:@echo offnet groupnet sharepause
Step 4: Save it as cmd file. Name it as “logon_test”.Step 5: Open Active Directory Users and Computers, select Technical Support.Step 6: Right-click on TSO1 > Properties > Profile.Step 7: Fill in the followings:Step 8: Repeat step 7 for TSO2.Step 9: Login to TSO1 in Server side.Step 10: You should be able to see the logon script:
Task 7:a) How should you configure your system in order to complete the following task?You want to start a performance counter log to monitor Interrupts/sec counter at aninterval of 3 seconds for the period of 15 minutes when the processor utilization goesabove 80%. The log file name is Interrupt.blg.Step 1: Click on Start > Programs > Administrative Tools > Reliability andPerformance Monitor > Data Collector SetsStep 2: Right-click on User Defined > New > Data Collector SetStep 3: Name it as Interrupts, check on Create manually (Advanced), Next.Step 4: Check on Create data logs and Performance counter.Step 5: Click on Add, expand Processor, select Interrupts/sec from Available counters,and click on Add>> to the Added counters. Click OK.Step 6: Under Sample interval, change from 15 to 3.Step 7: Click on Next and Finish.Step 8: Right-click on User Defined > New > Data Collector SetStep 9: Name it as Alert, check on Create manually (Advanced).
Step10: Check on Performance Counter AlertStep 11: Click on Add, expand Processor, select % Processor Time from Availablecounters, and click on Add>> to the Added counters. Click OK.Step 12: Under Alert when, change from 1 to 80.Step 13: Click on Next and Finish.Step 14: Click on Interrupt under User Defined, right-click on DataCollector01 >Properties > File. Change the Log file name to Interrupt.Step 15: Click on Alert under User Defined, right click on DataCollector01 >Properties > Alert Action. Check on “Log an entry in the application event log”.Under “Start a data collector set:” select Interrupts from the dropdown list.b) Which object(s) & counter(s) would you use to monitor/diagnose the followings? i) You have installed two disk drives in your system and want to determine which one gets used more so you can balance the load between them. - Object: Physical Disk, Counters: %Disk Time & Avg. Disk Bytes/Transfer ii) You suspect your system does not have enough RAM and want to find out whether system uses too much paging file or not. - Object: Memory, Counter: Committed Bytes
Task 8:Set up a practical to verify the following differences between incremental backups anddifferential backups. Explain how you would do and show your results in the report.An incremental backup clears file’s archive attribute but a differential backup does not.To restore all data back, differential backups are less time‐consuming than incrementalbackups.No detailed steps are required for this task. You can use any way to explain your method(e.g. diagram, table, flowchart…) as long as it can clearly explain what you would do.You must practically try out your method to see whether it works or not. You shouldinclude screen shots of your practical results in the reportSetting up an Incremental Backup1. Create a new folder with Full BU.zip and FullBU1.zip.2. Full Backup this folder.3. Create INCRE1.zip into the folder.4. Backup this folder with incremental backup, only the newly created INCRE1.zipis backed up.5. Create INCRE2.zip and INCRE2.1 zip into the folder6. Backup this folder with incremental backup, only the newly created INCRE2.zipand INCRE2.1 are backed up.Day Monday Wednesday Friday SundayType of Full Incremental Incremental RestoreBackup Before Incremental backup
After Incremental backupSetting up a Differential Backup1. Create a new folder with Full BU.zip and FullBU1.zip.2. Full backup this folder.3. Create DIFF1.zip into the folder.4. Backup this folder with differential backup, only DIFF.zip is backed up; however,the archive bit is not turned off.5. Create DIFF2.zip and DIFF2.1 zip into the folder.6. Backup this folder with differential backup, DIFF.zip, DIFF2.zip and DIFF2.1.zipis backed up, because DIFF1.zip’s archive bit is still on.Day Monday Wednesday Friday SundayType of Backup Full Differential Differential Restore Before and after Differential backup
Results: Archive Attribute Backup Time Restore TimeIncremental Before: ON Full Backup(Monday): Full Restore: After: OFF 31 Seconds 18 Seconds Incremental(Wednesday): First & Second 6 Seconds Incremental: Incremental(Friday): 7 Seconds, 11 Seconds 9 Seconds Total: 36 Seconds Total: 46 SecondsDifferential Before: ON Full Backup(Monday): Full Restore: 18 After: ON 31 Seconds Seconds Differential(Wednesday): Differential Restore: 7 4 Seconds Seconds Differential(Friday): 12 Seconds Total: 25 Seconds Total: 47 SecondsIncremental 1. Time for first Full Backup on Monday took 31 seconds; subsequent incremental backup took 6 and 9 second respectively. 2. Have to restore the entire backup files. 3. First Full Restore took 18 seconds; subsequent restore took 7 and 11 seconds respectively.Differential 1. Time for first Full Backup on Monday took 31 seconds; subsequent differential backup for Wednesday and Friday took 4 and 12 second respectively, the second one is longer because it backed the files that is on Wednesday too. 2. Just have to restore the first backup file and the last backup file. 3. First Full Restore took 18 seconds; last backup took 7 seconds.