STUDENT SKILLS COMPETITION (LOMBA KETERAMPILAN SISWA)
VOCATIONAL HIGH SCHOOL
NATIONAL LEVEL XXV 2017
IT NETWORK SYSTEMS ADMINISTRATION
LKS2017_ITNSA_MODULB
MODULE B
LKSN2017_ITNSA Version: 1.0 Date: 29.11.2017
ISLAND 2 – SYSTEM INTEGRATION ISLAND
CONTENTS
This Test Project proposal consists of the following document/file:
LKSN2017_ITNSA_MODUL2.pdf
INTRODUCTION
The competition has a fixed start and finish time. You must decide how to best divide your time.
Please carefully read the following instructions!
When the competition time ends, please leave your station in a running state.
Please do not touch the VMware configuration as well as the configuration of the VM itself except the CD-ROM / HDD drives.
PHYSICAL MACHINE (HOST)
FOLDER PATHS
PART I
WORK TASK INSTALLATION (WINSRV1, WINSRV2, LNXSRV1, LNXSRV2)
Note: Please use the default configuration if you are not given details.
WORK TASK SERVER WINSRV1
Configure the server with the hostname, domain and IP specified in the appendix.
o Modify the default Firewall rules to allow ICMP (ping) traffic
o Install Active Directory Domain Services for indonesiahebat.net.
Create a new Organization Unit named InaHebat2017. All new users and groups must be created in this OU.
Create the user and security global group with members as indicated in the table in Appendix. Use Jakarta2017 as the password for all user accounts.
o DNS
Create a forward zone called indonesiahebat.net
Create a reverse zone for the IP range.
Create 3 subdomains:
- info.indonesiahebat.net
- training.indonesiahebat.net
- competition.indonesiahebat.net
Create a secondary zone for smkhebat.org and use this server as the backup DNS for the smkhebat.org domain
Host and service records have to be created in DNS for all servers and clients.
o PKI (Public Key Infrastructure)
Install and configure Certificate Service
Install only the Certificate Authority
Create a template for Clients AND Servers
- Name the template ITNSA-ClientServerCert
- Publish the template in Active Directory
- Set the subject name format to common name
o GPO – Password Policies
Ensure the company user password must meet the following criteria:
- Domain passwords will be at least 6 characters.
- Strong passwords need not be enforced.
- Passwords will not be stored with reversible encryption.
- Passwords will be changed exactly every 90 days.
- Accounts will be locked out for 30 minutes after three invalid logon attempts.
The password of the users in IT group must meet the following criteria:
- Domain passwords will be at least 10 characters.
- Strong passwords will be enforced.
- Passwords will not be stored with reversible encryption.
- Passwords will be changed exactly every 30 days.
o GPO – Security Policies
At logon on WINCLT2, users should see this message before logging in: Message Title: "Welcome to Indonesiahebat2017" with Message Text "Only authorized personnel allowed to access." and prohibit this message on all servers.
All users, except the IT group, are not allowed to access the display settings on the Control Panel.
Disable "First Sign-in Animation" for all Windows 8.1 clients
Disable the use of cmd and run for the Visitor group
o VPN SERVER (RRAS)
Set up and configure the VPN service (RRAS)
Use the following IP Range for the VPN Clients: 192.168.50.100 – 192.168.50.150 (provided by RRAS service)
With a VPN connection the user should be able to access the shares on WINSRV2
Only users in the sales group should be able to connect to the VPN server
Remote Clients should be able to access the VPN server via the IP address 143.25.100.1
WORK TASK SERVER WINSRV2
Configure the server with the hostname, domain and IP specified in the appendix.
o Modify the default Firewall rules to allow ICMP (ping) traffic
o Install Active Directory Domain Services for smkhebat.org.
Administrator password should be Jakarta2017
Enable two-way trust between indonesiahebat.net forest and smkhebat.org forest.
Users from each of the forests are able to access resources in both forests.
o DNS
Create a forward zone called smkhebat.org
Create a reverse zone for the IP range defined in VLAN 31.
Create a secondary zone for indonesiahebat.net and use this server as the backup DNS for the indonesiahebat.net domain
Host and service records have to be created in DNS for all servers and clients.
o Web Server (IIS)
WORK TASK SERVER WINSRV1 & WINSRV2
o Install Distributed File System
Create skills as the root DFS Namespace in a Domain-based namespace in 2008 mode.
Create DFS share folders and configure the folder targets as indicated in the following table.
Enable DFS Replication between WINSRV1 and WINSRV2.
DFS Namespace Share Folders | Folder Target | Local Folder on both Servers | Description
\\indonesiahebat.net\skills\rfolders | \\WINSRV1\rfolders, \\WINSRV2\rfolders | C:\share\rfolders on WINSRV1, E:\share\rfolders on WINSRV2 | Folder Redirection & home folder
\\indonesiahebat.net\skills\IT | \\WINSRV1\IT, \\WINSRV2\IT | C:\share\IT on WINSRV1, E:\share\IT on WINSRV2 | Departmental
 | | C:\share\Sales on WINSRV1, E:\share\Sales on WINSRV2 | Departmental Share for Sales
\\indonesiahebat.net\skills\Marketing | \\WINSRV1\Mkt, \\WINSRV2\Mkt | C:\share\Mkt on WINSRV1, E:\share\Mkt on WINSRV2 | Departmental Share for Marketing
o Configure users profiles and share folders:
Create users' home folder \\indonesiahebat.net\skills\rfolders\username and ensure it is mapped to Z: at each logon automatically.
- Limit the storage space of every home folder to 50MB
- Prevent any .exe and .bat files from being stored in the home folder.
Redirect the Documents folder to \\indonesiahebat.net\skills\rfolders\username\Documents.
Create departmental share folders on \\indonesiahebat.net\skills\IT, \\indonesiahebat.net\skills\Sales and \\indonesiahebat.net\skills\Marketing and map the respective share folder to Y: at logon, depending on the department the user is in. Users should not be allowed to access other departments' or users' home shares.
WORK TASK SERVER LNXSRV1
Configure the server with the hostname, domain and IP specified in the appendix.
o Create 50 local UNIX users (userxx) with password Jakarta2017
o FreeRadius Server
Configure radius server for router and switch access authentication. Use Secret as share key.
Create SW1 with password LKSN2017. Will be used for switch access authentication.
Create RO with password LKSN2017. Will be used for router access authentication.
o NTP Server
Set NTP server service. Use local clock as time server source
o DHCP Server
Pool AOCC
Range: 10.99.111.51 – 10.99.111.100
Gateway: 10.99.111.1
DNS: 10.99.112.2
Pool OUTSIDE
Range: 220.17.8.36 – 220.17.8.40
Netmask: /28
Gateway: 220.17.8.45
DNS: 220.17.8.42
WORK TASK SERVER LNXSRV2
Configure the server with the hostname, domain and IP specified in the appendix.
o Web Server (nginx)
Create 3 virtual webhosts for info.indonesiahebat.net; training.indonesiahebat.net; competition.indonesiahebat.net
Make sure http://training.indonesiahebat.net is protected by authentication
o Create users from client to client
o Mail Server & Web Mail
Create users budi and ani
Make sure they have access via POP3, IMAP and SMTP
Before you finish your project make sure you send an email message from budi to ani and another message from ani to budi
Do not delete these email messages.
o Cacti
Install Cacti
Create an admin-user master with password Jakarta2017
PART II
WORK TASK NETWORK CONFIGURATION (RO1, SW1)
Note: Please use the default configuration if you are not given details.
WORK TASK ROUTER (RO1) & SWITCH (SW1)
o Use the Indonesia2017 as secret password
o Line console must login with the password LKSN2017
o Configure AAA login with the lnxsrv1 as Radius Server
o Create username admin and password LKSN2017 for failover user if RADIUS server is not available
o Enable SSH Access with authentication using radius server (lnxsrv1)
o Encrypt all clear text password
o Configure banner MOTD AUTHORIZED ACCESS ONLY
o Configure VLAN and IP Address
Device | Interface | VLAN ID | Description / VLAN Name | IP Address
RO1 | Gi0/0 | - | - | 220.17.8.45/28
RO1 | Gi0/1.30 | 30 | DESC | 10.99.110.62/26
RO1 | Gi0/1.31 | 31 | AOCC | 10.99.111.1/25
RO1 | Gi0/1.32 | 32 | VOICE | 10.99.111.129/25
RO1 | Gi0/1.33 | 33 | CDCC | 10.99.112.1/27
WORK TASK ROUTER (RO1)
o Configure the server with the hostname RO1
o Configure DHCP Relay for VLAN AOCC to lnxsrv
o Configure NAT / PAT
Configure NAT Overload using interface gi0/0 with inside local VLAN AOCC
Configure Static NAT
Static NAT to lnxsrv2 with IP address 220.17.8.41
Static NAT to winsrv1 with IP address 220.17.8.42
o Telephony Service
o Configure button 2 on hqvph1 to call directly to paging extension
o Configure Intercom service with the extension 199
o Access Control List (ACL)
Configure Access List with rule below
- Ensure outside can access lnxsrv2 and winsrv1 using IP outside of RO1
- Allow access from outside to web server lnxsrv1 and winsrv2
- Deny other traffic from outside to inside
o SNMP
WORK TASK SWITCH (SW1)
o Configure the server with the hostname SW1
o Configure port interface
Port 24 trunk mode to ro1
Port 1 for lnxsrv1 and lnxsrv2
Port 13 for winsrv1
Port 14 for winsrv2
Port 5 for hqvph1
Port 6 for winclnt1
PART III
WORK TASK WINDOWS CLIENT (WINCLT1, WINCLT2, IP PHONE)
Note: Please use the default configuration if you are not given details.
WORK TASK WINDOWS EXTERNAL (WINCLT1)
Configure the server with the hostname, domain and IP specified in the appendix.
o Connect the WINCLT1 to the outside RO1
o Configure VPN client to connect to winsrv1
WORK TASK WINDOWS INTERNAL (WINCLT2)
Configure the server with the hostname, domain and IP specified in the appendix.
o Connect the WINCLT to the switch VLAN AOCC
o Join the notebook to the domain
o Install and configure Cisco IP Communicator with number 101
WORK TASK IP PHONE (HQVPH1)
Note: Please use the default configuration if you are not given the details.
Connect LAN cables and configure IP addresses according to the network diagram in the appendix
Configure with number 100
Make sure the VoIP-phone is using VLAN19 for its VoIP-traffic
APPENDIX
SPECIFICATIONS
WINSRV1
Computer name: WINSRV1
Operating System: MS Windows 2012 R2
Domain Name: indonesiahebat.net
Administrator User name: Administrator
Administrator password: Jakarta2017
IP address: 10.99.122.2/28
Domain NetBIOS Name: HEBAT
WINSRV2
Computer name: WINSRV2
Operating System: MS Windows 2012 R2
Domain Name: smkhebat.org
Administrator User name: Administrator
Administrator password: Jakarta2017
IP address: 10.99.122.3/28
Domain NetBIOS Name: HEBAT
LNXSRV1
Computer name: LNXSRV1
Operating System: Linux Debian 7.8
User name: root
Password: Jakarta2017
IP address: 10.99.110.1/26
LNXSRV2
Computer name: LNXSRV2
Operating System: Linux Debian 7.8
User name: root
Password: Jakarta2017
WINCLT1
Computer name: WINCLT1
Operating System: MS Windows 8.1
User name: Administrator
Password: Jakarta2017
Domain name: Indonesiahebat.net
IP address: DHCP
WINCLT2
Computer name: WINCLT2
Operating System: MS Windows 8.1
User name: Administrator
Password: Jakarta2017
Domain name: indonesiahebat.net
IP address: DHCP
NETWORK SPECIFICATION
VLAN DESC (ID: 30) 10.99.110.0/26
VLAN AOCC (ID: 31) 10.99.111.0/25
VLAN VOICE (ID: 32) 10.99.111.128/25
VLAN CDCC (ID: 33) 10.99.112.0/27
VLAN NATIVE (ID: 99) 10.0.0.0/28
OUTSIDE 220.17.8.0/28
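A consistency check of the addressing plan, as an added example that is not part of the original test project: it tests every address given in the task sections against the networks listed in this specification, which is worth doing before ACLs, NAT rules and DHCP pools are built from them. The labels and function names are this example's own.

```python
import ipaddress

# Networks exactly as listed under the network specification.
NETWORKS = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "DESC": "10.99.110.0/26", "AOCC": "10.99.111.0/25",
    "VOICE": "10.99.111.128/25", "CDCC": "10.99.112.0/27",
    "NATIVE": "10.0.0.0/28", "OUTSIDE": "220.17.8.0/28",
}.items()}

# Addresses as written in the task sections; the labels are this example's own.
ADDRESSES = {
    "RO1 Gi0/0": "220.17.8.45/28",
    "RO1 Gi0/1.30": "10.99.110.62/26",
    "RO1 Gi0/1.31": "10.99.111.1/25",
    "RO1 Gi0/1.32": "10.99.111.129/25",
    "RO1 Gi0/1.33": "10.99.112.1/27",
    "WINSRV1": "10.99.122.2/28",
    "WINSRV2": "10.99.122.3/28",
    "LNXSRV1": "10.99.110.1/26",
    "Pool AOCC first": "10.99.111.51",
    "Pool AOCC last": "10.99.111.100",
    "Pool AOCC gateway": "10.99.111.1",
    "Pool AOCC DNS": "10.99.112.2",
    "Pool OUTSIDE first": "220.17.8.36",
    "Pool OUTSIDE last": "220.17.8.40",
    "Pool OUTSIDE gateway": "220.17.8.45",
    "Pool OUTSIDE DNS": "220.17.8.42",
    "Static NAT lnxsrv2": "220.17.8.41",
    "Static NAT winsrv1": "220.17.8.42",
}

def find_network(value):
    """Name of the listed network the address belongs to, or None.

    With a prefix length, the implied network must equal a listed one;
    a bare address only has to fall inside a listed network.
    """
    iface = ipaddress.ip_interface(value)
    for name, net in NETWORKS.items():
        if "/" in value and iface.network == net:
            return name
        if "/" not in value and iface.ip in net:
            return name
    return None

def unplaced():
    """Labels whose address matches none of the listed networks."""
    return [label for label, value in ADDRESSES.items()
            if find_network(value) is None]

if __name__ == "__main__":
    for label, value in ADDRESSES.items():
        print(f"{label:22} {value:18} -> {find_network(value)}")
```

Run against the values in this document, it places the 10.99.110.x, 10.99.111.x and 10.99.112.x addresses in their VLANs and reports the 220.17.8.x addresses and both WINSRV addresses as matching none of the listed networks.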
DOMAIN USER LIST
Group Members
NETWORK DIAGRAM
[Network diagram: MODUL B – SYSTEM INTEGRATION & CISCO ISLAND. Labels recoverable from the figure: Windows 8.1 host machines PC1 and PC2; winsrv1 (Windows Server 2012 R2, user Administrator; PKI, GPO, DFS, SNMP, VPN Server (RRAS)); lnxsrv1; lnxclnt1; lnxclnt2; winclnt2 (Internal, Windows 8.1); Web Server (nginx); Mail Server.]