Network Administration Group Assignment I

School of Computer Science and Technology
Network Administration (CS465) Group Assignment 1
Members of the Group with ID No.
• Abrham Daniel - RW2073
• Adil Abas - BH2555
• Alazar Samuel - UL4233
• Amanuael Estifanos - FA1583
• Amanuel Sisay - OB7430
• Ananya Girma - KX4420
• Bisrat Asfaw - OU3676
• Biniyam Mengistu - ZW0362
• Esrom Tesfaye - NG8384
Submitted to: Inst. Taye Abdulkadir
September 18, 2022
Introduction
This document presents the design and administration of a mission-critical system for an organization
called ABC.com, which has a sister company called XYZ.org and is about to acquire a new organization
called HiLCoE.edu. ABC.com has a central data center in Addis Ababa and field offices in three other
cities in the country, whereas XYZ has its own organization name and organizational structure, with a
headquarters in Addis Ababa separate from ABC's. HiLCoE.edu needs to establish a trust relationship
with the administrators of ABC for efficient file sharing and for the companies' ERP system.
Proposed General Structure of the Organization
The ABC domain has three sites: branch offices at Adama, Bishoftu, and Kombolcha. The domain has
four domain controllers, one at headquarters and one at each of the three sites; the three sites are
connected to headquarters via a VLAN over the public network, and the namespace for the domain is
ABC.com. The other domain, XYZ, has one domain controller, XYZ.com, and XYZ is in the forest structure
of ABC. The new domain (HiLCoE.edu) to be acquired by the company needs to be in a different forest
but should be able to communicate with the other forest.
Detailed Implementation of the Structure
Installation of Domain Controllers
Twelve domain controllers will be present in total: six across the sites (two per site), four for each
domain, four for each forest, and one global catalog. Even with a single-domain structure, redundancy
is required because, in the event of a server failure, the other server will take over as the domain
controller. Windows Server 2008 R2 powers every domain controller. The following prerequisites
must be met in order to install a domain controller:
• Static IP address
• DNS infrastructure
• Local administrator rights on the first domain controller
• Run dcpromo to promote the server to a domain controller
Sites
A site is a model of a physical network or of a collection of interconnected networks. As was
already mentioned, there needs to be a link between Addis Ababa and the locations of the other field
offices. According to our requirements, we will have Adama, Bishoftu, and Kombolcha as our
three sites. We will build the new sites and link them to the following network subnets using the Active
Directory tools.
Sites       Subnets          Namespace
Adama       164.100.2.0/24   Adama.ABC.com
Bishoftu    164.100.3.0/24   Bishoftu.ABC.com
Kombolcha   164.100.4.0/24   Kombolcha.ABC.com
A domain controller needs to be installed at each location. Each site object is protected from
unintentional deletion, which stops sites from being deleted by accident. We use intersite
replication to replicate the domain controllers across the three sites and the headquarters. The
network infrastructure provided by the ISP will be used to establish communication between the
sites.
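As an added example (not part of the assignment), the three sites, their subnets, the protection from accidental deletion and the intersite links back to headquarters can be created with the Active Directory PowerShell module. It assumes the Windows Server 2012 or later AD module (the AD replication cmdlets are not in the 2008 R2 module), that the headquarters site has been named AddisAbaba, and a link cost and replication interval chosen here only for illustration.

```powershell
Import-Module ActiveDirectory

# Site -> subnet mapping taken from the site/subnet table above
$sites = @{
    'Adama'     = '164.100.2.0/24'
    'Bishoftu'  = '164.100.3.0/24'
    'Kombolcha' = '164.100.4.0/24'
}
$hqSite = 'AddisAbaba'   # assumed name of the headquarters site (Default-First-Site-Name renamed)

foreach ($siteName in $sites.Keys) {
    # 1. Create the site object for the branch office
    New-ADReplicationSite -Name $siteName -Description "ABC.com branch office: $siteName"

    # 2. Associate the branch subnet with the site so clients locate their local DC
    New-ADReplicationSubnet -Name $sites[$siteName] -Site $siteName

    # 3. Protect the site object from accidental deletion, as the design requires
    $siteDn = (Get-ADReplicationSite -Identity $siteName).DistinguishedName
    Set-ADObject -Identity $siteDn -ProtectedFromAccidentalDeletion $true

    # 4. Intersite replication: an IP site link between headquarters and the branch
    #    (cost 100 and a 15-minute interval are illustrative values, not from the design)
    New-ADReplicationSiteLink -Name "${hqSite}-${siteName}" `
        -SitesIncluded $hqSite, $siteName `
        -InterSiteTransportProtocol IP `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 15
}

# Check: every branch subnet is mapped to its site and every site object is protected
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADReplicationSite -Filter * -Properties ProtectedFromAccidentalDeletion |
    Select-Object Name, ProtectedFromAccidentalDeletion
```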
Trust
There shall be a trust relationship between ABC and HiLCoE for the ERP system and file sharing.
Between the two domains, we require a type of trust called a tree trust, which Active Directory
creates automatically. To establish trust between the two forests, another sort of trust is
necessary. This type of trust needs to be manually created by an administrator, the direction of
trust needs to be two-way, and the level of outgoing trust authentication needs to be selected. The ABC
domain will handle whichever duty the administrator selects.
Service Account
The system's service accounts are used to run the services it offers. This is accomplished by
creating a service account for each relevant service that the system makes available to a
given user. The service account grants that user the fewest privileges. Make sure to
check the box that reads "user cannot change the password" when creating a service account in the
wizard. Additionally, we must ensure that the password won't expire. The new group that will be
used to contain the new service account must then be created. Service account will be the group's
name, and its global group scope will include only user accounts. Then, using the Member Of tab,
add the service account to the group.
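Added example, not from the assignment: one service account created with the two wizard settings above (user cannot change password, password never expires), the global group named Service account, and a check of the account's group memberships. The account name svc-erp, the OU path OU=IT,DC=ABC,DC=com and the password prompt are assumptions.

```powershell
Import-Module ActiveDirectory

$ouPath  = 'OU=IT,DC=ABC,DC=com'   # assumed: service accounts live in the ABC.com IT OU
$svcName = 'svc-erp'               # assumed name for the ERP service account
$svcPass = Read-Host -AsSecureString -Prompt "Initial password for $svcName"

# Service account with the two wizard checkboxes set:
# "User cannot change password" and "Password never expires"
New-ADUser -Name $svcName `
    -SamAccountName $svcName `
    -UserPrincipalName "$svcName@ABC.com" `
    -Path $ouPath `
    -AccountPassword $svcPass `
    -CannotChangePassword $true `
    -PasswordNeverExpires $true `
    -Enabled $true `
    -Description 'Service account for the ERP system (least privilege: no admin group membership)'

# Global security group that will contain only the service user accounts
New-ADGroup -Name 'Service account' `
    -SamAccountName 'ServiceAccount' `
    -GroupScope Global `
    -GroupCategory Security `
    -Path $ouPath `
    -Description 'Contains the organization service accounts'

# Equivalent of the Member Of tab: add the account to the group
Add-ADGroupMember -Identity 'ServiceAccount' -Members $svcName

# Least-privilege check: the account should belong only to Domain Users and Service account,
# never to Domain Admins or other privileged groups
Get-ADPrincipalGroupMembership -Identity $svcName | Select-Object Name, GroupScope
```

Where Windows Server 2012 or later domain controllers are available, a group Managed Service Account avoids the static non-expiring password entirely.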
Domain User Accounts
In order for users to access the organizational system in accordance with their privileges, domain
accounts must be created. Account templates will be used when creating user accounts.
User Account Password Policies
Policies are enforced for proper and efficient management of the users in the running system.
The following policies are the user account management policies:
i. Password complexity requirement – must contain at least uppercase letters and numbers, and must
not contain symbols.
ii. Password history – not to use the same password as the previous one.
iii. Maximum password age – 2 months
iv. Minimum password age – 10 days
v. Minimum password length – at least 8 characters
vi. Account lockout – 5 wrong attempts
vii. Account lockout threshold – after the account lockout threshold is reached, the user will have
to wait 30 minutes before another attempt
Organizational Unit structure
OUs act as containers within AD DS, allowing administrators to organize Active Directory objects in a
logical way that makes those objects easier to administer and manage. They are useful for delegation of
administration and application of group policy. Organizational units will be created for the
departments of each organization to reflect the functional structure. Each OU contains the users,
computers, global security groups, and resources of the respective department.
ABC
There are OUs for IT, Sales, HR, Finance, and Management in the ABC.com domain. The Addis
AbebaIT, AdamaIT, BishoftuIT, and KombolchaIT OUs are the child OUs of the IT OU.
The Addis AbebaSales, AdamaSales, BishoftuSales, and KombolchaSales child OUs are all part
of the Sales OU. The servers of the Addis Ababa, Adama, Bishoftu, and Kombolcha sites are situated in
the corresponding Addis Ababa, Adama, Bishoftu, and Kombolcha OUs. Creating, deleting, and
managing user and group accounts, changing group membership, and resetting user passwords are all
responsibilities of the ABC IT OU. The Friends Addis Abeba OU is responsible for managing
group policy links and Active Directory objects, including user, group, computer, OU, site, and
trusted domain objects.
XYZ
IT and HR OUs are present in the XYZ.org domain. The IT OU is in charge of maintaining user
and group accounts, changing group membership, and resetting user passwords. It also holds the
organization's servers. Group policy links and Active Directory objects, such as user, group, and
computer objects, are also managed by it.
HiLCoE.edu
The domain HiLCoE.edu has OUs for IT, Sales, and HR. The IT OU is in charge of maintaining
user and group accounts, changing group membership, resetting user passwords, and holding the
organization's servers. Group policy links and Active Directory objects, such as user, group, and
computer objects, are also managed by it.
Group Policy
Password and Account Lockout Policy
A password is often used to secure and authorize user accounts. Passwords are regulated through
the customization of password policy settings, which may include mandating users to update their
passwords frequently, defining a minimum length for passwords, and imposing complexity
standards on passwords. For each domain, the following password and account lockout policy
settings are in effect:
• Enforce password history = 5
• Maximum password age = 30 days
• Minimum password age = 5 days
• Minimum password length = 8 characters
• Account lockout threshold = 4
• Account lockout duration = 20 min
• Reset account lockout counter after = 20 min
• Store passwords by using reversible encryption = Disabled
✓ Password complexity:
• Contains a combination of at least three of the following character types: uppercase
letters, lowercase letters, numbers, and symbols (punctuation marks).
• Does not contain the user’s user name or screen name.
For the IT OUs in the ABC.com, XYZ.org, and HiLCoE.edu domains, the above password and account
policy is applied as the IT_Password_Policy group policy object with the following modifications:
• Maximum password age = 30 days
• Minimum password age = 5 days
• Minimum password length = 8 characters
• Account lockout threshold = 4
• Account lockout duration = 20 min
• Reset account lockout counter after = 20 min
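Added example, not from the assignment: the domain-wide settings listed above applied with Set-ADDefaultDomainPasswordPolicy, and IT_Password_Policy applied as a fine-grained password policy (a Password Settings Object) rather than as a GPO linked to the IT OUs, because password and lockout settings for domain accounts are only honoured from a GPO linked at the domain level. It assumes a global group IT_Staff holding the users of the IT OUs and a user jdoe for the final check.

```powershell
Import-Module ActiveDirectory

# Password and lockout values from the design above, reused for both policies
$policy = @{
    PasswordHistoryCount        = 5
    MaxPasswordAge              = New-TimeSpan -Days 30
    MinPasswordAge              = New-TimeSpan -Days 5
    MinPasswordLength           = 8
    LockoutThreshold            = 4
    LockoutDuration             = New-TimeSpan -Minutes 20
    LockoutObservationWindow    = New-TimeSpan -Minutes 20
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
}

# Domain-wide policy for ABC.com (repeat with -Server for XYZ.org and HiLCoE.edu).
# The PDC emulator re-applies the domain-linked GPO, so keep the Default Domain Policy
# GPO consistent with these values if it defines them.
Set-ADDefaultDomainPasswordPolicy -Identity 'ABC.com' @policy

# IT_Password_Policy as a Password Settings Object. The design lists the same values
# for IT; any stricter IT-only settings belong here. When a user is covered by several
# PSOs, the lowest Precedence wins.
New-ADFineGrainedPasswordPolicy -Name 'IT_Password_Policy' `
    -Precedence 10 `
    -ProtectedFromAccidentalDeletion $true `
    @policy

# PSOs apply to users and global security groups, not to OUs:
# IT_Staff (assumed) is the global group holding the members of the IT OUs
Add-ADFineGrainedPasswordPolicySubject -Identity 'IT_Password_Policy' -Subjects 'IT_Staff'

# Check which policy actually governs a given account (assumed user jdoe):
# the result should be IT_Password_Policy for IT staff and the domain policy for everyone else
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, MinPasswordLength, MaxPasswordAge, LockoutThreshold
```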
Delegation of Administration
• Manage groups, manage user accounts
• Reset password
• Control group policy
• Force password change at next login and reset password
• Manage, create, and remove user accounts
• Modify a group's membership