School of Computer Science and Technology
Network Administration (CS465)
Group Assignment 1

Members of the Group with ID No.
• Abrham Daniel - RW2073
• Adil Abas - BH2555
• Alazar Samuel - UL4233
• Amanuael Estifanos - FA1583
• Amanuel Sisay - OB7430
• Ananya Girma - KX4420
• Bisrat Asfaw - OU3676
• Biniyam Mengistu - ZW0362
• Esrom Tesfaye - NG8384

Submitted to: Inst. Taye Abdulkadir
September 18, 2022

Introduction

This document is a design and administration plan for the mission-critical systems of an organization called ABC.com, which has a sister company, XYZ.org, and is about to acquire a new organization, HiLCoE.edu. ABC.com has a central data center in Addis Ababa and field offices in three other cities in the country. XYZ has its own organization name and organizational structure, and its headquarters in Addis Ababa are separate from those of ABC. HiLCoE.edu needs to establish a trust relationship with ABC so that the administrators of ABC can provide efficient file sharing and access to the companies' ERP system.

Proposed General Structure of the Organization

The ABC domain has three branch sites, with offices at Adama, Bishoftu and Kombolcha. The domain has four domain controllers, one at the headquarters and one at each of the three sites. The sites are connected to the headquarters across the ISP's public network (see Sites below); because directory replication and authentication traffic crosses that network, the links should be carried inside a site-to-site VPN. The namespace for the domain is ABC.com. The other domain, XYZ.org, has one domain controller and forms a second tree in the ABC forest. The new domain to be acquired, HiLCoE.edu, must be in a separate forest but must still be able to communicate with the ABC forest.

Detailed Implementation of the Structure

Installation of Domain Controllers

Twelve domain controllers will be deployed in total, two at each location: the ABC.com headquarters and its three sites, the XYZ.org headquarters and HiLCoE.edu. This gives every domain and both forests redundant controllers, and at least one of them is a global catalog. Redundancy is required because, in the event of a server failure, the second controller at that location continues to service the domain. In practice one of the two controllers at each branch should also be a global catalog, so that logons at a branch do not depend on the WAN link to Addis Ababa.
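As an added example (not part of the original assignment), the following PowerShell script builds the site topology that the Sites section below describes and then promotes the member server at Adama as an additional domain controller of ABC.com placed directly in its site. Part 1 uses the *-ADReplication* cmdlets of the Windows Server 2012 or later RSAT, which is assumed to be installed on the administrator's workstation (the 2008 R2 module lacks them; they manage 2008 R2 domain controllers through AD Web Services). The HQ subnet 164.100.1.0/24, the HQ domain controller at 164.100.1.10, the Adama server's address 164.100.2.10 and its NIC name "Local Area Connection" are assumptions, not values from the report.

```powershell
# Added example, not from the original report. Part 1: site topology (run once
# on any DC as Enterprise Admin). Part 2: promote the Adama server (run there
# as Domain Admin). Assumed values are marked below.
Import-Module ActiveDirectory

# ---- Part 1: sites, subnets, site links ------------------------------------
$configNC = (Get-ADRootDSE).configurationNamingContext
# The headquarters keeps the default site, renamed to something meaningful
Rename-ADObject -Identity "CN=Default-First-Site-Name,CN=Sites,$configNC" -NewName 'AddisAbaba'

$subnets = @{
    'AddisAbaba' = '164.100.1.0/24'   # assumed HQ subnet
    'Adama'      = '164.100.2.0/24'
    'Bishoftu'   = '164.100.3.0/24'
    'Kombolcha'  = '164.100.4.0/24'
}
foreach ($site in $subnets.Keys) {
    if ($site -ne 'AddisAbaba') { New-ADReplicationSite -Name $site }
    # Clients and DCs are mapped to a site by subnet, so every subnet must be listed
    New-ADReplicationSubnet -Name $subnets[$site] -Site $site
    # "Protect object from accidental deletion" on the site object
    Set-ADObject -Identity "CN=$site,CN=Sites,$configNC" -ProtectedFromAccidentalDeletion $true
}
# Hub and spoke: one IP site link from each branch to HQ, replicating every 15 minutes
foreach ($branch in 'Adama', 'Bishoftu', 'Kombolcha') {
    New-ADReplicationSiteLink -Name "AddisAbaba-$branch" -SitesIncluded 'AddisAbaba', $branch `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}
# The catch-all default link would otherwise keep every site connected to every other
Remove-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Confirm:$false

# ---- Part 2: promote the Adama member server --------------------------------
$nic = 'Local Area Connection'   # assumed NIC name
# Prerequisites: a static address, and DNS pointing at an existing DC so the
# server can locate the domain (its own DNS role is added during promotion)
netsh interface ip set address "$nic" static 164.100.2.10 255.255.255.0 164.100.2.1
netsh interface ip set dns "$nic" static 164.100.1.10

$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password'
$file = 'C:\dcpromo-adama.txt'
# dcpromo unattend file for an additional DC (replica) of ABC.com in site Adama;
# ConfirmGc=Yes makes it a global catalog as well
@"
[DCINSTALL]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=ABC.com
SiteName=Adama
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=ABC.com
UserName=Administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@ | Set-Content -Path $file -Encoding Ascii

dcpromo "/unattend:$file"    # Password=* makes dcpromo prompt for the admin password
Remove-Item $file -Force     # the file holds the DSRM password in clear text
Restart-Computer
```

The site links are created before the promotion so that the new controller's SiteName is valid and its connection objects are generated for the Adama to AddisAbaba link rather than for DEFAULTIPSITELINK. The answer file is deleted immediately after dcpromo returns and the reboot is issued by the script, because leaving RebootOnCompletion=Yes would reboot before the clear-text DSRM password could be removed from disk.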
Windows Server 2008 R2 powers every domain controller. (Extended support for Windows Server 2008 R2 ended on 14 January 2020, so a production deployment should use a supported release; the procedure is otherwise the same.) The following prerequisites must be met before a server can be promoted to a domain controller:
• A static IP address on the server.
• A working DNS infrastructure (the first domain controller can host the DNS zone itself).
• The account performing the first promotion must be a member of the local Administrators group on that server; promoting additional controllers requires Domain Admins, and creating a new domain or tree requires Enterprise Admins.
• Run dcpromo to promote the server to a domain controller.

Sites

A site is a model of a physical network, or of a collection of well-connected networks. As mentioned above, the field offices must be linked to Addis Ababa. Per the requirements we will have three branch sites, Adama, Bishoftu and Kombolcha, in addition to the headquarters. Using the Active Directory Sites and Services tool we will create the sites and associate each of them with its network subnet:

Site        Subnet            Namespace
Adama       164.100.2.0/24    Adama.ABC.com
Bishoftu    164.100.3.0/24    Bishoftu.ABC.com
Kombolcha   164.100.4.0/24    Kombolcha.ABC.com

(The Namespace column is a naming label only: a site has no DNS namespace of its own, and all three sites remain part of the single ABC.com domain rather than becoming child domains.)

A domain controller will be installed at each location. Each site object will have "Protect object from accidental deletion" enabled, so that a site cannot be removed by mistake. Intersite replication will keep the domain controllers at the three sites and the headquarters synchronized, and the network infrastructure provided by the ISP will carry the traffic between the sites.

Trust

There shall be a trust relationship between ABC and HiLCoE for the ERP system and file sharing. Two kinds of trust are involved. Between the ABC.com and XYZ.org domains, which are trees in the same forest, a tree-root trust is required; Active Directory creates this trust automatically when the second tree is added. Between the ABC forest and the HiLCoE forest, a forest trust is necessary. This trust must be created manually by an administrator, its direction must be two-way, and the outgoing trust authentication level must be selected. With selective authentication, HiLCoE users can only authenticate to those ABC servers on which an ABC administrator has explicitly granted them the "Allowed to Authenticate" permission, so the trust is limited to the duties the administrator selects (the ERP and file servers). SID filtering, which Windows enables by default on a forest trust, should be left on so that SIDs from the HiLCoE forest cannot claim membership in ABC groups.

Service Account

A service account is the identity under which a service the system offers is run.
This is accomplished by creating a separate service account for each service the system exposes, so that each service runs under its own identity. Each service account is granted the fewest privileges the service needs. When creating a service account in the New User wizard, tick "User cannot change password" and make sure "Password never expires" is also set. Then create the group that will hold the service accounts: its name is Service Accounts, and its global scope and security type mean that it can contain only user accounts from this domain. Finally, add the group to the account on the account's Member Of tab. Because the password never expires, it must be long and random and never typed by a person; the Service Accounts group should also be denied interactive and Remote Desktop logon through Group Policy, and where the service supports it a managed service account (New-ADServiceAccount on Windows Server 2008 R2) is preferable, since Windows then rotates the password automatically.

Domain User Accounts

Domain user accounts must be created so that users can access the organization's systems according to their privileges. Account templates will be used when creating user accounts: a template user with the group memberships, logon hours and profile settings of a department is created once, and new accounts for that department are created by copying it.

User Account Password Policies

Policies are enforced for proper and efficient management of users in the running system. The following are the user account management policies:
i. Password complexity requirement: passwords must contain at least uppercase letters and numbers. (The Windows complexity setting cannot forbid symbols; it requires three of the four character classes, as specified in the Group Policy section below, and symbols should be allowed.)
ii. Password history: the previous password may not be reused.
iii. Maximum password age: 2 months.
iv. Minimum password age: 10 days.
v. Minimum password length: at least 8 characters.
vi. Account lockout threshold: 5 invalid attempts.
vii. Account lockout duration: once the threshold is reached, the user must wait 30 minutes before another attempt.
The values actually enforced through Group Policy are listed in the Group Policy section below.

Organizational Unit Structure

OUs act as containers within AD DS, allowing Active Directory objects to be organized logically so that they are easier to administer and manage. They are useful for delegation of administration and for applying Group Policy. Organizational units will be created per department of each organization to reflect its functional structure.
Each OU contains the users, computers, security global groups and resources of the respective department.

ABC

The ABC.com domain has OUs for IT, Sales, HR, Finance and Management. The IT OU has the child OUs AddisAbabaIT, AdamaIT, BishoftuIT and KombolchaIT, and the Sales OU has the child OUs AddisAbabaSales, AdamaSales, BishoftuSales and KombolchaSales. The servers of the Addis Ababa, Adama, Bishoftu and Kombolcha sites are placed in the corresponding Addis Ababa, Adama, Bishoftu and Kombolcha OUs. The ABC IT OU is responsible for creating, deleting and managing user and group accounts, changing group membership and resetting user passwords. The Friends Addis Abeba OU is responsible for managing Group Policy links and Active Directory objects, including user, group, computer, OU, site and trusted-domain objects.

XYZ.org

The XYZ.org domain has IT and HR OUs. The IT OU is in charge of maintaining user and group accounts, changing group membership and resetting user passwords, and it also holds the organization's servers. Group Policy links and Active Directory objects such as user, group and computer objects are also managed from it.

HiLCoE.edu

The HiLCoE.edu domain has OUs for IT, Sales and HR. The IT OU is in charge of maintaining user and group accounts, changing group membership and resetting user passwords, and it holds the organization's servers. Group Policy links and Active Directory objects such as user, group and computer objects are also managed from it.

Group Policy

Password and Account Lockout Policy

A password is the usual means of securing and authorizing a user account. Passwords are regulated through password policy settings, which may include requiring users to change their passwords regularly, defining a minimum password length, and imposing complexity requirements.
For each domain, the following password and account lockout policy settings are in effect:
• Enforce password history = 5 passwords remembered
• Maximum password age = 30 days
• Minimum password age = 5 days
• Minimum password length = 8 characters
• Account lockout threshold = 4 invalid logon attempts
• Account lockout duration = 20 minutes
• Reset account lockout counter after = 20 minutes
• Store passwords using reversible encryption = Disabled
• Password must meet complexity requirements = Enabled, which means the password:
  - contains characters from at least three of the four classes: uppercase letters, lowercase letters, digits and symbols (punctuation marks);
  - does not contain the user's account name or display name.

For the IT OUs in the ABC.com, XYZ.org and HiLCoE.edu domains, the same password and account policy is to be applied as the IT_Password_Policy Group Policy object with the following settings:
• Maximum password age = 30 days
• Minimum password age = 5 days
• Minimum password length = 8 characters
• Account lockout threshold = 4 invalid logon attempts
• Account lockout duration = 20 minutes
• Reset account lockout counter after = 20 minutes

Two points need care here. First, password and lockout settings in a GPO only take effect when the GPO is linked at the domain level (the Default Domain Policy); a GPO linked to an IT OU does not change the password policy of the accounts in that OU. A separate policy for IT staff therefore has to be defined as a fine-grained password policy (a Password Settings Object) applied to the IT security group, which requires the Windows Server 2008 domain functional level. Second, as listed, the IT values are identical to the domain values, so the IT policy changes nothing until at least one value (for example the minimum length) is tightened.

Delegation of Administration

The following tasks are delegated to the IT group of each OU, through the Delegation of Control wizard or the object ACLs:
• Create, remove and manage user accounts and groups
• Reset passwords and force a password change at next logon
• Modify a group's membership
• Control Group Policy (manage Group Policy links on the OU)
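As an added example for the Trust section (not part of the original assignment), the following PowerShell creates the ABC side of the two-way forest trust with HiLCoE, turns on selective authentication, confirms SID filtering and then grants one HiLCoE group the "Allowed to Authenticate" permission on the ERP server. It uses the System.DirectoryServices.ActiveDirectory classes that ship with Windows Server 2008 R2, so no extra module is needed. The forest names abc.com and hilcoe.edu, the group name HILCOE\ERP-Users and the server object CN=ERP01,OU=AddisAbaba,DC=abc,DC=com are assumptions; the same script, with $partnerForest set to abc.com, is run by a HiLCoE Enterprise Admin to create the other half.

```powershell
# Added example, not from the original report: two-way forest trust between
# ABC and HiLCoE with selective authentication. Run in each forest by an
# Enterprise Admin; both sides must use the same one-time trust password.
Add-Type -AssemblyName System.DirectoryServices
$partnerForest = 'hilcoe.edu'   # assumed; set to 'abc.com' when run in HiLCoE
$direction     = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$trustPassword = Read-Host -Prompt 'One-time trust password (same value in both forests)'

# Create only this forest's side; the partner forest creates its own side.
$forest.CreateLocalSideOfTrustRelationship($partnerForest, $direction, $trustPassword)

# Selective authentication: users from the partner forest can authenticate only
# to computers on which they hold the "Allowed to Authenticate" permission.
$forest.SetSelectiveAuthenticationStatus($partnerForest, $true)

# SID filtering (quarantine) is on by default for forest trusts; make sure it
# stays on so SIDs in the partner's tokens cannot impersonate ABC groups.
if (-not $forest.GetSidFilteringStatus($partnerForest)) {
    $forest.SetSidFilteringStatus($partnerForest, $true)
}

# Once both halves exist this succeeds; it throws while the partner side is missing.
$forest.VerifyTrustRelationship($partnerForest, $direction)
$forest.GetTrustRelationship($partnerForest) | Format-List SourceName, TargetName, TrustDirection, TrustType

# ABC side only: let the ERP users from HiLCoE authenticate to the ERP server.
# Grant the control-access right on the server's computer object (assumed DN and group).
dsacls 'CN=ERP01,OU=AddisAbaba,DC=abc,DC=com' /G 'HILCOE\ERP-Users:CA;Allowed to Authenticate'
```

Without the last step, selective authentication denies every HiLCoE logon to ABC computers, which is the intended default: access is added per server and per group, matching the statement above that the trust serves only the duties the administrator selects.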
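As an added example for the Service Account section (not part of the original assignment), the following PowerShell creates a service account with the two checkbox settings the section requires, the global security group Service Accounts, and the group membership, and then shows the managed service account alternative that Windows Server 2008 R2 offers. It requires the ActiveDirectory module of RSAT. The OU ServiceAccounts, the account name svc-erp, the managed account name msa-erp and the ERP host ERP01 are assumptions.

```powershell
# Added example, not from the original report: least-privilege service
# account for the ERP service in abc.com. Assumed names: OU ServiceAccounts,
# user svc-erp, MSA msa-erp, host ERP01.
Import-Module ActiveDirectory
$ou = 'OU=ServiceAccounts,DC=abc,DC=com'
New-ADOrganizationalUnit -Name 'ServiceAccounts' -Path 'DC=abc,DC=com' -ProtectedFromAccidentalDeletion $true

# The account never changes its password, so generate a long random one that
# no person needs to know (32 characters, at least 8 non-alphanumeric).
Add-Type -AssemblyName System.Web
$password = [System.Web.Security.Membership]::GeneratePassword(32, 8)

# "User cannot change password" and "Password never expires", as in the wizard
New-ADUser -Name 'svc-erp' -SamAccountName 'svc-erp' -UserPrincipalName 'svc-erp@abc.com' `
    -Path $ou -Description 'ERP application service; runs only on ERP01' `
    -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) `
    -CannotChangePassword $true -PasswordNeverExpires $true -Enabled $true

# Group that collects every service account: global scope, security type,
# so it can be used in "Deny log on locally" / "Deny log on through RDS" GPOs
New-ADGroup -Name 'Service Accounts' -SamAccountName 'ServiceAccounts' `
    -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'ServiceAccounts' -Members 'svc-erp'

# Review: the account must not end up in any privileged group
Get-ADPrincipalGroupMembership -Identity 'svc-erp' | Select-Object -ExpandProperty Name

# Preferred where the service supports it: a managed service account, whose
# password Windows rotates automatically, so no never-expires flag is needed.
New-ADServiceAccount -Name 'msa-erp' -Path $ou -Enabled $true
Add-ADComputerServiceAccount -Identity 'ERP01' -ServiceAccount 'msa-erp'
# Then, on ERP01 itself:  Install-ADServiceAccount -Identity 'msa-erp'
# and configure the ERP service to log on as ABC\msa-erp$ with a blank password.
```

The generated password is used once, when the account is created, and is not stored anywhere; if the service must be reconfigured the password is simply reset. Granting svc-erp only the "Log on as a service" right on ERP01, and denying it interactive logon everywhere through the Service Accounts group, is what makes the account least-privilege rather than just a user with a long password.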
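As an added example covering the Organizational Unit Structure, Group Policy and Delegation of Administration sections (not part of the original assignment), the following PowerShell builds the ABC.com OU tree, delegates the listed tasks to an IT administrators group on the department OUs with dsacls, and applies the password policy values given above: the domain-wide values on the domain and the IT values as a fine-grained password policy on the IT group, since a GPO linked to an OU cannot change password settings. The group name ABC-IT-Admins, the sample user jdoe, and the Windows Server 2008 domain functional level (required for fine-grained password policies) are assumptions; the tightened minimum length for IT is an illustrative value, not one from the report.

```powershell
# Added example, not from the original report: ABC.com OU tree, delegation
# and password policy. Assumed: group ABC-IT-Admins, sample user jdoe,
# domain functional level Windows Server 2008.
Import-Module ActiveDirectory
$domain = 'DC=abc,DC=com'
$sites  = 'AddisAbaba', 'Adama', 'Bishoftu', 'Kombolcha'

# 1. Department OUs, per-site children under IT and Sales, and a server OU per site
foreach ($dept in 'IT', 'Sales', 'HR', 'Finance', 'Management') {
    New-ADOrganizationalUnit -Name $dept -Path $domain -ProtectedFromAccidentalDeletion $true
}
foreach ($site in $sites) {
    New-ADOrganizationalUnit -Name "${site}IT"    -Path "OU=IT,$domain"
    New-ADOrganizationalUnit -Name "${site}Sales" -Path "OU=Sales,$domain"
    New-ADOrganizationalUnit -Name $site          -Path $domain    # servers of that site
}

# 2. Delegation to a group, never to individual users, on each department OU.
#    /I:T = this OU and everything below it; /I:S = child objects only.
New-ADGroup -Name 'ABC-IT-Admins' -GroupScope Global -GroupCategory Security -Path "OU=IT,$domain"
$grantee = 'ABC\ABC-IT-Admins'
foreach ($dept in 'Sales', 'HR', 'Finance', 'Management') {
    $target = "OU=$dept,$domain"
    dsacls $target /I:T /G "${grantee}:CCDC;user"                 # create and delete user accounts
    dsacls $target /I:T /G "${grantee}:CCDC;group"                # create and delete groups
    dsacls $target /I:S /G "${grantee}:RPWP;;user"                # manage user account attributes
    dsacls $target /I:S /G "${grantee}:CA;Reset Password;user"    # reset passwords
    dsacls $target /I:S /G "${grantee}:WP;pwdLastSet;user"        # force change at next logon
    dsacls $target /I:S /G "${grantee}:WP;member;group"           # modify group membership
    dsacls $target /I:T /G "${grantee}:RPWP;gPLink"               # manage Group Policy links
    dsacls $target /I:T /G "${grantee}:RPWP;gPOptions"
}
dsacls "OU=Sales,$domain"    # print the resulting ACL for review

# 3. Password policy. Domain-wide values belong to the domain (set them in the
#    Default Domain Policy GPO too, or the PDC re-applies the GPO's values).
$policy = @{
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 5
    MaxPasswordAge              = '30.00:00:00'
    MinPasswordAge              = '5.00:00:00'
    MinPasswordLength           = 8
    LockoutThreshold            = 4
    LockoutDuration             = '00:20:00'
    LockoutObservationWindow    = '00:20:00'
    ReversibleEncryptionEnabled = $false
}
Set-ADDefaultDomainPasswordPolicy -Identity 'abc.com' @policy

# IT staff get a Password Settings Object applied to their group. The report's
# IT values equal the domain values; the longer minimum is an illustrative tightening.
$itPolicy = $policy.Clone()
$itPolicy.MinPasswordLength = 14   # illustrative, not a value from the report
New-ADFineGrainedPasswordPolicy -Name 'IT_Password_Policy' -Precedence 10 @itPolicy
Add-ADFineGrainedPasswordPolicySubject -Identity 'IT_Password_Policy' -Subjects 'ABC-IT-Admins'

# Check which policy a user actually receives (a PSO wins over the domain policy)
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'   # assumed sample user
```

Get-ADUserResultantPasswordPolicy is the check to run after linking a policy: for a member of ABC-IT-Admins it returns IT_Password_Policy, and for everyone else it returns nothing, meaning the domain policy applies. The same dsacls grants, with the HiLCoE.edu and XYZ.org distinguished names and their own IT groups, implement the delegation described for those domains.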