Test Project IT Network System Administration

Module B - Windows Environments

TP39_ASC2016_pre_EN
Submitted by:
Name : Mohamad Ropi Abdullah
Member Country : MY

ASC2016_TP39_EN

Version: 1.0
Date: 16.05.2015

1 of 11

OVERVIEW
1

MODULE B - WINDOWS ENVIRONMENTS ........................................................................... 3

1.1

CONTENTS ........................................................................................................................... 3

1.2

INTRODUCTION .................................................................................................................. 3

1.3

DESCRIPTION OF PROJECT AND TASKS.................................................................... 3

1.4

QUICK SPECIFICATIONS .................................................................................................. 4

1.5

PART 1 (SETUP SAOPAULO.LOCAL DOMAIN) ............................................................ 5

1.6

PART 2 (SETUP DIRECT ACCESS) ................................................................................ 8

1.7

PART 3 (MIGRATE DOMAIN RIO.LOCAL) ...................................................................... 9

INSTRUCTIONS ......................................................................................................................... 10
2.1

INSTRUCTIONS TO THE COMPETITOR ...................................................................... 10

2.2

EQUIPMENT, MACHINERY, INSTALLATIONS AND MATERIALS REQUIRED..... 10

NETWORK DIAGRAM ............................................................................................................... 11

ASC2016_TP39_EN

Version: 1.0
Date: 16.05.2015

2 of 11

1 Module B - Windows Environments

1.1 CONTENTS
This Test Project consists of the following document/file:
TP39_ASC2016_pre_EN_Module-B.docx

1.2 INTRODUCTION
The competition has a fixed start and finish time. You must decide how to best divide your time.

1.3 DESCRIPTION OF PROJECT AND TASKS

You have been hired as an external IT consultant by a Company called Skills39 located in Sao Paulo. In
July Skills39 took over another Company located in Rio.
Your job is to integrate and migrate the Company in Rio to Skills39. You have also to implement a
remote access solution for the sales people that they are able to connect to the companys network.
The Internet services are managed by an external provider. You are not able to modify these settings:
Service for public DHCP:
Range 143.25.0.150 143.25.0.200
Service for public DNS:
da.skills39.net 143.25.0.20
www.msftncsi.com 143.25.0.1
dns.msftncsi.com 131.107.255.255
Service for MSFTNCSI website:
http://www.msftncsi.com/ncsi.txt
this is used for simulate the Internet in a test environment!!!

ASC2016_TP39_EN

Version: 1.0
Date: 16.05.2015

3 of 11

1.4 QUICK SPECIFICATIONS

Internet
Remote Clients

03

Do
m

Domain Controller

Old Domain Controller

Windows Server 2003

Remote Access
Server

Wi

nd

ow

Wi

sS

nd

erv

ow

er

sS

20

erv

er

20

12

R2

ain
to
m

Do
m

ain

igr
ate

ISP

Clients

Clients

Domain: Rio.local

Domain: SaoPaulo.local

ASC2016_TP39_EN

New Domain Controller

Windows Server 2012 R2

Version: 1.0
Date: 16.05.2015

4 of 11

1.5 PART 1 (setup saopaulo.local domain)

NOTE: Please use the default configuration if you are not given the details

WorkTask S-DC Server

Setup the server with the settings specified in the diagram at the end of the document
Modify the default Firewall rules to allow ICMP (ping) traffic
Add an additional virtual hard drive (100MB) as D: drive

ActiveDirectory

Install and configure Active Directory Domain Service for SaoPaulo.local

Create the following global AD Groups:
o BRSP-SalesUser
o BRSP-MktUser
o BRSP-ITUser
o BRSP-HRUser
o BRSP-AcctUser
o BRSP-Visitor
o BRSP-Manager

Create the users by modifying the attached xlsx file and importing in Active Directory
o User Principal Names are defined by company policy to be logon@skills39.net
o All fields in the spreadsheet should be filled in for created user accounts
o All users should be enabled and the password should not be changed at first logon
o Add the users to the neccesary groups

DNS
Install and configure DNS Service
Create a forward zone called saopaulo.local
Create also a reverse zone for the internal subnet
Create static A records for all servers
Create CNAME for the NLS server

DHCP
Install and configure DHCP Service
Range 172.16.10.150 172.16.10.180/24 (Clients)
Default Gateway 172.16.10.1
DNS Server 172.16.10.10

PKI
Install and configure Certificate Service
Install only the Certificate Authority
Create a template for Clients AND Servers
o Name the template Client-Server authentication
o Publish the the template in Active Directory
o Set the subject name format to common name
Create also a template for Webservers

ASC2016_TP39_EN

Version: 1.0
Date: 16.05.2015

5 of 11

GPO
Install and configure Policy Management
Setup the following settings
o All users should receive a login banner that reads Welcome to Skill39. Only authorized
personnel allowed to access
Prohibit this message on all servers!!!
o Autoenrollment of the Client-Server authentication Certificate to all clients and servers
o Include the BRSP-ITUsers to the local Administrators group for all computers
o Disable the use of cmd and run for the BRSP-Visitor group
o Hide all local drives for the BRSP-Visitor group
o Create a fine grained password policy required 7 character non-complex passwords for
regular users, 8 characters complex password for members of the BRSP-ITUser group
o Users in SaoPaulo should have the Registry editing utilities restricted
o Members of BRSP-Sales group should have the ability to use the task manager restricted and
should not be able to access cmd.exe regardless of location

Fileservice
Configure user profiles, home drives and shared folders
Home folders
o Create a Homefolder for every user
o Local path on the server d:\users\homes\%username%
o Map the Homefolder automatically to drive H: \\S-DC.saopaulo.local\homes\%username%
o Set the quota for every homedrive folder to 20MB
Roaming profiles
o Local path on the server d:\users\profiles\%username%
o Create roaming profiles for all users \\S-DC.saopaulo.local\profiles\%username%
Department shares
o Local path on the server
d:\shares\HR
d:\shares\IT
d:\shares\Sales
d:\shares\Mkt
d:\shares\Acct
o All users should have READ access on other department shares (except ACCT), MODIFY for
their own departement and FULLCONTROL for documents they create
o Only the AcctUsers should be able to see and access the Acct share
o automatically map the department share (d:\shares) to drive S: \\SDC.saopaulo.local\department
o Prevent any .exe and .cmd files on the department shares
o Setup DFS between SaoPaulo (S-DC) and Rio (R-DC1) so document changes in one location are
reflected in the other
Use SKILLS39 as the root DFS namespace

ASC2016_TP39_EN

Version: 1.0
Date: 16.05.2015

6 of 11

WorkTask S-Client

Setup the client with the settings specified in the diagram at the end of the document
Modify the default Firewall rules to allow ICMP (ping) traffic
Set the local admin password to SaoPaulo15
Join the computer to the saopaulo.local domain
Set the power configuration so the client will never go to sleep while plugged in

ASC2016_TP39_EN

Version: 1.0
Date: 16.05.2015

7 of 11

1.6 PART 2 (setup Direct Access)

NOTE: Please use the default configuration if you are not given the details

WorkTask S-Edge Server

Setup the server with the settings specified in the diagram at the end of the document
Modify the default Firewall rules to allow ICMP (ping) traffic
This server is to operate as a Windows Server 2012 R2 CORE installation with no GUI

Install and configure Remote Access Service

Setup DirectAccess only
Create an Active Directory Group BRSP-DirectAccessClients and add all clients to this group
Configure this group for enabling DirectAccess clients
use S-DC.saopaulo.local as the Network Conectivity Assistant NCA
set DA Skills39 as the DirectAccess connection name
use da.skills39.net as the public name for DirectAccess Clients to connect
always use certificates from the Certificate Authority. Do NOT use self-signed certificates
use https://nls.saopaulo.local as the Network Location Server NLS

WorkTask S-Remote

connect the Client to the internal network

Setup the client with the settings specified in the diagram at the end of the document
Modify the default Firewall rules to allow ICMP (ping) traffic
Set the local admin password to SaoPaulo15
Join the computer to the saopaulo.local domain
Set the power configuration so the client will never go to sleep while plugged in

Connect the client to the Internet network

Client should automatically connect to the internal network with DirectAccess
Check the access to all internal ressources

ASC2016_TP39_EN

Version: 1.0
Date: 16.05.2015

8 of 11

1.7 PART 3 (migrate domain rio.local)

NOTE: Please use the default configuration if you are not given the details

WorkTask R-DC1 and R-DC2

Your task is to migrate rio.local forest on the same level than saopaulo.local.
At the end of the task the old server (R-DC2) should be shutted down.

Directory Services

Install a new domain controller (R-DC1)

Setup the server with the settings specified in the diagram at the end of the document
Raise domain- and forest functional levels to 2012 R2
Transfer all FSMO roles to new server
De-promote server 2003 from domain correctly and shut it down
Create conditional forward with saopaulo.local
Create two-way trust with saopaulo.local

DHCP services

Migrate all DHCP scopes to new server

Any leases or reservations may not disappear

File services

Move all old files from \\R-DC2\users$ to DFS-share \\rio39\users$

All Sharing or NTFS permissions should be same in the new share
Change users to access files directly from new server (Home-folder connection)
Setup DFS between Rio (R-DC1) and SaoPaulo (S-DC) so document changes in one location are
reflected in the other
o Use SKILLS39 as the root DFS namespace

Certificate services

Migrate Certificate Services from old to new server

All issued certificates should be still valid and old Certificate Authority works correctly

Web server

Migrate the website http://intra.rio.local to new server so it answers to the same URL
Authentication to intranet site should be changed from basic authentication to certificate based user
authentication

ASC2016_TP39_EN

Version: 1.0
Date: 16.05.2015

9 of 11

2 INSTRUCTIONS
2.1 INSTRUCTIONS TO THE COMPETITOR

Do not bring any materials with you to the competition.

Mobile phones are not to be used.
Do not disclose any competition material / information to any person during each days competition.
Read the whole competition script prior to you starting work.
Be aware different tasks attract a percentage of the overall mark. Plan your time carefully.

2.2 EQUIPMENT, MACHINERY, INSTALLATIONS AND MATERIALS

REQUIRED

Workstation

PC Processor Intel Core i7-3930K Extreme Edition 3.2 Ghz

16 GB RAM DDR3 - 1333 MHz
HD 500 GB SATA 7200 RPM
CD/DVD RW ROM
Ethernet 10/100/1000 RJ-45
USB 2.0 3.0
1x USB for local files if required
2x 22 inch monitors
1 Network Connection to ESXi server

Software on PC

VMWare Workstation (Trial version) (For connection to VMWare server with this interface)
Microsoft Office (In case project requires documentation)
Cisco Packet tracer (For Cisco Packet Tracer challenge on C4)

Software on ESXi Server

Windows 8.1 Enterprise ISO

Windows Server 2012 R2 ISO
Base system hosted VMs as built by development team These machines will be pre-connected to
existing virtual networks (vlans etc.) as required by development team and virtual networking
cannot be changed by competitor. Likewise, access to all other VMs on the Server will be restricted by
user account.
Any other iso files required by test project as identified by development team.

ASC2016_TP39_EN

Version: 1.0
Date: 16.05.2015

10 of

3 NETWORK DIAGRAM
Name:
S-Client.saopaulo.local
Operation System
Windows 8.1 Enterprise
Network Addresses
DHCP
Services:
?

S-Client

Name:
S-Edge.saopaulo.local
Operation System
Windows Server 2012 R2 CORE
Network Addresses
IP internal: 172.16.10.20
IP external: 143.25.0.20
Services:
- Direct Access
- IIS

Name:
S-DC.saopaulo.local
Operation System
Windows Server 2012 R2
Network Addresses
IP internal: 172.16.10.10
Services:
Active Directory
DNS
DHCP
Files
DFS
PKI
IIS
NLS for Direct Access

Name:
R-Client.rio.local
Operation System
Windows 8.1 Enterprise
Network Addresses
DHCP
Services:
?

R-Client

S-DC

Name:
R-DC1.rio.local
Operation System
Windows Server 2012 R2
Network Addresses
172.16.20.10
Services:
All services migrated from R-DC2
DFS

Name:
R-DC2.rio.local
Operation System
Windows Server 2003
(Installed and configured as DC)
Network Addresses
172.16.20.20
Services:
Active Directory
DNS
DHCP
PKI
Fileservice

ASC2016_TP39_EN

SaoPaulo.local
172.16.10.0/24
Hosted on ESX Environment

S-Edge

ISP

R-DC1

Name:
ISP
Operation System
Preconfigured Debian Server
Network Addresses
RIO: 172.16.20.1
SAOPAULO: 172.16.10.1
Internet: 143.25.0.1
Services:
DNS for Internet Network
DHCP for Internet Network
Routing
Firewall
Website NCSI

S-Remote

R-DC2

Rio.local
172.16.20.0/24
Hosted on Competitor Workstation

Name:
S-Remote.saopaulo.local
Operation System
Windows 8.1 Enterprise
Network Addresses
DHCP
Services:
Direct Access Client

Internet
143.25.0.0/24
Hosted on ESX Environment

Version: 1.0
Date: 16/05/2015

11 of 11