
Assignment front sheet

Qualification: Pearson BTEC HNC Diploma in Computing and Systems Development
Unit number, Unit Level, Unit Credit and Title: Unit 43: Networking Infrastructure
Student name: Sadaf Farooqi
Assessor name: Himanshu Bhatt
Date issued: 22 June 2015
Completion date: 27 June 2015
Submitted on: 10 July 2015
Assignment title: Understanding of networking infrastructures management (1 of 1)

In this assessment you will have the opportunity to present evidence that shows you are able to:

LO 1 - Understand the principles of network infrastructure management
  1.1  Evaluate current name resolution services (evidence: pages 6-8)
  1.2  Discuss the technologies that support network infrastructure management
  1.3  Discuss security resources available in network infrastructure management (evidence: page 10)
LO 2 - Be able to design complex network infrastructure systems
  2.1  Design a network infrastructure for a given networked environment (evidence: page 11)
  2.2  Evaluate addressing and deployment solutions for a given networked environment (evidence: page 12)
  2.3  Evaluate rights and security requirements for a given networked environment (evidence: pages 13-15)
LO 3 - Be able to implement complex network infrastructure systems
  3.1  Implement a network infrastructure based on a prepared design (evidence: pages 16-34)
LO 4 - Be able to test complex network infrastructure systems
  4.1  Critically review and test an implemented system (evidence: page 35)
  4.2  Evaluate system and user assurance of the implemented system (evidence: page 36)

Learner declaration

I certify that the work submitted for this assignment is my own and research sources are fully acknowledged.
Student signature:

Date: 10/07/2015

Achievement Summary

Qualification: Pearson BTEC HND Diploma in Computing and Systems Development
Unit number, Unit Level, Unit Credit and Title: Unit 43: Networking Infrastructure
Assessor name: Himanshu Bhatt
Student name: Sadaf Farooqi

Criteria Reference / To achieve the criteria the evidence must show that the student is able to: / Achieved (tick)
LO 1
  1.1  Evaluate current name resolution services
  1.2  Discuss the technologies that support network infrastructure management
  1.3  Discuss security resources available in network infrastructure management
LO 2
  2.1  Design a network infrastructure for a given networked environment
  2.2  Evaluate addressing and deployment solutions for a given networked environment
  2.3  Evaluate rights and security requirements for a given networked environment
LO 3
  3.1  Implement a network infrastructure based on a prepared design
LO 4
  4.1  Critically review and test an implemented system
  4.2  Evaluate system and user assurance of the implemented system

Higher Grade achievements (where applicable)

Grade descriptor / Achieved? (tick)
  M1: Identify and apply strategies to find appropriate solutions
  M2: Select / design and apply appropriate methods / techniques
  M3: Present and communicate appropriate findings
Grade descriptor / Achieved? (tick)
  D1: Use critical reflection to evaluate own work and justify valid conclusions
  D2: Take responsibility for managing and organising activities
  D3: Demonstrate convergent/ lateral/ creative thinking
Assignment Feedback

Formative Feedback: Assessor to Student
Action Plan
Summative feedback
Feedback: Student to Assessor

Assessor Signature:            Date:
Student Signature:             Date: 10 July 2015

Evidence checklist

Task      Summary of evidence required by student                                         Evidence presented
Task 1.1  Evaluate current name resolution services                                        6-8
Task 1.2  Discuss the technologies that support network infrastructure management
Task 1.3  Discuss security resources available in network infrastructure management        10
Task 2.1  Design a network infrastructure for a given networked environment                11
Task 2.2  Evaluate addressing and deployment solutions for a given networked environment   12
Task 2.3  Evaluate rights and security requirements for a given networked environment      13 - 15
Task 3.1  Implement a network infrastructure based on a prepared design                    16 - 34
Task 4.1  Critically review and test an implemented system                                 35
Task 4.2  Evaluate system and user assurance of the implemented system                     36
Task 5    Make a critical evaluation of own performance                                    37

Contents

Task 1:                                                        6
  1.1  Evaluating Name Resolution Services                     6
  1.2  Network Infrastructure Management Technologies          9
  1.3  Network Infrastructure Management Security Resources   10
Task 2:                                                       11
  2.1  Designing a Network Infrastructure                     11
  2.2  Evaluating the Network Design                          12
  2.3  Evaluating Rights and Security Requirements            13
Task 3:                                                       16
  3.1  Implementing the Network Infrastructure                16
Task 4:                                                       35
  4.1  Testing the Network Infrastructure                     35
  4.2  Evaluating User and System Assurance                   36
Task 5:                                                       37
References:                                                   37

Task 1:
The term Network Infrastructure refers to an interconnected group of computer systems configured and set up in a specific architecture. A complete Network Infrastructure comprises individual networked computers, cables, switches, routers, wireless access points, backbones and network access methodologies.
Corporate intranets are similar to the global Internet but operate only on closed network infrastructures, i.e. they are accessible only to those within them. This kind of infrastructure relies on central data storage and consists of computers known as servers, Ethernet cabling, routers and switches, as well as the computer systems with access to the central storage. Aside from a suitable hardware architecture, network infrastructures also require software components in order to be functional.

Figure 1: Network Infrastructure

1.1 Evaluating Name Resolution Services

Among the services most prominent in handling Network Infrastructures is a set of rules known as Internet Protocols, which govern the format in which data is transferred over the Internet and within networks. The most common Internet Protocol utilized by nearly every Networking Infrastructure is DNS, the Domain Name Service. This is the primary service responsible for locating and translating Internet Domain Names into IP Addresses. The DNS service automatically converts the names typed into the Web browser into the IP addresses of the corresponding Web Site servers. The service utilizes a distributed database for storing the name and address information of all public hosts on the Internet, making it easier for users to connect to various websites.
DNS services also provide support for caching requests and for redundancy. It is not uncommon to find Operating Systems configured with Primary, Secondary and Tertiary DNS Servers to allow redundancy. The service itself operates on a client/server architecture: the computers on which the service has been installed operate as the Servers, and the Clients are the PCs and additional networking devices accessing the server.
DNS Clients wanting to use the service are required to have the service configured on their network. DNS Servers are mostly assigned static IP Addresses, making it easier for clients to reach the servers for queries. Aside from being the primary method of looking up websites, DNS is also used for:

- Locating the correct servers for delivering Internet Email.
- Reverse lookups that allow IP Addresses to be converted back to Domain Names.
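The two lookups listed above, a forward A query and a reverse PTR query, are shown below at the wire level (RFC 1035 message format) in an added example that is not part of the original assignment. The host name, the address 192.0.2.10 and the server responses are constructed offline samples, not captured traffic.

```python
import struct

QTYPE = {"A": 1, "PTR": 12}


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def reverse_name(ip: str) -> str:
    """Owner name used for a reverse lookup: 192.0.2.10 -> 10.2.0.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Header (id, flags with RD=1, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            hops += 1
            if hops > 16:  # refuse pointer loops in malformed or hostile replies
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(msg: bytes):
    """Return [(owner, type, ttl, value)] for every record in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # non-zero RCODE: the server reported an error (e.g. NXDOMAIN)
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE["A"]:
            value = ".".join(str(b) for b in msg[offset:offset + rdlen])
        elif rtype == QTYPE["PTR"]:
            value, _ = decode_name(msg, offset)
        else:
            value = msg[offset:offset + rdlen].hex()
        offset += rdlen
        answers.append((owner, rtype, ttl, value))
    return answers


def constructed_a_response() -> bytes:
    """Constructed reply to the forward query; the answer owner is a pointer to offset 12."""
    q = build_query("www.example.com", "A")
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + q[12:] + answer


def constructed_ptr_response() -> bytes:
    """Constructed reply to the reverse lookup of 192.0.2.10."""
    q = build_query(reverse_name("192.0.2.10"), "PTR")
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    target = encode_name("www.example.com")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 12, 1, 300, len(target)) + target
    return header + q[12:] + answer


if __name__ == "__main__":
    print(parse_response(constructed_a_response()))
    print(parse_response(constructed_ptr_response()))
```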

While Internet Protocols such as DNS handle the communication and requests sent over and within the network, it is also necessary to have internal tools for centralizing and managing access to the various resources on the network. Directory Services are deployed by most organizations as the preferred method of centralizing network information. Different vendors offer different Directory Services, with Windows Active Directory being the most commonly deployed in smaller organizations. However, Novell's eDirectory, a service software used for managing internal and Web-based relationships, is more commonly utilized by corporate giants as their preferred centralizing agent. eDirectory utilizes dynamic rights inheritance which
Aside from providing centralized management, eDirectory can also be used as a Web Service that can be accessed by internal and external users through authenticated logons. However, both Active Directory and eDirectory have a lot more to offer aside from added access to Web Services. The major differences between the two can be seen below:

Manageability
  Windows Active Directory: Offers straightforward and expandable management consoles, providing greater coverage over an organization's infrastructure.
  Novell eDirectory: Offers various tools for ease of management across various platforms.
Scalability
  Windows Active Directory: Multi-master model that allows multiple directory servers to host the same directory; however, Windows FSMO roles lead to limited management functionality in the event of master failures.
  Novell eDirectory: Also offers a multi-master model, with the noted difference that only certified employees are allowed to perform major tasks such as schema updates, and all on a single dedicated server.
Security
  Windows Active Directory: Both services have a similar-sized attack surface that can be reduced through proper directory implementation. Active Directory offers Group Policy for the management of the network's clients; however, it is only applicable to Windows Clients.
  Novell eDirectory: eDirectory's ZENworks Suite also offers client/desktop management; however, Novell's security tools are capable of monitoring and administering clients across various other platforms as well.
Compatibility
  Windows Active Directory: While Active Directory can only be installed on a Windows OS, it does offer endpoint-to-endpoint solutions that allow for the easy installation of the OS and its services across various devices.
  Novell eDirectory: Novell is known for its multi-platform support, with eDirectory packages available for nearly every known platform. However, it is because of this that many users prefer to go cross-platform instead of utilizing Novell's own endpoint-to-endpoint solutions.
Reliability
  Windows Active Directory: While Windows may not be able to catch up to Novell's uptime reputation, Windows offers an array of Service Packs, hotfixes and patches to handle any downtime.
  Novell eDirectory: Installing Novell's eDirectory on a Novell NetWare Server is considered to be highly reliable, with barely any downtime recorded.

Additional management concerns faced by any Networking Infrastructure include the management of users, resources and the access rights to either of them. Different Operating Systems deal with these concerns through different tools. Windows Server OS offers a variety of features to tackle each issue separately. The tasks handled by these features can be seen below:
Resource Management
Infrastructure Resource Management is the collective term utilized by large IT corporations when referring to the practices, tools and procedures used in the management of their vast resource pools. Large IT operations such as Data Centres require high-end resource management to address effective resource usage in delivering the established level of services and functionality.
However, smaller organizations such as Company A do not require such extensive management methods and can make do with the features bundled with the Operating System running on the network. A noted example would be the Windows System Resource Manager or WSRM; it enables the allocation of resources such as CPU and memory based on task priorities. Administrators have the right to set limits on the amount of hardware resources that users and running applications are allowed to use. WSRM is also capable of allocating resources among the multiple applications running within the network, applying calendar rules to different policies for delegating resources, collecting and analysing daily resource usage data, as well as automatically selecting resource policies based on server properties and events.
User Management
Securing a network from the outside may seem like the most important task in building a network; however, it is equally important to secure the network from within, i.e. by configuring network security policies and allocating user permissions. Not everyone in an organization is required to have the same level of access to the organization's resources. Aside from the misuse of confidential data stored on the network, administrators face various other user-related issues which can be handled through proper user management, such as:

- Novice Internet Users: Though they may not have any harmful intentions, their inexperience can lead to the exposure of sensitive enterprise data to the outside world through accidentally downloaded spyware.
- Intensive Bandwidth Users: Bandwidth-hogging users pose a serious threat to an organization's workflow by clogging the network's bandwidth through unnecessary downloads and access to non-work-related sites. This can be handled by allocating bandwidth on a per-user basis.
- Password Assignments: Weak passwords pose a serious threat to an organization. Policies can be applied to users to ensure passwords meet certain requirements and are changed at intervals.

Windows Active Directory services can also be used for the creation and centralization of users within the organization. Assigning individual users to specific User Groups and Organizational Units makes the management of said users a lot easier.
Access Control
Additional features dedicated to securing the internal network include Access Control. Through Access Control, administrators can assign policies to users, groups and computers, either restricting them or granting them access to objects on the network. Access Control can be implemented through one of the following methods:

- Permissions: Permissions define the type of access granted to a user, group or object. Access Control allows administrators to set NTFS permissions for objects such as files, registry objects, processes and Active Directory Objects. The permissions available for an object can vary depending on the type of object in question; however, most objects are assigned one of the following: Read, Modify, Change Owner and Delete. Another form of permission available to Access Control users is Inherited Permissions. This feature automatically causes objects within a container to inherit all the inheritable permissions of that container.
- User Rights: User rights grant specific privileges and logon rights to users and groups within the network. Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as logging on to a system interactively or backing up files and directories. User Rights differ from Permissions in that they are applied to users, whereas Permissions are attached to objects.
- Object Auditing: This feature is used to view and analyse the policies and permissions assigned within the network. It allows administrators to log both successful and unsuccessful access attempts to objects.
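The three mechanisms above (the Read/Modify/Delete/Change Owner permissions, inheritance from a container, and auditing of both successful and failed attempts) are modelled below in an added example that is not part of the original assignment and not the Windows NTFS implementation; the server name FS1, the Finance share and the user and group names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PERMISSIONS = {"Read", "Modify", "Delete", "Change Owner"}  # the four named in the text


@dataclass
class Ace:
    """One access control entry: allow or deny a set of permissions to a principal."""
    principal: str              # user or group name
    allow: bool
    perms: Set[str]
    inheritable: bool = True    # whether child objects inherit this entry


@dataclass
class SecuredObject:
    name: str
    parent: Optional["SecuredObject"] = None
    aces: List[Ace] = field(default_factory=list)

    def effective_aces(self) -> List[Ace]:
        """Explicit entries on the object plus the inheritable entries of every ancestor container."""
        result = list(self.aces)
        node = self.parent
        while node is not None:
            result.extend(a for a in node.aces if a.inheritable)
            node = node.parent
        return result


@dataclass
class Directory:
    """Users with their group memberships, plus the object-audit log."""
    members: Dict[str, Set[str]]                         # user -> groups
    audit_log: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def principals_for(self, user: str) -> Set[str]:
        # Rights are cumulative: a user carries every group's entries as well as their own.
        return {user} | self.members.get(user, set())

    def check_access(self, user: str, obj: SecuredObject, perm: str) -> bool:
        if perm not in PERMISSIONS:
            raise ValueError(f"unknown permission {perm!r}")
        principals = self.principals_for(user)
        matching = [a for a in obj.effective_aces()
                    if a.principal in principals and perm in a.perms]
        # A matching deny entry takes precedence over any matching allow entry.
        decision = bool(matching) and all(a.allow for a in matching)
        # Object Auditing: record the attempt whether it succeeded or failed.
        self.audit_log.append((user, obj.name, perm, "Success" if decision else "Failure"))
        return decision


def demo_company_a() -> Tuple[Dict[str, bool], List[Tuple[str, str, str, str]]]:
    """Constructed scenario: a Finance share whose Budgets subfolder inherits its permissions."""
    directory = Directory(members={
        "alice": {"Finance", "Domain Users"},
        "bob": {"Domain Users"},
        "carol": {"Finance", "Contractors"},
    })
    share = SecuredObject("\\\\FS1\\Finance", aces=[
        Ace("Finance", True, {"Read", "Modify"}),
        Ace("Domain Users", True, {"Read"}),
        Ace("Contractors", False, {"Modify", "Delete", "Change Owner"}),
    ])
    budgets = SecuredObject("\\\\FS1\\Finance\\Budgets", parent=share, aces=[
        Ace("alice", True, {"Delete"}, inheritable=False),   # explicit, non-inherited grant
    ])
    results = {
        "alice modifies Budgets": directory.check_access("alice", budgets, "Modify"),
        "alice deletes Budgets": directory.check_access("alice", budgets, "Delete"),
        "bob reads Budgets": directory.check_access("bob", budgets, "Read"),
        "bob modifies Budgets": directory.check_access("bob", budgets, "Modify"),
        "carol modifies Budgets": directory.check_access("carol", budgets, "Modify"),
    }
    return results, directory.audit_log


if __name__ == "__main__":
    outcome, log = demo_company_a()
    for line in log:
        print(line)
```

The audit log produced here is the kind of success/failure record an administrator would review under Object Auditing; carol's failed Modify shows the group deny overriding the Finance group's allow.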

1.2 Network Infrastructure Management Technologies

A Server is the networking hardware that supports most of an organization's functions. It is often referred to as the backbone of the infrastructure. It is therefore highly important to select networking hardware that is compatible with the infrastructure in mind. The term Infrastructure refers not only to an organization's collection of servers but to all the various devices connected to the network. The functionality of a network structure is highly dependent on the hardware implemented in the infrastructure, which is why it is essential to design the required network infrastructure for an organization before selecting the hardware. In order for an infrastructure to be truly functional, the hardware on the network must be implemented appropriately, with regular checks for monitoring and managing operations and services.
Larger infrastructures such as Data Centres require equally powerful servers and therefore almost always settle for Rack Servers. Smaller organizations, in comparison, can make do with smaller Tower Servers depending on the size of the organization. A server on its own is only capable of handling the tasks deployed on it; to be able to manage and monitor the infrastructure, the server needs to be configured with software known as an Operating System. The OS selected also varies depending on the needs and size of the infrastructure.
A small organization such as Company A can make do with a couple of HP ProLiant servers configured with Microsoft Windows Server OS. Windows Server OS is known for offering a variety of management tools, from Resource Monitor to Access Control. Additional devices and hardware required to build a fully operational networking infrastructure include:

- Routers & Switches: Commonly seen as the traffic coordinators of the Network Infrastructure, routers and switches are responsible for the transfer of data within and across networks. As the number of IT infrastructure devices, applications and network connections grows and traffic volume increases, so too does the importance of switches and routers to overall network performance and user productivity. Up-to-date router and switch management can ensure protection against packet loss, higher performance, as well as support for redundancy management.
- Firewalls: Firewall configuration and infrastructure security are two issues highly dependent on each other. Having a robust firewall with proper configuration, one that only allows traffic into the network where required, is essential in maintaining a network's security. Firewalls can be implemented in hardware, in software, or as a combination of both. Generally, firewalls are configured to protect against unauthenticated interactive logins from the outside world.
- Wireless Access: Providing secure and efficient wireless access is a vital component of any effective network management strategy, no matter the size of the business. Wireless Access not only reduces the additional cabling costs that go into wired networks but also opens up a larger platform for accessing the network's resources.
- Remote Access: When setting up management solutions for a network, it is important to configure remote access as well. Remote Access not only presents a cost-effective mode of network management but also allows any networking issues faced to be addressed at a moment's notice, even when support personnel are not physically present.

1.3 Network Infrastructure Management Security Resources

The security resources available in any given Network Infrastructure are highly dependent on the software supporting said infrastructure. Different operating systems include different levels of support for the different issues targeting a Network Infrastructure. The OS in question here, Microsoft Windows Server 2008, offers a variety of management and support tools, all of which are fairly easy to configure. Among the most commonly used of these features are:

- Rights Management: Windows Server OS manages rights assignments through AD RMS, the Active Directory Rights Management Service. Through AD RMS, administrators can safeguard digital information against unauthorized use, both online and offline. The rights configured are applied to the files themselves, where they stay regardless of where and how the file has been distributed. With add-ons, administrators are also capable of applying these policies to third-party document formats.
- User Management: Creating, monitoring and administering user accounts and activities is mostly handled through the Active Directory Users and Computers feature of the Windows OS. Through Users and Computers an administrator can create user accounts, reset passwords, disable or activate accounts, rename accounts, as well as assign logon scripts to said user accounts.
- Group Allocation: Group Allocation is a term that covers the allocation of resources for various user- and group-related activities. Different Server 2008 features handle the allocation of different resources. Windows System Resource Manager is responsible for the allocation of hardware resources such as memory and processor to high-end applications and functions, whereas by configuring certain policies on user accounts it is possible to allocate storage space for each user.
- Encryption: Every organization frets over the accidental disclosure of valuable information such as customer databases and financial information. Encrypting valuable information is the easiest way to ensure it remains unseen by prying eyes; however, the task of individually encrypting every file and folder containing valuable information can be very off-putting. Windows Encrypting File System, or EFS, is a powerful tool that simplifies the encryption of files and folders on servers and client computers. EFS policies apply not only to the devices physically present within the network but to remote servers and clients as well. With EFS an administrator can restrict access to the extent that even users who have access to the servers and their file systems are unable to view data they should not.
- Virtual Private Network: A VPN or Virtual Private Network is a form of encrypted connection utilized over less secure networks. Using a VPN ensures the appropriate level of security for the connected systems when the underlying network infrastructure alone cannot provide it. VPN connections help enable cost-effective, secure remote access to private networks. They allow administrators to take advantage of the Internet to provide the functionality and security of private WAN connections at a lower cost, making Network Infrastructure management that much more accessible.
- RADIUS: Remote Access Dial In Support, or RADIUS Servers, are a Windows platform that provides centralized connection authentication and authorization for network access over wireless and VPN connections, among others.
- IPsec: Internet Protocol Security is a Windows Server OS feature that makes use of cryptographic security services for the protection of communications over Internet Protocol networks. IPsec supports network-level peer authentication, data origin authentication, data integrity and data confidentiality (encryption), as well as replay protection. IPsec policies can be configured via the Windows Firewall with Advanced Security snap-in.


Task 2:
2.1 Designing a Network Infrastructure

Designing a Network Infrastructure from scratch is a dream job for most Network Administrators. However, when designing a network it is essential to keep the organization's IT expertise in mind. It would be counterproductive to design an infrastructure too complex to be handled by the organization itself. Setting up a network involves both hardware and software resources, with the latter becoming even more important once the network is up and running, in order to manage and maintain the hardware resources. Given the size and architecture of Company A, the administrator has presented a network design catering to the needs of both onsite and remote users. For this summary, the administrator has decided to focus on the software roles to be implemented in the network.


No.  Target Area  Services
1.   Deployment   Servers: Microsoft Windows Server 2008
                  Clients: Microsoft Windows 7
                  Since it is a small organization, the administrator has opted for manual OS Deployment.
2.   Addressing   A DNS Server has been configured to allow client computers to connect to the Domain.
                  Clients are set to receive IP Addresses via the DHCP Server.
3.   Rights       Active Directory Domain Services
4.   Security     Active Directory Rights Management Services
                  File Services
                  Network Policy and Access Services
                  Remote Desktop Services
                  Terminal Services
                  Windows Server Update Services

Most of the features presented above lean towards the management of the Network, rather than focusing on the hardware
architecture of the network.

2.2 Evaluating the Network Design

The administrator intends to configure both DNS and DHCP as the IP addressing platform for the network. Having previously elaborated on DNS, the administrator will now explain DHCP and its functionality to the IT department of Company A.

DHCP, or Dynamic Host Configuration Protocol, is another network protocol; it enables servers to automatically assign IP addresses to client devices on the network. The server hands out IP addresses from a pre-specified range that is assigned by the administrator during the initial configuration of the server. These ranges are known as Scopes; a single DHCP Server can have more than one scope at any given time, with different scopes assigned to different regions of the network. DHCP addresses its clients through the following method:

- A client using DHCP is turned on.
- A broadcast request called DISCOVER is sent out to the DHCP Server.
- This packet is then redirected by the router to the appropriate DHCP Server.
- Once the Server has received the request packet, it assigns an IP Address to the client based on availability and the usage policies set.
- The Server then sends the client an OFFER packet with the addressing information. Most of the time, the server will also configure DNS, WINS and NTP settings for the client.
- Once the client receives the offer, it sends out a REQUEST packet to the server confirming its intention to use the assigned IP Address.


DHCP Servers usually assign IP Addresses on a lease basis, the duration of which is pre-assigned. By default this duration is set to 8 days. Using DHCP to assign addresses to the various clients in the network minimizes IP conflicts, which arise mostly when addressing is done manually (Static Addressing) and two or more devices on the network are given the same IP Address. Since DHCP utilizes dynamic leasing of addresses, it is also able to automatically reclaim addresses that are no longer in use.
Since the network is reliant on the DHCP Server for the addressing of its devices, the question of the Server's scalability is one that is always on the minds of the IT personnel. Theoretically, DHCP servers are capable of supporting an unlimited number of clients; as such, a small organization such as Company A with a single-subnet environment need not worry about installing more than one DHCP server on the network.
That being said, it is essential for network administrators and IT personnel to keep track of the IP Address ranges specified and whether said ranges can keep up with any additions to the organization. Management of the DHCP Servers includes setting exclusion ranges on the scopes, creating IP Address reservations, adjusting lease durations and specifying the IP addressing classes to be used with the scopes. Upon completion, the scope must be activated before it can provide services to the clients on the network.
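The DISCOVER/OFFER/REQUEST exchange, scopes with exclusion ranges and reservations, the 8-day lease and the reclaiming of expired addresses described above are modelled in the added example below (the server's final ACK, which completes the exchange in RFC 2131, is included). It is not part of the original assignment and is not the Windows DHCP Server service; the 192.0.2.x scope, the DNS option value and the MAC addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

DEFAULT_LEASE_SECONDS = 8 * 24 * 3600   # the 8-day default lease named in the text


@dataclass
class Scope:
    start: str
    end: str
    exclusions: List[Tuple[str, str]] = field(default_factory=list)   # inclusive ranges never handed out
    reservations: Dict[str, str] = field(default_factory=dict)        # MAC -> fixed IP
    lease_seconds: int = DEFAULT_LEASE_SECONDS
    active: bool = False

    def candidates(self) -> Iterator[str]:
        """Addresses eligible for dynamic assignment: in range, not excluded, not reserved."""
        lo, hi = ipaddress.IPv4Address(self.start), ipaddress.IPv4Address(self.end)
        excluded = [(ipaddress.IPv4Address(a), ipaddress.IPv4Address(b)) for a, b in self.exclusions]
        ip = lo
        while ip <= hi:
            if not any(a <= ip <= b for a, b in excluded) and str(ip) not in self.reservations.values():
                yield str(ip)
            ip += 1


@dataclass
class Lease:
    mac: str
    ip: str
    expires: int   # absolute time in seconds


class DhcpServer:
    def __init__(self, scope: Scope):
        self.scope = scope
        self.leases: Dict[str, Lease] = {}    # MAC -> current lease
        self.offers: Dict[str, str] = {}      # MAC -> offered IP awaiting REQUEST

    def reclaim_expired(self, now: int) -> List[str]:
        """Addresses whose lease has run out return to the pool automatically."""
        expired = [mac for mac, lease in self.leases.items() if lease.expires <= now]
        for mac in expired:
            del self.leases[mac]
        return expired

    def handle(self, msg: dict, now: int) -> dict:
        """Process one client message and return the server's reply."""
        if not self.scope.active:
            raise RuntimeError("scope must be activated before it serves clients")
        self.reclaim_expired(now)
        mac, kind = msg["mac"], msg["type"]
        if kind == "DISCOVER":
            ip: Optional[str] = self.scope.reservations.get(mac)
            if ip is None:
                in_use = {lease.ip for lease in self.leases.values()} | set(self.offers.values())
                ip = next((c for c in self.scope.candidates() if c not in in_use), None)
            if ip is None:
                return {"type": "NAK", "mac": mac, "reason": "scope exhausted"}
            self.offers[mac] = ip
            # Constructed option values handed out with the address (the text names DNS, WINS, NTP).
            return {"type": "OFFER", "mac": mac, "ip": ip, "lease": self.scope.lease_seconds,
                    "dns": ["192.0.2.1"]}
        if kind == "REQUEST":
            ip = msg["ip"]
            held = self.leases.get(mac)
            if ip != self.offers.get(mac) and (held is None or held.ip != ip):
                return {"type": "NAK", "mac": mac, "reason": "address not offered to this client"}
            self.offers.pop(mac, None)
            self.leases[mac] = Lease(mac, ip, now + self.scope.lease_seconds)
            return {"type": "ACK", "mac": mac, "ip": ip, "expires": now + self.scope.lease_seconds}
        raise ValueError(f"unsupported message type {kind}")


def demo() -> dict:
    """Constructed scope 192.0.2.10-192.0.2.13 with .10-.11 excluded and .13 reserved, so one dynamic address."""
    scope = Scope("192.0.2.10", "192.0.2.13",
                  exclusions=[("192.0.2.10", "192.0.2.11")],
                  reservations={"00:11:22:33:44:55": "192.0.2.13"})
    scope.active = True
    server = DhcpServer(scope)
    offer1 = server.handle({"type": "DISCOVER", "mac": "aa:aa:aa:aa:aa:aa"}, now=0)
    ack1 = server.handle({"type": "REQUEST", "mac": "aa:aa:aa:aa:aa:aa", "ip": offer1["ip"]}, now=1)
    reserved = server.handle({"type": "DISCOVER", "mac": "00:11:22:33:44:55"}, now=2)
    exhausted = server.handle({"type": "DISCOVER", "mac": "bb:bb:bb:bb:bb:bb"}, now=3)
    # Once the 8-day lease has expired the address is reclaimed and can be offered again.
    offer2 = server.handle({"type": "DISCOVER", "mac": "bb:bb:bb:bb:bb:bb"}, now=DEFAULT_LEASE_SECONDS + 2)
    return {"first": offer1["ip"], "ack": ack1["type"], "reserved": reserved["ip"],
            "exhausted": exhausted["type"], "reclaimed": offer2["ip"]}


if __name__ == "__main__":
    print(demo())
```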

2.3 Evaluating Rights and Security Requirements

Windows Server 2008's Group Policy Manager is the preferred mode of managing the various computers and users within the network. Through Group Policy, administrators can configure:

- User Group security settings
- Folder redirections
- Software deployment scripts
- Permissions and Inheritance Rights.

In order to configure any of the above, it is necessary for the administrator to have an understanding of the organization's business needs, security requirements and service level agreements. Implementing a Group Policy solution entails planning, designing, deploying and maintaining said solution. To begin with, an OU structure should be in place, making it easier for the administrator to manage the group policies. The design should cover and include:

- Group Policy application scopes
- Generic policy settings applicable to all corporate users
- Classification of users and computers based on roles and locations
- Desktop configurations based on user and computer requirements
- Recognizing and specifying exceptions to default inheritance policies
- Delegating administration of Group Policies
- Evaluating results via Group Policy Results

When new user and computer accounts are created in the domain they are not, by default, part of any Organizational Unit, making it impossible to assign any group policies to them. Generally, Group Policy settings are applied by linking Group Policy Objects, or GPOs, to sites, domains and OUs.
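How GPOs linked to the site, the domain and nested OUs combine into one resulting set of settings, including the two "exceptions to default inheritance" (Block Inheritance on an OU and an Enforced link), is shown in the added example below. It is not part of the original assignment and is a model of the Windows processing order, not the Group Policy engine itself; the companya.local domain, the Staff and Finance OUs, the GPO names and the settings are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Settings = Dict[str, object]


@dataclass
class GpoLink:
    gpo: str
    settings: Settings
    enforced: bool = False   # an Enforced link is not blocked and beats lower links


@dataclass
class Container:
    """A site, the domain or an OU, with its GPO links in link order (first = highest precedence)."""
    name: str
    links: List[GpoLink] = field(default_factory=list)
    block_inheritance: bool = False


def resulting_settings(chain: List[Container]) -> Tuple[Settings, Dict[str, str]]:
    """chain runs from the site down to the OU holding the account.

    Windows applies site, domain, OU, child OU in that order, later links overwriting earlier
    ones. Block Inheritance on an OU drops every non-enforced link from above it. Enforced links
    are applied last, with the one highest in the tree winning among enforced links.
    Returns (effective settings, winning GPO per setting), like a Group Policy Results report.
    """
    block_from = 0
    for i, container in enumerate(chain):
        if container.block_inheritance:
            block_from = i            # the lowest blocking container is the one that matters
    normal: List[GpoLink] = []
    enforced: List[GpoLink] = []
    for i, container in enumerate(chain):
        for link in reversed(container.links):   # link order 1 is processed last within a container
            if link.enforced:
                enforced.append(link)
            elif i >= block_from:
                normal.append(link)
    settings: Settings = {}
    winners: Dict[str, str] = {}
    for link in normal + list(reversed(enforced)):
        for key, value in link.settings.items():
            settings[key] = value
            winners[key] = link.gpo
    return settings, winners


def demo() -> Dict[str, Tuple[Settings, Dict[str, str]]]:
    """Constructed tree: Default-First-Site-Name > companya.local > Staff > Finance (blocks inheritance)."""
    site = Container("Default-First-Site-Name")
    domain = Container("companya.local", links=[
        GpoLink("Default Domain Policy", {"ScreenSaverTimeout": 900,
                                          "WindowsUpdateServer": "http://wsus.companya.local"}),
        GpoLink("Corp Lockdown", {"RemovableStorage": "Deny"}, enforced=True),
    ])
    staff = Container("Staff", links=[
        GpoLink("Staff Desktop", {"FolderRedirection": "\\\\FS1\\Home",
                                  "RemovableStorage": "Allow",
                                  "ScreenSaverTimeout": 1200}),
    ])
    finance = Container("Finance", block_inheritance=True, links=[
        GpoLink("Finance Security", {"ScreenSaverTimeout": 600}),
    ])
    return {
        "Staff": resulting_settings([site, domain, staff]),
        "Finance": resulting_settings([site, domain, staff, finance]),
    }


if __name__ == "__main__":
    for ou, (effective, won_by) in demo().items():
        print(ou, effective, won_by)
```

For the Staff OU the enforced Corp Lockdown link overrides Staff Desktop's "Allow"; for Finance, Block Inheritance removes the domain and Staff settings entirely except for that enforced link.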


It should be known, even administrators are incapable of modifying the built-in properties and capabilities of the domain
user and computer accounts. However this does not mean there are no means of administration available. User account
rights provide administrators with the appropriate platform for managing the internal activities affecting a network, despite
not being able to modify default settings. Having access to user rights management allows an administrator to monitor
and decide which user accounts have access to which resources on the network. User Rights themselves can be split into
two categories:

Logon Rights: These rights are specifically assigned to users themselves and define their interaction within the
network.
Privileges: These rights are also assigned directly to users, however they are connected to specific system related
actions.

Though it is possible to assign user rights at individual levels, feasibility-wise it is advisable to apply user rights to group
account basses. This makes it easier for the administrator to apply and monitor rights throughout the domain. An example
of this would be, having a group of users with colour print access rights to the printer. When a new staff joins the
organization, the administrator can simply move them to the group instead of having to reassign the rights to their individual
account. User rights that are assigned to a group are applied to all members of the group while they remain members. If
a user is a member of multiple groups, the user's rights are cumulative, which means that the user has more than one set
of rights and privileges.
The administrator for Company A has decided to assign the following user rights and privileges:

Access This Computer from the Network
Log On Locally
Log On as a Service
Back Up Files and Directories
Create Permanent Shared Objects
Generate Security Audits
File and Folder Quotas
Take Ownership of Files or Other Objects

Several of these privileges bypass NTFS permissions entirely: Back Up Files and Directories lets the holder read any
file on the system regardless of its ACL, and Take Ownership lets the holder seize control of any object. Both should be
confined to small, audited groups rather than granted broadly.
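The following PowerShell script is an added example and is not part of the original assignment. It shows how a user right is actually assigned on a Server 2008 R2 machine: secedit, the tool behind the Local Security Policy editor, exports the current user-rights assignment to a template, the group's SID is appended to the privilege line, and the template is applied and read back. The domain name COMPANYA and the group BackupAdmins are hypothetical.

```powershell
# Added example, not part of the original assignment: assign a user right to a group
# with secedit on Server 2008 R2. Hypothetical names: domain COMPANYA, group BackupAdmins.
# Run in an elevated session on the server whose policy is being changed.

$domain    = 'COMPANYA'
$groupName = 'BackupAdmins'
$privilege = 'SeBackupPrivilege'          # constant name of "Back Up Files and Directories"

$cfg = Join-Path $env:TEMP 'userrights.inf'
$db  = Join-Path $env:TEMP 'userrights.sdb'

# 1. secedit templates reference accounts as *SID, so resolve the group to its SID first.
$account = New-Object System.Security.Principal.NTAccount($domain, $groupName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# 2. Export only the user-rights area of the current policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# 3. Append the SID to the privilege's line, or add the line under [Privilege Rights]
#    if the privilege is not assigned to anyone yet.
$lines = @(Get-Content $cfg)
$found = $false
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match "^$privilege\s*=") {
        $found = $true
        if ($lines[$i] -notmatch [regex]::Escape("*$sid")) {
            $lines[$i] = $lines[$i].TrimEnd() + ",*$sid"
        }
    }
}
if (-not $found) {
    $idx = [array]::IndexOf($lines, '[Privilege Rights]')
    if ($idx -lt 0) { throw 'Exported policy has no [Privilege Rights] section' }
    $lines = @($lines[0..$idx]) + "$privilege = *$sid" + @($lines | Select-Object -Skip ($idx + 1))
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode   # secedit expects UTF-16 templates

# 4. Apply the edited template; only the USER_RIGHTS area is touched.
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

# 5. Verify by exporting again and reading the line back.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
(Select-String -Path $cfg -Pattern "^$privilege").Line
```

On a domain member this local assignment lasts only until the next Group Policy refresh if a GPO also sets the same right, because user rights from a GPO replace the local list rather than merging with it. For the domain-wide assignment the page describes, the same privilege line belongs in a GPO under Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignment.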

As mentioned previously, network infrastructure management involves setting up and managing both internal and external
connections to the organization's network. External access usually requires the configuration of remote access services
such as Microsoft's Routing and Remote Access Service (RRAS) and a VPN.
Routing & Remote Access Services
RRAS, or Routing and Remote Access Service, is a Microsoft feature that combines hardware and software to connect
clients to the host computer, known as the Remote Access Server. When setting up a Remote Access Server, the
administrator should have a clear design of the solution at hand. When setting up RRAS, administrators can either select
one of the configuration paths predefined in the setup wizard or manually configure the elements most suitable for their
environment. Among the most common remote access solutions deployed are:

Virtual Private Network (VPN): This configuration allows remote access clients to connect to the private
network across the internet. Aside from letting remote clients into the network, the administrator can configure
the VPN server to check whether a connecting client is permitted to do so, through the remote access permission on
the user account and the network policies applied to the connection.

Dial-up Connections: This configuration allows remote clients to reach the private network by dialling into a
modem bank or similar dial-up equipment. Additional options include how the server responds to incoming calls and
how it verifies which clients have access to the private network.

Secure Connections (NAT): Network Address Translation, or NAT, creates a shared connection between the Remote
Access Server and the computers on the private network. The server translates traffic between the network's public
address and the private addresses behind it, and also allows additional features such as packet and service filters
to be configured.

Having explained the solutions available through RRAS, the administrator has decided to deploy the VPN solution for
Company A. Before deploying any of the above solutions, the following issues should be addressed:

Determining which interfaces are connected to the internet and which to the internal private network.
Determining whether remote clients will be addressed by the private network's DHCP server or from a static address pool
on the VPN server.
Determining the method of authentication: RRAS can authenticate users against Active Directory itself (Windows
authentication) or forward requests to a RADIUS server such as Network Policy Server, and the protocols it accepts
should be limited to those with mutual authentication, namely MS-CHAP v2 or EAP.

Trust Management
A trust relationship allows two domains to connect with and share each other's resources: users in the trusted domain can
be granted access to resources in the trusting domain. All Active Directory trusts between domains within the same
forest are created automatically and are two-way and transitive, so every domain in a forest trusts every other domain
in it. Further trusts can be created as required:

External Trusts: Provide access to resources in a domain that is not part of the same forest (or in a Windows NT 4.0
domain). They are non-transitive and can be one-way or two-way depending on the requirement.
Realm Trusts: Form a trust between a non-Windows Kerberos realm and an AD domain.
Forest Trusts: Created between the root domains of two forests so that every domain in one forest can share resources
with every domain in the other. They are transitive across the two forests and can be one-way or two-way.
Shortcut Trusts: Created between two domains within a single AD forest to shorten the trust path and so improve user
logon and resource access times.

Having reviewed the above, the administrator sees no need to implement trust relationships for Company A at present,
given that it is a small organization with a single domain.


Task 3:
3.1

Implementing the Network Infrastructure

Addressing - DNS
The first step in setting up an addressing system for the organization is configuring its DNS server. Like any other
server feature, the DNS Server role is installed via Server Manager.

Installing the DNS Server role requires no special effort; it is the configuration that follows the installation which
determines the service provided to the network. Configuring the DNS server involves setting up both forward and reverse
lookup zones. Each zone can be one of a few types: Active Directory integrated, standard primary or standard secondary. An
Active Directory integrated zone is stored in AD DS and replicated with it, and it is the only type that supports secure
dynamic updates, in which only the authenticated computer that registered a record is allowed to change it.

[Screenshots of the DNS Server role installation and the New Zone wizard (original pages 16 to 18) are not reproduced here.]

Once the forward and reverse lookup zones have been configured, the administrator must also specify the name servers for
the domain. After the name server has been added, the remaining records to configure are host (A) and pointer (PTR)
records. A records map host names to IP addresses in the forward lookup zone; PTR records create the matching entries in
the reverse lookup zone, mapping IP addresses back to host names.
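The following script is an added example, not part of the original assignment. It performs the zone and record configuration just described with dnscmd, the command-line tool available on Server 2008 R2, and then checks that forward and reverse resolution agree for each host. The domain companya.local, the 192.168.1.0/24 subnet and the two host names are constructed sample values.

```powershell
# Added example, not part of the original assignment: create the forward and reverse
# zones as AD-integrated zones, restrict them to secure dynamic updates, add matching
# A and PTR records, and verify both directions. Hypothetical values: domain
# companya.local, subnet 192.168.1.0/24, DNS server SRV01 (.10), file server FS01 (.20).

$dnsSrv  = 'SRV01'
$zone    = 'companya.local'
$revZone = '1.168.192.in-addr.arpa'                 # reverse zone for 192.168.1.0/24
$hosts   = @{ 'srv01' = '192.168.1.10'; 'fs01' = '192.168.1.20' }   # constructed sample data

function Add-ZoneIfMissing([string]$Name) {
    # /DsPrimary stores the zone in Active Directory and replicates it with AD DS.
    $existing = dnscmd $dnsSrv /EnumZones | Select-String -SimpleMatch " $Name "
    if (-not $existing) { dnscmd $dnsSrv /ZoneAdd $Name /DsPrimary | Out-Null }
    # AllowUpdate 2 = secure dynamic updates only: a client may change only records it
    # registered itself, so one workstation cannot overwrite a server's A record.
    dnscmd $dnsSrv /Config $Name /AllowUpdate 2 | Out-Null
}

Add-ZoneIfMissing $zone
Add-ZoneIfMissing $revZone

foreach ($h in $hosts.Keys) {
    $ip   = $hosts[$h]
    $last = ($ip -split '\.')[3]     # host octet; correct for a /24 reverse zone only
    dnscmd $dnsSrv /RecordAdd $zone $h A $ip | Out-Null
    dnscmd $dnsSrv /RecordAdd $revZone $last PTR "$h.$zone." | Out-Null
}

function Test-NameResolution([string]$HostName, [string]$ExpectedIp) {
    # Forward: name -> address. Reverse: address -> name. A mismatch usually means a
    # stale PTR record or a host registered under a different name.
    $fwd = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }
    $rev = [System.Net.Dns]::GetHostEntry($ExpectedIp).HostName
    $ok  = ($fwd -contains $ExpectedIp) -and ($rev -ieq $HostName)
    '{0,-22} A={1,-15} PTR={2,-22} {3}' -f $HostName, ($fwd -join ','), $rev, $(if ($ok) { 'OK' } else { 'MISMATCH' })
}

foreach ($h in $hosts.Keys) { Test-NameResolution "$h.$zone" $hosts[$h] }
```

The secure-update setting is the security-relevant line: with non-secure updates enabled, any host on the LAN can register or overwrite records for any name, which is enough to redirect clients to a rogue server.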
Once the DNS server has been set up, the administrator needs to configure the DHCP server, as it is the primary source of
addressing for the clients on the network.
Addressing - DHCP
DHCP is another server role installed via Server Manager. The DNS server should be operational before DHCP is
configured: DHCP hands clients the DNS server's address as a scope option, and it registers the clients' names in DNS
on their behalf.

[Screenshots of the DHCP Server role installation and the New Scope wizard (original pages 19 and 20) are not reproduced here.]

The New Scope wizard screen (shown in the original screenshots) is where the administrator specifies the addresses
available for allocation to clients on the network. The settings configured at this screen include:

Naming the scope.
Specifying the first address available to clients.
Specifying the last address available to clients.
Specifying the subnet mask.
Specifying the default gateway address.
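The following script is an added example, not part of the original assignment. It creates the same scope with netsh dhcp on Server 2008 R2, using the five values the wizard asks for, and adds the one check the wizard does not make obvious: the server must be authorized in Active Directory before it will serve any lease. All addresses and names are hypothetical.

```powershell
# Added example, not part of the original assignment: build the DHCP scope from the
# wizard's five values with netsh dhcp (Server 2008 R2) and confirm AD authorization.
# Hypothetical values: DHCP/DNS server srv01.companya.local at 192.168.1.10,
# scope 192.168.1.0/24, client range .100-.200, gateway 192.168.1.1.

$server  = '192.168.1.10'
$fqdn    = 'srv01.companya.local'
$scope   = '192.168.1.0'
$mask    = '255.255.255.0'
$name    = 'CompanyA LAN'
$first   = '192.168.1.100'
$last    = '192.168.1.200'
$gateway = '192.168.1.1'
$dns     = '192.168.1.10'
$dnsZone = 'companya.local'

# A DHCP server in an AD domain refuses to serve clients until it is authorized; the
# same list is what makes a rogue DHCP server on the LAN stand out.
$authorized = netsh dhcp show server | Select-String -SimpleMatch $server
if (-not $authorized) { netsh dhcp add server $fqdn $server | Out-Null }

# Scope, distribution range and the options clients need (003 router, 006 DNS, 015 domain).
netsh dhcp server $server add scope $scope $mask $name | Out-Null
netsh dhcp server $server scope $scope add iprange $first $last | Out-Null
netsh dhcp server $server scope $scope set optionvalue 003 IPADDRESS $gateway | Out-Null
netsh dhcp server $server scope $scope set optionvalue 006 IPADDRESS $dns | Out-Null
netsh dhcp server $server scope $scope set optionvalue 015 STRING $dnsZone | Out-Null

# Keep a block at the top of the range out of the lease pool for printers with static
# addresses, so a lease can never collide with them.
netsh dhcp server $server scope $scope add excluderange 192.168.1.190 192.168.1.200 | Out-Null

# Activate the scope (1 = active) and read everything back, including current leases.
netsh dhcp server $server scope $scope set state 1 | Out-Null
netsh dhcp server $server show scope
netsh dhcp server $server scope $scope show optionvalue
netsh dhcp server $server scope $scope show clients 1
```

On a client, ipconfig /all then shows the lease together with the DHCP server that issued it; if the server shown is not the authorized one, another DHCP server is answering on the segment.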


Rights Management
Rights management involves assigning permissions and policies to the user accounts and computers that are part of the
domain. Permissions apply to file servers and shared resources such as printers, storage and folders. Access to these
resources is defined through two sets of permission entries: the share permissions set on a shared folder and the NTFS
permissions set on the folder itself. The effective access to a folder over the network is the more restrictive of the
share permissions and the NTFS permissions.
The administrator has decided to grant Full Control to the Everyone group at the share level and to rely entirely on
NTFS permissions to restrict access.

NTFS permissions for shared folders can be configured in one of the following ways:

New shared resources: The NTFS permissions of the folder or volume are set before it is shared on the network. These
NTFS permissions apply both locally and when the resource is accessed over the network.
Existing shared resources: The NTFS permissions of an existing shared folder or volume are modified through its
Security tab.

The administrator also lists the NTFS permissions that apply to the shared folders and what each allows:

1. Full Control: Permission to read, write, execute, delete, change permissions on and take ownership of the file.
2. Modify: Permission to read, write, execute and delete the file.
3. Read and Execute: Permission to view the file's contents and run it if it is executable.
4. Write: Permission to write to the file and create new files and folders.
5. Read: Permission to view the file's contents.
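The following script is an added example, not part of the original assignment. It applies the administrator's decision to one folder: the share is published with Everyone/Full Control, inheritance on the folder is removed, and an explicit NTFS ACL with only the Accounting group, Administrators and SYSTEM is set, so that group membership alone controls access. The path, domain and group names are hypothetical.

```powershell
# Added example, not part of the original assignment: publish a folder with permissive
# share permissions and enforce access through an explicit NTFS ACL (Server 2008 R2).
# Hypothetical values: path D:\Shares\Accounting, domain COMPANYA, group Accounting.

$path  = 'D:\Shares\Accounting'
$share = 'Accounting'

if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

# 1. NTFS: drop every inherited entry and set a minimal explicit ACL.
#    (OI)(CI) = inherited by files and subfolders; M = Modify, F = Full Control.
#    /grant:r replaces any existing explicit entry for the same principal.
icacls $path /inheritance:r `
    /grant:r 'COMPANYA\Accounting:(OI)(CI)M' `
             'BUILTIN\Administrators:(OI)(CI)F' `
             'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
# No Users or Everyone entry remains, so membership of Accounting is the only path in.

# 2. Share: Everyone/Full Control. Effective access over the network is the more
#    restrictive of share and NTFS permissions, so NTFS now decides on its own.
$exists = net share | Select-String -Pattern "^\s*$share\s"
if (-not $exists) { net share "$share=$path" /GRANT:Everyone,FULL | Out-Null }

# 3. Verify: the ACL below is the complete control for this data.
(Get-Acl $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Administrators and SYSTEM are kept deliberately: backup agents and antivirus run as SYSTEM, and removing Administrators only appears to lock them out, since the Take Ownership privilege lets them regain access, leaving an audit event rather than a real barrier.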


Aside from configuring folder permissions, the administrator has also decided to implement Group Policies across the
domain to tighten network security and simplify administration.

The Group Policy Management console (shown in the original screenshot) contains the Default Domain Policy, a GPO that is
created automatically when the AD DS server role is installed. It is linked at the domain level and therefore applies, by
inheritance, to all users and computers in the domain, including those in every OU beneath it. Account policies for
domain accounts (password, lockout and Kerberos settings) are taken only from GPOs linked at this level.


A linked GPO applies to everything within the container it is linked to, including child OUs and the users and computers
in them. Where several GPOs apply, they are processed in the order local, site, domain, OU, and the GPO processed last
wins any conflicting setting. To keep GPOs from overlapping unintentionally, the administrator can link purpose-specific
GPOs to individual OUs, or block inheritance on a child OU so that GPOs linked higher up no longer apply to it (a link
marked Enforced still applies regardless).
Once a GPO is created, it is edited to specify the policies the administrator wants to enforce.
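The following script is an added example, not part of the original assignment. It uses the GroupPolicy module that ships with Server 2008 R2 to create a GPO, link it to an OU, set one registry-based policy, and then list every GPO that reaches the OU in precedence order, which is the check to run before deciding to block inheritance. The domain companya.local, the Workstations OU and the GPO name are hypothetical; the NoLMHash setting is one illustrative policy.

```powershell
# Added example, not part of the original assignment: create, link and inspect a GPO
# with the GroupPolicy module (Server 2008 R2). Hypothetical values: domain
# companya.local, OU "Workstations", GPO "CompanyA - Workstation Security".

Import-Module GroupPolicy

$domain  = 'companya.local'
$ou      = 'OU=Workstations,DC=companya,DC=local'
$gpoName = 'CompanyA - Workstation Security'

# 1. Create the GPO if it does not exist, then link it to the OU (once).
$gpo = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Domain $domain -Comment 'Workstation hardening' }

$ouLinks = (Get-GPInheritance -Target $ou -Domain $domain).GpoLinks
if (-not ($ouLinks | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $ou -Domain $domain -LinkEnabled Yes | Out-Null
}

# 2. One registry-based setting: stop storing LM hashes of passwords on these machines.
Set-GPRegistryValue -Name $gpoName -Domain $domain `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'NoLMHash' -Type DWord -Value 1 | Out-Null

# 3. What actually reaches this OU, in the order it is applied (last wins).
#    Domain-linked GPOs such as Default Domain Policy arrive by inheritance.
$inh = Get-GPInheritance -Target $ou -Domain $domain
'Inheritance blocked on {0}: {1}' -f $ou, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced |
    Format-Table -AutoSize

# To stop inherited GPOs applying to this OU (Enforced links still get through, and the
# domain's password and lockout policy is unaffected because it binds to accounts, not OUs):
#   Set-GPInheritance -Target $ou -Domain $domain -IsBlocked Yes

# On a workstation in the OU, refresh and confirm which GPOs were applied:
#   gpupdate /force
#   gpresult /r /scope computer
```

The Enforced column is the one to read before blocking inheritance: a blocked OU still receives every Enforced link from above, and it is the usual reason a setting "will not go away" after Block Inheritance has been ticked.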


Security Management
As discussed previously, the administrator has decided to implement a VPN server as the network's preferred mode of
remote access. For the VPN server to function, the network needs DHCP, DNS and Certificate Services in place. The VPN
server is established with the following steps:

Installing IIS on the VPN server.
Requesting a certificate for the VPN server through IIS.
Installing the RRAS role on the dedicated server.
Configuring the RRAS role to operate as a VPN server.

[Screenshots of the IIS installation, the certificate request and the RRAS role installation and configuration (original pages 25 to 30) are not reproduced here.]

Once the RRAS role has been installed, the administrator enables the RRAS service, then the VPN server feature and the
NAT service. Enabling NAT is essential here because the SSTP client validates the server's certificate, including its
revocation status, before the tunnel exists; the CRL distribution point of the certificate server must therefore be
reachable from the internet, which the administrator achieves by publishing it through NAT.
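The following script is an added example, not part of the original assignment. It covers the three decisions listed before deploying the VPN (interfaces aside) and the certificate dependency just described: it selects a usable server certificate from the machine store, lists its CRL distribution points and flags any that an internet client could not reach, restricts the accepted authentication protocols, sets how remote clients are addressed, and shows the 443 binding SSTP uses. The public name vpn.companya.com and the 192.168.1.x addresses are hypothetical; DnsNameList is the extended property the Cert: provider adds to certificate objects.

```powershell
# Added example, not part of the original assignment: pre-flight checks and hardening
# for an SSTP VPN on Server 2008 R2 RRAS. Hypothetical values: public name
# vpn.companya.com, address pool 192.168.1.210-230. Run elevated on the RRAS server.

$vpnFqdn       = 'vpn.companya.com'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# 1. The certificate SSTP presents: machine store, private key present, Server
#    Authentication EKU, and a subject or SAN matching the name clients dial.
function Test-SstpCertificate($c) {
    $eku  = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
            ForEach-Object { $_.EnhancedKeyUsages } | Where-Object { $_.Value -eq $serverAuthOid }
    $sans = @($c.DnsNameList | ForEach-Object { $_.Unicode })
    return ($c.HasPrivateKey -and $eku -and
            ($sans -contains $vpnFqdn -or $c.Subject -like "CN=$vpnFqdn*"))
}
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-SstpCertificate $_ } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable Server Authentication certificate for $vpnFqdn" }
'Certificate {0}, valid until {1}' -f $cert.Thumbprint, $cert.NotAfter

# 2. The client checks this certificate's CRL before the tunnel is up, so every CRL
#    distribution point must be an HTTP URL on a name resolvable from the internet.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { 'No CRL distribution point: clients will fail revocation checking' }
else {
    foreach ($m in [regex]::Matches($cdp.Format($true), 'URL=(\S+)')) {
        $url = $m.Groups[1].Value
        if ($url -notlike 'http://*') { $state = 'not HTTP, unusable from the internet' }
        else {
            $hn    = ([uri]$url).Host
            $state = if ($hn -notmatch '\.' -or $hn -match '\.local$') { 'internal name, NOT reachable from the internet' }
                     else { 'public name' }
        }
        'CDP {0}: {1}' -f $url, $state
    }
}
# Chain and revocation check exactly as a client performs it (export the cert first):
#   certutil -verify -urlfetch C:\temp\vpn.cer

# 3. Accept only protocols with mutual authentication on the VPN.
netsh ras delete authtype type=PAP      | Out-Null
netsh ras delete authtype type=MD5CHAP  | Out-Null
netsh ras add    authtype type=MSCHAPv2 | Out-Null
netsh ras add    authtype type=EAP      | Out-Null
netsh ras show authtype

# 4. Remote client addressing: leases from the internal DHCP server (RRAS requests them
#    in blocks of ten), or a static pool inside the LAN subnet.
netsh ras ip set addrassign method=auto | Out-Null
#   alternative:  netsh ras ip set addrassign method=pool
#                 netsh ras ip add range from=192.168.1.210 to=192.168.1.230

# 5. SSTP listens on 443 through HTTP.sys; the binding should show this certificate.
netsh http show sslcert ipport=0.0.0.0:443
```

The CDP check is the one that explains most "SSTP fails with error 0x80092013" reports: the certificate is perfectly valid, but its CRL lives on an internal name, and the client must fetch it before it has any route into the network.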


Remote Desktop
The administrator has also decided to install the Remote Desktop Services roles for the environment. Remote Desktop
Services allows users to access Windows-based programs installed on an RD Session Host server either from within the
corporate network or over the internet. The Remote Desktop Services roles are installed in the same way as every other
server role, via Server Manager. Once the role has been selected, the administrator can specify which role services the
network requires and configure each accordingly. The role services included in RDS are:

Remote Desktop Session Host
Remote Desktop Virtualization Host
Remote Desktop Connection Broker
Remote Desktop Licensing
Remote Desktop Gateway
Remote Desktop Web Access

For the current environment, the administrator will proceed with configuring Remote Desktop Licensing and Remote
Desktop Web Access.
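The following script is an added example, not part of the original assignment. Whichever role services are installed, the RD Session Host that users finally land on is configured through the TerminalServices WMI provider; the script sets the three settings that matter most for a host reachable over the internet (Network Level Authentication, the TLS security layer and High encryption) and reads them back. The LAN subnet in the firewall comment is hypothetical.

```powershell
# Added example, not part of the original assignment: enforce NLA, the TLS security
# layer and High encryption on the RDP-Tcp listener of an RD Session Host (Server 2008 R2)
# and read the settings back. Run elevated on the session host.

function Get-RdpSecuritySettings {
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'"
    New-Object PSObject -Property @{
        NlaRequired        = [bool]$ts.UserAuthenticationRequired  # 1 = authenticate before a session exists
        SecurityLayer      = $ts.SecurityLayer                      # 0 = RDP, 1 = Negotiate, 2 = TLS
        MinEncryptionLevel = $ts.MinEncryptionLevel                 # 1 Low, 2 Client-compatible, 3 High, 4 FIPS
    }
}

function Set-RdpSecurityBaseline {
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'"
    # NLA: the client must authenticate before the server creates a session, which
    # removes the pre-authentication attack surface of the logon screen.
    [void]$ts.SetUserAuthenticationRequired(1)
    # TLS instead of native RDP security: the server proves its identity with its
    # certificate, so a client can detect a man-in-the-middle.
    [void]$ts.SetSecurityLayer(2)
    # High: 128-bit encryption in both directions.
    [void]$ts.SetEncryptionLevel(3)
}

Set-RdpSecurityBaseline
Get-RdpSecuritySettings | Format-List

# With RD Gateway and RD Web Access publishing this host, 3389/TCP should be reachable
# only from the gateway and the LAN, never directly from the internet (hypothetical subnet):
#   netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=192.168.1.0/24
```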

[Screenshots of the Remote Desktop Licensing and Remote Desktop Web Access configuration (original pages 32 to 34) are not reproduced here.]

Security Audit Policies

Aside from configuring server roles and features that aid in the remote management of the network, the administrator
has also decided to configure security audit policies. As the administrator explains, a well-defined, timely auditing
strategy is essential to maintaining a secure environment. The administrator intends to use the Advanced Audit Policy
settings of Windows to configure the required settings; these replace the coarse legacy audit categories with
subcategories, so that, for example, credential validation can be audited without also logging every object access.
The audit strategy proposed by the administrator covers the users, computers and resources within the domain. A summary
of the audit strategy is shown below:

Classifying user account types.
Specifying the resources and data in terms of user accessibility.
Monitoring the activities of administrator user accounts.
Keeping track of and analysing the computers and applications that are part of the domain.
Auditing user account credential validations.
Monitoring how shared content is accessed by tracking the source of the request and the user account used for it.
Monitoring account management activities such as attempts to create, delete or modify user or computer accounts,
security groups or distribution groups.
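The following script is an added example, not part of the original assignment. It turns the strategy above into Advanced Audit Policy subcategories with auditpol, sets the value without which legacy category settings from a GPO silently overwrite them at the next refresh, and then extracts failed credential validations from the Security log grouped by account and source. The choice of subcategories, the 24-hour window and the event IDs are this example's own mapping of the strategy; run it elevated on the domain controller.

```powershell
# Added example, not part of the original assignment: apply the audit strategy as
# Advanced Audit Policy subcategories (Server 2008 R2) and review failed credential
# validations. Subcategory mapping, window and event IDs are this example's choices.

# 1. Subcategories covering credential validation, logons, account and group
#    management, share access (with client address) and sensitive privilege use.
$subcategories = @(
    'Credential Validation',         # 4776 (NTLM), 4768/4771 (Kerberos)
    'Logon',                         # 4624 success, 4625 failure
    'Special Logon',                 # 4672: logon holding admin-equivalent privileges
    'User Account Management',       # 4720 created, 4726 deleted, 4738 changed
    'Computer Account Management',   # 4741, 4742, 4743
    'Security Group Management',     # 4727-4735: group created/changed/member added
    'Distribution Group Management',
    'File Share',                    # 5140: share accessed, with the client address
    'Sensitive Privilege Use'        # 4673/4674: Backup, Restore, Take Ownership ...
)
foreach ($s in $subcategories) {
    auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}

# 2. Without this value, legacy category settings from a GPO overwrite the subcategory
#    settings at the next refresh. GPO equivalent: "Audit: Force audit policy
#    subcategory settings (Windows Vista or later) to override audit policy category settings".
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 3. Read the effective policy back.
auditpol /get /category:*

# 4. Failed credential validations grouped by account and source: the view that exposes
#    password spraying, a brute force from one host, or a service account with a stale password.
function Get-FailedCredentialValidations([int]$Hours = 24) {
    $filter = @{ LogName = 'Security'; Id = 4776, 4771, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        # 4776 is also logged for successes, with Status 0x0; keep failures only.
        if ($data['Status'] -ne '0x0') {
            $src = if ($data['Workstation']) { $data['Workstation'] }
                   elseif ($data['IpAddress']) { $data['IpAddress'] }
                   else { $data['WorkstationName'] }
            New-Object PSObject -Property @{
                Time = $_.TimeCreated; Id = $_.Id; Status = $data['Status']
                Account = $data['TargetUserName']; Source = $src
            }
        }
    } | Group-Object Account, Source | Sort-Object Count -Descending |
      Select-Object Count, Name
}
Get-FailedCredentialValidations -Hours 24 | Format-Table -AutoSize
```

A single account with many sources points at a spray or a compromised password; many accounts from a single source points at a scanning host. Either is worth a lockout-policy check against the "Account Lockout" subcategory (event 4740), which the same auditpol line enables.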

Task 4:
4.1

Testing the Network Infrastructure

Test Plan

1. Addressing - DNS
   Objective: Verify that network clients can reach network resources by name.
   Result: Replies received from PING messages sent to devices on the network.
   Analysis: The DNS configuration is functional and reachable by the various devices on the network.

2. Addressing - DHCP
   Objective: Verify that network clients receive IP addresses as defined in the DHCP scopes.
   Result: Addresses from the scope were assigned automatically to client machines on the network.
   Analysis: The DHCP server scopes are active and able to provide IP addressing to devices on the network.

3. User Rights - Logon Rights
   Objective: Verify the rights of users with administrative privileges.
   Result: Members of the Administrators group were able to access server files and folders.
   Analysis: OU configurations and policies have been linked appropriately.

4. User Rights - Shared Resources
   Objective: Verify user account permissions for shared files and folders.
   Result: Only members of the designated groups, such as the Administrators group, were able to modify and delete
   shared resources.
   Analysis: NTFS permissions are the primary control regulating folder access.

5. User Rights - Group Policy Settings
   Objective: Verify password policies and account lockout settings.
   Result: All user accounts are required to change their passwords within 7 days.
   Analysis: GPOs are configured accurately and linked to the required OUs (the password and lockout settings take
   effect from the domain-linked Default Domain Policy).

6. Security - Remote Access
   Objective: Verify successful remote user access.
   Result: Remote users were able to log on successfully through the VPN.
   Analysis: The SSL/TLS features of the VPN server are active and provide the required authentication of the server to
   those accessing the network.

7. Security - Audit Logs
   Objective: Verify the successful implementation of the above policies and settings.
   Result: Audit logs clearly display successful and unsuccessful attempts to access network resources.
   Analysis: Audit logging has been configured to cover all the important components of network infrastructure
   management.


4.2

Evaluating User and System Assurance

A final step in assuring that the implemented network can meet and manage the requirements of the environment is the
evaluation of the policies and settings applied. As suggested by the administrator, the evaluation should cover both
system and user assurance. The administrator has produced a report presenting the evaluation results.
Evaluation Report
Based on the configuration of the system implemented, the administrator tests the firewall and SSL/TLS settings applied
to the network's VPN server and remote access features. To check system security, the administrator invites members of
user groups that are not part of the Remote Access group to attempt to reach network resources from personal computers
that are not connected to the network. The TLS configuration of the SSTP VPN provides an encrypted bidirectional
transport in which the server proves its identity with its certificate and the user must then authenticate with domain
credentials. TLS makes it harder for an attacker to penetrate the environment and provides confidentiality and integrity
for an active session; it does not by itself protect weak or stolen credentials, which is why access is restricted to
the Remote Access group and why logon attempts are audited.

In addition to evaluating how easily an attacker could reach resources, the test also covered the visibility of
resources. Users in the Remote Access group were asked individually to access the network and attempt to reach resources
not assigned to them. The NTFS permissions applied to private and confidential resources, such as the files and folders
belonging to the Accounting group, together with the Group Policies linked to the Remote Access group, do not allow users
outside the Accounting group to view, access or modify the data linked to its OU. Remote Access users are only able to
view and access the network resources that have been made available through the VPN server, and only after providing
their network credentials.


In addition to evaluating system security and accessibility, the administrator has also tested the infrastructure's
policy settings, specifically those related to inheritance. Permission inheritance is a default characteristic of all
Windows folders and objects; it is designed to ease the task of managing permissions and to ensure that consistent rules
apply to the objects within a given container. However, the network's architecture is such that not all Organizational
Units require inherited permissions to be applied to all sub-containers.
For example, the Administrators group has 5 members, but as per the organization's requirements not all administrators
are to have access to certain files and folders. Permissions are generally applied at the parent container and inherited
downward, so the general entry for the Administrators group on these folders has been set to deny access. To grant access
to the appointed administrator, an explicit entry for that user account is added on the restricted folders themselves;
because explicit entries are evaluated before inherited ones, this entry takes precedence over the inherited group entry
without being affected by it. During the evaluation only that administrator was able to access and modify the data within
the restricted folders, confirming that the policies have been applied as per the organization's requirements. Note that
this separates duties for convenience rather than forming a hard security boundary: any member of the Administrators
group retains the Take Ownership privilege and could regain access, and the audit policy is what makes such an action
visible.
The above report, along with the system test and analysis presented earlier, gives the organization assurance of the
effectiveness of the newly implemented network infrastructure management system while also providing it with a better
understanding of the workings of the features supporting the infrastructure.

Task 5:
Assignment review
I am very grateful for this opportunity that was presented to me in taking this assignment. Intending to sit for my
Microsoft Server 2008 certification, I found this to be a great opportunity to relook at several server services and
features that I had forgotten. Though my classroom training provided highly useful hands-on practice sessions, there is
only so much that can be covered during study sessions bound by time. Looking up and researching topics and reading
actual documentation for certain procedures was certainly taxing but rewarding at the same time.
This assignment provided an opportunity for me to revisit all that I had learned during my training and apply it to real
life scenarios. It also allowed me to brush up my practical skills by getting involved in hands-on tasks. It further
helped me in improving my analytical thinking skills by providing scenarios that required me to question what, which and
how.
It has also provided an opportunity for me to update myself on server hardware and related technology being used
currently.
Lastly, I would like to note that while this submission may have weak points, I gave it my best try and would like to
continue improving myself for future assignments.

References:
1. http://www.wisegeek.org/what-is-network-infrastructure.htm (Task 1)
2. http://compnetworking.about.com/cs/domainnamesystem/g/bldef_dns.htm (Task 1)
3. https://www.novell.com/developer/develop_to_edirectory.html (Task 1)
4. https://dirteam.com/sander/2006/10/08/active-directory-and-edirectory/ (Task 1)
5. https://en.wikipedia.org/wiki/Windows_System_Resource_Manager (Task 1)
6. http://blog.pluralsight.com/windows-server-2008-active-directory-user-groups (Task 1)
7. https://kb.iu.edu/d/adov (Task 2)
8. https://technet.microsoft.com/en-us/library/dd349804%28v=ws.10%29.aspx?f=255&MSPPError=2147217396 (Task 2)
9. http://www.howtogeek.com/99723/how-to-set-up-dhcp-in-server-2008-r2/ (Task 3)
10. http://www.windowsecurity.com/articles-tutorials/windows_os_security/Top5-Security-Settings-GroupPolicy-Windows-Server-2008.html (Task 3)
11. http://searchsecurity.techtarget.com/definition/SSL-VPN (Task 4)
