
STUDENT SKILLS COMPETITION

VOCATIONAL HIGH SCHOOL

NATIONAL LEVEL XXV 2017

MODULE B
SYSTEM INTEGRATION ISLAND

IT NETWORK SYSTEMS ADMINISTRATION
LKS2017_ITNSA_MODULB
ISLAND 2 – SYSTEM INTEGRATION ISLAND
CONTENTS
This Test Project proposal consists of the following document/file:
LKSN2017_ITNSA_MODUL2.pdf

INTRODUCTION
The competition has a fixed start and finish time. You must decide how to best divide your
time.
Please carefully read the following instructions!
When the competition time ends, please leave your station in a running state.
Please do not touch the VMware configuration or the configuration of the VM
itself, except the CD-ROM / HDD drives.
PHYSICAL MACHINE (HOST)
FOLDER PATHS
Virtual Machines: E:\Virtual Machine
ISO Images: E:\Apps

Version: 1.0
LKSN2017_ITNSA
Date: 29.11.2017
PART I
WORK TASK INSTALLATION (WINSRV1, WINSRV2, LNXSRV1, LNXSRV2)
Note: Please use the default configuration if you are not given details.

WORK TASK SERVER WINSRV1


Configure the server with the hostname, domain and IP specified in the appendix.
o Modify the default Firewall rules to allow ICMP (ping) traffic
o Install Active Directory Domain Services for indonesiahebat.net.
  ▪ Create a new Organization Unit named InaHebat2017. All new users and groups must be created in this OU.
  ▪ Create the users and global security groups with members as indicated in the table in the Appendix. Use Jakarta2017 as the password for all user accounts.
o DNS
  ▪ Create a forward zone called “indonesiahebat.net”
  ▪ Create a reverse zone for the IP range.
  ▪ Create 3 subdomains:
    - info.indonesiahebat.net
    - training.indonesiahebat.net
    - competition.indonesiahebat.net
  ▪ Create a secondary zone for smkhebat.org and use this server as the backup DNS for the smkhebat.org domain
  ▪ Host and service records have to be created in DNS for all servers and clients.
o PKI (Public Key Infrastructure)
  ▪ Install and configure Certificate Service
  ▪ Install only the “Certificate Authority”
  ▪ Create a template for Clients AND Servers
    - Name the template “ITNSA-ClientServerCert”
    - Publish the template in Active Directory
    - Set the subject name format to “common name”
o GPO – Password Policies
  ▪ Ensure the company user password meets the following criteria:
    - Domain passwords will be at least 6 characters.
    - Strong passwords need not be enforced.
    - Passwords will not be stored with reversible encryption.
    - Passwords will be changed exactly every 90 days.
    - Accounts will be locked out for 30 minutes after three invalid logon attempts.
  ▪ The password of the users in the IT group must meet the following criteria:
    - Domain passwords will be at least 10 characters.
    - Strong passwords will be enforced.
    - Passwords will not be stored with reversible encryption.
    - Passwords will be changed exactly every 30 days.
    - Accounts will be locked out for 15 minutes after two invalid logon attempts.
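
Password and lockout settings delivered by GPO take effect only at domain level, so the stricter IT requirements need a fine-grained password policy (a Password Settings Object) linked to the IT global security group. The following is an added example, not part of the test project; the PSO name and precedence are hypothetical, and the lockout counter reset window and the reading of "changed every N days" as the maximum password age are assumptions.

```powershell
# Added example: run on WINSRV1 as a domain administrator.
# 'ITNSA-IT-PSO' and the precedence value are hypothetical; all other
# values are the ones listed in the task.
Import-Module ActiveDirectory

$Domain = 'indonesiahebat.net'

# Company-wide baseline (stored in the Default Domain Policy).
# Assumptions: "changed every 90 days" is the maximum password age, and the
# lockout counter reset window (not given in the task) equals the duration.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MinPasswordLength 6 `
    -ComplexityEnabled $false `
    -ReversibleEncryptionEnabled $false `
    -MaxPasswordAge '90.00:00:00' `
    -LockoutThreshold 3 `
    -LockoutDuration '00:30:00' `
    -LockoutObservationWindow '00:30:00'

# Stricter settings for the IT group as a Password Settings Object.
# A PSO can only be applied to users and global security groups.
New-ADFineGrainedPasswordPolicy -Name 'ITNSA-IT-PSO' -Precedence 10 `
    -MinPasswordLength 10 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MaxPasswordAge '30.00:00:00' `
    -LockoutThreshold 2 `
    -LockoutDuration '00:15:00' `
    -LockoutObservationWindow '00:15:00'

Add-ADFineGrainedPasswordPolicySubject -Identity 'ITNSA-IT-PSO' -Subjects 'IT'

# Verification: the domain default, then the policy that actually wins for
# one IT user (it01 is from the user list in the appendix). The second
# command returns nothing for accounts that only get the domain default.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain
Get-ADUserResultantPasswordPolicy -Identity 'it01'
```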

o GPO – Security Policies
  ▪ At logon on WINCLT2, users should see this message before logging in: Message Title: “Welcome to Indonesiahebat2017” with Message Text “Only authorized personnel allowed to access.” and prohibit this message on all servers.
  ▪ All users, except the IT group, are not allowed to access the display settings in the Control Panel.
  ▪ Disable "First Sign-in Animation" for all Windows 8.1 clients
  ▪ Disable the use of “cmd” and “run” for the Visitor group
o VPN SERVER (RRAS)
  ▪ Set up and configure the VPN service (RRAS)
  ▪ Use the following IP range for the VPN clients: 192.168.50.100 – 192.168.50.150 (provided by the RRAS service)
  ▪ With a VPN connection the user should be able to access the shares on WINSRV2
  ▪ Only users in the sales group should be able to connect to the VPN server
  ▪ Remote clients should be able to access the VPN server via the IP address 143.25.100.1

WORK TASK SERVER WINSRV2


Configure the server with the hostname, domain and IP specified in the appendix.
o Modify the default Firewall rules to allow ICMP (ping) traffic
o Install Active Directory Domain Services for smkhebat.org.
  ▪ Administrator password should be Jakarta2017
  ▪ Enable two-way trust between the indonesiahebat.net forest and the smkhebat.org forest.
  ▪ Users from each of the forests are able to access resources in both forests.
o DNS
  ▪ Create a forward zone called “smkhebat.org”
  ▪ Create a reverse zone for the IP range defined in VLAN 31.
  ▪ Create a secondary zone for indonesiahebat.net and use this server as the backup DNS for the indonesiahebat.net domain
  ▪ Host and service records have to be created in DNS for all servers and clients.
o Web Server (IIS)
  ▪ Set up the company web server www.smkhebat.org

WORK TASK SERVER WINSRV1 & WINSRV2
o Install Distributed File System
  ▪ Create “skills” as the root DFS Namespace in a Domain-based namespace in 2008 mode.
  ▪ Create DFS share folders and configure the folder targets as indicated in the following table.
  ▪ Enable DFS Replication between WINSRV1 and WINSRV2.

DFS Namespace Share Folders              Folder Target        Local Folder on both Servers     Description
\\indonesiahebat.net\skills\rfolders     \\WINSRV1\rfolders   C:\share\rfolders (on WINSRV1)   Folder Redirection & home folder
                                         \\WINSRV2\rfolders   E:\share\rfolders (on WINSRV2)
\\indonesiahebat.net\skills\IT           \\WINSRV1\IT         C:\share\IT (on WINSRV1)         Departmental Share for IT
                                         \\WINSRV2\IT         E:\share\IT (on WINSRV2)
\\indonesiahebat.net\skills\Sales        \\WINSRV1\Sales      C:\share\Sales (on WINSRV1)      Departmental Share for Sales
                                         \\WINSRV2\Sales      E:\share\Sales (on WINSRV2)
\\indonesiahebat.net\skills\Marketing    \\WINSRV1\Mkt        C:\share\Mkt (on WINSRV1)        Departmental Share for Marketing
                                         \\WINSRV2\Mkt        E:\share\Mkt (on WINSRV2)

o Configure user profiles and share folders:
  ▪ Create each user's home folder \\indonesiahebat.net\skills\rfolders\username and ensure it is mapped to Z: at each logon automatically.
    - Limit the storage space of every home folder to 50MB
    - Prevent any .exe and .bat files from being stored in the home folder.
  ▪ Redirect the Documents folder to \\indonesiahebat.net\skills\rfolders\username\Documents.
  ▪ Create departmental share folders on \\indonesiahebat.net\skills\IT, \\indonesiahebat.net\skills\Sales and \\indonesiahebat.net\skills\Marketing and map the respective share folder to Y: at logon, depending on the department the user is in. Users should not be allowed to access other departments’ or users' home shares.
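
One way to enforce the 50MB limit and the .exe/.bat restriction on the home folders is File Server Resource Manager (FSRM). The following is an added example, not part of the test project; the template and file group names are hypothetical, and the path is the WINSRV1 local folder from the DFS table.

```powershell
# Added example: FSRM quota and file screen for the home-folder root on WINSRV1.
# 'Home-50MB' and 'Blocked-Executables' are hypothetical names.
Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# Local folder behind \\indonesiahebat.net\skills\rfolders on this server.
# On WINSRV2 the same steps apply to E:\share\rfolders, because FSRM settings
# are per server and are not carried over by DFS Replication.
$HomeRoot = 'C:\share\rfolders'

# Hard 50 MB limit (a template is hard unless -SoftLimit is given), applied
# automatically to every existing and future subfolder, one per user.
New-FsrmQuotaTemplate -Name 'Home-50MB' -Size 50MB
New-FsrmAutoQuota -Path $HomeRoot -Template 'Home-50MB'

# Active screening blocks the write; a passive screen would only report it.
New-FsrmFileGroup -Name 'Blocked-Executables' -IncludePattern @('*.exe', '*.bat')
New-FsrmFileScreen -Path $HomeRoot -IncludeGroup 'Blocked-Executables' -Active

# Check what is actually enforced on the root.
Get-FsrmAutoQuota -Path $HomeRoot | Select-Object Path, Template
Get-FsrmFileScreen -Path $HomeRoot | Select-Object Path, Active, IncludeGroup
```

File screens match on the file name pattern only, so a renamed executable is not caught; the screen covers the stated requirement but is not a substitute for execution control on the clients.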

WORK TASK SERVER LNXSRV1

Configure the server with the hostname, domain and IP specified in the appendix.
o Create 50 local UNIX users (userxx) with password “Jakarta2017”
o FreeRadius Server
  ▪ Configure the RADIUS server for router and switch access authentication. Use “Secret1234” as the shared key.
  ▪ Create “SW1” with password “LKSN2017”. It will be used for switch access authentication.
  ▪ Create “RO1” with password “LKSN2017”. It will be used for router access authentication.
o NTP Server
  ▪ Set up the NTP server service. Use the local clock as the time server source
o DHCP Server
  Pool AOCC
  ▪ Range: 10.99.111.51 – 10.99.111.100
  ▪ Netmask: /25

  ▪ Gateway: 10.99.111.1
  ▪ DNS: 10.99.112.2

  Pool OUTSIDE
  ▪ Range: 220.17.8.36 – 220.17.8.40
  ▪ Netmask: /28
  ▪ Gateway: 220.17.8.45
  ▪ DNS: 220.17.8.42

WORK TASK SERVER LNXSRV2


Configure the server with the hostname, domain and IP specified in the appendix.
o Web Server (nginx)
  ▪ Create 3 virtual web hosts for info.indonesiahebat.net, training.indonesiahebat.net and competition.indonesiahebat.net
  ▪ Make sure “http://training.indonesiahebat.net” is protected by authentication
o Create users from “client01” to “client02”
o Mail Server & Web Mail
  ▪ Create users budi and ani
  ▪ Make sure they have access via POP3, IMAP and SMTP
  ▪ Before you finish your project make sure you send an email message from budi to ani and another message from ani to budi
  ▪ Do not delete these email messages.
o Cacti
  ▪ Install Cacti
  ▪ Create an admin user “master” with password “Jakarta2017”
  ▪ Create a graph showing the statistics of the CPU, memory and interface traffic of LNXSRV1, RO1 and SW1

PART II
WORK TASK NETWORK CONFIGURATION (RO1, SW1)
Note: Please use the default configuration if you are not given details.

WORK TASK ROUTER (RO1) & SWITCH (SW1)

o Use Indonesia2017 as the secret password
o The console line must log in with the password LKSN2017
o Configure AAA login with lnxsrv1 as the RADIUS server
o Create username admin with password LKSN2017 as the failover user if the RADIUS server is not available
o Enable SSH access with authentication using the RADIUS server (lnxsrv1)
o Encrypt all clear-text passwords
o Configure banner MOTD “AUTHORIZED ACCESS ONLY”
o Configure VLAN and IP Address

Device  Interface         VLAN ID              Description / VLAN Name   IP Address
RO1     Gi0/0             -                    -                         220.17.8.45/28
RO1     Gi0/1.30          30                   DESC                      10.99.110.62/26
RO1     Gi0/1.31          31                   AOCC                      10.99.111.1/25
RO1     Gi0/1.32          32                   VOICE                     10.99.111.129/25
RO1     Gi0/1.33          33                   CDCC                      10.99.112.1/27
RO1     Gi0/1.99          99                   NATIVE                    10.0.0.1/28
SW1     Fa0/20 – Fa0/24   99                   NATIVE                    10.0.0.2/28
SW1     Fa0/1 – Fa0/4     33                   CDCC                      -
SW1     Fa0/5 – Fa0/12    31 Data & 32 Voice   31 = AOCC, 32 = VOICE     -
SW1     Fa0/13 – Fa0/20   30                   DESC                      -

WORK TASK ROUTER (RO1)


o Configure the server with the hostname RO1
o Configure DHCP Relay for VLAN “AOCC” to lnxsrv1
o Configure NAT / PAT
  ▪ Configure NAT Overload using interface Gi0/0 with inside local VLAN AOCC
  ▪ Configure Static NAT
  ▪ Static NAT to lnxsrv2 with IP address 220.17.8.41
  ▪ Static NAT to winsrv1 with IP address 220.17.8.42
o Telephony Service
o Number 999 is used for paging all phones of the company

o Configure button 2 on hqvph1 to call directly to the paging extension
o Configure Intercom service with the extension 199
o Access Control List (ACL)
  ▪ Configure an access list with the rules below
    - Ensure outside can access lnxsrv2 and winsrv1 using the outside IP of RO1
    - Allow access from outside to web server lnxsrv1 and winsrv2
    - Deny other traffic from outside to inside
o SNMP

WORK TASK SWITCH (SW1)


o Configure the server with the hostname SW1
o Configure port interface
  ▪ Port 24 trunk mode to ro1
  ▪ Port 1 for lnxsrv1 and lnxsrv2
  ▪ Port 13 for winsrv1
  ▪ Port 14 for winsrv2
  ▪ Port 5 for hqvph1
  ▪ Port 6 for winclnt1
o Configure port security with a maximum of 3 MAC addresses and violation shutdown for the ports to lnxsrv1, lnxsrv2, winsrv1 and winsrv2

PART III
WORK TASK WINDOWS CLIENT (WINCLT1, WINCLT2, IP PHONE)
Note: Please use the default configuration if you are not given details.

WORK TASK WINDOWS EXTERNAL (WINCLT1)

Configure the server with the hostname, domain and IP specified in the appendix.
o Connect WINCLT1 to the outside of RO1
o Configure the VPN client to connect to winsrv1

WORK TASK WINDOWS INTERNAL (WINCLT2)

Configure the server with the hostname, domain and IP specified in the appendix.
o Connect the WINCLT to the switch VLAN AOCC
o Join the notebook to the domain
o Install and configure Cisco IP Communicator with number 101

WORK TASK IP PHONE (HQVPH1)

Note: Please use the default configuration if you are not given the details.
  ▪ Connect LAN cables and configure IP addresses according to the network diagram in the appendix
  ▪ Configure with number 100
  ▪ Make sure the VoIP phone is using VLAN19 for its VoIP traffic
  ▪ The traffic of the connected computer shall use VLAN11

APPENDIX
SPECIFICATIONS

WINSRV1
Computer name: WINSRV1
Operating System: MS Windows 2012 R2
Domain Name: indonesiahebat.net
Administrator User name: Administrator
Administrator password: Jakarta2017
IP address: 10.99.122.2/28
Domain NetBIOS Name: HEBAT

WINSRV2
Computer name: WINSRV2
Operating System: MS Windows 2012 R2
Domain Name: smkhebat.org
Administrator User name: Administrator
Administrator password: Jakarta2017
IP address: 10.99.122.3/28
Domain NetBIOS Name: HEBAT

LNXSRV1
Computer name: LNXSRV1
Operating System: Linux Debian 7.8
User name: root
Password: Jakarta2017
IP address: 10.99.110.1/26

LNXSRV2
Computer name: LNXSRV2
Operating System: Linux Debian 7.8
User name: root
Password: Jakarta2017
IP address: 10.99.110.2/26

WINCLT1
Computer name: WINCLT1
Operating System: MS Windows 8.1
User name: Administrator
Password: Jakarta2017
Domain name: Indonesiahebat.net
IP address: DHCP

WINCLT2
Computer name: WINCLT2
Operating System: MS Windows 8.1
User name: Administrator
Password: Jakarta2017
Domain name: indonesiahebat.net
IP address: DHCP

NETWORK SPECIFICATION
VLAN DESC (ID: 30) 10.99.110.0/26
VLAN AOCC (ID: 31) 10.99.111.0/25
VLAN VOICE (ID: 32) 10.99.111.128/25
VLAN CDCC (ID: 33) 10.99.112.0/27
VLAN NATIVE (ID: 99) 10.0.0.0/28
OUTSIDE 220.17.8.0/28

DOMAIN USER LIST


Group Members
IT itXX (01 – 50)
Marketing mktXX (01 – 50)
Visitors vtrXX (01 - 30)
Employees IT, Marketing

NETWORK SPECIFICATION

NETWORK DIAGRAM
MODUL B – SYSTEM INTEGRATION & CISCO ISLAND

[Network diagram: two Windows 8.1 host machines (PC1, PC2) running the virtual machines winsrv1, winsrv2, lnxsrv1, lnxsrv2, winclnt1 (external) and winclnt2 (internal) on VMnet1, VMnet2 and VMnet3, connected through SW1 and RO1, with an IP phone. Each node is labelled with its OS, credentials, IP address and services.]
