
STUDENT SKILLS COMPETITION (LOMBA KETERAMPILAN SISWA)

VOCATIONAL HIGH SCHOOL

NATIONAL LEVEL XXV 2017

MODULE B
SYSTEM INTEGRATION ISLAND

IT NETWORK SYSTEMS ADMINISTRATION
LKS2017_ITNSA_MODULB
ISLAND 2 SYSTEM INTEGRATION ISLAND
CONTENTS
This Test Project proposal consists of the following document/file:
LKSN2017_ITNSA_MODUL2.pdf

INTRODUCTION
The competition has a fixed start and finish time. You must decide how to best divide your time.
Please carefully read the following instructions!
When the competition time ends, please leave your station in a running state.
Please do not touch the VMware configuration or the configuration of the VM itself, except the CD-ROM / HDD drives.
PHYSICAL MACHINE (HOST)
FOLDER PATHS
Virtual Machines: E:\Virtual Machine
ISO Images: E:\Apps

Version: 1.0
LKSN2017_ITNSA
Date: 29.11.2017
PART I
WORK TASK INSTALLATION (WINSRV1, WINSRV2, LNXSRV1, LNXSRV2)
Note: Please use the default configuration if you are not given details.

WORK TASK SERVER WINSRV1


Configure the server with the hostname, domain and IP specified in the appendix.
o Modify the default Firewall rules to allow ICMP (ping) traffic
o Install Active Directory Domain Services for indonesiahebat.net.
Create a new Organization Unit named InaHebat2017. All new users and groups must be
created in this OU.
Create the user and security global group with members as indicated in the table in
Appendix. Use Jakarta2017 as the password for all user accounts.
o DNS
Create a forward zone called indonesiahebat.net
Create a reverse zone for the IP range.
Create 3 subdomains:
- info.indonesiahebat.net
- training.indonesiahebat.net
- competition.indonesiahebat.net
Create a secondary zone for smkhebat.org and use this server as the backup DNS
for the smkhebat.org domain
Host and service records have to be created in DNS for all servers and clients.
o PKI (Public Key Infrastructure)
Install and configure Certificate Service
Install only the Certificate Authority
Create a template for Clients AND Servers
- Name the template ITNSA-ClientServerCert
- Publish the template in Active Directory
- Set the subject name format to common name
o GPO Password Policies
Ensure the company user password must meet the following criteria:
- Domain passwords will be at least 6 characters.
- Strong passwords need not be enforced.
- Passwords will not be stored with reversible encryption.
- Passwords will be changed exactly every 90 days.
- Accounts will be locked out for 30 minutes after three invalid logon attempts.
The password of the users in IT group must meet the following criteria:
- Domain passwords will be at least 10 characters.
- Strong passwords will be enforced.
- Passwords will not be stored with reversible encryption.
- Passwords will be changed exactly every 30 days.
- Accounts will be locked out for 15 minutes after two invalid logon attempts.

o GPO Security Policies
At logon on WINCLT2, users should see this message before logging in. Message Title: "Welcome to Indonesiahebat2017"; Message Text: "Only authorized personnel allowed to access." This message must not be shown on any of the servers.
All users, except the IT group, are not allowed to access the display settings on the Control
Panel.
disable "First Sign-in Animation" for all Windows 8.1 clients
disable the use of cmd and run for the Visitor group
o VPN SERVER (RRAS)
setup and configure the VPN service (RRAS)
use the following IP Range for the VPN Clients: 192.168.50.100 - 192.168.50.150 (provided by RRAS service)
With a VPN connection the user should be able to access to the shares on WINSRV2
Only users in the sales group should be able to connect to the VPN server
Remote Clients should be able to access the vpn server via the ip address 143.25.100.1

WORK TASK SERVER WINSRV2


Configure the server with the hostname, domain and IP specified in the appendix.
o Modify the default Firewall rules to allow ICMP (ping) traffic
o Install Active Directory Domain Services for smkhebat.org.
Administrator password should be Jakarta2017
Enable two-way trust between indonesiahebat.net forest and smkhebat.org forest.
Users from each of the forests are able to access resources in both forests.
o DNS
Create a forward zone called smkhebat.org
Create a reverse zone for the IP range defined in VLAN 31.
Create a secondary zone for indonesiahebat.net and use this server as the backup DNS for
the indonesiahebat.net domain
Host and service records have to be created in DNS for all servers and clients.
o Web Server (IIS)
Setup the company web server www.smkhebat.org

WORK TASK SERVER WINSRV1 & WINSRV2
o Install Distributed File System
Create skills as the root DFS Namespace in a Domain-based namespace in 2008 mode.
Create DFS share folders and configure the folder targets as indicated in the following table.
Enable DFS Replication between WINSRV1 and WINSRV2.

DFS Namespace Share Folders           Folder Target        Local Folder on both Servers    Description
\\indonesiahebat.net\skills\rfolders  \\WINSRV1\rfolders   C:\share\rfolders On WINSRV1    Folder Redirection & home folder
                                      \\WINSRV2\rfolders   E:\share\rfolders On WINSRV2
\\indonesiahebat.net\skills\IT        \\WINSRV1\IT         C:\share\IT On WINSRV1          Departmental Share for IT
                                      \\WINSRV2\IT         E:\share\IT On WINSRV2
\\indonesiahebat.net\skills\Sales     \\WINSRV1\Sales      C:\share\Sales On WINSRV1       Departmental Share for Sales
                                      \\WINSRV2\Sales      E:\share\Sales On WINSRV2
\\indonesiahebat.net\skills\Marketing \\WINSRV1\Mkt        C:\share\Mkt On WINSRV1         Departmental Share for Marketing
                                      \\WINSRV2\Mkt        E:\share\Mkt On WINSRV2

o Configure users profiles and share folders:


Create each user's home folder at \\indonesiahebat.net\skills\rfolders\username and ensure it is mapped to Z: automatically at each logon.
- Limit the storage space of every home folder to 50MB
- Prevent any .exe and .bat files from being stored in the home folder.
Redirect the Documents folder to
\\indonesiahebat.net\skills\rfolders\username\Documents.
Create departmental share folders on \\indonesiahebat.net\skills\IT,
\\indonesiahebat.net\skills\Sales and \\indonesiahebat.net\skills\Marketing and map the
respective share folder to Y: at logon, depending on the department the user is in. Users
should not be allowed to access other departments or users home shares.

WORK TASK SERVER LNXSRV1


Configure the server with the hostname, domain and IP specified in the appendix.
o Create 50 local UNIX users (userxx) with password Jakarta2017
o FreeRadius Server
Configure the RADIUS server for router and switch access authentication. Use Secret1234 as the shared key.
Create SW1 with password LKSN2017. Will be used for switch access authentication.
Create RO1 with password LKSN2017. Will be used for router access authentication.
o NTP Server
Set NTP server service. Use local clock as time server source
o DHCP Server
Pool AOCC
Range: 10.99.111.51 - 10.99.111.100
Netmask: /25
Gateway: 10.99.111.1
DNS: 10.99.112.2

Pool OUTSIDE
Range: 220.17.8.36 - 220.17.8.40
Netmask: /28
Gateway: 220.17.8.45
DNS: 220.17.8.42

WORK TASK SERVER LNXSRV2


Configure the server with the hostname, domain and IP specified in the appendix.
o Web Server (nginx)
Create 3 virtual web hosts for info.indonesiahebat.net, training.indonesiahebat.net and competition.indonesiahebat.net
Make sure http://training.indonesiahebat.net is protected by authentication
o Create users from client01 to client02
o Mail Server & Web Mail
Create users budi and ani
Make sure they have access via POP3, IMAP and SMTP
Before you finish your project make sure you send an email message from budi to ani and
another message from ani to budi
Do not delete these email messages.
o Cacti
Install Cacti
Create an admin-user master with password Jakarta2017
Create a graph showing the statistics of the CPU, Memory and interfaces traffic of the
LNXSRV1, RO1 and SW1

PART II
WORK TASK NETWORK CONFIGURATION (RO1, SW1)
Note: Please use the default configuration if you are not given details.

WORK TASK ROUTER (RO1) & SWITCH (SW1)


o Use Indonesia2017 as the secret password
o The console line must log in with the password LKSN2017
o Configure AAA login with lnxsrv1 as the RADIUS server
o Create username admin with password LKSN2017 as the failover user if the RADIUS server is not available
o Enable SSH access with authentication using the RADIUS server (lnxsrv1)
o Encrypt all clear text passwords
o Configure banner MOTD AUTHORIZED ACCESS ONLY
o Configure VLAN and IP Address
Device  Interface  VLAN ID             Description / VLAN Name  IP Address
RO1     Gi0/0      -                   -                        220.17.8.45/28
RO1     Gi0/1.30   30                  DESC                     10.99.110.62/26
RO1     Gi0/1.31   31                  AOCC                     10.99.111.1/25
RO1     Gi0/1.32   32                  VOICE                    10.99.111.129/25
RO1     Gi0/1.33   33                  CDCC                     10.99.112.1/27
RO1     Gi0/1.99   99                  NATIVE                   10.0.0.1/28
SW1     Fa0/20     99                  NATIVE                   10.0.0.2/28
        Fa0/24
SW1     Fa0/1      33                  CDCC                     -
        Fa0/4
SW1     Fa0/5      31 Data & 32 Voice  31 = AOCC, 32 = VOICE    -
        Fa0/12
SW1     Fa0/13     30                  DESC                     -
        Fa0/20

WORK TASK ROUTER (RO1)


o Configure the server with the hostname RO1
o Configure DHCP Relay for VLAN AOCC to lnxsrv1
o Configure NAT / PAT
Configure NAT Overload using interface gi0/0 with inside local VLAN AOCC
Configure Static NAT
Static NAT to lnxsrv2 with IP address 220.17.8.41
Static NAT to winsrv1 with IP address 220.17.8.42
o Telephony Service
o Number 999 is used for paging all phones of the company

o Configure button 2 on hqvph1 to call directly to paging extension
o Configure Intercom service with the extension 199
o Access Control List (ACL)
Configure Access List with rule below
- Ensure outside can access to lnxsrv2 and winsrv1 using IP outside of RO1
- Allow access from outside to web server lnxsrv1 and winsrv2
- Deny other traffic from outside to inside
o SNMP

WORK TASK SWITCH (SW1)


o Configure the server with the hostname SW1
o Configure port interface
Port 24 trunk mode to ro1
Port 1 for lnxsrv1 and lnxsrv2
Port 13 for winsrv1
Port 14 for winsrv2
Port 5 for hqvph1
Port 6 for winclnt1
o Configure port security with a maximum of 3 MAC addresses and violation shutdown for the ports to lnxsrv1, lnxsrv2, winsrv1 and winsrv2

PART III
WORK TASK WINDOWS CLIENT (WINCLT1, WINCLT2, IP PHONE)
Note: Please use the default configuration if you are not given details.

WORK TASK WINDOWS EXTERNAL (WINCLT1)


Configure the server with the hostname, domain and IP specified in the appendix.
o Connect the WINCLT1 to the outside RO1
o Configure the VPN client to connect to winsrv1

WORK TASK WINDOWS INTERNAL (WINCLT2)


Configure the server with the hostname, domain and IP specified in the appendix.
o Connect the WINCLT to the switch VLAN AOCC
o Join the notebook to the domain
o Install and configure Cisco IP Communicator with number 101

WORK TASK IP PHONE (HQVPH1)


Note: Please use the default configuration if you are not given the details.
Connect LAN cables and configure IP addresses according to the network diagram in the
appendix
Configure with number 100
Make sure the VoIP-phone is using VLAN19 for its VoIP-traffic
The traffic of the connected computer shall use VLAN11

APPENDIX
SPECIFICATIONS

WINSRV1
Computer name: WINSRV1
Operating System MS Windows 2012 R2
Domain Name: indonesiahebat.net
Administrator User name: Administrator
Administrator password: Jakarta2017
IP address: 10.99.122.2/28
Domain NetBIOS Name: HEBAT

WINSRV2
Computer name: WINSRV2
Operating System MS Windows 2012 R2
Domain Name: smkhebat.org
Administrator User name: Administrator
Administrator password: Jakarta2017
IP address: 10.99.122.3/28
Domain NetBIOS Name: HEBAT

LNXSRV1
Computer name: LNXSRV1
Operating System Linux Debian 7.8
User name: root
Password: Jakarta2017

IP address: 10.99.110.1/26

LNXSRV2
Computer name: LNXSRV2
Operating System Linux Debian 7.8
User name: root
Password: Jakarta2017

IP address: 10.99.110.2/26

WINCLT1
Computer name: WINCLT1
Operating System MS Windows 8.1
User name: Administrator
Password: Jakarta2017
Domain name: Indonesiahebat.net

IP address: DHCP

WINCLT2
Computer name: WINCLT2
Operating System MS Windows 8.1
User name: Administrator
Password: Jakarta2017
Domain name: indonesiahebat.net

IP address: DHCP

NETWORK SPECIFICATION
VLAN DESC (ID: 30) 10.99.110.0/26
VLAN AOCC (ID: 31) 10.99.111.0/25
VLAN VOICE (ID: 32) 10.99.111.128/25
VLAN CDCC (ID: 33) 10.99.112.0/27
VLAN NATIVE (ID: 99) 10.0.0.0/28
OUTSIDE 220.17.8.0/28
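
An added example (not part of the original task sheet): a Python check that the RO1 interface addresses, the LNXSRV1 DHCP pools and the server addresses given on this sheet fall inside the segments listed above. It only reports values that disagree with the segment list; it does not decide which of the two values is the intended one.

```python
import ipaddress as ip

# Values copied from this task sheet: appendix segment list, RO1 interface
# table, LNXSRV1 DHCP pools and the server addresses in the appendix.
SEGMENTS = {
    "DESC": "10.99.110.0/26", "AOCC": "10.99.111.0/25",
    "VOICE": "10.99.111.128/25", "CDCC": "10.99.112.0/27",
    "NATIVE": "10.0.0.0/28", "OUTSIDE": "220.17.8.0/28",
}
RO1_INTERFACES = {
    "OUTSIDE": "220.17.8.45/28", "DESC": "10.99.110.62/26",
    "AOCC": "10.99.111.1/25", "VOICE": "10.99.111.129/25",
    "CDCC": "10.99.112.1/27", "NATIVE": "10.0.0.1/28",
}
DHCP_POOLS = {  # segment: (first, last, prefix length, gateway)
    "AOCC": ("10.99.111.51", "10.99.111.100", 25, "10.99.111.1"),
    "OUTSIDE": ("220.17.8.36", "220.17.8.40", 28, "220.17.8.45"),
}
SERVERS = {
    "WINSRV1": "10.99.122.2/28", "WINSRV2": "10.99.122.3/28",
    "LNXSRV1": "10.99.110.1/26", "LNXSRV2": "10.99.110.2/26",
}

def check_plan():
    """Return (item, detail) pairs for every value that disagrees with SEGMENTS."""
    nets = {name: ip.ip_network(cidr) for name, cidr in SEGMENTS.items()}
    findings = []
    for seg, addr in RO1_INTERFACES.items():
        actual = ip.ip_interface(addr).network
        if actual != nets[seg]:
            findings.append((f"RO1 {seg}", f"{addr} is in {actual}, not {nets[seg]}"))
    for seg, (first, last, plen, gateway) in DHCP_POOLS.items():
        pool_net = ip.ip_network(f"{first}/{plen}", strict=False)
        if pool_net != nets[seg]:
            findings.append((f"pool {seg}", f"range is in {pool_net}, not {nets[seg]}"))
        # The last lease and the gateway must share the pool's subnet.
        for label, value in (("last address", last), ("gateway", gateway)):
            if ip.ip_address(value) not in pool_net:
                findings.append((f"pool {seg}", f"{label} {value} is outside {pool_net}"))
    for host, addr in SERVERS.items():
        host_net = ip.ip_interface(addr).network
        if host_net not in nets.values():
            findings.append((host, f"{addr} is in {host_net}, which is not a listed segment"))
    return findings

if __name__ == "__main__":
    for item, detail in check_plan():
        print(f"{item}: {detail}")
```

Running the same check against the addresses actually configured on the devices, before writing the NAT and ACL rules, shows whether a rule will match the subnet that is really in use.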

DOMAIN USER LIST


Group Members
IT itXX (01 - 50)
Marketing mktXX (01 - 50)
Visitors vtrXX (01 - 30)
Employees IT, Marketing

NETWORK SPECIFICATION

NETWORK DIAGRAM
[Figure: network diagram of Module B (System Integration & Cisco Island): Windows 8.1 host machines PC1 and PC2 on VMnet1 to VMnet3, with winsrv1, winsrv2, lnxsrv1, lnxsrv2, winclnt1 (external), winclnt2 (internal), RO1, SW1 and the IP phone, each labelled with its services.]
