HiLCoE

School of Computer Science and Technology

Network Administration (CS465)

Assignment I
DRB1802B

By:

Israel Asefa
Kaleab Cherinet
Kapital Girma
Menna Yohannes
Mussie Fekadu
Nathnael Tesfaye
Natnael Zewdalem
Wongel Hailemichael

September 2022
 Table of Contents

Domain and Forest Structure ................................................................................................ 1

Trust Relationship ................................................................................................................ 1

Sites and Site Links ............................................................................................................... 2

Subnets, IP Address Assignment and Server Configurations................................................... 2

DHCP and DNS ...................................................................................................................... 6

DHCP ................................................................................................................. 6

DNS.................................................................................................................... 7

Organizational Units ............................................................................................................. 8

Group Policy ......................................................................................................................... 9

Domain and Forest Structure
AD DS can be used to organize elements of a network, such as users, computers, and other
devices, into a hierarchical containment structure. It is not a tangible entity in its own right,
and it is made up of many core components that collaborate to deliver Active Directory
functionality to a Windows system. The Active Directory Forest, domains within the forest,
and organizational units (OUs) inside each domain comprise the hierarchical confinement
structure. All of this data is saved in the Active Directory database. These structures have
different roles within the AD DS environment.

A domain logically groups objects that share a common directory database and domain
namespace and, the domain controller is the server that contains the copy of the Active
Directory database. Forests represent the largest scope of management AD DS, and they
mainly are responsible for logically grouping of one or more domains or domain trees that are
separate and independent. Domains in a forest share the same schema. Information about
forests is kept by the global catalogue which stores a searchable partial representation of
every object in the forest.

In this scenario, there are three different domains with the following domain namespaces:

1. ABC.com
2. XYZ.org
3. HiLCoE.edu
Each domain represents each organization, by configuring a trust relationship, it’s possible to
allow users in one domain to access resources in another, such as being able to use shared
folders or being able to sign on locally to machines that are members of a different domain
than the one that holds the user’s account. Some trusts are created automatically, for
example, domains in the same forest automatically trust each other, but forest trusts must be
created manually.

Trust Relationship
The domains, ABC.com and XYZ.org, exist in the same forest and are linked by a two-way
domain trust transitive relationship, that is created automatically. This allows users of XYZ.org
domain to access resources from the ABC.com domain and members of the ABC.com domain
to manage resources of the XYZ.org domain. On the other hand, the domain HiLCoE.edu exists
in its own forest. The two forests are linked with one-way incoming forest trust transitive
relationship using selective authentication. The trusted forest is the forest containing XYZ.org
and ABC.com, and the trusting forest is the forest containing HiLCoE.edu. Selective
authentication is used to allow only selected users, i.e. members of the ABC.com and XYZ.org
domains, to authenticate in HiLCoE.edu. The forest trust enables administrators of the
ABC.com and XYZ.org domain to manage tasks in the HiLCoE.edu domain. The domain and
forest structure are illustrated in the figure below.

1
Sites and Site Links
Active Directory sites are used to represent the physical structure of your network, and the
sites are connected by site links. The sites are used to manage replication traffic and facilitate
service localization. To authenticate clients efficiently, the sites contain a writable domain
controller, and the replication between the sites is scheduled.

Sites in ABC.com

To improve service availability, ABC.com has four different sites, which correspond to the four
branches, and the sites are located in the same domain under the ABC.com namespace. The
sites are linked using leased line from Ethio-Telecom.

The sites at Field Office 1, Field Office 2 and Field Office 3 each contain a single physical server
configured with two virtual machine instances consisting a domain controller and file server.
The site at Addis Abeba on the other hand will hold three physical servers and two domain
controllers. There are three site links and two backup links between the three field offices:

• Field Office 1 to Addis Ababa,

• Field Office 2 to Addis Ababa,
• Field Office 3 to Addis Ababa.

Backup Links
• Field Office 1 to Field Office 2
• Field Office 2 to Field Office 3

Subnets, IP Address Assignment and Server Configurations

Operating system functionality is controlled primarily through server roles. A server role is a
collection of operating system components that work together to provide a specific aspect of
server functionality. These roles range from providing directory and infrastructure services to
managing application services. Servers require proper role configuration to function across
different requirements. Furthermore, there needs to be proper configuration for all network
devices with both IP address assignment and subnet identification.

2
IPv4 private addresses are used in all domains, and Windows Server 2012 R2 is the domain
and forest functional level for every domain and forest.

ABC.com

ABC.com domain has a total of 6 physical servers, three located at the headquarter and the
other three located at each branch site. The site at the headquarter uses Windows server
2012 R2 Standard Edition for the two physical servers and Datacenter edition on the third
physical server with server core installation. On the other hand, Windows server 2012 R2
Standard Edition is installed on the servers of the other sites. To manage the server with server
core installation RSAT (Remote Server Administration Tools) are installed on client computers.

➢ Site 1: Addis Ababa Subnet: 192.168.32.0 / 20

❖ Physical Server 1 (IP: 192.168.32.2/20, Subnet Mask: 255.255.240.0)

• Domain Controller
• Global Catalog
• DNS Server
• Schema Master Role
• Domain Naming Server Role
• DHCP Server

❖ Physical Server 2:
o Virtual Machine 1: (IP: 192.168.32.3/20, Subnet Mask: 255.255.240.0)
• Domain Controller
• DNS Server
o Virtual Machine 2: (IP: 192.168.32.4/20, Subnet Mask: 255.255.240.0)
• Network Policy and Access Services
• Print and Document Services Server Role

❖ Physical Server 3
o Virtual Machine 1: (IP: 192.168.32.5/20, Subnet Mask: 255.255.240.0)
• Application Server
• Hosts ERP
o Virtual Machine 2: (IP: 192.168.32.6/20, Subnet Mask: 255.255.240.0)
• File and Storage Services Server Role
• Windows Server Backup and Recovery Features

3
 ➢ Site 2: Field Office 1 Subnet: 192.168.64.0 / 20

❖ Physical Server 4:
o Virtual Machine 1: (IP: 192.168.64.2/20, Subnet Mask: 255.255.240.0)
• Domain Controller
• Global Catalog
• DNS Server
• DHCP Server
o Virtual Machine 2: (IP: 192.168.64.3/20, Subnet Mask: 255.255.240.0)

• File and Storage Services Server Role

• Print and Document Services Server Role

➢ Site 3: Field Office 2 Subnet: 192.168.48.0 / 20

❖ Physical Server 5:
o Virtual Machine 1: (IP: 192.168.48.2/20, Subnet Mask: 255.255.240.0)
• Domain Controller
• Global Catalog
• DNS Server
• DHCP Server
o Virtual Machine 2: (IP: 192.168.48.3/20, Subnet Mask: 255.255.240.0)
• File and Storage Services Server Role
• Print and Document Services Server Role

➢ Site 4: Field Office 3 Subnet: 192.168.16.0 / 20

❖ Physical Server 6:
o Virtual Machine 1: (IP: 192.168.16.2/20, Subnet Mask: 255.255.240.0)
• Domain Controller
• Global Catalog
• DNS Server
• DHCP Server
o Virtual Machine 2: (IP: 192.168.16.3/20, Subnet Mask: 255.255.240.0)
• File and Storage Services Server Role
• Print and Document Services Server Role

4
XYZ.org

XYZ.org has two physical servers with one of them running two virtual machines, and
Windows server 2012 R2 Standard Edition is installed on the server.

❖ Physical Server 1: (IP: 10.16.0.2/12, Subnet Mask: 255.240.0.0)

• Domain Controller
• Global Catalog
• DNS Server
• DHCP Server

❖ Physical Server 2:
o Virtual Machine 1: (IP: 10.16.0.3/12, Subnet Mask: 255.240.0.0)
• Domain Controller
o Virtual Machine 2: (IP: 10.16.0.4/12, Subnet Mask: 255.240.0.0)
• File and Storage Services Server Role
• Print and Document Services Server Role

HiLCoE.edu

HiLCoE.edu domain has two physical servers with one of them running two virtual machines,
and Windows server 2012 R2 Standard Edition is installed on the server.

❖ Physical Server 1: (IP: 172.18.0.2/16, Subnet Mask: 255.255.0.0)

• Domain Controller
• Global Catalog
• DNS Server
• Schema Master Role
• Domain Naming Master Role
• DHCP Server Role

❖ Physical Server 2:
o Virtual Machine 1: (IP: 172.18.0.3/16, Subnet Mask: 255.255.0.0)
• Domain Controller
o Virtual Machine 2: (IP: 172.18.0.4/16, Subnet Mask: 255.255.0.0)
• File and Storage Services Server Role
• Print and Document Services Server Role

5
 Domain Controllers & Operation Master Roles
In an Active Directory domain, all domain controllers are equivalent. They are all capable of
writing to the Active Directory database and replicating changes to other domain controllers.
However, certain operations must be performed by only one system. Operation masters are
domain controllers that perform a specific function within the domain. They provide the
option to assign functions that must be done by specific server across the domain or forest.

The domain controller responsible for the schema master and domain naming master roles of
the forest containing ABC.com and XYZ.org resides on the physical server of the ABC.com
Domain which is placed at Addis Ababa site. This will be used for making any changes to the
forest’s schema. All other domain controllers within the forest hold read-only replicas of the
schema. Whereas the schema master and domain naming master roles of the forest
containing HiLCoE.edu is placed on the primary domain controller of HiLCoE.edu. Since the
forest containing HiLCoE.edu consists only one domain, infrastructure master role is not
included.

DHCP and DNS

DHCP

DHCP is used to assign (lease) IPv4-based IP addresses and other network settings to
computers and devices, which are enabled as DHCP clients. Windows infrastructure services
roles provides DHCP Server Role that can be used to automatically allocates IP addresses and
IP configuration information to clients.

IP addresses for domain controllers, DNS and DHCP servers are assigned statically, and the
addresses are listed in the DHCP exclusion list. Reservation list is created for file servers and
application servers.

Domain IP Address DHCP DHCP Lease Network ID Subnet Mask

Range Exclusion Reservation Duration
List List

ABC.com Addis 192.168.32.2 192.168.32. 192.168.32. 3 Days 192.168.32. 255.255.240.

Ababa - 2 4 0 0
192.168.32.2 192.168.32. 192.168.32.
54 3 5
192.168.32.
6

6
 Field 192.168.64.2 192.168.64. 192.168.64. 3 Days 192.168.64. 255.255.240.
Office - 2 3 0 0
1 192.168.64.5
2
Field 192.168.16.2 192.168.16. 192.168.16. 3 Days 192.168.16. 255.255.240.
Office - 2 3 0 0
2 192.168.16.5
2
Field 192.168.48.2 192.168.48. 192.168.48. 3 Days 192.168.48. 255.255.240.
Office 3 - 2 3 0 0
192.168.48.5
2
XYZ.org 10.16.0.2 10.16.0.2 10.16.0.4 3 Days 10.16.0.0 255.240.0.0
- 10.16.0.3
10.16.0.102

HiLCoE.edu 172.18.0.2 172.18.0.2 172.18.0.4 3 Days 172.18.0.0 255.255.0.0

- 172.18.0.3
172.18.0.102

DNS

DNS provides name resolution and service location to clients on the network. The DNS server
role is a critical component of any Windows Server domain infrastructure. The name
resolution can be from IP address to DNS domain name (forward lookup) or from domain
name to IP address (reverse lookup). A DNS zone hosts all or a portion of a DNS domain, and
it is typically configured to be a forward or a reverse lookup zone and can be replicated to
additional DNS servers for redundancy. Zone data can be stored in a local file that contains
the mapping information, or a zone can be integrated into Active Directory.

Since all DNS servers in all domains and sites are AD DS domain controllers, DNS zone data is
stored in AD database, i.e., using active directory integrated zones. Replication of the DNS
zone information is handled during replication of the domain controllers in the respective
domains. Active directory integrated zone also allows secure dynamic updates.

DNS clients use a forward lookup zone to resolve an IP address to a DNS domain name or a
network service while a reverse lookup zone is used resolve a DNS domain name to an IP
address. Primary DNS zones hold read/write copy of the DNS database, and stub zones
provide information about authoritative name server. Both, primary and stub zones, can be
store data in Active Directory.

7
The forward lookup zones include:

• Primary zones: ABC.com, XYZ.org, HiLCoE.edu in the respective domains and

• Stub zones: XYZ.org (10.16.0.2) and HiLCoE.edu (172.18.0.2) in ABC.com
domain, ABC.com (192.168.32.2) and HiLCoE.edu in XYZ.org domain and
ABC.com and XYZ.org in HiLCoE.edu domain

Reverse lookup zones are created in ABC.com namespace for the subnet 10.16.0.0 of XYZ.org;
this enhances security by validating IP addresses requesting access to the ERP system located
in the ABC.com domain. Pointer records for the IP addresses of the domain controllers of
XYZ.org domain is added into the zone.

DNS Dynamic update provides many advantages for automatically adding records to the DNS
database. However, there may be times when stale records are not automatically removed
when devices leave the network. DNS server role provides options to remove resource records
from the DNS database using manual or automatic deletion(scavenging). Automatic
scavenging of stale records takes place every 10 days; whereas, zone aging and scavenging
takes place using the default 7 days no refresh/refresh interval.

Organizational Units
OUs act like containers within AD DS, allowing to organize Active Directory objects in a logical
way that makes it easier to administer and manage those objects. They are useful in
delegation of administration and application of group policy. Organizational units will be
created per the departments of each organization to reflect the functional structure. Each OU
contains the users, computers, security global groups and resources of the respective
department.

ABC.com

ABC.com domain contains five organizational units namely; Finance, Human Resource,
Logistics, Customer Relations, and IT. The IT OU holds the following child OUs: AAIT, FO1IT,
FO2IT and FO3IT. The Logistics OU comprises the AALogistics, FO3SLogistics and FO2Logistics
child OUs. The servers at Addis Ababa, Field Office 1, Field Office 2 and Field Office 3 sites are
placed in the AAIT, FO1IT, FO2IT and FO3IT OUs respectively.

The ABC.com IT OU is responsible for creating, deleting and managing user and group
accounts, modify group membership and reset user password. Managing group policy links
and active directory objects, including user, group, computer, OU, sites and trusted domain
objects, is performed by the ABC.com AAIT OU.

8
XYZ.org

XYZ.org domain contains IT, Sales and HR OUs. The IT OU holds the servers of the organization
and is responsible for creating, deleting and managing user and group accounts, modify group
membership, reset user password. It also manages group policy links and active directory
objects, including user, group, computer objects.

HiLCoE.edu

HiLCoE.edu domain contains IT, Manufacturing, Sales and HR OUs. The IT OU holds the servers
of the organization and is responsible for creating, deleting and managing user and group
accounts, modify group membership, and reset user password. It also manages group policy
links and active directory objects, including user, group, computer objects.

Group Policy
Password & Account Lockout Policy

User accounts are typically protected and authorized by a password. Passwords are managed
by customizing password policy settings, including requiring users to change their password
regularly, specifying a minimum length for passwords, and requiring passwords to meet
certain complexity requirements. The following password and account lockout policy settings
is applied for each domain.
• Enforce password history = 5
• Maximum password age = 30 days
• Minimum password age = 5 days
• Minimum password length = 8 characters
• Account lockout threshold = 4
• Account lockout duration = 20 min
• Reset account lockout counter after = 20 min
• Store passwords by using reversible encryption = Disabled
• Password complexity:
o Contain a combination of at least three of the following characters: uppercase letters,
lowercase letters, numbers, symbols (punctuation marks).
o Do not contain the user's user name or screen name

For IT OUs in ABC.com, XYZ.org and HiLCoE.edu domain, the above password and account
policy is applied as a group policy object with the following modifications:
• Maximum password age = 5 days
• Minimum password age = 1 day
• Minimum password length = 10 characters
• Account lockout threshold = 3
• Account lockout duration = 30 min
• Reset account lockout counter after = 30 min
9