
3/9/2013

GAMEX.COM NETWORK DOCUMENTATION

Network Administrator | Williams J. Saraiva


Gamex.com Diagram

Master Login: Administrator
Password: Pa11word

SITES

Miami Site

  Nat-US
    OS: Windows Server 2008 R2
    NIC 1: ISP - 199.1.9.2/24
    NIC 2: Miami 172.16.90.1/23
    NIC 3: WAN 172.16.94.1/23
    Roles: RRAS

  DC-US.gamex.com - Bridgehead, GC, PDC/Schema
    OS: Windows Server 2008 R2
    NIC 1: Miami 172.16.90.2
    Roles: DC1, DNS and DHCP

  DCC.retail.gamex.com - Bridgehead, GC
    OS: Windows Server 2008 R2
    NIC 1: Miami 172.16.90.3
    Roles: DCC, DNS

  DHCP-US.gamex.com
    OS: Windows Server 2008 R2
    NIC 1: Miami 172.16.90.4
    Roles: DHCP
    Features: RSAT (ADDS Tools and GPM)

  Dev1.gamex.com
    OS: Windows 7 Professional
    NIC 1: Miami Dynamic
    Roles: Client
    Features: RSAT (ADDS Tools and GPM)

Berlin Site (Universal Group Caching Enabled)

  Nat-EU
    OS: Windows Server 2008 R2
    NIC 1: ISP - 199.1.9.3/24
    NIC 2: Berlin 172.16.100.1/23
    NIC 3: WAN 172.16.94.1/23
    Roles: RRAS

  DC-EU.gamex.com - Bridgehead, GC, RID/Naming
    OS: Windows Server 2008 R2
    NIC 1: Miami 172.16.100.2
    Roles: DC2, DNS

  RODC.gamex.com - GC
    OS: Windows Server 2008 R2
    NIC 1: Miami 172.16.100.3
    Roles: RODC, DNS

  DHCP-EU.gamex.com
    OS: Windows Server 2008 R2
    NIC 1: Miami 172.16.100.4
    Roles: DHCP
    Features: RSAT (ADDS Tools and GPM)

  DCC-EU.retail.gamex.com - Infrastructure Master
    OS: Windows Server 2008 R2
    NIC 1: Berlin 172.16.100.5
    Roles: DCC, DNS

Site 1 - Miami

I. RRAS, the first server set up, with 3 dedicated interfaces.

   A. ISP interface under the Internet Service Provider subnet, with gateway IP 172.16.1.1, mask 255.255.254.0 and IP 172.16.1.90 assigned to the machine.

   B. Miami internal subnet interface, 172.16.90.0.

   C. WAN link with the European site (Site 2) under subnet 172.16.92.0.
      1. Static route setup:
         a) Destination subnet 172.16.100.0
         b) Mask 255.255.254.0
         c) Gateway 172.16.92.2
II. DC-US setup under the Miami internal subnet.

   A. Forest domain gamex.com with its own DNS, using the ISP DNS (172.16.1.2) as a forwarder.
      1. Functional level at the current OS, Windows Server 2008 R2.

   B. Sites setup:
      1. Miami with subnet 172.16.90.0/23
      2. Berlin with subnet 172.16.100.0/23

   *Note: The functional level will be Windows Server 2008 R2 for all domain controllers within this forest.
III. DCC-US setup under the Miami internal subnet.

   A. Domain controller created as a new domain, retail.gamex.com, within the existing forest.

   B. Child domain also running its own DNS.
      1. The forest domain refers inquiries to the child domain, and the child domain hosts a copy of the forest domain's host records, so it does not need to query the forest domain.

IV. DHCP-US set up under the Miami subnet.

   A. Scope 172.16.90.1 to 172.16.91.254

   B. IP exclusion list: 172.16.90.1 through 172.16.90.10 (reserved for static servers)

   C. Lease duration set to 8 days

V. Clients with the DEV prefix set up, such as DEV-1.

   A. All Windows 7 machines with RSAT installed, with the Active Directory tools and Group Policy Management features enabled.
      1. RSAT has to be downloaded from the Microsoft website in order to enable its features on the client.

Notes:
The time zone used was (UTC-05:00) Eastern Time (US & Canada), due to the site being located in Miami, USA.

The subnet mask throughout this whole site is /23 (including the ISP).
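The Miami-side configuration from steps I to IV, as an added example that is not part of the original documentation: it uses the route, dnscmd and netsh tools shipped with Windows Server 2008 R2, run from an elevated PowerShell prompt on the server named in each comment. The DHCP scope name and comment, the choice of DC-US as the DNS server handed to clients, and the verification commands are assumptions of this example, not settings stated in the document.

```powershell
# Added example, not from the original document: Site 1 (Miami) settings from steps I-IV.
# Run each block on the server named in its comment, from an elevated PowerShell prompt.

# --- Nat-US (RRAS): persistent static route to the Berlin subnet (step I.C.1) ---
# 172.16.100.0/23 is reached via the WAN peer 172.16.92.2; -p keeps the route across reboots.
route -p add 172.16.100.0 mask 255.255.254.0 172.16.92.2
route print 172.16.100.*                               # confirm the route is installed
Test-Connection -ComputerName 172.16.100.1 -Count 2    # Berlin RRAS reachable? (assumes ICMP is allowed on the WAN)

# --- DC-US (DNS): forward queries it cannot answer to the ISP resolver (step II.A) ---
dnscmd DC-US /ResetForwarders 172.16.1.2
# Read the forwarder list back through the DNS server's WMI provider.
(Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server -ComputerName DC-US).Forwarders

# --- DHCP-US: Miami scope with the reserved addresses excluded (step IV) ---
# Scope name and comment are assumptions of this example.
netsh dhcp server add scope 172.16.90.0 255.255.254.0 "Miami" "Miami site clients"
netsh dhcp server scope 172.16.90.0 add iprange 172.16.90.1 172.16.91.254
# IV.B: .1 (Nat-US) through .10 are reserved for statically addressed servers.
netsh dhcp server scope 172.16.90.0 add excluderange 172.16.90.1 172.16.90.10
# Option 003 = default gateway (Nat-US), option 006 = DNS server (DC-US, assumed),
# option 051 = lease time in seconds: 8 days (IV.C) = 8 * 86400 = 691200.
netsh dhcp server scope 172.16.90.0 set optionvalue 003 IPADDRESS 172.16.90.1
netsh dhcp server scope 172.16.90.0 set optionvalue 006 IPADDRESS 172.16.90.2
netsh dhcp server scope 172.16.90.0 set optionvalue 051 DWORD 691200
netsh dhcp server scope 172.16.90.0 set state 1          # activate the scope
netsh dhcp server scope 172.16.90.0 show excluderange    # confirm the exclusion range
```

The exclusion range matters because the scope starts at 172.16.90.1, the address of the RRAS server itself; without IV.B the DHCP server could hand a client the gateway's own address.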


Site 2 - Berlin

VI. RRAS, the first server set up, with 3 dedicated interfaces.

   A. ISP interface under the Internet Service Provider subnet, with gateway IP 172.16.1.1, mask 255.255.254.0 and IP 172.16.1.100 assigned to the machine.

   B. Berlin internal subnet interface, 172.16.100.0.

   C. WAN link with the European site (Site 2) under subnet 172.16.92.0.
      1. Static route setup:
         a) Destination subnet 172.16.90.0
         b) Mask 255.255.254.0
         c) Gateway 172.16.102.3

VII. DC-EU setup under the Berlin internal subnet.

   A. Added this domain controller to the existing domain, gamex.com, with its own DNS using the ISP DNS (172.16.1.2) as a forwarder.
      1. Functional level at the current OS, Windows Server 2008 R2.

   *Note: The functional level will be Windows Server 2008 R2 for all domain controllers within this forest.
VIII. RODC setup under the Berlin internal subnet.

   A. Added this domain controller to the existing domain, gamex.com, with its own DNS using the ISP DNS (172.16.1.2) as a forwarder. Child domain also running its own DNS.

IX. DHCP-US set up under the Berlin subnet.

   A. Scope 172.16.100.1 to 172.16.101.254

   B. IP exclusion list: 172.16.100.1 through 172.16.100.10 (reserved for static servers)

   C. Lease duration set to 8 days

X. DCC-EU setup under the Berlin internal subnet.

   A. Added this domain controller to the existing domain, gamex.com, with its own DNS using the ISP DNS (172.16.1.2) as a forwarder.

Notes:
The time zone used was (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna, due to the site being located in Berlin, Germany.

Other Configurations

XI. On DC-US

   A. Under Active Directory Sites and Services > Inter-Site Transports > IP:
      1. Replication is configured as follows: from 1100 to 1400 Mon-Fri, and 0200 to 0500 on Sunday, at a rate of once every 15 minutes. If it does not look like the image below, it is not correct.
XII. Global Catalog and Infrastructure Master FSMO role

   A. In the forest domain all DCs are GCs, so there is no need to move the Infrastructure Master from DC-US.

   B. In the child domain, DCC-EU is not a GC; therefore the Infrastructure Master has to be moved from DCC-US to DCC-EU, since DCC-US is a GC.
      1. The reason this had to be done here, and not on the forest root domain, is that unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function: it will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.
         a) However, if all DCs are GCs, as in the forest root, the data is always up to date regardless of whether the Infrastructure Master is functioning or not.

XIII. Bridgehead Servers

   A. DC-US for the Miami site and DC-EU for the Berlin site.
   B. This can be changed as needed.

   C. Universal group caching is enabled on DC-EU; however, it is not needed, as all domain controllers on the Berlin site are also Global Catalogs.

XIV. Other FSMO Roles

   A. Naming Master (forest role) has been transferred from DC-US to DC-EU.

   B. Relative ID Master (domain role) has also been transferred from DC-US to DC-EU.

On a side note: the RODC cannot become a preferred bridgehead or hold FSMO roles; however, it can be a Global Catalog.
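To verify the Infrastructure Master placement rule from section XII and the role transfers from section XIV, here is an added PowerShell check that is not part of the original documentation. It uses the Active Directory module shipped with Windows Server 2008 R2 (run it on a DC, or on a client with the RSAT AD tools described above); the function name Test-InfrastructureMasterPlacement and the output wording are this example's own.

```powershell
# Added example, not from the original document: check the infrastructure master rule
# from section XII for every domain in the forest, then list the other role holders (XIV).
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param([Parameter(Mandatory = $true)][string]$DomainName)

    $domain = Get-ADDomain -Identity $DomainName
    # Passing the domain name to -Server lets the module pick any DC of that domain.
    $dcs    = @(Get-ADDomainController -Filter * -Server $DomainName)
    $nonGcs = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $holder = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }

    $allGc      = ($nonGcs.Count -eq 0)
    $holderIsGc = ($holder -ne $null) -and [bool]$holder.IsGlobalCatalog

    # Section XII: when every DC is a GC (forest root here) or the domain has a single DC,
    # the role holder may be a GC. Otherwise the holder must be a non-GC (retail domain),
    # or it will never notice stale cross-domain references and never replicate fixes.
    $placementOk = $allGc -or ($dcs.Count -eq 1) -or (-not $holderIsGc)

    New-Object PSObject -Property @{
        Domain               = $domain.DNSRoot
        InfrastructureMaster = $domain.InfrastructureMaster
        HolderIsGC           = $holderIsGc
        AllDCsAreGC          = $allGc
        Placement            = $(if ($placementOk) { 'OK' } else { 'MOVE to a DC that is not a GC' })
    }
}

(Get-ADForest).Domains |
    ForEach-Object { Test-InfrastructureMasterPlacement -DomainName $_ } |
    Format-Table Domain, InfrastructureMaster, HolderIsGC, AllDCsAreGC, Placement -AutoSize

# Forest-wide roles (schema, naming) and per-domain roles (PDC, RID). Section XIV expects
# the Naming Master and the gamex.com RID Master to be on DC-EU.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
(Get-ADForest).Domains | ForEach-Object {
    Get-ADDomain -Identity $_ | Select-Object DNSRoot, PDCEmulator, RIDMaster
}
```

For gamex.com the check should report AllDCsAreGC = True and Placement = OK even though DC-US holds the role and is a GC; for retail.gamex.com it should report the holder as DCC-EU with HolderIsGC = False, which is the state section XII.B describes.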

Organizational Units and GPOs Part 1

XV. Script created to facilitate the creation of OUs, groups and users.

   A. Below is a text copy of the script (one dsadd command per line, run from an elevated command prompt on a DC):

REM Create the Testing OU and the global group Testers inside it.
dsadd ou OU=Testing,DC=gamex,DC=Com -desc "Testing Group Organizational Unit"
dsadd group CN=Testers,OU=Testing,DC=gamex,DC=Com -scope g
REM Create three enabled test users in the Testing OU and add them to Testers.
REM The pasted listing placed the users in OU=VSD, an OU the script never creates;
REM the Testing OU created above is used here so the commands succeed.
REM -pwd * would prompt for the password instead of leaving it in the script text.
dsadd user CN=tester1,OU=Testing,DC=gamex,DC=Com -samid tester1 -memberof "CN=Testers,OU=Testing,DC=gamex,DC=Com" -pwd Pa11word -desc "Test user 1" -mustchpwd no -disabled no
dsadd user CN=tester2,OU=Testing,DC=gamex,DC=Com -samid tester2 -memberof "CN=Testers,OU=Testing,DC=gamex,DC=Com" -pwd Pa11word -desc "Test user 2" -mustchpwd no -disabled no
dsadd user CN=tester3,OU=Testing,DC=gamex,DC=Com -samid tester3 -memberof "CN=Testers,OU=Testing,DC=gamex,DC=Com" -pwd Pa11word -desc "Test user 3" -mustchpwd no -disabled no

XVI. Move user and delete Active Directory object text templates

   A. Move user:
REM dsmove only moves objects within a single domain; moving tester1 into retail.gamex.com needs a cross-domain migration tool.
dsmove "CN=Tester1,OU=testing,DC=gamex,DC=Com" -newparent OU=Betatest,DC=retail,DC=gamex,DC=Com

   B. Delete object:
dsrm "CN=tester3,OU=testing,DC=gamex,DC=Com"

XVII. Engineering OU

   A. Engineering group was created with several users and groups.

   B. Engineering Admins group created.
      1. Epalpatine made a member of the Engineering Admins group.
      2. Used the Delegation of Control wizard on the Engineering OU to delegate control to the Engineering Admins group to do the following:
         a) Add, delete and modify users and groups
         b) Reset passwords for user accounts
         c) Link GPOs
         d) Look at security permissions (ACL) for the OU


XVIII. Roaming Profiles
      1. Under the user object properties, select the Profile tab and type \\dc-us\profiles\%username%

XIX. Lockdown GPO policy for Engineering users

   A. Solitaire is run at logon.

   B. No desktop icons, no Run command in the Start menu, and no Documents / My Documents icon on the Start menu. Lock Computer, Control Panel and Task Manager are disabled. Also not able to shut down the machine.

   C. \\DC-US\Docs share mapped to the P: drive at logon.

   D. Making sure Engineering Admins inside the same OU are not affected by these policies.

XX. Making sure domain accounts may have simple passwords (as few as 3 characters long) and that domain users can log in to the second domain.
XXI. Other domain options

   A. No reason required for shutdown.

   B. Domain Admins always a member of the local Administrators group.

XXII. Make computers in Site 2 display a logon message with a title, disable the CTRL+ALT+DEL requirement, and hide the last user that logged on.
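A way to confirm on a Windows 7 client that the Engineering lockdown GPO (section XIX) and the Site 2 logon-message GPO (section XXII) actually took effect, as an added example that is not part of the original documentation: it reads the standard Explorer and System policy registry values behind those Group Policy settings. Run it after gpupdate /force while logged on as an Engineering user; the value names are the documented policy registry values, while the function name Get-PolicyValue and the labels are this example's own.

```powershell
# Added example, not from the original document: audit the registry policy values that the
# lockdown GPO (XIX) and the logon-message GPO (XXII) are expected to set on a Windows 7 client.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

$userExplorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$userSystem   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$machSystem   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Label, registry key, value name, expected value (1 = setting enabled).
$checks = @(
    @('Hide desktop icons (XIX.B)',            $userExplorer, 'NoDesktop',               1),
    @('Remove Run from Start menu (XIX.B)',    $userExplorer, 'NoRun',                   1),
    @('Remove Documents from Start (XIX.B)',   $userExplorer, 'NoSMMyDocs',              1),
    @('Prohibit Control Panel (XIX.B)',        $userExplorer, 'NoControlPanel',          1),
    @('Remove Shut Down (XIX.B)',              $userExplorer, 'NoClose',                 1),
    @('Disable Task Manager (XIX.B)',          $userSystem,   'DisableTaskMgr',          1),
    @('Disable Lock Computer (XIX.B)',         $userSystem,   'DisableLockWorkstation',  1),
    @('Do not require CTRL+ALT+DEL (XXII)',    $machSystem,   'DisableCAD',              1),
    @('Do not display last user name (XXII)',  $machSystem,   'DontDisplayLastUserName', 1)
)

foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c[1] -Name $c[2]
    $state  = if ($actual -eq $c[3]) { 'OK' } else { 'MISSING' }
    '{0,-8} {1,-40} {2} = {3}' -f $state, $c[0], $c[2], $actual
}

# The logon message itself (XXII): empty values mean the computer GPO did not apply.
'Logon title: ' + (Get-PolicyValue -Path $machSystem -Name 'LegalNoticeCaption')
'Logon text : ' + (Get-PolicyValue -Path $machSystem -Name 'LegalNoticeText')

# Which GPOs were applied to this computer and user, for the MISSING rows.
gpresult /r
```

For an Engineering Admin account (XIX.D), the XIX rows are expected to come back MISSING, which is the quickest way to confirm that the security filtering excluding that group is working.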

Organizational Units and GPOs Part 2

XXIII. GPO that gives Engineering OU members their own individual My Documents, Pictures and Music folders on a network share. The Videos folder is also on a share, but that folder is to be used by all members.

   Docs
   Music
   Pictures
   Shared Video
XXIV. GPO to deploy Word and PowerPoint viewers

   A. PowerPoint Viewer is not to install automatically, but is made available for installation to users inside the Death Star Project OU. However, if the user changes OUs, it needs to be uninstalled at the next logon.

   B. Word Viewer is to be installed automatically whenever the computer restarts, and automatically uninstalled if, when it restarts, it has moved to a different OU.
XXV. Restrict computers in the Death Star Project OU from using Notepad.exe and from executing any programs in C:\Windows\Temp, regardless of the user's NTFS permissions.

All other configuration within this GPO was left at the defaults.

XXVI. Picasso must not be allowed to run mspaint.exe, no matter which computer he tries from, so a user-level software restriction was made for him.
XXVII. Make computers in Site 2 display a logon message with a title and have the CTRL+ALT+DEL requirement disabled. Only Windows 7 workstations may be affected now; WMI filters need to be used.
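The WMI filter that restricts the Site 2 GPO to Windows 7 workstations, together with a local evaluation of the same query, as an added example that is not part of the original documentation. The WQL query is the commonly used Win32_OperatingSystem filter (version 6.1 is Windows 7 and Windows Server 2008 R2; ProductType 1 is a workstation, 2 a domain controller, 3 a member server); the function name Test-WmiFilter is this example's own.

```powershell
# Added example, not from the original document: the WQL query for a "Windows 7 workstations
# only" WMI filter (section XXVII), evaluated locally the way Group Policy evaluates it.
# The ProductType clause is what keeps the Site 2 domain controllers and the RRAS server
# (also version 6.1, but ProductType 2 or 3) out of the GPO's scope.
$wmiFilterQuery = 'SELECT Version, ProductType FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"'

function Test-WmiFilter {
    param([string]$Query = $wmiFilterQuery, [string]$ComputerName = '.')
    # Group Policy applies the GPO when the filter query returns at least one instance.
    $hits = @(Get-WmiObject -Query $Query -Namespace 'root\cimv2' -ComputerName $ComputerName -ErrorAction Stop)
    return ($hits.Count -gt 0)
}

$os = Get-WmiObject -Class Win32_OperatingSystem
'{0}: Version {1}, ProductType {2} -> GPO {3}' -f $env:COMPUTERNAME, $os.Version, $os.ProductType,
    $(if (Test-WmiFilter) { 'APPLIES' } else { 'is filtered out' })
```

Paste the query string unchanged into the WMI filter object in the Group Policy Management console, then link the filter to the Site 2 GPO; running the block on a DC should report "is filtered out", on a Windows 7 client "APPLIES".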
