NOTE: All names and some of the assigments were removed because of classified information.

   

1. On Server 1 create an Active Directory domain named Kuku.tst

1.At first we need to prepare the Hyper – V server for our project:

1.1 We change our Hyper-V server name to “Hyper - V 1 by using the PowerShell command “Rename-computer –NewName Hyper-V1 -Restart

1.2 Now we need to install the Hyper – V role using server manager by going to the server manager Add Roles and Features Hyper-V.

1.3 After we installed the Hyper-V Server Role we now need to make an External switch so the VMs can communicate with other VMs and the clients. We do this by opening the Hyper-V role and click on the “Virtual Switch Manager”, when the virtual switch manager opens we can see 3 options:

External: The VMs can communicate with each other, with the physical server that contains them and with other servers that are contained outside the physical server.

Internal: The VMs can communicate with each other and with the physical server that contains them.

Private: The VMs can only communicate with each other.Because we need the VMs to communicate with everyone on our network we need to choose the External Switch. We will call it “Ext Switch”

1.4 Now we can make the servers we need (at this project we need 5) by doing the following: first we go on the Hyper-V Server role and we click New Virtual Machine, at that point a wizard pops up. We choose to store all our VMs on C:\Data\VMs.

Afterwards the wizard gives us 2 options: Generation 1 and Generation 2, because all of our clients and servers are going to be with Windows Server 2012 and Windows 8, we can choose Generation 2.We configure all our servers as follow:

2024MB RAM A VHDX (Newer version of Virtual Hard Disk): 40 GB Connected to: Ext Switch . We choose to install an operating system from a bootable image file and we finish the Installation.

1.5 After we installed the Windows Server 2012 operating system we will now make an Active Directory Domain named Kuku.tst on Server 1 by installing an Active Directory Domain Services (or AD DS) and with that role we will create a new forest. After we installed the AD DS role we will be able to see that there’s a notice that asks us to Promote this server to a Domain Controller (DC). We will see that we have an option to create a new forest which we will because we don’t have a forest. After we chose to create a new forest we will call the Root domain “Kuku.tst”. In the Active Directory wizard we can also and will install a DNS role.

2. Create Server 2

2.1 To create Server 2 we need to do exactly what we did to create Server 1. We go to the Hyper-V server role on our Hyper-V server and click New Virtual Machine. , at that point a wizard pops up. We choose to store all our VMs on C:\Data\VMs.

Afterwards the wizard gives us 2 options: Generation 1 and Generation 2, because all of our clients and servers are going to be with Windows Server 2012 and Windows 8, we can choose Generation 2.We configure all our servers as follow:

2024MB RAM A VHDX (Newer version of Virtual Hard Disk): 40 GB Connected to: Ext Switch.

2.2 We choose to install an operating system from a bootable image file and we finish the Installation. What we need to do that’s different from the last section is that we need to join this computer to the domain. We can do it buy right clicking on This PC on the start menu and choose properties Advanced system settings Computer Name tab Change. At this point you should specify the domain name you would like to join and fill in the credentials.After I created all the firewall rules needed so the clients can connect to the server, I opend the sysprep and activated it (do NOT forget to click on Generalize). This will make sure that when I’ll copy the VHD it won’t copy the SID. Now when I’ll make the other servers the defaults I selected will be applied on them (the Remote desktop connection, Firewall rules disable the paging file) by just copying and pasting the VHD as another name.

3. Make the Active Directory structure and the users:

3.1 At first we need to get the users file from the human recourse in the company, in this case I have made a file that contains a few hundred users, wrote a script that will create all of the OUs, and using the CSV file I’ve organized them in the correct OU.

3.2 The script I used for this is: New-ADOrganizationalUnit -Name Finance -Path "DC=kuku,DC=tst"New-ADOrganizationalUnit -Name Production -Path "DC=kuku,DC=tst"New-ADOrganizationalUnit -Name Sales -Path "DC=kuku,DC=tst"New-ADOrganizationalUnit -Name Architects -Path "DC=kuku,DC=tst"New-ADOrganizationalUnit -Name IT -Path "DC=kuku,DC=tst"New-ADOrganizationalUnit -Name Management -Path "DC=kuku,DC=tst"

Import-Module ActiveDirectoryImport-Csv "C:\Users\Administrator\Desktop\Project 1\Employes\Employes.csv" | ForEach-Object { $userPrincinpal = $_."samAccountName" + "@mydomain.com"New-ADUser -Name $_.Name ` -Path $_."ParentOU" ` -SamAccountName $_."samAccountName" ` -UserPrincipalName $userPrincinpal ` -AccountPassword (ConvertTo-SecureString "Slipknot9!!" -AsPlainText -Force) ` -ChangePasswordAtLogon $false ` -Enabled $true}

4. Allow UserS1 to change the password of all the users in the Sales OU.

4.1 First we need to create a Delegate Control to the Sales OU. We add UserS1 as shown in the exhibit:

Now we choose the “Reset user password and force password change at next logon”. This

will apply the task to UserS1.

5. Create a policy that will force a complex password using 8 digits and must be changed every 60 days

5.1 First we need to create a new Group Policy Object (GPO) that will be enforced to all the domain. We go to the Group Policy Management Editor using the command “gpmc.msc” and then we click the Computer Configuration Policies Windows Settings Security Settings Account Policies Password Policy. In there you can find the policies that you need to change. You change the Maximum password age to 60, The minimum password length to 8 characters, and make sure that the “Password must meet the complexity requirements” is Enabled.

5.2 In case of 3 failed attempts to log on during 30 minutes the account will be locked to 12 hours.

In the domain GPO we go to Computer Configuration Software Settings Security Settings Account Policies Account lockout policy. In there we can find the Account lockout threshold in there you configure how many attempts a user needs until its locked out (3), the Account lockout duration configures how much the user remains locked before its automatically opens again.

5.3 In the IT department the users must change their password every 30 days.

In the Active Directory Administrative Center you choose your domain and go to the system container. After this you choose the Password Settings Container and you make the PSO as shown in the exhibit:

You make a PSO using AD AC because if you create a new GPO for the IT ou it will only apply for the computers on that OU and the local users of those computers and not the domain users that are in the Active Directory.

6. There will be a DFS Namespace named \\kuku.tst\Share that the files will point to D:\Data\Share of Server1 and Server2

6.1 At first we create a new share folder at C:/Data and then we go to the DFS Management and create a new Namespace by right clicking on the DFS management and then click on New Namespace, then, a wizard opens and asks us to choose the server that will host the namespace. Then, we type the name for our namespace, this name will appear after the server or domain name in the namespace. We choose the domain-based namespace and enable windows 2008 serve mode like shown in the exhibit:

And then we create it. Now we have a new namespace.

6.2 After we made a new namespace we point it at the shared folder by right clicking on the namespace. There we can see the list of all the shared folders in our domain. We choose our folder in C:\Data\Share and add it to the namespace. This is important to do because if you change the source of the file the name will still be the same and users will not need to remember a new path.

7. Each user will have a folder that will be saved in \\kuku.tst\share\users\Username with a quota of 10 GB

7.1 To do so we have to use the File Server Recourse Manager (FSRM) tool to first create the templates to the quotas. You click on Quota Templates and create a new quota. In there you create a 10 GB quota and save it.

Now, after we created the template we create a new quota by right clicking Quotas Create Quota. After we did it we select a path for the quota and we select which quota template should we use. In this case we will use the 10GB template that we made earlier.

now will have to make sure that when a user log on to a server or basically every machine on the network it will automatically create a folder for him. We open the Group policy manager using gpmc.msc. With the introduction of Windows 8 and Windows Server 2012 there is now a new group policy setting called “Set user home folder” and is found under Computer Configuration > Policies > Administrative Templates > System > User Profiles.

As we can see in the exhibit above we set the group policy on Enabled and choose the “On the network” option in the location tab. The path we used is our network path.7.2 As for divisions we do the same thing except we can make the folders manually and create a 100GB Quota template.

8. All the FSMO roles will be transferred to Server2

To Transfer the FSMO roles first we need to divide it to 2 sections: 1: the Domain – specific roles 2: the forest – specific roles.

8.1 Transferring the Domain-Specific Roles: RID, PDC, and Infrastructure Master

1. Click the domain controller which will be the new role holder, and then click OK.2. Right-click Active Directory Users and Computers icon, and then click Operation Masters.

3. In the Change Operations Master dialog box, click the appropriate tab (RID, PDC, or Infra-structure) for the role you want to transfer.

4. Click Change in the Change Operations Master dialog box.

5. Click OK to confirm that you want to transfer the role.6. Click OK.7. Click Close to close the dialog box.

You need to do it for each tab.

8.2 Transferring the Forest – specific roles will be done role by role and not all the roles at once like the domain-specific roles.

8.3 Transferring the Domain Naming Master role:

1. On Server 2 go to  Active Directory Domains and Trusts.2. Right-click Active Directory Domains and Trusts, and then click Operation Mas-

ters.3. In the Change Operations Master dialog box, click Change4. Click OK to confirm that you want to transfer the role.5. Click OK.

8.3 Transferring the Schema master role:

1. At first we open the command- line tool and type in: regsvr32 schmmgmt.dll this will allow the access to the Active Directory Schema.

2. Open MMC and add the Active Directory Schema snap-in 3. Right-click the Active Directory Schema icon, and then click Change Domain Controller

NOTE: If you are not on the domain controller where you want to transfer the role ,you need to take this step. It is not necessary if you are connected to the domain controller whose role you want to transfer

4. Click Specify Domain Controller, type the name of the domain controller that will be the new role holder, and then click OK.

5. Right-click Active Directory Schema, and then click Operation Masters.6. In the Change Schema Master Dialog box, click Change.

9. Make the Control Panel and the CMD blocked for all of the Production users

9.1 To do so, we need to create a GPO that prohibits the access to the Control Panel and the CMD and link it to the Production OU. You go to the gpmsc.msc, right click on the production OU Create GPO in this domain and link it here.

9.2 Now, right click on the GPO and click edit. In there we go to the following path: User Configuration Policies Control Panel – in there you can you find the Prohibit access to Control Panel. Enable it and then go to the following path User Configuration Policies System and there you can fine the Prevent access to command prompt. Enable both of them and save it GPO.

10. Map Z:\\ drive to Kuku.tst\share\General and make sure that you can only save txt files.

10.1 We right click on This PC and choose map a drive like shown in the Exhibit:

After we do so, we will get a window which in there we can map the drive and assign it a latter. At our path we type \\kuku.tst\share\general and assign the latter Z:.

10.2 To make sure we can only save txt files we open the FSRM tool and then create a Filescreen Template and mark to block all the types of file except txt files. Like shown in the exhibit:

Then, we create a new file screen and choose our template and path which is \\kuku.tst\share\General .

14. All the hosts must have 7.zip installed.

First we put the 7.zip installation on the shared network folder and then we open end edit our main GPO. In there on the computer configuration Software. We right click on the Software Installation New Package. In the path section you enter the path where the software installation is in as shown in the exhibit:

15. \\Server3\PrinterX will be installed on every computer

After the successful installation of the Print Server go to the "Tools Menu" provided at the upper

right hand corner.

In the Tools Menu go to "Print Management" and click on it.

Now, In the Print Management Window go to the "Print Servers" option and expand it. It will ex-

pand to show your Print Server, again expand this and you will find a "Printers" option available at

the bottom of this Print Server. Right-click on the "Printers" option to "Add Printer".

Now the Printer Wizard will be opened, first you must select the Installation Method. Click on sec-

ond option i.e. "Add a TCP/IP or Web Services Printer by IP Address or Host Name".

After selecting the second option click on the "Next" button.

Now you must provide the "Printer's Network Name or it's I.P Address".

In the "Type of Device" option you can either specify it is TCP/IP or use the Auto-detect option. As

you can see I chose the Auto-Detect option.

After providing the IP Address and Type of Device click on the "Next" Button.

Now the Printer's Name and Sharing Option will be opened. The Printer's name will be automati-

cally provided to you. Click on "Sharing" option if you want to share this Printer with many users. If

you choose to share this printer then you must provide the location and Share Name for this

printer and then click on the "Next" button.

Now your printer will be ready to install and all its information will be shown to you. Click on the

"Next" button after checking all the information for the last time. Clicking the Next Button will in-

stall the printer.

Now your printer will be successfully installed. Click on the "Finish" button to finish the installation.

Now when you go to the Print Management Window you will see that your printer is installed.

S

After we installed the printer we create an Empty GPO called “Printer”. Then go to the printers tab and right

click on the new printer we just made and click Deploy with Group Policy.

Now this printer will be shown to all the users connected to your server and they don't need to in-

stall the printer separately on their system.

16. Create a WDS server and import a boot image

16.1 First we need to install the Windows Deployment Services on Server 1 by using “Add Roles and Features” from the server manager. We install the WDS role and make sure we choose on the Active Directory WDS. Then we shut down Server 1. Now, from our Hyper-V server we mount the VHD of Server 1 and add the Boot.wim and Install.wim to the VHD. NOTE : Make sure you delete the checkpoint if you have one.

We start Server 1 and then go to the WDS management role, right click on the install images and choose “Add install image”, which will open us a wizard.

Click Next and then we will need to browse our Install.wim file as shown in the exhibit:

Now it asks us to select the images we want to add to the server such as: Windows Server 2012 StandardWindows Server 2012 Standard Core installation Windows Server 2012 Datacenter Windows Server 2012 Datacenter Core Installation.

We select the images that we want to be able to install on the server and click next. After we do so it will check the integrity of our source and will finish the Wizard.

16.2 Now we need to do the same thing for out Boot.wim file. We start Server 1 and then go to the WDS management role, right click on the Boot images and choose “Add boot image”, which will open us a wizard. We choose the location of our boot.wim file

Then the wizard will ask us to put a name and a description to the image file, I rather carry on with the defaults as shown here:

We click next and the wizard shows us a summary of the installation. After we click next it will check the integrity of our source file. When it will say that the image is successfully added to our WDS server.

16.3 Now, because we have WDS roles and DHCP role on the same server, they both try to work on port 67. That’s why the service stops. We need to configure WDS to stop listening on port 67.We can do so by following these steps:

1. Click Start, click Run, type wdsmgmt.msc, and then press OK.

2. In the Windows Deployment Services window, expand Servers, right-click the WDS server name, and then click Properties.

3. In the Server Properties dialog box, click the DHCP tab.

4. Click to select the Do not listen on port 67 check box, and then click Apply.

After we finished with adding all the files we need we can see that the service is stopped like shown here:

The little stop mark we see on the server icon says that the WDS Service is off and to activate it we need to do it manually.

We go to the services windows using run command Services.msc and look for Windows Deployment Services Server click it and click start.

If the service won’t start we need to change the Registry key value to 0 buy going through this path:

sNow, the WDS will not listen to DHCP ports and will run correctly. I checked it through the Event Viewer and saw the error code. The error code was 0x2740 which means that the WDS is still listening to DHCP port.

17. Create a new virtual machine and install OS with PXE.

17.1 We need to create a new Virtual machine Generation 1 and add a Legacy Network Adapter. Then in the BIOS we move up the Legacy network adapter so the server can boot from PXE. After it boots from PXE we install the OS regularly.

NOTE: Remember when the OS is installed to remove the legacy network adapter and add a network adapter.

18. The RDS Servers will allow to activate Calc and mspaint as a remote app which can be activated through Web

18.1 RDS simple deployment: we logged on to server 2 and added servers 3, 4 and 5.

18.2 using the management GUI selection add new roles and features and chose Remote Desktop Services

Installation. We select standard deployment and then we select Session based desktop deployment.

Now, the wizard asks us to specify the server host of the RD Connection Broker which is Server 3 as shown in the exhibit:

We click Next and then the wizard ask us to specify the host server that the RD Web Access will be installed on. We just marked the “Install the RD Web Access role service on the RD Connection Broker Server

Now we need to select the servers from the server pool on which to install the RD Virtualization Host role service. We chose server4 and Server5.

18.3 If this problem is showing that means that there’s a pending reboot that won’t start.

To solve this we need to go through the Registry to HKEY-LOCAL-MACHINE\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations" and delete this value. (We need to do it on both of the servers). Now just restart the servers and this should work. 18.4 Now we can see in the exhibit below that we got the RD Session host which is basically the servers we connect to. Right click on the RD Session host and choose Create session Collection.

It will open up a wizard that will first tell us to add the name of our collection:

It will ask us to select the RD Session from the server pool to add the collection, we choose both servers 4 and 5. We select the groups that should have access to connect to the collection (Domain Users).The next option will determine if you want to save the users profile on a shared folder / disk. For now we will disable this option.

We click next then click Create. Now the session collection is being created.

Now we go to our Collection 1 tab and choose Publish remote app programs

Which will open up a wizard that will allow us to select the programs required:

We click next and publish.

Now, we open our Internet Explorer and type in the following URL: https://server3/RDWeb (This is the web access we installed earlier).Because we have no Certificate Authority you will be prompted through a lot of warnings that the site is not secure, ignore the warnings and you will be prompted to a page which you can choose to run Paint or Calculator.

19. The WSUS will update all the network with only one update to your choice

The procedures in this step describe how to: • Save and download information about your upstream server and proxy server. • Choose the language of the updates you want. • Choose the products for which you want to get updates. • Choose the classifications of updates you want. 

1. You should have completed configuration of the upstream server and the proxy server in the configuration wizard, and you should see the Connect to Upstream Server page. 2. Click the Start Connecting button, which will save and upload your settings and get information about available updates. 3. While the connection is being made, the Stop Connecting button will be available. If there are problems with the connection, click Stop Connecting, fix the problems, and restart the connection. 4. After the download has completed successfully, click Next to go to the Choose Languages page, or select a different page from the left panel. Choose update languages 1. The Choose Languages page allows you to get updates from all languages or from a subset of languages. Selecting a subset of languages will save disk space, but it is important to choose all of the languages that will be needed by all of the clients of this WSUS server. 2. If you choose to get updates for only a few languages, select Download updates only in these languages, and select the languages for which you want updates. Click Next to go to the Choose Products page, or select a different page from the left panel. Choose update products 1. The Choose Products page allows you to specify the products for which you want updates. 2. You may check product categories, such as Windows, or specific products, such as Windows Server 2003. Selecting a product category will cause all of the products under it to be selected. Click Next to proceed to the Choose Classifications page, or select a different page from the left panel. Choose the update classifications 1. The Choose Classifications page allows you to choose the update classifications you wish to obtain. You can choose all the classifications or a subset of them. 2. Click Next to proceed to the Configure Sync Schedule page, or select a different page from the left panel. Configure the synchronization schedule 1. You will see the Set Sync Schedule page, which allows you to choose whether to perform synchronization manually or automatically. 2. If you choose to synchronize manually on this server, you will have to initiate the synchronization process from the WSUS administration console. 3. If you choose to synchronize automatically, the WSUS server will synchronize at specified intervals. Set the time of the first synchronization and specify the number of synchronizations per day you wish this server to perform. For example, if you specify that there should be four synchronizations a day, starting at 3:00 A.M., synchronizations will occur at 3:00 A.M., 9:00 A.M., 3:00 P.M., and 9:00 P.M. After you have completed all of the above configuration steps, select the Finished page in the configuration wizard. You can launch the WSUS Administration console by leaving the Launch the Windows Server Update Services Administrations snap-in check box selected, and you can start the first synchronization by leaving the Begin initial synchronization check box selected. Note You cannot save configuration changes that are made while the server is synchronizing. Wait until synchronization is finished to make your changes. 20. Server 3 will hold a website with a picture of your choice.

20.1 We open the IIS server manager (Not the 6.0) and go to the following path as shown in the exhibit:

Now, open Internet Explorer and type the following URL: https://server3.kuku.tst .This is our web site.

20.2 To change the picture in there we can go on to C:\inetpub\wwwroot and we can see two files. A PNG Image called iis-85 and an HTML file called iisstart.

The first way we can change the picture of our website is to edit the picture and put a new picture. The second way is to open the iisstart with notepad and change the values that the HTML file have.

21. Server3 will divide the sessions of server 4 and server 5 equally.

The RD Broker does that by default.

Remote Desktop Connection Broker (RD Connection Broker), formerly Terminal Services Session Broker (TS Session Broker), is a role service that provides the following functionality:

Allows users to reconnect to their existing sessions in a load-balanced RD Session Host server farm. This prevents a user with a disconnected session from being connected to a different RD Session Host server in the farm and starting a new session.

Enables you to evenly distribute the session load among RD Session Host servers in a load-balanced RD Session Host server farm.

Provides users access to virtual desktops hosted on RD Virtualization Host servers and to Re-moteApp programs hosted on RD Session Host servers through RemoteApp and Desktop Connection.

Kuku Backup Policy

PurposeDocumentation of Backup infrastructure, Backup and Recovery policy.

IntroductionKuku Ltd is a growing Architecture Company based in lev Hagalil.With the resent growth of the company the backup strategy was revisited.

ScopeThe service was designed with disaster recovery and Archiving needs of the companyThe ‘data’ backups covers all systems managed by the IT department. Data held and managed on local users systems (PC/Laptops/Tablets/Mobile) are not covered.Every user is instructed to keep any business critical data on local network drives provided by the IT team. All staff are reminded that they are individually responsible for data held locally on their devices.

Backup PolicyFull Backups of KukuLtd are preformed weekly and retained for 4 months on Disk based storage system before being overwritten.Incremental backups are preformed daily and retained for 1 month on Disk based storage system before being overwritten, this insures faster restore time in case data is deleted or corrupted.Backups are to run nightly unless specified otherwise.Backups most be manually restored and cheeked at least ones in 6 months.Backups are replicated to DR site.