LKSN2017 ITNSA MODUL2

STUDENT SKILLS COMPETITION (LOMBA KETERAMPILAN SISWA)
VOCATIONAL HIGH SCHOOL
NATIONAL LEVEL XXV 2017

MODULE B
SYSTEM INTEGRATION ISLAND

IT NETWORK SYSTEMS
ADMINISTRATION
LKS2017_ITNSA_MODULB

ISLAND 2 – SYSTEM INTEGRATION ISLAND
CONTENTS
This Test Project proposal consists of the following document/file:
LKSN2017_ITNSA_MODUL2.pdf

INTRODUCTION
The competition has a fixed start and finish time. You must decide how to best divide your
time.
Please carefully read the following instructions!
When the competition time ends, please leave your station in a running state.

Please do not touch the VMware configuration or the configuration of the VM
itself, except the CD-ROM / HDD drives.
PHYSICAL MACHINE (HOST)
FOLDER PATHS
Virtual Machines: E:\Virtual Machine
ISO Images: E:\Apps

LKSN2017_ITNSA

Version: 1.0
Date: 29.11.2017

PART I
WORK TASK INSTALLATION (WINSRV1, WINSRV2,
LNXSRV1, LNXSRV2)
Note: Please use the default configuration if you are not given details.
WORK TASK SERVER WINSRV1
Configure the server with the hostname, domain and IP specified in the appendix.

o Modify the default Firewall rules to allow ICMP (ping) traffic
o Install Active Directory Domain Services for indonesiahebat.net.
  - Create a new Organizational Unit named InaHebat2017. All new users and groups must be created in this OU.
  - Create the users and global security groups with members as indicated in the table in the Appendix. Use Jakarta2017 as the password for all user accounts.
o DNS
  - Create a forward zone called indonesiahebat.net
  - Create a reverse zone for the IP range.
  - Create 3 subdomains:
    - info.indonesiahebat.net
    - training.indonesiahebat.net
    - competition.indonesiahebat.net
  - Create a secondary zone for smkhebat.org and use this server as the backup DNS for the smkhebat.org domain
  - Host and service records have to be created in DNS for all servers and clients.
o PKI (Public Key Infrastructure)
  - Install and configure Certificate Service
  - Install only the Certificate Authority
  - Create a template for Clients AND Servers
    - Name the template ITNSA-ClientServerCert
    - Publish the template in Active Directory
    - Set the subject name format to common name
o GPO – Password Policies
  - Ensure the company user password must meet the following criteria:
    - Domain passwords will be at least 6 characters.
    - Strong passwords need not be enforced.
    - Passwords will not be stored with reversible encryption.
    - Passwords will be changed exactly every 90 days.
    - Accounts will be locked out for 30 minutes after three invalid logon attempts.
  - The password of the users in IT group must meet the following criteria:
    - Domain passwords will be at least 10 characters.
    - Strong passwords will be enforced.
    - Passwords will not be stored with reversible encryption.
    - Passwords will be changed exactly every 30 days.
    - Accounts will be locked out for 15 minutes after two invalid logon attempts.

o GPO – Security Policies
  - At logon on WINCLT2, users should see this message before logging in: Message Title: "Welcome to Indonesiahebat2017" with Message Text "Only authorized personnel allowed to access." and prohibit this message on all servers.
  - All users, except the IT group, are not allowed to access the display settings on the Control Panel.
  - Disable "First Sign-in Animation" for all Windows 8.1 clients
  - Disable the use of cmd and run for the Visitor group
o VPN SERVER (RRAS)
  - Set up and configure the VPN service (RRAS)
  - Use the following IP range for the VPN clients: 192.168.50.100 – 192.168.50.150 (provided by RRAS service)
  - With a VPN connection the user should be able to access the shares on WINSRV2
  - Only users in the sales group should be able to connect to the VPN server
  - Remote clients should be able to access the VPN server via the IP address 143.25.100.1
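
For the GPO – Password Policies task above: Group Policy gives a domain only one effective password policy, so the stricter IT-group rules have to be a fine-grained password policy (PSO). The following PowerShell is an added example, not part of the original test project; the PSO name, the minimum password ages and the lockout observation windows are assumptions that the page does not specify.

```powershell
# Added example, not part of the test project. Run on WINSRV1 as a domain admin.
Import-Module ActiveDirectory

# Company-wide baseline: the single domain password policy.
$companyPolicy = @{
    Identity                    = 'indonesiahebat.net'
    MinPasswordLength           = 6
    ComplexityEnabled           = $false
    ReversibleEncryptionEnabled = $false
    MaxPasswordAge              = (New-TimeSpan -Days 90)
    MinPasswordAge              = (New-TimeSpan -Days 89)     # assumption: one reading of "exactly every 90 days"
    LockoutThreshold            = 3
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)  # assumption: not given on the page
}
Set-ADDefaultDomainPasswordPolicy @companyPolicy

# Stricter rules for the IT group as a PSO. A lower Precedence value wins
# when more than one PSO applies to the same user.
$itPolicy = @{
    Name                        = 'IT-PasswordPolicy'         # hypothetical name
    Precedence                  = 10
    MinPasswordLength           = 10
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    MaxPasswordAge              = (New-TimeSpan -Days 30)
    MinPasswordAge              = (New-TimeSpan -Days 29)     # assumption, as above
    LockoutThreshold            = 2
    LockoutDuration             = (New-TimeSpan -Minutes 15)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 15)  # assumption: not given on the page
}
New-ADFineGrainedPasswordPolicy @itPolicy

# A PSO links only to users or global security groups, which is how the
# task defines the IT group.
Add-ADFineGrainedPasswordPolicySubject -Identity $itPolicy.Name -Subjects 'IT'

# Check: an IT user resolves to the PSO; a non-IT user returns nothing,
# which means the domain default shown by the last command applies.
Get-ADUserResultantPasswordPolicy -Identity 'it01'
Get-ADUserResultantPasswordPolicy -Identity 'mkt01'
Get-ADDefaultDomainPasswordPolicy -Identity 'indonesiahebat.net'
```

The Default Domain Policy GPO writes the same domain attributes, so its password and lockout settings should carry the same company-wide values.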

WORK TASK SERVER WINSRV2
Configure the server with the hostname, domain and IP specified in the appendix.
o Modify the default Firewall rules to allow ICMP (ping) traffic
o Install Active Directory Domain Services for smkhebat.org.
  - Administrator password should be Jakarta2017
  - Enable two-way trust between indonesiahebat.net forest and smkhebat.org forest.
  - Users from each of the forests are able to access resources in both forests.
o DNS
  - Create a forward zone called smkhebat.org
  - Create a reverse zone for the IP range defined in VLAN 31.
  - Create a secondary zone for indonesiahebat.net and use this server as the backup DNS for the indonesiahebat.net domain
  - Host and service records have to be created in DNS for all servers and clients.
o Web Server (IIS)
  - Set up the company web server www.smkhebat.org


WORK TASK SERVER WINSRV1 & WINSRV2
o Install Distributed File System
  - Create "skills" as the root DFS Namespace in a Domain-based namespace in 2008 mode.
  - Create DFS share folders and configure the folder targets as indicated in the following table.
  - Enable DFS Replication between WINSRV1 and WINSRV2.

  DFS Namespace Share Folder: \\indonesiahebat.net\skills\rfolders
    Folder Target: \\WINSRV1\rfolders, \\WINSRV2\rfolders
    Local Folder on both Servers: C:\share\rfolders on WINSRV1, E:\share\rfolders on WINSRV2
    Description: Folder Redirection & home folder

  DFS Namespace Share Folder: \\indonesiahebat.net\skills\IT
    Folder Target: \\WINSRV1\IT, \\WINSRV2\IT
    Local Folder on both Servers: C:\share\IT on WINSRV1, E:\share\IT on WINSRV2
    Description: Departmental Share for IT

  DFS Namespace Share Folder: \\indonesiahebat.net\skills\Sales
    Folder Target: \\WINSRV1\Sales, \\WINSRV2\Sales
    Local Folder on both Servers: C:\share\Sales on WINSRV1, E:\share\Sales on WINSRV2
    Description: Departmental Share for Sales

  DFS Namespace Share Folder: \\indonesiahebat.net\skills\Marketing
    Folder Target: \\WINSRV1\Mkt, \\WINSRV2\Mkt
    Local Folder on both Servers: C:\share\Mkt on WINSRV1, E:\share\Mkt on WINSRV2
    Description: Departmental Share for Marketing

o Configure users profiles and share folders:
  - Create users' home folder \\indonesiahebat.net\skills\rfolders\username and ensure it is mapped to Z: at each logon automatically.
    - Limit the storage space of every home folder to 50MB
    - Prevent any .exe and .bat files from being stored in the home folder.
  - Redirect the Documents folder to \\indonesiahebat.net\skills\rfolders\username\Documents.
  - Create departmental share folders on \\indonesiahebat.net\skills\IT, \\indonesiahebat.net\skills\Sales and \\indonesiahebat.net\skills\Marketing and map the respective share folder to Y: at logon, depending on the department the user is in. Users should not be allowed to access other departments' or users' home shares.

WORK TASK SERVER LNXSRV1
Configure the server with the hostname, domain and IP specified in the appendix.
o Create 50 local UNIX users (userxx) with password "Jakarta2017"
o FreeRadius Server
  - Configure radius server for router and switch access authentication. Use "Secret" as share key.
  - Create SW1 with password "LKSN2017". Will be used for switch access authentication.
  - Create RO with password "LKSN2017". Will be used for router access authentication.
o NTP Server
  - Set NTP server service. Use local clock as time server source
o DHCP Server
  Pool AOCC
  - Range: 10.99.111.51 – 10.99.111.100
  - Netmask: /25

  - Gateway: 10.99.111.1
  - DNS: 10.99.112.2
  Pool OUTSIDE
  - Range: 220.17.8.36 – 220.17.8.40
  - Netmask: /28
  - Gateway: 220.17.8.45
  - DNS: 220.17.8.42

WORK TASK SERVER LNXSRV2
Configure the server with the hostname, domain and IP specified in the appendix.
o Web Server (nginx)
  - Create 3 virtual webhosts for info.indonesiahebat.net; training.indonesiahebat.net; competition.indonesiahebat.net
  - Make sure http://training.indonesiahebat.net is protected by authentication
    - Create users from client to client
o Mail Server & Web Mail
  - Create users budi and ani
  - Make sure they have access via POP3, IMAP and SMTP
  - Before you finish your project make sure you send an email message from budi to ani and another message from ani to budi
  - Do not delete these email messages.
o Cacti
  - Install Cacti
  - Create an admin-user "master" with password "Jakarta2017"
  - Create a graph showing the statistics of the CPU, Memory and interface traffic of LNXSRV1, RO1 and SW1

PART II
WORK TASK NETWORK CONFIGURATION (RO1, SW1)
Note: Please use the default configuration if you are not given details.
WORK TASK ROUTER (RO1) & SWITCH (SW1)
o Use the Indonesia2017 as secret password
o Line console must login with the password LKSN2017
o Configure AAA login with the lnxsrv1 as Radius Server
o Create username admin and password LKSN2017 for failover user if RADIUS server is not available
o Enable SSH Access with authentication using radius server (lnxsrv1)
o Encrypt all clear text passwords
o Configure banner MOTD "AUTHORIZED ACCESS ONLY"
o Configure VLAN and IP Address

  Device  Interface        VLAN ID              Description / VLAN Name  IP Address
  RO1     GI0/0                                                          220.17.8.45/28
  RO1     Gi0/1.30         30                   DESC                     10.99.110.62/26
  RO1     GI0/1.31         31                   AOCC                     10.99.111.1/25
  RO1     GI0/1.32         32                   VOICE                    10.99.111.129/25
  RO1     Gi0/1.33         33                   CDCC                     10.99.112.1/27
  RO1     Gi0/1.99         99                   NATIVE                   10.0.0.1/28
  SW1     Fa0/20 – Fa0/24  99                   NATIVE                   10.0.0.2/28
  SW1     Fa0/1 – Fa0/4    33                   CDCC
  SW1     Fa0/5 – Fa0/12   31 Data & 32 Voice   31 = AOCC, 32 = VOICE
  SW1     Fa0/13 – Fa0/20  30                   DESC

WORK TASK ROUTER (RO1)
o Configure the server with the hostname RO1
o Configure DHCP Relay for VLAN AOCC to lnxsrv
o Configure NAT / PAT
  - Configure NAT Overload using interface gi0/0 with inside local VLAN AOCC
  - Configure Static NAT
    - Static NAT to lnxsrv2 with IP address 220.17.8.41
    - Static NAT to winsrv1 with IP address 220.17.8.42
o Telephony Service
  - Number 999 is used for paging all phones of the company
  - Configure button 2 on hqvph1 to call directly to the paging extension
  - Configure Intercom service with the extension 199
o Access Control List (ACL)
  - Configure Access List with the rules below
    - Ensure outside can access lnxsrv2 and winsrv1 using the outside IP of RO1
    - Allow access from outside to web server lnxsrv1 and winsrv2
    - Deny other traffic from outside to inside
o SNMP

WORK TASK SWITCH (SW1)
o Configure the server with the hostname SW1
o Configure port interface
  - Port 24 trunk mode to ro1
  - Port 1 for lnxsrv1 and lnxsrv2
  - Port 13 for winsrv1
  - Port 14 for winsrv2
  - Port 5 for hqvph1
  - Port 6 for winclnt1
o Configure port security with a maximum of 3 MAC addresses and violation shutdown for the ports to lnxsrv1, lnxsrv2, winsrv1 and winsrv2

PART III
WORK TASK WINDOWS CLIENT (WINCLT1, WINCLT2, IP
PHONE)
Note: Please use the default configuration if you are not given details.
WORK TASK WINDOWS EXTERNAL (WINCLT1)
Configure the server with the hostname, domain and IP specified in the appendix.
o Connect the WINCLT1 to the outside RO1
o Configure the VPN client to connect to winsrv1
WORK TASK WINDOWS INTERNAL (WINCLT2)
Configure the server with the hostname, domain and IP specified in the appendix.
o Connect the WINCLT to the switch VLAN AOCC
o Join the notebook to the domain
o Install and configure Cisco IP Communicator with number 101
WORK TASK IP PHONE (HQVPH1)
Note: Please use the default configuration if you are not given the details.
  - Connect LAN cables and configure IP addresses according to the network diagram in the appendix
  - Configure with number 100
  - Make sure the VoIP-phone is using VLAN19 for its VoIP-traffic
  - The traffic of the connected computer shall use VLAN11

APPENDIX
SPECIFICATIONS
WINSRV1
Computer name: WINSRV1
Operating System: MS Windows 2012 R2
Domain Name: indonesiahebat.net
Administrator User name: Administrator
Administrator password: Jakarta2017
IP address: 10.99.122.2/28
Domain NetBIOS Name: HEBAT

WINSRV2
Computer name: WINSRV2
Operating System: MS Windows 2012 R2
Domain Name: smkhebat.org
Administrator User name: Administrator
Administrator password: Jakarta2017
IP address: 10.99.122.3/28
Domain NetBIOS Name: HEBAT

LNXSRV1
Computer name: LNXSRV1
Operating System: Linux Debian 7.8
User name: root
Password: Jakarta2017
IP address: 10.99.110.1/26

LNXSRV2
Computer name: LNXSRV2
Operating System: Linux Debian 7.8
User name: root
Password: Jakarta2017
IP address: 10.99.110.2/26

WINCLT1
Computer name: WINCLT1
Operating System: MS Windows 8.1
User name: Administrator
Password: Jakarta2017
Domain name: Indonesiahebat.net
IP address: DHCP

WINCLT2
Computer name: WINCLT2
Operating System: MS Windows 8.1
User name: Administrator
Password: Jakarta2017
Domain name: indonesiahebat.net
IP address: DHCP

NETWORK SPECIFICATION
VLAN DESC (ID: 30): 10.99.110.0/26
VLAN AOCC (ID: 31): 10.99.111.0/25
VLAN VOICE (ID: 32): 10.99.111.128/25
VLAN CDCC (ID: 33): 10.99.112.0/27
VLAN NATIVE (ID: 99): 10.0.0.0/28
OUTSIDE: 220.17.8.0/28

DOMAIN USER LIST
Group       Members
IT          itXX (01 – 50)
Marketing   mktXX (01 – 50)
Visitors    vtrXX (01 – 30)
Employees   IT, Marketing

NETWORK DIAGRAM
MODULE B – SYSTEM INTEGRATION & CISCO ISLAND

Host machines: Windows 8.1 Hostmachine (PC1), Windows 8.1 Hostmachine (PC2)
Other diagram labels: VMnet1, VMnet2, VMnet3, winsrv1, winsrv2, lnxsrv1, lnxsrv2, lnxclnt1, lnxclnt2, IP Phone Ext 1002

Name: winsrv1
OS: Windows Server 2012 R2
User: Administrator
Password: Skills39
Domain: skillsbetter.com
IP-Address: 172.20.31.5/28
Service: AD, DNS, PKI (Public Key Infrastructure), GPO, DFS, SNMP, VPN Server (RRAS)

Name: lnxsrv2
OS: Debian 7.8
User: root
Password: Skills39
Domain: skillsbetter.com
IP-Address: 172.20.30.4/29
Service: Web Server (nginx), Mail Server, Web Mail, Cacti, SNMP

SW1
Name: SW1
Password: Skills39
VLAN:
  VLAN 10: External: 200.132.45.33/25
  VLAN 20: Windows: 172.20.31.0/28
  VLAN 30: Linux: 172.20.30./29
  VLAN 40: Branch: 172.29.1.0/28
Service: Port Security, VLAN, SSH, SNMP

Name: lnxsrv1
OS: Debian 7.8
User: root
Password: Skills39
Domain: skillsbetter.com
IP-Address: 172.20.30.3/29
Service: FreeRadius, NTP Server, DHCP Server, SNMP

RO1
Name: lnxsrv1
Password: Skills39
IP-Address:
  External: 200.132.45.33/25
  Gi0/1.10: 172.20.31.1/28
  Gi0/1.20: 172.20.30.1/29
  Gi0/1.30: 172.29.1.1/28
  Gi0/1.40: 192.168.0.1/25
Service: Routing, NAT, ACL, Telephony Service, DHCP Relay, SNMP

Name: winsrv2
OS: Windows Server 2012 R2
User: Administrator
Password: Skills39
Domain: skillsbetter.com
IP-Address: 172.29.1.5/28
Service: AD, DNS, Web Server, DFS, SNMP

Name: winclnt1 (External)
OS: Windows 8.1
User: Administrator
Password: Skills39
Domain: skillsbetter.com
IP-Address: DHCP from lnxsrv2
Service: VPN Client, Softphone

Name: winclnt2 (Internal)
OS: Windows 8.1
User: Administrator
Password: Skills39
Domain: skillsbetter.com
IP-Address: DHCP Client
Service: Join Domain, Softphone