Windows Server Proposal for Dynamic Solar
Kelvin Le
CMIT370
Professor Joseph Marshall
10/11/2016
As an Information Technology consultant, I have gathered important and beneficial ideas that will help Dynamic Solar manufacture and distribute solar panels successfully to the consumer market. The company has three locations which are spread out evenly across the country: San Diego, Houston, and Baltimore. Due to the increasing cost of electricity, the demand for and growth of solar panels are also increasing, which makes it necessary to make data security a priority since patents and trademarks are at stake. San Diego will be the headquarters of this operation, and the Baltimore and Houston sales personnel will need secure remote access to the San Diego office.
In this proposal, I will cover Active Directory, Group Policy, DNS, File Services, Remote Services, and WSUS.
Active Directory:
Active Directory is a centralized database that contains user account and security information. In a workgroup, security and management take place on each computer, with each computer holding information about its own users and resources. With Active Directory, all computers share the same central database. In this case, Dynamic Solar would want the Houston and Baltimore locations to share the same central database as San Diego, since it is the headquarters. Dynamic Solar should implement the trees and forests model, in which multiple domains are grouped together. There will be one forest for Dynamic Solar, which establishes the relationship between trees that have different DNS namespaces. The forest would be called Corp.DynamicSolar.Com and would span the three locations. The domains in a tree would be connected with two-way transitive trusts so that all domains in the forest trust one another. They would also share a common schema, which defines the object classes that can be created in Active Directory and the attributes they contain. Lastly, they would share a common global catalog. Within the domain, organizational units will be used to subdivide and organize network resources. San Diego will have a primary and a backup server acting as global catalog servers. The global catalog allows users to authenticate to the domain and to utilize network resources.
The writable domain controllers should be placed at the San Diego headquarters site, since data security is a priority. A read-only domain controller (RODC) is an additional controller for a domain that hosts read-only partitions of the Active Directory database, which makes it the appropriate choice for the branch locations. The RODC features that will help improve security and prevent the system from being compromised are administrator role separation, unidirectional replication, read-only data, and password replication. Administrator role separation allows RODCs to provide a secure mechanism for granting non-administrative domain users the right to log on to a domain controller without jeopardizing the security of AD DS. This helps prevent Active Directory from being accidentally modified or compromised when installing drivers or applying security updates on the system. Next, unidirectional replication ensures that any corruption a malicious user might introduce at a branch location is never replicated from the RODC to the rest of the forest. The password replication policy controls whether a writable domain controller may replicate user or computer credentials to an RODC; it lets the admin specify exactly which accounts' passwords are cached on the RODC, so privileged credentials never need to be stored at the branch. Using these RODC features will help protect Active Directory.
Flexible Single-Master Operation (FSMO) roles are specialized domain controller tasks assigned to specific domain controllers in the Dynamic Solar domain. The schema master and domain naming master forest-wide roles will be used to maintain Active Directory for the forest and to ensure that domain names are unique and accessible throughout the forest. The PDC emulator role handles password updates for computer and user accounts. FSMO placement will be easier to keep track of if the roles are placed on domain controllers within the sites, especially if there are fewer computers.
In the event that Dynamic Solar has a system failure or power outage, it is important to have a strategy for backup and recovery. Proper backups should be taken while everything is working correctly and performed regularly. Restoring from a system state backup is faster than restoring from a full server backup. The Windows Server Backup utility will be installed through the GUI. As stated before, periodic system state backups will be performed using the backup schedule action in Windows Server Backup, scheduled weekly at 11 pm. Another feature that should be implemented is the snapshot feature, which allows you to see what Active Directory looked like at the time the snapshot was taken. Snapshots use the Volume Shadow Copy Service and are read-only. Snapshots do not allow you to restore data from the snapshot itself, but they allow you to manually record object information.
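The Active Directory design above (forest root at headquarters, sites per location, an RODC at a branch with a restricted password replication policy, FSMO roles kept at headquarters, and a weekly 11 pm system state backup) can be built with the AD DS and Windows Server Backup tooling. The PowerShell below is an added example, not part of the original proposal; the host names (SD-DC1, SD-DC2, HOU-RODC1), the address plan, the backup volume E:, and the group names HOU-Branch-Support and HOU-Sales-Users are assumptions for illustration.

```powershell
# Added example (not part of the original proposal): builds the corp.dynamicsolar.com
# forest on the San Diego DCs, promotes a branch RODC with a restricted password
# replication policy, verifies FSMO placement and schedules weekly system state backups.
# Host names, subnets, volume letters and group names below are assumptions.

# --- 1. Forest root on the San Diego headquarters server (run on SD-DC1) ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName 'corp.dynamicsolar.com' -DomainNetbiosName 'CORP' `
    -InstallDns -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) -Force

# --- 2. Sites and subnets so clients authenticate against the nearest DC ---
New-ADReplicationSite -Name 'SanDiego'
New-ADReplicationSite -Name 'Houston'
New-ADReplicationSite -Name 'Baltimore'
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'SanDiego'   # assumed address plan
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'Houston'
New-ADReplicationSubnet -Name '10.30.0.0/16' -Site 'Baltimore'

# --- 3. Second writable DC / global catalog at headquarters (run on SD-DC2) ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName 'corp.dynamicsolar.com' -SiteName 'SanDiego' `
    -InstallDns -Credential (Get-Credential 'CORP\Administrator') `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) -Force

# --- 4. Read-only DC for the Houston branch (run on HOU-RODC1) ---
# -DelegatedAdministratorAccountName implements administrator role separation: the
# branch support group can log on locally and patch the box without Domain Admin rights.
# -AllowPasswordReplicationAccountName limits which credentials the RODC may cache;
# the Deny list keeps privileged accounts from ever being cached at the branch.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName 'corp.dynamicsolar.com' -ReadOnlyReplica `
    -SiteName 'Houston' -InstallDns -Credential (Get-Credential 'CORP\Administrator') `
    -DelegatedAdministratorAccountName 'CORP\HOU-Branch-Support' `
    -AllowPasswordReplicationAccountName 'CORP\HOU-Sales-Users' `
    -DenyPasswordReplicationAccountName 'CORP\Domain Admins', 'CORP\Enterprise Admins' `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) -Force

# Adjust the password replication policy later without re-promoting the RODC
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'HOU-RODC1' -AllowedList 'HOU-Sales-Users'
# Audit which credentials the RODC has actually cached
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'HOU-RODC1' -RevealedAccounts

# --- 5. Keep all five FSMO roles on the headquarters DC and verify placement ---
Move-ADDirectoryServerOperationMasterRole -Identity 'SD-DC1' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# --- 6. Weekly system state backup, Sundays at 23:00, to a dedicated backup volume ---
Install-WindowsFeature Windows-Server-Backup
$action  = New-ScheduledTaskAction -Execute 'wbadmin.exe' `
    -Argument 'start systemstatebackup -backupTarget:E: -quiet'   # E: is an assumed backup volume
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 23:00
Register-ScheduledTask -TaskName 'AD System State Backup' -Action $action -Trigger $trigger `
    -User 'SYSTEM' -RunLevel Highest

# --- 7. Read-only AD snapshot for comparing object state after a change ---
ntdsutil "activate instance ntds" snapshot create quit quit
```

Each numbered section runs on the server named in its comment. The Deny list in step 4 is the part worth checking after deployment: the `-RevealedAccounts` query shows exactly which credentials an attacker would obtain by stealing the branch RODC, and it should never list a Domain Admin.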
Group Policy:
Group Policy enables the admin to specify settings for groups of users and computers, including registry-based policy settings, security settings, software installation, scripts, and folder redirection. The admin can configure and change settings for multiple workstations within the domain, for example to change the time zone, install printers, repair network connections, or disable user interface settings. Group Policy Objects (GPOs) are linked to sites, domains, and organizational units. Settings in a GPO apply to all objects beneath the linked object: settings in a GPO linked to the domain apply to all objects in the domain, and settings in a GPO linked to an OU apply to all objects inside the OU. This is efficient because through a GPO you can change and modify the Windows Firewall settings once and link them to the domain.
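The firewall-by-GPO idea above, with one computer policy linked at the domain and one user policy scoped to a single OU, looks like this with the GroupPolicy module. This is an added example, not the proposal's own code; the OU name "Houston Sales", the GPO names, and the registry values chosen are assumptions for illustration.

```powershell
# Added example (not the proposal's own code): creates an OU for the Houston sales staff,
# builds a GPO that turns on Windows Firewall for the domain profile and blocks inbound
# connections by default, links it (enforced) at the domain so every computer inherits it,
# and links a second GPO with user settings to the OU only.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName       # e.g. DC=corp,DC=dynamicsolar,DC=com
New-ADOrganizationalUnit -Name 'Houston Sales' -Path $domainDN

# Computer-side policy: enforce the firewall for every domain-joined computer
$fw = New-GPO -Name 'Baseline - Windows Firewall' -Comment 'Firewall on for all domain computers'
$fwKey = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
Set-GPRegistryValue -Name $fw.DisplayName -Key $fwKey -ValueName 'EnableFirewall'       -Type DWord -Value 1
Set-GPRegistryValue -Name $fw.DisplayName -Key $fwKey -ValueName 'DefaultInboundAction' -Type DWord -Value 1  # 1 = block
Set-GPRegistryValue -Name $fw.DisplayName -Key $fwKey -ValueName 'DisableNotifications' -Type DWord -Value 0
# Link at the domain root and enforce it so a GPO linked lower down cannot override it
New-GPLink -Name $fw.DisplayName -Target $domainDN -LinkEnabled Yes -Enforced Yes

# User-side policy scoped to one OU: hide Control Panel for the sales staff only
$ui = New-GPO -Name 'Houston Sales - Restricted UI'
Set-GPRegistryValue -Name $ui.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1
New-GPLink -Name $ui.DisplayName -Target "OU=Houston Sales,$domainDN" -LinkEnabled Yes

# Verify: what is linked where, and what the firewall GPO actually contains
Get-GPInheritance -Target "OU=Houston Sales,$domainDN" | Select-Object -ExpandProperty InheritedGpoLinks
Get-GPOReport -Name $fw.DisplayName -ReportType Html -Path "$env:TEMP\firewall-gpo.html"
# On a client, after 'gpupdate /force', 'gpresult /r' confirms both GPOs were applied
```

`-Enforced Yes` is the detail that matters for a security baseline: without it, an administrator of a child OU could link a GPO that turns the firewall back off, and the OU link would win because it is closer to the object.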
DNS:
Dynamic Solar will use an internal private domain. The DNS namespace will be SD.Solardynamic.localhost and HOU.Solardynamic.localhost as the parent domains and BAL.Solardynamic.localhost as the child domain. The San Diego server should host the primary zone since it is the headquarters. It will hold the master copy of a standard zone database, while Baltimore and Houston will host secondary zones, which are read-only copies of the standard zone database. Baltimore and Houston will not be able to make changes to the records; they can only copy zone data from the primary server or from other secondary servers.
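The primary/secondary arrangement above has one setting that decides whether it is safe: which servers the primary will hand the zone to. The PowerShell below is an added example, not the proposal's own code; it uses the SD zone name from the proposal, while the server addresses and host records are assumptions for illustration.

```powershell
# Added example (not from the proposal): a file-backed standard primary zone on the
# San Diego DNS server, secondary zones at Houston and Baltimore, and zone transfers
# restricted to those two servers. Addresses and records are assumptions.

$zone        = 'sd.solardynamic.localhost'
$sanDiego    = '10.10.0.10'                   # SD-DNS1, holds the master copy
$secondaries = '10.20.0.10', '10.30.0.10'     # HOU-DNS1, BAL-DNS1

# --- On the San Diego server: primary zone plus a few records ---
Install-WindowsFeature DNS -IncludeManagementTools
Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -DynamicUpdate None
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'fs1'  -IPv4Address '10.10.0.20'
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'wsus' -IPv4Address '10.10.0.30'

# Only the two listed secondaries may pull the zone (AXFR/IXFR); any other requester is
# refused. A zone left open to transfer from anywhere hands out the whole host inventory.
Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $secondaries -Notify NotifyServers -NotifyServers $secondaries

# --- On each branch server: read-only secondary that pulls from San Diego ---
Install-WindowsFeature DNS -IncludeManagementTools
Add-DnsServerSecondaryZone -Name $zone -ZoneFile "$zone.dns" -MasterServers $sanDiego

# --- Verification (from any of the three servers) ---
Get-DnsServerZone -Name $zone | Select-Object ZoneName, ZoneType, IsReadOnly, SecureSecondaries
Resolve-DnsName -Name "fs1.$zone" -Server $secondaries[0]     # record visible at the branch
```

`-DynamicUpdate None` on a standard (non AD-integrated) zone keeps clients from registering or overwriting records; if the zones are later converted to AD-integrated, switch to secure-only updates instead. Windows DNS logs refused transfer attempts in the DNS Server event log, which is the place to look for unexpected requesters.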
File Services:
The shares will be secured through EFS, which is a component of the NTFS file system. Files and folders are encrypted and decrypted transparently as users use them. Access to encrypted data is controlled by EFS, and you must have write permission on a folder or file to encrypt it. Only the user who originally encrypted the file, or any users designated as authorized users, can open the encrypted file. EFS keys are protected by the user's password, so a strong password policy will be implemented to keep that password secure.
File Server Resource Manager (FSRM) will be configured to allow admins to understand, control, and manage the quantity and type of data stored on their servers. FSRM quotas will be used to enforce space limits on a volume or folder. I will set a hard quota, which sets a limit on the amount of space the volume or folder contents can use; once the limit is reached, no new files can be saved in the volume or folder. To make sure there are notifications before the limit is reached, I will configure a notification at 90% of the quota limit, with e-mail notifications sent to users when their quota limit is almost reached. I will also implement the file screening feature, which prevents specific types of files from being saved in the specified volume or folder. This will prevent users from downloading and saving pirated or unknown files that might carry viruses.
Distributed File System (DFS) will be used to organize shared folders on multiple servers into a single logical folder. Using DFS, users at all locations can access multiple shared folders from a single network path. DFS Replication will be used to maintain multiple copies of the shared folders across all three servers, so that the data remains available if one server fails.
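The three File Services pieces above (EFS on a share, FSRM hard quotas with a 90% e-mail warning and file screening, and a DFS namespace with DFS Replication across the three servers) fit in one script. This is an added example, not the proposal's own code; server names (SD-FS1, HOU-FS1, BAL-FS1), share paths, the mail server and the quota size are assumptions for illustration. One caveat the proposal does not mention: DFS Replication does not replicate files encrypted with EFS, so the example applies EFS to a local-only engineering folder and leaves the replicated Sales share unencrypted at the file level.

```powershell
# Added example (not the proposal's own code): FSRM hard quota with a 90% e-mail warning,
# an active file screen that blocks executables and media, EFS on a local-only folder,
# and a domain-based DFS namespace with DFS Replication across the three sites.
# Paths, server names, mail settings and share names are assumptions.

# --- FSRM: quotas and file screening (run on the file server, e.g. SD-FS1) ---
Install-WindowsFeature FS-FileServer, FS-Resource-Manager -IncludeManagementTools
Set-FsrmSetting -SmtpServer 'mail.corp.dynamicsolar.com' `
    -FromEmailAddress 'fsrm@corp.dynamicsolar.com' -AdminEmailAddress 'itops@corp.dynamicsolar.com'

# E-mail the owner of the write and the admins when 90% of the quota is used
$warn = New-FsrmAction -Type Email -MailTo '[Source Io Owner Email];[Admin Email]' `
    -Subject 'Quota warning on [Quota Path]' `
    -Body 'You have used [Quota Used Percent]% of the [Quota Limit] limit on [Quota Path].'
$threshold = New-FsrmQuotaThreshold -Percentage 90 -Action $warn
# Hard limit is the default (-SoftLimit would only report). 10 GB per department share.
New-FsrmQuotaTemplate -Name '10GB Department Share' -Size 10GB -Threshold $threshold
New-FsrmQuota -Path 'D:\Shares\Sales' -Template '10GB Department Share'

# Active file screen: refuse to save executables and audio/video into the share
New-FsrmFileScreenTemplate -Name 'Block executables and media' `
    -IncludeGroup 'Executable Files', 'Audio and Video Files' -Active
New-FsrmFileScreen -Path 'D:\Shares\Sales' -Template 'Block executables and media'

# --- EFS on a folder that is NOT replicated (DFSR skips EFS-encrypted files) ---
cipher.exe /e /s:D:\Shares\Engineering
cipher.exe /c D:\Shares\Engineering\patent-draft.docx   # lists who can decrypt the file

# --- DFS namespace: one logical path for all three sites ---
Install-WindowsFeature FS-DFS-Namespace, FS-DFS-Replication -IncludeManagementTools
New-DfsnRoot -Path '\\corp.dynamicsolar.com\Shares' -TargetPath '\\SD-FS1\DFSRoot' -Type DomainV2
New-DfsnFolder       -Path '\\corp.dynamicsolar.com\Shares\Sales' -TargetPath '\\SD-FS1\Sales'
New-DfsnFolderTarget -Path '\\corp.dynamicsolar.com\Shares\Sales' -TargetPath '\\HOU-FS1\Sales'
New-DfsnFolderTarget -Path '\\corp.dynamicsolar.com\Shares\Sales' -TargetPath '\\BAL-FS1\Sales'

# --- DFS Replication: keep the three copies in sync, hub-and-spoke from San Diego ---
$members = 'SD-FS1', 'HOU-FS1', 'BAL-FS1'
New-DfsReplicationGroup -GroupName 'Sales' | Out-Null
New-DfsReplicatedFolder -GroupName 'Sales' -FolderName 'Sales' | Out-Null
Add-DfsrMember -GroupName 'Sales' -ComputerName $members | Out-Null
foreach ($spoke in 'HOU-FS1', 'BAL-FS1') {
    Add-DfsrConnection -GroupName 'Sales' -SourceComputerName 'SD-FS1' -DestinationComputerName $spoke | Out-Null
}
foreach ($m in $members) {
    Set-DfsrMembership -GroupName 'Sales' -FolderName 'Sales' -ComputerName $m `
        -ContentPath 'D:\Shares\Sales' -PrimaryMember ($m -eq 'SD-FS1') -Force | Out-Null
}

# --- Verification ---
Get-FsrmQuota -Path 'D:\Shares\Sales' | Select-Object Path, Size, Usage, SoftLimit
Get-DfsnFolderTarget -Path '\\corp.dynamicsolar.com\Shares\Sales'
Get-DfsrState -ComputerName 'HOU-FS1'      # replication backlog and state per member
```

Two-way connections are created by `Add-DfsrConnection` by default, so the spokes can also push changes back to headquarters; if the branches should only receive, set up the connections one way instead. The `Get-DfsrState` backlog is worth watching after the initial sync, because a member that never catches up is exactly the copy you would fail over to.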
Remote Services:
The Routing and Remote Access role will be installed to provide secure remote access for users. A virtual private network (VPN) will be used to support secure communications over an untrusted network. The VPN protocol used will be the Secure Socket Tunneling Protocol (SSTP), because it supports password- and certificate-based authentication and includes encryption through SSL. Authentication protocols ensure that remote users have the necessary credentials for remote access. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2), the highest level of authentication possible without using EAP, will be implemented. The protocol uses a challenge/response mechanism, encrypts the shared secret, allows for mutual authentication, and allows users to change their password.
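The RRAS configuration described above, an SSTP VPN server restricted to MS-CHAPv2 user authentication, can be set up with the RemoteAccess module. This is an added example, not the proposal's own code; the certificate subject vpn.dynamicsolar.com and the client address pool are assumptions, and the string accepted by `-UserAuthProtocolAccepted` is taken from the module's documented values and should be confirmed against the output of `Get-VpnAuthProtocol` on the target server.

```powershell
# Added example (not the proposal's own code): installs RRAS as a VPN server, binds the
# SSTP listener to a server certificate issued by the company CA, limits user
# authentication to MS-CHAPv2, and assigns a static client pool.
# Certificate subject and the address range are assumptions.

Install-WindowsFeature DirectAccess-VPN, Routing -IncludeManagementTools
Install-RemoteAccess -VpnType Vpn -PassThru          # VPN only, no DirectAccess

# SSTP carries PPP inside TLS on 443, so the server needs a certificate the clients
# already trust. Pick the newest valid one for the VPN name from the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=vpn.dynamicsolar.com*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No server certificate for vpn.dynamicsolar.com in LocalMachine\My' }
Set-RemoteAccess -SslCertificate $cert

# Accept MS-CHAPv2 only; PAP and CHAP are refused so a password is never sent in the clear.
# 'MSChapv2' is the value name used by the RemoteAccess module (assumption: verify locally).
Set-VpnAuthProtocol -UserAuthProtocolAccepted 'MSChapv2' -PassThru

# Static address pool for remote clients (assumed range)
Set-VpnIPAddressAssignment -IPAssignmentMethod StaticPool -IPAddressRange '10.10.250.1', '10.10.250.254'

# Verify the configuration and watch who is connected
Get-VpnAuthProtocol | Select-Object UserAuthProtocolAccepted
Get-RemoteAccess    | Select-Object VpnStatus, SslCertificate
Get-RemoteAccessConnectionStatistics | Select-Object UserName, ClientIPAddress, ConnectionType
```

With MS-CHAPv2 as the inner authentication, the strength of the setup rests on the TLS layer SSTP provides and on the password policy already proposed for EFS; the certificate check in the script is there because an expired or untrusted server certificate is the most common reason SSTP clients fail to connect.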
WSUS:
Windows Server Update Services (WSUS) is a client-server application that allows you to use a server on your intranet as a centralized point for updating software. Without WSUS, clients must communicate with the Microsoft Update web site to download and install patches or other updates. Since security is a concern for Dynamic Solar, I propose a disconnected WSUS setup. WSUS server A would sit on a separate network that is connected to the internet, and server B would not be connected to the internet but would be connected to the company intranet. Server A would be responsible for downloading and maintaining the updates and patches; after they have been reviewed thoroughly, they would be exported to an external drive, and that drive would be carried to server B, which would then distribute the updates to the company intranet.
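The disconnected WSUS workflow above has a defined export/import procedure in WSUS (metadata via wsusutil.exe, content by file copy). The PowerShell below is an added example, not the proposal's own code; the WSUS content path D:\WSUS, the removable drive E:, the server name wsus.corp.dynamicsolar.com and the "Pilot Workstations" target group are assumptions for illustration. It adds one step the proposal leaves implicit: hashing the exported metadata on server A and checking it on server B, so the media cannot be altered in transit without being noticed.

```powershell
# Added example (not the proposal's own code): the disconnected WSUS workflow.
# Server A (internet-facing) synchronises from Microsoft Update and exports metadata plus
# content to removable media; Server B (intranet only) verifies, imports and approves.
# Paths, server names and the removable drive letter are assumptions.
$wsusutil = "$env:ProgramFiles\Update Services\Tools\wsusutil.exe"

# ======== Server A: internet-connected, never reachable from the intranet ========
Install-WindowsFeature UpdateServices -IncludeManagementTools
Set-WsusServerSynchronization -SyncFromMicrosoftUpdate
# Pull only the products and classifications the company actually runs
Get-WsusProduct | Where-Object {
    $_.Product.Title -like 'Windows Server 2016*' -or $_.Product.Title -like 'Windows 10*'
} | Set-WsusProduct
Get-WsusClassification | Where-Object {
    $_.Classification.Title -in 'Critical Updates', 'Security Updates'
} | Set-WsusClassification
(Get-WsusServer).GetSubscription().StartSynchronization()

# Export metadata (.xml.gz) and mirror the downloaded content to the removable drive E:
& $wsusutil export 'E:\wsus-export.xml.gz' 'E:\wsus-export.log'
robocopy 'D:\WSUS\WsusContent' 'E:\WsusContent' /MIR /R:2 /W:5
# Record a hash of the metadata so Server B can confirm the file was not altered in transit
(Get-FileHash 'E:\wsus-export.xml.gz' -Algorithm SHA256).Hash | Set-Content 'E:\wsus-export.sha256'

# ======== Server B: intranet only, after the drive is carried over ========
Install-WindowsFeature UpdateServices -IncludeManagementTools
$expected = (Get-Content 'E:\wsus-export.sha256').Trim()
$actual   = (Get-FileHash 'E:\wsus-export.xml.gz' -Algorithm SHA256).Hash
if ($actual -ne $expected) { throw 'Export metadata hash mismatch; do not import.' }

robocopy 'E:\WsusContent' 'D:\WSUS\WsusContent' /MIR /R:2 /W:5
& $wsusutil import 'E:\wsus-export.xml.gz' 'E:\wsus-import.log'

# Approve the imported security and critical updates for a pilot group before everyone
foreach ($class in 'Security', 'Critical') {
    Get-WsusUpdate -Classification $class -Approval Unapproved -Status FailedOrNeeded |
        Approve-WsusUpdate -Action Install -TargetGroupName 'Pilot Workstations'
}

# Point intranet clients at Server B through Group Policy (assumed server name)
$gpo = New-GPO -Name 'Baseline - WSUS Client'
$wuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $wuKey -ValueName 'WUServer'       -Type String -Value 'http://wsus.corp.dynamicsolar.com:8530'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $wuKey -ValueName 'WUStatusServer' -Type String -Value 'http://wsus.corp.dynamicsolar.com:8530'
Set-GPRegistryValue -Name $gpo.DisplayName -Key "$wuKey\AU" -ValueName 'UseWUServer' -Type DWord -Value 1
New-GPLink -Name $gpo.DisplayName -Target (Get-ADDomain).DistinguishedName -LinkEnabled Yes
```

The hash check is the cheap control that makes the air gap meaningful: the update packages themselves are signed by Microsoft and WSUS verifies them on import, but the metadata file is what decides which packages are offered, so it is worth carrying a hash of it separately from the drive.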
Conclusion:
In conclusion, I have proposed and implemented a plan for Dynamic Solar that meets their criteria. The San Diego, Houston, and Baltimore locations will be secure and efficient with this proposed plan, which covers Active Directory, Group Policy, DNS, File Services, Remote Services, and WSUS.