Monday, 27 July 2009

back post for updates as per last Friday

since the last post, been trying to set up our next feature. checked with Mr Kravitz regarding any specific method/platforms to use for failover clusters. Was told that we need to use iSCSI target on a Linux system.

Created Debian 5 OS, did basic set up of OS, configured static ip address of 192.168.145.143, joined to nypfypj.com domain.

Tried installing iSCSI target after that, had some problems regarding package not found, tried to look online for solutions regarding installing iSCSI targets. Explored a bit and found out that we should make use of the ISO images Mr Kravitz passed us (thank you!).

added the packages (from the ISO image) using the Synaptic Package Manager to add all 5 ISO images.

from the debian terminal,
sudo aptitude install iscsitarget iscsitarget-modules-`uname -r`
mounted dvd3 and dvd4 (as requested by installation steps).

nano /etc/default/iscsitarget
ISCSITARGET_ENABLE set to true (control o to save, control x to exit)

tried to use lvcreate -L5gb -n storage vg0 to create a logical volume of 5GB to use as storage (but failed, returned bash lvcreate not found)

researched on how to install lvcreate commands, checked in with Mr Kravitz on progress made. Told him about problems encountered regarding setting up of debian storage. He came down to take a look at why commands weren't found (as he said that by default LVM (logical volume manager) commands should be installed).

Before he came down, was actually trying to follow these steps to install LVM on debian. But he came down midway and taught us an easier method by searching the source.list for packages available on the computer (through the cds or downloads already made)

aptitude search (package name)
e.g. aptitude search lvm

apt-get install lvm2 (to install lvm commands/functions)

man lvcreate to check that command exists (successful)

tried out following steps
fdisk /dev/hda
You will not be able to write the partition table.
Note:sector size is 2048 (not 512)
Device contains neither a valid DOS partition table nor SUN, SGI or OSF disklabel
Building a new DOS disk identifier 0x3af51ba2.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
enter n (add new partition)

enter e
Partition number (1-4): 1
First cylinder (1-142, default 1): 1
Last cylinder or +size or +sizeM or +sizeK (1-142, default 142):

failed to open dev/hda. failed to write to partition disk

did some research regarding failure to open dev/hda, found out from here that we are able to use fdisk -l command to check what disks are available on the system

reverted back to snapshot taken after LVM2 was installed. shut down debian client, edited virtual machine settings of client.
Click add, harddisk, next, 5gb disk size, debian-storage, finish, ok, booted client

opened terminal on debian, su, entered password, fdisk -l (to view disks)

tried out following steps (from 3.1 onwards)
fdisk /dev/sdb
n(new partition), p (physical), (1, 652) w(rite to disk)

fdisk -l (check changes)

fdisk /dev/sdb
p (print partition table)
t (change a partition system id)
select partition: 1
hex code: 8e (changed system type of partition 1 to 8e (Linux LVM))
p (print partition table)
w(rite to table)

pvcreate /dev/sdb1 (physical volume "/dev/sdb1" successfully created)
vgcreate storage /dev/sdb1 (volume group "storage" successfully created)

use vgdisplay -v storage (to view group info)

lvcreate -L 4.8g -n hdd storage (successfully created)

mke2fs /dev/storage/hdd

mount /dev/storage/hdd /mnt
ls /mnt

nano /etc/ietd.conf
comment everything out. Add in below codes
Target iqn.2009-04.com.nypfypj:hdd
IncomingUser someuser secret
OutgoingUser
Lun 0 Path=/dev/storage/hdd,Type=fileio
Alias hdd
#MaxConnections 6

Save file. exit

nano /etc/initiators.allow
iqn.2009-04.com.nypfypj:hdd 192.168.145.141

save file. exit

/etc/init.d/iscsitarget start
Starting iSCSI enterprise target service: succeeded.

on ADS
Control panel -> iSCSI Initiator -> Yes -> Yes
under Targets tab able to see target disk
iqn.2009-04.com.nypfypj:hdd : status inactive
click log on. check automatically restore this connection when the computer starts and click ok

log in fail. message shown: authentication failed.

did some research online, which asked me to try check my CHAP settings or to leave out authentication

back on debian client.
open terminal
nano /etc/ietd.conf
commented out IncomingUser/OutgoingUser

reboot client

refresh target list on ADS
iqn.2009-04.com.nypfypj:hdd : status inactive
click log on. check automatically restore this connection when the computer starts and click ok

iqn.2009-04.com.nypfypj:hdd : status connected

open Computer management (Compmgmt.msc) -> Disk management
able to see 4.8gb of harddisk space

right click Disk 1, click on Online
right click again, click on Initialize Disk, leave default settings, click ok

right click on the disk, click New Simple Volume, next, next, assign drive letter: E, next, next, finish

opened my computer, checked that able to access new drive E: created a text file typed in some words. saved.

above steps are found in a mixture of websites which helped enable us to create debian storage which can be used on windows server 2008 (ads)
- setting up of iSCSI on debian 5

- connecting windows server 2008 to iSCSI server
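
Added example, not part of the original post: a short Python check for an ietd.conf like the one in this entry. It flags a target left with no IncomingUser (the state after the CHAP lines were commented out), a CHAP secret outside the 12 to 16 characters the Microsoft iSCSI initiator accepts without IPsec, and an IncomingUser/OutgoingUser line missing its user and secret. The three sample configurations and the placeholder secret are constructed from the post's values.

```python
# CHAP secret length the Microsoft iSCSI initiator accepts without IPsec.
MIN_SECRET, MAX_SECRET = 12, 16
# Constructed sample: the target definition as first written in the post.
AS_POSTED = """\
Target iqn.2009-04.com.nypfypj:hdd
IncomingUser someuser secret
OutgoingUser
Lun 0 Path=/dev/storage/hdd,Type=fileio
Alias hdd
#MaxConnections 6
"""
# Constructed: after the workaround in the post, both CHAP lines commented out.
NO_AUTH = AS_POSTED.replace("IncomingUser", "#IncomingUser").replace("OutgoingUser", "#OutgoingUser")
# Constructed: CHAP kept on with a 16-character placeholder secret.
CHAP_ON = AS_POSTED.replace("someuser secret", "someuser example-secret-1").replace("OutgoingUser\n", "")

def parse_targets(text):
    """Map each Target name to its list of (directive, args) pairs."""
    targets, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        if name == "Target":
            current = args[0] if args else "<unnamed>"
            targets[current] = []
        elif current is not None:  # global directives before any Target are skipped
            targets[current].append((name, args))
    return targets

def audit(text):
    """Return sorted (target, finding) pairs; an empty list means no CHAP issue found."""
    findings = []
    for iqn, directives in parse_targets(text).items():
        creds = [a for n, a in directives if n == "IncomingUser" and len(a) == 2]
        if not creds:
            findings.append((iqn, "no IncomingUser: any allowed initiator can log in"))
        for user, secret in creds:
            if not MIN_SECRET <= len(secret) <= MAX_SECRET:
                findings.append((iqn, f"secret for {user} is {len(secret)} chars"))
        for n, a in directives:
            if n in ("IncomingUser", "OutgoingUser") and len(a) != 2:
                findings.append((iqn, f"{n} needs a user and a secret"))
    return sorted(findings)

if __name__ == "__main__":
    for label, conf in (("as posted", AS_POSTED), ("no auth", NO_AUTH), ("CHAP on", CHAP_ON)):
        print(label, audit(conf))
```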

Tuesday, 14 July 2009

Noticed on Friday while doing troubleshooting of NAP, that while VistaBiz was assigned (192.168.145.145) an ip address set in the dhcp scope range (192.168.145.145 - 192.168.145.254), client2 (192.168.145.143) was not. Which we think is the cause of health policies not working properly (as it isn't using dhcp enforcement properly)

Asked Mr Kravitz if he had any idea what was causing this dhcp assigning to be wrong, and he told us to use a custom setting (VMnet2) as our network adapter setting instead of NAT.

After changing network adaptor settings for all the stations, restarted all of the machines.

client2 now assigned with a proper address (192.168.145.146) within the range, tested out auto-remediation of firewall by turning firewall off.
health alert shows limited connectivity and lack of anti virus.

created client3 by copying client2 and renaming machine. checked ip address to make sure it's in the scope range. Installed Symantec EndPoint anti virus on client3. Rebooted. Check health status.
Lack of update of health status due to no internet connectivity (using custom network). Tried to use VMnet8 (NAT), which allowed internet connection for the domain controller (ADS), and VMnet2 for the rest (NAP, client2, client3), but unable to connect to ADS. Reverted back to VMnet2.

Friday, 10 July 2009

Installed Symantec EndPoint on VistaBiz. Windows Security Health Agent alert that was showing originally (Anti-virus missing) doesn't show anymore. Tried to turn off anti-virus protection & windows firewall (to check for auto-remediation). Nothing happens. tried to release ip and renew ip address. No change.

Created second vista business client named client2, with just basic softwares.

add client2 to NAP enforced computers/group, joined nypfypj network.

health alert randomly pops up upon releasing/renewing ip address at command prompt, re-enabling of firewall is not stable (sometimes it happens, sometimes it doesn't)

check NAP to confirm auto-remediation is configured (yes) reboot NAP

checked configurations using cmd
checked netsh nap client show grouppolicy

in results displayed found out DHCP Quarantine Enforcement Client isn't enabled
enable DHCP Quarantine Enforcement Client
- netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

some useful commands learnt in context to Network Access Protection
- netsh nap client show state
- netsh nap client show config
- netsh nap client show grouppolicy
- net stop napagent && net start napagent

Mr Kravitz came to check on our progress yesterday afternoon, when he was here we tried out auto-remediation on client2. It worked. Then after he left, we tried again. It didn't work again. >.<

He also taught us how to use VM snapshots, which is a similar feature to restore point on normal windows.

While double checking and trying to troubleshoot NAP today, found out that the dynamic ip addresses given to the workstations aren't in the DHCP address range set on the DHCP server, we're hoping this is the reason for the on and off working remediation.

Thursday, 2 July 2009

Mid term presentation!

Mid term presentation is over!

It was a bit scary going through the presentation, us being the first group in our presentation lab. It was like going through that mysterious black hole.

Mr Albert Chua disappeared and a Mr Siva took his place instead, along with Mr Adrian See as our assessors.

Some comments given by our assessors regarding our presentation
- be clearer regarding project requirements/objectives
- don't use so much technical jargon, use layman's terms instead
- Samantha needs to speak slower
- Good that we weren't reading off the slides and referring to cards instead

Friday, 26 June 2009

uninstall AVG from VistaBiz

Reboot all clients

VistaBiz gets restricted due to health policy set.
Windows Security Health Agent failed to apply remediation.
Anti-Virus not found.

Reinstall AVG

Same alert shown as above.

Restart VistaBiz

Created new domain user

Log into VistaBiz with new domain user. Check if same alert still showing despite installation of anti-virus

Alert for Windows Security Health Agent still appears. But is slightly different this time

Checked online about fixing anti-virus updates. Found out here that setting Auto-remediation will not install software for you unless the system health agent (SHA) is specifically designed to do installation. And Windows SHA does not do auto-remediation for all anti-viruses. In this case, us using a third party software. And in some cases, using a third party SHA may allow auto-remediation to change settings in the application to initiate download of a newer version, execute some other update, and perhaps even reboot the computer if needed.

Started on creating powerpoint for mid term presentation.

Thursday, 25 June 2009

Network Access Protection

Reconfigured and renamed Domain Server to ADS for easier reference.

Set static addresses to ADS

IPv4 IP Address: 192.168.145.141
IPv4 Subnet: 255.255.255.0
IPv4 Default Gateway: 192.168.145.2
IPv4 DNS Server: 192.168.145.2

Tested internet connection. Successful

Run dcpromo on ADS to configure it as Domain Controller.
FQDN of forest root domain: nypfypj.com

Forest functional level: Windows Server 2008

Added in a new member server (named: NAP) to be used as a Network Policy Server

Set static addresses to NAP
IPv4 IP Address: 192.168.145.142
IPv4 Subnet: 255.255.255.0
IPv4 Default Gateway: 192.168.145.2
IPv4 DNS Server: 192.168.145.141

Tested internet connection. Successful

Join NAP to nypfypj.com

Set static addresses to VistaBiz

IPv4 IP Address: 192.168.145.143
IPv4 Subnet: 255.255.255.0
IPv4 Default Gateway: 192.168.145.2
IPv4 DNS Server: 192.168.145.141

Tested internet connection. Successful

Join VistaBiz to nypfypj.com

Configured DHCP Server and Network Policy and Access Services role to NAP server. After installing, configured NPS (Network Policy Server) to use DHCP.

Back on ADS Server
Created new Group Policy named NAP Client Settings. Configured NAP Client Settings to enable Network Access Protection Agent and DHCP Quarantine Enforcement Client. Set this group policy to be used on the (Users) group NAP Enforced Computers. Added VistaBiz to the NAP Enforced Computers group so that the Group Policy is applied to that computer.

Rebooted all the clients (2 servers and vista client)

run gpupdate /force on VistaBiz to force update group policies
Tested auto-remediation feature by turning VistaBiz firewall off. Test successful. Firewall was automatically turned back on and alert was shown

Now that we know this works, we can modify it to fit our requirements on having an anti-virus software installed and updated.

Tuesday, 23 June 2009

Continued from yesterday

Group Policy Management
Right click Group Policy Objects -> New -> New GPO
Name: NAP Client Settings

After GPO created, right click NAP Client Settings -> Edit
Expand Computer Configuration, Policies, Windows Settings, Security Settings -> System Services

Double click Network Access Protection Agent, check Define this policy setting, select Automatic option [ok]

Expand Computer Configuration, Windows Settings, Network Access Protection, NAP Client Configuration -> Enforcement Clients
Right click DHCP Quarantine Enforcement Client, click Enable

Click on NAP Client Configuration, right click NAP Client Configuration, click Apply. (Make sure NAP Client Configuration is Enabled)

Group Policy Management, expand Forest, Domains, click on NAP Client Settings GPO
Security Filtering, click Authenticated Users, click Remove
You will see a Group Policy Management dialog box asking if Do you want to remove this delegation privilege? Click OK.

Click Add, enter NAP Enforced Computers (Check names) [ok]

Active Directory Users and Computers -> Users
Double click NAP Enforced Computers -> Members tab -> Add
Tried to add LH-P61NQL342ZDZ to NAP Enforced Computers group. Failed to add (refer to image)

Computer was found under Domain Computers but still not found via adding.

Went to the Domain Computers and selected LH-P61NQL342ZDZ and added it to Member of NAP Enforced Computers instead.


Rename LH-P61NQL342ZDZ to VistaBiz (for easier reference)

Restart both server and workstation

ipconfig settings


print route settings

test auto-remediation feature by turning VistaBiz firewall off.
test failed. ideal situation, Firewall is automatically turned back on. Discrepancy also found in example and actual test. Difference being our settings showing as Public domain instead of private domain.