Monday, 27 July 2009

back post for updates as per last Friday

Since the last post, been trying to set up our next feature. Checked with Mr Kravitz regarding any specific method/platforms to use for failover clusters. Was told that we need to use an iSCSI target on a Linux system.

Created Debian 5 OS, did basic set up of OS, configured static ip address of 192.168.145.143, joined to nypfypj.com domain.

Tried installing the iSCSI target after that, had some problems regarding a package not found, tried to look online for solutions regarding installing iSCSI targets. Explored a bit and found out that we should make use of the ISO images Mr Kravitz passed us (thank you!).

Added the packages (from the ISO images) using the Synaptic Package Manager to add all 5 ISO images.

From the Debian terminal,
sudo aptitude install iscsitarget iscsitarget-modules-`uname -r`
mounted dvd3 and dvd4 (as requested by the installation steps).

nano /etc/default/iscsitarget
ISCSITARGET_ENABLE set to true (control o to save, control x to exit)

Tried to use lvcreate -L5gb -n storage vg0 to create a logical volume of 5GB to use as storage (but it failed, returned "bash: lvcreate: not found").

Researched how to install the lvcreate commands, checked in with Mr Kravitz on progress made. Told him about the problems encountered regarding setting up of Debian storage. He came down to take a look at why the commands weren't found (as he said that by default the LVM (logical volume manager) commands should be installed).

Before he came down, was actually trying to follow these steps to install LVM on Debian. But he came down midway and taught us an easier method by searching the sources.list for packages available on the computer (through the CDs or downloads already made).

aptitude search (package name)
e.g. aptitude search lvm

apt-get install lvm2 (to install lvm commands/functions)

man lvcreate to check that the command exists (successful)

Tried out the following steps
fdisk /dev/hda
You will not be able to write the partition table.
Note:sector size is 2048 (not 512)
Device contains neither a valid DOS partition table nor SUN, SGI or OSF disklabel
Building a new DOS disk identifier 0x3af51ba2.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
enter n (add new partition)

enter e
Partition number (1-4): 1
First cylinder (1-142, default 1): 1
Last cylinder or +size or +sizeM or +sizeK (1-142, default 142):

Failed to open /dev/hda. Failed to write to partition disk.

Did some research regarding the failure to open /dev/hda, found out from here that we are able to use the fdisk -l command to check what disks are available on the system.

Reverted back to the snapshot taken after LVM2 was installed. Shut down the Debian client, edited the virtual machine settings of the client.
Click Add, Hard Disk, Next, 5GB disk size, debian-storage, Finish, OK, booted client

Opened a terminal on Debian, su, entered password, fdisk -l (to view disks)

Tried out the following steps (from 3.1 onwards)
fdisk /dev/sdb
n(new partition), p (physical), (1, 652) w(rite to disk)

fdisk -l (check changes)

fdisk /dev/sdb
p (print partition table)
t (change a partition system id)
select partition: 1
hex code: 8e (changed system type of partition 1 to 8e (Linux LVM))
p (print partition table)
w(rite to table)

pvcreate /dev/sdb1 (physical volume "/dev/sdb1" successfully created)
vgcreate storage /dev/sdb1 (volume group "storage" successfully created)

use vgdisplay -v storage (to view group info)

lvcreate -L 4.8g -n hdd storage (successfully created)

mke2fs /dev/storage/hdd

mount /dev/storage/hdd /mnt
ls /mnt

nano /etc/ietd.conf
Comment everything out. Add in the lines below
Target iqn.2009-04.com.nypfypj:hdd
IncomingUser someuser secret
OutgoingUser
Lun 0 Path=/dev/storage/hdd,Type=fileio
Alias hdd
#MaxConnections 6

Save file. Exit

nano /etc/initiators.allow
iqn.2009-04.com.nypfypj:hdd 192.168.145.141

Save file. Exit

/etc/init.d/iscsitarget start
Starting iSCSI enterprise target service: succeeded.

On ADS
Control Panel -> iSCSI Initiator -> Yes -> Yes
Under the Targets tab, able to see the target disk
iqn.2009-04.com.nypfypj:hdd : status inactive
Click Log on. Check "Automatically restore this connection when the computer starts" and click OK

Log in failed. Message shown: authentication failed.

Did some research online, which asked me to try checking my CHAP settings or to leave out authentication.

Back on the Debian client.
Open terminal
nano /etc/ietd.conf
Commented out IncomingUser/OutgoingUser

Reboot client

Refresh target list on ADS
iqn.2009-04.com.nypfypj:hdd : status inactive
Click Log on. Check "Automatically restore this connection when the computer starts" and click OK

iqn.2009-04.com.nypfypj:hdd : status connected

Open Computer Management (compmgmt.msc) -> Disk Management
Able to see 4.8GB of hard disk space

Right click Disk 1, click on Online
Right click again, click on Initialize Disk, leave default settings, click OK

Right click on the disk, click New Simple Volume, Next, Next, assign drive letter: E, Next, Next, Finish

Opened My Computer, checked that we were able to access the new drive E:. Created a text file, typed in some words, saved.

The above steps are found in a mixture of websites which helped enable us to create Debian storage which can be used on Windows Server 2008 (ADS):
- setting up of iSCSI on Debian 5

- connecting Windows Server 2008 to the iSCSI server
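The ietd.conf written above turns CHAP on (IncomingUser), and the fix for "authentication failed" was to comment that line out, which leaves the LUN reachable by any initiator that initiators.allow lets through. The script below is an added example, not code from the blog or from the iSCSI Enterprise Target project: it reads an ietd.conf and an initiators.allow in the format shown in the post and reports, per target, whether CHAP is off, whether the CHAP secret is outside the 12-to-16-character range (an assumption here: that range is what the Windows iSCSI initiator enforces for CHAP secrets and what IET's documentation states, so a six-character secret such as "secret" is one thing worth checking before giving up on CHAP), and whether initiators.allow restricts the target to specific hosts. The sample configuration files it writes are constructed copies of the ones in the post plus a hardened variant with a placeholder secret.

```shell
#!/bin/sh
# Added audit helper for IET (iscsitarget) configs. Not code from the blog or
# from the IET project: it parses ietd.conf and initiators.allow as written in
# the post and flags targets exported without CHAP, with an out-of-range CHAP
# secret, or to every host. Assumption: CHAP secrets must be 12 to 16 chars.

# audit_ietd CONF ALLOW
#   prints one finding per line; exit status = number of findings (0 = clean)
audit_ietd() {
  awk -v allowfile="$2" '
    # strip comments and surrounding blanks (note: a "#" inside a secret would be cut too)
    function trim(s) { sub(/#.*/, "", s); gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    BEGIN {
      # initiators.allow lines: "<target-iqn or ALL> <host>[,<host>...]"
      while ((getline line < allowfile) > 0) {
        line = trim(line); if (line == "") continue
        tgt = line; sub(/[ \t].*$/, "", tgt)
        rest = line; sub(/^[^ \t]+[ \t]*/, "", rest)
        allowed[tgt] = rest
      }
    }
    {
      line = trim($0); if (line == "") next
      n = split(line, f, /[ \t]+/)
      if (f[1] == "Target") { cur = f[2]; targets[++nt] = cur; next }
      if (cur == "") next        # global section (discovery auth), not audited here
      if (f[1] == "IncomingUser" && n >= 3) { chap[cur] = 1; secret[cur] = f[3] }
    }
    END {
      findings = 0
      for (i = 1; i <= nt; i++) {
        t = targets[i]
        if (!(t in chap)) {
          print t ": no IncomingUser, permitted initiators log in without CHAP"; findings++
        } else if (length(secret[t]) < 12 || length(secret[t]) > 16) {
          print t ": CHAP secret is " length(secret[t]) " chars, expected 12 to 16"; findings++
        }
        hosts = (t in allowed) ? allowed[t] : (("ALL" in allowed) ? allowed["ALL"] : "")
        if (hosts == "") {
          print t ": not listed in initiators.allow, no per-host restriction applies"; findings++
        } else if (hosts ~ /(^|,)[ \t]*ALL[ \t]*(,|$)/) {
          print t ": initiators.allow permits ALL hosts"; findings++
        }
      }
      exit findings
    }' "$1"
}

# audit_count CONF ALLOW : echoes the number of findings and never fails itself
audit_count() {
  if audit_ietd "$1" "$2" >/dev/null; then echo 0; else echo $?; fi
}

# write_samples DIR : constructed sample files mirroring the post's configuration
write_samples() {
  mkdir -p "$1"
  # 1) the first ietd.conf from the post: CHAP on, but only a 6-character secret
  cat >"$1/ietd-chap.conf" <<'EOF'
Target iqn.2009-04.com.nypfypj:hdd
IncomingUser someuser secret
OutgoingUser
Lun 0 Path=/dev/storage/hdd,Type=fileio
Alias hdd
#MaxConnections 6
EOF
  # 2) the later version with IncomingUser/OutgoingUser commented out (CHAP off)
  sed -e 's/^IncomingUser/#&/' -e 's/^OutgoingUser/#&/' \
    "$1/ietd-chap.conf" >"$1/ietd-nochap.conf"
  # 3) a hardened variant: CHAP kept, 15-character placeholder secret
  sed 's/^IncomingUser someuser secret$/IncomingUser someuser ChangeMe12Chars/' \
    "$1/ietd-chap.conf" >"$1/ietd-hardened.conf"
  # initiators.allow exactly as in the post (only ADS may connect)
  printf 'iqn.2009-04.com.nypfypj:hdd 192.168.145.141\n' >"$1/initiators.allow"
  # a permissive initiators.allow for contrast
  printf 'ALL ALL\n' >"$1/initiators.open"
}

# Stand-alone usage: sh audit.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); write_samples "$d"
  for c in ietd-chap ietd-nochap ietd-hardened; do
    echo "== $c.conf"; audit_ietd "$d/$c.conf" "$d/initiators.allow" || true
  done
  rm -rf "$d"
fi
```

Run it with `sh audit.sh demo`, or point `audit_ietd` at the live /etc/ietd.conf and /etc/initiators.allow on the Debian target. The post's original file reports the short secret, the commented-out version reports that CHAP is off, and the hardened variant is clean against the post's initiators.allow but is flagged again if initiators.allow is opened up to ALL.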

Tuesday, 14 July 2009

Noticed on Friday while troubleshooting NAP that while VistaBiz was assigned an IP address (192.168.145.145) within the DHCP scope range (192.168.145.145 - 192.168.145.254), client2 (192.168.145.143) was not. We think this is the cause of the health policies not working properly (as it isn't using DHCP enforcement properly).

Asked Mr Kravitz if he had any idea what was causing this DHCP assignment to be wrong, and he told us that instead of using NAT as our network adapter setting, to use a custom setting (VMnet2) instead.

After changing the network adapter settings for all the stations, restarted all of the machines.

client2 is now assigned a proper address (192.168.145.146) within the range. Tested out auto-remediation of the firewall by turning the firewall off.
The health alert shows limited connectivity and lack of anti-virus.

Created client3 by copying client2 and renaming the machine. Checked the IP address to make sure it's in the scope range. Installed Symantec Endpoint anti-virus on client3. Rebooted. Checked health status.
Lack of update of health status due to no internet connectivity (using the custom network). Tried to use VMnet8 (NAT), which allowed an internet connection for the domain controller (ADS), and VMnet2 for the rest (NAP, client2, client3), but they were unable to connect to ADS. Reverted back to VMnet2.

Friday, 10 July 2009

Installed Symantec Endpoint on VistaBiz. The Windows Security Health Agent alert that was showing originally (Anti-virus missing) doesn't show anymore. Tried to turn off anti-virus protection & Windows Firewall (to check for auto-remediation). Nothing happens. Tried to release and renew the IP address. No change.

Created a second Vista Business client named client2, with just basic software.

Added client2 to the NAP Enforced Computers group, joined the nypfypj network.

The health alert randomly pops up upon releasing/renewing the IP address at the command prompt; re-enabling of the firewall is not stable (sometimes it happens, sometimes it doesn't).

Checked NAP to confirm auto-remediation is configured (yes). Rebooted NAP.

Checked configurations using cmd
Checked netsh nap client show grouppolicy

In the results displayed, found out that the DHCP Quarantine Enforcement Client isn't enabled.
Enable DHCP Quarantine Enforcement Client
- netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

Some useful commands learnt in the context of Network Access Protection
- netsh nap client show state
- netsh nap client show config
- netsh nap client show grouppolicy
- net stop napagent && net start napagent

Mr Kravitz came to check on our progress yesterday afternoon, when he was here we tried out auto-remediation on client2. It worked. Then after he left, we tried again. It didn't work again. >.<

He also taught us how to use VM snapshots, which is a similar feature to restore point on normal windows.

While double checking and trying to troubleshoot NAP today, found out that the dynamic IPs given to the workstations aren't in the DHCP address range set on the DHCP server. We're hoping this is the reason for the on-and-off working remediation.

Thursday, 2 July 2009

Mid term presentation!

Mid term presentation is over!

It was a bit scary going through the presentation, us being the first group in our presentation lab. It was like going through that mysterious black hole.

Mr Albert Chua disappeared and a Mr Siva took his place instead, along with Mr Adrian See as our assessors.

Some comments given by our assessors regarding our presentation
- be more clear regarding project requirements/objectives
- don't use so much technical jargon, use layman's terms instead
- Samantha needs to speak slower
- Good that we weren't reading off the slides and referring to cards instead

Friday, 26 June 2009

uninstall AVG from VistaBiz

Reboot all clients

VistaBiz gets restricted due to health policy set.
Windows Security Health Agent failed to apply remediation.
Anti-Virus not found.

Reinstall AVG

Same alert shown as above.

Restart VistaBiz

Created new domain user

Log into VistaBiz with the new domain user. Check if the same alert is still showing despite installation of anti-virus.

The alert for Windows Security Health Agent still appears, but it is slightly different this time.

Checked online about fixing anti-virus updates. Found out here that setting auto-remediation will not install software for you unless the system health agent (SHA) is specifically designed to do installation, and the Windows SHA does not do auto-remediation for all anti-viruses. In this case, we are using third-party software. In some cases, using a third-party SHA may allow auto-remediation to change settings in the application to initiate download of a newer version, execute some other update, and perhaps even reboot the computer if needed.

Started on creating the PowerPoint for the mid-term presentation.

Thursday, 25 June 2009

Network Access Protection

Reconfigured and renamed the Domain Server to ADS for easier reference.

Set static addresses on ADS

IPv4 IP Address: 192.168.145.141
IPv4 Subnet: 255.255.255.0
IPv4 Default Gateway: 192.168.145.2
IPv4 DNS Server: 192.168.145.2

Tested internet connection. Successful

Ran dcpromo on ADS to configure it as a Domain Controller.
FQDN of forest root domain: nypfypj.com

Forest functional level: Windows Server 2008

Added in a new member server (named: NAP) to be used as a Network Policy Server

Set static addresses on NAP
IPv4 IP Address: 192.168.145.142
IPv4 Subnet: 255.255.255.0
IPv4 Default Gateway: 192.168.145.2
IPv4 DNS Server: 192.168.145.141

Tested internet connection. Successful

Join NAP to nypfypj.com

Set static addresses on VistaBiz

IPv4 IP Address: 192.168.145.143
IPv4 Subnet: 255.255.255.0
IPv4 Default Gateway: 192.168.145.2
IPv4 DNS Server: 192.168.145.141

Tested internet connection. Successful

Join VistaBiz to nypfypj.com

Configured the DHCP Server and Network Policy and Access Services roles on the NAP server. After installing, configured NPS (Network Policy Server) to use DHCP.

Back on ADS Server
Created new Group Policy named NAP Client Settings. Configured NAP Client Settings to enable Network Access Protection Agent and DHCP Quarantine Enforcement Client. Set this group policy to be used on the (Users) group NAP Enforced Computers. Added VistaBiz to the NAP Enforced Computers group so that the Group Policy is applied to that computer.

Rebooted all the clients (2 servers and vista client)

Ran gpupdate /force on VistaBiz to force an update of group policies.
Tested the auto-remediation feature by turning the VistaBiz firewall off. Test successful. The firewall was automatically turned back on and an alert was shown.

Now that we know this works, we can modify it to fit our requirements on having an anti-virus software installed and updated.

Tuesday, 23 June 2009

Continued from yesterday

Group Policy Management
Right click Group Policy Objects -> New -> New GPO
Name: NAP Client Settings

After GPO created, right click NAP Client Settings -> Edit
Expand Computer Configuration, Policies, Windows Settings, Security Settings -> System Services

Double click Network Access Protection Agent, check Define this policy setting, select Automatic option [ok]

Expand Computer Configuration, Windows Settings, Network Access Protection, NAP Client Configuration -> Enforcement Clients
Right click DHCP Quarantine Enforcement Client, click Enable

Click on NAP Client Configuration, right click NAP Client Configuration, click Apply. (Make sure NAP Client Configuration is Enabled)

Group Policy Management, expand Forest, Domains, click on NAP Client Settings GPO
Security Filtering, click Authenticated Users, click Remove
You will see a Group Policy Management dialog box asking if Do you want to remove this delegation privilege? Click OK.

Click Add, enter NAP Enforced Computers (Check names) [ok]

Active Directory Users and Computers -> Users
Double click NAP Enforced Computers -> Members tab -> Add
Tried to add LH-P61NQL342ZDZ to the NAP Enforced Computers group. Failed to add (refer to image).

The computer was found under Domain Computers but still not found via adding.

Went to Domain Computers, selected LH-P61NQL342ZDZ and added it to Member of NAP Enforced Computers instead.


Renamed LH-P61NQL342ZDZ to VistaBiz (for easier reference)

Restarted both server and workstation

ipconfig settings


print route settings

Tested the auto-remediation feature by turning the VistaBiz firewall off.
Test failed. In the ideal situation, the firewall is automatically turned back on. A discrepancy was also found between the example and the actual test, the difference being our settings showing as Public domain instead of Private domain.

Monday, 22 June 2009

Tried to install Norton AntiVirus 10.1.6 (from the R drive) on Vista Business (TESTING\samantha account)
Failed to install: This version of Symantec AntiVirus does not support Windows Vista platforms.
Logged out. Logged back in using the Local\Administrator account
Removed the static IP address to access the internet.
Downloaded AVG Anti-Virus Free Edition 8.5
Stopped updates (so that we are able to test out the health policy later)

Put back IP address for domain logon.

Was reading online about how to deploy health policies properly. Came across this, which made me think of not using a static IP to connect to the server, but getting an IP address from the server instead (which will probably allow me access to the internet instead of the domain only).

Removed the static IP on the workstation.
Successful log in to the domain using a domain user (on the workstation).
Checked that the account was able to go to the internet (so that it is able to receive anti-virus updates).

http://blogs.technet.com/nap/archive/2007/07/28/network-access-protection-deployment-planning.aspx

NOTE: Address leases not appearing on the server when the workstation is logged into the domain

Deleted all references to the existing NAP DHCP under Network Policy Server

Steps from http://www.windowsecurity.com/articles/Using-Group-Policy-Filtering-Part1.html
Configure NAP Server
Network Policy Server -> Configure NAP
Network Connection Method: DHCP
Policy Name: NAP DHCP
RADIUS clients [next]
DHCP scopes [next]
Machine group [next]
Remediation Server Group
New group
Group name: DC
IP add: 192.168.145.100
Friendly name: VM-2008 [ok] [next]
Define NAP Health Policy [next] [finish]

DHCP
Scope Options -> right click Scope Options -> Advanced tab
User class: Default Network Access Protection Class
Check 006 DNS Servers
Add 192.168.145.2 to IP addresses

Check 015 DNS Domain Name
String value: restricted.testing.fyp.com [ok]

Right click on Scope -> Scope Properties -> Network Access Protection tab
Check enable for this scope, use default network access protection profile [ok]

STOP AT http://www.windowsecurity.com/articles/Using-Group-Policy-Filtering-Part4.html
CONFIGURE NAP SETTINGS IN GROUP POLICY


Some things to take note of about using DHCP:
- DHCP enforcement is for IPv4 only currently
- DHCP enforcement requires a NAP-enabled DHCP server
- DHCP enforcement can be overridden by assigning a static IP to the client computer. Because DHCP enforcement is based on entries in the IPv4 routing table, it cannot prevent a malicious user who is a local administrator from manually changing the IPv4 routing table and gaining access to the protected network, thus bypassing NAP policy enforcement.
- not the most secure method

Tuesday, 16 June 2009

Had to recreate Vista Business, because after all the updates, it ran out of machine space. Downloaded and installed updates.

Tried out some NAP stuff to configure health policies following the step-by-step guide found here.

Installed a new server role (DHCP and Network Policy and Access Services) so that we are able to configure System Health Validators to make sure that anti-virus is enabled/updated. Had to do it slightly differently from the step-by-step guide because in my test system we're only using one server and one workstation.

Friday, 12 June 2009

Welcome!

Mr Wagio came to surprise us today. He brought our new supervisor to meet us and to introduce us.

Welcome Mr Kravitz.

Thursday, 11 June 2009

Quick one before logging out for the day. Still have yet to test out RMS.

Check that the server has AD RMS, Internet Information Services (IIS) 7.0, World Wide Web Publishing Service, Message Queuing, Active Directory, and Domain Name System (DNS)

Currently Installed
- AD RMS
- IIS 6.0 (with WWW Publishing Service)
- DNS

Running Windows Update to get IIS 7.0

(These are the things needed that we read from the internet before to set up RMS.)

To do list!

Test connectivity of the workstation
Test logging into the domain with the newly created user account tomorrow
Try out RMS
Check on those nasty warnings on the server.

Tested logging in with the new account created on the server terminal. Successfully managed to log into the domain with the account created through the server.

Tested for internet connectivity. Connected to the network but not connected to the internet.

Installed Microsoft Office 2007 for testing out RMS

PS: running 3 OSes on a computer is very slow :(

Wednesday, 10 June 2009

Rights Management Service Part I

Created a new user/group for Rights Management Service.

Added a new server role, Active Directory Rights Management Service. While doing the installation of Active Directory Rights Management Service, ran into some errors during specifying of the service account. Had an error that said the password could not be validated.

Checked out the user account that was newly created. Tested whether it could log into the machine. Failed to log in. Logged back into the administrator account and joined the new user account to the group that allows login to the server terminal.

Tried to install Active Directory Rights Management Service again. Able to install properly this time.

Checked with Mr Wagio regarding the testing of Rights Management Service; he told us we were supposed to test it out with the Vista OS and Microsoft Office.

Went to Helpdesk to get Microsoft office 2007. Vincent said he'll come down to the lab tomorrow morning to install office for us.

Played with the IP settings on Win Server 08 so that we'll be able to connect to the internet.
Changed IP settings
IPv4: 192.168.145.100
Subnet: 255.255.255.0
Default Gateway: 192.168.145.2
DNS Server: 192.168.145.2

Successful connection to the internet. Loaded www.google.com

Changed IP settings on Windows Vista to enable connectivity to the internet
IPv4: 192.168.145.105
Subnet: 255.255.255.0
Default Gateway: 192.168.145.100
DNS Server: 192.168.145.100

Time to clock out! Will need to test connectivity + logging into the domain with the newly created user account tomorrow + RMS, and check on those nasty warnings on the server.

Active Directory Domain Service

We tried out what Mr Wagio asked us to do today.

The first thing we did was to set up Active Directory Domain Services on the Windows Server 2008 and run the domain service installation wizard to set up a new domain. Had to make sure a static IP was set as the machine was meant for server use, and that the administrator account had a strong password before the installation wizard was run.

IP settings used
IPv4: 192.168.1.100
Subnet Mask: 255.255.255.0

While doing the installation of Active Directory, ran into a bit of a problem regarding a warning about the IP address not being set to static (Windows Server 2008 has both IPv4 and IPv6). We had only set the static IP address for IPv4. Fixed the warning by disabling IPv6.

After successfully managing to install Active Directory, the next thing to do was to join the workstation to the domain created. Had to set the Vista Business machine to have a static IP and to change the computer domain to testing.fyp.com.

IP settings used
IPv4: 192.168.1.105
Subnet Mask: 255.255.255.0
DNS server: 192.168.1.100

Tuesday, 9 June 2009

In the afternoon Mr Wagio talked to us regarding the progress of our project. He also asked us to try out the installation of Active Directory Domain Services and to try out Rights Management System, to be simulated using server + workstation (Vista).

Found out from Mr Wagio what exactly happened to our actual server. The CNC staff shut down the port to the server, hence cutting off the connectivity from our network as well as the staff's network to the server, and now the server is isolated without any connectivity. So now what they're going to do is to create a separate VLAN between our computers and the server so that we'll be able to have access again.

Before we left for the day, I installed a new Vista OS for the testing of RMS to be done.

Friday, 5 June 2009

Network Access Protection

Here are some things that we've read about Network Access Protection

Network Access Protection (NAP) is a new Microsoft technology for controlling network access of a computer host based on the system health of the host. It is also able to control access to network resources based on a client computer's identity and compliance with corporate governance policy.

NAP allows network administrators to define granular levels of network access based on who a client is, the groups to which the client belongs, and the degree to which that client is compliant with corporate governance policy. If a client is not compliant, NAP provides a mechanism to automatically bring the client back into compliance and then dynamically increase its level of network access.

Here is some additional information for your reading
Network Access Protection Policies in Windows Server 2008

Network Access Protection Step by Step guides

Windows Server 2008 and Microsoft virtualization blog

Windows Server Administration

Wednesday, 3 June 2009

Just thoughts.

Are the Win 08 Servers domain servers?
What kind of network storage is to be used for failover?
When will the server be back up? >.<

Monday, 1 June 2009

High-availability clusters

Been reading up on the high-availability clusters feature that we're using in Windows Server 2008.

Failover Clustering is a feature which gives high availability to services and applications.

High-availability clusters (also known as HA Clusters or Failover Clusters) are computer clusters that are implemented primarily for the purpose of providing high availability of services which the cluster provides. They operate by having redundant computers or nodes which are then used to provide service when system components fail. Normally, if a server with a particular application crashes, the application will be unavailable until someone fixes the crashed server. HA clustering remedies this situation by detecting hardware/software faults, and immediately restarting the application on another system without requiring administrative intervention, a process known as Failover. As part of this process, clustering software may configure the node before starting the application on it. For example, appropriate file systems may need to be imported and mounted, network hardware may have to be configured, and some supporting applications may need to be running as well.

HA Clusters are used in:
- critical databases
- file sharing on a network
- business applications
- customer services such as electronic commerce websites

Steps to install failover cluster feature
1. If you recently installed Windows Server 2008, the Initial Configuration Tasks interface is displayed. Under Customize This Server, click Add features. Then skip to step 3.
2. If the Initial Configuration Tasks interface is not displayed and Server Manager is not running, click Start, click Administrative Tools, and then click Server Manager. (If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.)
In Server Manager, under Features Summary, click Add Features.
3. In the Add Features Wizard, click Failover Clustering, and then click Install.
4. Follow the instructions in the wizard to complete the installation of the feature. When the wizard finishes, close it.
5. Repeat the process for the second server.

Some additional information about failover clusters:
Requirements for failover clusters:
http://technet.microsoft.com/en-us/library/cc771404.aspx

Hyper-V Step-by-Step Guide: Hyper-V and Failover Clustering:
http://technet.microsoft.com/en-us/library/cc732181.aspx

Tuesday, 26 May 2009

Met Mr Wagio today. Found out what we were supposed to work on for our final year project.

Brief explanation of our project: this project was started by the previous batch of FYP students, whose documentation can be seen at http://enterprisenetworksetupwagio.blogspot.com. They've already completed one segment of the network; we'll be continuing the project and adding on to the network.

The part which we are working on uses Windows Server 2008.

The features of Windows Server 2008 that we're supposed to configure and use are:
High availability
- create a Windows failover cluster
- inside the failover cluster, create a pair of highly available file servers
- test the failover

Network Access Protection
- Install the NAP member server
- Activate the health validator to ensure the connecting client complies with having the anti-virus application on and the virus definition file up to date
- If the anti-virus is not up to date, the client will be redirected to the remediation server to update the anti-virus.

Rights Management System
- Install the RMS server
- Configure the RMS client
- Install Microsoft Office with the RMS add-ins
- Compose a document, limit certain users to viewing the document

Outcome
Multiple Windows 2008 servers can fail over to each other, providing the service on Network Access Protection and Rights Management

Monday, 25 May 2009

First day of FYP

We have just created our new blogspot where we will update whatever new things we discover.
Now we will continue reading from the previous students' work documentation at
http://enterprisenetworksetupwagio.blogspot.com

Write something about Win2008

Please blog what you have found during the reading up on Win2008 as well as trying out the Win2008 server.