
Cloud Network Capstone

Gordon Pont

13 April 2017

1.1 Executive Summary
2.0 Project Plan
3.0 Network Diagram
4.0 Overview of Software Used
5.0 Milestones Overview
6.0 Conclusion
1.0 Executive Summary

This project consists of creating an Infrastructure-as-a-service Platform where we will be able to host network resources for businesses. This is a service that will particularly benefit small companies that are unable to justify paying thousands of dollars to configure their own datacenter. Whether it be one server to host a web site or hosting all network services for the client, we will have the flexibility to work with any company.

Our platform is based upon vCenter, a virtualization software provided by EMC. Using vCenter, we will be able to use several machines in a cluster, allowing us to more efficiently utilize the hardware resources we have. Initially, we will start with a cluster of three machines for our first client. However, as time goes on, we will need to add more machines to accommodate an increase in clients.

This project will use the following software:

VMware
vCenter
vSphere
Windows Server 2012 R2
Windows Server 2016
CentOS 7

2.0 Project Plan

Our first client is a small company of around 250 employees. They have asked us to host the following services at a minimum:

1 Web Server
1 File/Print Server
2 Domain Controllers (1 for Redundancy)
Secure environment using Group Policy Objects and Active Directory
Backup Services

To accomplish this, we will need the following resources:

4 PCs with 12 GB of memory each
1 Network Switch
2 Monitors
4 display cables
5 power cables
5 Ethernet Cables
2 keyboard/mouse sets
Windows Server 2012 R2
Windows Server 2016
CentOS 7
VMware/ESXi/vSphere

Project Schedule

Milestone | Completion Date
1 - Set up Physical Machines and Install ESXi/vSphere/vCenter | January 26, 2017
2 - Create Virtual Machine on Personal computer and successfully migrate to cluster | February 2, 2017
3 - Install Operating Systems and roles and features that will be needed | February 9, 2017
4 - Configure Group Policy and run security tests | February 23, 2017
5 - Automate User creation and expand to 250 employees | March 2, 2017
6 - Install web server/print server/file server | March 23, 2017
7 - Work on Stretch goals | April 6, 2017


By accomplishing these milestones, we will have a functional business network set up. Each department will have their own secure folders to store project files in, the systems will be secure through group policy and there will be a web server that will host a website for the company.


3.0 Network Diagram

4.0 Overview of Software Used

ESXi

ESXi is hypervisor software that is installed on a machine in place of the Operating System. It is a platform that allows you to utilize the resources on a machine more effectively by hosting multiple virtual machines on a single host.

vCenter

If you have more than a couple of ESXi hosts, it can be hard to manage each host one by one. vCenter takes ESXi to the next level: with vCenter, you can cluster several machines together and allow them to share resources such as storage and memory. Using vCenter, you have the ability to manage all of your ESXi hosts from one place.

vSphere

vSphere is an application you install on your machine that allows you to manage ESXi hosts or a vCenter Cluster. Without vSphere, your ESXi hosts are going to be useless. The great thing about vSphere is that you can access it from anywhere within the network. You don't have to be in the server room to manage the cluster.

Windows Operating Systems

Windows is the core of this business network. Using Windows Server 2012 R2 and Windows Server 2016, I will be building a network that provides services such as a print server, file server and security through Group Policy. Client computers are Windows 7 and are attached to the domain.

CENTOS 7

CentOS 7 is a very popular Linux variant that is commonly used for enterprise-level servers. In our case, we will be using CentOS to set up a LAMP Web Server.

5.0 Milestone Overview

Milestone 1: Set up Physical Machines and Install ESXi/vSphere/vCenter

The first step in the project was to set up the physical machines and connect them together with a switch. I had to reset the network switch to defaults to overwrite any VLANs that existed previously. Once everything was set up, I installed Windows Server 2012 R2 on one machine and ESXi on the other three physical machines.

Without vCenter installed, you are unable to cluster the machines together. I needed to use vSphere to access each machine individually and manage them until I was able to get vCenter installed and configured.

[ESXi Image]

I created the domain, Capstone.com to serve as my base domain for vCenter. Once I had set up the domain on the physical Windows Server 2012 machine, I used vSphere to create another Windows Server 2012 machine to host vCenter. The biggest problem I ran into while installing vCenter was setting up the virtual machine with the correct hardware to meet the requirements for vCenter. The minimum requirement was at least 8 GB dedicated for the server hosting vCenter. I decided to upgrade each host to 12 GB of physical memory. In doing so, I was able to assign enough memory to the vCenter host to accommodate the requirements to install.

[vCenter Image]

Once I had vCenter configured, all I had to do was add the 3 ESXi hosts by IP address into vCenter.

Milestone 2: Create Virtual Machine on Personal computer and successfully migrate to cluster

I wanted to be able to learn how to migrate a machine created using VMware Workstation onto a vCenter cluster. I created and configured my LAMP server at home using VMware. When the server was built and ready to be added to the domain, I brought my laptop to the school and used the Upload feature of VMware to upload the machine to one of my ESXi hosts. However, I ran into a problem here. I have VMware Workstation version 12 installed on my laptop. The version of ESXi and vCenter I was using is only compatible with machines created in VMware Workstation 11 or lower. To resolve this, I changed the hardware compatibility using VMware to Workstation 11. Once this was completed, all I had to do was follow the upload steps and fill out the correct information and my virtual machine was uploaded to an ESXi host.

Milestone 3: Install Operating Systems and roles and features that will be needed

Blue Nebula Studios has requested that we configure a network that will allow them to be able to have a secure environment, authenticate and print centrally and host a web page. I installed the following features in Windows Server 2012 R2 and Windows Server 2016:

Active Directory Domain Services (for BNS.com domain)
  o Active Directory Domain Services is the Role that allows you to create domain controllers and domains. Once I installed AD DS, I created the BNS.com domain for the client. I also created user accounts and Organizational Units (Similar to folders in the File Explorer).

Active Directory Rights Management Services (File Security)
  o AD RMS is a role that allows you to set templates and secure documents using templates which allow you to restrict access to certain computers and users in the domain. I was only able to get this 75% functional as it requires email addresses instead of usernames when granting access to people. I need to set up an Exchange Server in order to have full functionality of this role.

File and Storage Services (NFS Shares)
  o Using this feature, I was able to set up NFS shares for each team member. These shares have permissions which restrict access to only those who need it. The shares are backed up using Volume Shadow Copies and Weekly backup.

Group Policy (For Account and PC security)
  o Group policy allows you to restrict the capabilities of users and computers. Group policy will be configured in a later milestone.

Print and Document Services (Print Server)
  o The print server allows administrators to centrally manage all printers and print jobs on the network.

Windows Server Backup
  o Windows server backup is the service that allows an administrator to create backups of the drives connected to the machine, System State and System Reserved. You can also configure Volume Shadow Copies using Windows Server backup.

DHCP & DNS
  o DNS is required for a fully functional domain. DNS is the service that allows hosts to resolve computer hostnames into IP addresses and vice versa. Without DNS, the computers would not be able to talk to each other, thus rendering the whole network useless. For extra security, I implemented DNSSEC or Domain Name System Security Extensions. DNSSEC signs your DNS records and helps protect against attacks such as DNS spoofing.

Milestone 4: Configure Group Policy and Run Security Tests

Getting security tests to pass was one of the more difficult things to accomplish. I was able to get everything to pass except for the installation of one Important Windows Update. I am confident that it was because not all of my Windows Server 2012 R2 Operating Systems were activated.

Group Policy is one of the fundamental ways to secure an environment. Through Group Policy, you are able to limit the number of attempts a user has before their account is locked and they need to contact an administrator. You can also set auditing policies to keep track of changes that are made on your systems. Below are the policies I decided to use in securing my network.

Password requirement
  o Passwords remembered - 24
  o Maximum Password Age - 90
  o Minimum Password Age - 1
  o Minimum password length - 8
  o Password must meet complexity requirements (This means you must have an upper-case letter, a lower-case letter and a number in your password)

Account Lockout Policy
  o Account lockout Duration - 30 Minutes
  o Account Lockout Threshold - 5 invalid Attempts
  o Reset account lockout after 30 minutes

Audit Policies
  o Audit Account Logon events - Success & Failure
  o Audit Privilege use - Success & Failure
  o Audit Policy Change - Success & Failure
  o Audit System Events (Power down/restart etc.)

Security Settings
  o Guest account - Disabled
  o Do not display last username - Enabled
  o Interactive Logon: Message title for users attempting to log in: Blue Nebula Studios
  o Interactive Logon: Prompt user to change password before expiring: 3 Days
  o Interactive Logon: Require domain controller authentication to unlock workstation: Enabled
  o Network Access: Allow anonymous SID/Name Translation: Disabled
  o Network Access: Let Everyone permissions apply to anonymous users: Disabled
  o User Account Control: Detect application installations and prompt for elevation: Enabled
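
One way to verify that the settings listed above are actually in effect is to compare a `secedit /export /cfg` security-template export against them. This is an added example, not part of the original report: the key names are the ones secedit security templates use for these settings, the sample export is constructed, and `BASELINE`, `SAMPLE_EXPORT` and `audit` are names chosen for this sketch.

```python
import configparser

# Baseline from the policy list above. Key names are the ones a
# `secedit /export /cfg` template uses; audit value 3 = Success + Failure.
BASELINE = {
    "System Access": {
        "PasswordHistorySize": 24, "MaximumPasswordAge": 90, "MinimumPasswordAge": 1,
        "MinimumPasswordLength": 8, "PasswordComplexity": 1, "LockoutBadCount": 5,
        "LockoutDuration": 30, "ResetLockoutCount": 30,
        "EnableGuestAccount": 0, "LSAAnonymousNameLookup": 0,
    },
    "Event Audit": {"AuditAccountLogon": 3, "AuditPrivilegeUse": 3, "AuditPolicyChange": 3},
}

# Constructed sample export (not from the project) with drift from the baseline.
SAMPLE_EXPORT = """\
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
EnableGuestAccount = 0
LSAAnonymousNameLookup = 0
[Event Audit]
AuditAccountLogon = 3
AuditPrivilegeUse = 1
"""

def audit(export_text):
    """Return sorted (section, key, expected, found) tuples for each deviation."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.optionxform = str  # keep the template's key casing
    cfg.read_string(export_text)
    findings = []
    for section, expected in BASELINE.items():
        for key, want in expected.items():
            raw = cfg.get(section, key, fallback=None)
            have = int(raw) if raw is not None and raw.strip().isdigit() else None
            if have != want:  # a missing or non-numeric setting counts as a finding
                findings.append((section, key, want, have))
    return sorted(findings)

if __name__ == "__main__":
    for section, key, want, have in audit(SAMPLE_EXPORT):
        print(f"[{section}] {key}: expected {want}, found {have}")
```

Exports written by secedit are typically UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing its text to `audit`.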

There are many other things you can do with group policy; for example, you can force a default home page for every user. I was very excited to delve deeper into how Group Policy can be implemented. A great thing I was able to set up was login scripts to map a particular network drive when they log in. This is a very widely used feature that you can easily implement with Group Policy. The biggest issue I came across while implementing Group Policy was finding all of the settings I wanted to implement. Group Policy is tough to navigate if you aren't sure what you are looking for. I spent the time to go through each option and remember where they are located and what each item does. It was a great learning experience.

Milestone 5: Automate User creation and Expand to 250 Employees

Milestone 6: Install Web Server/Print Server/File Server

The main purpose of this milestone is to provide more availability for our client. Each of these services will allow users to have access to the resources they need to effectively accomplish their goals.

I have created an NFS file share for each department to store their project files. I have also created file shares for server backups and IT admin files.

I was able to set up the print server itself and have been able to get it to work with the PDF printer pre-installed with Windows. However, I have not been able to get it to recognize a printer that is attached to the network switch. The problem I kept running into is that I was unable to find the network printer even though it was connected to the switch. I am unsure if this is due to my environment being completely virtualized or whether it is because the printer itself was having hardware problems. The printer I was using did not have a way to look up the IP address on the printer itself, so I was unable to try and map it that way.

Making the web server was probably one of my favorite parts of this project. I used CentOS 7 to set up my web server. Generally, web servers using Linux Operating Systems have 4 main components: Linux, Apache, MySQL and PHP, or LAMP. Once you have installed these components, you can use open source software such as Joomla to create and design your web page. However, I used the website of the business I based this project off.

6.0 Conclusion
