
LAB RATS INC.

PROJECT PLAN

Project Final

Date: 8-22-2020

This Report was prepared by:

Tyler Higgins

tylhiggi@uat.edu

Executive Summary

Introduction to the report


This report will cover a complete network deployment.

Project Report
In this report I will detail how to deploy an entire network, from creating a domain controller to setting up a file server.

References for the report


Any references used for this report will be included at the end of this report.

Introduction
This report will cover all the steps needed to plan and deploy an enterprise network, from setting up an Active Directory server to getting file shares created and deployed from a standalone file server.

Project Report

Proposed Timeline for Implementation

Deploying the complete system described below will take ~2 full work weeks. The Jr. System administrator will require an hourly rate of $64 and the Sr. System administrator will require an hourly rate of $94. Combined, for 2 full work weeks to get this project deployed and fully tested, the labor cost we are looking at is ~$12,640.

Selecting Files and Folders for Backup


The first task that needs to be done with any backup solution is choosing which files and folders to back up. On a system with many different storage locations, or with information stored in multiple locations, this process can be time consuming, but if you don’t select the right sources you will be missing data when you need to recover your system from a major failure. For my Linux system, the selection process is simple. I will be backing up my user directory and my apt folder under /etc. This will not only allow me to recover any of my personal data, but it will also allow me to restore my apt source list so I can quickly restore my applications.

Figure 1. Folder Selection. Screen Shot from My Desktop, 2020.

Selecting a Safe Storage Location


Now that we have selected the files and folders that we want to back up, we need to pick a safe storage location for the .tar file that will be created. If we store the newly created .tar file on our local system it won’t really do any good if/when the system crashes, as the backup will also be lost.

Storage Selection
In my situation I will be storing my .tar backup file on my local NAS server. This server is running FreeNAS and has a RAID drive that I will be using to store the backup. Another option for those that don’t have a NAS server would be a USB external hard drive. This drive should never be connected to the system it backs up, unless the backup is being worked with. This will prevent the backup from becoming corrupted or infected with ransomware. The external drive should be stored in a safe location.

Figure 2. Storage Location Selection. Screen Shot from My Desktop, 2020.

Creating the Backup File


Now that the files, folders, and storage location have been selected, it is time to start the backup process. Depending on how much data you are trying to back up and the storage media you are using, this part could take a while.

Figure 3. Backup Process Started. Screen Shot from My Desktop, 2020.

Restoring From a Backup


Once the backup is complete we need to test that it worked by deleting a file located in the folder that was backed up and then restoring it from our backup. This will verify that the backup worked and that files can be restored in the event of a major loss of data.

Figure 4. Backup Process Completed. Screen Shot from My Desktop, 2020.

Figure 5. Backup tar file open/Local Folder. Screen Shot from My Desktop, 2020.

Figure 6. Extracting a file from backup to local folder. Screen Shot from My Desktop, 2020.

Figure 3. File Restored from Backup. Screen Shot from My Desktop, 2020.

Creating Virtual Machines

How the OS will meet our needs


The primary operating system that will be used to control our organization will be Windows Server 2016. This server operating system will allow us to create an Active Directory environment to control user accounts and to allow access to files and folders through security groups. By setting access to files and folders using security groups we can easily manage access to any resource in our network. The next features of this server operating system that will be used are DNS and DHCP. With DNS we can more easily manage our network resources by assigning names to devices instead of always having to remember the device’s IP address. The DHCP service will allow central management of our network by assigning IP addresses to all the devices in our network. The DHCP service will also automatically check in with each device at a set interval to see if it still needs the assigned IP address; if the device does not need the IP address the server will free that address up so it can be used again by a different device. This operating system will also allow us to set up a file server to handle the storage and will allow us to place the security groups created in Active Directory onto folders and files to make sure only those who need access will have access.

The last two services needed in our organization are web and software update services. Both of these services can be handled by the Windows Server 2016 operating system in the form of an IIS web server and the Windows Server Update Services.

The Windows Server 2016 operating system will also provide support for future growth: as this company grows, so can our environment.

Future Growth
Windows Server 2016 can support an unlimited number of cores and processors; however, a separate license may be required after two physical processors. The Windows Server 2016 OS can support a maximum of 24 TB of RAM and can host large amounts of storage. The server operating system also supports the use of network teaming to combine two or more NICs into one active connection when throughput is bottlenecked.

Cost benefit analysis


To start with, a single copy of the Windows Server 2016 Standard operating system that supports up to 16 cores costs around $680 at Newegg.com. This will provide a good starting point. It allows a growing company to get set up, and as the company grows more servers can be added. The benefit of using this operating system over an operating system like Linux is the support packages Microsoft provides. Also, when it comes to setting up an Active Directory environment, Windows Server makes it very easy to get set up right out of the box; there is very little configuration required to get an enterprise network set up and functioning. The setup process can normally be done in an afternoon at a new company.

Step 1
The first step will be the same for both of our virtual machines. The first thing we need to do is select the type of VM we will be creating. For this assignment and for most situations a typical VM configuration will be what we want. A typical configuration is the default, so we will click on “Next” to move on.

Figure 1. Virtual Machine Type Selection. Screen Shot from My desktop, 2020

Step 2

Once we have moved on from type selection we will need to select an ISO image to install the VM from. To do this select “Browse” under the “Use ISO image” option to navigate to the correct ISO image. For this assignment I will be using the Windows 10 Consumer Edition with a version of 2004, and the Windows Server 2016 Feb 2018 updated version.

Figure 2. Windows 10 ISO Selection. Screen Shot from My desktop, 2020

Figure 2a. Windows Server 2016 ISO Selection. Screen Shot from My desktop, 2020

Step 3

Once the correct image for the VM that is being created has been selected, click “Next” to move on.

Figure 3. Windows 10. Screen Shot from My desktop, 2020

Figure 3a. Windows Server 2016. Screen Shot from My desktop, 2020

Step 4

After the correct image for each virtual machine has been selected we need to provide a product key for activation later and the primary user account that will be used. For security the product key has been blurred out in both images.

Figure 4 Windows 10 Product key and account creation. Screen Shot from My desktop, 2020

Figure 4a. Windows Server 2016 Product key and account creation. Screen Shot from My desktop, 2020

Step 5

Now we need to set a name and storage location for both of the VMs. When selecting the storage location we need to keep in mind how much storage is needed for each VM and how much space the storage location has. VMware will default to your local user folder; if a different storage location is needed click “Browse” to the right of the “Location” label.

Figure 5. Windows 10 Storage Location. Screen Shot from My desktop, 2020

Figure 5a. Windows Server 2016 Storage Location. Screen Shot from My desktop, 2020

Step 6

Next a maximum disk size needs to be set; luckily VMware Workstation Pro will set the size to a recommended value. If this size is not going to be enough it can be increased. For this assignment I will leave the default value for both VMs. I will also leave it at split virtual disks.

Figure 6. Windows 10 Disk Creation. Screen Shot from My desktop, 2020

Figure 6a. Windows Server 2016 Disk Creation. Screen Shot from My desktop, 2020

Step 7

We are almost done creating the VMs. The last step before installation is setting the hardware up for the systems. For both systems I have selected 4 GB RAM and 4 processor cores. After activation and updating the guest systems both VMs will be set to a Host-Only network, which is shown in Figure 7. In Figure 7a a NAT network is set for updates and activation.

Figure 7. Windows 10 Hardware. Screen Shot from My desktop, 2020

Figure 7a. Windows Server 2016 Hardware. Screen Shot from My desktop, 2020

Step 8

Now we have started the install process. Since we are using VMware Workstation Pro 15 this process is fully automated. If a different hypervisor is used this is where you would enter the product key and set up the hard disk.

Figure 8. Windows 10 Installation Starting. Screen Shot from My desktop, 2020

Figure 8a. Windows Server 2016 Installation Starting. Screen Shot from My desktop, 2020

Steps 9-10

Now the VMs are booted up and ready to be updated. To do this we will click on the four-square flag in the lower left corner of the Start menu and click on the gear icon, then click on Update and Security. Once in that menu click on Check for updates and reboot as needed until Windows tells you the system is up to date.

Figure 9. Windows 10 Update Check. Screen Shot from My desktop, 2020

Figure 9a. Windows Server 2016 Update Check. Screen Shot from My desktop, 2020

Figure 10. Windows 10 Up to Date. Screen Shot from My desktop, 2020

Figure 10a. Windows Server 2016 Up to Date. Screen Shot from My desktop, 2020

Step 11

The last step in this process is to change the name of both the Windows 10 and Windows Server VMs. To do this, from the update page click on Home above the search bar on the left-hand menu. Go to “Settings” then scroll down to the bottom and click on “About”. Inside the “About” page there is a button labeled “Rename this PC” or “Rename PC”; click on that button and provide a new name. Then let the system reboot to complete.

Figure 11 Windows 10 Renaming. Screen Shot from My desktop, 2020

Figure 11a. Windows Server 2016 Renaming. Screen Shot from My desktop, 2020

Creating an Active Directory Environment
Set a Static IP Address
The first step that we need to take care of is setting a static IP address for the server. Since this will be the head of our network, providing account information, DNS information, and DHCP addresses, it needs to always be reachable at the same address. This process can be done from PowerShell, but for this example I used the Server Manager. To set a static IP address from the Server Manager click on Local Server on the left-hand menu; then locate Ethernet and click on the blue link that shows “IPv4 address assigned by DHCP”. This will bring up a new dialog box; right click on your main adapter to bring up a menu and click “Properties”. In the new dialog box double click on “Internet Protocol Version 4 (TCP/IPv4)”. Now click on the “Use the following IP address:” radio button and enter an address, netmask, and gateway, and in the lower section for DNS servers enter “127.0.0.1” in the top box and any public DNS server in the second box. Once all these addresses have been entered click “OK” twice and close the “Network Connections” window.

Refresh the Server Manager window and you should see your static IP address now. Now that a static address has been entered, let’s move into PowerShell and install our services.
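
The same static address can be set from PowerShell, as the paragraph above mentions. This is an added example, not part of the original report: the adapter alias and the second DNS address are assumptions, and the server address, mask and gateway are the ones the report uses in its later DNS and DHCP commands.

```powershell
# Added example: run in an elevated PowerShell session on the server.
$alias   = 'Ethernet0'         # assumed adapter name; list yours with Get-NetAdapter
$address = '172.16.125.1'      # server address used by the later DNS/DHCP commands
$prefix  = 24                  # same as netmask 255.255.255.0
$gateway = '172.16.125.254'    # router value from the later DHCP scope options
$dns     = '127.0.0.1', '192.0.2.53'   # second entry is a placeholder: use your public resolver

# Stop the adapter from requesting an address over DHCP.
Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Dhcp Disabled

# Clear any IPv4 address and default route left over from DHCP so the new
# values do not collide with them.
Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# Assign the static address and gateway, then the DNS servers
# (loopback first, as in the Server Manager steps above).
New-NetIPAddress -InterfaceAlias $alias -IPAddress $address `
    -PrefixLength $prefix -DefaultGateway $gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses $dns

# Read the configuration back to confirm what the server will answer on.
Get-NetIPConfiguration -InterfaceAlias $alias
```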

Installing Active Directory, DNS, DHCP Services
Let’s open PowerShell and start installing our services. To open PowerShell click on the Windows Start menu or press the “Windows” key on your keyboard. In the search box type PowerShell. After Windows has found PowerShell, right click on the application and click “Run as administrator”. Once PowerShell is open you can check the available packages by using the “Get-WindowsFeature” command.

To install Active Directory we will use the command “Install-WindowsFeature”. We need to provide the name of the service we want to install and we will also want to install the management tools. The completed command looks like this: “Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools”. This command will fully install the domain controller.

Now we can check what options we have and create our new domain forest. To check what commands we have, run “Get-Command -Module ADDSDeployment”. To create our new forest we need to run “Install-ADDSForest -DomainName "UATNTW216.local"”. When it is complete you will be signed out and the system will reboot to finish creating the new forest. Once the system comes back online reopen PowerShell and run “Get-ADDomain” to verify the new forest name.

During the domain installation the DNS server should have been installed. You can check that by running “Get-WindowsFeature | where {($_.name -like "DNS")}”. If you see an “X” by DNS Server you can move to the next step. If not, use the Install command that was used to install AD to install the DNS server.

Setting up DNS
Now we need to set up our DNS zone. Setting up our DNS zone is easy with the following command. Use “Add-DNSServerPrimaryZone -NetworkID "IP Address" -ZoneFile "File Name"”. For my setup I am using “Add-DNSServerPrimaryZone -NetworkID 172.16.125.0/24 -ZoneFile "127.16.125.1.in-addr.arpa.dns"”.

Now we can check to see if our DNS configuration worked. Run “Test-DNSServer -IPAddress "IP Address" -ZoneName "Name"”. I will use “Test-DNSServer -IPAddress 172.16.125.1 -ZoneName "UATNTW216.local"”.

Setting up DHCP
Now we need to set up our DHCP server. To do this we will use the same install command we used to install Active Directory: “Install-WindowsFeature DHCP -IncludeManagementTools”. This will install the DHCP server. Once the server has been installed we will need to restart the service using “Restart-Service dhcpserver”.

Once the server has restarted we need to create our scope. This is what will assign IP addresses to client computers. To create the new scope we will use “Add-DHCPServerv4Scope -Name "Scope Name" -StartRange "Starting IP Address" -EndRange "Ending IP Address" -SubnetMask "Netmask" -State Active”. For my install I used “Add-DHCPServerv4Scope -Name "LAB" -StartRange 172.16.125.50 -EndRange 172.16.125.150 -SubnetMask 255.255.255.0 -State Active”. Once the scope has been created we can change the lease duration. To change the duration to one day use “Set-DhcpServerv4Scope -ScopeID "Network ID" -LeaseDuration 1.00:00:00”. I used “Set-DhcpServerv4Scope -ScopeID 172.16.125.0 -LeaseDuration 1.00:00:00”. Now we can set our scope options.

To do that use “Set-DhcpServerv4OptionValue -ScopeID 172.16.125.0 -DnsDomain UATNTW216.local -DnsServer 172.16.125.1 -Router 172.16.125.254”. Next we need to add the DHCP server to our domain. Adding a DHCP server to your domain is easy with the “Add-DhcpServerInDC” command. It looks like this: “Add-DhcpServerInDC -DnsName UATNTW216.local -IPAddress 172.16.125.1”.

Lastly we can check our DHCP scope using “Get-DhcpServerv4Scope”.

Setting up IIS Web Server
Now that our domain is fully set up we can install the IIS web server. Once again we will use the “Install-WindowsFeature” command. This looks like “Install-WindowsFeature -Name Web-Server -IncludeManagementTools”. That is all it takes to get a base install done for the IIS web server.

Client Verification
Now that everything is installed we can verify it is working using a Windows 10 client. If the DHCP server and domain have been set up correctly you will get an IP address from the server. To check, click on the Windows logo or use the “Windows” key on the keyboard, click on the gear icon to go to Settings, then go to Network and click on Ethernet. You should see your IP address information.

Securing The System with GPO’s
Group policies can be used for a lot of things; there are a lot of features included in GPOs. We will go over a few of the features that can help secure a network. Let’s start off with setting up a password policy to make sure the passwords used in the company are secure and change at a regular interval. In this step we will set a minimum length of 12 characters, require a password change at least every 60 days and require the password to be at least 1 day old. We will also set a history for passwords; we will set the history to 10, which means the previous 10 passwords cannot be used. Lastly we will set the complexity rule to enabled. This means a password cannot just be numbers and letters, it must also include symbols. Let’s get started setting up our password GPO.

Creating a Password GPO


First we need to open the GP editor. To do this click on Tools in Server Manager, and click Group Policy Management. Once the Group Policy Manager opens, expand “Forest/Domains/UATNTW216.local”. At the top you will see a policy labeled “Default Domain Policy”; right click on that policy. This will bring up a menu; click on “Edit”.

Once we are inside the Default Domain Policy we will want to expand “Computer Configuration/Policies/Windows Settings/Security Settings/Account Policies”. This will take us to all the password settings.

To get started we will click on “Password Policy”. Here is where we will set all of our password policies. We want to set a password history and a minimum and maximum age; we also want to set the minimum length and complexity requirements.
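
After the policy has been saved, the domain's effective password policy can be read back and compared with the values chosen above to confirm that the GPO edit took effect. This is an added example, not part of the original report; the function name Compare-PasswordPolicy is hypothetical, and the script assumes it runs on the domain controller with the ActiveDirectory module available.

```powershell
# Added example: audit the effective domain password policy against the
# values stated in this report. Read-only; it changes nothing.
Import-Module ActiveDirectory

# Values from the report's password policy section.
$expected = [ordered]@{
    MinPasswordLength    = 12
    MaxPasswordAge       = [TimeSpan]::FromDays(60)
    MinPasswordAge       = [TimeSpan]::FromDays(1)
    PasswordHistoryCount = 10
    ComplexityEnabled    = $true
}

# Hypothetical helper: returns one object per setting that differs from
# the expected value, or nothing when the policy matches.
function Compare-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Actual,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )
    foreach ($name in $Expected.Keys) {
        $have = $Actual.$name
        $want = $Expected[$name]
        if ($have -ne $want) {
            [pscustomobject]@{ Setting = $name; Expected = $want; Actual = $have }
        }
    }
}

# Read the policy the domain is actually enforcing.
$policy = Get-ADDefaultDomainPasswordPolicy -Identity 'UATNTW216.local'
$drift  = Compare-PasswordPolicy -Actual $policy -Expected $expected

if ($drift) {
    # A row here means the GPO value was not saved or has not applied yet.
    $drift | Format-Table -AutoSize
} else {
    'Password policy matches the values in the report.'
}
```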

Setting a Custom Desktop Image.
Next we want to set a custom desktop image for our accounting department. To do this we will create a new group policy under our “LabRats/Groups” OU. To make things simple we will name the new GPO “Accounting Desktop”. Once the new GPO has been created we will need to make a few changes. We need to remove Authenticated Users from the Security Filtering section and replace it with the Accounting group. We will then need to place Authenticated Users in the Delegation section. Once that is done we will go in and edit the policy. Once inside the policy we will want to expand “User Configuration/Policies/Admin Templates/Desktop” then click on Desktop. After clicking on Desktop there will be an option called Desktop Wallpaper; click on that, set it to enabled, and provide a path to the wallpaper you want to set. You now have a custom wallpaper.

Setting Software Restrictions
Sometimes it can be helpful to restrict the type of software that is used in our network. This can prevent unauthorized software from running and being installed on a system. It can prevent viruses and malware from running, and it will also make sure everyone is using the same software. To create and set a software restriction policy we will need to open our Default Domain Policy. Once that is open we will navigate to “User Configuration/Policies/Windows Settings/Security Settings/Software Restriction Policies”. By default there is no policy created so we will need to right click and create a new policy.

Next we want to move into the “Enforcement” option and verify it is set to all software files except libraries, and that it is set for all users. Now that we have that set, let’s move into the designated file types. This is where you tell the policy what types of file extensions we want to track. Let’s remove LNK, and add PS1, JSE, VBS, SCT, VBE, and WSF.

Once that has been saved, we will move into Security Levels; here we will set the default level. We will want to set the default level to Disallowed, as this will mean there will have to be a specific listing for any application that we want to allow on our systems.

Now move into the Additional Rules section. Here is where all our application rules will exist. Start by right-clicking and click on “New Path Rule”. Use the full install path to the application you want to use. The Security Level to use depends on the type of application. For the browsers use Unrestricted. Now simply update group policies, and if there is more than one browser on the system only Chrome will work.

Creating a Software Deployment Policy
We will once again use our Default Domain Policy for our software deployment policy. Once inside our Default Domain Policy we will want to open “Computer Configuration/Policies/Software Settings”. We will then want to right-click and select “New/Package…”. The new screen that opens will ask you where your software packages are located. We will use a share located on DC1 named Software$. This is a hidden share. In the navigation bar type “\\DC1\Software$”; you should see all your MSI packages in the folder. Click on the package you want to deploy and click Open. Next leave the default as Assigned and click OK. Your package is now created. Once the policy is updated on the client systems and the systems are restarted the new package will be installed.

Setting up Remote Access
Now we are going to set up Remote Access. This should be done on a separate stand-alone server, but for this lab I will set it up on my DC1 server. To get started, open the Add Roles and Features Wizard from the Manage tab inside Server Manager. Click the box next to Remote Access. Next in the features section check the box for RAS Connection Manager Admin Kit. Lastly in the Role Services section check the boxes for DirectAccess and VPN (RAS) and Routing.

Now click on the flag and click the blue link. This will finish the RRAS install and create the server. Once the Routing and Remote Access window opens up, right-click on your server name and click “Configure and Enable Routing and Remote Access”. We will be using Remote access (dial-up or VPN). We will want to select VPN and then select our interface. We now want to tell our RRAS server how we want to provide an IP address to our clients. I will use the “From a specified range of addresses” option. On the next screen I will provide an IP range of 10.10.10.50 – 10.10.10.150. This will give me 101 addresses and it will never cross any network in use. Once you have clicked through the remaining windows your server will be set up.

Setting Up a File Server

Installing the File Server Role


To install the file server role we will navigate to Manage, then Add Roles and Features. We just need a basic file server so we will select the File Server sub-role and the File Server Resource Manager sub-role on our Member1 server. For this project I have added two separate hard drives, one for folder redirection and one for all the corporate shares.

Setting up Folder Redirection
Once the roles are installed we need to lay the groundwork for folder redirection. To get started we need to create a new group on our domain controller. To do this we will open Active Directory Users and Computers. I have created a LABRats OU to help organize our environment. Inside the LABRats OU I have also created an OU for Computers, Groups, and Users. Inside the Groups OU we will right click in the large white space and click “New/Group”. For the group name we will use Redirect.

Once the new group is created we will create a new folder on the User drive called User_Redirection. This is where we will store all the users’ documents and any other folders we may want to redirect to our server later on. We will right click on the white space of the User drive and click “New/Folder” then label the new folder.

Now that the new folder has been created we can open the “File and Storage Services/Share” section on the left of the Server Manager. This is where we will create all of our new shares. To create the folder redirection share click “Tasks/New Share” to the right of Share. We will use an Advanced SMB Share since we want to use quotas. On the next screen click the “Use custom location” radio button and find the User_Redirection folder under the User drive. Next name the share; it is best to use a hidden share so I will use Users$.

On the share settings page we will use access-based enumeration and we will also encrypt the access to the data. For our permissions we will want to disable inheritance and remove the Users groups. We will also remove our account and add the Redirect group. Once that is done we will select User Files on the properties page and set a quota of 100 MB on the Quota page.
Creating a GPO to Redirect
Now that the share has been created we need to create a GPO to enforce the redirect. To get started open Group Policy Management from the Server Manager. Expand the Forest, then Domains, and finally our domain. Right click on the domain name and click “Create a GPO in this domain and Link it here…”. Next give the new GPO a name; I am using “Folder Redirection Settings”. Our first step once the GPO has been created is to set up a few items on the GPO itself. Under “Security Filtering” remove “Authenticated Users”. Then click “Add” and add the new Redirection group we created earlier. Now we will move Authenticated Users to the Delegation tab. Click “Delegation” and “Add” the group.

Now right click the group name and click “Edit” to move into the GPO. Expand “User Configuration/Policies/Windows Settings/Folder Redirection”. For this lab we just want to redirect the Documents folder of our users, so right click on Documents and click on Properties. Inside the properties window leave the Setting at Basic, and set the Target folder location to “Create a folder for each user under the root path”. Next click on the Settings tab and click the radio button for “Redirect the folder back…” under Policy Removal.

At this point our folder redirection is set up, so we need to add a user to the redirection group and test it out. Log in to a client system, right click on Documents and go to the Location tab. If this has been set up properly you will see the server location in the box; additionally you can create a file in the Documents folder and look at the User drive to see if the user’s folder has been created and if the file is there.

Creating User Groups and Shares
We will use the same process we used to create the Redirection group to create our Accounting, Corporate, HR, IT, Legal, and Maintenance groups. Once all our groups are created we will go back to the File and Storage Services/Share section and make new shares for each group. This time we will create a quick share. Name the share with the name of the group the share is for. In the screenshots I am only setting up the Accounting share since everything will be the same for each share. Use the same share settings that were used for the redirection share: access-based enumeration and Encrypt data access. Set up the permissions the same as the redirect share, but instead of adding the redirect group add the appropriate group, giving each group “modify” permissions to the correct share.

Once all the shares have been created we can check our permissions settings. To check our settings we will create a new user and place that user in the Accounting group. Once that is done, we will try accessing the Accounting share and the Legal share. We should have access to the Accounting share, but not the Legal share.
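
The group and share steps above repeat six times, so they lend themselves to a script. This is an added example, not part of the original report: the drive letter S:, the NetBIOS domain name UATNTW216, the OU distinguished name and the share-level permissions are assumptions, and it is meant to run elevated on Member1 with the ActiveDirectory (RSAT) module installed.

```powershell
# Added example: create the six department groups and shares described above,
# then audit the share settings.
Import-Module ActiveDirectory

$groups    = 'Accounting', 'Corporate', 'HR', 'IT', 'Legal', 'Maintenance'
$groupsOU  = 'OU=Groups,OU=LabRats,DC=UATNTW216,DC=local'   # assumed DN of the Groups OU
$shareRoot = 'S:\Shares'                                    # assumed corporate-share drive
$netbios   = 'UATNTW216'                                    # assumed NetBIOS domain name

foreach ($g in $groups) {
    # 1. Security group, created only if it does not exist yet.
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -SearchBase $groupsOU)) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $groupsOU
    }

    # 2. Folder that backs the share.
    $path = Join-Path $shareRoot $g
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # 3. NTFS permissions: stop inheriting (keeping a copy of the inherited
    #    entries), remove the built-in Users group, grant the department Modify.
    icacls $path /inheritance:d | Out-Null
    icacls $path /remove:g 'BUILTIN\Users' | Out-Null
    icacls $path /grant "${netbios}\${g}:(OI)(CI)M" | Out-Null

    # 4. Share with access-based enumeration and SMB encryption, as in the
    #    report. Share-level access is limited to the department group
    #    (an assumption; the report only describes the folder permissions).
    if (-not (Get-SmbShare -Name $g -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $g -Path $path `
            -FolderEnumerationMode AccessBased -EncryptData $true `
            -ChangeAccess "$netbios\$g" -FullAccess 'BUILTIN\Administrators' | Out-Null
    }
}

# 5. Audit: list any department share that is missing access-based
#    enumeration or encryption, then show who can reach each share.
$weak = Get-SmbShare -Name $groups |
    Where-Object { $_.FolderEnumerationMode -ne 'AccessBased' -or -not $_.EncryptData }
if ($weak) {
    $weak | Select-Object Name, FolderEnumerationMode, EncryptData
} else {
    'All department shares use access-based enumeration and encryption.'
}
Get-SmbShareAccess -Name $groups | Format-Table Name, AccountName, AccessRight -AutoSize
```

The access table printed at the end is a quick cross-check before the manual test with an Accounting user: each share should list only its own department group and Administrators.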

Maintaining High Availability

Installing Network Load Balancing

Why do We want Network Load Balancing


In a large enterprise network, network load balancing plays a very important role for the network admins, employees and clients. For example, let’s say an enterprise has 5,000 employees and they have an internal web server that hosts an intranet site, and a few web applications that the employees need to access to do their job. If this enterprise only deployed 1 web server, that server would be overloaded all the time and may not respond fast enough for all the employees to get their jobs done. There are two options to fix this problem; let’s take a look at them now.

First we will look at the option that would not work out very well. That would be to deploy multiple servers all hosting the same site and applications, but each at a different address. Now you would have to assign different employees to use different server addresses or URLs to access the same thing. There is also no redundancy: if a server goes down, the employees that were using the server will have to be redirected to a different server until their server is repaired. This will reduce the load each server has to deal with, but it is very impractical. It also would be very inefficient if the company had an external website. The other way to accomplish the same task as deploying multiple servers with different addresses would be to use network load balancing.

Network load balancing, or NLB, is a feature in Windows Server that lets you add multiple servers to a virtual cluster. These servers are still separate systems, each with its own copy of the intranet site and applications, but with one major difference. That difference is the fact that they are in a cluster. In this configuration each server still has its separate IP address, but every server in the cluster shares an IP address; this address is where you would access the intranet and all the web applications. With this setup, if a server goes down no one will notice: the resources employees access will still be online and the IT staff will not have to worry about redirecting anyone to a different server. The same goes for an external web server; if one node in the cluster goes down the external clients will never notice. This will give IT staff time to repair the down node. Once the node is repaired, it resumes its place in the cluster and takes part of the load back. NLB is perfect for redundant services, but what about redundant data? For that we move to a fail-over cluster.

The first step is to install the network load balancing service on both of our servers. If you are not using PowerShell this can take a little while since the steps will have to be performed twice. However, with PowerShell we can install the NLB feature on both servers at one time. To do this we will use Invoke-Command. The command will look like this:

Invoke-Command -ComputerName DC1, Member1 -Command {Install-WindowsFeature NLB,RSAT-NLB}
Next we need to create the cluster. To create the cluster we will use the New-NlbCluster command. The complete command we want to use will look like this:

New-NlbCluster -InterfaceName "Ethernet2" -OperationMode Multicast -ClusterPrimaryIP 172.16.125.15 -ClusterName UATNTW216-NLB

This command will create a cluster using the Ethernet 2 adapter and running in Multicast mode with an IP address of 172.16.125.15.
Next we need to add a DNS record for our NLB cluster. We can add this cluster resource record to our DNS server with Invoke-Command again. The command will look like this:

Invoke-Command -ComputerName DC1 -Command {Add-DnsServerResourceRecordA -ZoneName UATNTW216.local -Name UATNTW216-NLB -IPv4Address 172.16.125.15}
At this point the cluster is created and we can add a node to the cluster using the Add-NlbClusterNode command. This command requires an interface, the new node's name, and the interface of the new node. We can use:

Add-NlbClusterNode -InterfaceName "Ethernet 2" -NewNodeName "Member1" -NewNodeInterface "Ethernet2"
At this point our NLB cluster is set up and ready for use. We can check this with the Get-NlbCluster and Get-NlbClusterNode commands. We can also check the Network Load Balancing Manager.
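The four NLB steps above, combined into one re-runnable script with a health check at the end. This is an added example, not code from the original report; it assumes it is run elevated on DC1, that DC1 hosts the DNS zone, and that both adapters are named "Ethernet2" (the report writes the name both with and without a space, so confirm with Get-NetAdapter).

```powershell
# Added example, not part of the original report. Run elevated on DC1.
# Values are the report's; adapter names are an assumption to verify first.
$nodes     = 'DC1', 'Member1'
$clusterIP = '172.16.125.15'
$name      = 'UATNTW216-NLB'
$zone      = 'UATNTW216.local'
$localNic  = 'Ethernet2'     # cluster interface on DC1
$remoteNic = 'Ethernet2'     # cluster interface on Member1

# 1. Install NLB and its management tools on both servers in one pass.
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Install-WindowsFeature -Name NLB, RSAT-NLB
} | Format-Table PSComputerName, Success, RestartNeeded

# 2. Create the cluster only if this host is not already bound to one.
$cluster = try { Get-NlbCluster -ErrorAction Stop } catch { $null }
if (-not $cluster) {
    New-NlbCluster -InterfaceName $localNic -OperationMode Multicast `
        -ClusterPrimaryIP $clusterIP -ClusterName $name | Out-Null
}

# 3. Publish the cluster address in DNS unless the A record already exists.
$record = Get-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType A `
    -ErrorAction SilentlyContinue
if (-not $record) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $clusterIP
}

# 4. Join Member1 unless it is already a node of the cluster.
if (-not (Get-NlbClusterNode | Where-Object { $_.Name -like 'Member1*' })) {
    Add-NlbClusterNode -InterfaceName $localNic -NewNodeName 'Member1' `
        -NewNodeInterface $remoteNic | Out-Null
}

# 5. Verify: every node converged and the DNS name resolves to the cluster IP.
$nodeState = Get-NlbClusterNode
$nodeState | Format-Table Name, State
$stale    = $nodeState | Where-Object { "$($_.State)" -notlike 'Converged*' }
$resolved = (Resolve-DnsName -Name "$name.$zone" -Type A `
    -ErrorAction SilentlyContinue).IPAddress
if ($stale -or ($resolved -notcontains $clusterIP)) {
    Write-Warning "Cluster not healthy: check node state and the $name A record."
}
```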

Installing the Failover Cluster

Why do We need a Failover Cluster

In an enterprise environment, setting up a fail-over cluster for your file and print servers is also very important. If you don't want your users to experience any downtime due to a server going offline, then you need to create a fail-over cluster. A fail-over cluster is like a network load balancing cluster in that it creates nodes that allow users to experience little to no downtime. However, unlike a network load balancing cluster, a fail-over cluster has one or more nodes in a passive mode. This means that one or more nodes are waiting for an active node to fail; when that happens the passive node will become active and take over for the downed active node.

There are many services and applications a network administrator might want to place in a fail-over cluster, like database applications, mail applications, file servers and print servers. Let's look at file and print fail-over clustering a little more. Let's say an enterprise only has one file and one print server. If that system has to be taken down for maintenance, due to system updates or hardware replacements, the downtime would have to be planned in advance since the complete system, a file share or every printer in the company, would no longer be available until the system is brought back online.

This could mean your IT staff would either have to stay late at the office or come in on a weekend. This can lead to unhappy employees or employees making mistakes due to being tired and overworked. How can a fail-over cluster fix this problem? The answer to that question is very simple. Let's take the same situation as above: a system needs to be taken offline for maintenance. Without the cluster that maintenance would have to happen late at night or on a weekend, to avoid preventing every other employee in the building from being able to complete their work. However, with the cluster any planned maintenance can be completed during normal business hours, because once the active node is taken offline the passive node or nodes will become active, thus keeping the services online and keeping employees working. This is also important for unplanned maintenance. We can never plan for when a server will crash, but we can put a plan into action that will help keep the services online when a server is taken offline unexpectedly. That is why fail-over clusters should always be used for mission critical systems.

To install the failover cluster service we will again use the power of Invoke-Command in PowerShell. Our command will look like this:

Invoke-Command -ComputerName DC1, Member1 -Command {Install-WindowsFeature -Name Failover-Clustering -IncludeManagementTools}
Once the clustering service is installed we need to test our systems to make sure they are ready to be made part of a failover cluster. To do this we will use the Test-Cluster command:

Test-Cluster -Node DC1,Member1

My two servers are using different operating system versions so my cluster will not work, but the steps will be the same.
Once the tests are complete we can create the new cluster using the New-Cluster command. We need to provide a cluster name, the nodes, and an address. In my case I will also add the -NoStorage option:

New-Cluster -Name UATNTW216-Failover -Node DC1, Member1 -StaticAddress 172.16.125.16 -NoStorage

Again, due to a mix in OS versions this will not work. If this command had succeeded the cluster would be set up and complete.
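The failure described above (nodes on different operating system versions) can be caught before validation starts. The following pre-flight script is an added example, not code from the original report; it uses the report's node names, cluster name and address, and assumes it is run elevated on a node that already has the Failover-Clustering tools installed.

```powershell
# Added example, not part of the original report.
$nodes       = 'DC1', 'Member1'
$clusterName = 'UATNTW216-Failover'
$clusterIP   = '172.16.125.16'

# Compare OS versions first: a version mismatch is what broke the report's
# cluster, so stop here instead of failing later inside New-Cluster.
$os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $nodes |
      Select-Object PSComputerName, Caption, Version
$os | Format-Table -AutoSize
if (@($os.Version | Sort-Object -Unique).Count -gt 1) {
    throw 'Nodes run different OS versions; align them before clustering.'
}

# Run validation. Test-Cluster writes a report file and returns it; the
# report has to be read by a person, so pause before building the cluster.
$report = Test-Cluster -Node $nodes
Write-Host "Validation report: $($report.FullName)"
if ((Read-Host 'Validation reviewed and clean? (y/n)') -ne 'y') { return }

# Create the cluster only if one with this name does not already exist.
$existing = try { Get-Cluster -Name $clusterName -ErrorAction Stop } catch { $null }
if (-not $existing) {
    New-Cluster -Name $clusterName -Node $nodes -StaticAddress $clusterIP -NoStorage
}

# Confirm both nodes joined and report their state.
Get-ClusterNode -Cluster $clusterName | Format-Table Name, State
```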

Troubleshooting a Server
Testing the NIC
When it comes to testing a NIC in a virtual machine, the fastest way is to run a ping test. Using ping you can test if the server's NIC is connected to the network or if another host is connected to the network. If your problem is internet connectivity, you can also test to see if you have a local connection and an internet connection. You can ping a local system to test for local network connectivity and you can ping an internet DNS server to check for internet connectivity. This will help narrow down the issue.
Adding an Additional NIC to Server VM
Adding additional NICs to a server VM can be different depending on the hypervisor you are using. For this lab I used my XCP-NG server and my Xen Orchestra web interface. Once logged in to my web interface, I locate the VM I want to work on and select the Network tab. I then click on the blue + button to create a new NIC; I will do this twice to create a total of three NICs for this server. I will then select the correct network to connect the new NIC to and click Create. Once the new NICs are created I will refresh Server Manager to load the new NICs.
Setting up NIC Teaming/Configure a spare NIC for Team
To create a NIC team we first need to click on the blue link labeled “Disabled” across from “NIC Teaming”. When the NIC Team window opens, locate the Teams section and click on TASKS, then New Team. In the new window provide a team name, and check the adapters you want to include in the team. We will check all three adapters to create the team and set a standby adapter. Once your adapters have been selected click “Additional Properties”.
Change “Teaming mode” to Switch Independent as this is the only mode usable in a VM, for load balancing choose Address Hash, and set the standby adapter to the last adapter in the list. Then click OK. This will create your team with a spare NIC in case of a failure.
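The same team can be built from PowerShell instead of Server Manager. This is an added example, not part of the original report: the team name and the three adapter names are assumptions, and TransportPorts is the PowerShell name for the algorithm the GUI labels Address Hash.

```powershell
# Added example, not part of the original report. Run elevated from the VM
# console, since teaming the NIC you are connected through drops the session.
$team    = 'Team1'                                   # assumed team name
$members = 'Ethernet', 'Ethernet 2', 'Ethernet 3'    # assumed adapter names
$standby = $members[-1]       # last adapter in the list becomes the spare

# Stop if a named adapter does not exist or already belongs to a team.
$missing = $members | Where-Object {
    -not (Get-NetAdapter -Name $_ -ErrorAction SilentlyContinue)
}
if ($missing) { throw "Adapter(s) not found: $($missing -join ', ')" }
$taken = Get-NetLbfoTeamMember -ErrorAction SilentlyContinue |
         Where-Object Name -in $members
if ($taken) { throw "Already teamed: $($taken.Name -join ', ')" }

# Switch Independent is the mode the report selects for a VM guest.
New-NetLbfoTeam -Name $team -TeamMembers $members `
    -TeamingMode SwitchIndependent `
    -LoadBalancingAlgorithm TransportPorts -Confirm:$false | Out-Null

# Demote the last adapter to standby so it only carries traffic on failure.
Set-NetLbfoTeamMember -Name $standby -Team $team -AdministrativeMode Standby

# Show the result: two Active members and one Standby member are expected.
Get-NetLbfoTeam -Name $team | Format-Table Name, TeamingMode, Status
Get-NetLbfoTeamMember -Team $team |
    Format-Table Name, AdministrativeMode, OperationalStatus
```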

Server Troubleshooting
One reason you may not be able to join a domain even after a system reboot could be an IP address misconfiguration. As a start I would check the static IP address, if there is one, to make sure it is in the same subnet. I would also check the netmask, gateway, and DNS addresses to make sure they all match the correct settings for the domain.
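The ping tests from "Testing the NIC" and the address checks above can be run as one ordered pass that works outward from the local network to the domain. This is an added example, not part of the original report; the domain name is the report's, 8.8.8.8 is used only as a well-known public DNS address, and the SRV name queried is the standard Active Directory domain controller locator record.

```powershell
# Added example, not part of the original report. Run on the server that
# cannot join the domain.
$domain = 'UATNTW216.local'

# Show address and prefix length so the subnet and netmask can be compared
# with the values the domain expects.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object IPAddress -ne '127.0.0.1' |
    Format-Table InterfaceAlias, IPAddress, PrefixLength

$gw  = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' `
        -ErrorAction SilentlyContinue).NextHop | Select-Object -First 1
$dns = @((Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses |
        Select-Object -Unique)

# Checks run from the local network outward; the first FAIL is where to look.
$checks = [ordered]@{
    'Default gateway configured'    = { [bool]$gw }
    'Gateway answers ping (local)'  = { $gw -and
        (Test-Connection -ComputerName $gw -Count 2 -Quiet) }
    'DNS server configured'         = { $dns.Count -gt 0 }
    'DNS server answers ping'       = { $dns.Count -gt 0 -and
        (Test-Connection -ComputerName $dns[0] -Count 2 -Quiet) }
    'Internet reachable (8.8.8.8)'  = {
        Test-Connection -ComputerName 8.8.8.8 -Count 2 -Quiet }
    'Domain controller SRV record'  = { [bool](Resolve-DnsName `
        -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV `
        -ErrorAction SilentlyContinue) }
}
foreach ($check in $checks.GetEnumerator()) {
    $ok = [bool](& $check.Value)
    '{0,-32} {1}' -f $check.Key, $(if ($ok) { 'OK' } else { 'FAIL' })
}
```

A failed SRV lookup with working pings usually means the DNS address on the NIC points at a server that does not host the domain's zone.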

Network Diagram
