WSMB2022 PRA ITNSA SOALAN v2
WORLDSKILLS MALAYSIA
YOUTH CATEGORY (WSMB)
YEAR 2022
(IT NETWORK SYSTEM ADMINISTRATION)
PRE-QUALIFICATION
(5 HOURS)
JABATAN PEMBANGUNAN KEMAHIRAN
KEMENTERIAN SUMBER MANUSIA
Description of project and tasks
Active Directory
• Install and configure Active Directory Domain Service for ITNSA.MY
• Import users from the CSV file located in C:\ITNSA\User.zip on the host PC. You may use the
PowerShell script provided in the same folder, but the script has errors that need to be
repaired:
• Accounts are placed in the appropriate OU
• Accounts are enabled with all properties in the CSV file
• Userprincipalname with @itnsa.my suffix
• User is not required to change password at first login
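One way to meet the four import requirements above, as an added example that is not the script supplied in C:\ITNSA and not part of the original task sheet. The CSV file name and its column names (SamAccountName, GivenName, Surname, Title, Department, OU, Password) are assumptions; the closing pipeline lists any imported account that is disabled, has the wrong UPN suffix, or must still change its password at next logon.

```powershell
# Added example. Assumed CSV columns: SamAccountName, GivenName, Surname,
# Title, Department, OU, Password. Adjust to the real header row.
Import-Module ActiveDirectory

$DomainDN  = 'DC=itnsa,DC=my'
$UpnSuffix = 'itnsa.my'
$CsvPath   = 'C:\ITNSA\User.csv'   # assumed name of the file extracted from User.zip
$rows      = Import-Csv -Path $CsvPath

foreach ($row in $rows) {
    # Requirement 1: place the account in its OU, creating the OU on first use
    $ouDN = "OU=$($row.OU),$DomainDN"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDN'")) {
        New-ADOrganizationalUnit -Name $row.OU -Path $DomainDN
    }

    # Skip accounts that already exist so the script can be re-run safely
    if (Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'") { continue }

    $params = @{
        Name                  = "$($row.GivenName) $($row.Surname)"
        SamAccountName        = $row.SamAccountName
        UserPrincipalName     = "$($row.SamAccountName)@$UpnSuffix"   # requirement 3
        GivenName             = $row.GivenName
        Surname               = $row.Surname
        Path                  = $ouDN
        AccountPassword       = ConvertTo-SecureString $row.Password -AsPlainText -Force
        Enabled               = $true                                 # requirement 2
        ChangePasswordAtLogon = $false                                # requirement 4
    }
    # Pass optional properties only when the CSV cell is not empty
    foreach ($p in 'Title', 'Department') {
        if ($row.$p) { $params[$p] = $row.$p }
    }
    New-ADUser @params
}

# Check: list imported accounts that still violate a requirement.
# pwdLastSet = 0 means "user must change password at next logon".
$names = $rows.SamAccountName
Get-ADUser -Filter * -SearchBase $DomainDN -Properties pwdLastSet |
    Where-Object { $_.SamAccountName -in $names } |
    Where-Object { -not $_.Enabled -or $_.UserPrincipalName -notlike "*@$UpnSuffix" -or $_.pwdLastSet -eq 0 } |
    Select-Object SamAccountName, Enabled, UserPrincipalName, DistinguishedName
```

An empty result from the final pipeline means every imported account satisfies the enabled, UPN and password-change requirements. A CSV that holds initial passwords is a credential store, so restrict its ACL or delete it once the import is verified.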
DNS
• Install and configure DNS Service
• Create also a reverse zone for the internal subnet
• Create static A records for all servers
• Make sure clients are able to communicate with the wsmb.my domain
DHCP
• Install and configure DHCP Service:
• Range 192.168.1.100 – 192.168.1.200/24 (Clients)
• Default Gateway 192.168.1.1
• DNS Server 10.0.0.4
PKI
• Install and configure Certificate Service
• Install only the “Certificate Authority”
• Create a template for Domain Computers
ISCSI
• Configure iSCSI Initiator.
• Use iqn.2022-05.itnsa.my:core as Initiator name
• Connect iSCSI target disk "iqn.2022-05.itnsa.my:wsmb2022-tgt"
RAID
• Install and configure RAID 1
• Add 1 new 5 GB drive AND the iSCSI disk
• Create 1 RAID 1 array with the remaining drives (D:\)
File Sharing
• Create a file share for users' home drives:
• Access UNC path: \\core.itnsa.my\homes
• Local path: "D:\homes\"
• Limit home folders so that users cannot store more than 10 MB of data and cannot
save bitmap (*.bmp) files.
• Create a file share for local path D:\witness and share it as \\core\witness
• Create a file share for local path D:\WSC and share it as \\core\WSC
• Create two subfolders inside D:\WSC and share and configure access control on each
folder as follows:
• Create a "Junior Skills" folder.
• Allow read-only access for users who have "Junior" as the job title.
• Allow full access to the users who are also part of the "WSJ" organizational unit and
also belong to the "Manager" group.
• Create a "Secret Challenges" folder
• Allow modify access only for "Agent" group.
• This folder should be hidden for all users who have insufficient permission to access
the folder.
• Install and configure DFS so that the “WSC” share and “Public” share from DC are
accessible by accessing \\itnsa.my\shares.
IIS
Table 1: IP Address
HOSTNAME | IP ADDRESS | VMNET MAPPING
DC | ETH0 10.0.0.4 | VMNET1
CORE | ETH0 10.0.0.3 | VMNET1
STRG-SVR | ENS33 10.0.0.5 | VMNET3
BRCH-SRV | ENS33 10.20.30.[2,3,5.10.21] | VMNET4
CLNT, STAFF, REMOTE | ETH0 DHCP | VMNET2,6,5
ISP-RTR | G0/0 131.107.0.1, G0/1 203.12.220.30, G0/2 121.122.5.1/27 |
BRCH-RTR | G0/0 131.107.0.254, G0/1.10 172.16.1.1, G0/1.20 10.20.30.1 |
CORP-FW | G0/1 203.12.220.1, G0/2 20.20.20.1, G0/0.10 10.0.0.1, G0/0.20 192.168.1.1, G0/0.99 11.22.33.254 |
CORP-SW1 | VLAN99 11.22.33.1 |
CORP-SW2 | VLAN99 11.22.33.2 |
CORP-SW3 | VLAN99 11.22.33.3 |

HOSTNAME | VLAN/Port
CORP-SW[1-3] | VLAN10 NAME: SVR, VLAN20 NAME: LAN, VLAN99 NAME: MGMT
BRCH-SW | VLAN10 NAME: SVR, VLAN20 NAME: LAN
Table 3: VTP
• Configure hostname, IP address, VLAN and VTP based on Table 1, Table 2 and Table 3
SWITCH
• Configure LACP for the links between CORP-SW1, CORP-SW2 and CORP-SW3
• CORP-SW3 will be in passive mode for both links
• CORP-SW2 will be in passive mode for the link to CORP-SW1
• Use MGMT as the native VLAN for trunks
VPN
• Configure a site-to-site VPN between CORP-FW and BRCH-RTR
• Allow the internal networks of both sites to pass through the VPN
• The VPN must be encrypted using IPsec
• You may use any authentication method to establish the VPN
DHCP
• Configure DHCP on ISP-RTR
• Use appropriate range and gateway for 121.122.5.10-20/27
• Use BRCH-SVR public IP as DNS server
SECURITY
• Configure DHCP Snooping on CORP switches to allow only the DC server to serve DHCP
• On CORP-FW:
• LAN and SVR VLANs should be able to access all services
• Only WWW is allowed to be accessed from the Internet
• Block other access
ROUTING
• Configure OSPF between CORP-FW, ISP-RTR and BRCH-RTR
• OSPF advertisement disabled on all LAN interfaces
• Only share public IP addresses with OSPF neighbors
• Protect OSPF links with MD5 authentication with password "Skills39"
NAT
• Map the following services from BRCH-RTR to BRCH-SVR
[Figure: network topology diagram. Devices shown: Internet, ISP-RTR, BRCH-RTR, BRCH-SW, BRCH-SVR, CORP-FW, CORP-SW1, CORP-SW2, CORP-SW3, STRG-SVR, DC, CORE, CLIENT, REMOTE.
Role labels shown: VPN, Routing, NAT, DHCP, Security, iSCSI, Web, DNS, FTP, Mail, VTP, LACP, VLAN, AD, RAID, File, PKI, GPO.
Address labels shown: 172.16.1.1/26, 10.20.30.1/24, 131.107.0.254/24, 131.107.0.1/24, 10.20.30.2/24, 10.0.0.5/24, 121.122.5.0/27, 203.12.220.30/27, 203.12.220.1/27, 11.22.33.LAST IP/28, 10.0.0.1/24, 192.168.1.1/24, 11.22.33.1/28, 11.22.33.2/28, 11.22.33.3/28, 10.0.0.4/24, 10.0.0.3/24.]