Chapter 1 - 3

Uploaded by

Adugna Negero

Ch1: Network & System Administration

What is network & system administration?

 It is about putting together a network of computers, getting them running and then keeping them running in spite of the activities of users who tend to cause the system to fail.

 It is a system implemented by a person or a group of persons under the supervision of a knowledgeable person, the network administrator.

 It is the process of installing, configuring, troubleshooting and maintaining a network.

 It is the way to monitor the delivery of information across a network and to protect the network from internal and external security threats.
What is a system?

 It is a combination or an integration of subsystems, which are independent objects having specific performances to attain the same goal.

In the network system, the objects that constitute a system are:

 Users
 Hardware resources
 Software resources
 Network expertise/Network administrator


Who is a system / network administrator?

 A professional person who is responsible for the physical design and management of network & system administration.

 Network/System administrators are responsible for the security and availability of the network services they manage.

 Network administrators must adhere to the following universal Information Technology Policies:

 Network Connection Policy
 Wireless LAN Policy
 Network and System Monitoring Policy
 Network Security Policy
 Network Access Policy


What is network design?

 It describes making various decisions regarding the architecture of a network, such as:

 The LAN and WAN technologies to be used
 The transmission media to be used
 The cable layout to create high speed backbones
 The hardware equipment to be used


General network administration tasks

 These tasks are categorized into 3:

1) Managing network accounts, which includes:
a. Creating user accounts
b. Creating group accounts
c. Creating computer accounts
d. Deleting user and computer accounts
e. Renaming user and computer accounts
f. Assigning access rights to the users

2) Managing network performance, which includes:
 Verifying the proper working of network devices such as network cards, connectivity devices, computers, etc.

3) Managing network security, which includes:
a. Securing data stored on the network from external or unauthorized bodies.
b. Retrieving data from storage in the event of data loss.

 There are two types of network security:
i. Physical security – securing hardware resources such as cables, servers and others from physical damage.
ii. Data security – securing network data and software resources.

 The network administrator must include the following points as a checklist in his/her network security planning:
 What should be protected?
 From whom should it be protected?
 How likely is the occurrence of the threats or challenges?
 What is the estimated financial loss due to the threats or challenges?
The key roles of a network & system administrator

1) Documenting the network and its resources:
o Any modification made to the network should be documented immediately.
o This document should include:
 The type of computer being used.
 The name of the computer (assigned by the network administrator).
 The IP address of each computer.
 The operating system being used on each computer.
 The network design or map detailing the location of network resources.

2) Administering network IP addresses and subnetting:
o Grouping computers on the basis of department or functional location.
o Assigning IP addresses and subnet masks: this can be done manually using static configuration or dynamically using a DHCP server.

3) Educating (training) network users, which involves:
• The proper use of the network and its resources.
• Providing knowledge about virus threats and their solutions.

4) Designing a network which is logical and efficient:
 Deciding what services are needed.
 Planning and implementing adequate security.
 Providing a comfortable environment for users.
 Developing ways of fixing errors and problems which occur.


Concepts of server based network

 It is a network architecture in which the client requests data from the server and the server responds to the request by retrieving the required information.
 It provides shared resources such as:
o Software
o Peripherals
o Files
o Storage devices
 Advantages of server based networking:
i. Sharing centralized resources.
ii. Managing network security.
iii. Backup purposes.
iv. Maximizing the number of clients in the network.
v. High capacity to store data.

Concepts of Active Directory & Domain Controller

 Active Directory (AD): Active Directory is a database of computers, users, shared printers, shared folders and other network resources which enables users to find a particular resource and allows the administrator to see a hierarchical view of the network.

 Domain Controller (DC): It is a computer with a Windows Server OS that provides a complete network database, or Active Directory. It provides the network administrator with a facility to control all objects in the network environment.
End of Chapter 1
Ch2: Managing AD Users & Group Accounts

 User Account:
 Each user requires a user account to log on to a Windows Server domain, and this enables a user to be authenticated on the network.
 This user account refers to the username and password assigned by the network administrator.
 Once users log on, they can access resources based on the permissions that have been assigned by the network administrator.

 Built-in Users in AD
 Administrator account: created locally when we install the Windows Server OS and has full control over the computer or domain. Its default settings are: full rights (controlling users and computers) and assigning users' access rights. The administrator account cannot be deleted/removed; for security purposes it is recommended to rename it rather than disable it. If the administrator account is disabled it can still be used when the server is booted in safe mode, which is why renaming the administrator account increases the computer's security level.

 Guest account: allows users to access the computer even if they do not have a unique username and password. Because of the security risk associated with this account, it is disabled by default. This account is given very limited privileges.
Windows Server OS Username and Password Rules

 Username rules:
 The username must be unique to the user.
 It cannot contain these characters: * ? / \ ( ) : ; [ ] = + < > "
 It also cannot contain a period (.) or a space.

 Password policies:
 Enforce password history – the default number of passwords remembered is 24.
 Maximum password age – the default password age is between 1 and 42 days.
 Minimum password length – by default 7 characters.
 Password must meet complexity requirements – must not contain the account name, must have a minimum of 6 characters, and must be composed of lower/upper case letters, numeric and special characters.
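As an added illustration (not part of the lecture notes), the username rules and password policies above expressed as checks that a provisioning script could run before an account is created. The notes give two minimum lengths (7 for the length policy, 6 inside the complexity rule), so the length is a parameter defaulting to 7; the history list holds SHA-256 digests, a constructed simplification of what Windows actually stores.

```python
import hashlib
import re
from datetime import date, timedelta

# Characters the notes list as forbidden in a Windows Server username.
FORBIDDEN_USERNAME_CHARS = set('*?/\\():;[]=+<>"')


def validate_username(name, existing):
    """Return the list of username-rule violations (empty list = acceptable)."""
    problems = []
    if name.lower() in {e.lower() for e in existing}:
        problems.append("username must be unique")
    bad = sorted(set(c for c in name if c in FORBIDDEN_USERNAME_CHARS))
    if bad:
        problems.append("contains forbidden characters: " + "".join(bad))
    if "." in name or " " in name:
        problems.append("must not contain a period or a space")
    return problems


def check_complexity(password, account_name, min_length=7):
    """Complexity rules: no account name, minimum length, all four character classes."""
    problems = []
    if account_name and account_name.lower() in password.lower():
        problems.append("contains the account name")
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    classes = {
        "lowercase": r"[a-z]",
        "uppercase": r"[A-Z]",
        "numeric": r"[0-9]",
        "special": r"[^A-Za-z0-9]",
    }
    missing = [cls for cls, pattern in classes.items() if not re.search(pattern, password)]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    return problems


def digest(password):
    """Digest kept in the history list (constructed simplification, not the Windows hash)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def reused_from_history(password, history_digests, remembered=24):
    """Enforce password history: reject any of the last `remembered` passwords."""
    return digest(password) in history_digests[-remembered:]


def password_expired(set_on_iso, today_iso, max_age_days=42):
    """Maximum password age: expired once the password is older than max_age_days."""
    set_on = date.fromisoformat(set_on_iso)
    today = date.fromisoformat(today_iso)
    return today - set_on > timedelta(days=max_age_days)
```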
Creating a new user using AD:
 Options that can be configured for new users are:
 first name, initials, last name and full name
 user logon name and User Principal Name (UPN), which is made up of the user logon name and the principal name suffix (domain controller's name) separated by an @ sign.
 password
 Options that can be enabled when a password is given for new users:
 user must change password at next logon
 user cannot change password
 password never expires
 account is disabled
Disabling / Deleting a user account:
 A disabled account can be enabled later, but a deleted account can never be recovered.
 We should delete a user account only if we are sure that the account will never be needed again.
 Reasons for disabling a user account are:
• If the user will not be using it for a period of time.
• If the network administrator is planning to put another user in the same function with the same user account.
• As a security mechanism in special situations.
 We disable the user account by right-clicking on the user account and selecting the Disable Account option.
 After an account has been disabled it is displayed with a red circle and an X sign over the user account icon within Active Directory.
 Configuring user properties: the properties dialog box consists of 13 main tabs, of which the General tab and the Account tab are the major ones.

• General tab – contains the information that you supplied when you set up the new user account to identify the user uniquely. It is used to record contact information for the user: telephone, e-mail, full name, description, office location, etc.

• Account tab – shows the logon name information that we supplied. It allows configuring the following settings: user logon name and principal name suffix, the logon hours for the user, account expiry options, the log on to option, etc.
 User logon name & principal name suffix: enable the network administrator to change the user logon name or to configure the server that the user wants to access in the network environment.
 Logon hours: by default users are allowed to log on 24 hours a day, 7 days a week. The network administrator can adjust or restrict the hours in which the user can log on.
 Logon denied: the network administrator can configure the day and hour at which the user is blocked from logging on and accessing resources by clicking on the Logon Denied option.
 Log on to option: this option is used to configure the computers that the user is allowed to log on to. The network administrator can restrict the user to logging on from a defined or limited set of computers.
 Account expiry options: this option is used to configure the expiration date, month and year for the user account created in Active Directory by selecting the End Of option, or to make an account never expire by selecting the Never Expire option.
 Account lockout options: these are configured through the domain security settings for password policy and account lockout policy. The options under account lockout policy are: account lockout duration, account lockout threshold and account lockout counter.

• Account lockout duration: specifies how long the account will be locked in the event that the account lockout threshold is exceeded (after invalid attempts).

• Account lockout threshold: specifies the number of invalid login attempts a user is permitted before the account is locked. The number of invalid logon attempts is decided by the network administrator.

• Account lockout counter after: specifies how long the account lockout threshold will be tracked after the invalid logon attempts. The account lockout counter starts after the last invalid logon attempt and is used to display the remaining time for the next threshold (i.e. after how many minutes the user can attempt to log on for a second round).
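An added example (not from the notes) that models how the three lockout settings interact for one account: the threshold counts invalid attempts, the counter window discards failures older than "reset counter after", and a locked account rejects even a correct password until the lockout duration has elapsed. Times are plain integers of simulated minutes and the policy values are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    """The three account lockout policy settings, durations in minutes."""
    threshold: int = 5             # invalid attempts permitted before lockout; 0 = never lock
    lockout_duration: int = 30     # Account lockout duration
    reset_counter_after: int = 30  # Account lockout counter after

    def __post_init__(self):
        # Windows requires the reset window to be no longer than the lockout duration.
        if self.reset_counter_after > self.lockout_duration:
            raise ValueError("reset window must not exceed the lockout duration")


@dataclass
class AccountState:
    bad_count: int = 0                  # invalid attempts inside the current window
    last_bad: Optional[int] = None      # time of the last invalid attempt
    locked_until: Optional[int] = None  # time at which the lockout duration elapses


def attempt_logon(state, policy, now, password_ok):
    """Process one logon attempt at time `now`; returns 'ok', 'bad_password' or 'locked'."""
    if state.locked_until is not None:
        if now < state.locked_until:
            return "locked"           # inside the lockout duration, even with a good password
        state.locked_until = None     # duration elapsed: account unlocks, counter clears
        state.bad_count = 0
    if state.last_bad is not None and now - state.last_bad >= policy.reset_counter_after:
        state.bad_count = 0           # counter window expired: earlier failures no longer count
    if password_ok:
        state.bad_count = 0           # a successful logon clears the counter
        return "ok"
    state.bad_count += 1
    state.last_bad = now
    if policy.threshold and state.bad_count >= policy.threshold:
        state.locked_until = now + policy.lockout_duration
        return "locked"
    return "bad_password"


def simulate(policy, attempts):
    """Run (time, password_ok) attempts against a fresh account and collect each outcome."""
    state = AccountState()
    return [attempt_logon(state, policy, t, ok) for t, ok in attempts]


if __name__ == "__main__":
    # Constructed policy: three strikes, 30-minute lockout, 10-minute counter window.
    demo = LockoutPolicy(threshold=3, lockout_duration=30, reset_counter_after=10)
    print(simulate(demo, [(0, False), (1, False), (2, False), (5, True), (32, True)]))
```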
Troubleshooting User Authentication

• Possible causes of logon failure:
 incorrect user logon name
 incorrect password
 prohibitive user rights
 disabled or deleted account
 the computer is not part of the domain


User Group Type and Scope
• Group type is used to organize users, computers, and other groups into logical objects for management purposes (to assign different configuration/settings and permissions).
• Groups can be either a security group or a distribution group.

 Security groups:
• They are security-enabled groups (listed under access control lists).
• They need to access specific resources (secured resources of an organization).
• They need permission to have security access rights.
 Distribution groups:
• They have common characteristics in accessing resources (e.g. e-mail and application programs).
• They are not security-enabled (have no security access rights).
• They need permission to access resources.
Built-in groups in a Windows Server OS domain:

 Account Operators – create and manage user, group and computer accounts.
 Administrators – have full rights and privileges on all domain controllers.
 Backup Operators – back up and restore the file system but can't modify it.
 Print Operators – administer, create, delete and share printers.
 Remote Desktop Users – allows its members to log on to the server remotely using Remote Desktop Connection.
 Server Operators – responsible for administering domain servers.


End of Chapter 2
Ch3: Managing Network Access
• Network access defines what access/rights a user has to local resources, i.e. the scope of access users can have to the resources.
• A powerful feature of networking is the ability to allow or protect access to files and folders.
• The network administrator can create shared files/folders on a network so that users with appropriate access rights can access them.
• There are two types of file systems used by local partitions:
 FAT (which includes FAT-16 and FAT-32)
 NTFS
 FAT partitions don't support local security options, while NTFS partitions do support local security options.
 NTFS permissions are cumulative, based on the access type of each group the user is a member of; if the user has denied access and allowed access through groups, denied permissions override allowed permissions.
 Windows Server OS offers six levels of NTFS permissions:
1) full control
2) modify
3) read and execute
4) list folder contents
5) read
6) write
 Level 1 – Full control:
 If we select the full control permission, all permissions will be checked by default.
 If we uncheck any lower level permission (such as read, or others) the full control allow check box will be automatically unchecked.
 Level 2 – Modify:
 If we select the modify permission the following will be checked/allowed:
o Read and execute
o List folder contents
o Read
o Write
 Level 3 – Read and Execute:
 If we select the read and execute permission the following will be allowed automatically:
o List folder contents
o Read
 Level 4 – List Folder Contents:
 This permission allows the following rights:
o List the contents of folders.
o See file/folder attributes.
 Level 5 – Read:
 This permission allows the following rights:
o List the contents of a folder
o Read the data in a folder's files
 Level 6 – Write:
 This permission allows the following rights:
o Create a new folder/file
o Write data to a file
o Overwrite a file (modify a file)
o Change file/folder attributes
User's effective permission:
 refers to the right the user actually has to access a file or folder.
 To determine a user's effective permission, combine all permissions that have been allowed to the user through the user name or group association and subtract/remove all permissions that have been denied to the user.
 e.g. find Alemu's effective permissions as shown below:

Accounting Group (Permission Types / Allow / Deny):
Full Control
Modify √
Read and Execute √
List Folder Contents √
Read √
Write √

IT Group (Permission Types / Allow / Deny):
Full Control
Modify √
Read and Execute
List Folder Contents √
Read √
Write √
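An added example (not the notes' own table or code) that carries out the effective-permission rule above together with the six-level hierarchy from the previous section: allows granted to the user and to every group it belongs to are expanded down the hierarchy and combined, every deny is subtracted, and a composite level such as modify only survives if everything it implies is still allowed. The group memberships and ACL entries are constructed for the demonstration.

```python
# The six NTFS permission levels from the notes and the lower levels each one
# checks automatically (full control checks everything; modify checks read and
# execute, list folder contents, read and write; read and execute checks list
# folder contents and read).
IMPLIED = {
    "full control": {"modify", "read and execute", "list folder contents", "read", "write"},
    "modify": {"read and execute", "list folder contents", "read", "write"},
    "read and execute": {"list folder contents", "read"},
    "list folder contents": set(),
    "read": set(),
    "write": set(),
}


def expand(levels):
    """Expand selected levels to every level they imply, following the hierarchy transitively."""
    result = set()
    pending = list(levels)
    while pending:
        level = pending.pop()
        if level not in result:
            result.add(level)
            pending.extend(IMPLIED[level])
    return result


def effective_permissions(user, membership, acl):
    """Combine allows granted to the user and its groups, then subtract every deny.

    membership maps a user to the set of groups it belongs to; acl maps a
    principal (user or group) to {"allow": set, "deny": set} of level names.
    """
    principals = {user} | membership.get(user, set())
    allowed, denied = set(), set()
    for principal in principals:
        entry = acl.get(principal, {})
        allowed |= expand(entry.get("allow", set()))
        denied |= expand(entry.get("deny", set()))
    remaining = allowed - denied  # a deny overrides an allow from any other source
    # A composite level only stands if everything it implies is still allowed;
    # denying write, for instance, also takes modify and full control away.
    return {level for level in remaining if IMPLIED[level] <= remaining}


# Constructed example (not the table from the notes): Alemu is in both groups,
# Accounting allows Modify and IT denies Write.
EXAMPLE_MEMBERSHIP = {"alemu": {"Accounting", "IT"}}
EXAMPLE_ACL = {
    "Accounting": {"allow": {"modify"}},
    "IT": {"deny": {"write"}},
}

if __name__ == "__main__":
    print(sorted(effective_permissions("alemu", EXAMPLE_MEMBERSHIP, EXAMPLE_ACL)))
```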
Permission inheritance:
 By default, a parent folder's permissions are applied to any files and subfolders in the folder.
 This is called inherited permission.
 When you move or copy NTFS files, the permissions that have been set for those files might be changed:
o If we move a file from one folder to another folder on the same NTFS volume, the file will retain its original NTFS permissions (the NTFS permissions of the source folder).
o If we move a file from one folder to another folder between different NTFS volumes, the file is treated as a copy and will have the same permissions as the destination folder.
o If we copy a file from one folder to another folder on the same NTFS volume or on a different volume, the file will have the same permissions as the destination folder.
o If we copy/move a folder or file to a FAT partition, it will not retain any NTFS permissions.
Managing Network Printing:
 A network administrator can create 3 types of printer:
o a local printer, which is directly attached to the local computer,
o a network printer, which is attached to another computer on the network, or
o a print device that has its own network card and attaches directly to the network, similar to the computers.
 The computer on which we run the Add Printer wizard and create the printer automatically becomes the print server for that printer.
 Once a printer has been set up, printer properties allow us to configure options such as the printer name, whether or not the printer is shared, and printer security issues.
 The printer properties dialog box has a minimum of six tabs: General, Sharing, Ports, Security, Device Settings, and Advanced.
a. General tab – contains information about the printer such as the name of the printer, the location, and a comment about the printer.
 It also lets us set printing preferences and print test pages to check our printer connectivity.
 This dialog box allows us to specify the layout of the paper (orientation: portrait or vertical, landscape or horizontal), the number of pages per sheet, and the page order.
b. Configuring sharing properties – allows us to specify whether the printer will be configured as a local printer or as a shared network printer.
c. Configuring port properties – allows us to configure all of the ports that have been defined for printer use.
 A port is defined as the interface that allows the computer to communicate with the print device.
 Windows Server OS supports local (physical) ports and logical ports, which can be: parallel ports, serial ports, USB ports, infrared and TCP/IP ports.
 Local ports are used when the printer attaches directly to the computer.
 Logical ports are used when the printer is attached to the network by installing a network card in the printer.
 The advantage of network printers is that they are faster than local printers and can be located anywhere on the network.
 Printer pooling – is the process of redirecting print jobs to another printer.
 Printer pools are used to associate multiple physical print devices with a single logical printer.
 The advantage of configuring and using a printer pool is that the first available print device will print our job.
d. Security properties – print permissions – the network administrator can allow or deny access to a printer using the Security tab of the printer properties dialog box.
• The following are the print permissions assigned by Windows Server:
 print,
 manage printers, and
 manage documents.

e. Configuring advanced network print properties – the Advanced tab of the printer properties allows us to configure the following options:
 Printer availability
 Printer priority
 Spooling properties
 Separator page
i. Printer availability configuration – specifies when a printer will service print jobs.
• It has two options: Always Available (default) and Available from
ii. Printer priority configuration – allows us to configure priority if we have multiple printers that use a single print device.
• We might use this option when two or more groups share a printer and we need to control the priority in which print jobs are serviced by the print device.
• In the Advanced tab of the printer properties dialog box, we can set the priority value to a number from 1 to 99, with 1 as the lowest priority and 99 as the highest priority.
iii. Spooling – means that print jobs are saved to disk in a printer queue before they are sent to the printer.
• When we configure spooling options, we specify whether print jobs are spooled or sent directly to the printer.
iv. Separator pages – used at the beginning of each document to be printed to identify the user who submitted the print job and to separate print jobs/documents.
• If our printer is not shared, a separator page is generally a waste of paper.
• If the printer is shared by many users, the separator page can be useful for distributing finished print jobs.

End of Chapter 3
