Capstone Project: Microsoft Active Directory and Exchange

Capstone Proposal Summary

“Information is power”, are the words of a great man. In the present age, words are beginning to make more literal sense than what one would coin from the statement. Imagine what innocent tampering can be done with the information in a particular organization if there are no backups. The tale is all too familiar with many experts and people who have interacted with computers, which are used by many people in an office setting. Having worked in a 500 staff office, which is a mid-sized company, brought the self-experience due to the frequent curses that followed loss of information, passwords and crucial settings.

Various ideas for mitigating such situations came up and as such formed the basis of this project. Indeed, the problem of computer manipulation by unauthorized personnel poses a great challenge. The solution, therefore, lays in a system that limited the use of such systems for authorized procedures and if possible only certain operations that fall within the department that one is assigned to. Active Directory was the most effective and implementable solution for resolution of the problems that existed in the company.

Indeed, reading showed that the service offers the ability to customize one’s settings saved in a server. Not only did it reduce tampering and distortion, but it meant that one could log into one’s specific settings and files in any of the networked computers in the workplace, giving the convenience and comfort of a known arrangement of files and folders in whichever computer one is using. Crucial information, which should be protected from access by the workers, was stored safely. At the very least, addition of malicious software that corrupted the computers and perhaps the whole network was avoided. It indeed protected the company from the possible turmoil.

To start the process of checking whether what I had in mind would work, I diagnosed the computers for other possible sources of complaints, which included potential viruses that would be deleting documents and changing the passwords that were in question. After the application of an elimination methods to the problem identification, the potential viruses were not present, apart from some programs installed that either had Trojan based “cracks” or invalid digital signatures that could be risky, let alone being illegal. Further research showed that after such instances, there was a probable confrontation that involved two workmates where one had used the computer most recently.

In addition to the personal diagnosis, I asked the employees for feedback on probable causes of data loss. Most of the employees sited sharing of the passwords as the setback that exposed them to either malice or pure coincidence that would lead to the loss of crucial data in the company. Frustrations were expressed on the inability to meet deadlines, not due to the laziness, but due to such catastrophic errors that meant starting the process all over again. Not only the resulting inconveniences were frustrating the customers, but also the customer service personnel reported that the company experienced huge losses in income over time.

The potential sources were narrowed to either innocent errors or malice that existed. It brought about friction in the workplace and was an issue that existed for a while. It was, therefore, important that an improvement in the security of login data was made with a compulsory change of the passwords, which is apart from the Active Directory program that I had in mind. Most relevant to this proposal is the Active Directory service which goals and objectives were quite clear.

Creating a server can be easily done, with the help of a normal computer and even for a very small number of users. Other than that, they offer cost effective means, but that is not an option for the company in this case due to the number of users. Server specific hardware is uniquely suited for the tasks with better orientation to carry out the purpose of the data storage, protection, enhanced reliability due to the heavy-duty parts that are used, larger connectivity to handle large amounts of data, and the ability to create upgrades to suit any expansions that may emerge in the future.

In this case, the company had two overloaded servers that were only used for the purposes of the Internet connections by the users in two locations that they had. Available options of using the existing servers were not feasible due to the state of the servers and the required upgrade to use Exchange 2010. Further need for consultations emerged in order to make a good choice of the servers to be used. Mail support was added to the system and this required a server that would be able to handle the data and give provisions for increase in users, without the need in immediate upgrade. Therefore, it was necessary to overdesign the system to handle more than what there was then.

In my opinion, Microsoft server software proved reliable, and members of the IT department in the company informed me about the problems with Linux-based server software. Another challenge came about in hardware service and parts. Necessary specifications were that one server should have served about 250 employees. I overdesigned it to handle 300 employees with a 2GB mailbox each. The main server handled 500 employees for cost effectiveness working on a 2GB mailbox each and had easy upgrade requirements. In my opinion HP ProLiant DL180 G6 Server was the best solution for both cases.

Under such conditions, the company had better security, improved employee satisfaction and thus improved performance, a mailing system for better communication, fewer customer complaints about the efficiency of the company, a backup system for all the data, and productivity increase making the business an ideal working area with no employee friction. All this was done within an acceptable budget of hardware and software with minimal interruption for implementation.

Review of Other Work

This project required integration of various ideologies that were not fully understood. To ensure that the system designed met the client’s specifications indeed and if possible provide a better performance for the present load and any increase in the future were in mind. The system would not require immediate upgrade if there was an increase in the number of employees. In particular, sizing the system that would handle the load became an issue, as some of the calculators had problems with providing the best specifications for the server, and some problems emerged with under-designing, as mentioned one of the clients in Microsoft TechNet chat room.

I tried “Exchange 2010 Mailbox Server Role Requirements Calculator”, but it doesn’t help in my configuration (SAN LUNs and hardware snapshots). It said I need 8 GB ram.

At the moment, Ex 2007 server has got 12Gb ram for 350 users. When there was 8Gb ram, we had memory issues, UM stopped working.

We will enable UM for all users in Ex 2010. It will increase the use of Exchange server. Also, we will enable Outlook Anywhere (RPC over HTTPS).

I don’t see the accurate sizing tools (Microsoft TechCenter, 2012).

Considerations emerged as a very important factor in various levels of the design process not only for the server, but also for the installation of the Windows Server 2008 Forest (Petri, 2009). This is particularly important when one is creating an Active Directory for the first time in the mentioned server. Forest and domain functional level decisions that determine whether Windows 2000 or 2003 servers can be in the forest singularly or both of them are to be made beforehand. Notably, there were several domain controllers that did not work in the Windows 2008 server (they are not supported), in particular, the controller that runs Microsoft Windows NT server 4.0 server OS. In that case, to support older NT 4.0 servers, it was inevitable that the domain controllers run on Windows 2000/2003. With the option of either a global catalog server or RODC, the first Windows server 2008 DC should have been a global catalog server in a particular forest.

Windows server 2008 harbored many improvements from its predecessors but notably came with a different approach before running DCPROMO. As Lockstep Systems, Inc. (2012) explains, it is imperative that before promoting the server to a domain controller and finally installing active directory, the AD-DS role in the server should be activated. In fact, this is what makes the server a domain controller. Other than that, the DCPROMO will be run the usual way.

In addition to these requirements, it was crucial that the following pre-installation requirements in the computer and the network were to be met. Firstly, the partition that was used in the server should have been formatted to NTFS format. No major things should have been done apart from a simple conversion to NTFS or a check to ensure that it was indeed in the prescribed disc format. Permission in the Administrator username and password was required, as well as free space on the partition (above 250 MB) and an operating system just in case it did not come with the hardware. To ensure that DNS registrations would work well in the future, it was important to use dedicated IP addresses instead of dynamically assigned IP.

In that same line, a DNS server should be active; this could be the domain controller too. In that case, the DC pointed to its IP in the DNS server list to avert any possible hiccups that could emerge. It was recommended that the server should be connected to a network or other computer via crossover cable. If the server was the first DC and no network was available, simply installing Microsoft loopback adapter would finish DCPROMO.exe. It should be noted that indeed DNS configurations should have been done before running DCPROMO or, as Petri (2009) recommends, you can let the DCPROMO wizard make necessary changes and configurations in the DNS. It was also recommended that one should not use domain names that do not have a period (single-label domain names) to prevent name collisions.

The Internet connectivity in this case needed to be restored, and there were various measures or recommendations that were to be followed to ensure that the connection works indeed. A NAT device was recommended and helped connect client computers to the Internet. The NAT “translated private IP addresses to one public one, and allowed connectivity through one ISP-assigned IP address” (Petri, 2009). In essence, it eradicates the problems when the Internet service provider (ISP) gives an IP address to the client. Isolating the clients on the local network is also an alternative in some cases. The server was connected to the NAT and a router. In that case, the local network clients pointed to the DNS server (internal) and not the ISP’s DNS server. This ensured that there was connectivity.

Rationale and Systems Analysis

Understanding the current system was a crucial start point in upgrade and evaluation of whether what was available did not suffice indeed. In that sense, the understanding will shape the decisions made in the project that include, for example, whether the entire system needed to be removed and a brand new one put in place or some adjustments sufficed. From that statement, it indicated two sides of the considerations should have been made. On the one hand, there was the current hardware and software infrastructure that was in place; on the other hand, we have the customer needs and complaints that were related to the system as it was.

After the comparison, the overall needs of the business and professional expertise came in play, and any omitted defaults in the system that may have not been noticed by the client were unearthed to ensure that the suggested or proposed solution would be the best for the business. First, it was necessary to carry out a survey in order to determine which aspects of the current system set up are not to the expectation of the management and the staff in general. The information gathered pointed out that:

· Frequent loss of information could be caused by sharing of information in the computers in the workplace, which have similar passwords apart from the management ones.

· The communication in the company was slow and this was taking a toll on the performance and customers who were slowly moving to the competitors.

· Computers’ disk space was full, had unauthorized software and showed the signs of malware and viruses.

· The current servers used were overloaded and caused some glitches in the network.

· Management did not put in place a backup system for the company and the loss of the late one has shown a need for a backup.

· Network security was not sufficient and it exposed staff to malice that led to friction and frustration among the workers.

Hardware inspection was another aspect of understanding the problem. The networking on the computers was proper and up to the standard, apart from the dedicated servers that they used. The cabling was done on CAT 6, and the router was up to the task in serving the needs of the staff. Recommendations that followed were based on the feedback obtained and the managements’ budget on the matter.

A deeper analysis was done to ascertain the expectations of the management in terms of what software should have been present in the systems and the extent to which the ideas in mind could stretch. Consultations on whether an off-net mailing service for the company would be of help in the communication problem led to the installation of Exchange 2010 as part of the project.

Solutions were diluted to the installation of Active Directory in Windows server 2008 and Exchange 2010 among other software that includes Manage Engine OP manager and backup software and hard drives. Active Directory was a direct solution to the sharing of passwords in the company that puts employees at risk of malicious intents by other employees, as well as vulnerability to loss of the information in some unfortunate events. As a solution, Active Directory facilitated the log-in of members using specific usernames and passwords that would be changed now and then as a default setting in the server, for example, a 30-day password expiry cycle.

Computers in the network operate on Windows 7 ultimate 32-bit. With Microsoft Office Pro installed, Microsoft Outlook is available and can be configured to Microsoft Exchange. Exchange 2010 facilitated the use of Microsoft Outlook for internal communications from one department to another. The flow of information became quicker and improved the performance of the employees due to the infrastructure, as well as motivated the employees.

Backup was a major issue, and the options in the market were diverse. Broad categories of hard drive based backup systems and cloud based emerge. A business is usually affected adversely by the downtime it has, since this constitutes the productive time that is has. Therefore, the selection made should consider the efficiency, as well as the reduction of the total downtime that will be experienced in the eventual case that the system is affected. In that case, the users’ files and details were backed up in the server, and the server got a backup of everything ensuring that the information is secure indeed.

Goals and Objectives

The project needed to set several measurable and non-measurable expectations by the end of the completion of the project and beyond. Some of the compiled goals and objectives are as follows:

· Enable easier communication by the offline mail support.

· Reduce loss of information via the shared passwords.

· Ensure back-up of information for the emergency cases.

· Commission two servers for domain controller.

· Reduce malware and viruses in the system installed by the workers.

· Establish tools which report on the system usage and users in general (Manage engine OP manager).

· Upgrade the existing network hardware to support Active Directory and Exchange 2010.

· Set up remote access capability for the mangers and mobile personnel.

· Ensure that the relevant personnel are trained in using the system.

· Come up with a system that is cost-effective to remove budgetary constraints.

· Improve worker performance by installing a system that will ease communication and provide faster customer service.

· Eradicate friction between employees that emerges from loss blame games.

· Ensure proper user and information security by the individual password protection (password content and expiry).

· Publish a new security and group policy to inform the users of the expectations in the new system.

This project facilitated effective and reliable communication between all the workers within the company. The offline mail system was set up using Exchange 2010 and a mail server, which enabled the local users in the company to connect to the mail server from their workstations. The Microsoft Outlook application came in handy by letting workers exchange emails among themselves and with other company stakeholders. In addition to enabling offline email support, Microsoft Outlook, which came as part of the Microsoft Office Suite, also included such functions as contact manager, task manager, calendar, note taking and a journal. These features enhanced easier communication for multiple users within the organization. Additionally, the email system improved the features for group conversations of different users within the company.

The Active Directory reduced the frequent loss of information that comes about through the malice or accident when one user shared his/her personal password with another user to let him/her access work-related or other information or files from their computers. This problem was eliminated by letting a user log into any computer within the workplace and access his/her files, folders and emails just as the worker is using his/her computer. The Active Directory in the Windows Server automatically downloaded the full profile of a roaming user from the server once he/she logged into the domain through any of the local computers in the workplace. As soon as the user logged off from the system, all changes made to the user’s profile were saved in the domain controller and backed up in the server. This means that there was no longer need to share passwords. At the same time, a user only accessed and/or altered his/her individual profiles on the domain and the server without interfering with the profile of any other user.

This project put in place a fully functional active domain and email system complete with hardware and software for backup of information for future reference and emergency cases, such as massive loss of the data. All crucial data from all the users on all domains was stored in the servers. This way, the data of every user was safely stored in the hard drives of the server. Thus, in the event that any of the hard drives in the local computers crushes, all data belonging to the affected user including their files, folders and emails remains intact, as they will be stored in their profile in the server. It was also pertinent to ensure that all the data stored in the server is backed up in case the server also crushes. To mitigate a catastrophe of this kind, all the information in the server was periodically backed up in offsite hard drives. This will facilitate fast and effective retrieval of the information in case of a massive loss of the data in the company.

Given that the company had two branches, it was feasible to commission two servers to control the domains in each of the branches. The main server at the company’s headquarters was designed to handle 500 users. This was not only cost-effective, but it facilitates easy upgrade. This is because each of the projected 500 users would be allocated a 2GB mailbox, meaning that the server could effectively accommodate more users, as most of them would only be using about 1GB of memory each.

The second server was designed to handle 300 users, each with a 2GB mailbox. These servers played the role of responding to security authentication requests from all the users. Therefore, it was possible to control the domains by granting access to the various computer resources with the use of the unique username and password for every user. It is important to note that every server was configured to play the roles of a domain controller through installation of AD-DS. By doing so, it was be possible to create appropriate forests, domains and additional domain controllers within the existing domains.

The Active Directory in this project granted access to the computer resources and privileges that are specific to their job descriptions and authority ranks within the company. This move was aimed at controlling malware and viruses in the system by granting administrator permissions to the specific individuals with authority over all the users in each domain. Only the administrators have the privilege to install, update or uninstall software into the system. The employees are required to work within the limited permissions. Should any employee need to execute a function that is not permitted under their user profile, they have to seek the intervention of the domain administrators who are in turn have to execute the task on their behalf. A user are only able to access their profiles from the server through the unique username and password that do only allow them to access stipulated resources as determined by the domain controller. This move eliminated the problems of viruses, worms, Trojan horses, spyware and rogue security software.

In order to track activities of all the employees on their computers, it is appropriate to integrate a reporting tool through which supervisors and managers at various levels are able to obtain comprehensive reports on the system usage and activities carried out by the individual users. The Manage Engine OP Manager application is used to fulfill this objective. This made it possible to determine the number of working hours that are lost through inappropriate computer and Internet usage. The reporting tool also helps keep track of who accesses the system, when they access it, and what changes they make into the system by keeping a log of all the users and their activities, including both authorized and unauthorized activities. Additionally, the Manage Engine OP Manager is useful in tracking system errors such as leak of information and devouring of important data by insidious software.

The current system requirements are not capable of supporting the recent versions of Active Directory and Exchange 2010. For that reason, it is necessary to upgrade the network hardware to handle these recent applications for not only efficiency and effectiveness in the computer usage and communication by workers, but also for increased system security. The circuit boards form the main hardware components of a computer network. Upgrading the current hardware will be in keeping with Moore’s Law, which states that “the number of transistors that can be placed inexpensively on an integrated circuit has doubled approximately every two years”. Simultaneous upgrading of the software by installing the named versions of Active Directory and Exchange 2010 will result in improved performance in processing data and transferring information.

The installed system allows secure remote access by managers and personnel who are working on locations away from the site. While remote access to a company’s internal system exposes the company to the unauthorized access and manipulation of the company’s data, the system is designed with a feature that allows secure connection for offsite personnel. To prevent unwarranted activities on the company’s Active Directory and email system, the system was designed in a manner that nullifies unauthorized offsite access. The concerned employees would be required to access the system only when it is necessary. Their activities were recorded and tracked to ensure that they did not engage in unauthorized activities.

The new system is effective in avoiding undesirable conflicts and friction among the employees. With the previous system, employees found themselves in a fix, as they had to share their passwords in order to allow their workmates to use their computers for various reasons. This occasionally resulted in distortion or loss of the important data from the shared computer because all the information was stored in the hard drives. The aftermath of such interference was friction between the concerned workers, as they blamed each other for the loss. With the Active Directory in the new installed system, users no longer need to share passwords, as every user is able to log into his/her profile and access all his/her data from the server without interfering with the data of another user.

The new system came with the feature of improved security to protect company and individual data. Specifically, every employee was allocated a user name in the domain and was required to develop a unique password for himself/herself. The system was designed so that the password requirements should include letters and at least one number and one symbol; thus, no one can guess the password of another user. The passwords expired every month, meaning that the system also required users to change their passwords on a monthly basis. This made the passwords more secure and banned unauthorized persons from accessing, altering or manipulating company and individual information.

The project also included rigorous training of employees to make them conversant with the new system. This helps fill in any existing knowledge gaps as far as the use of the system was concerned. Proper knowledge of how the new system works through comprehensive training leads to improved performance and productivity among the employees due to the better working computers and communication system. The employees underwent training on how to accomplish their tasks and communicate using the new improved system. Conversely, the management needed training in accessing the reports from the server and understanding what they mean so that they can act on them.

It was necessary to formulate a comprehensive user policy for all the employees and managers who used the system. This ensured that all the users only execute authorized tasks using their workplace computers. Access to the particular computer resources, networks and information was governed by the security policy that accorded both individual and group permissions and privileges to appropriate personnel within the corporation. Any violation of the policy should have been dealt with through the implementation of appropriate disciplinary measures as stipulated in the policy. The new security policy should have been based on a revision of the existing policy with appropriate amendments and additions to suit the security needs of the new system.

Cost-effectiveness was important for all the project management professionals and their clients. As such, the final goal in this project was to fully implement and conclude the project within the established budget. Cost-effectiveness was emphasized throughout the planning and implementation phases of this project while at the same time the attention was paid to quality and efficiency. While the company allocated an upper-range budget for this project, the objective was to come up with a system that met and even exceeded all their short-term and long-term requirements in the most cost-effective manner possible. All the stakeholders would be certainly pleased with an excellent project that met their budgetary expectations.

Project timeline

The project was broken down into distinctive part that was majorly characterized by the uniquely different tasks. In the order of the tasks, an overall logical sequence was used to ensure that a task that should be completed before another one was always carried out in that respect. Overall activities were in planning, purchase, pre-installation preparation, installation and verification, testing and training. For this project, the schedule was not interrupted but took longer than the expected finish date due to the request by the management to extend the training period.

The first step of the project entailed going through the scope of the project to ensure that everything was set for the big changes. In the last briefing with the management, my last concern was with any arising costs that may emerge as a result of the ongoing process. Since I was within the range of the budget, the management assured me of the resources to cater for any unforeseen expenditure. The team was also briefed on the process and small teams were created to facilitate quick and efficient installation. The second step was just making the order for the required equipment and the delivery was made within the same day after 3 hours. This was due to the already established relationship with the supplier who operated just within the vicinity of the area. The third step therefore took an early start to ensure that everything was okay and ready for the process.

The third task was by far the most complicated as it required check of all the current computers. In the teams that were divided, while some were cross checking the hardware that had arrived, others started on inspection for failure or unreliable hardware as well as checking for malware and removing the unauthorized software. In some cases, the computers had to be formatted completely as some of the hardware that was not up to the task was noted and reordered. At some point, a proper definition of what should have been replaced since there were limited resources, was to be stretched. With that clear, the process was carried out with the extra day into its 8day allocation. In the checking again, the teams were divided into software checking and hardware checking. Software checking took more time and warranted intervention from the hardware team to meet the expected finish date.

The next two activities took place concurrently at some point before merging to utilize only one day of the two cumulative that were allocated. The activities included Domain mapping and network evaluation as well as Active Directory activation on the server. At this juncture, the teams were split into two sites so as to facilitate configuration of the users which was to be done at the site. Both teams performed the tasks within the period, with the branch taking less time since the allocations to the main were more cumbersome. The installation of the Exchange server 2010 therefore started earlier for one site, but the other members stepped up and finished a few hours before the deadline. Testing of the system was done flawlessly with minor glitches in the main since there was need to incorporate communications from the branch. The activity was finished earlier than expected and the backup systems were installed.

Installation of the management software was done and time was saved in training the IT personnel who developed interest within the installation period and has learned most of the tasks during the installation. Management was concerned on the period of training for the employees and requested to divide the training session into two. First, a minor session for everyone after which the system will be commissioned. After the commissioning, further training was to be done to ensure that most of the staff was able to perform their tasks. The first phase of the training took a day within which the system was commissioned at the close of the day to save on time. By that time there were six days in the project period, which upon consultation would be extended on a need basis and evaluation after the precise expected completion date. Two more days were added to the training, which now entailed personal coaching upon request by the staff.

Project development

The project mostly went according to the plan with minor variations like the requirement of added resources in case some of the hardware was not fit for the use. The anticipated purchase was shared with the management and approval was made up to the maximum budget of the project, which had not been reached even with previous purchases. Though the figure was significant, the mere replacement of the hardware was not to be done but instead that hardware had to be thoroughly evaluated and deemed incapacitated, the most acceptable replacement was cabling and RJ45 clips.

The discussion of the scope also brought in thoughts regarding the time used for training of the staff. After the installation of the system was appreciated, the management feared slow performance or frustration of the employees and they clearly realized the level of investment they were making. This was however, a fear, as most of the employees were very excited about the system and as such showed understanding and eagerness to learn. There were no major issues in understanding the operation of the system since it was demonstrated on projector for all the employees. Confidence on the system was evident in the first two days of the use with major chitchat and excitement. As management put it, the reception of the system and the presentation of what one should do is the best.

Overdesigning of the system requirements helped greatly as the speeds in the system surprised the staff and the management who were even happier upon the explanation of the true nature of the system. With the chief IT personnel for the company expressing confidence in the system and affirming the reception of the employees, the other glitches encountered during the process were tackled expeditiously and even to my surprise, the capability of the teams to handle some of the tasks was amazing. I also learned from the communication and skills of the IT personnel especially in troubleshooting problems. There was no doubt that maintaining the system would not be a problem for them.

After deployment, the backup system had developed a problem which was noticed when the IT personnel were trying to recover data from the back up as a test. Apparently, the rate of the back up had been left on default setting and therefore did not provide solutions for some cases. Upon calculation of rate of data entry into the system, hourly back up was set and the employees were simply astonished by the level of security that had been deployed. Generally, the employees were intrigued and the follow up call made to the management a month after the full system deployment inclusive of training described the project as the best decision they made and had high expectations from the employees, which they indicated seemed to be working out all by itself.

Appendix 1: Competency Matrix