hcmc.vn – Linux Environment vnsc.vn – Windows Environment INTERNET 210.103.5.0/26 dns.hcmc.vn 192.168.1.2/24 DNS · Web · FTP · CA srv.hcmc.vn 192.168.1.1/24 LDAP · RADIUS · Cacti · Mail client.hcmc.vn DHCP: 192.168.1.100 LDAP Client · Firefox · TBird fw01.hcmc.vn 192.168.1.254/24 210.103.5.1/26 Routing · NAT · VPN · DHCP nftables · StrongSwan DC.vnsc.vn 172.16.1.1/24 AD DS · DNS · GPO · CA ADFS · RDS · File Server worker.vnsc.vn DHCP: 172.16.2.100 Win11 · Domain · TBird fw02.vnsc.vn 172.16.1.254/24 172.16.2.254/24 210.103.5.2/26 RRAS · DHCP · IKEv2 IKEv2 S2S VPN Linux Network Windows Network VPN Tunnel DHCP Client

Bảng cấu hình máy chủ

FQDNIP AddressDịch vụOS
fw01.hcmc.vn192.168.1.254/24
210.103.5.1/26
Routing, NAT, VPN, DHCPDebian 12.13 CUI
srv.hcmc.vn192.168.1.1/24OpenLDAP, FreeRADIUS, SNMP, Cacti, MailDebian 12.13 CUI
dns.hcmc.vn192.168.1.2/24DNS, WEB, FTP, CADebian 12.13 CUI
client.hcmc.vnDHCP (192.168.1.100)LDAP Client, Browser, MailDebian 12.13 GUI
fw02.vnsc.vn172.16.1.254/24
172.16.2.254/24
210.103.5.2/26
RRAS, DHCP, VPNWin Server 2022 CUI
DC.vnsc.vn172.16.1.1/24AD, DNS, GPO, CA, ADFS, RDS, FSWin Server 2022 GUI
worker.vnsc.vnDHCP (172.16.2.100)Domain ClientWindows 11 GUI

Bảng Networks

NetworkCIDRDomain
hcmc.vn Internal192.168.1.0/24hcmc.vn
vnsc.vn Internal172.16.1.0/24
172.16.2.0/24
vnsc.vn
Public Internet210.103.5.0/26
Remote Access VPN Pool192.168.3.0/24
LoạiUsernamePasswordGhi chú
Linux rootrootQthtm!2026Tất cả Linux servers
Linux useruserQthtm!2026
Windows AdminAdministratorQthtm!2026Fallback: P@ssw0rd
LDAP UserjamesQthtm!2026james@hcmc.vn
LDAP UserdonaldQthtm!2026donald@hcmc.vn
Cacti AdminadminQthtm!2026monitor.hcmc.vn/monitor
RADIUS Shared SecretQthtm!2026fw01 ↔ FreeRADIUS
⚠ Lưu ýNếu Group Policy chặn password trên Windows, dùng P@ssw0rd thay cho Qthtm!2026
0 · Cấu hình ban đầu – Hostname & Network
1

Đặt hostname và cấu hình mạng

# terminal
hostnamectl set-hostname fw01.hcmc.vn
/etc/network/interfaces
# Interface nội bộ
auto eth0
iface eth0 inet static
  address 192.168.1.254
  netmask 255.255.255.0

# Interface public (internet)
auto eth1
iface eth1 inet static
  address 210.103.5.1
  netmask 255.255.255.192
  gateway 210.103.5.62
# apply
systemctl restart networking
1 · Routing – IP Forwarding & Static Routes
1

Bật IP forwarding vĩnh viễn

/etc/sysctl.d/99-routing.conf
net.ipv4.ip_forward = 1
# apply
sysctl -p /etc/sysctl.d/99-routing.conf
2

Cấu hình static routes đến mạng vnsc.vn (172.16.0.0/16 qua tunnel)

/etc/network/interfaces – thêm vào eth0
# Static route đến vnsc.vn (qua VPN tunnel – sẽ active sau khi VPN lên)
up ip route add 172.16.1.0/24 via 210.103.5.2 dev eth1
up ip route add 172.16.2.0/24 via 210.103.5.2 dev eth1
2 · NAT – nftables (PAT · Port-Forward · Static NAT · Firewall · Logging)
1

Cài đặt nftables

# install
apt install nftables -y
systemctl enable --now nftables
2

Tạo ruleset hoàn chỉnh cho nftables

/etc/nftables.conf
#!/usr/sbin/nft -f
# fw01.hcmc.vn – nftables ruleset
# Variables: ETH_IN=eth0(192.168.1.0/24) ETH_OUT=eth1(public)

flush ruleset

define ETH_IN  = eth0
define ETH_OUT = eth1
define NET_HCMC   = 192.168.1.0/24
define IP_DNS     = 192.168.1.2
define IP_SRV     = 192.168.1.1
define IP_FW01_PUB = 210.103.5.1
define IP_FW02_PUB = 210.103.5.2

table inet filter {

  chain input {
    type filter hook input priority 0; policy drop;

    # Allow established/related
    ct state established,related accept comment "Allow established"

    # Allow loopback
    iifname lo accept

    # Allow ICMP
    ip protocol icmp accept comment "Allow ICMP"

    # Allow DHCP (DNS server sẽ update DDNS)
    iifname $ETH_IN udp dport 67 accept comment "DHCP server"

    # Allow SSH từ nội bộ
    iifname $ETH_IN tcp dport 22 accept comment "SSH internal"

    # Allow IKEv2 VPN
    udp dport {500, 4500} accept comment "IKEv2 VPN"

    # Từ dns.hcmc.vn – chỉ traffic cần thiết cho DNS
    ip saddr $IP_DNS udp dport 53 accept
    ip saddr $IP_DNS tcp dport 53 accept

    # Drop + log tất cả còn lại
    log prefix "[FW01-DROP-IN] " drop comment "Log dropped inbound"
  }

  chain forward {
    type filter hook forward priority 0; policy drop;

    ct state established,related accept
    ip protocol icmp accept

    # hcmc.vn -> internet
    iifname $ETH_IN oifname $ETH_OUT ip saddr $NET_HCMC accept comment "LAN to WAN"

    # DNS traffic từ internet vào dns.hcmc.vn
    iifname $ETH_OUT oifname $ETH_IN ip daddr $IP_DNS tcp dport 53 accept
    iifname $ETH_OUT oifname $ETH_IN ip daddr $IP_DNS udp dport 53 accept

    # Port forwarding: HTTPS -> dns.hcmc.vn (web)
    iifname $ETH_OUT oifname $ETH_IN ip daddr $IP_DNS tcp dport 443 accept
    # Port forwarding: FTP -> dns.hcmc.vn
    iifname $ETH_OUT oifname $ETH_IN ip daddr $IP_DNS tcp dport {20,21} accept
    # Port forwarding: Mail (SMTPS/IMAPS) -> srv.hcmc.vn
    iifname $ETH_OUT oifname $ETH_IN ip daddr $IP_SRV tcp dport {465,993} accept

    # VPN traffic (Site-to-Site)
    iifname $ETH_OUT ip saddr $IP_FW02_PUB accept comment "S2S VPN peer"

    log prefix "[FW01-DROP-FWD] " drop comment "Log dropped forward"
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}

table ip nat {

  chain prerouting {
    type nat hook prerouting priority -100;

    # Port Forwarding: DNS từ public về dns.hcmc.vn
    iifname $ETH_OUT udp dport 53 dnat to $IP_DNS:53 comment "DNAT DNS UDP"
    iifname $ETH_OUT tcp dport 53 dnat to $IP_DNS:53 comment "DNAT DNS TCP"

    # Port Forwarding: HTTPS -> web.hcmc.vn (dns server)
    iifname $ETH_OUT tcp dport 443 dnat to $IP_DNS:443 comment "DNAT HTTPS"

    # Port Forwarding: FTP -> dns.hcmc.vn
    iifname $ETH_OUT tcp dport 21 dnat to $IP_DNS:21 comment "DNAT FTP"

    # Port Forwarding: Mail
    iifname $ETH_OUT tcp dport 465 dnat to $IP_SRV:465 comment "DNAT SMTPS"
    iifname $ETH_OUT tcp dport 993 dnat to $IP_SRV:993 comment "DNAT IMAPS"
  }

  chain postrouting {
    type nat hook postrouting priority 100;

    # PAT: toàn bộ hcmc.vn ra internet
    ip saddr $NET_HCMC oifname $ETH_OUT masquerade comment "PAT LAN"

    # Static NAT: fw01 -> public IP cố định
    ip saddr 192.168.1.254 oifname $ETH_OUT snat to $IP_FW01_PUB comment "Static NAT fw01"
  }
}
3

Apply ruleset và kiểm tra

# apply & verify
nft -f /etc/nftables.conf
nft list ruleset
systemctl restart nftables
3 · DHCP Server – isc-dhcp-server (với DDNS)
1

Cài đặt DHCP server

# install
apt install isc-dhcp-server -y
2

Cấu hình interface cho DHCP

/etc/default/isc-dhcp-server
INTERFACESv4="eth0"
3

Tạo TSIG key cho DDNS (dùng chung với BIND)

# tạo TSIG key
tsig-keygen -a hmac-sha256 ddns-key > /etc/dhcp/ddns-key.conf
cat /etc/dhcp/ddns-key.conf  # copy key để dùng trong BIND
4

Cấu hình /etc/dhcp/dhcpd.conf

/etc/dhcp/dhcpd.conf
# TSIG key (giống key trong BIND)
include "/etc/dhcp/ddns-key.conf";

# DDNS settings
ddns-updates on;
ddns-update-style interim;
update-static-leases on;
ignore client-updates;

zone hcmc.vn. {
  primary 192.168.1.2;
  key ddns-key;
}
zone 1.168.192.in-addr.arpa. {
  primary 192.168.1.2;
  key ddns-key;
}

# Global options
authoritative;
default-lease-time 86400;
max-lease-time 172800;

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.50 192.168.1.150;
  option domain-name "hcmc.vn";
  option domain-name-servers 192.168.1.2;
  option routers 192.168.1.254;
  option broadcast-address 192.168.1.255;

  # Static reservation cho client.hcmc.vn
  host client.hcmc.vn {
    hardware ethernet AA:BB:CC:DD:EE:FF;  # thay MAC thực tế
    fixed-address 192.168.1.100;
    option host-name "client";
  }
}

⚠ Thay AA:BB:CC:DD:EE:FF bằng MAC thực tế của client: ip link show trên máy client

5

Khởi động dịch vụ

# enable & start
systemctl enable --now isc-dhcp-server
systemctl status isc-dhcp-server
4 · Site-to-Site VPN – IKEv2 (StrongSwan)
📋 Điều kiện tiên quyếtCertificate từ HCMC-CA phải được tạo trên dns.hcmc.vn trước. Copy cert về /etc/ipsec.d/
1

Cài đặt StrongSwan

# install
apt install strongswan strongswan-pki libcharon-extra-plugins -y
2

Copy certificates từ CA

# cấu trúc thư mục cert
# Từ dns.hcmc.vn copy về:
scp root@192.168.1.2:/etc/ssl/CA/Root-CA.crt /etc/ipsec.d/cacerts/
scp root@192.168.1.2:/etc/ssl/certs/fw01.hcmc.vn.crt /etc/ipsec.d/certs/
scp root@192.168.1.2:/etc/ssl/private/fw01.hcmc.vn.key /etc/ipsec.d/private/
3

Cấu hình /etc/ipsec.conf

/etc/ipsec.conf
config setup
  charondebug="ike 1, knl 1, cfg 1"

# Site-to-Site VPN đến fw02.vnsc.vn
conn hcmc-to-vnsc
  keyexchange=ikev2
  left=210.103.5.1
  leftid=fw01.hcmc.vn
  leftcert=fw01.hcmc.vn.crt
  leftsubnet=192.168.1.0/24
  right=210.103.5.2
  rightid=fw02.vnsc.vn
  rightsubnet=172.16.1.0/24,172.16.2.0/24
  ike=aes256-sha256-modp2048!
  esp=aes256-sha256!
  auto=start
  dpdaction=restart
  authby=rsasig

# Remote Access VPN (IKEv2 + EAP)
conn vpn-remote-access
  keyexchange=ikev2
  left=210.103.5.1
  leftid=vpn.hcmc.vn
  leftcert=vpn.hcmc.vn.crt
  leftsubnet=192.168.1.0/24,172.16.1.0/24,172.16.2.0/24
  leftsendcert=always
  right=%any
  rightsendcert=never
  rightauth=eap-radius
  rightsourceip=192.168.3.0/24
  eap_identity=%any
  auto=add
4

Cấu hình /etc/ipsec.secrets

/etc/ipsec.secrets
: RSA fw01.hcmc.vn.key
: RSA vpn.hcmc.vn.key
5

Cấu hình RADIUS cho EAP (Remote Access VPN)

/etc/strongswan.d/charon/eap-radius.conf
eap-radius {
  servers {
    hcmc-radius {
      address = 192.168.1.1
      secret = Qthtm!2026
    }
  }
}
6

Khởi động IPsec

# start
systemctl enable --now strongswan-starter
ipsec up hcmc-to-vnsc
ipsec statusall
1 · OpenLDAP Server
1

Cài đặt OpenLDAP

# install
apt install slapd ldap-utils -y
# Trong quá trình cài sẽ hỏi admin password: Qthtm!2026
dpkg-reconfigure slapd
# DNS domain: hcmc.vn | Organization: HCMC | Password: Qthtm!2026
# Backend: MDB | Remove db on purge: No | Move old db: Yes
2

Tắt anonymous access và tắt plaintext (enforce TLS)

disable-anon.ldif
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc
# apply
ldapmodify -Y EXTERNAL -H ldapi:/// -f disable-anon.ldif
3

Tạo OUs và Users (james, donald)

base.ldif
# OU People
dn: ou=people,dc=hcmc,dc=vn
objectClass: organizationalUnit
ou: people

# OU Groups
dn: ou=groups,dc=hcmc,dc=vn
objectClass: organizationalUnit
ou: groups
users.ldif
# User james
dn: uid=james,ou=people,dc=hcmc,dc=vn
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: james
cn: James
sn: James
mail: james@hcmc.vn
uidNumber: 2001
gidNumber: 2001
homeDirectory: /home/james
loginShell: /bin/bash
userPassword: {SSHA}<hash>

# User donald
dn: uid=donald,ou=people,dc=hcmc,dc=vn
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: donald
cn: Donald
sn: Donald
mail: donald@hcmc.vn
uidNumber: 2002
gidNumber: 2002
homeDirectory: /home/donald
loginShell: /bin/bash
userPassword: {SSHA}<hash>
# Tạo hash password và add user
# Tạo SSHA hash cho password
slappasswd -s Qthtm!2026
# Copy hash vào users.ldif thay cho <hash>

ldapadd -x -D "cn=admin,dc=hcmc,dc=vn" -W -f base.ldif
ldapadd -x -D "cn=admin,dc=hcmc,dc=vn" -W -f users.ldif

# Kiểm tra
ldapsearch -x -D "cn=admin,dc=hcmc,dc=vn" -W -b "dc=hcmc,dc=vn" "(objectClass=person)"
2 · FreeRADIUS (LDAP Backend)
1

Cài đặt FreeRADIUS với LDAP module

# install
apt install freeradius freeradius-ldap -y
2

Cấu hình LDAP module

/etc/freeradius/3.0/mods-available/ldap
ldap {
  server = "ldap://127.0.0.1"
  identity = "cn=admin,dc=hcmc,dc=vn"
  password = Qthtm!2026
  base_dn = "ou=people,dc=hcmc,dc=vn"
  user {
    base_dn = "${..base_dn}"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
  }
  group {
    base_dn = "ou=groups,dc=hcmc,dc=vn"
    filter = "(objectClass=posixGroup)"
  }
}
3

Enable LDAP module và cấu hình client (fw01)

# enable module
ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/
/etc/freeradius/3.0/clients.conf – thêm vào cuối
client fw01.hcmc.vn {
  ipaddr = 192.168.1.254
  secret = Qthtm!2026
  shortname = fw01
}
4

Cấu hình inner-tunnel cho EAP-MSCHAPv2

/etc/freeradius/3.0/sites-available/inner-tunnel – thêm ldap vào authorize
# Trong section authorize {}, thêm ldap sau expiration:
ldap
if (ok || updated) {
  update control {
    Auth-Type := LDAP
  }
}
# restart & test
systemctl enable --now freeradius
# Test mode để debug
freeradius -X
3 · SNMP Agent
1
# install & config
apt install snmpd -y

# Sửa /etc/snmp/snmpd.conf
sed -i 's/^agentaddress.*/agentaddress udp:161/' /etc/snmp/snmpd.conf

# Thêm community public
echo 'rocommunity public 192.168.1.0/24' >> /etc/snmp/snmpd.conf

systemctl enable --now snmpd
snmpwalk -v2c -c public localhost system
4 · Cacti Monitoring
1

Cài đặt dependencies và Cacti

# install stack
apt install apache2 mariadb-server php php-mysql php-snmp \
  php-xml php-mbstring php-json php-gd rrdtool snmp \
  cacti cacti-spine -y
# Trong quá trình cài Cacti: chọn apache2, yes cấu hình DB
2

Cấu hình Apache alias /monitor

/etc/apache2/conf-available/cacti.conf
Alias /monitor /usr/share/cacti/site
<Directory /usr/share/cacti/site>
    Options +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
# enable & restart
a2enconf cacti
systemctl restart apache2
3

Cấu hình DNS cho Cacti: thêm CNAME monitor.hcmc.vn → srv.hcmc.vn trên dns server

📋 Sau khi cài xongVào http://monitor.hcmc.vn/monitor → Login admin / Qthtm!2026 → Console → Devices → thêm srv và DC → tạo graph Network Traffic → Build Tree by Host
5 · Email – Postfix (SMTPS) + Dovecot (IMAPS)
1

Cài đặt Postfix và Dovecot

# install
apt install postfix dovecot-core dovecot-imapd postfix-ldap -y
# Postfix config type: Internet Site | Domain: hcmc.vn
2

Cấu hình Postfix SMTPS

/etc/postfix/main.cf – các dòng quan trọng
myhostname = srv.hcmc.vn
mydomain = hcmc.vn
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, $mydomain
mynetworks = 192.168.1.0/24 127.0.0.0/8

# TLS
smtpd_tls_cert_file = /etc/ssl/certs/srv.hcmc.vn.crt
smtpd_tls_key_file = /etc/ssl/private/srv.hcmc.vn.key
smtpd_tls_CAfile = /etc/ssl/CA/Root-CA.crt
smtpd_use_tls = yes
smtpd_tls_security_level = may

# LDAP lookup
virtual_mailbox_domains = hcmc.vn
virtual_transport = lmtp:unix:private/dovecot-lmtp
/etc/postfix/master.cf – enable smtps port 465
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
3

Cấu hình Dovecot IMAPS

/etc/dovecot/conf.d/10-ssl.conf
ssl = required
ssl_cert = </etc/ssl/certs/srv.hcmc.vn.crt
ssl_key = </etc/ssl/private/srv.hcmc.vn.key
ssl_ca = </etc/ssl/CA/Root-CA.crt
/etc/dovecot/conf.d/10-auth.conf – LDAP auth
disable_plaintext_auth = yes
auth_mechanisms = plain login
!include auth-ldap.conf.ext
/etc/dovecot/dovecot-ldap.conf.ext
hosts = 127.0.0.1
dn = cn=admin,dc=hcmc,dc=vn
dnpass = Qthtm!2026
base = ou=people,dc=hcmc,dc=vn
user_filter = (&(objectClass=inetOrgPerson)(uid=%u))
pass_filter = (&(objectClass=inetOrgPerson)(uid=%u))
# enable & start
systemctl enable --now postfix dovecot
1 · Root Certificate Authority (OpenSSL) – LÀM TRƯỚC TIÊN
⚠ Thứ tự quan trọngTạo CA trước, sau đó ký cert cho tất cả servers, rồi mới cấu hình các dịch vụ TLS
1

Khởi tạo CA directory structure

# tạo CA structure
mkdir -p /etc/ssl/CA/{certs,crl,newcerts,private,requests}
chmod 700 /etc/ssl/CA/private
echo "1000" > /etc/ssl/CA/serial
echo "1000" > /etc/ssl/CA/crlnumber
touch /etc/ssl/CA/index.txt
2

Cấu hình openssl.cnf cho CA

/etc/ssl/CA/openssl.cnf
[ ca ]
default_ca = CA_default

[ CA_default ]
dir               = /etc/ssl/CA
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
crlnumber         = $dir/crlnumber
private_key       = $dir/private/Root-CA.key
certificate       = $dir/Root-CA.crt
crl               = $dir/crl/Root-CA.crl
default_md        = sha256
default_days      = 3650
default_crl_days  = 365
preserve          = no
policy            = policy_loose
x509_extensions   = usr_cert

[ policy_loose ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits        = 2048
default_md          = sha256
distinguished_name  = req_distinguished_name
x509_extensions     = v3_ca

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = VN
organizationName                = Organization Name
organizationName_default        = HCMC
commonName                      = Common Name

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, cRLSign, keyCertSign
crlDistributionPoints  = URI:http://ca.hcmc.vn/Root-CA.crl
authorityInfoAccess    = caIssuers;URI:http://ca.hcmc.vn/Root-CA.crt

[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
crlDistributionPoints  = URI:http://ca.hcmc.vn/Root-CA.crl
authorityInfoAccess    = caIssuers;URI:http://ca.hcmc.vn/Root-CA.crt
3

Tạo Root CA key và self-signed certificate

# tạo CA
# Tạo private key
openssl genrsa -out /etc/ssl/CA/private/Root-CA.key 4096
chmod 400 /etc/ssl/CA/private/Root-CA.key

# Tạo self-signed cert (Subject: C=VN, O=HCMC, CN=Root-CA)
openssl req -config /etc/ssl/CA/openssl.cnf \
  -key /etc/ssl/CA/private/Root-CA.key \
  -new -x509 -days 3650 -extensions v3_ca \
  -out /etc/ssl/CA/Root-CA.crt \
  -subj "/C=VN/O=HCMC/CN=Root-CA"

# Kiểm tra
openssl x509 -noout -text -in /etc/ssl/CA/Root-CA.crt | grep -E "Subject:|Issuer:|CRL|AIA"
4

Script ký cert cho tất cả servers (dùng lại cho mỗi server)

# ký cert – thay FQDN tương ứng
FQDN="fw01.hcmc.vn"   # thay: srv.hcmc.vn | dns.hcmc.vn | vpn.hcmc.vn | ...

openssl genrsa -out /etc/ssl/CA/private/${FQDN}.key 2048
openssl req -new -key /etc/ssl/CA/private/${FQDN}.key \
  -out /etc/ssl/CA/requests/${FQDN}.csr \
  -subj "/C=VN/O=HCMC/CN=${FQDN}" \
  -addext "subjectAltName=DNS:${FQDN}"
openssl ca -config /etc/ssl/CA/openssl.cnf \
  -in /etc/ssl/CA/requests/${FQDN}.csr \
  -out /etc/ssl/CA/certs/${FQDN}.crt \
  -days 825 -batch

Ký cert cho: fw01.hcmc.vn, vpn.hcmc.vn, srv.hcmc.vn, dns.hcmc.vn, fw02.vnsc.vn, DC.vnsc.vn

5

Publish CRT và CRL qua HTTP (Apache)

# setup web cho CA files
mkdir -p /var/www/html/ca
cp /etc/ssl/CA/Root-CA.crt /var/www/html/ca/
# Tạo CRL lần đầu
openssl ca -config /etc/ssl/CA/openssl.cnf -gencrl -out /etc/ssl/CA/crl/Root-CA.crl
cp /etc/ssl/CA/crl/Root-CA.crl /var/www/html/ca/
2 · BIND9 DNS Server
1

Cài đặt BIND9

# install
apt install bind9 bind9utils bind9-doc -y
2

Cấu hình named.conf.options (forwarder đến DC.vnsc.vn)

/etc/bind/named.conf.options
# TSIG key cho DDNS (giống key trên fw01)
include "/etc/bind/ddns-key.conf";

options {
  directory "/var/cache/bind";
  recursion yes;
  allow-recursion { 192.168.1.0/24; 127.0.0.1; };
  dnssec-validation no;   # disabled vì lab
  listen-on { 192.168.1.2; 127.0.0.1; };
  forwarders { 172.16.1.1; };  # DC.vnsc.vn
  forward only;
};
3

Cấu hình view nội bộ và zones

/etc/bind/named.conf.local
# TSIG key
include "/etc/bind/ddns-key.conf";

view "internal" {
  match-clients { 192.168.1.0/24; 127.0.0.1; };

  zone "hcmc.vn" {
    type master;
    file "/etc/bind/zones/db.hcmc.vn";
    allow-update { key ddns-key; };
  };

  zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.192.168.1";
    allow-update { key ddns-key; };
  };
};
4

Tạo zone file hcmc.vn

/etc/bind/zones/db.hcmc.vn
$TTL 86400
@   IN SOA  dns.hcmc.vn. admin.hcmc.vn. (
            2026033001 ; Serial
            3600       ; Refresh
            1800       ; Retry
            604800     ; Expire
            86400 )    ; Minimum TTL
# NS
@           IN NS   dns.hcmc.vn.
# A Records
srv         IN A    192.168.1.1
dns         IN A    192.168.1.2
fw01        IN A    192.168.1.254
# CNAME
ca          IN CNAME dns.hcmc.vn.
www         IN CNAME dns.hcmc.vn.
ftp         IN CNAME dns.hcmc.vn.
monitor     IN CNAME srv.hcmc.vn.
vpn         IN CNAME fw01.hcmc.vn.
mail        IN CNAME srv.hcmc.vn.
# MX
@           IN MX 10 mail.hcmc.vn.
5

Tạo reverse zone

/etc/bind/zones/db.192.168.1
$TTL 86400
@   IN SOA  dns.hcmc.vn. admin.hcmc.vn. (
            2026033001 3600 1800 604800 86400)
@           IN NS   dns.hcmc.vn.
1           IN PTR  srv.hcmc.vn.
2           IN PTR  dns.hcmc.vn.
254         IN PTR  fw01.hcmc.vn.
# check & restart
named-checkconf
named-checkzone hcmc.vn /etc/bind/zones/db.hcmc.vn
systemctl enable --now named
dig @192.168.1.2 fw01.hcmc.vn
3 · Apache – HTTPS www.hcmc.vn với Directory Auth
1
# install & enable modules
apt install apache2 libapache2-mod-authnz-external -y
a2enmod ssl rewrite authn_core authz_core authnz_ldap
2

Tạo Virtual Host HTTPS với directory authentication

/etc/apache2/sites-available/hcmc.vn.conf
<VirtualHost *:80>
  ServerName www.hcmc.vn
  Redirect permanent / https://www.hcmc.vn/
</VirtualHost>

<VirtualHost *:443>
  ServerName www.hcmc.vn
  DocumentRoot /var/www/hcmc.vn

  SSLEngine on
  SSLCertificateFile    /etc/ssl/CA/certs/dns.hcmc.vn.crt
  SSLCertificateKeyFile /etc/ssl/CA/private/dns.hcmc.vn.key
  SSLCACertificateFile  /etc/ssl/CA/Root-CA.crt

  # Thư mục hcmcsc2026 – ADFS bằng OpenLDAP
  <Directory /var/www/hcmc.vn/hcmcsc2026>
    AuthType Basic
    AuthName "HCMC SC 2026 – LDAP Auth"
    AuthBasicProvider ldap
    AuthLDAPURL ldap://192.168.1.1/ou=people,dc=hcmc,dc=vn?uid
    AuthLDAPBindDN "cn=admin,dc=hcmc,dc=vn"
    AuthLDAPBindPassword Qthtm!2026
    Require valid-user
  </Directory>

  # Thư mục vnsc2026 – xác thực Windows AD (qua ADFS)
  <Directory /var/www/hcmc.vn/vnsc2026>
    AuthType Basic
    AuthName "VNSC 2026 – AD Auth"
    AuthBasicProvider ldap
    AuthLDAPURL ldap://172.16.1.1/DC=vnsc,DC=vn?sAMAccountName
    AuthLDAPBindDN "Administrator@vnsc.vn"
    AuthLDAPBindPassword Qthtm!2026
    Require valid-user
  </Directory>

  # Mạng 192.168.1.0/24 – không cần xác thực
  <Directory /var/www/hcmc.vn>
    Require ip 192.168.1.0/24
  </Directory>

</VirtualHost>
# create webroot & enable site
mkdir -p /var/www/hcmc.vn/{hcmcsc2026,vnsc2026}
echo "<h1>HCMC.VN</h1>" > /var/www/hcmc.vn/index.html
a2ensite hcmc.vn.conf
systemctl reload apache2
4 · vsftpd FTP Server
1
# install
apt install vsftpd -y
2
/etc/vsftpd.conf – cấu hình chính
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES

# Giới hạn user vào web-root
local_root=/var/www/hcmc.vn
user_sub_token=$USER
local_root=/var/www/hcmc.vn/$USER

# PAM LDAP authentication
pam_service_name=vsftpd

# SSL/TLS (optional)
ssl_enable=YES
rsa_cert_file=/etc/ssl/CA/certs/dns.hcmc.vn.crt
rsa_private_key_file=/etc/ssl/CA/private/dns.hcmc.vn.key
# PAM LDAP config cho FTP
apt install libpam-ldapd nslcd -y
# Cấu hình nslcd.conf:
cat >> /etc/nslcd.conf <<EOF
uri ldap://192.168.1.1
base dc=hcmc,dc=vn
binddn cn=admin,dc=hcmc,dc=vn
bindpw Qthtm!2026
EOF
systemctl enable --now nslcd vsftpd
1 · LDAP Login (PAM/NSS)
1
# install LDAP client
apt install libpam-ldapd nslcd libnss-ldapd -y

# Cấu hình nslcd
cat > /etc/nslcd.conf <<EOF
uid nslcd
gid nslcd
uri ldap://192.168.1.1
base dc=hcmc,dc=vn
binddn cn=admin,dc=hcmc,dc=vn
bindpw Qthtm!2026
EOF

# Cấu hình nsswitch
sed -i 's/^passwd:.*/passwd: files ldap/' /etc/nsswitch.conf
sed -i 's/^group:.*/group: files ldap/' /etc/nsswitch.conf
sed -i 's/^shadow:.*/shadow: files ldap/' /etc/nsswitch.conf

# PAM mkhomedir
pam-auth-update --enable mkhomedir

systemctl enable --now nslcd
id james  # kiểm tra
2 · Firefox – Cài CA Certificate
1

Copy Root-CA.crt từ dns server về client

# copy cert
scp root@192.168.1.2:/etc/ssl/CA/Root-CA.crt /home/james/Root-CA.crt

Trong Firefox: Settings → Privacy & Security → View Certificates → Authorities → Import → chọn Root-CA.crt → tick "Trust for websites"

3 · Thunderbird – Cấu hình james@hcmc.vn
1

Mở Thunderbird → Add Account → cấu hình thủ công

FieldIncoming (IMAP)Outgoing (SMTP)
Serversrv.hcmc.vnsrv.hcmc.vn
Port993465
SecuritySSL/TLSSSL/TLS
AuthNormal PasswordNormal Password
Usernamejamesjames
0 · Cấu hình ban đầu
1

Đặt hostname và IP tĩnh

Server Manager Local Server Computer Name: DC
Network Adapter Properties IPv4: 172.16.1.1/24, GW: 172.16.1.254, DNS: 127.0.0.1
1 · Active Directory Domain Services
1

Cài đặt và Promote Domain Controller

Server Manager Add Roles and Features Active Directory Domain Services Install
Notification Flag Promote this server to a domain controller
Cấu hình ADDC Add a new forest → Root domain: vnsc.vn
Forest/Domain Level: Windows Server 2016
Global Catalog: ✓ | DNS: ✓
DSRM Password: Qthtm!2026
→ Install (server sẽ tự restart)
2

Tạo OUs và Groups trong ADUC

Server Manager Tools Active Directory Users and Computers
Tạo 4 OUs dưới vnsc.vn Right-click vnsc.vn → New → Organizational Unit:
OU: Managers | Sales | Tech | Visitors
Tạo Global Groups trong từng OU Managers OU → New → Group → Vn_Managers (Global, Security)
Sales OU → New → Group → Vn_Sales
Tech OU → New → Group → Vn_tech
Visitors OU → New → Group → Vn_visitor
3

Tạo Users từ Users.xlsx – Dùng PowerShell

PowerShell – Tạo users hàng loạt
# Ví dụ tạo user mẫu – lặp lại theo file xlsx
$Password = ConvertTo-SecureString "Qthtm!2026" -AsPlainText -Force

# Tạo user trong OU Managers
New-ADUser -Name "Manager01" -SamAccountName "manager01" `
  -UserPrincipalName "manager01@vnsc.vn" `
  -Path "OU=Managers,DC=vnsc,DC=vn" `
  -AccountPassword $Password -Enabled $true `
  -HomeDirectory "\\vnsc.vn\HomeFolder\manager01" `
  -HomeDrive "H:"

# Thêm vào group
Add-ADGroupMember -Identity "Vn_Managers" -Members "manager01"

# Tạo Home Folder share trước:
New-Item -Path "E:\HomeFolder" -ItemType Directory
New-SmbShare -Name "HomeFolder" -Path "E:\HomeFolder" `
  -FullAccess "Everyone"
2 · DNS – Primary Zone tích hợp AD
1
Server Manager Tools DNS Manager DC Forward Lookup Zones
Zone vnsc.vn đã được tạo tự động khi Promote DC
Vào Properties → General: Type = Primary (AD-integrated)
Dynamic Updates: Secure only (chỉ domain-joined machines được đăng ký)
DNSSEC: Sign Zone → Next → Next → Finish
2

Thêm Conditional Forwarder cho hcmc.vn

DNS Manager Conditional Forwarders Right-click New Conditional Forwarder
DNS Domain: hcmc.vn
Master servers IP: 192.168.1.2
✓ Store in AD (replicate to all DNS servers in domain)
3 · File Server – Storage Pool RAID5 + NTFS Permissions
1

Tạo Storage Pool từ 3 HDD 5GB → Virtual Disk RAID5 → Ổ E:

Server Manager File and Storage Services Storage Pools Tasks New Storage Pool
Pool Name: DataPool → chọn cả 3 disk 5GB
→ New Virtual Disk → Name: DataDisk → Layout: Parity (RAID5)
→ New Volume → Drive letter: E: → Format: NTFS → Label: Data
2

Tạo Folders và Share với ABE (Access-Based Enumeration)

PowerShell – Tạo shares
# Tạo thư mục
$folders = @("Manager","sales","tech","visitor")
foreach ($f in $folders) {
  New-Item "E:\data\$f" -ItemType Directory -Force
}

# Share từng folder với ABE (Access-Based Enumeration)
New-SmbShare -Name "Manager" -Path "E:\data\Manager" `
  -FolderEnumerationMode AccessBased -FullAccess "Administrators"
New-SmbShare -Name "sales"   -Path "E:\data\sales"   `
  -FolderEnumerationMode AccessBased -FullAccess "Administrators"
New-SmbShare -Name "tech"    -Path "E:\data\tech"    `
  -FolderEnumerationMode AccessBased -FullAccess "Administrators"
New-SmbShare -Name "visitor" -Path "E:\data\visitor" `
  -FolderEnumerationMode AccessBased -FullAccess "Administrators"
3

Cấu hình NTFS Permissions cho từng folder

PowerShell – NTFS ACL cho folder Manager
# Xóa inheritance và set permissions
$path = "E:\data\Manager"
$acl = Get-Acl $path
$acl.SetAccessRuleProtection($true, $false)  # disable inheritance

# Thêm quyền cho Vn_Managers: List + Create Folder (không delete)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
  "vnsc\Vn_Managers",
  "ReadAndExecute,CreateDirectories,ListDirectory",
  "ContainerInherit,ObjectInherit",
  "None", "Allow"
)
$acl.AddAccessRule($rule)
Set-Acl $path $acl

# Làm tương tự cho: sales→Vn_Sales, tech→Vn_tech, visitor→Vn_visitor
4

Folder Manager – yêu cầu thêm Claim: Title=Manager và phòng ban=Manager

ADAC Dynamic Access Control Claim Types New
Tạo Claim Type: Title (từ AD attribute: title)
Tạo Claim Type: Department (từ AD attribute: department)
Tạo Central Access Rule: Manager Room Rule → User.Title == "Manager" AND User.Department == "Manager"
Tạo Central Access Policy → Apply qua GPO → Computer Configuration → Windows Settings → Security Settings → Filesystem → E:\data\Manager
4 · Group Policy (GPO)
1

GPO Map ổ đĩa theo Group

Group Policy Management vnsc.vn GPO mới: Drive Mapping Policy
User Configuration → Preferences → Windows Settings → Drive Maps → New → Map Drive
\\vnsc.vn\Manager → G: → Item-Level Targeting: Security Group = Vn_Managers
\\vnsc.vn\sales → G: → Targeting: Vn_Sales
\\vnsc.vn\tech → G: → Targeting: Vn_tech
\\vnsc.vn\visitor → G: → Targeting: Vn_visitor
2

Password Policy – Fine-Grained (PSO)

ADAC vnsc (domain) System Password Settings Container New
PSO Default: Min length=5, Complexity=Yes, Precedence=30 → Apply to: Domain Users
PSO Visitor: Min length=0, Complexity=No, Precedence=20 → Apply to: Vn_visitor
PSO Manager: Min length=9, Complexity=Yes, Precedence=10 → Apply to: Vn_Managers
3

Software Restriction – Block Notepad bằng Hash Rule cho Vn_Sales

GPO mới: Sales Software Restriction → Link to OU Sales
Computer Config → Policies → Windows Settings → Security Settings → Software Restriction Policies → New
Additional Rules → New Hash Rule → Browse → chọn notepad.exe từ C:\Windows\System32\
Security Level: Disallowed
4

Auto-enroll Certificate cho Vn_Managers (template VN_Users)

GPO mới: Manager Cert Autoenroll → Link to OU Managers
User Configuration → Policies → Windows Settings → Security Settings → Public Key Policies
→ Certificate Services Client – Auto-Enrollment → Enabled
✓ Renew expired certs | ✓ Update certs that use templates
5

IPsec – Encrypt traffic từ Vn_Managers đến File Server

GPO mới: IPsec Manager Policy → Link to OU Managers
Computer Config → Policies → Windows Settings → Security Settings → Windows Firewall with Advanced Security
Connection Security Rules → New Rule → Server-to-Server
Endpoints: Vn_Managers computersDC.vnsc.vn (172.16.1.1)
Requirements: Require auth for in and out
Auth Method: Computer Certificate from HCMC-CA
Profile: Domain | Name: IPsec-Manager-FileServer
5 · Certificate Authority – Enterprise Sub CA
1

Cài Active Directory Certificate Services

Server Manager Add Roles → Active Directory Certificate Services → Certification Authority
Setup Type: Enterprise CA
CA Type: Subordinate CA (sub CA của Root-CA trên dns.hcmc.vn)
CA Name: HCMC-CA
→ Generate CSR → Save file → Copy sang dns.hcmc.vn để ký
→ Sau khi ký xong, copy cert về và Install CA Certificate
2

Tạo Certificate Templates

CA Console Certificate Templates Manage
VN_Server template: Duplicate từ "Web Server" → Rename → Subject: Supply in request → EKU: Server Auth
VN_Users template: Duplicate từ "User" → Rename → EKU: Client Auth, Smart Card Logon
→ Publish cả 2 templates: CA → Certificate Templates → New → Certificate Template to Issue
6 · ADFS
1
Server Manager Add Roles → Active Directory Federation Services → Install
Configure ADFS → Create first federation server
Service Account: gMSA hoặc domain account
SSL Cert: Request từ HCMC-CA với CN=adfs.vnsc.vn
Federation Service Name: adfs.vnsc.vn
2

Thêm OpenLDAP (hcmc.vn) là Claim Provider

ADFS Management Trust Relationships Claim Provider Trusts Add
Import từ federation metadata URL hoặc manual:
Display Name: OpenLDAP
LDAP URL: ldap://192.168.1.1/ou=people,dc=hcmc,dc=vn
Attribute Store Type: LDAP
Mapping: uid → Name ID, mail → E-Mail
7 · Remote Desktop Services
1
Server Manager → Add Roles → Remote Desktop Services
Role Services: RD Session Host, RD Web Access, RD Connection Broker
URL: https://rd.vnsc.vn/RDWeb
SSL Cert: Request cert với CN=rd.vnsc.vn từ HCMC-CA
2

Publish WordPad cho domain users

RDS → RemoteApp Manager → Add RemoteApp Programs → WordPad
User Assignment: Domain Users
Certificate: cert từ HCMC-CA (rd.vnsc.vn)
✓ Require smartcard/certificate authentication
8 · SNMP Agent
1
Server Manager → Add Features → SNMP Service
Services → SNMP Service → Properties → Security tab
Community: public → Rights: READ ONLY (“public” is the well-known default community string; the source restriction on the next line is what actually limits who can poll)
Accept SNMP from: 192.168.1.1 (srv.hcmc.vn – Cacti server)
0 · Cấu hình ban đầu (PowerShell CUI)
1
PowerShell – IP & Hostname
# Hostname first; -Restart reboots the box immediately, so everything below
# is run in a fresh session after it comes back up.
Rename-Computer -NewName "fw02" -Restart

# --- Static addressing (after the restart) ---

# Interface 1: vnsc LAN (172.16.1.x); DNS points at the DC.
$lanVnsc = @{
  InterfaceAlias = "Ethernet"
  IPAddress      = "172.16.1.254"
  PrefixLength   = 24
}
New-NetIPAddress @lanVnsc
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "172.16.1.1"

# Interface 2: client LAN (172.16.2.x); no DNS is set on this interface.
$lanClient = @{
  InterfaceAlias = "Ethernet 2"
  IPAddress      = "172.16.2.254"
  PrefixLength   = 24
}
New-NetIPAddress @lanClient

# Interface 3: WAN (public /26); the only interface given a default gateway.
$wan = @{
  InterfaceAlias = "Ethernet 3"
  IPAddress      = "210.103.5.2"
  PrefixLength   = 26
  DefaultGateway = "210.103.5.62"
}
New-NetIPAddress @wan
1 · RRAS – Routing, NAT, Port Redirect
1
PowerShell – Install RRAS
# Routing role plus the RRAS feature set (management tools included).
Install-WindowsFeature -Name Routing -IncludeManagementTools
Install-WindowsFeature -Name RemoteAccess -IncludeAllSubFeature

# Install the NAT routing protocol via netsh (the GUI works too if Remote Desktop is available).
netsh routing ip nat install

# Enable NAT on the WAN interface ("full" = address and port translation).
netsh routing ip nat add interface "Ethernet 3" full

# Port redirect: HTTPS (443) on the public address -> DC. This is what serves RDWeb.
netsh routing ip nat add portmapping "Ethernet 3" tcp 0.0.0.0 443 172.16.1.1 443
# Port redirect: RDP (3389) on the public address -> DC.
# NOTE(review): RDWeb itself is already reachable through the 443 mapping above;
# this rule exposes the domain controller's RDP listener directly on the Internet
# side. If it exists only so RemoteApp sessions launched from RDWeb can connect,
# consider carrying them over the S2S VPN or an RD Gateway instead — TODO confirm
# whether the lab actually needs it.
netsh routing ip nat add portmapping "Ethernet 3" tcp 0.0.0.0 3389 172.16.1.1 3389
2 · DHCP Server
1
PowerShell – DHCP
# DHCP role plus the management cmdlets.
Install-WindowsFeature -Name DHCP -IncludeManagementTools

# Authorize this server in AD so it is allowed to hand out leases.
Add-DhcpServerInDC -DnsName "fw02.vnsc.vn" -IPAddress "172.16.2.254"

# Scope for the client LAN 172.16.2.0/24 (leases .50 through .150).
$scope = @{
  Name       = "VNSC Client"
  StartRange = "172.16.2.50"
  EndRange   = "172.16.2.150"
  SubnetMask = "255.255.255.0"
}
Add-DhcpServerv4Scope @scope

# Scope options: DNS = the DC, router = this host's client-LAN address, DNS suffix = vnsc.vn.
$options = @{
  ScopeId   = "172.16.2.0"
  DnsServer = "172.16.1.1"
  Router    = "172.16.2.254"
  DnsDomain = "vnsc.vn"
}
Set-DhcpServerv4OptionValue @options

# Fixed address for worker.vnsc.vn. The ClientId below looks like a placeholder
# MAC; replace it with the workstation's real address or the reservation never matches.
$reservation = @{
  ScopeId     = "172.16.2.0"
  IPAddress   = "172.16.2.100"
  ClientId    = "AA-BB-CC-DD-EE-FF"
  Description = "worker.vnsc.vn"
}
Add-DhcpServerv4Reservation @reservation
3 · Site-to-Site IKEv2 VPN (Windows RRAS)
1

Yêu cầu cert từ HCMC-CA (từ dns.hcmc.vn)

PowerShell – Request cert từ Sub CA
# Trust chain on this host: Root-CA goes into Trusted Root, the enterprise
# sub CA (HCMC-CA) into Intermediate Certification Authorities.
$rootCa = @{
  FilePath          = "C:\certs\Root-CA.crt"
  CertStoreLocation = "Cert:\LocalMachine\Root"
}
Import-Certificate @rootCa

$subCa = @{
  FilePath          = "C:\certs\HCMC-CA.crt"
  CertStoreLocation = "Cert:\LocalMachine\CA"
}
Import-Certificate @subCa

# Machine certificate enrolled from HCMC-CA via the VN_Server template.
# VN_Server is built with "Subject: Supply in request" (see the template step),
# so anyone holding Enroll on that template can request a certificate for an
# arbitrary name — keep its enrollment ACL tight. Presumably this is the cert the
# IKEv2 S2S interface authenticates with; confirm it lands in LocalMachine\My
# before bringing the tunnel up.
$request = @{
  Template          = "VN_Server"
  SubjectName       = "CN=fw02.vnsc.vn,O=HCMC,C=VN"
  CertStoreLocation = "Cert:\LocalMachine\My"
}
$cert = Get-Certificate @request
2

Cấu hình IKEv2 S2S VPN qua RRAS

PowerShell – S2S VPN Connection
# Demand-dial interface towards fw01 (the hcmc.vn side): IKEv2, machine
# certificates on both ends, and a route to 192.168.1.0/24 (metric 100) bound to
# the tunnel so traffic for the Linux LAN is sent through it.
$peer = @{
  Name                 = "To-HCMC"
  Destination          = "210.103.5.1"
  Protocol             = "IKEv2"
  AuthenticationMethod = "MachineCertificates"
  IPv4Subnet           = @("192.168.1.0/24:100")
  PassThru             = $true
}
Add-VpnS2SInterface @peer

# Bring the tunnel up, then print the interface so its state can be inspected.
Connect-VpnS2SInterface -Name "To-HCMC"
Get-VpnS2SInterface -Name "To-HCMC"
1 · Cấu hình cơ bản
1

Đặt DNS server trỏ về DC và join Domain

Settings → Network → Ethernet → Edit DNS: 172.16.1.1
Settings → System → About → Domain or workgroup → Change → Domain: vnsc.vn
Nhập credential: Administrator@vnsc.vn / Qthtm!2026 → Restart
2 · Import CA Certificate (không cảnh báo lỗi cert)
1
PowerShell (Admin) – Import CA certs
# Trust the lab Root-CA on the workstation so certificates issued by HCMC-CA
# (its sub CA) validate. The .crt is read straight from the DC's SYSVOL share.
$rootCa = @{
  FilePath          = "\\DC.vnsc.vn\SYSVOL\Root-CA.crt"
  CertStoreLocation = "Cert:\LocalMachine\Root"
}
Import-Certificate @rootCa

# Alternative, domain-wide: distribute it by GPO
#   Computer Config → Policies → Windows Settings → Security
#   → Public Key → Trusted Root Certification Authorities → Import Root-CA.crt
3 · Thunderbird – Cấu hình donald@hcmc.vn
1

Mở Thunderbird → Add Account → Manual setup

Field | Incoming (IMAP) | Outgoing (SMTP)
Server | srv.hcmc.vn | srv.hcmc.vn
Port | 993 | 465
Security | SSL/TLS | SSL/TLS
Username | donald | donald
Password | Qthtm!2026 | Qthtm!2026
4 · Kiểm tra GPO & File Server
1

Chạy gpupdate /force sau khi login bằng từng tài khoản

  • Login Vn_Managers → kiểm tra ổ G: map đến \\vnsc.vn\Manager
  • Login Vn_Sales → kiểm tra Notepad bị block
  • Login Vn_visitor → password để trống được
  • Login Manager → mở https://rd.vnsc.vn/RDWeb → launch WordPad
  • Kiểm tra File Server: chỉ thấy folder của group mình
  • Kiểm tra cert tự động enroll cho Vn_Managers