Title: 70290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Serv
1. 70-290 MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced
Chapter 10: Server Administration
2. Objectives
- Distinguish between the various methods, tools, and processes used to manage a Windows Server 2003 system
- Understand and configure Terminal Services and Remote Desktop for Administration
- Delegate administrative authority in Active Directory
- Install, configure, and manage Microsoft Software Update Services
3. Network Administration Procedures
- In a Windows Server 2003 environment, an administrator will normally be responsible for more than one server
- A useful tool for administrators to manage remote servers is Microsoft Management Console (MMC)
- Secondary logon is another useful tool for administrators
4. Windows Server 2003 Management Tools
- Server shutdown and restart has new features in Windows Server 2003
- Shutdown Event Tracker logs these events
  - Can include comments on why events occurred
  - Logged as event 1074 in Event Viewer system log
5. Activity 10-1: Restarting Windows Server 2003
- Objective: to restart Windows Server 2003
- Start → Shut Down → Restart
- Configure the Shutdown Event Tracker options
6. Activity 10-2: Viewing Shutdown Events in the Event Viewer System Log
- Objective: Use Event Viewer to view server shutdown events
- Start → Administrative Tools → Event Viewer → System
- Look for the shutdown event that was generated in the previous activity
- Explore other shutdown events
7. The Microsoft Management Console
- MMC provides a unified framework for hosting multiple management tools (snap-ins)
- Can add and remove management tools as necessary and save custom tools for use by authorized administrators
- Console saved as Management Saved Console (MSC) file with .msc extension
- Can focus snap-ins to point to remote clients or servers
8. Activity 10-3: Using the MMC to View Information on a Remote Computer
- Objective: Use MMC to view system logs on a remote computer
- Focus the Event Viewer to connect to another computer from an existing MMC
- Browse the system and application logs on the remote computer
- Focus back to the local computer
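The remote log check from Activities 10-2 and 10-3 can also be run from a command prompt. The batch script below is an added example, not part of the original slides; it uses eventquery.vbs, which ships with Windows Server 2003, and the server names SRV01 and SRV02 are placeholders.

```bat
@echo off
rem Added example: collect Shutdown Event Tracker records (event 1074)
rem from the System log of several servers, one CSV file per server.
rem SRV01 and SRV02 are placeholder names. Run this under an account
rem that is allowed to read the System log on each server.
setlocal
set "OUTDIR=%TEMP%\shutdown-audit"
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

for %%S in (SRV01 SRV02) do (
    echo Querying %%S ...
    rem /l system   = System log, where event 1074 is written
    rem /fi         = filter on the event ID
    rem /fo csv /v  = CSV output, verbose so the description is included
    cscript //nologo "%SystemRoot%\system32\eventquery.vbs" /s %%S /l system /fi "id eq 1074" /fo csv /v > "%OUTDIR%\%%S-shutdown.csv"
    if errorlevel 1 echo %%S: query failed or server unreachable
)

echo Results are in %OUTDIR%
endlocal
```

Restarts that appear in the output without a matching change record are the ones to follow up.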
9. Activity 10-4: Creating a Taskpad
- Objective: create a taskpad to simplify administrative tasks
- A taskpad view provides a graphical representation of the tasks that can be performed in an MMC
- Create a new MMC with an Event Viewer
- Create and configure a taskpad view using the New Taskpad View Wizard
- Save the new MMC
10. Secondary Logon
- Recommendation is for network administrators to have two logon accounts
  - One with administrative rights
  - One with normal user rights
- Secondary logon feature allows you to log on with a user account and open administrative tools as an administrator
11. Activity 10-5: Using the Windows Server 2003 Secondary Logon Feature
- Objective: Use the Run as command to open a program with a secondary account
- Start → Administrative Tools → right-click Event Viewer → Run as
- Log on with alternative credentials in Run As dialog box
12. Activity 10-6: Using the Secondary Logon Feature from the Command Line
- Objective: To log on using alternate credentials from the command line
- Start → Run → enter cmd in Open box to open a command prompt
- Enter command-line form of runas to open the Event Viewer as directed in the exercise
13. Network Troubleshooting Processes
- Need a systematic approach to troubleshooting
- Recommended steps
  - Define the problem
  - Gather detailed information about what has changed
  - Devise a plan to solve the problem
  - Implement the plan and observe the results
  - Document all changes and results
14. Define the Problem
- Indication of a problem is often
  - A general complaint from a user
  - An error message
- Ask questions of user
- Try to recreate the problem in a test
- To decode error messages, use net utility
  - At command prompt, type NET HELPMSG number
15. Gather Detailed Information About What Has Changed
- Factors to consider include
  - Any new components installed recently?
  - Who has access to computer? Have they made any changes?
  - Any software or service patches installed recently?
16. Devise a Plan to Solve the Problem
- Important considerations when devising a plan
  - Interruptions to network or its components (e.g., restarts)
  - Possible changes to network security policy
  - Need to document all changes and troubleshooting steps
  - Be sure to include a rollback strategy in case plan doesn't work
17. Implement the Plan, Observe Results, Document All Changes and Results
- Notify users if network availability will be affected
- Do not make too many configuration changes at one time
- If plan doesn't work, document what was done and start again
- Document all troubleshooting steps, results, and configuration changes
18. Configuring Terminal Services and Remote Desktop for Administration
- Two services that provide remote access to a server desktop
  - Terminal Services allows users to connect in order to run applications
  - Remote Desktop for Administration allows an administrator to connect in order to run administrative services
19. Enabling Remote Desktop for Administration
- Installed automatically as a part of Windows Server 2003
- Disabled by default
- Once enabled, only Administrators group can connect by default
- Additional users can be granted access
20. Activity 10-7: Enabling and Testing Remote Desktop for Administration
- Objective: To enable and test Remote Desktop for Administration
- Start → Control Panel → System → Remote tab
- Enable Remote Desktop for Administration on the server as directed in the activity
- Connect to the server using the Remote Desktop Connection tool
- Disconnect leaving session open and then disconnect closing the session
21. Installing Terminal Services
- Installed from Add/Remove Windows Components of Add or Remove Programs (in Control Panel)
- To set up a Terminal server, one Windows Server 2003 server in network must be configured as a Terminal Services licensing server
22. Activity 10-8: Installing Terminal Services
- Objective: To install Windows Server 2003 Terminal Services on a server
- Start → Control Panel → Add or Remove Programs → Add/Remove Windows Components
- Use the Windows Components Wizard to install Terminal Server as directed
23. Managing Terminal Services
- Three primary tools for Terminal Services administration
  - Terminal Services Manager
  - Terminal Services Configuration
  - Terminal Services Licensing
24. Configuring Remote Connection Settings
- Primary tool is Terminal Services Configuration
- Settings related to connection attempts
- Settings related to permissions of user or group accounts
- Configured from properties of a Terminal Server connection object (1 object for multiple user connections)
- Settings include
  - Authentication (none or standard Windows)
  - Encryption (client compatible or high)
25. Configuring Remote Connection Settings (continued)
26. Activity 10-9: Exploring Terminal Services Settings
- Objective: to explore and configure Terminal Services settings
- Start → Administrative Tools → Terminal Services Configuration
- Browse and configure settings as directed in the activity
27. Terminal Services Client Software
- Terminal Server folder containing client software packages
  - Systemroot\system32\clients\tsclient\win32
- Contains files to install Remote Desktop Connection
- Provided as both MSI file and Win32 executable
- Share folder and initiate installation process either manually or through Group Policy deployment
- Pre-installed on Windows Server 2003 and Windows XP
28. Installing Applications
- Applications must be installed in a mode for multiple users compatible with Terminal Server (install mode)
- Use Add or Remove Programs applet in Control Panel after Terminal Server is installed
- Can also place Windows Server 2003 in install mode from command line
  - Change user /install to begin
  - Change user /execute when finished
- May need to reinstall some applications
29. Configuring Terminal Services User Properties
- Terminal Server adds four tabs to properties of user accounts
  - Terminal Services Profile: user can configure a special connection profile and home directory
  - Remote control: configures remote control properties for a user account
  - Sessions: configures a maximum session time and disconnect options
  - Environment: configures a program to run automatically when user connects to terminal server
30. Activity 10-10: Exploring Terminal Services User Account Settings
- Objective: Explore Terminal Services user account settings using Active Directory Users and Computers
- Start → Administrative Tools → Active Directory Users and Computers → Users
- Explore the settings on the four Terminal Services tabs: Terminal Services Profile, Remote control, Sessions, and Environment
31. Delegating Administrative Authority
- Active Directory is a database and must be protected
- Uses permissions similar to NTFS file permissions
- Administrators have full access by default
- Users are given read permission for most attributes by default
- Administrator can edit permissions
- Must take care not to make any objects completely inaccessible
32. Active Directory Object Permissions
- Objects can be assigned permissions at 2 levels
- Object-level permissions
  - Must be granted for a user to create or modify an OU, user, or group account
  - Applied according to a preconfigured set of standard permissions
- Attribute-level permissions
  - Control which attributes a user or group can view or modify
- If not explicitly set, object inherits parent container's permissions
33. Activity 10-11: Exploring Active Directory Object Permissions
- Objective: Explore Active Directory object permission settings
- Start → Administrative Tools → Active Directory Users and Computers → View (menu bar) → Advanced Features
- Access the properties of an OU and explore the various permission configurations as directed in the exercise
34. Permission Inheritance
- Child objects inherit permissions from parent objects by default when child object is created
- If permissions to parent are changed subsequently, can force permission changes to child if desired
- Can modify default inheritance by blocking it at the container or object level
35. Delegating Authority Over Active Directory Objects
- Allows you to distribute/decentralize process of administering Active Directory
- Steps to delegating authority
  - Design OU structure to permit distribution
  - Configure permissions to support appropriate distribution
- Implementing delegation
  - Can manage permissions directly from Security tab
  - Can use Delegation of Control Wizard
36. Activity 10-12: Using the Delegation of Control Wizard
- Objective: Delegate control of an OU using the Active Directory Users and Computers Delegation of Control Wizard
- To start wizard, right-click OU and click Delegate Control
- Delegate a specific permission to a group following directions in the exercise
- Verify that the permission appears as expected
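The same kind of delegation can be scripted and verified from a command prompt. The batch script below is an added example, not part of the original slides; it assumes dsacls.exe from the Windows Support Tools is installed, and the OU, domain and group names are placeholders.

```bat
@echo off
rem Added example: delegate password resets on one OU to a help desk group.
rem Assumptions: dsacls.exe (Windows Support Tools) is on the PATH;
rem OU=Sales,DC=example,DC=local and EXAMPLE\SalesHelpDesk are placeholders.
setlocal
set "OU=OU=Sales,DC=example,DC=local"
set "GRP=EXAMPLE\SalesHelpDesk"

rem 1. Save the current ACL so the change can be compared or rolled back.
dsacls "%OU%" > "%TEMP%\sales-ou-acl-before.txt"

rem 2. Grant the Reset Password extended right (CA = control access).
rem    /I:S applies the entry to child objects only; the trailing "user"
rem    limits it to user objects, so the OU itself is not affected.
dsacls "%OU%" /I:S /G "%GRP%:CA;Reset Password;user"

rem 3. Attribute-level permission: read/write (RP, WP) on pwdLastSet only,
rem    which is what "User must change password at next logon" needs.
dsacls "%OU%" /I:S /G "%GRP%:RPWP;pwdLastSet;user"

rem 4. Verify that only the intended entries were added for the group.
dsacls "%OU%" | findstr /i "SalesHelpDesk"
endlocal
```

Granting a named right and a single attribute keeps the group well short of Full Control over the OU.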
37. Software Update Services
- Software Update Services (SUS) allows an administrator to control the deployment of O.S. security updates and critical packages
- Intended to minimize administrative effort required to keep O.S. protected
- 2 main elements
  - Client component: updated version of Windows Automatic Updates; clients contact server to get updates
  - Server component: can be installed on a server running Windows 2000 or Server 2003
38. Installing Software Update Services
- SUS client and server components available for download from Microsoft Web site
- Requires minimum hardware and a dedicated server if possible
- Internet Information Services version 5.0 or higher and Internet Explorer 5.5 or higher are prerequisites
- Server component can be installed on Windows 2000 Server, Windows Server 2003, or Microsoft Small Business Server 2000
39. Activity 10-13: Installing Software Update Services
- Objective: To install the server component of Software Update Services (after installing IIS)
- Start → Control Panel → Add or Remove Programs → Add/Remove Windows Components
- Install IIS following instructions
- Run the SUS10SP1.exe file to start installation of SUS
- Follow directions to run Microsoft Software Update Services Setup Wizard
- Complete installation as directed
40. How Software Update Services Works
- Purpose of SUS is to provide centralized facility for clients to obtain security package updates automatically
- SUS server can store updates locally or store catalog with clients downloading from Internet
- Administrator must approve an update before clients can download it
- Clients must have Automatic Updates software installed to interact with SUS server
41. Configuring Software Update Services
- Default SUS configurations (Typical option)
  - Updates downloaded from Internet servers
  - Proxy server settings are set to Automatic
  - Downloaded content is stored locally on SUS server
  - Packages are downloaded in all supported languages
  - If changes occur to an approved package, changed package is not approved
- Administration is Web-based, password protected
- On-line resources include SUS Overview Whitepaper, SUS Deployment Guide, Windows Update, Security Web sites
42. Activity 10-14: Configuring Software Update Services Settings
- Objective: To configure SUS settings
- Start → All Programs → Internet Explorer
- Enter the SUS administration Web address and log on as directed
- Browse the Set options pages
- Configure your SUS to maintain updates on a Microsoft Windows Update server
43. Activity 10-15: Synchronizing Software Update Services Content
- Objective: To manually synchronize SUS content
- Use the Microsoft SUS menu through Internet Explorer to start the synchronization process as directed
- Browse potential updates and explore sorting options and details menu
- Approve an update
- Browse logs and other information as directed
44. Automatic Updates
- Clients must have Automatic Updates client software installed to obtain security updates
- Some systems have software preinstalled, others must manually install
- Automatic Updates can be manually enabled along with notification and scheduling options
- To connect to local SUS server to obtain updates, must configure clients' Registry or Group Policy settings
- Group policy settings override local settings
45. Automatic Updates (continued)
46. Activity 10-16: Reviewing Automatic Updates Group Policy Settings
- Objective: To review Group Policy settings for Automatic Update
- Start → Administrative Tools → Active Directory Users and Computers
- Edit the Default Domain Policy and add the wuau template as directed
- Browse and configure settings for Automatic Updates
47. Planning a Software Update Services Infrastructure
- Common methods that organizations use to deploy and configure SUS
  - Small networks: single server running SUS or multiple location-based servers managed independently
  - Enterprise networks: multiple SUS servers, single synchronization server (hub and spoke)
  - High security networks: corporate intranet disconnected from public Internet. All local servers download from special connected server(s).
48. Activity 10-17: Uninstalling Software Update Services and Internet Information Services
- Objective: To uninstall SUS and IIS
- Start → Control Panel → Add or Remove Programs
- Remove Software Update Services as directed
- Remove Internet Information Services as directed
49. Summary
- Tools used to manage server tasks and remote management of clients
  - Microsoft Management Console (MMC)
  - Secondary logon feature
- Network troubleshooting process steps: define problem, gather information about changes, devise plan, implement plan, document changes and results
- Terminal Services allows users to connect to and run applications on remote servers
50. Summary (continued)
- Remote Desktop for Administration allows administrators to connect to and interact with remote servers
- Administrative authority for Active Directory objects can be delegated through object-level and attribute-level permissions
- Software Update Services allows control of the deployment of security updates throughout a network