70290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Serv

1
70-290 MCSE Guide to Managing a Microsoft
Windows Server 2003 Environment,
EnhancedChapter 10Server Administration
2
Objectives

• Distinguish between the various methods, tools,
  and processes used to manage a Windows Server
  2003 system
• Understand and configure Terminal Services and
  Remote Desktop for Administration
• Delegate administrative authority in Active
  Directory
• Install, configure, and manage Microsoft Software
  Update Services

3
Network Administration Procedures

• In a Windows Server 2003 environment,
  administrator will normally be responsible for
  more than one server
• A useful tool for administrators to manage remote
  servers is Microsoft Management Console (MMC)
• Secondary logon is another useful tool for
  administrators

4
Windows Server 2003 Management Tools

• Server shutdown and restart has new features in
  Windows Server 2003
• Shutdown Event Tracker logs these events
• Can include comments on why events occurred
• Logged as event 1074 in Event Viewer system log

5
Activity 10-1 Restarting Windows Server 2003

• Objective to restart Windows Server 2003
• Start ? Shut Down ? Restart
• Configure the Shutdown Event Tracker options

6
Activity 10-2 Viewing Shutdown Events in the
Event View System Log

• Objective Use Event Viewer to view server
  shutdown events
• Start ? Administrative Tools ? Event Viewer ?
  System
• Look for the shutdown event that was generated in
  the previous activity
• Explore other shutdown events

7
The Microsoft Management Console

• MMC provides a unified framework for hosting
  multiple management tools (snap-ins)
• Can add and remove management tools as necessary
  and save custom tools for use by authorized
  administrators
• Console saved as Management Saved Console (MSC)
  file with .msc extension
• Can focus snap-ins to point to remote clients or
  servers

8
Activity 10-3 Using the MMC to View Information
on a Remote Computer

• Objective Use MMC to view system logs on a
  remote computer
• Focus the Event Viewer to connect to another
  computer from an existing MMC
• Browse the system and application logs on the
  remote computer
• Focus back to the local computer

9
Activity 10-4 Creating a Taskpad

• Objective create a taskpad to simplify
  administrative tasks
• A taskpad view provides a graphical
  representation of the tasks that can be performed
  in an MMC
• Create a new MMC with an Event Viewer
• Create and configure a taskpad view using the New
  Taskpad View Wizard
• Save the new MMC

10
Secondary Logon

• Recommendation is for network administrators to
  have two logon accounts
• One with administrative rights
• One with normal user rights
• Secondary logon feature allows you to log on with
  user account, open administrative tools as an
  administrator

11
Activity 10-5 Using the Windows Server 2003
Secondary Logon Feature

• Objective Use the Run as command to open a
  program with a secondary account
• Start ? Administrative Tools ? right-click Event
  Viewer ? Run as
• Log on with alternative credentials in Run As
  dialog box

12
Activity 10-6 Using the Secondary Logon Feature
from the Command Line

• Objective To log on using alternate credentials
  from the command line
• Start ? Run ? enter cmd in Open box to open a
  command prompt
• Enter command-line form of runas to open the
  Event Viewer as directed in the exercise

13
Network Troubleshooting Processes

• Need a systematic approach to troubleshooting
• Recommended steps
• Define the problem
• Gather detailed information about what has
  changed
• Devise a plan to solve the problem
• Implement the plan and observe the results
• Document all changes and results

14
Define the Problem

• Indication of a problem is often
• A general complaint from a user
• An error message
• Ask questions of user
• Try to recreate the problem in a test
• To decode error messages, use net utility
• At command prompt, type NET HELPMSG number

15
Gather Detailed Information About What Has Changed

• Factors to consider include
• Any new components installed recently?
• Who has access to computer? Have they made any
  changes?
• Any software or service patches installed
  recently?

16
Devise a Plan to Solve the Problem

• Important considerations when devising a plan
• Interruptions to network or its components (e.g.,
  restarts)
• Possible changes to network security policy
• Need to document all changes and troubleshooting
  steps
• Be sure to include a rollback strategy in case
  plan doesnt work

17
Implement the Plan Observe Results Document All
Changes and Results

• Notify users if network availability will be
  affected
• Do not make too many configuration changes at one
  time
• If plan doesnt work, document what was done and
  start again
• Document all troubleshooting steps, results, and
  configuration changes

18
Configuring Terminal Services and Remote Desktop
for Administration

• Two services that provide remote access to a
  server desktop
• Terminal services allows users to connect in
  order to run applications
• Remote Desktop for Administration allows an
  administrator to connect in order to run
  administrative services

19
Enabling Remote Desktop for Administration

• Installed automatically as a part of Windows
  Server 2003
• Disabled by default
• Once enabled, only Administrators group can
  connect by default
• Additional users can be granted access

20
Activity 10-7 Enabling and Testing Remote
Desktop for Administration

• Objective To enable and test Remote Desktop for
  Administration
• Start ? Control Panel ? System ? Remote tab
• Enable Remote Desktop for Administration on the
  server as directed in the activity
• Connect to the server using the Remote Desktop
  Connection tool
• Disconnect leaving session open and then
  disconnect closing the session

21
Installing Terminal Services

• Installed from Add/Remove Windows Components of
  Add or Remove Programs (in Control Panel)
• To set up a Terminal server, one Windows Server
  2003 server in network must be configured as a
  Terminal Services licensing server

22
Activity 10-8 Installing Terminal Services

• Objective To install Windows Server 2003
  Terminal Services on a server
• Start ? Control Panel ? Add or Remove Programs ?
  Add/Remove Windows Components
• Use the Windows Components Wizard to install
  Terminal Server as directed

23
Managing Terminal Services

• Three primary tools for Terminal Services
  administration
• Terminal Services Manager
• Terminal Services Configuration
• Terminal Services Licensing

24
Configuring Remote Connection Settings

• Primary tool is Terminal Services Configuration
• Settings related to connection attempts
• Settings related to permissions of user or group
  accounts
• Configured from properties of a Terminal Server
  connection object 1 object for multiple user
  connections
• Settings include
• Authentication (none or standard Windows)
• Encryption (client compatible or high)

25
Configuring Remote Connection Settings (continued)
26
Activity 10-9 Exploring Terminal Services
Settings

• Objective to explore and configure Terminal
  Services settings
• Start ? Administrative Tools ? Terminal Services
  Configuration
• Browse and configure settings as directed in the
  activity

27
Terminal Services Client Software

• Terminal Server folder containing client software
  packages
• Systemroot\system32\clients\tsclient\win32
• Contains files to install Remote Desktop
  Connection
• Provided as both MSI file and Win32 executable
• Share folder and initiate installation process
  either manually or through Group Policy
  deployment
• Pre-installed on Windows Server 2003 and Windows
  XP

28
Installing Applications

• Applications must be installed in a mode for
  multiple users compatible with Terminal
  Server(install mode)
• Use Add or Remove Programs applet in Control
  Panel after Terminal Server is installed
• Can also place Windows Server 2003 in install
  mode from command line
• Change user /install to begin
• Change user /execute when finished
• May need to reinstall some applications

29
Configuring Terminal Services User Properties

• Terminal Server adds four tabs to properties of
  user accounts
• Terminal Services Profile user can configure a
  special connection profile and home directory
• Remote control configures remote control
  properties for a user account
• Sessions configures a maximum session time and
  disconnect options
• Environment configures a program to run
  automatically when user connects to terminal
  server

30
Activity 10-10 Exploring Terminal Services User
Account Settings

• Objective Explore Terminal Services user account
  settings using Active Directory Users and
  Computers
• Start ? Administrative Tools ? Active Directory
  Users and Computers ? Users
• Explore the settings on the four Terminal
  Services tabs Terminal Services Profile, Remote
  control, Sessions, and Environment

31
Delegating Administrative Authority

• Active Directory is a database and must be
  protected
• Uses permissions similar to NTFS file permissions
• Administrators have full access by default
• User are given read permission for most
  attributes by default
• Administrator can edit permissions
• Must take care not to make any objects completely
  inaccessible

32
Active Directory Object Permissions

• Objects can be assigned permissions at 2 levels
• Object-level permissions
• Must be granted for a user to create or modify an
  OU, user, or group account
• Applied according to a preconfigured set of
  standard permissions
• Attribute-level permissions
• Control which attributes a user or group can view
  or modify
• If not explicitly set, object inherits parent
  containers permissions

33
Activity 10-11 Exploring Active Directory Object
Permissions

• Objective Explore Active Directory object
  permission settings
• Start ? Administrative Tools ? Active Directory
  Users and Computers ? View (menu bar) ? Advanced
  Features
• Access the properties of an OU and explore the
  various permission configurations as directed in
  the exercise

34
Permission Inheritance

• Child objects inherit permissions from parent
  objects by default when child object is created
• If permissions to parent are changed
  subsequently, can force permission changes to
  child if desired
• Can modify default inheritance by blocking it at
  the container or object level

35
Delegating Authority Over Active Directory Objects

• Allows you to distribute/decentralize process of
  administering Active Directory
• Steps to delegating authority
• Design OU structure to permit distribution
• Configure permissions to support appropriate
  distribution
• Implementing delegation
• Can manage permissions directly from Security tab
• Can use Delegation of Control Wizard

36
Activity 10-12 Using the Delegation of Control
Wizard

• Objective Delegate control of an OU using the
  Active Directory Users and Computer Delegation of
  Control Wizard
• To start wizard, right-click OU and click
  Delegate Control
• Delegate a specific permission to a group
  following directions in the exercise
• Verify that the permission appears as expected

37
Software Update Services

• Software Update Services (SUS) allows an
  administrator to control the deployment of O.S.
  security updates and critical packages
• Intended to minimize administrative effort
  required to keep O.S. protected
• 2 main elements
• Client component updated version of Windows
  Automatic Updates, clients contact server to get
  updates
• Server component can be installed on a server
  running Windows 2000 or Server 2003

38
Installing Software Update Services

• SUS client and server components available for
  download from Microsoft Web site
• Requires minimum hardware and a dedicated server
  if possible
• Internet Information Services version 5.0 or
  higher and Internet Explorer 5.5 or higher are
  prerequisites
• Server component can be installed on Windows 2000
  Server, Windows Server 2003, or Microsoft Small
  Business Server 2000

39
Activity 10-13 Installing Software Update
Services

• Objective To install the server component of
  Software Update Services (after installing IIS)
• Start ? Control Panel ? Add or Remove Programs ?
  Add/Remove Windows Components
• Install IIS following instructions
• Run the SUS10SP1.exe file to start installation
  of SUS
• Follow directions to run Microsoft Software
  Update Services Setup Wizard
• Complete installation as directed

40
How Software Update Services Works

• Purpose of SUS is to provide centralized facility
  for clients to obtain security package updates
  automatically
• SUS server can store updates locally or store
  catalog with clients downloading from Internet
• Administrator must approve an update before
  clients can download it
• Clients must have Automatic Updates software
  installed to interact with SUS server

41
Configuring Software Update Services

• Default SUS configurations (Typical option)
• Updates downloaded from Internet servers
• Proxy server settings are set to Automatic
• Downloaded content is stored locally on SUS
  server
• Packages are downloaded in all supported
  languages
• If changes occur to an approved package, changed
  package is not approved
• Administration is Web-based, password protected
• On-line resources include SUS Overview
  Whitepaper, SUS Deployment Guide, Windows Update,
  Security Web sites

42
Activity 10-14 Configuring Software Update
Services Settings

• Objective To configure SUS settings
• Start ? All Programs ? Internet Explorer
• Enter the SUS administration Web address and log
  on as directed
• Browse the Set options pages
• Configure your SUS to maintain updates on a
  Microsoft Windows Update server

43
Activity 10-15 Synchronizing Software Update
Services Content

• Objective To manually synchronize SUS content
• Use the Microsoft SUS menu through Internet
  Explorer to start the synchronization process as
  directed
• Browse potential updates and explore sorting
  options and details menu
• Approve an update
• Browse logs and other information as directed

44
Automatic Updates

• Clients must have Automatic Updates client
  software installed to obtain security updates
• Some systems have software preinstalled, others
  must manually install
• Automatic Updates can be manually enabled along
  with notification and scheduling options
• To connect to local SUS server to obtain updates,
  must configure clients Registry or Group Policy
  settings
• Group policy settings override local settings

45
Automatic Updates (continued)
46
Activity 10-16 Reviewing Automatic Updates Group
Policy Settings

• Objective To review Group Policy settings for
  Automatic Update
• Start ? Administrative Tools ? Active Directory
  Users and Computers
• Edit the Default Domain Policy and add the wuau
  template as directed
• Browse and configure settings for Automatic
  Updates

47
Planning a Software Updates Services
Infrastructure

• Common methods that organizations use to deploy
  and configure SUS
• Small networks single server running SUS or
  multiple location-based servers managed
  independently
• Enterprise networks multiple SUS servers, single
  synchronization server (hub and spoke)
• High security networks corporate intranet
  disconnected from public Internet. All local
  servers download from special connected server(s).

48
Activity 10-17 Uninstalling Software Update
Services and Internet Information Services

• Objective To uninstall SUS and IIS
• Start ? Control Panel ? Add or Remove Programs
• Remove Software Update Services as directed
• Remove Internet Information Services as directed

49
Summary

• Tools used to manage server tasks and remote
  management of clients
• Microsoft Management Console (MMC)
• Secondary logon feature
• Network troubleshooting process steps define
  problem, gather information about changes, devise
  plan, implement plan, document changes results
• Terminal Services allows users to connect to and
  run applications on remote servers

50
Summary (continued)

• Remote Desktop for Administration allows
  administrators to connect to and interact with
  remote servers
• Administrative authority for Active Directory
  objects can be delegated through object-level and
  attribute-level permissions
• Software Update Services allows control of the
  deployment of security updates throughout a
  network