70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced
Chapter 10: Server Administration

Objectives
• Distinguish between the various methods, tools, and processes used to manage a Windows Server 2003 system
• Understand and configure Terminal Services and Remote Desktop for Administration
• Delegate administrative authority in Active Directory
• Install, configure, and manage Microsoft Software Update Services
Guide to MCSE 70-290, Enhanced

Network Administration Procedures
• In a Windows Server 2003 environment, an administrator will normally be responsible for more than one server
• A useful tool for administrators to manage remote servers is Microsoft Management Console (MMC)
• Secondary logon is another useful tool for administrators

Windows Server 2003 Management Tools
• Server shutdown and restart have new features in Windows Server 2003
• Shutdown Event Tracker logs these events
  • Can include comments on why events occurred
  • Logged as event 1074 in Event Viewer system log

Activity 10-1: Restarting Windows Server 2003
• Objective: To restart Windows Server 2003
• Start > Shut Down > Restart
• Configure the Shutdown Event Tracker options

Activity 10-2: Viewing Shutdown Events in the Event Viewer System Log
• Objective: Use Event Viewer to view server shutdown events
• Start > Administrative Tools > Event Viewer > System
• Look for the shutdown event that was generated in the previous activity
• Explore other shutdown events

The Microsoft Management Console
• MMC provides a unified framework for hosting multiple management tools (snap-ins)
• Can add and remove management tools as necessary and save custom tools for use by authorized administrators
• Console saved as Management Saved Console (MSC) file with .msc extension
• Can focus snap-ins to point to remote clients or servers

Activity 10-3: Using the MMC to View Information on a Remote Computer
• Objective: Use MMC to view system logs on a remote computer
• Focus the Event Viewer to connect to another computer from an existing MMC
• Browse the system and application logs on the remote computer
• Focus back to the local computer

Activity 10-4: Creating a Taskpad
• Objective: Create a taskpad to simplify administrative tasks
• A taskpad view provides a graphical representation of the tasks that can be performed in an MMC
• Create a new MMC with an Event Viewer
• Create and configure a taskpad view using the New Taskpad View Wizard
• Save the new MMC

Secondary Logon
• Recommendation is for network administrators to have two logon accounts
  • One with administrative rights
  • One with normal user rights
• Secondary logon feature allows you to log on with a user account and open administrative tools as an administrator

Activity 10-5: Using the Windows Server 2003 Secondary Logon Feature
• Objective: Use the Run as command to open a program with a secondary account
• Start > Administrative Tools > right-click Event Viewer > Run as
• Log on with alternative credentials in Run As dialog box

Activity 10-6: Using the Secondary Logon Feature from the Command Line
• Objective: To log on using alternate credentials from the command line
• Start > Run > enter cmd in Open box to open a command prompt
• Enter command-line form of runas to open the Event Viewer as directed in the exercise

Network Troubleshooting Processes
• Need a systematic approach to troubleshooting
• Recommended steps
  • Define the problem
  • Gather detailed information about what has changed
  • Devise a plan to solve the problem
  • Implement the plan and observe the results
  • Document all changes and results

Define the Problem
• Indication of a problem is often
  • A general complaint from a user
  • An error message
• Ask questions of user
• Try to recreate the problem in a test
• To decode error messages, use net utility
  • At command prompt, type NET HELPMSG number

Gather Detailed Information About What Has Changed
• Factors to consider include
  • Any new components installed recently?
  • Who has access to computer? Have they made any changes?
  • Any software or service patches installed recently?

Devise a Plan to Solve the Problem
• Important considerations when devising a plan:
  • Interruptions to network or its components (e.g., restarts)
  • Possible changes to network security policy
  • Need to document all changes and troubleshooting steps
• Be sure to include a rollback strategy in case plan doesn't work

Implement the Plan; Observe Results; Document All Changes and Results
• Notify users if network availability will be affected
• Do not make too many configuration changes at one time
• If plan doesn't work, document what was done and start again
• Document all troubleshooting steps, results, and configuration changes

Configuring Terminal Services and Remote Desktop for Administration
• Two services that provide remote access to a server desktop
  • Terminal Services allows users to connect in order to run applications
  • Remote Desktop for Administration allows an administrator to connect in order to run administrative services

Enabling Remote Desktop for Administration
• Installed automatically as a part of Windows Server 2003
• Disabled by default
• Once enabled, only Administrators group can connect by default
• Additional users can be granted access

Activity 10-7: Enabling and Testing Remote Desktop for Administration
• Objective: To enable and test Remote Desktop for Administration
• Start > Control Panel > System > Remote tab
• Enable Remote Desktop for Administration on the server as directed in the activity
• Connect to the server using the Remote Desktop Connection tool
• Disconnect leaving session open and then disconnect closing the session

Installing Terminal Services
• Installed from Add/Remove Windows Components of Add or Remove Programs (in Control Panel)
• To set up a Terminal server, one Windows Server 2003 server in network must be configured as a Terminal Services licensing server

Activity 10-8: Installing Terminal Services
• Objective: To install Windows Server 2003 Terminal Services on a server
• Start > Control Panel > Add or Remove Programs > Add/Remove Windows Components
• Use the Windows Components Wizard to install Terminal Server as directed

Managing Terminal Services
• Three primary tools for Terminal Services administration:
  • Terminal Services Manager
  • Terminal Services Configuration
  • Terminal Services Licensing

Configuring Remote Connection Settings
• Primary tool is Terminal Services Configuration
  • Settings related to connection attempts
  • Settings related to permissions of user or group accounts
• Configured from properties of a Terminal Server connection object: 1 object for multiple user connections
• Settings include:
  • Authentication (none or standard Windows)
  • Encryption (client compatible or high)

Activity 10-9: Exploring Terminal Services Settings
• Objective: To explore and configure Terminal Services settings
• Start > Administrative Tools > Terminal Services Configuration
• Browse and configure settings as directed in the activity

Terminal Services Client Software
• Terminal Server folder containing client software packages:
  • %Systemroot%\system32\clients\tsclient\win32
  • Contains files to install Remote Desktop Connection
  • Provided as both MSI file and Win32 executable
• Share folder and initiate installation process either manually or through Group Policy deployment
• Pre-installed on Windows Server 2003 and Windows XP

Installing Applications
• Applications must be installed in a mode for multiple users compatible with Terminal Server (install mode)
• Use Add or Remove Programs applet in Control Panel after Terminal Server is installed
• Can also place Windows Server 2003 in install mode from command line
  • change user /install to begin
  • change user /execute when finished
• May need to reinstall some applications

Configuring Terminal Services User Properties
• Terminal Server adds four tabs to properties of user accounts
  • Terminal Services Profile – user can configure a special connection profile and home directory
  • Remote control – configures remote control properties for a user account
  • Sessions – configures a maximum session time and disconnect options
  • Environment – configures a program to run automatically when user connects to terminal server

Activity 10-10: Exploring Terminal Services User Account Settings
• Objective: Explore Terminal Services user account settings using Active Directory Users and Computers
• Start > Administrative Tools > Active Directory Users and Computers > Users
• Explore the settings on the four Terminal Services tabs: Terminal Services Profile, Remote control, Sessions, and Environment

Delegating Administrative Authority
• Active Directory is a database and must be protected
• Uses permissions similar to NTFS file permissions
• Administrators have full access by default
• Users are given read permission for most attributes by default
• Administrator can edit permissions
• Must take care not to make any objects completely inaccessible

Active Directory Object Permissions
• Objects can be assigned permissions at 2 levels:
• Object-level permissions
  • Must be granted for a user to create or modify an OU, user, or group account
  • Applied according to a preconfigured set of standard permissions
• Attribute-level permissions
  • Control which attributes a user or group can view or modify
• If not explicitly set, object inherits parent container's permissions

Activity 10-11: Exploring Active Directory Object Permissions
• Objective: Explore Active Directory object permission settings
• Start > Administrative Tools > Active Directory Users and Computers > View (menu bar) > Advanced Features
• Access the properties of an OU and explore the various permission configurations as directed in the exercise

Permission Inheritance
• Child objects inherit permissions from parent objects by default when child object is created
• If permissions to parent are changed subsequently, can force permission changes to child if desired
• Can modify default inheritance by blocking it at the container or object level

Delegating Authority Over Active Directory Objects
• Allows you to distribute/decentralize process of administering Active Directory
• Steps to delegating authority
  • Design OU structure to permit distribution
  • Configure permissions to support appropriate distribution
• Implementing delegation
  • Can manage permissions directly from Security tab
  • Can use Delegation of Control Wizard

Activity 10-12: Using the Delegation of Control Wizard
• Objective: Delegate control of an OU using the Active Directory Users and Computers Delegation of Control Wizard
• To start wizard, right-click OU and click Delegate Control
• Delegate a specific permission to a group following directions in the exercise
• Verify that the permission appears as expected

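The object-level and attribute-level permissions described above can also be granted and checked from a command prompt, which leaves a repeatable record of exactly what was delegated. The batch file below is an added example, not part of the original slides; it assumes dsacls.exe from the Windows Support Tools is installed, and the OU, domain and group names are placeholders.

```batch
@echo off
rem Added example: delegate password resets on one OU to a help-desk group,
rem then list the resulting ACL entries. Requires dsacls.exe (Support Tools).
rem The OU, domain and group names below are placeholders.
setlocal
set "OU=OU=Sales,DC=example,DC=com"
set "GRPNAME=HelpDesk"
set "GRP=EXAMPLE\%GRPNAME%"

rem Object-level extended right: allow Reset Password on user objects
rem below the OU (/I:S = apply to child objects only, not the OU itself).
dsacls "%OU%" /I:S /G "%GRP%:CA;Reset Password;user"

rem Attribute-level permission: allow writing pwdLastSet on user objects,
rem so the group can require a password change at next logon.
dsacls "%OU%" /I:S /G "%GRP%:WP;pwdLastSet;user"

rem Verify: show only the ACL entries that mention the delegated group.
rem Anything beyond the two grants above deserves a closer look.
dsacls "%OU%" | findstr /i "%GRPNAME%"
endlocal
```

Granting only the specific right and attribute, scoped to user objects, keeps the delegation narrower than giving the group Full Control on the OU.
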
Software Update Services
• Software Update Services (SUS) allows an administrator to control the deployment of O.S. security updates and critical packages
• Intended to minimize administrative effort required to keep O.S. protected
• 2 main elements:
  • Client component: updated version of Windows Automatic Updates, clients contact server to get updates
  • Server component: can be installed on a server running Windows 2000 or Server 2003

Installing Software Update Services
• SUS client and server components available for download from Microsoft Web site
• Requires minimum hardware and a dedicated server if possible
• Internet Information Services version 5.0 or higher and Internet Explorer 5.5 or higher are prerequisites
• Server component can be installed on Windows 2000 Server, Windows Server 2003, or Microsoft Small Business Server 2000

Activity 10-13: Installing Software Update Services
• Objective: To install the server component of Software Update Services (after installing IIS)
• Start > Control Panel > Add or Remove Programs > Add/Remove Windows Components
• Install IIS following instructions
• Run the SUS10SP1.exe file to start installation of SUS
• Follow directions to run Microsoft Software Update Services Setup Wizard
• Complete installation as directed

How Software Update Services Works
• Purpose of SUS is to provide centralized facility for clients to obtain security package updates automatically
• SUS server can store updates locally or store catalog with clients downloading from Internet
• Administrator must approve an update before clients can download it
• Clients must have Automatic Updates software installed to interact with SUS server

Configuring Software Update Services
• Default SUS configurations (Typical option):
  • Updates downloaded from Internet servers
  • Proxy server settings are set to Automatic
  • Downloaded content is stored locally on SUS server
  • Packages are downloaded in all supported languages
  • If changes occur to an approved package, changed package is not approved
• Administration is Web-based, password protected
• On-line resources include SUS Overview Whitepaper, SUS Deployment Guide, Windows Update, Security Web sites

Activity 10-14: Configuring Software Update Services Settings
• Objective: To configure SUS settings
• Start > All Programs > Internet Explorer
• Enter the SUS administration Web address and log on as directed
• Browse the Set options pages
• Configure your SUS to maintain updates on a Microsoft Windows Update server

Activity 10-15: Synchronizing Software Update Services Content
• Objective: To manually synchronize SUS content
• Use the Microsoft SUS menu through Internet Explorer to start the synchronization process as directed
• Browse potential updates and explore sorting options and details menu
• Approve an update
• Browse logs and other information as directed

Automatic Updates
• Clients must have Automatic Updates client software installed to obtain security updates
• Some systems have software preinstalled, others must manually install
• Automatic Updates can be manually enabled along with notification and scheduling options
• To connect to local SUS server to obtain updates, must configure client's Registry or Group Policy settings
• Group policy settings override local settings

Activity 10-16: Reviewing Automatic Updates Group Policy Settings
• Objective: To review Group Policy settings for Automatic Update
• Start > Administrative Tools > Active Directory Users and Computers
• Edit the Default Domain Policy and add the wuau template as directed
• Browse and configure settings for Automatic Updates

Planning a Software Update Services Infrastructure
• Common methods that organizations use to deploy and configure SUS
  • Small networks: single server running SUS or multiple location-based servers managed independently
  • Enterprise networks: multiple SUS servers, single synchronization server (hub and spoke)
  • High security networks: corporate intranet disconnected from public Internet. All local servers download from special connected server(s).

Activity 10-17: Uninstalling Software Update Services and Internet Information Services
• Objective: To uninstall SUS and IIS
• Start > Control Panel > Add or Remove Programs
• Remove Software Update Services as directed
• Remove Internet Information Services as directed

Summary
• Tools used to manage server tasks and remote management of clients:
  • Microsoft Management Console (MMC)
  • Secondary logon feature
• Network troubleshooting process steps: define problem, gather information about changes, devise plan, implement plan, document changes & results
• Terminal Services allows users to connect to and run applications on remote servers

Summary (continued)
• Remote Desktop for Administration allows administrators to connect to and interact with remote servers
• Administrative authority for Active Directory objects can be delegated through object-level and attribute-level permissions
• Software Update Services allows control of the deployment of security updates throughout a network