Chapter 10: Server Administration


Published in: Technology

  1. Managing a Microsoft Windows Server 2003 Environment. Chapter 10: Server Administration
  2. Objectives
      • Distinguish between the various methods, tools, and processes used to manage a Windows Server 2003 system
      • Understand and configure Terminal Services and Remote Desktop for Administration
      • Delegate administrative authority in Active Directory
      • Install, configure, and manage Microsoft Software Update Services
  3. Network Administration Procedures
      • In a Windows Server 2003 environment, an administrator will normally be responsible for more than one server
      • A useful tool for administrators to manage remote servers is Microsoft Management Console (MMC)
      • Secondary logon is another useful tool for administrators
  4. Windows Server 2003 Management Tools
      • Server shutdown and restart have new features in Windows Server 2003
          • Shutdown Event Tracker logs these events
          • Can include comments on why events occurred
          • Logged as event 1074 in Event Viewer system log
  5. Activity 10-1: Restarting Windows Server 2003
      • Objective: to restart Windows Server 2003
      • Start → Shut Down → Restart
      • Configure the Shutdown Event Tracker options
  6. Activity 10-2: Viewing Shutdown Events in the Event Viewer System Log
      • Objective: Use Event Viewer to view server shutdown events
      • Start → Administrative Tools → Event Viewer → System
      • Look for the shutdown event that was generated in the previous activity
      • Explore other shutdown events
  7. The Microsoft Management Console
      • MMC provides a unified framework for hosting multiple management tools (snap-ins)
      • Can add and remove management tools as necessary and save custom tools for use by authorized administrators
      • Console saved as Management Saved Console (MSC) file with .msc extension
      • Can focus snap-ins to point to remote clients or servers
  8. Activity 10-3: Using the MMC to View Information on a Remote Computer
      • Objective: Use MMC to view system logs on a remote computer
      • Focus the Event Viewer to connect to another computer from an existing MMC
      • Browse the system and application logs on the remote computer
      • Focus back to the local computer
  9. Activity 10-4: Creating a Taskpad
      • Objective: create a taskpad to simplify administrative tasks
      • A taskpad view provides a graphical representation of the tasks that can be performed in an MMC
      • Create a new MMC with an Event Viewer
      • Create and configure a taskpad view using the New Taskpad View Wizard
      • Save the new MMC
  10. Secondary Logon
      • Recommendation is for network administrators to have two logon accounts
          • One with administrative rights
          • One with normal user rights
      • Secondary logon feature allows you to log on with a user account and open administrative tools as an administrator
  11. Activity 10-5: Using the Windows Server 2003 Secondary Logon Feature
      • Objective: Use the Run as command to open a program with a secondary account
      • Start → Administrative Tools → right-click Event Viewer → Run as
      • Log on with alternative credentials in Run As dialog box
  12. Activity 10-6: Using the Secondary Logon Feature from the Command Line
      • Objective: To log on using alternate credentials from the command line
      • Start → Run → enter cmd in Open box to open a command prompt
      • Enter command-line form of runas to open the Event Viewer as directed in the exercise
  13. Network Troubleshooting Processes
      • Need a systematic approach to troubleshooting
      • Recommended steps
          • Define the problem
          • Gather detailed information about what has changed
          • Devise a plan to solve the problem
          • Implement the plan and observe the results
          • Document all changes and results
  14. Define the Problem
      • Indication of a problem is often
          • A general complaint from a user
          • An error message
      • Ask questions of user
      • Try to recreate the problem in a test
      • To decode error messages, use net utility
          • At command prompt, type NET HELPMSG number
  15. Gather Detailed Information About What Has Changed
      • Factors to consider include
          • Any new components installed recently?
          • Who has access to computer? Have they made any changes?
          • Any software or service patches installed recently?
  16. Devise a Plan to Solve the Problem
      • Important considerations when devising a plan:
          • Interruptions to network or its components (e.g., restarts)
          • Possible changes to network security policy
          • Need to document all changes and troubleshooting steps
      • Be sure to include a rollback strategy in case plan doesn’t work
  17. Implement the Plan; Observe Results; Document All Changes and Results
      • Notify users if network availability will be affected
      • Do not make too many configuration changes at one time
      • If plan doesn’t work, document what was done and start again
      • Document all troubleshooting steps, results, and configuration changes
  18. Configuring Terminal Services and Remote Desktop for Administration
      • Two services that provide remote access to a server desktop
      • Terminal Services allows users to connect in order to run applications
      • Remote Desktop for Administration allows an administrator to connect in order to run administrative services
  19. Enabling Remote Desktop for Administration
      • Installed automatically as a part of Windows Server 2003
      • Disabled by default
      • Once enabled, only Administrators group can connect by default
          • Additional users can be granted access
  20. Activity 10-7: Enabling and Testing Remote Desktop for Administration
      • Objective: To enable and test Remote Desktop for Administration
      • Start → Control Panel → System → Remote tab
      • Enable Remote Desktop for Administration on the server as directed in the activity
      • Connect to the server using the Remote Desktop Connection tool
      • Disconnect leaving session open and then disconnect closing the session
  21. Installing Terminal Services
      • Installed from Add/Remove Windows Components of Add or Remove Programs (in Control Panel)
      • To set up a Terminal server, one Windows Server 2003 server in network must be configured as a Terminal Services licensing server
  22. Activity 10-8: Installing Terminal Services
      • Objective: To install Windows Server 2003 Terminal Services on a server
      • Start → Control Panel → Add or Remove Programs → Add/Remove Windows Components
      • Use the Windows Components Wizard to install Terminal Server as directed
  23. Managing Terminal Services
      • Three primary tools for Terminal Services administration:
          • Terminal Services Manager
          • Terminal Services Configuration
          • Terminal Services Licensing
  24. Configuring Remote Connection Settings
      • Primary tool is Terminal Services Configuration
          • Settings related to connection attempts
          • Settings related to permissions of user or group accounts
      • Configured from properties of a Terminal Server connection object: 1 object for multiple user connections
      • Settings include:
          • Authentication (none or standard Windows)
          • Encryption (client compatible or high)
  25. Configuring Remote Connection Settings (continued)
  26. Activity 10-9: Exploring Terminal Services Settings
      • Objective: to explore and configure Terminal Services settings
      • Start → Administrative Tools → Terminal Services Configuration
      • Browse and configure settings as directed in the activity
  27. Terminal Services Client Software
      • Terminal Server folder containing client software packages:
          • %Systemroot%\system32\clients\tsclient\win32
      • Contains files to install Remote Desktop Connection
      • Provided as both MSI file and Win32 executable
      • Share folder and initiate installation process either manually or through Group Policy deployment
      • Pre-installed on Windows Server 2003 and Windows XP
  28. Installing Applications
      • Applications must be installed in a mode for multiple users compatible with Terminal Server (install mode)
      • Use Add or Remove Programs applet in Control Panel after Terminal Server is installed
      • Can also place Windows Server 2003 in install mode from command line
          • Change user /install to begin
          • Change user /execute when finished
      • May need to reinstall some applications
  29. Configuring Terminal Services User Properties
      • Terminal Server adds four tabs to properties of user accounts
          • Terminal Services Profile – user can configure a special connection profile and home directory
          • Remote control – configures remote control properties for a user account
          • Sessions – configures a maximum session time and disconnect options
          • Environment – configures a program to run automatically when user connects to terminal server
  30. Activity 10-10: Exploring Terminal Services User Account Settings
      • Objective: Explore Terminal Services user account settings using Active Directory Users and Computers
      • Start → Administrative Tools → Active Directory Users and Computers → Users
      • Explore the settings on the four Terminal Services tabs: Terminal Services Profile, Remote control, Sessions, and Environment
  31. Delegating Administrative Authority
      • Active Directory is a database and must be protected
      • Uses permissions similar to NTFS file permissions
      • Administrators have full access by default
      • Users are given read permission for most attributes by default
      • Administrator can edit permissions
          • Must take care not to make any objects completely inaccessible
  32. Active Directory Object Permissions
      • Objects can be assigned permissions at 2 levels:
          • Object-level permissions
              • Must be granted for a user to create or modify an OU, user, or group account
              • Applied according to a preconfigured set of standard permissions
          • Attribute-level permissions
              • Control which attributes a user or group can view or modify
      • If not explicitly set, object inherits parent container’s permissions
  33. Activity 10-11: Exploring Active Directory Object Permissions
      • Objective: Explore Active Directory object permission settings
      • Start → Administrative Tools → Active Directory Users and Computers → View (menu bar) → Advanced Features
      • Access the properties of an OU and explore the various permission configurations as directed in the exercise
  34. Permission Inheritance
      • Child objects inherit permissions from parent objects by default when child object is created
      • If permissions to parent are changed subsequently, can force permission changes to child if desired
      • Can modify default inheritance by blocking it at the container or object level
  35. Delegating Authority Over Active Directory Objects
      • Allows you to distribute/decentralize process of administering Active Directory
      • Steps to delegating authority
          • Design OU structure to permit distribution
          • Configure permissions to support appropriate distribution
      • Implementing delegation
          • Can manage permissions directly from Security tab
          • Can use Delegation of Control Wizard
  36. Activity 10-12: Using the Delegation of Control Wizard
      • Objective: Delegate control of an OU using the Active Directory Users and Computers Delegation of Control Wizard
      • To start wizard, right-click OU and click Delegate Control
      • Delegate a specific permission to a group following directions in the exercise
      • Verify that the permission appears as expected
  37. Software Update Services
      • Software Update Services (SUS) allows an administrator to control the deployment of O.S. security updates and critical packages
      • Intended to minimize administrative effort required to keep O.S. protected
      • 2 main elements:
          • Client component: updated version of Windows Automatic Updates, clients contact server to get updates
          • Server component: can be installed on a server running Windows 2000 or Server 2003
  38. Installing Software Update Services
      • SUS client and server components available for download from Microsoft Web site
      • Requires minimum hardware and a dedicated server if possible
      • Internet Information Services version 5.0 or higher and Internet Explorer 5.5 or higher are prerequisites
      • Server component can be installed on Windows 2000 Server, Windows Server 2003, or Microsoft Small Business Server 2000
  39. Activity 10-13: Installing Software Update Services
      • Objective: To install the server component of Software Update Services (after installing IIS)
      • Start → Control Panel → Add or Remove Programs → Add/Remove Windows Components
      • Install IIS following instructions
      • Run the SUS10SP1.exe file to start installation of SUS
      • Follow directions to run Microsoft Software Update Services Setup Wizard
      • Complete installation as directed
  40. How Software Update Services Works
      • Purpose of SUS is to provide centralized facility for clients to obtain security package updates automatically
      • SUS server can store updates locally or store catalog with clients downloading from Internet
      • Administrator must approve an update before clients can download it
      • Clients must have Automatic Updates software installed to interact with SUS server
  41. Configuring Software Update Services
      • Default SUS configurations (Typical option):
          • Updates downloaded from Internet servers
          • Proxy server settings are set to Automatic
          • Downloaded content is stored locally on SUS server
          • Packages are downloaded in all supported languages
          • If changes occur to an approved package, changed package is not approved
      • Administration is Web-based, password protected
      • On-line resources include SUS Overview Whitepaper, SUS Deployment Guide, Windows Update, Security Web sites
  42. Activity 10-14: Configuring Software Update Services Settings
      • Objective: To configure SUS settings
      • Start → All Programs → Internet Explorer
      • Enter the SUS administration Web address and log on as directed
      • Browse the Set options pages
      • Configure your SUS to maintain updates on a Microsoft Windows Update server
  43. Activity 10-15: Synchronizing Software Update Services Content
      • Objective: To manually synchronize SUS content
      • Use the Microsoft SUS menu through Internet Explorer to start the synchronization process as directed
      • Browse potential updates and explore sorting options and details menu
      • Approve an update
      • Browse logs and other information as directed
  44. Automatic Updates
      • Clients must have Automatic Updates client software installed to obtain security updates
      • Some systems have the software preinstalled; on others it must be installed manually
      • Automatic Updates can be manually enabled along with notification and scheduling options
      • To connect to local SUS server to obtain updates, must configure client’s Registry or Group Policy settings
      • Group Policy settings override local settings
  45. Automatic Updates (continued)
  46. Activity 10-16: Reviewing Automatic Updates Group Policy Settings
      • Objective: To review Group Policy settings for Automatic Update
      • Start → Administrative Tools → Active Directory Users and Computers
      • Edit the Default Domain Policy and add the wuau template as directed
      • Browse and configure settings for Automatic Updates
  47. Planning a Software Update Services Infrastructure
      • Common methods that organizations use to deploy and configure SUS
          • Small networks: single server running SUS or multiple location-based servers managed independently
          • Enterprise networks: multiple SUS servers, single synchronization server (hub and spoke)
          • High security networks: corporate intranet disconnected from public Internet. All local servers download from special connected server(s).
  48. Activity 10-17: Uninstalling Software Update Services and Internet Information Services
      • Objective: To uninstall SUS and IIS
      • Start → Control Panel → Add or Remove Programs
      • Remove Software Update Services as directed
      • Remove Internet Information Services as directed
  49. Summary
      • Tools used to manage server tasks and remote management of clients:
          • Microsoft Management Console (MMC)
          • Secondary logon feature
      • Network troubleshooting process steps: define problem, gather information about changes, devise plan, implement plan, document changes & results
      • Terminal Services allows users to connect to and run applications on remote servers
  50. Summary (continued)
      • Remote Desktop for Administration allows administrators to connect to and interact with remote servers
      • Administrative authority for Active Directory objects can be delegated through object-level and attribute-level permissions
      • Software Update Services allows control of the deployment of security updates throughout a network
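
An added example for the delegation slides (32, 34 and 36), not part of the original deck: a PowerShell review of the permissions set directly on an OU, labelling each entry as object-level or attribute-level and reporting whether inheritance is blocked. The function names, the OU path, the group names and the GUID in the sample data are assumptions made for illustration.

```powershell
# Added example, not from the slides. Names and sample values are constructed.
Add-Type -AssemblyName System.DirectoryServices

function Get-AceLevel {
    # Labels one access rule with the two levels named on slide 32.
    param($Rule)
    $rightsType   = [System.DirectoryServices.ActiveDirectoryRights]
    $propertyBits = [int]($rightsType::ReadProperty) -bor [int]($rightsType::WriteProperty)
    $rights       = [int]$Rule.ActiveDirectoryRights
    # Attribute-level: the entry grants nothing except reading or writing properties.
    # ObjectType then names the attribute or property set (empty GUID = all attributes).
    $hasProperty  = ($rights -band $propertyBits) -ne 0
    $onlyProperty = ($rights -band (-bnot $propertyBits)) -eq 0
    if ($hasProperty -and $onlyProperty) { 'Attribute-level' } else { 'Object-level' }
}

function Get-OuDelegation {
    # Lists the entries set on the OU itself, which is where a delegation made
    # on that OU is recorded; entries inherited from the parent are left out.
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $ou       = [ADSI]"LDAP://$DistinguishedName"
    $security = $ou.psbase.ObjectSecurity
    # Arguments: includeExplicit = $true, includeInherited = $false
    $rules = $security.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        New-Object psobject -Property @{
            Identity           = $rule.IdentityReference.Value
            Access             = $rule.AccessControlType
            Rights             = $rule.ActiveDirectoryRights
            AppliesTo          = $rule.ObjectType
            Level              = Get-AceLevel $rule
            # True when inheritance from the parent container is blocked (slide 34)
            InheritanceBlocked = $security.AreAccessRulesProtected
        }
    }
}

# Constructed sample rules, shaped like ActiveDirectoryAccessRule objects, so the
# classification can be tried without a domain.
$R = [System.DirectoryServices.ActiveDirectoryRights]
$sample = @(
    New-Object psobject -Property @{
        IdentityReference     = 'EXAMPLE\HelpDesk'
        ActiveDirectoryRights = $R::WriteProperty
        ObjectType            = [guid]'11111111-2222-3333-4444-555555555555'  # placeholder
    }
    New-Object psobject -Property @{
        IdentityReference     = 'EXAMPLE\OUAdmins'
        ActiveDirectoryRights = ($R::CreateChild -bor $R::DeleteChild)
        ObjectType            = [guid]::Empty
    }
)
$sample | ForEach-Object { '{0}: {1}' -f $_.IdentityReference, (Get-AceLevel $_) }

# On a domain member (placeholder OU path):
# Get-OuDelegation 'OU=Sales,DC=example,DC=local' | Format-Table -AutoSize
```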
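
An added example for the Automatic Updates slide (44), not part of the original deck: a PowerShell check that a client's policy registry values direct it to the internal SUS server rather than to the public Windows Update site. The registry value names are those Microsoft documents for Automatic Updates policy and do not appear on the slides; the function names and `http://sus01.example.local` are placeholders.

```powershell
# Added example, not from the slides. Server URL and function names are assumptions.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-AutoUpdatePolicy {
    # Reads the Automatic Updates policy values from the local registry.
    # Group Policy and manual registry configuration both write to this key.
    $policy = @{}
    $names  = 'WUServer', 'WUStatusServer', 'UseWUServer', 'NoAutoUpdate'
    foreach ($key in $PolicyKey, "$PolicyKey\AU") {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($item) {
            foreach ($name in $names) {
                if ($null -ne $item.$name) { $policy[$name] = $item.$name }
            }
        }
    }
    $policy
}

function Test-AutoUpdatePolicy {
    # Returns one finding per problem; no output means the client is set as expected.
    param(
        [Parameter(Mandatory = $true)][hashtable]$Policy,
        [Parameter(Mandatory = $true)][string]$ExpectedServer
    )
    $findings = @()
    if ($Policy['UseWUServer'] -ne 1) {
        $findings += 'UseWUServer is not 1: the WUServer setting is ignored'
    }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        if (-not $Policy.ContainsKey($name)) {
            $findings += "$name is not set"
        } elseif ($Policy[$name].TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
            $findings += "$name is '$($Policy[$name])', expected '$ExpectedServer'"
        }
    }
    if ($Policy['NoAutoUpdate'] -eq 1) {
        $findings += 'NoAutoUpdate is 1: Automatic Updates is turned off'
    }
    $findings
}

# Constructed sample: the server is named, but the switch that makes the
# client use it was never enabled.
$sample = @{
    WUServer       = 'http://sus01.example.local'
    WUStatusServer = 'http://sus01.example.local'
    UseWUServer    = 0
}
Test-AutoUpdatePolicy -Policy $sample -ExpectedServer 'http://sus01.example.local'

# Against the local machine:
# Test-AutoUpdatePolicy -Policy (Get-AutoUpdatePolicy) -ExpectedServer 'http://sus01.example.local'
```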