Managing Servers Lesson 10
Skills Matrix
Technology Skill | Objective Domain | Objective #
Using Remote Desktop | Plan server management strategies | 2.1
Delegating Administration Tasks | Plan for delegated administration | 2.2
Updating Servers | Implement patch management strategy | 3.1
Remote Administration Server administrators frequently have to work with a lot of different computers, and often those computers are located in other rooms, other buildings, or even other cities. Rather than open a server closet, enter a secured data center, or travel to another site, Windows Server 2008 makes it possible to perform most server management tasks remotely.
Configuring Windows Server 2008 When you start a Windows Server 2008 computer for the first time after installing the operating system, the Initial Configuration Tasks window displays. This window presents a consolidated view of the post-installation tasks that, in previous Windows Server versions, you had to perform using various interfaces presented during and after the OS setup process. Server Manager is an MMC console that provides a selection of the most commonly used Windows Server 2008 management tools.
Remote Administration Unlike many MMC consoles, you cannot point Server Manager to another computer to manage it remotely. You can, however, use Remote Desktop to connect to another computer and run Server Manager within the Remote Desktop session. You can also create your own MMC console containing the various snap-ins found in Server Manager and point it to any other server on the network.
MMC Consoles MMC provides a standardized, common interface for application modules called snap-ins, which you can use to configure operating system settings, applications, and services. MMC snap-ins are individualized to specific tasks, and you can combine, order, and group them within the MMC shell to your individual preferences. An instance of MMC with one or more snap-ins installed is referred to as a console.
MMC Consoles Most of the primary administrative tools in Windows Server 2008 are MMC consoles with collections of snap-ins installed that are suited to a specific purpose. With only a few exceptions, all of the shortcuts that can appear in the Administrative Tools program group on a computer running Windows Server 2008 are links to pre-configured MMC consoles.
MMC Consoles Windows Server 2008 includes a large collection of MMC snap-ins, not all of which are immediately accessible using the default shortcuts in the Start menu. There are some extremely powerful tools included with the operating system that you must seek out yourself. It is also possible for third-party software developers to create their own MMC snap-ins and include them with their products.
Customized MMC Console One of the most powerful MMC features is the ability to create customized consoles containing whatever snap-ins you want to use. You can combine one or more snap-ins or parts of snap-ins in a single console, to create a single interface in which you can perform all of your administrative tasks. By creating a custom MMC console, you do not have to switch between different programs or individual consoles. Customized consoles can contain any of the Windows Server 2008 snap-ins, whether they are already included in a preconfigured console or not, as well as any third-party snap-ins you might have.
Standalone and Extension Snap-ins There are two types of MMC snap-ins, as follows:
– Standalone snap-ins: A standalone snap-in is a single tool that you can install directly into an empty MMC console. Standalone snap-ins appear in the first level directly beneath the console root in the console’s scope pane.
– Extension snap-ins: An extension snap-in provides additional functionality to specific standalone snap-ins. You cannot add an extension snap-in to a console without adding an appropriate standalone snap-in first. Extension snap-ins appear beneath the associated standalone snap-in in the console’s scope pane.
Console Options By default, all new consoles you create are configured to use Author mode, which provides full access to all console functions. The available modes you can choose from are as follows:
– Author Mode
– User Mode-Full Access
– User Mode-Limited Access, Multiple Windows
– User Mode-Limited Access, Single Window
Connecting to a Remote Computer The MMC consoles that appear in the Start menu of a computer running Windows Server 2003 are all configured to manage resources on the local system. However, many of the snap-ins supplied with Windows Server 2008 enable you to manage other Windows computers on the network as well. There are two ways to access a remote computer using an MMC snap-in, as follows:
– Redirect an existing snap-in to another system.
– Create a custom console with snap-ins directed to other systems.
Remote Desktop Ever since the Windows Server 2003 release, the components that make up the Terminal Services application are fully integrated into the operating system. This means that the Terminal Services capabilities are there, even if you do not have the Terminal Services role installed on the computer. The main reason for this is so administrators can use Terminal Services to manage remote computers without having to travel to a distant location. In Windows, this capability is known as Remote Desktop.
Remote Desktop Unlike Terminal Services, which supports multiple simultaneous connections and requires clients to have Terminal Services Client Access Licenses (TS CALs), Windows Server 2008 includes licenses for two Remote Desktop connections (three if you count the console). This means that there is no extra cost associated with Windows Server 2008’s remote administration capabilities.
Remote Desktop To use Remote Desktop to administer a server on the network, you must complete the following tasks:
– Enable Remote Desktop on the server.
– Configure Remote Desktop Connection (RDC) on the client.
– Establish a connection between the client and the server.
Remote Desktop Connections By default, the Administrators group on a Windows Server 2008 computer has the permissions needed to establish a Remote Desktop connection. If you want to grant other users the same permissions, you must add them to the Remote Desktop Users group on the server, either by clicking the Select Users button on the Remote tab of the System Properties sheet, or by using the Local Users and Groups MMC snap-in.
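The server-side steps above can also be scripted. The following is an added example, not part of the original lesson: it enables Remote Desktop, requires Network Level Authentication, grants access through the Remote Desktop Users group, and then lists every account that can connect. CONTOSO\ServerOps is a hypothetical group, and an elevated PowerShell session on the server is assumed.

```powershell
# Added example: run in an elevated PowerShell session on the server.
# CONTOSO\ServerOps is a hypothetical group used for illustration.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"

# 1. Enable Remote Desktop (0 = connections allowed, 1 = connections denied).
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0

# 2. Require Network Level Authentication, so clients authenticate
#    before a full desktop session is created on the server.
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1

# 3. Enable the built-in Remote Desktop firewall rule group.
cmd /c 'netsh advfirewall firewall set rule group="remote desktop" new enable=yes'

# 4. Grant access by group membership instead of adding accounts
#    to the local Administrators group.
net localgroup "Remote Desktop Users" "CONTOSO\ServerOps" /add

# 5. Review who can now establish a Remote Desktop connection.
foreach ($name in 'Administrators', 'Remote Desktop Users') {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        '{0,-22} {1}' -f $name, $path
    }
}
```

Because only two administrative connections are licensed, keep the membership list in step 5 short and re-run the review after any change.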
Remote Desktop Connection By configuring the options in the RDC client, administrators can improve the client’s performance and optimize network bandwidth consumption.
Disconnecting from a Session When using Remote Desktop, it is important to distinguish between disconnecting from a session and logging off from one. When you disconnect, the session still exists on the remote computer and any applications you have left open will continue to run. When you log off, the session ends, terminating all running applications.
Delegating Administration Tasks As networks grow larger in size, so do the numbers of administrative tasks there are to perform on a regular basis, and so do the IT staffs that are needed to perform them. Delegating administrative tasks to specific individuals is a natural part of enterprise server management, as is assigning those individuals the permissions they need — and only the permissions they need — to perform those tasks.
Delegating Active Directory Administrative Privileges One of the most common ways of delegating administrative responsibility on an Active Directory network is to give individuals responsibility for branches of the directory tree or for individual objects.
Active Directory Permissions Active Directory has its own permissions system, which functions much like that of the NTFS file system. By granting users and groups permissions to specific Active Directory objects, you can allow them to perform specific administrative tasks on those objects. As with NTFS, Active Directory has a set of standard permissions, which are pre-defined collections of special permissions. You can choose to work with either type of permission, or you can simplify the process by using the Delegation of Control Wizard to create permission assignments.
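The permission assignments described above can be made and then reviewed from the command line. The following is an added example, not part of the original lesson: it delegates a single task (password resets) on one OU with dsacls, then lists the explicit permissions on that OU and flags any that are broader than a single task. The OU and group names are hypothetical, and a host with the Active Directory tools installed is assumed.

```powershell
# Added example; run from a domain controller or a host with the AD DS tools.
# The OU and group below are hypothetical placeholders.
$ouDn  = 'OU=Sales,DC=contoso,DC=com'
$group = 'CONTOSO\HelpDesk'

# Delegate one task only: the "Reset Password" control access right (CA)
# on user objects beneath the OU (/I:S = apply to child objects only).
dsacls $ouDn /I:S /G "${group}:CA;Reset Password;user"

# Review the result: read the explicit (non-inherited) ACEs set on the OU.
$ou    = [ADSI]"LDAP://$ouDn"
$nt    = [System.Security.Principal.NTAccount]
$rules = $ou.psbase.ObjectSecurity.GetAccessRules($true, $false, $nt)

# Rights that amount to control of the whole OU rather than a single task.
$adr   = [System.DirectoryServices.ActiveDirectoryRights]
$broad = $adr::GenericAll, $adr::WriteDacl, $adr::WriteOwner

foreach ($r in $rules) {
    if ($r.AccessControlType -ne 'Allow') { continue }
    # An ACE is flagged only if it contains every bit of a broad right.
    $hits = $broad | Where-Object {
        ([int]$r.ActiveDirectoryRights -band [int]$_) -eq [int]$_
    }
    $flag = if ($hits) { 'REVIEW: broad rights' } else { 'task-scoped' }
    '{0,-30} {1,-22} {2}' -f $r.IdentityReference, $flag, $r.ActiveDirectoryRights
}
```

Any principal flagged for review holds more than the permissions needed for one task and should be checked against the intended delegation.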
Updating Servers One of the most important ongoing tasks faced by server administrators is keeping the network’s servers updated with the latest operating system hotfixes and service packs. Windows Server 2008 includes an Automatic Updates feature that can download and install updates with no user intervention, but this is not always an ideal solution for enterprise network servers.
Windows Server Update Services (WSUS) WSUS is a program that downloads updates from the Microsoft Update Web site and stores them for administrative evaluation. An administrator can then select the updates to deploy and computers on the network download them using a reconfigured Automatic Updates client.
WSUS Architecture There are four basic WSUS architecture configurations, as follows:
– Single WSUS server.
– Multiple independent WSUS servers.
– Multiple synchronized WSUS servers.
– Multiple disconnected WSUS servers.
The WSUS Single Server Architecture
The WSUS Multiple Independent Server Architecture
The WSUS Multiple Synchronized Server Architecture
Multiple Disconnected WSUS Servers The multiple disconnected WSUS server architecture is the same as the multiple synchronized architecture, except that instead of the central WSUS server transmitting updates directly to the secondary servers, administrators save the updates to an offline medium, such as DVD-ROMs, and ship them to remote sites.
WSUS 3.0 Service Pack 1 WSUS 3.0 Service Pack 1 is the first WSUS release that can run on Windows Server WSUS 3.0 SP1 is not supplied with the Windows Server 2008 operating system. It is a free download from the Microsoft Downloads Web site. You must also download Microsoft Report Viewer 2005 or later and install it before using WSUS.
Configuring WSUS Clients To configure Automatic Updates using Group Policy, the recommended practice is to create a new Group Policy object (GPO), configure the required policy settings, and link the GPO to an appropriate domain, site, or organizational unit object. If you are using multiple WSUS servers, you can distribute the client load among them by creating a separate GPO for each server and linking them to different objects.
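Once the GPO is linked, each client stores the resulting Automatic Updates settings in the registry, where they can be checked. The following is an added example, not part of the original lesson: it reads those policy values on a client and reports anything that would stop it from using the intended WSUS server. The server URL is a hypothetical placeholder.

```powershell
# Added example; run on a client that should be receiving the WSUS GPO.
# $expected is a hypothetical WSUS URL; substitute the one set in your GPO.
$expected = 'https://wsus01.contoso.com'
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

if (-not (Test-Path $au)) {
    Write-Warning 'No Windows Update policy keys found: the GPO has not applied.'
    return
}
$wuP = Get-ItemProperty -Path $wu
$auP = Get-ItemProperty -Path $au

# Meaning of the AUOptions policy value.
$modes = @{
    2 = 'Notify before download'
    3 = 'Download automatically, notify before install'
    4 = 'Download automatically, install on schedule'
    5 = 'Local administrator chooses the setting'
}

$findings = @()
if ($auP.UseWUServer -ne 1) {
    $findings += 'UseWUServer is not 1: the client still contacts Microsoft Update'
}
if ($wuP.WUServer -ne $expected) {
    $findings += "WUServer is '$($wuP.WUServer)', expected '$expected'"
}
if ($wuP.WUStatusServer -ne $wuP.WUServer) {
    $findings += 'WUStatusServer differs from WUServer: status goes to another server'
}
if ($auP.NoAutoUpdate -eq 1) {
    $findings += 'NoAutoUpdate is 1: Automatic Updates is disabled'
}
if ($wuP.WUServer -notlike 'https://*') {
    $findings += 'WUServer is not an https:// URL: the client reaches WSUS without TLS'
}

"Update mode : $($modes[$auP.AUOptions])"
if ($findings.Count -eq 0) { 'Client matches the intended WSUS configuration.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run gpupdate /force first if the GPO was linked recently, so the script reads the current policy.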
Summary Server Manager is an MMC console that contains a collection of snap-ins most commonly used by Windows Server 2008 administrators. The Server Manager console integrates the ten snap-ins into a single, categorized interface by default.
Summary MMC provides a standardized, common interface for application modules called snap-ins, which you can use to configure operating system settings, applications, and services. MMC snap-ins are individualized to specific tasks, and you can combine, order, and group them within the MMC shell to your individual preferences. An instance of MMC with one or more snap-ins installed is referred to as a console.
Summary There are two types of MMC snap-ins.
– A standalone snap-in is a single tool that you can install directly into an empty MMC console. Standalone snap-ins appear in the first level directly beneath the console root in the console’s scope pane.
– An extension snap-in provides additional functionality to specific standalone snap-ins. You cannot add an extension snap-in to a console without adding an appropriate standalone snap-in first.
Summary The MMC consoles that appear in the Start menu of a computer running Windows Server 2003 are all configured to manage resources on the local system. However, many of the snap-ins supplied with Windows Server 2008 enable you to manage other Windows computers on the network as well.
Summary Ever since the Windows Server 2003 release, the components that make up the Terminal Services application are fully integrated into the operating system. This means that the Terminal Services capabilities are there, even if you do not have the Terminal Services role installed on the computer. This occurs so that administrators can use Terminal Services to manage remote computers without having to travel to a distant location. In Windows, this capability is known as Remote Desktop.
Summary The general rule of thumb for network file system permission assignments is to never assign permissions to individual user accounts. While it is certainly possible to grant each user individual permissions for every file they need, this would require an enormous amount of work, both in the initial setup and in ongoing maintenance.
Summary Active Directory has its own permissions system, which functions much like that of the NTFS file system. By granting users and groups permissions to specific Active Directory objects, you can allow them to perform specific administrative tasks on those objects.
Summary As with NTFS, Active Directory has a set of standard permissions, which are predefined collections of special permissions. You can choose to work with either type of permission, or you can simplify the process by using the Delegation of Control Wizard to create permission assignments.
Summary Instead of working directly with individual permissions, you can use the Delegation of Control Wizard in the Active Directory Users and Computers console to assign permissions based on common administrative tasks.
Summary Windows Server Update Services (WSUS) is a program that downloads updates from the Microsoft Update Website and stores them for administrative evaluation. An administrator can then select the updates to deploy, and then computers on the network download them using a reconfigured Automatic Updates client.
Summary Before the client computers on the network can download updates from the WSUS server, you must configure their Automatic Updates clients.