Server Administration - PowerPoint PPT Presentation

Slides: 48
Provided by: pbcc
Transcript and Presenter's Notes


1
Server Administration
  • Chapter Ten

2
Network Administration Procedures
  • In a Windows Server 2003 environment, an
    administrator will normally be responsible for
    more than one server
  • A useful tool for administrators to manage remote
    servers is Microsoft Management Console (MMC)
  • Secondary logon is another useful tool for
    administrators

3
Windows Server 2003 Management Tools
  • Server shutdown and restart has new features in
    Windows Server 2003
  • Shutdown Event Tracker logs these events
  • Can include comments on why events occurred
  • Logged as event 1074 in Event Viewer system log
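
An added example (not part of the original slides) that lists Shutdown Event Tracker records with the user, reason and comment recorded for each shutdown or restart. It assumes a Windows system where PowerShell's Get-WinEvent is available (Windows Vista / Server 2008 or later); the function name Get-ShutdownHistory is hypothetical, and the property positions follow the event 1074 message template of the User32 source.

```powershell
# Added example: summarize Shutdown Event Tracker records (event 1074, System log).
# Property order in the User32 1074 template: 0 = process, 1 = computer,
# 2 = reason, 3 = reason code, 4 = shutdown type, 5 = comment, 6 = user.
function Get-ShutdownHistory {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # remote servers can be named here
        [int]$Days = 30
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'User32'
        Id           = 1074
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue suppresses the "no events found" error on a quiet server.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Computer   = $p[1].Value
                User       = $p[6].Value
                Process    = $p[0].Value
                Type       = $p[4].Value
                Reason     = $p[2].Value
                ReasonCode = $p[3].Value
                Comment    = $p[5].Value
            }
        }
}

# Newest first; entries with an empty Comment are the ones to follow up on.
Get-ShutdownHistory -Days 30 |
    Sort-Object Time -Descending |
    Format-Table Time, User, Type, Reason, Comment -AutoSize
```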

4
The Microsoft Management Console
  • MMC provides a unified framework for hosting
    multiple management tools (snap-ins)
  • Can add and remove management tools as necessary
    and save custom tools for use by authorized
    administrators
  • Console saved as Management Saved Console (MSC)
    file with .msc extension
  • Can focus snap-ins to point to remote clients or
    servers

5
Taskpad View
  • Create a taskpad to simplify administrative tasks
  • A taskpad view provides a graphical
    representation of the tasks that can be performed
    in an MMC
  • Create and configure a taskpad view using the New
    Taskpad View Wizard
  • New Taskpad Item - Tree Item Task
  • Can click on specific options: Create User, View
    Specific Components

6
Secondary Logon
  • Recommendation is for network administrators to
    have two logon accounts
  • One with administrative rights
  • One with normal user rights
  • Secondary logon feature allows you to log on with
    user account, open administrative tools as an
    administrator
  • Greater security in these cases

7
Secondary Logon Feature
  • Use the Run as command to open a program with a
    secondary account
  • Start → Administrative Tools → right-click Event
    Viewer → Run as
  • Log on with alternative credentials in Run As
    dialog box

8
Secondary Logon Feature from the Command Line
  • Log on using alternate credentials from the
    command line
  • runas /user:administrator@biznet.com "mmc %windir%\system32\dsa.msc"

9
Remote Administration with IIS
  • Add/Remove Programs
  • Web Services
  • Remote Administration (HTML)
  • https://servername:8098/admin
  • Remote administration through a web interface.

10
Network Troubleshooting Processes
  • Need a systematic approach to troubleshooting
  • Recommended steps
  • Define the problem
  • Gather detailed information about what has
    changed
  • Devise a plan to solve the problem
  • Implement the plan and observe the results
  • Document all changes and results

11
Define the Problem
  • Indication of a problem is often:
  • A general complaint from a user
  • An error message
  • Ask questions of user
  • Try to recreate the problem in a test
  • To decode error messages, use net utility
  • At command prompt, type NET HELPMSG number

12
Gather Detailed Information About What Has Changed
  • Factors to consider include:
  • Any new components installed recently?
  • Who has access to computer? Have they made any
    changes?
  • Any software or service patches installed
    recently?

13
Devise a Plan to Solve the Problem
  • Important considerations when devising a plan
  • Interruptions to network or its components (e.g.,
    restarts)
  • Possible changes to network security policy
  • Need to document all changes and troubleshooting
    steps
  • Be sure to include a rollback strategy in case
    the plan doesn't work

14
Configuring Terminal Services and Remote Desktop
for Administration
  • Two services that provide remote access to a
    server desktop
  • Terminal services allows users to connect in
    order to run applications
  • Remote Desktop for Administration allows an
    administrator to connect in order to run
    administrative services

15
Enabling Remote Desktop for Administration
  • Installed automatically as a part of Windows
    Server 2003
  • Disabled by default
  • Once enabled, only Administrators group can
    connect by default
  • Additional users can be granted access

16
Enabling Remote Desktop for Administration
  • Enable Remote Desktop for Administration
  • Start → Control Panel → System → Remote tab

17
Installing Terminal Services
  • Installed from Add/Remove Windows Components of
    Add or Remove Programs (in Control Panel)
  • To set up a Terminal server, one Windows Server
    2003 server in network must be configured as a
    Terminal Services licensing server

18
Access to Terminal Services
  • Remote Desktop Listening uses port 3389.
  • Remote Desktop Web Connection uses port 80.
  • Must not be blocked by firewall, if you want
    Remote Desktop to work.

19
Managing Terminal Services
  • Three primary tools for Terminal Services
    administration
  • Terminal Services Manager
  • Terminal Services Configuration
  • Terminal Services Licensing

20
Terminal Services Configuration
  • Session, network, client desktop, and client
    remote control settings
  • Bitmap caching - only changes in screen are
    updated

21
Terminal Services Manager
  • Send messages to clients, disconnect or logoff
    session, establish remote control of session
  • Without licensing, Remote Administration mode is
    limited to 2 administrative sessions (Windows
    Server 2003)
  • Application Server mode requires client access
    licenses and a licensing server. If you are using
    Windows XP Professional this number is limited to
    1 remote connection and there is no way to
    increase this number.

22
Terminal Services Licensing Application Mode
  • Terminal Services for Windows 2003 Server -
    application deployment and management for users
    on a variety of devices through its Application
    Server mode. Each device that initiates a Windows
    2003 Terminal Services session must be licensed
    with the following:
  • 1. Windows XP Professional license or Windows
    2003 Terminal Services Client Access license.
  • 2. Windows 2003 Server Client Access license or
    BackOffice family Client Access license.

23
Terminal Services Manager
  • Disconnect an active Terminal Services session.
  • The session remains attached to the Terminal
    Services server in a disconnected state. Programs
    that are currently in use continue to run. When
    you reconnect to the Terminal Services server,
    you can reconnect by using the same session from
    which you disconnected. You can resume working
    without any loss of data in the programs that
    were running when you disconnected.
  • End Session an active Terminal Services session.
  • Applications are terminated and data is lost.

24
Configuring Remote Connection Settings
  • Primary tool is Terminal Services Configuration
  • Settings related to connection attempts
  • Settings related to permissions of user or group
    accounts
  • Configured from properties of a Terminal Server
    connection object (1 object for multiple user
    connections)
  • Settings include:
  • Authentication (none or standard Windows)
  • Encryption for sending data between TS and TS
    Client: client compatible, high (128 bit), low
    (56 bit), or FIPS (Federal Information Processing
    Standard for cryptographic software; may cause
    problems)

25
Configuring Remote Connection Settings
  • Local Resources
  • Audio Mapping
  • Bring sound in addition to standard mouse,
    keyboard, and screen output.
  • Drive Redirection
  • Allows access to drives that are local to the
    user's PC
  • My Computer - shown as Other
  • Clipboard mapping
  • Copy and paste information between session and
    desktop client

26
Configuring Settings at Various Levels
  • Computer Level Group Policy (top level)
  • User Level Group Policy
  • Terminal Services Configuration
  • Account Properties A.D. Users and Computers
  • Remote Desktop User Configuration (lowest level)

27
Configuring Remote Connection Settings (continued)

28
Terminal Services Client Software
  • Terminal Server folder containing client software
    packages
  • %Systemroot%\system32\clients\tsclient\win32
  • Contains files to install Remote Desktop
    Connection
  • Provided as both MSI file and Win32 executable
  • Share folder and initiate installation process
    either manually or through Group Policy
    deployment
  • Pre-installed on Windows Server 2003 and Windows
    XP

29
Installing Applications
  • Applications must be installed in a mode for
    multiple users compatible with Terminal
    Server (install mode)
  • Use Add or Remove Programs applet in Control
    Panel after Terminal Server is installed
  • Can also place Windows Server 2003 in install
    mode from command line
  • Change user /install to begin
  • Change user /execute when finished
  • May need to reinstall some applications

30
Configuring Terminal Services User Properties
  • Terminal Services user account settings using
    Active Directory Users and Computers
  • Terminal Server adds four tabs to properties of
    user accounts
  • Terminal Services Profile: user can configure a
    special connection profile and home directory
    application data
  • Remote control: configures remote control
    properties for a user account
  • Sessions: configures a maximum session time and
    disconnect options
  • Environment: configures a program to run
    automatically when user connects to terminal
    server

31
Delegating Administrative Authority
  • Active Directory is a database and must be
    protected
  • Uses permissions similar to NTFS file permissions
  • Administrators have full access by default
  • Users are given read permission for most
    attributes by default
  • Administrator can edit permissions
  • Must take care not to make any objects completely
    inaccessible

32
Active Directory Object Permissions
  • Objects can be assigned permissions at 2 levels
  • Object-level permissions
  • Must be granted for a user to create or modify an
    OU, user, or group account
  • Applied according to a preconfigured set of
    standard permissions
  • Attribute-level permissions
  • Control which attributes a user or group can view
    or modify
  • If not explicitly set, object inherits parent
    container's permissions

33
Permission Inheritance
  • Child objects inherit permissions from parent
    objects by default when child object is created
  • If permissions to parent are changed
    subsequently, can force permission changes to
    child if desired
  • Can modify default inheritance by blocking it at
    the container or object level

34
Delegating Authority Over Active Directory Objects
  • Allows you to distribute/decentralize process of
    administering Active Directory
  • Steps to delegating authority
  • Design OU structure to permit distribution
  • Configure permissions to support appropriate
    distribution
  • Implementing delegation
  • Can manage permissions directly from Security tab
  • Can use Delegation of Control Wizard

35
Delegation of Control Wizard
  • Delegate control of an OU using the Active
    Directory Users and Computers Delegation of
    Control Wizard
  • To start wizard, right-click OU and click
    Delegate Control
  • Delegate a specific permission to a group
    following directions in the exercise
  • Verify that the permission appears as expected
  • Can delegate control to reset password, create
    users and groups, create Group Policies, create
    computer objects, and other administrative tasks.

36
Software Update Services
  • Software Update Services (SUS) allows an
    administrator to control the deployment of O.S.
    security updates and critical packages
  • Intended to minimize administrative effort
    required to keep O.S. protected
  • 2 main elements:
  • Client component: updated version of Windows
    Automatic Updates; clients contact server to get
    updates
  • Server component: can be installed on a server
    running Windows 2000 or Server 2003

37
Installing Software Update Services
  • SUS client and server components available for
    download from Microsoft Web site
  • Requires minimum hardware and a dedicated server
    if possible
  • Internet Information Services version 5.0 or
    higher and Internet Explorer 5.5 or higher are
    prerequisites
  • Server component can be installed on Windows 2000
    Server, Windows Server 2003, or Microsoft Small
    Business Server 2000

38
How Software Update Services Works
  • Purpose of SUS is to provide centralized facility
    for clients to obtain security package updates
    automatically
  • SUS server can store updates locally or store
    catalog with clients downloading from Internet
  • Administrator must approve an update before
    clients can download it
  • Clients must have Automatic Updates software
    installed to interact with SUS server
  • Downloads Security Updates or Hot Fixes

39
Configuring Software Update Services
  • Default SUS configurations (Typical option)
  • Updates downloaded from Internet servers
  • Proxy server settings are set to Automatic
  • Downloaded content is stored locally on SUS
    server
  • Packages are downloaded in all supported
    languages
  • If changes occur to an approved package, changed
    package is not approved
  • Administration is Web-based, password protected
  • On-line resources include SUS Overview
    Whitepaper, SUS Deployment Guide, Windows Update,
    Security Web sites

40
Configuring Software Update Services Settings
  • Configure SUS settings
  • http://servername/SUSAdmin
  • Browse the Set options pages
  • Configure your SUS to maintain updates on a
    Microsoft Windows Update server

41
Set options
  • Proxy Server
  • Server's name as FQDN or IP address
  • Content Source
  • Connect directly to Microsoft Windows Update
  • Another SUS Server (saves bandwidth)

42
Synchronizing Software Update Services Content
  • Synchronize SUS content
  • Use the Microsoft SUS menu through Internet
    Explorer to start the synchronization process as
    directed
  • Manually done first time after installation
  • Schedule Updates

43
Approve Updates
  • Approve an update
  • Browse potential updates and explore sorting
    options and details menu
  • Browse approved logs and other information as
    directed
  • Approve for all SUSs in enterprise or allow
    administrators of other SUS to examine for
    approval

44
Planning a Software Update Services
Infrastructure
  • Common methods that organizations use to deploy
    and configure SUS
  • Small networks: single server running SUS or
    multiple location-based servers managed
    independently
  • Enterprise networks: multiple SUS servers, single
    synchronization server (hub and spoke)
  • High security networks: corporate intranet
    disconnected from public Internet. All local
    servers download from special connected server(s).

45
Automatic Updates
  • Clients must have Automatic Updates client
    software installed to obtain security updates
  • Some systems have software preinstalled, others
    must manually install
  • Automatic Updates can be manually enabled along
    with notification and scheduling options
  • To connect to local SUS server to obtain updates,
    must configure the client's Registry or Group Policy
    settings
  • Group policy settings override local settings
  • Computer Configuration - Windows Settings,
    Administrative Templates - Windows Components -
    Windows Update

46
Automatic Updates (continued)

47
Client Configuration
  • Notify
  • System logs ready for installation
  • Non-administrator: shown nothing; cannot cancel
    (decline)
  • Administrator: notified that a hot fix is
    available; may cancel download
  • Automatic
  • Non-administrator: cannot choose when to
    install; if restart required, a "log off in 5
    minutes" message is given.
  • Administrator: downloads automatically and gives
    notification that it will be installed; can
    specify to install now or wait for schedule.
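
An added example (not part of the original slides) that reads the Automatic Updates policy values from a client's Registry and reports whether the client is pointed at the local update server and which of the Notify / Automatic modes is set. It assumes PowerShell 3.0 or later on the client and the standard Windows Update policy key; `http://servername` is the placeholder name used in the slides and Get-RegValue is a hypothetical helper.

```powershell
# Added example, not from the slides. 'http://servername' is the placeholder
# server name the slides use; replace it with the local SUS server's URL.
$ExpectedServer = 'http://servername'
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$state = [ordered]@{
    WUServer       = Get-RegValue $wuKey 'WUServer'
    WUStatusServer = Get-RegValue $wuKey 'WUStatusServer'
    UseWUServer    = Get-RegValue $auKey 'UseWUServer'
    NoAutoUpdate   = Get-RegValue $auKey 'NoAutoUpdate'
    AUOptions      = Get-RegValue $auKey 'AUOptions'
}

# AUOptions values: 2 = notify before download, 3 = download automatically and
# notify before install, 4 = download automatically and install on schedule.
$modes = @{ 2 = 'Notify'; 3 = 'Download, notify before install'; 4 = 'Automatic (scheduled)' }

$findings = @()
if ($state.UseWUServer -ne 1) {
    $findings += 'UseWUServer is not 1: WUServer is ignored and the client contacts Windows Update directly'
}
if ($state.WUServer -ne $ExpectedServer) {
    $findings += "WUServer is '$($state.WUServer)', expected '$ExpectedServer'"
}
if ($state.WUStatusServer -ne $state.WUServer) {
    $findings += 'WUStatusServer does not match WUServer'
}
if ($state.NoAutoUpdate -eq 1) {
    $findings += 'NoAutoUpdate is 1: Automatic Updates is turned off'
}
if ($null -eq $state.AUOptions -or -not $modes.ContainsKey([int]$state.AUOptions)) {
    $findings += "AUOptions is '$($state.AUOptions)', expected 2, 3 or 4"
}

[pscustomobject]$state | Format-List
"Mode: $($modes[[int]$state.AUOptions])"
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'Client is configured for the local update server.' }
```

Because Group Policy settings override local settings, values under this policy key reflect what the client will actually use.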