Microsoft Management Console MMC

1
Microsoft Management Console (MMC)

• In a Windows Server 2003 environment,
  administrator will normally be responsible for
  more than one server
• A useful tool for administrators to manage
  Windows computers anywhere on the network (remote
  server and clients) is Microsoft Management
  Console (MMC)
• MMC provides a customizable management framework
  for hosting multiple management tools (snap-ins)
• MMC with one or more snap-ins is called console
• Can add and remove management tools as necessary
  and save as a custom MMC console file with .msc
  extension
• By default, consoles are saved in the
  Administrative Tools folder in the users
  profiles and appear as shortcuts in the Start
  menus Administrative Tools program group

2
Microsoft Management Console (MMC)

• Most of the shortcuts in the Administrative Tools
  program group are preconfigured MMC consoles
• The executable file for MMC is Mmc.exe
• Run this file from the Run dialog box or command
  prompt
• Empty console appears, select Add/Remove snap-in
  from the File menu
• Select and add as many stand-alone snap-ins to a
  console and save it as a custom console with .msc
  file extension
• Can access a remote computer through selecting
  Connect to Another Computer from Action menu in
  the MMC snap-in
• Also, by using Add/Remove snap in from File menu,
  selecting what computer you want to manage from
  the list of snap-ins and then clicking Add button

3
Terminal Services

• Terminal Services is a Window-based application
  service that enables clients to access a server
  remotely to execute, process and store data on
  the server
• The Terminal Server client software is installed
  on the client, the client receives the Windows
  Server 2003 GUI from the Terminal Server, users
  enter keystrokes, and mouse clicks, the commands
  are sent to the Terminal Server for execution,
  and the server then refreshes the local terminal
  screen. Two Terminal Service-based tools
• Remote Desktop for Administration allows an
  administrator to connect to any computer on the
  network in order to run and manage administrative
  services
• Remote Assistance is used to allow a trusted
  party an expert to remotely access your system
  to view and interact

4
Benefits of Terminal Services

• Support for thin clients required fewer system
  resources, RAM, minimum operating system, etc.
• Centralized access to applications
• Administrator can control client access
• Reduce network and workstation maintenance
• Reduce network traffic for remote access users
• Down-level operating systems clients can connect
  to TS
• Remote Administration of Windows Server 2003
• Easier way to upgrade software on a remote server
• Installed automatically as a part of Windows
  Server 2003
• Disabled by default, Once enabled, only
  Administrators group can connect by default,
  Additional users can be granted access

5
Installing Terminal Services

• To set up a Terminal server, one Windows 2003
  server in network must be configured as a
  Terminal Services licensing server to host
  terminal services clients
• Install Terminal Services on a member server
  rather than on a Domain Controller
• Log on as an Administrator to Installed Terminal
  Services, Start ? Control Panel ? Add or Remove
  Programs ? Add/Remove Windows Components to
  initiate the Windows Components Wizard
• Scroll down Components list and select the
  Terminal Server and Terminal Server Licensing
  check boxes
• Use the Windows Components Wizard to install
  Terminal Services as directed

6
Installing Remote Desktop for Administration

• Two components of Terminal services to be
  configured
• Remote Desktop for Administration - to access
  remote server computer on the network for
  administrative purposes, without the
  application-sharing capabilities
• Remote Desktop Connection the client software
  running on client computer to connect to a
  Terminal Server
• Log on as an Administrator to enable or disable
  Remote Desktop for Administration, which is
  installed automatically as a part of Windows
  Server 2003, and disabled by default
• Start ? Control Panel ? System ? Remote tab or
• Start ? right-click My computer ?Properties
  ?System Properties dialog box Remote tab
• In the Remote Desktop section, select the Allow
  Users to connect remotely to this computer check
  box
• Remote Desktop for Administration allows only
  two concurrent connections

7
Installing Remote Desktop Connection

• Remote Desktop Connection the client software
  running on client computer to connect to a
  Terminal Server
• By default it is installed on Windows Server 2003
  and XP
• For all other operating systems install
  manually
• The Remote Desktop Connection client software is
  stored in systemroot\system32\clients\tsclients\
  win32 folder
• Share this folder on the network for distribution
  purposes
• Connect to the share from the client computer and
  run Setup.exe file InstallShield Wizard
• Or configure Group Policy to distribute the
  Remote Desktop Connection .msi package
• Only Administrators or Remote Desktop User group
  can successfully connect to the server using
  Remote Desktop for Administration

8
Terminal Services User Account Settings

• Applications must be installed in a mode for
  multiple users compatible with Terminal Server
  (install mode), may need to reinstall some
  applications
• Terminal services uses TCP and UDP port number
  3389 for all of its client/server communications
  by default
• Application layer protocol called Remote Desktop
  Protocol (RDP) handles communication between the
  Terminal Server and the client
• On the client computer Start ? All Programs ?
  Accessories ? Communications ? Remote Desktop
  Connection
• Explore Terminal Services user account settings
  using Active Directory Users and Computers
• Start ? Administrative Tools ? Active Directory
  Users and Computers ? Users
• Explore the settings on the four Terminal
  Services tabs Terminal Services Profile, Remote
  control, Sessions, and Environment

9
Remote Assistance

• Enables a user to request help from help desk
  support person or network technician to remotely
  access his or her computer to either just view
  or to both view and interact with the their
  system by giving permission
• To receive remote assistance, a client must issue
  an invitation and send it to a particular expert
• Enable Remote Assistance through System
  Properties from Control Panel and select the
  Remote tab
• Select the Turn on Remote Assistance and Allow
  Invitations to be Sent From This Computer check
  box
• Click Advanced button to let the expert take
  control of the computer or simply view activities
  on the computer
• Specify the time for the invitation for remote
  assistance

10
Service packs and hotfixes

• Service pack A tested package containing
  collection of patches and other updates (includes
  old and new patches)
• Microsoft service pack releases are cumulative
  available
• CD-ROM installation files and program
  Update.exe
• Express download- checks computer and downloads
  only required files, reduce size of download,
  requires Internet access
• Network download downloads entire service pack
  files (single executable) on a network server and
  then distributes to clients, large size download
  (100 MB or more), no internet access required
• Hotfix - A software update that addresses one
  specific issue
• Service packs and Hotfixes release to address
  specific security issues such as new viruses or
  other threats
• Always test all updates before deploying over the
  network

11
Software Update Policies

• Remain aware of new update releases
• Determine which computers need to be updated
• Test update releases on multiple system
  configurations
• Deploy update releases on large fleets of
  computers must be automated less time
  consuming, efforts and expenses
• Uninstalling Service Packs always save backup
  copies of operating system files before applying
  a new service pack
• Microsoft Baseline Security Analyzer (MBSA) is
  a graphical informational tool, which checks and
  displays security lapses on computers but can not
  fix it
• MBSA is not included with Windows Server 2003,
  but can be downloaded from Microsoft Web site
  free of charge

12
Microsoft Baseline Security Analyzer

• Checks for required service packs and security
  updates, if not found, complies a list of
  required updates to be installed
• Checks whether Guest account is activated
• Checks whether more than two accounts have
  Administrator privileges
• Checks whether the computer is configured for
  Autologon
• Checks for passwords simple, complex, blank or
  expired
• Checks for NTFS filing system on all drives
• Checks IIS and Microsoft SQL Server for security
  weakness
• Checks and displays list of shares, Operating
  system version number, and whether auditing is
  enabled

13
Software Update Services (SUS)

• Ability to automatically download, control and
  deploy updates, service packs and patches to
  clients operating system using internal server
• Administrators can check and approve each package
  before it is made available to clients
• By storing the content locally on internal
  server, clients can download, without going on
  internet to Microsoft site
• A new group policy feature included with SUS
  allow the administrator to define the
  configuration of the Automatic Updates feature on
  client computers

14
Software Update Services (SUS)

• Software Updates consist of two components
• Client side service - which retrieves updates
  from SUS server and installs them
• Client side service - known as Automatic Updates
• Server side service which is a central point
  for distributing updates to clients
• Automatic Updates service can work with Windows
  2000 with (SP2), XP with (SP1) can not work
  with 98, or NT
• After installation of Automatic Updates on client
  computer, by default, it retrieves the updates
  from Microsoft Windows Updates server on
  Internet, however, you can redirect your clients
  to internal SUS server
• http//windowsupdate.microsoft.com/
• Clients must have Automatic Updates software
  installed to interact with SUS server

15
Deploying Software Update Services (SUS)

• Four Basic steps for deploying SUS
• Install an SUS server configure Administrator
  and client access to the SUS service, must
  install IIS before SUS
• Synchronize the server the process by which the
  SUS server downloads updates from the Microsofts
  Windows Update site through Internet and stores
  them on local drive
• Approve updates Administrator checks and
  approves
• Configure Automatic Update clients Configure
  GPO
• Start ? Control Panel ? Add or Remove Programs ?
  Add/Remove Windows Components
• Install IIS following instructions
• Run the SUS10SP1.exe file to start installation
  of SUS
• Follow directions to run Microsoft Software
  Update Services Setup Wizard
• Complete installation as directed

16
Administering Software Site Licensing

• The End-User License Agreement (EULA) is a
  binding contract to use Microsoft software
• Client Access Licenses (CALs) need to access
  server
• Per Server licensing mode - a single CAL is
  required for each concurrent connection to the
  specific server
• You apply CALs to the servers
• When maximum of concurrent connections to a
  server has been reached, no additional user can
  access the server
• Use Per Server mode when there are few servers
  and they require limited access
• The of CALs needed is determined by the of
  concurrent connections

17
Administering Software Site Licensing

• Per Device or User Licensing mode a CAL is
  required for each client connection, but it does
  not matter which server the client connect to
• If you buy 500 CALs, you can have up to 500
  concurrent users or devices connected to any of
  your servers
• The total number of CALs equals the of devices
  or of users, or a mixture of both, that access
  servers
• Use Per Device or User mode when there are many
  servers and they require frequent and widespread
  access
• The of CALs needed is determined by the of
  users or of devices, or both, that require
  access to the servers

18
Administering Site Licensing

• To help keep track of licensing, you have
  Licensing Tools
• Licensing in Control Panel The Choose Licensing
  Mode tool found in Control Panel manages
  licensing requirement for a single computer
• The Site Licensing Server - In order for the
  Licensing Tool in Administrative Tools program to
  function and to view and manage licensing for the
  entire site, the License Logging service must be
  enabled on one server on the site
• The server on which the License Logging service
  is running is known as the site licensing server,
  which keep tracks of all licenses on the site
  (single physical location)
• The site licensing server is typically the first
  domain controller created in a site