70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration.


1 70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration

2 Objectives (Guide to MCSE 70-290, Enhanced)
- Distinguish between the various methods, tools, and processes used to manage a Windows Server 2003 system
- Understand and configure Terminal Services and Remote Desktop for Administration
- Delegate administrative authority in Active Directory
- Install, configure, and manage Microsoft Software Update Services

3 Network Administration Procedures
- In a Windows Server 2003 environment, an administrator will normally be responsible for more than one server
- A useful tool for administrators to manage remote servers is Microsoft Management Console (MMC)
- Secondary logon is another useful tool for administrators

4 Windows Server 2003 Management Tools
- Server shutdown and restart has new features in Windows Server 2003
- Shutdown Event Tracker logs these events
  - Can include comments on why events occurred
  - Logged as event 1074 in Event Viewer system log

5 The Microsoft Management Console
- MMC provides a unified framework for hosting multiple management tools (snap-ins)
- Can add and remove management tools as necessary and save custom tools for use by authorized administrators
- Console saved as Management Saved Console (MSC) file with .msc extension
- Can focus snap-ins to point to remote clients or servers

6 Secondary Logon
- Recommendation is for network administrators to have two logon accounts
  - One with administrative rights
  - One with normal user rights
- Secondary logon feature allows you to log on with user account, open administrative tools as an administrator

7 Network Troubleshooting Processes
- Need a systematic approach to troubleshooting
- Recommended steps
  - Define the problem
  - Gather detailed information about what has changed
  - Devise a plan to solve the problem
  - Implement the plan and observe the results
  - Document all changes and results

8 Define the Problem
- Indication of a problem is often
  - A general complaint from a user
  - An error message
- Ask questions of user
- Try to recreate the problem in a test
- To decode error messages, use net utility
  - At command prompt, type NET HELPMSG number

9 Gather Detailed Information About What Has Changed
- Factors to consider include
  - Any new components installed recently?
  - Who has access to computer? Have they made any changes?
  - Any software or service patches installed recently?

10 Devise a Plan to Solve the Problem
- Important considerations when devising a plan:
  - Interruptions to network or its components (e.g., restarts)
  - Possible changes to network security policy
  - Need to document all changes and troubleshooting steps
- Be sure to include a rollback strategy in case plan doesn’t work

11 Implement the Plan; Observe Results; Document All Changes and Results
- Notify users if network availability will be affected
- Do not make too many configuration changes at one time
- If plan doesn’t work, document what was done and start again
- Document all troubleshooting steps, results, and configuration changes

12 Configuring Terminal Services and Remote Desktop for Administration
- Two services that provide remote access to a server desktop
  - Terminal Services allows users to connect in order to run applications
  - Remote Desktop for Administration allows an administrator to connect in order to run administrative services

13 Enabling Remote Desktop for Administration
- Installed automatically as a part of Windows Server 2003
- Disabled by default
- Once enabled, only Administrators group can connect by default
- Additional users can be granted access

14 Installing Terminal Services
- Installed from Add/Remove Windows Components of Add or Remove Programs (in Control Panel)
- To set up a Terminal server, one Windows Server 2003 server in network must be configured as a Terminal Services licensing server

15 Managing Terminal Services
- Three primary tools for Terminal Services administration:
  - Terminal Services Manager
  - Terminal Services Configuration
  - Terminal Services Licensing

16 Configuring Remote Connection Settings
- Primary tool is Terminal Services Configuration
  - Settings related to connection attempts
  - Settings related to permissions of user or group accounts
- Configured from properties of a Terminal Server connection object: 1 object for multiple user connections
- Settings include:
  - Authentication (none or standard Windows)
  - Encryption (client compatible or high)

17 Configuring Remote Connection Settings (continued)

18 Terminal Services Client Software
- Terminal Server folder containing client software packages: %Systemroot%\system32\clients\tsclient\win32
- Contains files to install Remote Desktop Connection
- Provided as both MSI file and Win32 executable
- Share folder and initiate installation process either manually or through Group Policy deployment
- Pre-installed on Windows Server 2003 and Windows XP

19 Installing Applications
- Applications must be installed in a mode for multiple users compatible with Terminal Server (install mode)
- Use Add or Remove Programs applet in Control Panel after Terminal Server is installed
- Can also place Windows Server 2003 in install mode from command line
  - Change user /install to begin
  - Change user /execute when finished
- May need to reinstall some applications

20 Configuring Terminal Services User Properties
- Terminal Server adds four tabs to properties of user accounts
  - Terminal Services Profile – user can configure a special connection profile and home directory
  - Remote control – configures remote control properties for a user account
  - Sessions – configures a maximum session time and disconnect options
  - Environment – configures a program to run automatically when user connects to terminal server

21 Delegating Administrative Authority
- Active Directory is a database and must be protected
- Uses permissions similar to NTFS file permissions
- Administrators have full access by default
- Users are given read permission for most attributes by default
- Administrator can edit permissions
  - Must take care not to make any objects completely inaccessible

22 Active Directory Object Permissions
- Objects can be assigned permissions at 2 levels:
  - Object-level permissions
    - Must be granted for a user to create or modify an OU, user, or group account
    - Applied according to a preconfigured set of standard permissions
  - Attribute-level permissions
    - Control which attributes a user or group can view or modify
- If not explicitly set, object inherits parent container’s permissions

23 Permission Inheritance
- Child objects inherit permissions from parent objects by default when child object is created
- If permissions to parent are changed subsequently, can force permission changes to child if desired
- Can modify default inheritance by blocking it at the container or object level

24 Delegating Authority Over Active Directory Objects
- Allows you to distribute/decentralize process of administering Active Directory
- Steps to delegating authority
  - Design OU structure to permit distribution
  - Configure permissions to support appropriate distribution
- Implementing delegation
  - Can manage permissions directly from Security tab
  - Can use Delegation of Control Wizard

25 Software Update Services
- Software Update Services (SUS) allows an administrator to control the deployment of O.S. security updates and critical packages
- Intended to minimize administrative effort required to keep O.S. protected
- 2 main elements:
  - Client component: updated version of Windows Automatic Updates, clients contact server to get updates
  - Server component: can be installed on a server running Windows 2000 or Server 2003

26 Installing Software Update Services
- SUS client and server components available for download from Microsoft Web site
- Requires minimum hardware and a dedicated server if possible
- Internet Information Services version 5.0 or higher and Internet Explorer 5.5 or higher are prerequisites
- Server component can be installed on Windows 2000 Server, Windows Server 2003, or Microsoft Small Business Server 2000

27 How Software Update Services Works
- Purpose of SUS is to provide centralized facility for clients to obtain security package updates automatically
- SUS server can store updates locally or store catalog with clients downloading from Internet
- Administrator must approve an update before clients can download it
- Clients must have Automatic Updates software installed to interact with SUS server

28 Configuring Software Update Services
- Default SUS configurations (Typical option):
  - Updates downloaded from Internet servers
  - Proxy server settings are set to Automatic
  - Downloaded content is stored locally on SUS server
  - Packages are downloaded in all supported languages
  - If changes occur to an approved package, changed package is not approved
- Administration is Web-based, password protected
- On-line resources include SUS Overview Whitepaper, SUS Deployment Guide, Windows Update, Security Web sites

29 Automatic Updates
- Clients must have Automatic Updates client software installed to obtain security updates
- Some systems have software preinstalled, others must manually install
- Automatic Updates can be manually enabled along with notification and scheduling options
- To connect to local SUS server to obtain updates, must configure client’s Registry or Group Policy settings
- Group policy settings override local settings
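
The client-side settings described on this slide can be audited from the registry. The following is an added example, not part of the original presentation: a PowerShell check of the Windows Update policy values that direct Automatic Updates to a local update server. It assumes PowerShell is available on the client; the function name and the server URL are hypothetical placeholders.

```powershell
# Added example (not from the slides): audit the registry policy values that
# point Automatic Updates at an intranet update server.
# Assumptions: the function name is hypothetical and $ExpectedServer is a
# placeholder URL for the organization's own update server.
function Test-AutomaticUpdatesPolicy {
    param([string]$ExpectedServer = 'http://sus01.example.internal')

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = "$wuKey\AU"
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    if (-not $wu -or -not $au) {
        'Policy values missing or empty: client is not directed to a local update server'
        return
    }
    # UseWUServer must be 1, otherwise WUServer and WUStatusServer are ignored.
    if ($au.UseWUServer -ne 1) {
        'UseWUServer is not 1: the configured server is ignored'
    }
    if ($wu.WUServer -ne $ExpectedServer) {
        "WUServer is '$($wu.WUServer)', expected '$ExpectedServer'"
    }
    # Clients report installation status to WUStatusServer.
    if ($wu.WUStatusServer -ne $wu.WUServer) {
        "WUStatusServer '$($wu.WUStatusServer)' differs from WUServer"
    }
    # NoAutoUpdate = 1 turns Automatic Updates off entirely.
    if ($au.NoAutoUpdate -eq 1) {
        'NoAutoUpdate is 1: Automatic Updates is disabled'
    }
    # AUOptions: 2 = notify before download, 3 = download then notify,
    # 4 = download and install on the configured schedule.
    if ($au.AUOptions -eq 4) {
        "Scheduled install: day $($au.ScheduledInstallDay), hour $($au.ScheduledInstallTime)"
    } elseif ($au.AUOptions -eq 2 -or $au.AUOptions -eq 3) {
        "AUOptions $($au.AUOptions): installation waits for a logged-on user to act"
    } else {
        "AUOptions '$($au.AUOptions)' is unset or unexpected"
    }
}

Test-AutomaticUpdatesPolicy
```

Group Policy writes these same values under the Policies key, so running the check after a policy refresh shows which settings actually took effect on the client.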

30 Automatic Updates (continued)

31 Planning a Software Update Services Infrastructure
- Common methods that organizations use to deploy and configure SUS
  - Small networks: single server running SUS or multiple location-based servers managed independently
  - Enterprise networks: multiple SUS servers, single synchronization server (hub and spoke)
  - High security networks: corporate intranet disconnected from public Internet. All local servers download from special connected server(s).

32 Summary
- Tools used to manage server tasks and remote management of clients:
  - Microsoft Management Console (MMC)
  - Secondary logon feature
- Network troubleshooting process steps: define problem, gather information about changes, devise plan, implement plan, document changes & results
- Terminal Services allows users to connect to and run applications on remote servers

33 Summary (continued)
- Remote Desktop for Administration allows administrators to connect to and interact with remote servers
- Administrative authority for Active Directory objects can be delegated through object-level and attribute-level permissions
- Software Update Services allows control of the deployment of security updates throughout a network

