70-290: MCSE Guide to Managing
a Microsoft Windows Server 2003
Environment
Chapter 10:
Server Administration
Objectives
• Distinguish between the various methods, tools,
and processes used to manage a Windows Server
2003 system
• Understand and configure Terminal Services and
Remote Desktop for Administration
• Delegate administrative authority in Active
Directory
• Install, configure, and manage Microsoft Software
Update Services
Network Administration
Procedures
• In a Windows Server 2003 environment, an
administrator will normally be responsible for
more than one server
• A useful tool for administrators to manage remote
servers is Microsoft Management Console (MMC)
• Secondary logon is another useful tool for
administrators
Windows Server 2003
Management Tools
• Server shutdown and restart has new features in
Windows Server 2003
• Shutdown Event Tracker logs these events
• Can include comments on why events occurred
• Logged as event 1074 in Event Viewer system log
Activity 10-1: Restarting
Windows Server 2003
• Objective: to restart Windows Server 2003
• Start → Shut Down → Restart
• Configure the Shutdown Event Tracker options
Activity 10-2: Viewing
Shutdown Events in the Event
Viewer System Log
• Objective: Use Event Viewer to view server
shutdown events
• Start → Administrative Tools → Event Viewer →
System
• Look for the shutdown event that was generated in
the previous activity
• Explore other shutdown events
The Microsoft Management
Console
• MMC provides a unified framework for hosting
multiple management tools (snap-ins)
• Can add and remove management tools as
necessary and save custom tools for use by
authorized administrators
• Console saved as Management Saved Console
(MSC) file with .msc extension
• Can focus snap-ins to point to remote clients or
servers
Activity 10-3: Using the MMC
to View Information on a
Remote Computer
• Objective: Use MMC to view system logs on a
remote computer
• Focus the Event Viewer to connect to another
computer from an existing MMC
• Browse the system and application logs on the
remote computer
• Focus back to the local computer
Activity 10-4: Creating a
Taskpad
• Objective: create a taskpad to simplify
administrative tasks
• A taskpad view provides a graphical
representation of the tasks that can be performed
in an MMC
• Create a new MMC with an Event Viewer
• Create and configure a taskpad view using the
New Taskpad View Wizard
• Save the new MMC
Secondary Logon
• Recommendation is for network administrators to
have two logon accounts
• One with administrative rights
• One with normal user rights
• Secondary logon feature allows you to log on with
a user account and open administrative tools as an
administrator
Activity 10-5: Using the
Windows Server 2003
Secondary Logon Feature
• Objective: Use the Run as command to open a
program with a secondary account
• Start → Administrative Tools → right-click Event
Viewer → Run as
• Log on with alternative credentials in Run As
dialog box
Activity 10-6: Using the
Secondary Logon Feature from
the Command Line
• Objective: To log on using alternate credentials
from the command line
• Start → Run → enter cmd in Open box to open a
command prompt
• Enter command-line form of runas to open the
Event Viewer as directed in the exercise
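The command-line form of secondary logon, as an added example that is not taken from the course exercise. The domain CONTOSO and the account adm-jdoe are hypothetical placeholders.

```batch
@echo off
rem Added example. CONTOSO\adm-jdoe is a hypothetical administrative account.

rem runas depends on the Secondary Logon service (service name: seclogon).
sc query seclogon | find "RUNNING" >nul
if errorlevel 1 (
    echo Secondary Logon service is not running; runas will fail.
    exit /b 1
)

rem Open Event Viewer under the administrative account while the desktop
rem session stays logged on as the normal user. runas prompts for the password.
runas /user:CONTOSO\adm-jdoe "mmc %windir%\system32\eventvwr.msc"

rem /noprofile skips loading the administrative account's user profile,
rem which starts the tool faster when the profile is not needed.
runas /noprofile /user:CONTOSO\adm-jdoe "mmc %windir%\system32\compmgmt.msc"

rem /savecred is deliberately not used: it stores the administrative password
rem for reuse by the normal account, which removes the separation that the
rem two-account recommendation is meant to provide.
```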
Network Troubleshooting
Processes
• Need a systematic approach to troubleshooting
• Recommended steps
• Define the problem
• Gather detailed information about what has changed
• Devise a plan to solve the problem
• Implement the plan and observe the results
• Document all changes and results
Define the Problem
• Indication of a problem is often
• A general complaint from a user
• An error message
• Ask questions of user
• Try to recreate the problem in a test
• To decode error messages, use net utility
• At command prompt, type NET HELPMSG number
Gather Detailed Information
About What Has Changed
• Factors to consider include
• Any new components installed recently?
• Who has access to computer? Have they made any
changes?
• Any software or service patches installed recently?
Devise a Plan to Solve the
Problem
• Important considerations when devising a plan:
• Interruptions to network or its components (e.g.,
restarts)
• Possible changes to network security policy
• Need to document all changes and troubleshooting
steps
• Be sure to include a rollback strategy in case plan
doesn’t work
Implement the Plan; Observe Results;
Document All Changes and Results
• Notify users if network availability will be
affected
• Do not make too many configuration changes at
one time
• If plan doesn’t work, document what was done
and start again
• Document all troubleshooting steps, results, and
configuration changes
Configuring Terminal Services
and Remote Desktop for
Administration
• Two services that provide remote access to a
server desktop
• Terminal services allows users to connect in order
to run applications
• Remote Desktop for Administration allows an
administrator to connect in order to run
administrative services
Enabling Remote Desktop for
Administration
• Installed automatically as a part of Windows
Server 2003
• Disabled by default
• Once enabled, only Administrators group can
connect by default
• Additional users can be granted access
Activity 10-7: Enabling and Testing
Remote Desktop for Administration
• Objective: To enable and test Remote Desktop for
Administration
• Start → Control Panel → System → Remote tab
• Enable Remote Desktop for Administration on the
server as directed in the activity
• Connect to the server using the Remote Desktop
Connection tool
• Disconnect leaving session open and then
disconnect closing the session
Installing Terminal Services
• Installed from Add/Remove Windows
Components of Add or Remove Programs (in
Control Panel)
• To set up a Terminal server, one Windows Server
2003 server in network must be configured as a
Terminal Services licensing server
Activity 10-8: Installing
Terminal Services
• Objective: To install Windows Server 2003
Terminal Services on a server
• Start → Control Panel → Add or Remove
Programs → Add/Remove Windows Components
• Use the Windows Components Wizard to install
Terminal Server as directed
Managing Terminal Services
• Three primary tools for Terminal Services
administration:
• Terminal Services Manager
• Terminal Services Configuration
• Terminal Services Licensing
Configuring Remote
Connection Settings
• Primary tool is Terminal Services Configuration
• Settings related to connection attempts
• Settings related to permissions of user or group
accounts
• Configured from properties of a Terminal Server
connection object: 1 object for multiple user
connections
• Settings include:
• Authentication (none or standard Windows)
• Encryption (client compatible or high)
Configuring Remote Connection
Settings (continued)
Activity 10-9: Exploring
Terminal Services Settings
• Objective: to explore and configure Terminal
Services settings
• Start → Administrative Tools → Terminal
Services Configuration
• Browse and configure settings as directed in the
activity
Terminal Services Client
Software
• Terminal Server folder containing client software
packages:
• %Systemroot%\system32\clients\tsclient\win32
• Contains files to install Remote Desktop
Connection
• Provided as both MSI file and Win32 executable
• Share folder and initiate installation process either
manually or through Group Policy deployment
• Pre-installed on Windows Server 2003 and
Windows XP
Installing Applications
• Applications must be installed in a mode for
multiple users compatible with Terminal
Server (install mode)
• Use Add or Remove Programs applet in Control
Panel after Terminal Server is installed
• Can also place Windows Server 2003 in install
mode from command line
• Change user /install to begin
• Change user /execute when finished
• May need to reinstall some applications
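The command-line install-mode sequence described above, as an added example that is not part of the course material. The installer path is a hypothetical placeholder.

```batch
@echo off
rem Added example. The installer path below is a hypothetical placeholder.
set INSTALLER=\\fileserver\apps\example-app.msi

rem Show the current mode; execute mode is the normal state.
change user /query

rem Switch the session to install mode before running the installer.
change user /install

rem start /wait blocks until msiexec exits, so the mode is not switched
rem back while the installation is still running.
start /wait msiexec /i "%INSTALLER%" /qb
set RC=%errorlevel%

rem Always return to execute mode, even when the installer failed, so the
rem server is not left in install mode for later work in this session.
change user /execute
change user /query

if not "%RC%"=="0" echo Installer exited with code %RC%
exit /b %RC%
```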
Configuring Terminal Services
User Properties
• Terminal Server adds four tabs to properties of
user accounts
• Terminal Services Profile – user can configure a special
connection profile and home directory
• Remote control – configures remote control properties
for a user account
• Sessions – configures a maximum session time and
disconnect options
• Environment – configures a program to run
automatically when user connects to terminal server
Activity 10-10: Exploring
Terminal Services User
Account Settings
• Objective: Explore Terminal Services user account
settings using Active Directory Users and
Computers
• Start → Administrative Tools → Active Directory
Users and Computers → Users
• Explore the settings on the four Terminal Services
tabs: Terminal Services Profile, Remote control,
Sessions, and Environment
Delegating Administrative
Authority
• Active Directory is a database and must be
protected
• Uses permissions similar to NTFS file permissions
• Administrators have full access by default
• Users are given read permission for most attributes
by default
• Administrator can edit permissions
• Must take care not to make any objects completely
inaccessible
Active Directory Object
Permissions
• Objects can be assigned permissions at 2 levels:
• Object-level permissions
• Must be granted for a user to create or modify an
OU, user, or group account
• Applied according to a preconfigured set of standard
permissions
• Attribute-level permissions
• Control which attributes a user or group can view or
modify
• If not explicitly set, object inherits parent
container’s permissions
Activity 10-11: Exploring
Active Directory Object
Permissions
• Objective: Explore Active Directory object
permission settings
• Start → Administrative Tools → Active Directory
Users and Computers → View (menu bar) →
Advanced Features
• Access the properties of an OU and explore the
various permission configurations as directed in
the exercise
Permission Inheritance
• Child objects inherit permissions from parent
objects by default when child object is created
• If permissions to parent are changed subsequently,
can force permission changes to child if desired
• Can modify default inheritance by blocking it at
the container or object level
Delegating Authority Over
Active Directory Objects
• Allows you to distribute/decentralize process of
administering Active Directory
• Steps to delegating authority
• Design OU structure to permit distribution
• Configure permissions to support appropriate
distribution
• Implementing delegation
• Can manage permissions directly from Security tab
• Can use Delegation of Control Wizard
Activity 10-12: Using the
Delegation of Control Wizard
• Objective: Delegate control of an OU using the
Active Directory Users and Computers Delegation
of Control Wizard
• To start wizard, right-click OU and click Delegate
Control
• Delegate a specific permission to a group
following directions in the exercise
• Verify that the permission appears as expected
Software Update Services
• Software Update Services (SUS) allows an
administrator to control the deployment of O.S.
security updates and critical packages
• Intended to minimize administrative effort
required to keep O.S. protected
• 2 main elements:
• Client component: updated version of Windows
Automatic Updates, clients contact server to get
updates
• Server component: can be installed on a server running
Windows 2000 or Server 2003
Installing Software Update
Services
• SUS client and server components available for download
from Microsoft Web site
• Requires minimum hardware and a dedicated server if
possible
• Internet Information Services version 5.0 or higher and
Internet Explorer 5.5 or higher are prerequisites
• Server component can be installed on Windows 2000
Server, Windows Server 2003, or Microsoft Small
Business Server 2000
Activity 10-13: Installing
Software Update Services
• Objective: To install the server component of
Software Update Services (after installing IIS)
• Start → Control Panel → Add or Remove
Programs → Add/Remove Windows Components
• Install IIS following instructions
• Run the SUS10SP1.exe file to start installation of
SUS
• Follow directions to run Microsoft Software
Update Services Setup Wizard
• Complete installation as directed
How Software Update Services
Works
• Purpose of SUS is to provide centralized facility
for clients to obtain security package updates
automatically
• SUS server can store updates locally or store
catalog with clients downloading from Internet
• Administrator must approve an update before
clients can download it
• Clients must have Automatic Updates software
installed to interact with SUS server
Configuring Software Update
Services
• Default SUS configurations (Typical option):
• Updates downloaded from Internet servers
• Proxy server settings are set to Automatic
• Downloaded content is stored locally on SUS server
• Packages are downloaded in all supported languages
• If changes occur to an approved package, changed
package is not approved
• Administration is Web-based, password protected
• On-line resources include SUS Overview
Whitepaper, SUS Deployment Guide, Windows
Update, Security Web sites
Activity 10-14: Configuring
Software Update Services
Settings
• Objective: To configure SUS settings
• Start → All Programs → Internet Explorer
• Enter the SUS administration Web address and log
on as directed
• Browse the Set options pages
• Configure your SUS to maintain updates on a
Microsoft Windows Update server
Activity 10-15: Synchronizing
Software Update Services
Content
• Objective: To manually synchronize SUS content
• Use the Microsoft SUS menu through Internet
Explorer to start the synchronization process as
directed
• Browse potential updates and explore sorting
options and details menu
• Approve an update
• Browse logs and other information as directed
Automatic Updates
• Clients must have Automatic Updates client
software installed to obtain security updates
• Some systems have software preinstalled, others
must manually install
• Automatic Updates can be manually enabled along
with notification and scheduling options
• To connect to local SUS server to obtain updates,
must configure client’s Registry or Group Policy
settings
• Group policy settings override local settings
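The registry form of the client configuration, as an added example that is not taken from the course material. The server URL http://sus01.example.local is a hypothetical placeholder; the value names are the ones the Automatic Updates policy uses.

```batch
@echo off
rem Added example. http://sus01.example.local is a hypothetical SUS server.
set SUS=http://sus01.example.local
set WU=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

rem Point the Automatic Updates client at the internal SUS server for both
rem update downloads and status reporting.
reg add "%WU%" /v WUServer /t REG_SZ /d %SUS% /f
reg add "%WU%" /v WUStatusServer /t REG_SZ /d %SUS% /f

rem UseWUServer=1 tells the client to use WUServer instead of Windows Update.
reg add "%WU%\AU" /v UseWUServer /t REG_DWORD /d 1 /f

rem NoAutoUpdate=0 keeps Automatic Updates enabled.
reg add "%WU%\AU" /v NoAutoUpdate /t REG_DWORD /d 0 /f

rem AUOptions: 2 = notify before download, 3 = download and notify before
rem install, 4 = download and install on the schedule below.
reg add "%WU%\AU" /v AUOptions /t REG_DWORD /d 4 /f

rem ScheduledInstallDay 0 = every day; ScheduledInstallTime 3 = 03:00.
reg add "%WU%\AU" /v ScheduledInstallDay /t REG_DWORD /d 0 /f
reg add "%WU%\AU" /v ScheduledInstallTime /t REG_DWORD /d 3 /f

rem Restart the Automatic Updates service so it reads the new values,
rem then display what was written.
net stop wuauserv
net start wuauserv
reg query "%WU%" /s
```

A domain Group Policy that defines the same settings replaces these values at the next policy refresh, so on domain members the registry method is mainly useful for checking what the client actually received.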
Automatic Updates (continued)
Activity 10-16: Reviewing
Automatic Updates Group
Policy Settings
• Objective: To review Group Policy settings for
Automatic Update
• Start → Administrative Tools → Active Directory
Users and Computers
• Edit the Default Domain Policy and add the wuau
template as directed
• Browse and configure settings for Automatic
Updates
Planning a Software Update
Services Infrastructure
• Common methods that organizations use to deploy
and configure SUS
• Small networks: single server running SUS or multiple
location-based servers managed independently
• Enterprise networks: multiple SUS servers, single
synchronization server (hub and spoke)
• High security networks: corporate intranet disconnected
from public Internet. All local servers download from
special connected server(s).
Activity 10-17: Uninstalling
Software Update Services and
Internet Information Services
• Objective: To uninstall SUS and IIS
• Start → Control Panel → Add or Remove
Programs
• Remove Software Update Services as directed
• Remove Internet Information Services as directed
Summary
• Tools used to manage server tasks and remote
management of clients:
• Microsoft Management Console (MMC)
• Secondary logon feature
• Network troubleshooting process steps: define
problem, gather information about changes, devise
plan, implement plan, document changes & results
• Terminal Services allows users to connect to and
run applications on remote servers
Summary (continued)
• Remote Desktop for Administration allows
administrators to connect to and interact with
remote servers
• Administrative authority for Active Directory
objects can be delegated through object-level and
attribute-level permissions
• Software Update Services allows control of the
deployment of security updates throughout a
network