70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 10: Server Administration



Objectives

• Distinguish between the various methods, tools, and processes used to manage a Windows Server 2003 system

• Understand and configure Terminal Services and Remote Desktop for Administration

• Delegate administrative authority in Active Directory

• Install, configure, and manage Microsoft Software Update Services


Network Administration Procedures

• In a Windows Server 2003 environment, an administrator will normally be responsible for more than one server

• A useful tool for administrators to manage remote servers is Microsoft Management Console (MMC)

• Secondary logon is another useful tool for administrators


Windows Server 2003 Management Tools

• Server shutdown and restart has new features in Windows Server 2003

• Shutdown Event Tracker logs these events
  • Can include comments on why events occurred
  • Logged as event 1074 in Event Viewer system log


Activity 10-1: Restarting Windows Server 2003

• Objective: to restart Windows Server 2003

• Start → Shut Down → Restart

• Configure the Shutdown Event Tracker options


Activity 10-2: Viewing Shutdown Events in the Event Viewer System Log

• Objective: Use Event Viewer to view server shutdown events

• Start → Administrative Tools → Event Viewer → System

• Look for the shutdown event that was generated in the previous activity

• Explore other shutdown events
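
The review done by hand in Activity 10-2 can also be scripted. The following is an added example, not part of the original slides: it parses the text of event 1074 records and flags shutdowns that are marked unplanned or carry no operator comment. The message layout, the sample records and the `NeedsReview` rule are assumptions made for illustration.

```powershell
# Added example: summarise Shutdown Event Tracker records (System log, event ID 1074).
# Assumption: messages follow the usual 1074 text layout, as in the constructed samples.

function Get-MessageField {
    param([string]$Text, [string]$Name)
    # Pull "Name: value" from its own line; an absent or blank field returns ''.
    $pattern = '(?m)^\s*' + [regex]::Escape($Name) + ':[ \t]*(?<v>.*?)\s*$'
    [regex]::Match($Text, $pattern).Groups['v'].Value
}

function ConvertFrom-ShutdownEvent {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Record   # any object exposing TimeCreated and Message
    )
    process {
        $text = [string]$Record.Message
        $head = [regex]::Match($text, ('The process (?<proc>.+?) has initiated the (?<action>.+?) ' +
            'of computer (?<host>\S+) on behalf of user (?<user>.+?) ' +
            'for the following reason:[ \t]*(?<reason>[^\r\n]*)'))
        if (-not $head.Success) { return }   # skip anything that is not a 1074-style message

        $reason  = $head.Groups['reason'].Value.Trim()
        $comment = Get-MessageField $text 'Comment'
        [pscustomobject]@{
            Time        = $Record.TimeCreated
            Computer    = $head.Groups['host'].Value
            User        = $head.Groups['user'].Value
            Process     = $head.Groups['proc'].Value
            Action      = $head.Groups['action'].Value
            Reason      = $reason
            ReasonCode  = Get-MessageField $text 'Reason Code'
            Comment     = $comment
            # Review rule (assumption): unplanned reason, or no comment was entered.
            NeedsReview = ($reason -match '\(Unplanned\)') -or (-not $comment)
        }
    }
}

# Constructed sample records (host, accounts, times and codes are made up).
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2004-03-01 22:15'; Message = @'
The process winlogon.exe has initiated the restart of computer SERVER01 on behalf of user CONTOSO\adm.jsmith for the following reason: Operating System: Service pack (Planned)
 Reason Code: 0x80020010
 Shutdown Type: restart
 Comment: Service pack applied in maintenance window
'@ }
    [pscustomobject]@{ TimeCreated = [datetime]'2004-03-04 03:02'; Message = @'
The process winlogon.exe has initiated the shutdown of computer SERVER01 on behalf of user CONTOSO\helpdesk1 for the following reason: Other (Unplanned)
 Reason Code: 0x0
 Shutdown Type: shutdown
 Comment:
'@ }
)

# Only the second record is listed: unplanned and without a comment.
$sample | ConvertFrom-ShutdownEvent | Where-Object { $_.NeedsReview } |
    Format-Table Time, User, Action, Reason -AutoSize

# On a live system, feed real records instead of the sample:
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } | ConvertFrom-ShutdownEvent
```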


The Microsoft Management Console

• MMC provides a unified framework for hosting multiple management tools (snap-ins)

• Can add and remove management tools as necessary and save custom tools for use by authorized administrators

• Console saved as Management Saved Console (MSC) file with .msc extension

• Can focus snap-ins to point to remote clients or servers


Activity 10-3: Using the MMC to View Information on a Remote Computer

• Objective: Use MMC to view system logs on a remote computer

• Focus the Event Viewer to connect to another computer from an existing MMC

• Browse the system and application logs on the remote computer

• Focus back to the local computer


Activity 10-4: Creating a Taskpad

• Objective: create a taskpad to simplify administrative tasks

• A taskpad view provides a graphical representation of the tasks that can be performed in an MMC

• Create a new MMC with an Event Viewer

• Create and configure a taskpad view using the New Taskpad View Wizard

• Save the new MMC


Secondary Logon

• Recommendation is for network administrators to have two logon accounts
  • One with administrative rights
  • One with normal user rights

• Secondary logon feature allows you to log on with a user account and open administrative tools as an administrator


Activity 10-5: Using the Windows Server 2003 Secondary Logon Feature

• Objective: Use the Run as command to open a program with a secondary account

• Start → Administrative Tools → right-click Event Viewer → Run as

• Log on with alternative credentials in Run As dialog box


Activity 10-6: Using the Secondary Logon Feature from the Command Line

• Objective: To log on using alternate credentials from the command line

• Start → Run → enter cmd in Open box to open a command prompt

• Enter command-line form of runas to open the Event Viewer as directed in the exercise


Network Troubleshooting Processes

• Need a systematic approach to troubleshooting

• Recommended steps
  • Define the problem
  • Gather detailed information about what has changed
  • Devise a plan to solve the problem
  • Implement the plan and observe the results
  • Document all changes and results


Define the Problem

• Indication of a problem is often
  • A general complaint from a user
  • An error message

• Ask questions of user

• Try to recreate the problem in a test

• To decode error messages, use net utility
  • At command prompt, type NET HELPMSG number


Gather Detailed Information About What Has Changed

• Factors to consider include
  • Any new components installed recently?
  • Who has access to computer? Have they made any changes?
  • Any software or service patches installed recently?


Devise a Plan to Solve the Problem

• Important considerations when devising a plan:
  • Interruptions to network or its components (e.g., restarts)
  • Possible changes to network security policy
  • Need to document all changes and troubleshooting steps

• Be sure to include a rollback strategy in case plan doesn’t work


Implement the Plan; Observe Results; Document All Changes and Results

• Notify users if network availability will be affected

• Do not make too many configuration changes at one time

• If plan doesn’t work, document what was done and start again

• Document all troubleshooting steps, results, and configuration changes


Configuring Terminal Services and Remote Desktop for Administration

• Two services that provide remote access to a server desktop
  • Terminal Services allows users to connect in order to run applications
  • Remote Desktop for Administration allows an administrator to connect in order to run administrative services


Enabling Remote Desktop for Administration

• Installed automatically as a part of Windows Server 2003

• Disabled by default

• Once enabled, only Administrators group can connect by default

• Additional users can be granted access


Activity 10-7: Enabling and Testing Remote Desktop for Administration

• Objective: To enable and test Remote Desktop for Administration

• Start → Control Panel → System → Remote tab

• Enable Remote Desktop for Administration on the server as directed in the activity

• Connect to the server using the Remote Desktop Connection tool

• Disconnect leaving session open and then disconnect closing the session


Installing Terminal Services

• Installed from Add/Remove Windows Components of Add or Remove Programs (in Control Panel)

• To set up a Terminal server, one Windows Server 2003 server in network must be configured as a Terminal Services licensing server


Activity 10-8: Installing Terminal Services

• Objective: To install Windows Server 2003 Terminal Services on a server

• Start → Control Panel → Add or Remove Programs → Add/Remove Windows Components

• Use the Windows Components Wizard to install Terminal Server as directed


Managing Terminal Services

• Three primary tools for Terminal Services administration:
  • Terminal Services Manager
  • Terminal Services Configuration
  • Terminal Services Licensing


Configuring Remote Connection Settings

• Primary tool is Terminal Services Configuration
  • Settings related to connection attempts
  • Settings related to permissions of user or group accounts

• Configured from properties of a Terminal Server connection object: 1 object for multiple user connections

• Settings include:
  • Authentication (none or standard Windows)
  • Encryption (client compatible or high)


Activity 10-9: Exploring Terminal Services Settings

• Objective: to explore and configure Terminal Services settings

• Start → Administrative Tools → Terminal Services Configuration

• Browse and configure settings as directed in the activity


Terminal Services Client Software

• Terminal Server folder containing client software packages:
  • %Systemroot%\system32\clients\tsclient\win32

• Contains files to install Remote Desktop Connection
  • Provided as both MSI file and Win32 executable
  • Share folder and initiate installation process either manually or through Group Policy deployment
  • Pre-installed on Windows Server 2003 and Windows XP


Installing Applications

• Applications must be installed in a mode for multiple users compatible with Terminal Server (install mode)

• Use Add or Remove Programs applet in Control Panel after Terminal Server is installed

• Can also place Windows Server 2003 in install mode from command line
  • Change user /install to begin
  • Change user /execute when finished

• May need to reinstall some applications


Configuring Terminal Services User Properties

• Terminal Server adds four tabs to properties of user accounts
  • Terminal Services Profile – user can configure a special connection profile and home directory
  • Remote control – configures remote control properties for a user account
  • Sessions – configures a maximum session time and disconnect options
  • Environment – configures a program to run automatically when user connects to terminal server


Activity 10-10: Exploring Terminal Services User Account Settings

• Objective: Explore Terminal Services user account settings using Active Directory Users and Computers

• Start → Administrative Tools → Active Directory Users and Computers → Users

• Explore the settings on the four Terminal Services tabs: Terminal Services Profile, Remote control, Sessions, and Environment


Delegating Administrative Authority

• Active Directory is a database and must be protected

• Uses permissions similar to NTFS file permissions
  • Administrators have full access by default
  • Users are given read permission for most attributes by default
  • Administrator can edit permissions

• Must take care not to make any objects completely inaccessible


Active Directory Object Permissions

• Objects can be assigned permissions at 2 levels:
  • Object-level permissions
    • Must be granted for a user to create or modify an OU, user, or group account
    • Applied according to a preconfigured set of standard permissions
  • Attribute-level permissions
    • Control which attributes a user or group can view or modify

• If not explicitly set, object inherits parent container’s permissions


Activity 10-11: Exploring Active Directory Object Permissions

• Objective: Explore Active Directory object permission settings

• Start → Administrative Tools → Active Directory Users and Computers → View (menu bar) → Advanced Features

• Access the properties of an OU and explore the various permission configurations as directed in the exercise


Permission Inheritance

• Child objects inherit permissions from parent objects by default when child object is created

• If permissions to parent are changed subsequently, can force permission changes to child if desired

• Can modify default inheritance by blocking it at the container or object level


Delegating Authority Over Active Directory Objects

• Allows you to distribute/decentralize process of administering Active Directory

• Steps to delegating authority
  • Design OU structure to permit distribution
  • Configure permissions to support appropriate distribution

• Implementing delegation
  • Can manage permissions directly from Security tab
  • Can use Delegation of Control Wizard


Activity 10-12: Using the Delegation of Control Wizard

• Objective: Delegate control of an OU using the Active Directory Users and Computers Delegation of Control Wizard

• To start wizard, right-click OU and click Delegate Control

• Delegate a specific permission to a group following directions in the exercise

• Verify that the permission appears as expected


Software Update Services

• Software Update Services (SUS) allows an administrator to control the deployment of O.S. security updates and critical packages

• Intended to minimize administrative effort required to keep O.S. protected

• 2 main elements:
  • Client component: updated version of Windows Automatic Updates, clients contact server to get updates

  • Server component: can be installed on a server running Windows 2000 or Server 2003


Installing Software Update Services

• SUS client and server components available for download from Microsoft Web site

• Requires minimum hardware and a dedicated server if possible

• Internet Information Services version 5.0 or higher and Internet Explorer 5.5 or higher are prerequisites

• Server component can be installed on Windows 2000 Server, Windows Server 2003, or Microsoft Small Business Server 2000


Activity 10-13: Installing Software Update Services

• Objective: To install the server component of Software Update Services (after installing IIS)

• Start → Control Panel → Add or Remove Programs → Add/Remove Windows Components

• Install IIS following instructions

• Run the SUS10SP1.exe file to start installation of SUS

• Follow directions to run Microsoft Software Update Services Setup Wizard

• Complete installation as directed


How Software Update Services Works

• Purpose of SUS is to provide centralized facility for clients to obtain security package updates automatically

• SUS server can store updates locally or store catalog with clients downloading from Internet

• Administrator must approve an update before clients can download it

• Clients must have Automatic Updates software installed to interact with SUS server


Configuring Software Update Services

• Default SUS configurations (Typical option):
  • Updates downloaded from Internet servers
  • Proxy server settings are set to Automatic
  • Downloaded content is stored locally on SUS server
  • Packages are downloaded in all supported languages
  • If changes occur to an approved package, changed package is not approved

• Administration is Web-based, password protected

• On-line resources include SUS Overview Whitepaper, SUS Deployment Guide, Windows Update, Security Web sites


Activity 10-14: Configuring Software Update Services Settings

• Objective: To configure SUS settings

• Start → All Programs → Internet Explorer

• Enter the SUS administration Web address and log on as directed

• Browse the Set options pages

• Configure your SUS to maintain updates on a Microsoft Windows Update server


Activity 10-15: Synchronizing Software Update Services Content

• Objective: To manually synchronize SUS content

• Use the Microsoft SUS menu through Internet Explorer to start the synchronization process as directed

• Browse potential updates and explore sorting options and details menu

• Approve an update

• Browse logs and other information as directed


Automatic Updates

• Clients must have Automatic Updates client software installed to obtain security updates

• Some systems have software preinstalled, others must manually install

• Automatic Updates can be manually enabled along with notification and scheduling options

• To connect to local SUS server to obtain updates, must configure client’s Registry or Group Policy settings

• Group policy settings override local settings
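
A misconfigured client silently keeps using the public Windows Update site instead of the approved updates on the SUS server. The following added example, which is not part of the original slides, checks the Automatic Updates policy values on a client against the expected server. The server name `http://sus01` is hypothetical, and the registry value names are the documented Windows Update policy values rather than anything shown on the slides.

```powershell
# Added example: audit the Automatic Updates policy that points a client at a SUS server.
# Assumptions: http://sus01 is a hypothetical server name; the value names are the
# documented Windows Update policy values and do not appear on the slides.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-AuPolicy {
    # Collect the policy values; a missing key or value comes back as $null.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WuKey\AU" -ErrorAction SilentlyContinue
    @{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
        NoAutoUpdate   = $au.NoAutoUpdate
    }
}

function Test-SusClientPolicy {
    param(
        [Parameter(Mandatory = $true)][hashtable]$Policy,
        [Parameter(Mandatory = $true)][string]$ExpectedServer
    )
    $findings = @()
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1, so WUServer is ignored and the client uses Windows Update'
    }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        if ($Policy[$name] -ne $ExpectedServer) {
            $findings += "$name is '$($Policy[$name])', expected '$ExpectedServer'"
        }
    }
    if ($Policy.NoAutoUpdate -eq 1) {
        $findings += 'NoAutoUpdate is 1, so Automatic Updates is switched off'
    }
    $findings   # empty when the client is configured as expected
}

# Constructed sample: server set, but status server missing and UseWUServer left at 0.
$misconfigured = @{ WUServer = 'http://sus01'; WUStatusServer = $null; UseWUServer = 0; NoAutoUpdate = 0 }
Test-SusClientPolicy -Policy $misconfigured -ExpectedServer 'http://sus01'

# Live check on a client:
# Test-SusClientPolicy -Policy (Get-AuPolicy) -ExpectedServer 'http://sus01'
```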


Activity 10-16: Reviewing Automatic Updates Group Policy Settings

• Objective: To review Group Policy settings for Automatic Update

• Start → Administrative Tools → Active Directory Users and Computers

• Edit the Default Domain Policy and add the wuau template as directed

• Browse and configure settings for Automatic Updates


Planning a Software Update Services Infrastructure

• Common methods that organizations use to deploy and configure SUS
  • Small networks: single server running SUS or multiple location-based servers managed independently
  • Enterprise networks: multiple SUS servers, single synchronization server (hub and spoke)
  • High security networks: corporate intranet disconnected from public Internet. All local servers download from special connected server(s).


Activity 10-17: Uninstalling Software Update Services and Internet Information Services

• Objective: To uninstall SUS and IIS

• Start → Control Panel → Add or Remove Programs

• Remove Software Update Services as directed

• Remove Internet Information Services as directed


Summary

• Tools used to manage server tasks and remote management of clients:
  • Microsoft Management Console (MMC)
  • Secondary logon feature

• Network troubleshooting process steps: define problem, gather information about changes, devise plan, implement plan, document changes & results

• Terminal Services allows users to connect to and run applications on remote servers


Summary (continued)

• Remote Desktop for Administration allows administrators to connect to and interact with remote servers

• Administrative authority for Active Directory objects can be delegated through object-level and attribute-level permissions

• Software Update Services allows control of the deployment of security updates throughout a network