Professional Documents
Culture Documents
Morimoto, MCSE Andrew Abbate, MCSE Eric Kovach, MCSE Ed Roberts, MVP (Windows Server)
Microsoft
Presented by:
8
Administering Windows Server 2003 Remotely
There are several methods by which
system administrators can manage the IT environments server resources. Though it is possible to manage each server locally, managing these resources remotely can greatly improve productivity. Remote administration reduces the administrative overhead required to manage servers in any size IT organization because it provides the flexibility for administrators to be centrally located while managing distributed server resources. Windows Server 2003 provides the tools necessary for administrators to perform a vast array of management functions on remotely located servers. Server application and operating system upgrades can be performed remotely, as well as domain controller promotion/demotion and disk defragmentation. This chapter describes the tools available for administrators to manage Windows Server 2003 servers remotely and provides best practices for leveraging remote administration features.
IN THIS CHAPTER
Using Remote Desktop for Administration Taking Advantage of Windows Server 2003 Administration Tools 164 167
Using Out-Of-Band Remote Administration Tools for Emergency Administration 170 Using and Configuring Remote Assistance Securing and Monitoring Remote Administration Delegating Remote Administration Administering IIS in Windows Server 2003 Remotely
BEST PRACTICE
bootcfg.exe Syntax
Reproduced from the book Microsoft Windows Server 2003 Insider Solutions. Copyright 2004, Sams Publishing. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other uses.
164
Terminal Server mode. This is the Application Server mode that was available in Windows 2000 Server. Remote Desktop for Administration. This is an enhancement of the Remote Administration mode of Windows 2000 Server.
This second Terminal Services mode is used to administer Windows Server 2003 servers remotely. Remote Desktop for Administration provides remote access to the graphical interfacebased tools available in the Windows environment. Remotely managing servers with Remote Desktop for Administration does not affect server performance or application compatibility. Unlike the other terminal service mode, no terminal server Client Access Licenses (CALs) are required to use Remote Desktop for Administration. Windows Server 2003 provides two remote administrative sessions, for collaborative purposes, and a console session.
16-bit Windows-based computers running Windows for Workgroups with TCP/IP. 32-bit Windows-based computers running every Windows OS from Windows 95 to Windows Server 2003. Windows CE-based handheld devices. Windows CE-based terminals, or thin clients.
n n
The RDC allows for automatic restoration of interrupted network connections. This is key for remote administration. In the event that an administrator is disconnected in the middle of a mission-critical operation, the RDC will reconnect the session without losing the administrators place in the operation. The RDC supports a great deal of customization for the look and feel of a remote session. Providing high color, audio, and full screen sessions, the RDC allows you to control the graphic options and connection speed. This is an important feature because as you connect remotely to servers over a slow WAN link you will want to throttle the bandwidth usage for those particular sessions. One of the biggest improvements to the RDC involves client resource redirection, which is available to Windows Server 2003 and Windows XP. You now have the capability to access local drives, network drives, and printers through the remote connection. Cut and paste, as well as large file transfers, can be accomplished between the client and server in a remote administration session.
165
Finally, in addition to the two remote sessions available for remote administration, Windows Server 2003 allows a console mode that enables you to connect to the real console of the server. Now administrative functions, such as some software installations that previously required local interaction, can be performed remotely.
remote sessions
The default level of encryption for remote sessions is bidirectional 128-bit. Some older terminal service clients might not support 128-bit encryption.
1. From the Control Panel, double-click the System icon. 2. Choose the Remote tab. 3. On the bottom of the screen, click the check box to Allow Users to Connect Remotely to your computer, as shown in Figure 8.1. 4. Click OK to complete the configuration. FIGURE 8.1 Enabling Remote Desktop for Administration.
166
167
the flip side, when configuring the timeouts, Preventing Eavesdropping allow enough time so that accidental disconFor security purposes, when you are using the nections can be resumed without resetting console mode of remote administration, the the session. By default, when a connection is physical console of the server is automatibroken, the session goes into a disconnected cally locked to prevent eavesdropping. state and continues to execute whatever process it is running at that time. If the session is configured to reset when the connection breaks, all processes running in that session will be abruptly stopped. Disconnect and reset timeouts can be configured using the Terminal Services Configuration Administrative tool.
168
Administrative privileges in Active Directory. Network access to a domain controller in a Windows Server 2003 domain. Domain membership of the Windows XP Professional workstation in the Windows Server 2003 domain.
To install Windows Server 2003 Administrative Tools on a local Microsoft XP workstation, follow these steps:
1. Insert the Windows Server 2003 CD-ROM and browse to the i386 folder. 2. Double-click Adminpak.msi. 3. Click Next, and then click Finish. When installing the Windows Server 2003 Administration Tools on a Windows XP workstation, it is a best practice to also install the Windows Server 2003 help files. On a Windows XP workstation, by default, there is only the Windows XP help. If the workstation is intended to be an administrators remote console, the Windows Server 2003 help files should be locally available.
Again, installing the Windows Server 2003 help files can only be installed on Windows Server 2003 servers and Windows XP Professional SP1 workstations. The Windows Server 2003 help files can be installed on an XP workstation from either the installation media or over the wire from a Windows Server 2003 server. To install the help files from the install media, perform the following steps on the workstation: 1. Click Start, and then click Help and Support. 2. In Help and Support Center, click the Options button. 3. Under Options, click Install and Share Windows Help. 4. Choose Install Help Content from a CD or Disk Image. 5. Browse to the CD, and click the Find button. 6. Click the Install button.
169
Basically, the Convenience Consoles are customized MMCs that contain tools and MMC snapins that fall into related groups. The MMCs are included in the installation and appear in the Administrative Tools program group of the XP Workstation. The consoles can be published to administrative workstations for administrators who have been delegated permissions in the given category. There are three Convenience Consoles included in the Tools Pack:
n
Active Directory Management. This console includes Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and DNS. The file associated with this console is ADMgmt.msc. Public Key Management. This console includes Certification Authorities, Certificate Templates, Certificates for Current User, and Certificates for Local Computer. The file associated with this console is PKMgmt.msc IP Address Management. This console contains the DHCP, DNS, and WINS management tools. The file associated with this console is IPAddrMgmt.msc.
170
171
you can manage a server without the need for a keyboard, mouse, local monitor, or video adapter. EMS uses text-mode communication only, which provides flexibility as to the means by which servers are remotely accessed. These methods include serial connections, terminal concentrators, and terminal emulators. With the proper hardware and EMS configuration, out-of-band support is provided to the servers kernel components, the loader, setup, Recovery Console, and Stop errors. When the server is up and running, EMS provides a text-mode management console called Special Administration Console (SAC), which will be discussed later in this section. If the server hardware supports it, EMS can be installed with the Windows Server 2003 operating system. By enabling firmware console redirection in the systems BIOS before installing the OS, EMS will be self-configured on installation. To enable EMS after the operating system is installed, you can use the bootcfg.exe command with the /EMS switch in the command console. For example, the following command enables EMS to use COM1 with a baud rate of 19200 on the first boot entry ID:
Bootcfg.exe /EMS ON /PORT COM1 /BAUD 19200 /ID 1
BEST PRACTICE
bootcfg.exe Syntax
The syntax for the bootcfg.exe /EMS command is illustrated as follows:
BOOTCFG /EMS value [/S system [/U user [/P [password]]]] [/PORT port] [/BAUD baudrate] [/ID bootid]
Parameter List: /EMSs /S /U /P /PORT /BAUD /ID Value computer Domain\user password port baudrate Bootid On, Off, or Edit Specifies a remote computer Specifies user context Password for the user account Specifies the COM port to be used for redirection. Valid ports are COM1, COM2, COM3, COM4, BIOSSET(EMS uses BIOS settings). Valid baudrates are 9600, 19200, 57600, 115200. Specifies the boot entry ID to add the EMS option. This is required when the EMS value is set to ON or OFF.
172
most EMS functionality. Additional hardware, such as a service processor that is independent of the main server processor, will enhance EMS functionality. If the server hardware includes a service processor, console redirection should be available. The firmware must also use the same terminal conventions as EMS.
The serial port is the most common out-ofband hardware interface because it provides multiple methods of remote access, such as terminal concentrators and modems. By default, EMS uses the first serial port (COM 1 at 3F8). It is important to verify that the motherboard serial ports are enabled, and that no other device is using that resource. EMS and the Windows debugger cannot share the same COM port. The actual configuration of the serial port will depend on the firmware settings available for a server. Some computers will enable user configuration, whereas others might simply have an Enabled/Disabled setting. Best practices for hardware configuration with EMS are as follows:
n
Enable the appropriate port and maintain the default setting. Because EMS works with COM1 at 3F8 automatically in most cases, this should be the target configuration. Configure the port to use the highest baud rate available to the hardware. This will provide the best performance and reduce slow text-mode processes. Use a null modem cable with the serial port connection. Select hardware and firmware that support VT-UTF8. This terminal environment provides the best compatibility with EMS. Sending the proper command escape sequences are more difficult in a telnet session using VT100 and V100+.
n n
Restart or shut down the server. View and end active processes. View and set server IP address. Generate a stop error to create a memory dump. Start and access command prompts.
173
Because SAC enables you to access the command prompt, any text-based utilities usable in a Telnet session are available (provided there are system resources to run them). For example, the common communications accessory, HyperTerminal, can be used to access SAC on an EMS enabled server, as shown in Figure 8.4. FIGURE 8.4 Using HyperTerminal to access the SAC command line.
SAC includes command shell utilities, such as dir, and text-based console programs, such as bootcfg.exe. Access to the command prompt requires a user logon with a local or domain account. If SAC fails or becomes unavailable, !Special Administration Console (!SAC) is enabled. The !SAC is an auxiliary console environment hosted by Windows Server 2003 that has a subset of the features available with SAC. With !SAC, you can redirect Stop error message text and restart the server.
174
Using Windows Messenger. Windows Messenger is the preferred method for sending the invitation for assistance because it provides additional ways for the two machines to find each other over the Internet. If the two computers are on separate networks, separated by firewalls, and/or use Network Address Translation (NAT), this is the method to use.
175
Sending an e-mail. Remote Assistance uses Simple Mail Advanced Programming Interface (MAPI) to help compose the invitation. The inviter or Novice sends an e-mail to the invitee or Expert with an attachment. When the Expert opens the attachment, he is prompted for a password, providing that the Novice specified a password, and the process continues.
Remote Assistance
If an e-mail client has not yet been configured, Remote Assistance attempts to help the Novice configure it. To change the e-mail client that Remote Assistance uses, in Control Panel, double-click Internet Options, and on the Programs tab, change the e-mail setting to the appropriate e-mail client. Some e-mail clients that do not support Simple MAPI will not appear as an option in the Internet Options Control Panel program.
Saving and transferring a file. This method is used if there is no compatible MAPI client installed, or if other prerequisites are not available. This option enables the Novice to save the same file that would be created and attached to an e-mail automatically to be saved to her local drive or to a network share. The file can be transferred on a network share, a floppy disk, or other means. When the Expert receives the file, he can double-click it to open the invitation and start the Remote Assistance session.
To invite another administrator for Remote Assistance by sending a file, perform the following steps: 1. Open Help and Support Center by clicking Start and then clicking Help and Support. 2. Under Ask for Assistance click Invite a Friend to Connect to Your Computer with Remote Assistance. 3. Click Invite Someone to Help You. 4. Click Save Invitation as a File. 5. Specify the Inviters name, and an expiration time for the invitation, then click Continue. 6. Type in a password that will unlock the invitation, retype the password for confirmation, and click Save Invitation. 7. Select a location accessible to the Expert to save the file. 8. When the Expert receives the invitation, the Expert is prompted for the password. After supplying this password, the Expert can initiate the Remote Assistance session. 9. After the Expert initiates the session, the Novices computer verifies the password that the Expert entered. 10. The Novices computer also checks to make sure that the invitation that the Expert used is a valid invitation and that the invitation is still open. 11. If the invitation is open and the password is correct, the Novice receives a notification stating that the Expert wants to start the session now and the Novice is prompted to start the Remote Assistance session.
176
13. The Expert can request to take control of the Novices computer at this point by clicking the Take Control button on the Expert console. This sends a message to the Novices computer notifying the Novice that the Expert is requesting to take control of the computer. 14. When the collaborative session is complete, the session can be ended by the Novice or Expert by clicking the Disconnect button.
177
Depending on the topological location of the server, firewall technologies can be used to protect the server. Some servers, such as VPN and Web servers, are more prone to attack due to their topological proximity to the Internet. As such, firewalls should be deployed and properly configured to filter network traffic to and from such servers. Enable IPSec. IPSec policies provide both the strength and flexibility to protect communications between private network computers, domains, sites, remote sites, extranets, and dial-up clients. It can even be used to block receipt or transmission of specific traffic types. With an Active Directory domain, IPSec policies can be enforced using Group Policy. Require all users who make remote connections to use strong passwords. The role that passwords play in securing an organizations network is often underestimated and overlooked. Passwords provide the first line of defense against unauthorized access to the server. Password-cracking tools continue to improve, and the computers that are used to crack passwords are more powerful than ever. Limit the users who can log on to the server remotely. You can leverage security templates, or group policies to limit whom can connect to a server through Terminal Services. The setting Allow Logon through Terminal Services can be found in the Group Policy Editor by navigating to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Always password-protect Remote Assistance. A Remote Assistance invitation that has no password associated with it might be intercepted by an attacker, giving him the capability to remotely interact with a server. For this reason, it is also important to set an expiration time on the invitation.
178
For servers enabled for remote administration, it is important to audit the success and failure of logon events, account management, policy changes, and system events. Also, failure of privileged use events should logged.
179
180
181
2. Choose Add/Remove Windows Components. 3. Navigate to Application Server\Internet Information Services\World Wide Web Services and then choose Remote HTML Administration. Click the OK button three times for dialog prompts and then click Next. 4. Insert the Windows Server 2003 installation media when prompted. 5. When the installation completes, click Finish. After the HTML tool is installed, the remote administration functionality must be enabled in Internet Information Services Manager. To maintain a high level of security for the Web server, it is important to restrict remote access to the server to a select IP address or group of IP addresses from which the server can be remotely administered. In the following example, a Web server will be enabled for remote administration, but will be configured so that only a computer with an IP address of 192.168.20.20 will be able to remotely administer IIS for that server. To enable the HTML remote administration tool, perform the following steps: 1. Click Start, point to Administrative Tools, and then click Internet Information Services Manager. 2. Expand ServerName, where ServerName is the name of the Web server, and then expand Web Sites. 3. Right-click Administration and then click Properties. 4. Under Web Site Identification, record the numbers that are displayed in the TCP Port box and SSL Port boxes. The defaults are 8099 and 8098. 5. Click the Directory Security tab, and then click the Edit button under IP address and domain name restrictions. 6. In the IP Address and Domain Name Restriction dialog box that appears, click Denied Access, and then click Add. 7. The Grant Access On dialog box appears. Under Type, click Single computer. 8. Type the IP address, in this example, 192.168.20.20 as shown in Figure 8.9, and then click OK. 9. Click OK again to complete the configuration, and close Internet Information Services Manager.
182
After the Remote Tool is installed, and the Web server is enabled for remote administration, perform the following steps to remotely administer the Web server: 1. Start Microsoft Internet Explorer, and then type the host name of the Web server, followed by the port number that was recorded earlier in the SSL Port box, and then click Go. For example, if the Web server is on an intranet, and the SSL port number is 8098, type the following URL: https://ServerName:8098 (where ServerName is the name of the Web server). 2. At the prompt, enter a username and password for the Web server. The Remote Administration Tool is then displayed in the browser window. 3. From this point, there are several links and options to choose from in administering the Web server. Choose one that is appropriate for the task at hand and continue to remotely manage the server.
Summary
Windows Server 2003 provides a wealth of options that enable administrators the flexibility necessary to manage servers in a distributed IT environment through remote administration tools and techniques. Although some tools are really just enhancements of technologies introduced in earlier operating systems, there are many new features that make Windows Server 2003 a compelling alternative and worthwhile investment in terms of both manageability and security. Administrators can now remotely attach to servers without a network connection, keyboard, mouse, or video adapter to troubleshoot and bring the server back online without making expensive and timely visits to the servers physical location.