
Server management strategies

What Is Server Management?

Server management is the process of monitoring and maintaining servers to operate at peak
performance. Server management also encompasses the management of hardware, software,
security, and backups. The primary goals of an effective server management strategy are to:

 Minimize, and ideally eliminate, server slowdowns and downtime
 Build secure server environments
 Ensure servers continue to meet the needs of an organization as it evolves

Server Management Basics

Server management basics include management of hardware, software, security, and backups.
The following are important elements of effective server management, whether it is delivered
as an IT strategy or as a software solution.

Hardware Management
Central Processing Unit (CPU): The CPU is the brains of a server, performing the calculations
that make programs run. CPU utilization should be monitored continuously. A CPU running close
to 100% utilization for an extended period is overtaxed: there is no spare capacity for additional
work, so everything that depends on the server risks slowing to a crawl. To deal with an overused
CPU, you may need to upgrade the chip, add more CPUs, or stop unnecessary programs that are
consuming system resources. A more complex option is tuning other parts of the system so that
they put less load on the CPU. A sustained, unexplained rise in CPU use is also worth checking
from a security angle, because cryptomining malware and other unwanted processes show up first
as lost capacity.
Random Access Memory (RAM): RAM is a server’s working memory. This form of temporary
storage runs faster than permanent hard disks. Programs running from RAM will perform better
given this speed advantage.
Hard Drive: The hard drive (also referred to as a hard disk) is a server’s permanent storage.
Programs and data are saved here even when the machine is shut down. Performance can
degrade when a hard drive nears maximum capacity.
CPU Temperature: Servers generate a great deal of heat. Most physical servers have built-in
temperature sensors that report whether the CPU temperature is in the normal range. If the CPU
temperature gets too high, shut down the server and investigate the cause before the heat
damages the hardware.
Operating Environment: In addition to the internal temperature of a server, pay attention to the
operating environment where the server is located. A server room must be kept at the proper
temperature and humidity, with airflow maintained, for peak server performance and reliability.
Software Management
Just like hardware, server software needs monitoring and regular maintenance. Make sure you
understand the software dependencies within your infrastructure, so you can better locate and
tune any performance issues.
Also, follow basic application-management best practices: existing software, firmware, and
operating systems should be updated regularly for both performance and security. Poorly
performing software can drag down other parts of the system, and unpatched software carries
known vulnerabilities that attackers can use to enter your network. It is also good practice to
uninstall old software you are no longer using, since it is rarely patched but remains reachable.
Security
An important component of server management is maintaining a secure network. Security
policies differ depending on the needs and industry of the business. Common server security
measures include:

 Installing and keeping up to date antivirus software.
 Putting firewalls in place to keep out unauthorized traffic.
 Using a password policy or access control software so that only strong passwords are
accepted. Note that current guidance (NIST SP 800-63B) recommends against forcing users to
change passwords on a schedule; require a change only when compromise is suspected, screen
new passwords against breached-password lists, and add multi-factor authentication for
administrative access.
 Encrypting sensitive data at rest and external network connections in transit.
 Implementing SIEM tools.
 Analyzing logs and following security logging best practices to better understand potential
threat trends.

Backups
Your final responsibility in effective server management is taking regular backups. Losing
important data can be a disaster for any enterprise. Fortunately, several robust backup solutions
are available in the marketplace, including server backup software that supports both physical
and virtual servers.
The server's power supply should also have a backup, typically an uninterruptible power supply
(UPS), so data is not lost during a power outage.
There are also tools that let you quickly perform and automate backups and recoveries, in addition
to monitoring backup status to avoid potential data loss. Because ransomware routinely targets
backup servers and network-reachable backup shares, keep at least one copy offline or in
immutable storage, and test restores on a schedule; a backup that has never been restored is an
assumption, not a backup.
Remote Server administration
RSAT (Remote Server Administration Tools) is the set of Microsoft Management Console
snap-ins, Server Manager, and PowerShell modules used to manage Windows Server roles and
features remotely. It ships as a feature of Windows Server and is also available for Windows
client editions (as a download for older clients and as an optional feature from Windows 10
version 1809 onward), so administrators can manage servers from their workstations instead of
logging on to each server.

Remote server access is the capability to access a computer or a network from another location
over a network connection. It allows users to reach the systems they need when they cannot be
physically present.
Put simply, users access the systems remotely through a telecommunications or Internet
connection. Remote Access Services are also used by organizations to connect internal networks
and systems to each other.

Planning for Remote Administration Tools

Windows servers and clients support two types of remote desktop control without the use of
third-party applications:

 Remote Assistance
 Remote Desktop Services

Both are addressed in this section briefly, and Remote Desktop Services is covered in greater
detail in the section of this chapter titled “Understanding Remote Desktop Services.” This
section also addresses virtual private networks and the roles they play in remote access.

Understanding Remote Desktop Services

Remote Desktop Services (RDS) is the current name for what was formerly Terminal Services.
Terminal Services was initially released as a special edition of Windows NT 4.0 Server
(Terminal Server Edition) in the 1990s. It remained a feature of Windows Server, under that
name, through Windows Server 2008. With the release of Windows Server 2008 R2, the
technology was renamed Remote Desktop Services, even though the core usage and functionality
did not change. RDS provides the service that allows administrators to access desktops from
remote locations and allows users to access virtual desktops and virtual applications in the
enterprise. This section explains important topics you should understand in order to plan for the
use of RDS in an organization.

Remote Desktop versus Remote Desktop Services

The first thing you should understand is the difference between what Microsoft calls Remote
Desktop and Remote Desktop Services. Remote Desktop (more precisely, Remote Desktop for
Administration) is a feature built into Windows servers and clients that allows administrators to
connect to a machine and manage it from a remote client using the Remote Desktop Connection
software (mstsc.exe). Remote Desktop is not intended for users to gain access to applications on
servers. It does not require additional licensing because it is intended only for support purposes
and is limited to two simultaneous administrative sessions. It uses the same RDP protocol as
Remote Desktop Services, but it is much simpler to enable and configure.

Remote Desktop Services enables hundreds of users to access applications running on Windows
servers. For example, with Remote Desktop Services, users can run Microsoft Office from the
server. However, Remote Desktop Services can also be used to allow administrators to access
various administration tools from remote locations. In summary, Remote Desktop Services allows
everything Remote Desktop allows and also allows many users to access the server
simultaneously, which is why it requires RDS client access licenses (CALs).
To enable Remote Desktop on a Windows Server 2008 or 2008 R2 server, follow this procedure:

1. Click the Start menu, right-click Computer, and select Properties.
2. Click the Remote Settings link on the left menu of the System screen. The System Properties
dialog opens on the Remote tab.
3. Under Remote Desktop, choose either of the following:
Allow Connections From Computers Running Any Version Of Remote Desktop
Allow Connections Only From Computers Running Remote Desktop With Network
Level Authentication
4. Click OK.

Choose the Network Level Authentication option unless you must support clients that cannot
use it: with NLA the client authenticates before a session is created, so unauthenticated attackers
never reach the logon screen or the session-creation code path. Enabling Remote Desktop also
enables the built-in Remote Desktop firewall rules, which accept TCP port 3389 from any
address; restrict them to management networks, and never expose port 3389 directly to the
Internet.

After enabling Remote Desktop on the server, you can connect to it from a Windows client using
the Remote Desktop Connection application and the following procedure:

1. From a Windows 7 or Vista desktop, select Start ⇒ Accessories ⇒ Remote Desktop
Connection (or run mstsc.exe).
2. In the Remote Desktop Connection dialog, enter the name or IP address of the server to
which you want to connect.
3. Click the Options drop-down arrow to customize the display, access to local resources,
programs to execute upon connection, and the experience within the connection, such as
the graphical richness of the connection. Redirecting local drives and the clipboard into a
server session is convenient, but it gives anything running on the server access to those
resources, so leave them off for administrative connections where you can.
4. On the General tab, enter the username with which you want to connect and then click
Connect.
5. When prompted for credentials, enter the password for the username you entered in step
4. If the server's certificate is not trusted, Remote Desktop Connection warns you; on a
managed network that warning means either the server still has a self-signed certificate
that should be replaced, or you are not talking to the server you think you are.
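The same two procedures (enabling Remote Desktop with the NLA-only option, then connecting) done from an elevated PowerShell prompt on Windows Server 2012 R2 or later. This is an added example and not code from the original text; the management subnet 10.0.100.0/24 and the server name srv01.corp.example.com are assumptions.

```powershell
# Added example: enable Remote Desktop for administration with Network Level
# Authentication (NLA) from an elevated PowerShell session (Windows Server 2012 R2+).
# The management subnet and server name below are assumptions, not values from the text.
$MgmtSubnet = '10.0.100.0/24'
$Server     = 'srv01.corp.example.com'

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Join-Path $ts 'WinStations\RDP-Tcp'

# 1. Allow connections (fDenyTSConnections=1 is the default "no remote connections").
Set-ItemProperty -Path $ts  -Name fDenyTSConnections -Value 0 -Type DWord
# 2. Require NLA: the client must authenticate (CredSSP) before a session is created,
#    which keeps unauthenticated peers away from the logon screen and the RDP stack.
Set-ItemProperty -Path $rdp -Name UserAuthentication  -Value 1 -Type DWord
# 3. Require TLS for the transport (SecurityLayer 2) rather than legacy RDP security.
Set-ItemProperty -Path $rdp -Name SecurityLayer       -Value 2 -Type DWord

# 4. Open TCP/3389 inbound, but only from the management subnet on the Domain profile.
#    The built-in "Remote Desktop" rule group allows any source address, so leave it off.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP (admin subnet only)' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtSubnet -Profile Domain -Action Allow |
    Out-Null

# 5. Verify the effective settings before relying on them.
[pscustomobject]@{
    ConnectionsAllowed = (Get-ItemProperty $ts).fDenyTSConnections -eq 0
    NlaRequired        = (Get-ItemProperty $rdp).UserAuthentication -eq 1
    ListeningOn3389    = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
}

# --- On the administrator's workstation: connect to the server ---------------------
# /v names the server; /admin requests the administrative session used by Remote
# Desktop for Administration, which does not consume an RDS CAL.
# mstsc.exe /v:$Server /admin
```

The registry values are the ones the System Properties Remote tab writes; setting them directly does not enable the firewall rules, which is why step 4 creates a scoped rule instead of relying on the built-in group.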

Delegating control

Delegation allows you to hand specific AD management tasks to ordinary domain users without
making them members of privileged domain groups such as Domain Admins or Account
Operators. For example, you can use delegation to grant a particular AD security group (say,
Helpdesk) permission to add users to groups, create new users in AD, and reset account
passwords.

Features of Control Delegation in Active Directory

To delegate privileges in AD the Delegation of Control Wizard in Active Directory Users and
Computers (DSA.msc) is used.

You can delegate administrative privileges in AD at quite a detailed level. You can grant one
group permission to reset passwords in an OU, another to create and delete accounts, and a third
to manage group membership. You can configure permission inheritance for nested OUs.
Privileges can be delegated at the following levels:

 AD site;
 The whole domain;
 A specific Organizational Unit (OU) in Active Directory.
Usually it is not recommended to delegate control directly to a user account. Create a new
security group in AD instead, add a user to it and delegate permissions on an OU to the group. If
you want to grant the same privileges to another user, just add them to this security group.

Delegate Password Reset and Unlock Account Permissions in AD

1. Run the Active Directory Users and Computers (dsa.msc) console, right-click the OU
containing the users, and select Delegate Control.
2. Select the group to which you want to grant administrative privileges.
3. Either select one of the preconfigured sets of privileges (Delegate the following common
tasks) or create your own delegation task (Create a custom task to delegate). This example
uses the second option.
4. Select the type of AD objects on which you want to grant administrative privileges. Since
we want to grant control over user accounts, select User objects. If you also want to grant
permission to create or delete users in the OU, select Create/Delete selected objects in this
folder; this example does not grant those privileges.
5. In the list of permissions, select those you want to delegate. This example selects the
permissions needed to unlock an account (Read lockoutTime and Write lockoutTime) and to
reset a password (Reset password).
6. Click Next, and confirm the delegation.

Two cautions. The Delegation of Control Wizard only adds permissions and has no undo, so
removing a delegation means editing the OU's security descriptor by hand (Advanced Security
Settings, or dsacls). And Reset password lets the Helpdesk group take over any account in that
OU, so make sure no privileged accounts live there. Members of protected groups such as
Domain Admins are exempt anyway: the AdminSDHolder process periodically overwrites their
ACLs, which is why a delegation that "does not work" for an administrator's account is working
as designed.
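The same delegation (reset password plus read/write lockoutTime, scoped to user objects under one OU) performed with the ActiveDirectory module, followed by a read-back of what the group can now do. This is an added example rather than the page's own procedure; the OU distinguished name and the group name Helpdesk are assumptions, while the three GUIDs are the schema and rights identifiers Microsoft documents, which are the same in every forest.

```powershell
# Added example: delegate "Reset password" and "unlock account" on one OU to the
# Helpdesk group with the ActiveDirectory module, equivalent to the wizard steps above.
# OU path and group name are assumptions.
Import-Module ActiveDirectory

$OU    = 'OU=Staff,DC=corp,DC=example,DC=com'
$Group = Get-ADGroup 'Helpdesk'
$sid   = [System.Security.Principal.SecurityIdentifier]$Group.SID

# Well-known GUIDs (documented by Microsoft, constant in every forest):
$userClass   = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "user"
$resetPwd    = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right "Reset Password"
$lockoutTime = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # attribute lockoutTime

$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$acl = Get-Acl -Path "AD:\$OU"

# "Reset password" extended right, inherited only by user objects under the OU.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow, $resetPwd, $inherit, $userClass))

# Read + write lockoutTime (writing 0 unlocks the account), again user objects only.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty,WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow, $lockoutTime, $inherit, $userClass))

Set-Acl -Path "AD:\$OU" -AclObject $acl

# Verify: list what Helpdesk can now do on the OU. Anything beyond these two entries
# (GenericAll, WriteDacl, WriteOwner, writes to "member") is an escalation path to review.
(Get-Acl "AD:\$OU").Access |
    Where-Object { $_.IdentityReference -like '*\Helpdesk' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited
```

The equivalent with the built-in dsacls tool is `dsacls "OU=Staff,DC=corp,DC=example,DC=com" /I:S /G "CORP\Helpdesk:CA;Reset Password;user" /G "CORP\Helpdesk:RPWP;lockoutTime;user"`. Either way, run the read-back after every delegation change and keep the output; an OU ACL is where most unnoticed privilege creep in Active Directory accumulates.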

Group policy strategy

Group Policy is a hierarchical infrastructure that allows a network administrator in charge of
Microsoft's Active Directory to implement specific configurations for users and computers.
Group Policy is primarily a configuration-management tool, and one of its most important uses is
applying security settings to users and computers. These policies, collectively referred to as
Group Policy Objects (GPOs), are each a collection of individual Group Policy settings. GPOs
are administered from a central interface called the Group Policy Management Console (GPMC).
Group Policy can also be managed and troubleshot with command-line tools such as gpresult and
gpupdate, and with the GroupPolicy PowerShell module.

Creating and managing the group policy in window server 2016

This section shows how to create a Group Policy Object in Windows Server 2016. First open the
Group Policy Management console from Server Manager (Tools menu). From GPMC you can
link policies to the domain or to Organizational Units (OUs). A simple example follows.

1. Right-click the domain name and select Create a GPO in this domain, and Link it here.
2. Give the new GPO a name (here, Information Security) and click OK.
3. Right-click the new Group Policy Object and select Edit.
4. As a simple editing example, browse to Computer Configuration > Policies > Windows
Settings > Security Settings > Account Policies > Password Policy, open Maximum password
age, set the number of days after which passwords expire, and click OK. Note that Account
Policies take effect for domain accounts only from GPOs linked at the domain level (the Default
Domain Policy by default); the same settings in a GPO linked to an OU affect only the local
accounts of computers in that OU.
5. Select the GPO and open its Settings tab to review which settings are enabled.
Block Inheritance Group Policy
Blocking inheritance on an OU prevents GPOs linked at the domain and at parent OUs from
applying to that OU and its children; only GPOs linked directly to the OU (and enforced GPOs,
see below) still apply. To block inheritance, right-click the Organizational Unit and select Block
Inheritance.

In the example, the BPO and Technical Dept OUs are shown with inheritance blocked.

Enforcing a GPO link gives it precedence over everything lower in the hierarchy and applies it to
all OUs beneath the link in Active Directory. That means that even if you have blocked
inheritance on an OU, an Enforced GPO overrides the block and the enforced settings still apply.
Be careful when selecting Enforce: it overrides the settings of lower-level GPOs and may cause
issues for OUs that were deliberately given different settings. Enforce is the right tool for settings
that must not be opted out of, such as a domain-wide audit policy or the link to the WSUS server.

To enforce a link, right-click the GPO link and select Enforced.


Link enabled GPO

Link Enabled means that the GPO link to the OU is active, so the policy applies to the objects
within that OU. Disabling the link leaves the GPO in place without applying it, which is a
convenient way to pull a policy back during troubleshooting. Right-click the GPO link and select
Link Enabled to toggle it.

By default, Group Policy refreshes every 90 minutes, with a random offset of up to 30 minutes so
that clients do not all contact the domain controllers at once (domain controllers themselves
refresh every 5 minutes). At each refresh the client checks whether any policy has changed and
applies new or changed policies that apply to it. To update immediately, run gpupdate /force on
the client, which re-applies all settings rather than only the changed ones.
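The whole sequence above (create, link, set a password policy, block inheritance, enforce, inspect, refresh) done with the GroupPolicy and ActiveDirectory modules from a domain controller or an RSAT workstation. This is an added example, not from the original text; the domain corp.example.com, the OU names and the 'Information Security' GPO name are assumptions.

```powershell
# Added example: the GPO tasks from this section done with the GroupPolicy module.
# Domain, OU and GPO names are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain   = 'corp.example.com'
$DomainDN = 'DC=corp,DC=example,DC=com'
$OU       = "OU=Technical Dept,$DomainDN"

# Create the GPO and link it at the domain root
# (GPMC: "Create a GPO in this domain, and Link it here").
$gpo = New-GPO -Name 'Information Security' -Domain $Domain -Comment 'Baseline security settings'
New-GPLink -Name $gpo.DisplayName -Target $DomainDN -LinkEnabled Yes | Out-Null

# Password policy for domain accounts is read from the domain-level policy, so set it
# through the AD cmdlet rather than a registry value in the new GPO.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MaxPasswordAge (New-TimeSpan -Days 365) -MinPasswordLength 14 -ComplexityEnabled $true `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# Registry-backed settings go straight into the GPO; here: turn off LLMNR, a common
# credential-theft vector on internal networks.
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows NT\DNSClient' `
    -ValueName EnableMulticast -Type DWord -Value 0 | Out-Null

# Block inheritance on one OU, then enforce the domain link so it still wins there.
Set-GPInheritance -Target $OU -IsBlocked Yes | Out-Null
Set-GPLink -Name $gpo.DisplayName -Target $DomainDN -Enforced Yes | Out-Null

# What actually applies to the OU? Enforced links are listed despite the block.
(Get-GPInheritance -Target $OU).InheritedGpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order

# Report of the GPO's settings (what the GPMC "Settings" tab shows), as HTML.
Get-GPOReport -Name $gpo.DisplayName -ReportType Html -Path "$env:TEMP\InfoSec-GPO.html"

# On a client: apply now instead of waiting for the 90-minute refresh, then confirm
# which GPOs were applied and from which links.
# gpupdate /target:computer /force
# gpresult /r /scope:computer
```

Get-GPInheritance is the check to run whenever an OU "is not getting" a policy: it shows blocked inheritance, enforced links and link order in one place, which is faster than reading gpresult on a member.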
Implement patch management strategy

Implement Windows Server Update Service (WSUS)

Windows Server 2016 is equipped with a Windows Update client that automatically downloads
operating system updates from Microsoft's web servers and installs them. By enabling an
optional setting, you can have Windows Update download updates for other Microsoft products
as well.
The simplest software update strategy you can implement on a network is to let Windows
Update run with its default settings. Microsoft publishes most updates monthly, so the client
typically downloads and installs a batch of updates about once a month. However, in an
enterprise environment, this practice can result in some problems, including the following:

Bandwidth Utilization Each computer running the Windows Update client downloads its own
copy of every update from the Microsoft servers on the Internet. A large network can therefore
consume a huge amount of Internet bandwidth downloading hundreds of copies of the same files.

Update Approval The Windows Update client defaults do not give users or administrators an
opportunity to evaluate the updates before they are installed. You can specify a time during
which the system will reboot if necessary, but this would require someone to manage each
computer individually.

Compliance The default Windows Update configuration provides no means for administrators to
confirm that a client has installed all the required updates, except to examine the Update History
on each computer individually.

On all but the smallest networks, the Windows Update client with its default settings is not a
reliable update solution. To address these problems, you can design an alternative update
deployment strategy for your network, using Group Policy settings and Windows Server Update
Services (WSUS).

WSUS architectures

Windows Server Update Services (WSUS) is a role included in Windows Server 2016 that
enables a local server on your network to function as the back end for the Windows Update
client, just as the Microsoft Update servers do on the Internet.

After installing a WSUS server, you can use it to supply updates to all the other servers
and workstations on your network. WSUS downloads all new updates from the Microsoft
Update servers on the Internet, and your other computers download the updates from the
WSUS server. This way, you are only paying for the bandwidth needed to download one
copy of every update.

In addition to conserving bandwidth, WSUS enables administrators to screen the available
updates, test them in a lab environment, and approve them for deployment to the clients.
Administrators can therefore retain ultimate authority over which updates get installed and when
the installations occur.
A single WSUS server can support many Windows Update clients, which means that one server
is theoretically enough for all but the largest networks. However, WSUS also supports a few
architectural variations, to accommodate topologies of various sizes that include remote users
and branch offices with limited communication capabilities.

There are five basic WSUS architecture configurations, as follows:

Single WSUS Server A single WSUS server downloads updates from the Microsoft Update
website and all the other computers on the network download the updates from that WSUS
server, as shown in Figure 6-1. A single WSUS server can support as many as 25,000 clients, so
this configuration is suitable for most enterprise networks.

WSUS single server architecture.

Replica WSUS Servers One central WSUS server downloads updates from the Microsoft
Update site on the Internet. Administrators at that central site evaluate and approve the
downloaded updates, and WSUS servers at remote locations—called downstream servers—
obtain the approved updates from that first server, as shown in Figure 6-2. Intended for networks
with well-connected branch offices, this arrangement enables clients to access their updates from
a local source, minimizes the Internet bandwidth used, and enables the administrators of the
central server to manage the updates for the entire enterprise.

The WSUS remote server architecture

Autonomous WSUS Servers Like the replica WSUS server architecture, except that the remote
WSUS servers download all available updates from the central server, and administrators at each
site are responsible for evaluating and approving updates for their own users.

Low-bandwidth WSUS Servers WSUS servers at remote sites download only the list of
approved updates from the central WSUS server, without downloading the updates themselves.
The remote servers then download the approved updates from the Microsoft Update servers on
the Internet, using their relatively fast Internet connection to do so. This arrangement enables
remote sites with low-bandwidth or metered Wide Area Network (WAN) connections to the
main office to minimize WAN traffic.

Disconnected WSUS Servers Administrators at the main office save the updates to an offline
medium, such as portable drives or DVD-ROMs, and ship them to the remote sites, where other
administrators import them for deployment. This enables the main office administrators to
exercise control over the update process while utilizing no WAN or Internet bandwidth.
WSUS role Installation

The Select Role Services page for a WSUS role installation

WSUS storage

The Content Location Selection page, as shown in Figure, appears in the Add Roles and Features
Wizard. On this page, you can specify whether you want to store downloaded updates on the
server’s local NTFS drive. The Store Updates In the Following Location checkbox is selected by
default, and you can specify the drive and folder where you want the server to store the update
files.
The Content Location Selection page in the Add Roles and Features Wizard.

To configure WSUS, use the following procedure.

1. In Server Manager, click Tools | Windows Server Update Services. The Windows Server
Update Services Configuration Wizard appears.
2. On the Choose Upstream Server page, select one of the following options:

Synchronize From Microsoft Update Configures the server to download all update information
and updates from the Microsoft Update servers on the Internet. Use this option for single server
WSUS implementations or for the first WSUS server you install at the top of a WSUS hierarchy.

Synchronize From Another Windows Server Update Services Server Configures the server to
download all update information from another WSUS server on your network. Use this option to
create the lower levels of a WSUS server hierarchy. When you select this option, as shown in
Figure, you must specify the name and port number of the upstream WSUS server and specify
whether the connection between the servers should use SSL/TLS (port 8531 by default, versus
8530 for plain HTTP). Select the This Is A Replica Of The Upstream Server checkbox to
download only the updates approved at the upstream server. Use TLS for both server-to-server
and client-to-server traffic: WSUS update metadata sent over plain HTTP can be altered by an
attacker on the network path, and because clients install whatever their WSUS server tells them
to, that is a route to code execution as SYSTEM on every client.
The Choose Upstream Server page in the Windows Server Update Services Configuration
Wizard

3. On the Specify Proxy Server page, select the Use A Proxy Server When Synchronizing
checkbox if the server requires a proxy server to access the Internet or the upstream server you
specified. Then, specify the proxy server name and port number, as well as the credentials
needed to access the proxy server, if necessary.

4. On the Connect to Upstream Server page, click Start Connecting to access the upstream server
you selected and download information about the available updates. This process is called
synchronization in WSUS.
5. By default, WSUS downloads updates in all available languages, which can consume a lot of
unnecessary bandwidth and disk space. On the Choose Languages page, shown in Figure, you
can select the Download Updates Only In These Languages option and specify which languages
your WSUS clients use. This configures the WSUS server to download updates only in the
selected languages.

The Choose language page of the WSUS configuration wizard

6. On the Choose Products page, shown in Figure, you select the Microsoft products and versions
for which you want to download updates. By default, all the Windows products and versions are
selected. If you do not use some of the selections on your network, you can clear their
checkboxes and save more bandwidth and disk space.
The Choose Products page of the Windows Server Update Services Configuration Wizard

7. On the Choose Classifications page, shown in Figure 6-8, you specify what types of updates
you want the server to download. By default, Critical, Definition, and Security Updates are
selected, as well as Upgrades. You can select other classifications, but be mindful that some of
these classifications, such as the Service Packs for older Windows versions, can be very large.

8. On the Set Sync Schedule page, Synchronize Manually is the default option, requiring you to
start a synchronization to download new updates. You can also select the Synchronize
Automatically option, as shown in figure, to set a scheduled start time and the number of times
each day that synchronization should occur.
The Set Sync Schedule page of the Windows Server Update Services Configuration Wizard
9. On the Finished page, select the Begin Initial Synchronization check box and click Finish.
WSUS begins synchronizing with its upstream server and downloading information about the
updates that are available.
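The role installation, content location and every page of the configuration wizard above, scripted with the UpdateServices module, followed by the Group Policy settings that point clients at the server over TLS. This is an added example and not part of the original text; the content directory D:\WSUS, the server name wsus01.corp.example.com, the product and language selections and the 'WSUS Clients' GPO name are assumptions.

```powershell
# Added example: install and configure WSUS on Windows Server 2016 from PowerShell,
# mirroring the wizard pages above. Paths, names and selections are assumptions.
Import-Module ServerManager
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools | Out-Null

# Post-installation task the wizard normally runs: choose the update content directory.
$ContentDir = 'D:\WSUS'
New-Item -ItemType Directory -Path $ContentDir -Force | Out-Null
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=$ContentDir

Import-Module UpdateServices
$wsus   = Get-WsusServer          # local server, HTTP port 8530 by default
$config = $wsus.GetConfiguration()

# "Choose Upstream Server": the top of the hierarchy synchronizes from Microsoft Update.
$config.SyncFromMicrosoftUpdate = $true
# For a downstream replica use instead:
#   $config.SyncFromMicrosoftUpdate = $false
#   $config.UpstreamWsusServerName = 'wsus01.corp.example.com'
#   $config.UpstreamWsusServerPortNumber = 8531; $config.UpstreamWsusServerUseSsl = $true
#   $config.IsReplicaServer = $true

# "Choose Languages": only the languages your clients actually use.
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages(@('en'))
$config.Save()

# "Choose Products" and "Choose Classifications".
Get-WsusProduct | Where-Object { $_.Product.Title -in @('Windows Server 2016', 'Windows 10') } |
    Set-WsusProduct
Get-WsusClassification | Where-Object {
    $_.Classification.Title -in @('Critical Updates', 'Security Updates', 'Definition Updates', 'Upgrades')
} | Set-WsusClassification

# "Set Sync Schedule": once a day at 03:00, then start the initial synchronization.
$sub = $wsus.GetSubscription()
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 3
$sub.NumberOfSynchronizationsPerDay    = 1
$sub.Save()
$sub.StartSynchronization()

# Point clients at this server through Group Policy. Use the HTTPS port (8531) once a
# certificate is bound to the WSUS IIS site and "wsusutil configuressl <fqdn>" has run;
# over plain HTTP an on-path attacker can substitute update metadata.
Import-Module GroupPolicy
if (-not (Get-GPO -Name 'WSUS Clients' -ErrorAction SilentlyContinue)) {
    New-GPO -Name 'WSUS Clients' | Out-Null
}
$wuKey = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
$url   = 'https://wsus01.corp.example.com:8531'
Set-GPRegistryValue -Name 'WSUS Clients' -Key $wuKey -ValueName WUServer       -Type String -Value $url | Out-Null
Set-GPRegistryValue -Name 'WSUS Clients' -Key $wuKey -ValueName WUStatusServer -Type String -Value $url | Out-Null
Set-GPRegistryValue -Name 'WSUS Clients' -Key "$wuKey\AU" -ValueName UseWUServer -Type DWord -Value 1 | Out-Null
```

The GPO still has to be linked to the OUs holding the clients (New-GPLink, as in the Group Policy section). Treat the WSUS server itself as tier-0-adjacent: whoever can approve updates there can push code to every client, so limit the WSUS Administrators group and keep the server patched from its own feed.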
Monitor servers for performance evaluation and optimization
Monitor server installations
Server performance can change over time for a variety of reasons. Workloads can change, and so
can hardware components. Part of the server administrator’s job is to track the ongoing
performance of servers, to ensure that they continue to function efficiently. Windows Server
2016 includes tools that you can use for this performance tracking, such as the Performance
Monitor console.
Monitor workloads using Performance Monitor
Performance Monitor is a tool that displays system performance statistics in real time. Using
Performance Monitor, you can display hundreds of different statistics (called performance
counters) and create customized graphs containing any information you choose.
When you open the Performance Monitor console from the Windows Administrative Tools
group, you see an Overview page containing a system summary. Click the Performance Monitor
icon and you see a line graph, updated in real time, showing the current level for the % Processor
Time performance counter, as shown in figure.

The default performance monitor display


Adding performance counters
To add counters to the Performance Monitor display, click the Add button in the toolbar or press
Ctrl+I, to display the Add Counters dialog box, as shown in figure.
The Add Counters dialog box
In the Add Counters dialog box, you must specify the following four pieces of information to
add a counter to the display:
Computer Specifies the name of the computer you want to monitor with the selected counter.
Unlike most MMC snap-ins, you cannot redirect the entire focus of Performance Monitor to
another computer on the network. Instead, you specify a computer name for each counter you
add to the display. This enables you to create a display showing counters for various computers
on the network, such as a single graph of the processor activity for all your servers.
Performance Object Specifies the hardware or software component in the computer you want
to monitor. Click the down arrow on a performance object to display the performance counters
related to that component.
Performance Counter Identifies a statistic representing a specific aspect of the selected
performance object's activities.
Instance Identifies a specific occurrence of the selected performance counter. For example, on a
computer with two network interface adapters, each counter in the Network Interface
performance object has two instances, enabling you to track the performance of each adapter
individually. Many objects also provide a _Total instance that combines all instances into one
value, so you can track the component as a whole.
Configure data collector sets
Performance bottlenecks can develop on a server over a long period, and it can often be difficult
to detect them by observing performance levels at one point in time. This is why it is a good idea
to use tools like Performance Monitor to establish baseline levels for a server. A baseline is a set
of readings, captured under normal operating conditions, which you can save and compare to
readings taken later. By comparing the baseline readings to the server’s current readings at
regular intervals, you can discern trends that might eventually affect the computer’s
performance.
To capture counter statistics in Performance Monitor console for later review, you must create a
data collector set, using the following procedure.

1. Open the Performance Monitor console and expand the Data Collector Sets folder.
2. Right-click the User Defined folder and, on the context menu, click New Data
Collector Set. The Create New Data Collector Set Wizard appears, displaying the How
Would You Like To Create This New Data Collector Set page, as shown in figure.
Create This New Data Collector Set page of the Create New Data Collector Set Wizard

3. In the Name text box, type a name for the data collector set. Then, select the Create
Manually (Advanced) option.
4. On the What Type Of Data Do You Want To Include? page, shown in figure, leave the
Create Data Logs option selected and select the Performance Counter check box.

Create New Data Collector Set Wizard

5. On the Which Performance Counters Would You Like To Log page, click Add, to
display the Add Counters dialog box.
6. Select the counters you want to log in the usual manner and click OK. The counters
appear in the Performance Counters box.
7. Select the interval at which Performance Monitor should collect samples.
8. On the Where Would You Like The Data To Be Saved Page, type the name of or
browse to the folder where you want to store the data collector set.
9. On the Create The Data Collector Set page, if the account you are currently using does
not have the privileges needed to gather the log information, click Change to display a
Performance Monitor dialog box in which you can supply alternative credentials.
10. Click Finish.
Performance Monitor information collected using a data collector set
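The counter sampling and the baseline data collector set described in the two procedures above, done from PowerShell: Get-Counter for the real-time view, logman (the command-line front end for the same data collector sets the wizard creates) for the baseline, and Import-Counter to compare a later sample against the recorded baseline. This is an added example, not code from the original; the server names, counter list and the 1.5x warning factor are assumptions.

```powershell
# Added example: sample counters, record a baseline with a data collector set, and flag
# counters that have drifted from it. Server names, counters and threshold are assumptions.
$Servers  = @('srv01', 'srv02')
$Counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Bytes Total/sec'      # one instance per adapter, as in Add Counters
)

# Real-time view (what the Performance Monitor graph shows): three samples, 5 s apart.
$now = Get-Counter -ComputerName $Servers -Counter $Counters -SampleInterval 5 -MaxSamples 3

# Create and start a "User Defined" data collector set named Baseline on this server:
# 15 s interval, binary circular log capped at 512 MB under %SystemDrive%\PerfLogs.
logman create counter Baseline -c $Counters -si 00:00:15 -f bincirc -max 512 `
    -o "$env:SystemDrive\PerfLogs\Baseline" | Out-Null
logman start Baseline
# ... let it run for a representative period, then: logman stop Baseline

# Compare a stored baseline (.blg written by the collector set) with current samples and
# report counters whose current value exceeds the baseline average by WarnFactor.
function Compare-Baseline {
    param([string]$BaselineBlg, $Current, [double]$WarnFactor = 1.5)
    $base = Import-Counter -Path $BaselineBlg
    $avg  = @{}
    foreach ($s in $base.CounterSamples) {
        if (-not $avg.ContainsKey($s.Path)) { $avg[$s.Path] = New-Object System.Collections.ArrayList }
        [void]$avg[$s.Path].Add($s.CookedValue)
    }
    foreach ($s in $Current.CounterSamples) {
        if (-not $avg.ContainsKey($s.Path)) { continue }   # counter not in the baseline
        $baseline = ($avg[$s.Path] | Measure-Object -Average).Average
        if ($baseline -gt 0 -and $s.CookedValue -gt $baseline * $WarnFactor) {
            [pscustomobject]@{
                Counter  = $s.Path
                Baseline = [math]::Round($baseline, 1)
                Now      = [math]::Round($s.CookedValue, 1)
            }
        }
    }
}

# logman appends a sequence number to the log name, so pick the newest Baseline*.blg.
$blg = Get-ChildItem "$env:SystemDrive\PerfLogs\Baseline*.blg" |
       Sort-Object LastWriteTime | Select-Object -Last 1
if ($blg) { Compare-Baseline -BaselineBlg $blg.FullName -Current $now | Format-Table -AutoSize }
```

Remote sampling with Get-Counter needs the "Performance Logs and Alerts" firewall rule group and Remote Registry on the target; on a hardened server those are usually off, in which case run the collector set locally and pull the .blg files instead.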
Server security
Configuration of Windows Server firewall
Running Firewall.cpl opens the Windows Firewall Control Panel. The following are important
Windows Firewall Control Panel elements:
Allow an app or feature through Windows Firewall This option, shown in Figure, gives you
control over basic firewall rules for installed services and applications.
Turn Windows Firewall on or off This option allows you to enable or disable Windows
Firewall for each network location profile (Domain, Private, Public). Do not disable it on
servers; if a service needs to be reachable, add a rule for it instead.
Advanced settings This option opens the Windows Firewall with Advanced Security console.
Allow or block app traffic in Windows Firewall

The Windows Firewall with Advanced Security MMC console has four main nodes:

Inbound Rules Firewall rules that pertain to incoming network traffic. The default inbound
action is Block, so traffic reaches a service only if a rule allows it.
Outbound Rules Firewall rules that apply to outgoing network traffic. The default outbound
action is Allow.
Connection Security Rules Network policies that employ IPsec to control host-to-host
authentication, encryption, and data integrity.
Monitoring Interface to audit the behavior of the firewall and connection security rules and
IPsec security associations (SAs).
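The same four console nodes driven from the NetSecurity module: profile defaults, an inbound rule scoped to a management subnet, a connection security rule, and an audit function that lists every enabled inbound allow rule with its ports and permitted sources. This is an added example and not from the original text; the admin subnet 10.0.100.0/24 and the rule names are assumptions.

```powershell
# Added example: configure and audit Windows Firewall with Advanced Security from
# PowerShell instead of the MMC. Subnet and rule names are assumptions.

# Default posture: firewall on for all profiles, inbound blocked unless a rule allows it,
# dropped packets logged so that the Monitoring node has something to show.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 16384 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Inbound rule: remote management (WinRM) only from the admin subnet, Domain profile.
$AdminSubnet = '10.0.100.0/24'
New-NetFirewallRule -DisplayName 'Mgmt: WinRM from admin subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 5985, 5986 -RemoteAddress $AdminSubnet -Profile Domain `
    -Action Allow | Out-Null

# Connection security rule: require IPsec authentication for inbound SMB and request it
# outbound. With no -Phase1AuthSet the default set is used, which in a domain is
# Kerberos computer authentication.
New-NetIPsecRule -DisplayName 'Require auth for SMB' -Protocol TCP -LocalPort 445 `
    -InboundSecurity Require -OutboundSecurity Request | Out-Null

# Audit: every enabled inbound allow rule with its ports and permitted sources.
# Rules with RemoteAddress "Any" on a service port are the ones to question.
function Get-InboundAllowRule {
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }
}
Get-InboundAllowRule | Where-Object RemoteAddress -eq 'Any' | Sort-Object LocalPort | Format-Table -AutoSize

# Monitoring node equivalents: active IPsec main-mode SAs and the tail of the drop log.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint -First 5
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 5
```

Run Get-InboundAllowRule before and after installing any role: many Windows features add broad "Any"-source rules on installation, and the diff is the quickest way to see what a role just exposed.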
Implement an antimalware solution with Windows Defender
Malware is malicious software. Windows Defender is Microsoft's built-in antimalware engine,
and it is installed by default in Windows Server 2016. As you can see in the figure, the
server-based Windows Defender application looks exactly like the client version in Windows 10,
because it is the same application (on Server 2016 the graphical front end is a separate feature,
Windows-Defender-GUI, which is not installed by default; the engine and the Defender
PowerShell module are).
Configuring Windows Defender through the Settings app
Real-time protection Windows Defender runs in the background, scans files as they are
written, opened or executed, and blocks known threats before they run.
Cloud-based protection Sends information about suspicious files to Microsoft's cloud
service, which returns a verdict faster than local signatures alone can.
Automatic sample submission By optionally sharing detected malware samples with
Microsoft, you improve Windows Defender and contribute to better security worldwide.
Exclusions Instructing Windows Defender not to scan certain files or folders is a risky
proposition, but can improve scanning performance if you are certain those files are safe. Keep
exclusions narrow and review them regularly; adding broad exclusions is a standard attacker
step after gaining administrative access, so a change to the exclusion list is itself worth
alerting on.
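The four Settings-app options above set through the Defender PowerShell module, with a detection check using the EICAR test file (a harmless, industry-standard string that every antivirus engine recognizes) and a status read-out. This is an added example rather than code from the original; the exclusion path D:\SQLData and the process name are assumptions used only to show the syntax.

```powershell
# Added example: configure the Windows Defender options shown in the Settings app with
# the Defender module, then verify that real-time protection actually works.
# Exclusion paths are assumptions.
Import-Module Defender

# Real-time protection on, cloud lookups (MAPS) at the Advanced level, and automatic
# submission limited to samples Microsoft classifies as safe to send.
Set-MpPreference -DisableRealtimeMonitoring $false `
                 -MAPSReporting Advanced `
                 -SubmitSamplesConsent SendSafeSamples

# Exclusions: few and specific. Excluding a whole volume or a temp folder is a common
# post-compromise move, so audit the list as part of monitoring.
Add-MpPreference -ExclusionPath 'D:\SQLData' -ExclusionProcess 'sqlservr.exe'
(Get-MpPreference).ExclusionPath
(Get-MpPreference).ExclusionProcess

Update-MpSignature

# Detection test: writing the EICAR string should be blocked or quarantined immediately.
function Test-RealtimeProtection {
    $path  = Join-Path $env:TEMP 'eicar.com'
    $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    try { [IO.File]::WriteAllText($path, $eicar) } catch { }   # the write itself may be denied
    Start-Sleep -Seconds 5
    $hit = Get-MpThreatDetection |
           Where-Object { $_.Resources -match 'eicar' } |
           Sort-Object InitialDetectionTime -Descending | Select-Object -First 1
    [pscustomobject]@{
        FileStillPresent = Test-Path $path
        Detected         = [bool]$hit
        ThreatId         = $hit.ThreatID
        CleaningAction   = $hit.CleaningActionID   # 2 = Quarantine, 3 = Remove (MSFT_MpThreatDetection)
    }
}
Test-RealtimeProtection

# Overall status: is the service running, how old are the signatures, which engine version.
Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled,
    AntivirusSignatureLastUpdated, AntivirusSignatureAge, AMEngineVersion
```

If Test-RealtimeProtection reports Detected = False with the file still present, real-time protection is off, the temp folder is excluded, or another product has registered itself as the active antivirus; Get-MpComputerStatus shows which.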
Configure User Rights Assignment group policies
To configure user rights assignments and other Group Policy settings for your servers, you create
a Group Policy Object (GPO) and link it to an OU containing the AD objects (computers or users)
that you want to configure. Any objects you then place in that OU receive the settings from the
GPO.
To create and link a GPO, use the following procedure:

 Open the Group Policy Management console on a domain controller or on a workstation
with Remote Server Administration Tools installed.
 Browse to your domain and expand it.
 Right-click the Group Policy Objects folder and, in the context menu that appears, select
New. A New GPO dialog box appears.
 Specify a name for the new GPO and click OK. The new GPO appears in the right pane.
 Right-click the new GPO and, in the context menu that appears, click Edit. A Group
Policy Management Editor window appears, in which you configure the settings. Configuring
and testing the GPO before linking it prevents a half-built policy from reaching production
computers at the next refresh.
 In the left pane, browse to the OU you want to link to the GPO.
 Right-click the OU and, in the context menu that appears, select Link an Existing GPO. A
Select GPO dialog box appears.
 Select the GPO you just created and configured and click OK. The GPO appears on the
OU's Linked Group Policy Objects tab.
In the Group Policy Management Editor, you can browse through the structure of the GPO,
which contains hundreds of settings that you can configure. For example, to configure user
rights assignment settings for the computers to which the GPO is applied, browse to the
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights
Assignment container, as shown in Figure.

User rights assignment settings in a GPO


Configure security options settings in group policy
In addition to the user rights assignments and other settings shown in the previous section, Group
Policy Objects also include a container called Security Options, which has settings that you can
use to harden your workstations and servers.
To configure these settings using the Group Policy Management Editor, browse to the container
at Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security
Options, as shown in the figure.

The Security Options container in a GPO

As with user rights assignment settings, double-clicking a security option setting opens a
Properties sheet, as shown in the figure. However, because security options apply to the entire
computer, not to specific users and groups, there is no account list. Instead, each security option
has the control appropriate to its value type, such as the spin box in this example.
The Properties sheet for a security options setting in a GPO
Settings in the Security Options container are categorized (Accounts, Audit, Devices, Domain
member, Interactive logon, Microsoft network client and server, Network access, Network
security, and so on) to make it easier to locate specific types of settings. The Interactive logon
settings, for example, control the logon behavior you would lock down on a Privileged Access
Workstation (PAW), such as whether the last user name is displayed, the machine inactivity
limit, and whether a smart card is required.
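Both the User Rights Assignment and the Security Options sections above are stored by Group Policy as a security template (the GptTmpl.inf file under the GPO's SYSVOL folder), and the same template format can be exported, reviewed and applied locally with secedit. This added example, which is not from the original text and serves both sections, exports the effective policy, lists who holds the rights that matter most for privilege escalation, and then applies a small hardening template. The Tier-model choice of denying Domain Admins network and RDP logon is meant for a member server, not a domain controller; the registry values and time-out are assumptions for illustration, while the two SIDs S-1-5-32-544 (Administrators) and S-1-5-32-555 (Remote Desktop Users) are well-known.

```powershell
# Added example: review and apply User Rights Assignment and Security Options with a
# security template (the [Privilege Rights] / [Registry Values] sections that a GPO keeps
# in GptTmpl.inf). Values are assumptions; the built-in SIDs are well-known.
Import-Module ActiveDirectory
$work = Join-Path $env:TEMP 'secpol'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Export the effective local policy and show who holds the dangerous rights.
secedit /export /cfg "$work\current.inf" /areas USER_RIGHTS SECURITYPOLICY /quiet
function Get-PrivilegeHolder {
    param([string]$InfPath)
    $watch = 'SeDebugPrivilege', 'SeTcbPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
             'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeImpersonatePrivilege',
             'SeRemoteInteractiveLogonRight', 'SeNetworkLogonRight'
    Get-Content $InfPath | ForEach-Object {
        if ($_ -notmatch '^(Se\w+)\s*=\s*(.*)$') { return }
        $right, $holders = $Matches[1], $Matches[2]
        if ($right -notin $watch) { return }
        $names = foreach ($h in $holders -split ',') {
            $h = $h.Trim()
            if ($h.StartsWith('*')) {   # "*S-1-5-..." entries are SIDs; resolve them to names
                try { ([System.Security.Principal.SecurityIdentifier]$h.Substring(1)).Translate(
                          [System.Security.Principal.NTAccount]).Value } catch { $h }
            } else { $h }
        }
        [pscustomobject]@{ Right = $right; Holders = ($names -join '; ') }
    }
}
Get-PrivilegeHolder "$work\current.inf" | Format-Table -AutoSize

# 2. Hardening template: tier separation for logon rights plus selected Security Options.
#    On a member server, deny Domain Admins network and RDP logon so their credentials
#    are never exposed on lower-tier hosts. Registry value types: 4 = REG_DWORD.
$da = (Get-ADGroup 'Domain Admins').SID.Value
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyNetworkLogonRight = *$da
SeDenyRemoteInteractiveLogonRight = *$da
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs=4,900
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
"@ | Set-Content "$work\harden.inf" -Encoding Unicode

secedit /configure /db "$work\harden.sdb" /cfg "$work\harden.inf" /areas USER_RIGHTS SECURITYPOLICY /quiet

# 3. Re-export and diff, so the change is recorded rather than assumed.
secedit /export /cfg "$work\after.inf" /areas USER_RIGHTS SECURITYPOLICY /quiet
Compare-Object (Get-PrivilegeHolder "$work\current.inf") (Get-PrivilegeHolder "$work\after.inf") `
    -Property Right, Holders

# The same template content is what the Group Policy Management Editor writes to
# \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# when you set these entries under Security Settings, so a GPO applies it domain-wide.
```

Settings applied locally with secedit are overwritten at the next Group Policy refresh by whatever the linked GPOs define, which makes the local route good for testing a template on one server and the GPO route the one to use for production.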
