Server management is the process of monitoring and maintaining servers to operate at peak
performance. Server management also encompasses the management of hardware, software,
security, and backups. The primary goals of an effective server management strategy are to:
Server management basics include management of hardware, software, security, and backups.
The following are important elements of effective server management in any IT strategy or
software solution.
Hardware Management
Central Processing Unit (CPU): The CPU is the brains of a server, performing all the
calculations to make programs run. CPUs should be constantly monitored to avoid overuse. A
CPU running close to 100% utilization for an extended period is overtaxed, meaning there’s no
excess capacity for users to perform additional tasks, risking everything depending on the server
slowing to a crawl. To deal with an overused CPU, you may need to upgrade the chip, add more
CPUs, or halt unnecessary programs taking up system resources. A more complex option is
tuning the performance of other system elements to put less stress on the CPU.
Random Access Memory (RAM): RAM is a server’s working memory. This form of temporary
storage runs faster than permanent hard disks. Programs running from RAM will perform better
given this speed advantage.
Hard Drive: The hard drive (also referred to as a hard disk) is a server’s permanent storage.
Programs and data are saved here even when the machine is shut down. Performance can
degrade when a hard drive nears maximum capacity.
CPU Temperature: Servers can generate a great deal of heat. Most physical servers come with
wired thermometers to help you gauge whether the CPU temperature is in the normal range. If
the CPU temperature gets too high, shut down the server immediately and assess the problem.
Operating Environment: In addition to the internal temperature of a server, you should also pay
attention to the operating environment where the server is located. A server room must be kept at
the proper temperature and humidity—with air flows maintained—for peak server performance
and reliability.
Software Management
Just like hardware, server software needs monitoring and regular maintenance. Make sure you
understand the software dependencies within your infrastructure, so you can better locate and
tune any performance issues.
Also, remember to use basic best practices with application management—existing software,
firmware, and operating systems should be regularly updated for both performance and security,
as poor performance can drag down other parts of the system and potentially create
vulnerabilities that cyber attackers can use to enter your network. It’s also good practice to
uninstall old software you’re no longer using.
Security
An important component to server management is maintaining a secure network. These security
policies can differ depending on the needs and industry type of the business. Common server
security solutions include:
Backups
Your final responsibility in effective server management is taking regular backups. Losing
important data can be a disaster for any enterprise. Fortunately, several robust backup solutions
are available in the marketplace, including server backup software to support both physical and
virtual servers.
The server’s power supply should also have a backup, so data isn’t lost during a power outage.
There are also tools to let you quickly perform and automate backups and recoveries in addition
to easily monitoring backup status to avoid potential data loss.
Remote Server administration
RSAT (Remote Server Administration Tools) is a Windows Server component for remote
management of other computers also running that operating system. RSAT was introduced in
Windows Server 2008 R2.
Remote server access is the capability to access a computer or a network remotely with the help
of a network connection. It allows users to access the system they need when they can’t be
available physically for connecting.
To put it simply, users access the systems remotely through a telecommunications or internet
connection. Remote Access Services are also used effectively by organizations for connecting
internal networks and systems.
Windows servers and clients support two types of remote desktop control without the use of
third-party applications:
Remote Assistance
Remote Desktop Services
Both are addressed in this section briefly, and Remote Desktop Services is covered in greater
detail in the section of this chapter titled “Understanding Remote Desktop Services.” This
section also addresses virtual private networks and the roles they play in remote access.
Remote Desktop Services (RDS) is the new version of Terminal Services. Terminal Services was
initially released as a special version of Windows NT 4.0 Server in the 1990s. It remained as a
feature of Windows Server through Windows Server 2003 R2. With the release of Windows
Server 2008, the technology was renamed to Remote Desktop Services even though the core
usage and functionality did not change. RDS provides the service that allows administrators to
access Desktops from remote locations and allows users to access virtual desktops and virtual
applications in the enterprise. This section explains important topics you should understand in
order to plan for the use of RDS in an organization.
The first thing you should understand is the difference between what Microsoft calls Remote
Desktop and Remote Desktop Services. Remote Desktop is a feature built-into Windows servers
and clients that allows administrators to connect to a machine and manage it from a remote client
using the Remote Desktop Client software. Remote Desktop is not intended for users to gain
access to applications on servers. Remote Desktop does not require additional licensing because
it is intended to be used only for support purposes and not for running applications from remote
computers. It uses the same RDP protocol as Remote Desktop Services, but it is much simpler to
enable and configure.
Remote Desktop Services enables hundreds of users to access applications running on Windows
servers. For example, with Remote Desktop Services, users can run Microsoft Office from the
server. However, Remote Desktop Services can also be used to allow administrators to access
various administration tools from remote locations. In summary, Remote Desktop
Services allows everything Remote Desktop allows, and it allows multiple users to access it
simultaneously.
To enable Remote Desktop on a Windows Server 2008 or R2 server, follow
this procedure:
After enabling Remote Desktop on the server, you can connect to it from a Windows client using
the Remote Desktop Connection application and the following procedure:
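Enabling Remote Desktop for administration from PowerShell, as an added example that is not part of the original text: it allows connections, requires Network Level Authentication, and opens only the built-in "Remote Desktop" firewall rule group, scoped to an assumed management subnet.

```powershell
# Added example (not from the original text): enable Remote Desktop on a
# Windows Server host for administration, require Network Level
# Authentication (NLA), and open only the predefined firewall rule group.
# Run in an elevated PowerShell session on the server itself.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 allows incoming Remote Desktop connections.
Set-ItemProperty -Path $tsKey -Name 'fDenyTSConnections' -Value 0 -Type DWord

# UserAuthentication = 1 requires NLA: the client must authenticate before
# a session (and the logon screen) is created on the server.
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

# Enable the predefined rule group instead of writing a broad
# "allow TCP 3389 from anywhere" rule.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Restrict the inbound rules to a management subnet (assumed address range).
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress '10.0.100.0/24'

# Verify the resulting state.
Get-ItemProperty -Path $tsKey  -Name 'fDenyTSConnections'
Get-ItemProperty -Path $rdpTcp -Name 'UserAuthentication'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Select-Object DisplayName, Enabled, Direction, Profile
```

From a client, `mstsc /v:<servername>` then opens the Remote Desktop Connection session the text refers to.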
Delegating control
Delegation allows you to provide some AD management tasks to common domain users without
making them the members of the privileged domain groups, like Domain Admins, Account
Operators, etc. For example, you can use delegation to grant a certain AD security group (say,
Helpdesk) the permissions to add users to groups, to create new users in AD and to reset account
passwords.
To delegate privileges in AD the Delegation of Control Wizard in Active Directory Users and
Computers (DSA.msc) is used.
You can delegate administrative privileges in AD on a quite detailed level. You can grant one
group the permissions to reset passwords in the OU, another one – to create and delete accounts,
and the third one – to reset passwords. You can configure permission inheritance for the nested
OUs. Privileges can be delegated on the following domain levels:
AD site;
The whole domain;
A specific Organizational Unit (OU) in Active Directory.
Usually it is not recommended to delegate control directly to a user account. Create a new
security group in AD instead, add a user to it and delegate permissions on an OU to the group. If
you want to grant the same privileges to another user, just add them to this security group.
Run the Active Directory Users and Computers (dsa.msc) console, right-click the OU with
the users and select the Delegate Control menu item.
Select one of the preconfigured sets of privileges (Delegate the following common tasks), or
create your own delegation task (Create a custom task to delegate). I will select the second
option.
Select the type of AD objects on which you want to grant administrative privileges. Since
we want to grant control over user accounts, select the User Object item. If you want to
provide permissions to create or delete users in the OU, select the options Create/Delete
selected objects in this folder. In our example we don’t grant these privileges.
In the list of permissions you need to select those you want to delegate. In our example,
we’ll select the privileges to unlock account (Read lockoutTime and Write lockoutTime)
and to reset a password (Reset password).
Click Next, and confirm the delegation of the selected permissions.
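The same delegation done with the ActiveDirectory module, as an added example that is not part of the original text: it grants an assumed "Helpdesk" group the Reset Password right and read/write on lockoutTime for user objects under an assumed OU, which is what the wizard steps above select.

```powershell
# Added example (not from the original text): delegate "reset password" and
# "unlock account" (read/write lockoutTime) on user objects in one OU to a
# security group, the way the Delegation of Control Wizard steps above do.
# Group name and OU distinguished name are assumed values.
Import-Module ActiveDirectory

$ouDN  = 'OU=Staff,DC=corp,DC=example'     # assumed OU
$group = Get-ADGroup 'Helpdesk'            # assumed group
$sid   = $group.SID

# Schema GUIDs fixed in the default AD schema.
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user objectClass
$resetPwdRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password control access right
$lockoutTime   = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # lockoutTime attribute

$acl = Get-Acl -Path "AD:\$ouDN"

# Apply to descendant user objects only, not to the OU object itself.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Reset password: an extended right, limited to objects of class "user".
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, 'ExtendedRight', 'Allow', $resetPwdRight, $inherit, $userClass))

# Read and write lockoutTime so the group can unlock accounts.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, 'ReadProperty, WriteProperty', 'Allow', $lockoutTime, $inherit, $userClass))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list the ACEs now granted to the group on this OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*\Helpdesk' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Because the rights are granted to the group rather than to a user, adding a user to Helpdesk is all that is needed to give them the same privileges, as the text recommends.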
This part explains how to create a Group Policy in Windows Server 2016. First, open the
Group Policy Management console from Server Manager. Using GPM, we can assign
various policies to Organizational Units (OUs). The following is a simple example of creating a GPO.
Right-click the domain name and click Create a GPO in this domain, and Link it here.
Give the new GPO a name (here, Information Security) and click OK.
Click the GPO and then click Settings to check which policies are enabled.
Block Inheritance Group Policy
Block Inheritance stops the policies linked at the parent (the domain or a parent Organizational
Unit) from applying to the OU; no inherited policy is applied to an OU with blocked inheritance.
For example, right-click the Organizational Unit and click Block Inheritance.
Link Enabled means that the group policy is linked to the OU, so the policy applies to the objects
within the OU. Right-click the GPO and select Link Enabled.
By default, Group Policy refreshes every 90 minutes: the client contacts Active Directory every
90 minutes to check whether any policies have changed, and applies any changed or new policies
that are applicable to that particular client. If you want to update immediately, run
gpupdate /force on the client, which checks for and applies the changes.
Implement patch management strategy
Windows Server 2016 is equipped with a Windows Update client that automatically downloads
operating system updates from Microsoft’s web servers and installs them. By enabling an
optional setting, you can enable Windows Update to download updates for other Microsoft
products as well.
The simplest software update strategy you can implement on a network is to simply let Windows
Update run using its default settings. The client typically downloads and installs updates about
once a month. However, in an enterprise environment, this practice can result in some problems,
including the following:
Bandwidth Utilization Each computer running the Windows Update client downloads its own
copy of every update from the Microsoft servers on the Internet. A large network can therefore
consume a huge amount of Internet bandwidth downloading hundreds of copies of the same files.
Update Approval The Windows Update client defaults do not provide users or administrators
with an opportunity to evaluate the updates before it installs them. You can specify a time during
which the system will reboot, if it is necessary, but this would require someone to manage each
computer individually.
Compliance The default Windows Update configuration provides no means for administrators to
confirm that the client has successfully installed all the required updates, except to
examine the Update History on each computer individually.
On all but the smallest networks, the Windows Update client with its default settings is not a
reliable update solution. To address these problems, you can design an alternative update
deployment strategy for your network, using Group Policy settings and Windows Server Update
Services (WSUS).
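The Group Policy operations described earlier (create, link, block inheritance, Link Enabled) combined with the Group Policy settings that redirect Windows Update clients to a WSUS server, as an added example that is not part of the original text; the domain, OU and WSUS URL are assumed.

```powershell
# Added example (not from the original text): create and link the
# "Information Security" GPO from the Group Policy section, use it to point
# Windows Update clients at an internal WSUS server, then perform the
# Block Inheritance and Link Enabled operations. Names and URL are assumed.
Import-Module GroupPolicy

$domainDN = 'DC=corp,DC=example'              # assumed domain
$ouDN     = "OU=Servers,$domainDN"            # assumed OU
$wsusUrl  = 'https://wsus.corp.example:8531'  # assumed WSUS URL (SSL port)

# "Create a GPO in this domain, and Link it here" at the domain root.
$gpo = New-GPO -Name 'Information Security' -Comment 'Windows Update via WSUS'
New-GPLink -Name $gpo.DisplayName -Target $domainDN -LinkEnabled Yes | Out-Null

# Policy values under HKLM\Software\Policies\...\WindowsUpdate make the
# Windows Update client use the WSUS server instead of Microsoft Update.
$wuKey = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
Set-GPRegistryValue -Name $gpo.DisplayName -Key $wuKey `
    -ValueName 'WUServer' -Type String -Value $wsusUrl | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key $wuKey `
    -ValueName 'WUStatusServer' -Type String -Value $wsusUrl | Out-Null
Set-GPRegistryValue -Name $gpo.DisplayName -Key "$wuKey\AU" `
    -ValueName 'UseWUServer' -Type DWord -Value 1 | Out-Null
# AUOptions 3 = auto download, notify for install; approval happens on the
# WSUS server, so updates are not installed the moment Microsoft publishes them.
Set-GPRegistryValue -Name $gpo.DisplayName -Key "$wuKey\AU" `
    -ValueName 'AUOptions' -Type DWord -Value 3 | Out-Null

# Block inheritance on an OU that must not receive domain-level policies...
Set-GPInheritance -Target $ouDN -IsBlocked Yes | Out-Null
# ...and (re)confirm that the link at the domain root is enabled.
Set-GPLink -Name $gpo.DisplayName -Target $domainDN -LinkEnabled Yes | Out-Null

# Review what the GPO sets (the equivalent of the Settings tab in GPMC).
Get-GPRegistryValue -Name $gpo.DisplayName -Key $wuKey
Get-GPRegistryValue -Name $gpo.DisplayName -Key "$wuKey\AU"
```

On a client, `gpupdate /force` applies the new policy without waiting for the 90-minute refresh.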
WSUS architectures
Windows Server Update Services (WSUS) is a role included in Windows Server 2016 that
enables a local server on your network to function as the back end for the Windows Update
client, just as the Microsoft Update servers do on the Internet.
After installing a WSUS server, you can use it to supply updates to all the other servers
and workstations on your network. WSUS downloads all new updates from the Microsoft
Update servers on the Internet, and your other computers download the updates from the
WSUS server. This way, you are only paying for the bandwidth needed to download one
copy of every update.
Single WSUS Server A single WSUS server downloads updates from the Microsoft Update
website and all the other computers on the network download the updates from that WSUS
server, as shown in Figure 6-1. A single WSUS server can support as many as 25,000 clients, so
this configuration is suitable for most enterprise networks.
Replica WSUS Servers One central WSUS server downloads updates from the Microsoft
Update site on the Internet. Administrators at that central site evaluate and approve the
downloaded updates, and WSUS servers at remote locations—called downstream servers—
obtain the approved updates from that first server, as shown in Figure 6-2. Intended for networks
with well-connected branch offices, this arrangement enables clients to access their updates from
a local source, minimizes the Internet bandwidth used, and enables the administrators of the
central server to manage the updates for the entire enterprise.
Autonomous WSUS Servers Like the replica WSUS server architecture, except that the remote
WSUS servers download all available updates from the central server, and administrators at each
site are responsible for evaluating and approving updates for their own users.
Low-bandwidth WSUS Servers WSUS servers at remote sites download only the list of
approved updates from the central WSUS server, without downloading the updates themselves.
The remote servers then download the approved updates from the Microsoft Update servers on
the Internet, using their relatively fast Internet connection to do so. This arrangement enables
remote sites with low-bandwidth or metered Wide Area Network (WAN) connections to the
main office to minimize WAN traffic.
Disconnected WSUS Servers Administrators at the main office save the updates to an offline
medium, such as portable drives or DVD-ROMs, and ship them to the remote sites, where other
administrators import them for deployment. This enables the main office administrators to
exercise control over the update process while utilizing no WAN or Internet bandwidth.
WSUS role Installation
WSUS storage
The Content Location Selection page, as shown in Figure, appears in the Add Roles and Features
Wizard. On this page, you can specify whether you want to store downloaded updates on the
server’s local NTFS drive. The Store Updates In the Following Location checkbox is selected by
default, and you can specify the drive and folder where you want the server to store the update
files.
The Content Location Selection page in the Add Roles and Features Wizard.
Synchronize From Microsoft Update Configures the server to download all update information
and updates from the Microsoft Update servers on the Internet. Use this option for single server
WSUS implementations or for the first WSUS server you install at the top of a WSUS hierarchy.
Configures the server to download all update information from another WSUS server on your
network. Use this option to create the lower levels of a WSUS server hierarchy on your network.
When you select this option, as shown in Figure, you must specify the name and port number for
an upstream WSUS server on your network and specify whether the connection between the
servers should use SSL encryption. Select the This Is A Replica Of The Upstream Server
checkbox to download only the updates approved at the upstream server.
The Choose Upstream Server page in the Windows Server Update Services Configuration
Wizard
3. On the Specify Proxy Server page, select the Use A Proxy Server When Synchronizing
checkbox if the server requires a proxy server to access the Internet or the upstream server you
specified. Then, specify the proxy server name and port number, as well as the credentials
needed to access the proxy server, if necessary.
4. On the Connect to Upstream Server page, click Start Connecting to access the upstream server
you selected and download information about the available updates. This process is called
synchronization in WSUS.
5. By default, WSUS downloads updates in all available languages, which can consume a lot of
unnecessary bandwidth and disk space. On the Choose Languages page, shown in Figure, you
can select the Download Updates Only In These Languages option and specify which languages
your WSUS clients use. This configures the WSUS server to download updates only in the
selected languages.
6. On the Choose Products page, shown in Figure, you select the Microsoft products and versions
for which you want to download updates. By default, all the Windows products and versions are
selected. If you do not use some of the selections on your network, you can clear their
checkboxes and save more bandwidth and disk space.
The Choose Products page of the Windows Server Update Services Configuration Wizard
7. On the Choose Classifications page, shown in Figure 6-8, you specify what types of updates
you want the server to download. By default, Critical, Definition, and Security Updates are
selected, as well as Upgrades. You can select other classifications, but be mindful that some of
these classifications, such as the Service Packs for older Windows versions, can be very large.
8. On the Set Sync Schedule page, Synchronize Manually is the default option, requiring you to
start a synchronization to download new updates. You can also select the Synchronize
Automatically option, as shown in figure, to set a scheduled start time and the number of times
each day that synchronization should occur.
The Set Sync Schedule page of the Windows Server Update Services Configuration Wizard
9. On the Finished page, select the Begin Initial Synchronization check box and click Finish.
WSUS begins synchronizing with its upstream server and downloading information about the
updates that are available.
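The configuration wizard steps 2 to 9 performed with the UpdateServices module that ships with the WSUS role, as an added example that is not part of the original text; the proxy name, language and product selection are assumed values for a single-server deployment.

```powershell
# Added example (not from the original text): configure a single WSUS
# server from PowerShell following the wizard steps above. Proxy name,
# language, and product choices are assumed values.
Import-Module UpdateServices

$wsus = Get-WsusServer              # the local WSUS server
$sub  = $wsus.GetSubscription()     # synchronization settings
$cfg  = $wsus.GetConfiguration()    # server configuration

# Step 2: synchronize from Microsoft Update (single server / top of hierarchy).
# A downstream replica would instead use:
#   Set-WsusServerSynchronization -UssServerName <upstream> -PortNumber 8531 -UseSsl -Replica
Set-WsusServerSynchronization -SyncFromMU

# Step 3: proxy server used for synchronization (assumed values).
$cfg.UseProxy        = $true
$cfg.ProxyName       = 'proxy.corp.example'
$cfg.ProxyServerPort = 8080
$cfg.Save()

# Step 5: download updates only in the selected languages.
$langs = New-Object System.Collections.Specialized.StringCollection
[void]$langs.Add('en')
$cfg.AllUpdateLanguagesEnabled = $false
$cfg.SetEnabledUpdateLanguages($langs)
$cfg.Save()

# Step 6: products - only the versions actually on the network (assumed).
Get-WsusProduct | Where-Object { $_.Product.Title -eq 'Windows Server 2016' } |
    Set-WsusProduct

# Step 7: classifications - the defaults the text lists.
Get-WsusClassification | Where-Object {
    $_.Classification.Title -in 'Critical Updates','Definition Updates','Security Updates','Upgrades'
} | Set-WsusClassification

# Step 8: synchronize automatically once a day at 03:00 (UTC).
$sub.SynchronizeAutomatically          = $true
$sub.SynchronizeAutomaticallyTimeOfDay = [TimeSpan]'03:00:00'
$sub.NumberOfSynchronizationsPerDay    = 1
$sub.Save()

# Step 9: begin the initial synchronization and show its status.
$sub.StartSynchronization()
$sub.GetSynchronizationStatus()
```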
Monitor servers for performance evaluation and optimization
Monitor server installations
Server performance can change over time for a variety of reasons. Workloads can change, and so
can hardware components. Part of the server administrator’s job is to track the ongoing
performance of servers, to ensure that they continue to function efficiently. Windows Server
2016 includes tools that you can use for this performance tracking, such as the Performance
Monitor console.
Monitor workloads using Performance Monitor
Performance Monitor is a tool that displays system performance statistics in real time. Using
Performance Monitor, you can display hundreds of different statistics (called performance
counters) and create customized graphs containing any information you choose.
When you open the Performance Monitor console from the Windows Administrative Tools
group, you see an Overview page containing a system summary. Click the Performance Monitor
icon and you see a line graph, updated in real time, showing the current level for the % Processor
Time performance counter, as shown in figure.
1. Open the Performance Monitor console and expand the Data Collector Sets folder.
2. Right-click the User Defined folder and, on the context menu, click New Data
Collector Set. The Create New Data Collector Set Wizard appears, displaying the How
Would You Like To Create This New Data Collector Set page, as shown in figure.
Create This New Data Collector Set page of the Create New Data Collector Set Wizard
3. In the Name text box, type a name for the data collector set. Then, select the Create
Manually (Advanced) option.
4. On the What Type Of Data Do You Want To Include? page, shown in figure, leave the
Create Data Logs option selected and select the Performance Counter check box.
5. On the Which Performance Counters Would You Like To Log page, click Add, to
display the Add Counters dialog box.
6. Select the counters you want to log in the usual manner and click OK. The counters
appear in the Performance Counters box.
7. Select the interval at which Performance Monitor should collect samples.
8. On the Where Would You Like The Data To Be Saved Page, type the name of or
browse to the folder where you want to store the data collector set.
9. On the Create The Data Collector Set page, if the account you are currently using does
not have the privileges needed to gather the log information, click Change to display a
Performance Monitor dialog box in which you can supply alternative credentials.
10. Click Finish.
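The same data collector set created from the command line with logman, plus a live sample of the counters with Get-Counter that flags the sustained high-CPU condition described under Hardware Management; this is an added example, not part of the original text, and the set name, output path and 90% threshold are assumed.

```powershell
# Added example (not from the original text): create a user-defined
# performance counter data collector set with logman (the command-line
# counterpart of the Data Collector Sets folder), then sample the CPU counter
# live and flag sustained near-100% utilization. Name, path and threshold
# are assumed values.
$setName  = 'Baseline'
$outDir   = 'C:\PerfLogs\Baseline'
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\LogicalDisk(_Total)\% Free Space'
)

# Steps 2-8: performance counter log, 15-second sample interval, save
# location, circular binary log capped at 256 MB.
logman create counter $setName -c $counters -si 00:00:15 -o $outDir -f bincirc -max 256
logman start $setName

# Live check: 4 samples 15 s apart; every sample >= 90% counts as overtaxed.
$threshold = 90
$samples = Get-Counter -Counter $counters[0] -SampleInterval 15 -MaxSamples 4
$values  = $samples | ForEach-Object { $_.CounterSamples[0].CookedValue }
$avg     = ($values | Measure-Object -Average).Average
if (($values | Where-Object { $_ -lt $threshold }).Count -eq 0) {
    Write-Warning ("CPU sustained at {0:N1}% over {1} samples: check for runaway processes or add capacity" -f $avg, $values.Count)
} else {
    "Average CPU {0:N1}% over {1} samples" -f $avg, $values.Count
}

# Stop the collector and show its definition and status.
logman stop $setName
logman query $setName
```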
Performance Monitor information collected using a data collector set
Server security
Configuration of Windows Server firewall
Firewall.cpl This opens the Windows Firewall Control Panel.
The following are important Windows Firewall Control Panel elements:
Allow an app or feature through Windows Firewall This option, shown in Figure, gives you
control over basic firewall rules for installed services and applications.
Turn Windows Firewall on or off This option allows you to enable or disable Windows
Firewall for each network location profile.
Advanced settings This option opens the Windows Firewall with Advanced Security console.
Allow or block app traffic in Windows Firewall
The Windows Firewall with Advanced Security console
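The Control Panel actions listed above performed with the NetSecurity cmdlets, as an added example that is not part of the original text: enable the firewall on every profile with a default-deny inbound posture, allow one application, and audit the inbound allow rules. The application path is assumed.

```powershell
# Added example (not from the original text): configure Windows Firewall
# from PowerShell: turn it on for each network location profile, allow one
# app through, block it on Public networks, and list inbound allow rules.
$appPath = 'C:\Program Files\ExampleApp\exampleapp.exe'   # assumed program

# "Turn Windows Firewall on or off" per profile, with default-deny inbound
# and logging of dropped packets for later review.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# "Allow an app or feature through Windows Firewall": tie the rule to the
# program and the Domain profile rather than opening a bare port.
New-NetFirewallRule -DisplayName 'Allow ExampleApp (inbound)' -Direction Inbound `
    -Program $appPath -Action Allow -Profile Domain -Enabled True | Out-Null

# Block the same program on Public networks; block rules take precedence
# over allow rules.
New-NetFirewallRule -DisplayName 'Block ExampleApp on Public' -Direction Inbound `
    -Program $appPath -Action Block -Profile Public | Out-Null

# Audit: every enabled inbound allow rule with its program and local port.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Profile = $_.Profile
            Program = $app.Program
            Port    = $port.LocalPort
        }
    } | Format-Table -AutoSize

Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, LogBlocked
```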