There are always situations in which the system administrator must perform a task on a Windows Server 2003 server but is currently not physically located near the server console. In some cases, the system administrator is not located in the same part of the building as the server room or may even be located in a different country! Microsoft has included several tools for remotely managing servers with Windows Server 2003. These tools allow the system administrator to perform system management tasks as though he or she were physically sitting in front of the console of each server in the organization. Knowing which tool to use in specific situations allows you to be more effective as a system administrator.

The Microsoft Management Console: Where Management Begins
In Chapter 1, "Windows Server 2003 Environment," we introduced the Microsoft Management Console (MMC) and showed you how to add additional snap-ins to create a custom console. However, the real beauty of the MMC snap-in administrative tools is that they don't limit you to managing only the local machine you are working on. As you saw when working with the Shared Folders snap-in in Chapter 4, "Managing and Maintaining Access to Resources," by selecting Connect to Another Computer, you can connect the tool to a remote computer and perform the administrative tasks as though you were sitting at the system console. This allows you not only to manage all your servers from one server but to manage either servers or workstations from any Windows 2000 or later computer by starting the appropriate MMC and snap-ins. In the following challenge exercise, we review some of the things we have looked at in the previous chapters to refresh your memory and prepare you for the rest of the chapter.
If the user has the proper permissions, she can use any computer in the Windows 2000/2003/XP family to manage other family members via the Computer Management MMC. For example, a Windows 2000 Professional computer can be used to manage a Windows Server 2003 or Windows XP Professional computer. Only the features supported on the remote computer are available in the Computer Management MMC. For example, if you are using a Windows Server 2003 computer to manage a Windows XP Professional computer, the selection for RAID-5 within the Disk Management snap-in is not available because it is not supported on the remote computer, which in this case is Windows XP Professional. You can access the rest of the tools that appear in this book either through their own administrative tools or by creating a custom MMC and adding their respective snap-ins. A good example of an MMC with a variety of snap-ins included is the Computer Management MMC. The purpose of the Computer Management MMC is to group together a selection of Windows utilities in a single MMC that can be connected to either the local computer or a remote computer. We have used the Computer Management MMC to access various snap-ins in the previous chapters, but we haven't taken the time to examine it yet. The Computer Management MMC comes prepopulated with the most commonly used administrative tools:
As you can see, using the Computer Management MMC, you can perform tasks such as adding and managing disks, adding shared folders, and stopping and starting services on local or remote computers.

Note: Administrative Tools
By running adminpak.msi, you can add additional MMC-based tools to manage your domain. For a Step by Step on how to accomplish this, see Chapter 1.

In addition to the capabilities mentioned previously, the MMC can be used to manage tasks simultaneously on multiple remote computers. That is the scenario used in the Challenge Exercise.
There are many advantages to using the MMC for server management. For example, as you have seen in this Challenge Exercise, you can manage multiple instances of the same or different tools connected to multiple servers, all within a single MMC. Moving from server to server or tool to tool is as simple as clicking the mouse.

Administrative Groups

However, not every user can manage a server. For security (and common sense) reasons, it is best to limit the number and scope of users who have management access to the servers on your network. As was covered briefly in Chapter 3, "Managing Groups," the following domain local groups can be used to delegate various management tasks on your network:
Users should always be assigned to the group that gives them the minimum permissions and rights necessary to perform their duties. This improves the security of the domain and prevents users from performing unauthorized functions.

Remote Desktop for Administration
The basic functionality of the Remote Desktop for Administration feature has been available for some time from other vendors, such as Citrix, and even from Microsoft, as Windows Terminal Services. Terminal Services is available in two modes: Remote Desktop for Administration (formerly called Remote Administration mode) and Application Server mode. Application Server mode configures the Windows Server 2003 machine to operate similarly to the previous version, Windows NT Terminal Server 4.0. Remote Desktop for Administration mode is used to provide remote server management. Unlike in Windows 2000, where the Remote Administration mode was an option, the Remote Desktop for Administration mode is automatically installed in Windows Server 2003. However, incoming connections are disabled by default.

Note: More Info on Terminal Services Modes
For a detailed discussion of Windows Server 2003 Terminal Services in Application Server mode, see Chapter 11, "Managing and Maintaining Terminal Services."

Terminal Services in Remote Desktop for Administration Mode

As mentioned previously, the Terminal Services (TS) Remote Administration mode was first available in Windows 2000. The previous versions of Windows Server and Windows Terminal Services did not have this feature. With Windows Server 2003 Terminal Services in Remote Desktop for Administration mode, you are allowed two concurrent sessions, plus a console session to the Windows server. These sessions can be used to remotely access any programs or data on the server. The console session takes over the physical console of the server. In the past, a lot of tools and applications could not be run via a Terminal Services session because they were written to interact directly with "session 0," the physical server console. Also, most system messages are automatically routed to the console, so if you are managing the server remotely through an ordinary session and a pop-up error message appears on the console, you won't be able to see it.
Using the Terminal Services client is just like working on the server console. The Remote Desktop for Administration mode allows you to have two concurrent TS sessions without any additional Client Access Licenses required. The beauty of the Remote Desktop for Administration mode is that it allows you to manage your server from just about anywhere and from just about any computer. Because the TS client is supported on a variety of Windows clients, including Windows CE, you can load the client on any Windows box that you have available and manage your server. Imagine managing your server from your Pocket PC! Like the tools discussed in the previous section, Remote Desktop enables you to open a session on a remote Windows Server 2003 machine and run applications as though you were physically sitting at the console of the remote machine. In addition, because the Remote Desktop Protocol (RDP) connection between the server and the client requires a minimum of bandwidth, you are not limited to having a high-speed LAN connection. The Terminal Services client can access the servers via a dial-up connection, the Internet, or even a wireless connection. With this feature, you can connect to your Windows Server 2003 servers from home or a hotel room and have full access to all your applications, files, and other network resources.

Exam Alert: Required Port
If the RDP client is connecting to a server through a firewall, port 3389 must be open. This is important to know in the field, and for the exam.

To use Remote Desktop, you must enable it on your server and grant access to the appropriate users and groups by following the procedure in Step by Step 5.1.
These steps configure Windows Server 2003 to accept incoming connections. The Windows Server 2003 Remote Desktop Connection (RDC) client can be installed on any version of Windows from Windows 95 and later. To install the client, insert the Windows Server 2003 CD-ROM into the client machine's CD-ROM drive. When the Welcome page appears, click Perform Additional Tasks and then click Set Up Remote Desktop Connection.

Note: Using Older Clients
Windows Server 2003 also supports connections from the older Windows Terminal Services clients, so you can use the 16-bit client from a Windows 3.1 machine, if you still have one. However, some of the newer features, such as device redirection, are not available. Citrix clients are not supported because they use the Independent Computing Architecture (ICA) protocol instead of the RDP used with the RDC client. The Windows XP version of the client, which is supported on Windows 95 and later, is available at http://www.microsoft.com/downloads/details.aspx?FamilyID=80111f21-d48d-426e-96c2-08aa2bd23a49&DisplayLang=en.

To connect to your Windows Server 2003 server remotely, start the RDP client on the remote computer. This computer must have a connection of some kind to the other computer: LAN, WAN, VPN, or dial-up. Enter the IP address or the name of the remote computer and then click the Connect button. Enter the username and password, and you're in!

Note: Connecting to the Console
To specifically connect to the console session of a Windows Server 2003 server, type mstsc /console on the command line.

Remote Desktops Snap-In

The Remote Desktops snap-in is useful for those situations when you need to remotely manage or monitor several Windows Server 2003 servers. This snap-in allows you to be connected concurrently to the RDC sessions of multiple servers. Each session can be given focus by selecting it via a navigable tree interface. Step by Step 5.2 walks you through connecting to multiple remote computers using the Remote Desktops snap-in.
You can switch between multiple remote sessions by clicking the entry in the left pane of the MMC. By creating multiple custom MMCs, you can have several Remote Desktops MMCs that are preconfigured to connect to different groups of servers.

Remote Assistance
Diagnosing a computer problem can be difficult if you are not sitting in front of the computer. The Windows Server 2003 Remote Assistance feature enables you to grant a friend or a help desk operator permission to connect to your computer and assist you with a problem. Your computer must have a connection of some kind to the other computer, such as a LAN, WAN, VPN, or dial-up connection. The Remote Assistance function is similar to the Remote Desktop function in that it allows a remote user to connect to your Windows Server 2003 machine. Remote Desktop, however, is designed to allow you to run applications remotely on your computer, whereas Remote Assistance is designed to allow a remote user to join your running session and help you determine the cause of a problem with that session. Remote Assistance is more of a remote-control tool, similar to PCAnywhere. Remote Assistance allows you to exchange messages via a chat session, or you can talk to the other user if you both have the required sound cards and microphones. You can even grant the remote user the ability to take over your desktop to make changes and run programs. The Remote Assistance feature was first available on Windows XP Professional and XP Home Edition. Unlike in Windows XP, it is disabled by default in Windows Server 2003. To use Remote Assistance, you must enable it on your server by following the procedure in Step by Step 5.3.
After enabling Remote Assistance, you must issue an invitation before another user can connect to your machine. This invitation can be sent to the other user via one of the following methods:
The invitation is an encrypted ticket used to grant the remote user access to the Windows Server 2003 server. The remote user must have the ticket and a password to be permitted access. You can send the password separately by email (not recommended), instant messaging, or telephone. By default, the invitation is good for 30 days, but you should probably change it to 24 hours or less.
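As an added example (not part of the chapter, and not Microsoft's code), the following Python script audits a saved Remote Assistance invitation against the 24-hour lifetime recommended above, reporting whether the ticket is already expired or was issued with too long a lifetime. It assumes the layout of the saved .msrcincident ticket (UPLOADINFO/UPLOADDATA elements, DtStart as Unix seconds, DtLength in minutes, and the RCTICKET field carrying the address:port list); the sample ticket and every value in it are constructed.

```python
import time
import xml.etree.ElementTree as ET

# Constructed sample .msrcincident ticket. The element and attribute names
# (UPLOADINFO/UPLOADDATA, DtStart as Unix seconds, DtLength in minutes) are
# assumptions about the ticket layout; all values are made up. DtLength=43200
# minutes is the 30-day default lifetime the chapter describes.
SAMPLE_INVITATION = """<?xml version="1.0"?>
<UPLOADINFO TYPE="Escalated">
<UPLOADDATA USERNAME="srv01-admin"
 RCTICKET="65538,1,10.0.0.5:3389;srv01:3389,*,*,*"
 RCTICKETENCRYPTED="1" DtStart="1700000000" DtLength="43200"
 PassStub="placeholder" L="0"/>
</UPLOADINFO>"""

MAX_LIFETIME_SECONDS = 24 * 60 * 60  # the 24-hour ceiling recommended in the text


def parse_invitation(xml_text):
    """Return (username, start_epoch, lifetime_seconds, endpoints) for a ticket."""
    data = ET.fromstring(xml_text).find("UPLOADDATA")
    if data is None:
        raise ValueError("invitation has no UPLOADDATA element")
    start = int(data.get("DtStart"))
    lifetime = int(data.get("DtLength")) * 60  # DtLength assumed to be minutes
    # The third comma-separated RCTICKET field is assumed to list the
    # "address:port" pairs the helper will connect to, separated by ';'.
    fields = data.get("RCTICKET", "").split(",")
    endpoints = fields[2].split(";") if len(fields) > 2 else []
    return data.get("USERNAME"), start, lifetime, endpoints


def audit_invitation(xml_text, now=None):
    """Classify a ticket as 'expired', 'too-long' (over 24 h) or 'ok'."""
    now = time.time() if now is None else now
    _, start, lifetime, _ = parse_invitation(xml_text)
    if now >= start + lifetime:
        return "expired"
    if lifetime > MAX_LIFETIME_SECONDS:
        return "too-long"
    return "ok"


if __name__ == "__main__":
    user, start, lifetime, endpoints = parse_invitation(SAMPLE_INVITATION)
    print(f"{user}: valid {lifetime // 3600} h from {time.ctime(start)} via {endpoints}")
    print("verdict:", audit_invitation(SAMPLE_INVITATION))
```

Run it over the .msrcincident files on a share to find invitations that outlive the 24-hour limit; a ticket that is still valid but was issued for the 30-day default is reported as too-long.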
An example of when the Remote Assistance feature comes in handy is if you are having a problem on a Windows Server 2003 server and you require assistance from a support person. You can allow the support person to view your activities on the server console. The first step in this process is to create an invitation for the support person. To create an invitation, perform the procedure outlined in Step by Step 5.4.
The invitation has been saved to a file. This file can be emailed, saved to a disk and carried to a remote user, or copied to a network share. The user from whom you have requested assistance must be running a version of Windows XP or Windows Server 2003. To respond to an invitation, perform the procedure outlined in Step by Step 5.5.
If the assisting user needs to take over your machine, he can click the Take Control icon on his toolbar. You are prompted as to whether you want this to happen. You can both share control of the desktop until you press the Esc key. When you're finished, click the Disconnect button on the Remote Assistance dialog box (see Figure 5.6).

Figure 5.6. Remote Assistance, showing the view from the assisted desktop.

Of course, allowing someone to take over your machine requires a great amount of trust. Don't open this feature to anyone you don't know! Make sure your invitations always require a password, which should not be sent with the invitations, and keep your invitation durations as short as possible.

Problems with Remote Assistance

If you are accessing a Remote Assistance computer that is behind a firewall, port 3389 must be open. Table 5.2 lists some common connection scenarios.
For more information on the Remote Assistance feature, consult Microsoft Knowledge Base Article Q301529, "Supported Connection Scenarios for Remote Assistance," or Article Q306298, "Description of the Windows Messenger Reverse Connection Process Used by Remote Assistance."