2 Administering Microsoft Windows Server 2003

Exam Objectives in this Chapter:

■ Manage servers remotely
  ❑ Manage a server by using Remote Assistance
  ❑ Manage a server by using Terminal Services remote administration mode
  ❑ Manage a server by using available support tools
■ Troubleshoot Terminal Services
  ❑ Diagnose and resolve issues related to Terminal Services security
  ❑ Diagnose and resolve issues related to client access to Terminal Services

Why This Chapter Matters

Microsoft Windows Server 2003 administrative tools, called snap-ins, enable you to manage user accounts, modify computer software and service settings, install new hardware, and perform many other tasks. The Microsoft Management Console (MMC) provides the framework within which these snap-ins operate. Although the default consoles delivered with Windows Server 2003 contain one or more snap-ins related to a single task, MMCs can be customized to fit the exact needs of the administrator and the task at hand. Many MMC snap-ins also support remote administration, allowing you to connect to and manage another computer without requiring “sneaker net” (a physical visit to the other computer).

Windows Server 2003 provides several other important options for remote systems management. When you require more control than you can achieve using the remote connection supported by MMC snap-ins, you can leverage Remote Desktop For Administration and Remote Assistance. Remote Desktop For Administration opens a session that gives you complete control of a remote system as if you were logged on locally at the computer’s console. Remote Desktop is akin to “remote control” software such as PCAnywhere or Virtual Network Computing (VNC), but it is fully integrated and supported with Microsoft Windows XP and Windows Server 2003. Remote Assistance is used to connect to an existing session on a remote computer, allowing you to view or even control what another user is doing in that session.
Remote Assistance is particularly useful for user support scenarios, when you need to see and help a user.

Finally, Windows Server 2003 supports traditional Terminal Services functionality so that multiple users can connect to and open sessions on a single server. Terminal Services and the Remote Desktop client reduce the costs of support and management because the installation and configuration of applications is performed only once: on the terminal server itself. User desktops act as “terminals” and require only an operating system and the Remote Desktop client. In fact, users can connect to a terminal server using a hardware-based or software-based thin client.

This chapter will explore each of these options for administration and support of local and remote systems.

Lessons in this Chapter:

■ Lesson 1: The Microsoft Management Console
■ Lesson 2: Managing Computers Remotely with the MMC
■ Lesson 3: Managing Servers with Remote Desktop For Administration
■ Lesson 4: Using Remote Assistance
■ Lesson 5: Terminal Server

Before You Begin

To perform the practices related to the objectives in this chapter, you must have

■ A computer that has Windows Server 2003 installed and operating. To follow the examples directly, your server should be named Server01 and function as a domain controller in the contoso.com domain.
■ A configured and functioning Transmission Control Protocol/Internet Protocol (TCP/IP) network to which your console and remote administrative target computers can connect (for administration of remote computers).
■ A second computer running Windows Server 2003, named Server02 and configured as a member server in the contoso.com domain.
Lesson 1: The Microsoft Management Console

The administrative framework of Windows Server 2003 is the MMC. The MMC provides a standardized, common interface for one or more tools, called snap-ins, that are specialized for individual tasks. The default administrative tools in Windows Server 2003 are MMCs with one or more snap-ins suited to a specific purpose. The Active Directory Users And Computers administrative tool, for example, is an MMC with the Active Directory Users And Computers snap-in.

After this lesson, you will be able to

■ Configure an MMC with individual snap-ins
■ Configure an MMC with multiple snap-ins
■ Save an MMC in Author or User mode

Estimated lesson time: 15 minutes

The MMC

The MMC provides a two-paned framework consisting of a console tree pane, also called a scope pane, and a details pane. The MMC menus and a toolbar provide commands for manipulating the parent and child windows, snap-ins, and the console itself.

Navigating the MMC

An empty MMC is shown in Figure 2-1. Note that the console has a name and that there is a Console Root. This Console Root will contain any snap-ins that you choose to include.

Figure 2-1 An empty MMC

Each console includes a console tree, console menu and toolbars, and the details pane. The contents of these will vary, depending on the design and features of the snap-in you use. Figure 2-2 shows a populated MMC with two snap-ins loaded.

Figure 2-2 A populated MMC

Using the MMC Menus and Toolbar

Although each snap-in will add its unique menu and toolbar items, there are several key menus and commands that you will use in many situations that are common to most snap-ins, as shown in Table 2-1.
Table 2-1 Common MMC Menus and Commands

| Menu | Commands |
| --- | --- |
| File | Create a new console, open an existing console, add or remove snap-ins from a console, set options for saving a console, the recent console file list, and an exit command |
| Action | Varies by snap-in but generally includes export, output, configuration, and help features specific to the snap-in |
| View | Varies by snap-in, but includes a customize option to change general console characteristics |
| Favorites | Allows for adding and organizing saved consoles |
| Window | Open a new window, cascade, tile, and switch between open child windows in this console |
| Help | General help menu for the MMC as well as loaded snap-in help modules |

Extending the MMC with Snap-Ins

Each MMC contains a collection of one or more tools called snap-ins. A snap-in extends the MMC by adding specific management capability and functionality. There are two types of snap-ins: stand-alone and extension.

Stand-Alone Snap-Ins

Stand-alone snap-ins are provided by the developer of an application. All administrative tools for Windows Server 2003, for example, are either single snap-in consoles or consoles with a combination of snap-ins useful to a particular task. The File Server Management console (Filesvr.msc), for example, contains snap-ins to facilitate the configuration, monitoring, and optimization of file server storage and shares.

Extension Snap-Ins

Extension snap-ins, or extensions, are designed to work with one or more stand-alone snap-ins. When you add an extension, Windows Server 2003 places the extension into the appropriate location within the stand-alone snap-in.

Many snap-ins can act as a stand-alone snap-in or extend the functionality of other snap-ins. For example, the Event Viewer snap-in can operate as a stand-alone snap-in, as in the Event Viewer console, and is an available extension for the Computer Management snap-in.
Building a Customized MMC

You can combine one or more snap-ins to create customized MMCs, which you can then use to consolidate the tools you require for administration. To create a customized MMC:

1. Click Start, and then select Run.
2. In the Open text box, type mmc and then click OK. A blank MMC will appear.
3. Select the File menu, and then select Add/Remove Snap-In. The Add/Remove Snap-In dialog box appears with the Standalone tab active. Note that no snap-ins are loaded.
4. Click Add to display the Add Stand-alone Snap-In dialog box. Locate the snap-in you want to add, and then click Add. Many snap-ins prompt you to specify whether you wish to focus the snap-in on the local computer or another computer on the network.
5. When you have added all the snap-ins you require, close the dialog boxes.
6. To save the customized MMC, select the File menu and then select Save.

Off the Record: Spend a few minutes analyzing your daily tasks and group them by type of function and frequency of use. Build two or three customized consoles that contain the tools that you use most often. You will save quite a bit of time not needing to open, switch among, and close tools as often.

Console Options

Console options determine how an MMC operates in terms of what nodes in the console tree may be opened, what snap-ins may be added, and what windows may be created. You configure console options in the Options dialog box, which you can open by clicking Options on the File menu.

Author Mode

When you save a console in Author mode, which is the default, you enable full access to all of the MMC functionality, including:

■ Adding or removing snap-ins
■ Creating windows
■ Creating taskpad views and tasks
■ Viewing portions of the console tree
■ Changing the options on the console
■ Saving the console

User Modes

If you plan to distribute an MMC with specific functions, you can set the desired User mode and then save the console.
By default, consoles will be saved in the Administrative Tools folder in the user’s profile. Table 2-2 describes the user modes that are available for saving the MMC.

Table 2-2 MMC User Modes

| Type of User Mode | Description |
| --- | --- |
| Full Access | Allows users to navigate between snap-ins, open windows, and access all portions of the console tree. |
| Limited Access, Multiple Windows | Prevents users from opening new windows or accessing a portion of the console tree but allows them to view multiple windows in the console. |
| Limited Access, Single Window | Prevents users from opening new windows or accessing a portion of the console tree and allows them to view only one window in the console. |

Note: MMCs, when saved, have an *.msc extension. Active Directory Users And Computers, for example, is named Dsa.msc (Directory Services Administrator.msc).

Tip: Create administrative consoles for your administrators by saving customized consoles, optionally in a restricted User mode, and distributing the resulting .msc files. Any snap-in used in a custom console must be installed on the system. This means, for example, that you must have installed the Windows Server 2003 administrative tools, Adminpak.msi, on a system for a console with the Active Directory Users And Computers snap-in to function.

Practice: Building and Saving Consoles

In this practice, you will create, configure, and save an MMC.

Exercise 1: An Event Viewer Console

1. Click Start, and then click Run.
2. In the Open text box, type mmc, and then click OK.
3. Maximize the Console1 and Console Root windows.
4. From the File menu, choose Options to view the configured console mode. In what mode is the console running?
5. Verify that the Console Mode drop-down list box is in Author mode, and then click OK.
6. From the File menu, click Add/Remove Snap-In.
   The Add/Remove Snap-In dialog box appears with the Standalone tab active. Note that there are no snap-ins loaded.
7. In the Add/Remove Snap-In dialog box, click Add to display the Add Standalone Snap-In dialog box.
8. Locate the Event Viewer snap-in, and then click Add.
   The Select Computer dialog box appears, allowing you to specify the computer you want to administer. You can add the Event Viewer snap-in for the local computer on which you are working, or if your local computer is part of a network, you can add Event Viewer for a remote computer.
9. In the Select Computer dialog box, select Local Computer, and then click Finish.
10. In the Add Standalone Snap-In dialog box, click Close, and then in the Add/Remove Snap-Ins dialog box, click OK.
    Event Viewer (Local) now appears in the console tree. You may adjust the width of the console tree pane and expand any nodes that you want to view.
11. On your own, add a snap-in for Device Manager (local).
12. Save the MMC as MyEvents.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.

1. What is the default mode when creating an MMC?
2. Can a snap-in have focus on both the local computer and a remote computer simultaneously?
3. If you want to limit the access of a snap-in, how do you construct the MMC that contains the snap-in?

Lesson Summary

The MMC is a powerful framework for organizing and consolidating administrative snap-ins. The hierarchical display, similar to that of Windows Explorer, offers a familiar view of snap-in features in a folder-based paradigm. There are two types of snap-ins, stand-alone and extension, with extensions appearing and behaving within the MMC based on the context of their placement.
Any console can be configured to work in either of two modes, Author or User, with the User mode supporting various levels of restricted functionality in the saved console.

Lesson 2: Managing Computers Remotely with the MMC

In Lesson 1, you learned that you can build a customized MMC with snap-ins that are focused on remote computers. In addition, many snap-ins allow you to change the focus of the snap-in by right-clicking the snap-in in the console tree and choosing a command such as Connect To Another Computer, Connect To Domain, Connect To Domain Controller, and so forth. Using the MMC to remotely manage another system (as shown in Figure 2-3) can save you the time and cost of a physical visit to the computer.

Figure 2-3 Connecting to a user’s computer with the Computer Management console

After this lesson, you will be able to

■ Construct an MMC to manage a computer remotely

Estimated lesson time: 10 minutes

Setting Up the Snap-in for Remote Use

To connect to and manage another system using the Computer Management console, you must launch the console with an account that has administrative credentials on the remote computer. If your credentials do not have sufficient privileges on the target computer, snap-ins will load, but they either will function in read-only mode or will not display any information.

Tip: You can use Run As, or secondary logon, to launch a console with credentials other than those with which you are currently logged on.

When you’re ready to manage a remote system, you may open an existing console with the appropriate snap-in loaded or configure a new MMC and configure the remote connection when you add the snap-in. To remotely manage a system using the existing Computer Management console, for example, follow these steps:

1. Open the Computer Management console by right-clicking My Computer and choosing Manage from the shortcut menu.
2. Right-click Computer Management in the console tree and choose Connect To Another Computer.
3. In the dialog box shown in Figure 2-4, type the name or IP address of the computer or browse the network for the remote computer, and then click OK to connect.

Figure 2-4 Setting the Local/Remote Context for a snap-in

Once connected, you can perform administrative tasks on the remote computer.

When you connect to a remote system using the MMC, you connect using remote procedure calls (RPCs). If the remote system has Windows Firewall enabled, the default firewall configuration will prevent inbound RPC traffic. To enable remote administration using the MMC, configure the firewall exception for remote administration. This exception opens TCP ports 135 and 445 and adds program exceptions for Svchost.exe and Lsass.exe to allow hosted services to open additional, dynamically assigned ports, typically in the range of 1024 to 1034. It also enables a computer to receive unsolicited incoming Distributed Component Object Model (DCOM) and RPC traffic.

To configure this exception, open the local or a domain-based Group Policy Object (GPO) and navigate to the Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall node. Then open the Domain Profile, which specifies firewall configuration when a system is connected to the domain. In the details pane, double-click the Windows Firewall: Allow Remote Administration
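
The remote administration exception discussed above can also be set locally with netsh, which makes the scope of the exception explicit. This is an added example, not part of the original chapter: the subnet 192.168.10.0/24 is a constructed placeholder for the network that holds the administrators' workstations, and the commands assume Windows Server 2003 with Service Pack 1 or later, where the netsh firewall context is available.

```batch
@echo off
rem Added example, not from the original chapter. Run on the managed server.
rem ADMIN_NET is a constructed placeholder: replace it with the subnet that
rem holds the administrators' workstations.
set ADMIN_NET=192.168.10.0/24

rem Broad form (left commented out): accepts unsolicited RPC/DCOM traffic
rem from any source address while the domain profile is active.
rem netsh firewall set service type=remoteadmin mode=enable scope=all profile=domain

rem Narrow form: the same exception (TCP 135 and 445 plus the Svchost.exe
rem and Lsass.exe program exceptions), but only for the domain profile and
rem only from the administrative subnet.
netsh firewall set service type=remoteadmin mode=enable scope=custom addresses=%ADMIN_NET% profile=domain

rem Keep the exception off in the standard profile, which applies when the
rem server is not connected to the domain.
netsh firewall set service type=remoteadmin mode=disable profile=standard

rem Review the result: per-profile service settings, then the ports that
rem are currently open.
netsh firewall show service
netsh firewall show state
```

Settings delivered by a Group Policy Object take precedence over local netsh settings, so on domain members the GPO value is the one that takes effect.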