Windows 2003 Server
At the end of this chapter you should be able to:
Network Administration Procedures
We will look at the MMC in more detail and the secondary logon feature in Windows Server 2003 also known as Run As.
Windows Server 2003 Management Tools
As we have seen throughout the class, Windows Server 2003 has a new shutdown process. When you shut down, it asks you to give a reason for the shutdown. This reason is recorded in the System log in Event Viewer with an event ID of 1074. This way administrators can see why a server was shut down and by whom. If a server crashes or is shut down improperly, on the next startup it will require a user to enter a reason for the shutdown.
LAB ACTIVITY - Do the lab on page 383. (10 Minutes)
LAB ACTIVITY - Do the lab on page 384. (10 Minutes)
The Microsoft Management Console
In chapter 1 we learned a little bit about the MMC and different snap-ins. Many snap-ins let you connect to other computers and manage them remotely. One example is the Active Directory Users and Computers snap-in, which you can install on a Windows XP computer. When you open the snap-in on your XP computer, it actually connects to a domain controller remotely.
LAB ACTIVITY - Do the lab on page 386. (10 Minutes)
Some MMC snap-ins allow you to create a taskpad view which can be used to add buttons for common tasks. This way you can give a custom MMC to a user and it will have the tasks you want that user to perform right on it.
LAB ACTIVITY - Do the lab on page 387. (15 Minutes)
With a secondary logon you log on to the computer with a standard non-administrative account. When you want to perform an administrative function, you can run a program as an administrator; this is a secondary logon. You can run a program as someone else in one of two ways.
The first way is to right-click the program and choose Run As. If you don't see the Run As option, hold down the Shift key as you right-click. A box will appear and ask you to log in; once you log on, you will be running that program as the new user. Any program launched by the original program will run under the new user as well. For example, if you run the command prompt as an administrator, any program started from that command prompt will run as the administrator.
The second way is by using the Runas command from the command prompt.
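The following batch file is an added example, not part of the original course material. It wraps the Runas command so that a single MMC snap-in opens under a separate administrative account; the account name EXAMPLE\adm-jsmith and the file name admintool.cmd are placeholders.

```batch
@echo off
rem admintool.cmd (added example): open one MMC snap-in with a secondary logon.
rem Usage:  admintool.cmd EXAMPLE\adm-jsmith dsa.msc
rem   EXAMPLE\adm-jsmith  placeholder administrative account
rem   dsa.msc             Active Directory Users and Computers
setlocal

if "%~2"=="" goto :usage

set "SNAPIN=%windir%\system32\%~2"
if not exist "%SNAPIN%" goto :missing

rem runas prompts for the administrative password. Only mmc.exe, and anything
rem mmc.exe itself starts, runs as that account; the desktop session stays
rem non-administrative.
rem /savecred is deliberately not used: a stored credential would let the
rem logged-on user start any program as the administrative account.
runas /user:%~1 "mmc \"%SNAPIN%\""
exit /b %errorlevel%

:usage
echo Usage: %~nx0 DOMAIN\adminaccount snapin.msc
exit /b 1

:missing
echo Snap-in not found: %SNAPIN%
exit /b 2
```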
LAB ACTIVITY - Do the lab on page 389. (5 Minutes)
LAB ACTIVITY - Do the lab on page 390. (5 Minutes)
Network Troubleshooting Processes
The steps to solving a problem are outlined below.
Configuring Terminal Services and Remote Desktop for Administration
Windows Server 2003 supports remote desktop for administrative purposes. Remote desktop allows you to control the server from a remote location. You can use it to connect to the local console or to connect to a terminal session. There are two terminal sessions that you can connect to when the server is in remote administration mode.
Enabling Remote Desktop for Administration
In the system control panel you can click the remote tab to enable remote desktop.
LAB ACTIVITY - Do the lab on page 393. (10 Minutes)
Installing Terminal Services
If you want to install terminal services in application mode, you can do so in the Add or Remove Programs control panel by clicking Add/Remove Windows Components and checking Terminal Server. This will turn it on with a 120-day license.
LAB ACTIVITY - Do the lab on page 396. (10 Minutes)
Managing Terminal Services
Three tools are available to you to manage terminal services.
Configuring Remote Connection Settings
Terminal Services Configuration allows you to configure different settings on the connection and server. We will look at them together in class.
LAB ACTIVITY - Do the lab on page 399. (10 Minutes)
Terminal Services Client Software
You can connect to a server that has terminal services enabled by using the Remote Desktop Connection application, which is installed on Windows XP and Windows Server 2003 by default. You can install this application on earlier versions of Windows by running the setup in %systemroot%\System32\clients\tsclient\win32. Alternatively, you can connect through the web if that feature is installed. In order to connect through the web you have to use Internet Explorer. There is also the Remote Desktops snap-in in Windows Server 2003, which lets you connect to the console of your servers.
Use the Add or Remove Programs control panel when installing applications on a terminal server that is in application mode. This will put the server in install mode. You can put a server in install mode manually by using the Change User /install command. After you install the application, run the Change User /execute command.
Configuring Terminal Services User Properties
In Active Directory Users and Computers, if you open a user object, you will see four tabs that have the settings for terminal services.
Unfortunately you cannot modify the terminal services settings on a user using ADSI. This means you cannot write a script that will loop through and modify the attributes like you can for other user attributes. A company called System Tools has released a program called TSCMD that will allow you to modify those settings from a command line. Using a VBScript you can run this command on all users in an OU and modify their terminal services settings.
LAB ACTIVITY - Do the lab on page 404. (10 Minutes)
Delegating Administrative Authority
There are some tasks in Windows Server 2003 that you may want to pass off to other users. For example you might have a small site with a few users. You can give one user on that site the ability to reset passwords. You don't have to give the user full control over the domain, you can give that user the right to only reset passwords of the members of his/her OU.
Active Directory Object Permissions
You can set permissions on objects and attributes. For example, you can grant the right to create objects of type "User" in an OU. If you have that right, you can create user accounts. This is an object-level permission. If you try to add the user to a group, it will fail, because you don't have the rights to modify the Group object.
If you are giving someone the right to reset the passwords of all users, you can grant permission to modify the password attributes of the User objects. This is an attribute-level permission.
LAB ACTIVITY - Do the lab on page 407. (10 Minutes)
By default permissions are inherited from parent containers. You can block this inheritance.
Delegating Authority Over Active Directory Objects
The delegation wizard can help you grant object level and attribute level permissions.
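The password-reset delegation described above can also be granted from the command line with dsacls, which on Windows Server 2003 is part of the Support Tools. This is an added example, not part of the original course material; the OU OU=Branch,DC=example,DC=com and the group EXAMPLE\Branch-Helpdesk are placeholders.

```batch
@echo off
rem Added example: delegate password resets on one OU only.
rem Placeholders: the OU distinguished name and the group name below.
setlocal
set "OU=OU=Branch,DC=example,DC=com"
set "GRP=EXAMPLE\Branch-Helpdesk"

rem Grant (/G) the "Reset Password" control access right (CA).
rem /I:S applies the entry to sub-objects only, and the trailing "user"
rem limits it to user objects, so the OU itself, groups and computers
rem in the OU are not affected.
dsacls "%OU%" /I:S /G "%GRP%:CA;Reset Password;user"

rem Attribute-level permission: read and write (RPWP) the pwdLastSet
rem attribute, which is what lets the delegate force a password change
rem at next logon.
dsacls "%OU%" /I:S /G "%GRP%:RPWP;pwdLastSet;user"

rem Review step: list the ACL entries on the OU that name the group, so
rem the result can be checked against what was intended.
dsacls "%OU%" | findstr /i /c:"Branch-Helpdesk"
```

Because the entries are set on the OU and inherited, user accounts moved into the OU pick them up and accounts moved out lose them, unless inheritance is blocked on a child container.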
LAB ACTIVITY - Do the lab on page 411. (10 Minutes)
Software Update Services
SUS is Microsoft's current way to deploy critical updates to Windows 2k/XP/2k3 computers. This is a free program that should be run on every domain. This program is about to be replaced by Windows Update Services (WUS).