■ The server has not booted properly.
■ The server has been shut down and you need to bring it up again.

The extent to which an administrator can use out-of-band management depends on the hardware of their server. At the very least, on a server with Windows Server 2003, a serial port, and EMS enabled, they can connect a VT100-type terminal or a computer with a terminal emulator to the serial port and perform certain tasks using the Special Administration Console (SAC). However, the server must be up and running to be able to manage it in this way.

If an administrator needs to be able to manage the server remotely when it has crashed or even been switched off, they need special hardware and firmware on the motherboard that provide features such as firmware console redirection. This means that they can monitor the server via the serial port right from the moment it starts up and even check out basic input/output system (BIOS) settings.

EMS is not enabled by default, but can be enabled during an installation, an upgrade, or after setup has been completed.

Exercise 3.07 outlines the process by which you can use Emergency Management Services. This exercise requires two computers—one with Windows Server 2003 and the other with any operating system and a terminal emulator—and a special serial cable with two female ends and a crossover, sometimes called a null-modem cable. Alternatively, you can use a single computer and a dumb terminal that connects to the serial port of the server computer.

www.syngress.com 184 Chapter 3 • Managing and Maintaining Remote Servers

Managing Several Windows Server 2003 Computers with EMS

EMS provides a useful service for managing your servers in an emergency situation. But what if you have a large number of computers running Windows Server 2003 in a computer room? What is the best way of hooking to EMS on all of them without having an array of terminals?
A tidy way of providing access is to use a terminal concentrator (sometimes called a Terminal Server, not to be confused with Terminal Services). A terminal concentrator has several serial ports (16 is a common number) and a network connection. You use a program like Telnet to connect to the terminal concentrator over the network, and then choose a particular port on the concentrator to connect to the device attached to that port. Connect each of the serial ports on the servers to the serial ports on the terminal concentrator and you can then connect to EMS over the network. Of course, if the terminal concentrator fails, then you will not be able to connect to any of the servers.

New & Noteworthy…

271_70-292_03.qxd 8/21/03 2:04 PM Page 184

EXERCISE 3.07
CONNECTING TO EMS

1. Connect the serial cable between the two computers using COM1 on both computers.
2. On the server to be managed, open a command window and type the command bootcfg /ems on /id 1 /port COM1. This enables EMS on serial port COM1. The /id option specifies the operating system in the boot.ini list on which EMS is to be enabled. If you have more than one operating system on your computer, be sure to adjust the value of /id accordingly.
3. On the second computer, start Hyperterminal or any other terminal emulator and connect to COM1 using a baud rate of 9600. You will not see anything in the terminal window yet.
4. Reboot the server computer. Watch the terminal window as the server computer restarts. You should see the normal server-starting messages, including the operating system loader where you can choose which operating system to boot. At this stage, you can interact with the boot process through the terminal window.
5. When the computer has finished booting, the SAC prompt appears, as shown in Figure 3.41.

Figure 3.41 The SAC

6. Type cmd to start a command-prompt channel.
7. To switch to the command-prompt channel type ch si 1 and press the spacebar to view the channel.
8. Enter your logon name, domain, and password. Use the name of the computer for the domain if your computer is not part of a domain.
9. After you have successfully authenticated, you get the normal command prompt where you can navigate the directory tree and run commands.

Summary of Exam Objectives

Windows Server 2003 provides a wide range of management tools; some are graphical and others are command-line based. There are also many wizards to help less-experienced administrators through particular tasks.

Many of the graphical tools are built using the MMC and snap-ins. You can use snap-ins to configure your own customized administrative tools. It is important to realize that most tools (graphical and command-line) work over the network so that you can manage remote servers from your computer.

When you need to manage a server remotely, you can choose from a variety of tools, including a browser (for remote administration), Remote Desktop connection (using Terminal Services), snap-ins for the MMC, and the Administration Tools Pack. Some tasks, such as adding a user, can be carried out using any of the remote administration tools, whereas others require you to use a specific tool. End-users can use Remote Assistance to enable others access to their desktop to guide them through resolving a problem or show them how to do something.

Terminal Services contains two components for remote administration. The first, Remote Desktop for Administration, allows up to two administrators to simultaneously connect remotely to the server. Each receives their own session with a separate desktop.
Using this mode, an administrator can also connect to the console session of the server. This option was not available in Windows 2000 and it allows the administrator to view the server’s main desktop, just as if sitting at its keyboard. The second mode, Remote Assistance, allows a user, called the Novice, to request assistance from someone more knowledgeable, called the Expert. An invitation is sent from the Novice to the Expert, which enables the Expert to connect to and view the actual desktop of the Novice’s computer. Only one of the Remote Assistance sessions can exist on a computer at any given time. The Novice can also allow the Expert to have cursor and keyboard input within the Novice’s session. Both the Remote Desktop for Administration and Remote Access components must be enabled manually on the server.

There are three basic client tools that can be used to establish a Terminal Services connection. The Remote Desktop Connection utility is the primary tool designed for end users. It allows for connection to a single Terminal Server per instance of the utility and has a wide range of configuration options. The Remote Desktops MMC snap-in allows for connections to multiple Terminal Services computers within the same interface, and also allows you to connect to the console session. It is primarily designed for administrators. The Remote Desktop Web Connection utility is an IIS component that is installed from Add or Remove Programs in the Control Panel. IIS 6.0 must be installed on the Terminal Server to enable Web connections. It uses a client side ActiveX control as the client. When used in full screen mode, it launches a session window independent of the browser window. The Web client requires MSIE 5.0 or later, with security settings configured to allow ActiveX controls to be downloaded and installed.
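An added example, not from the book: a small Python audit that reads a boot.ini and reports whether the EMS redirection that bootcfg /ems on configures in Exercise 3.07 is active, so that serial consoles (including those wired to a terminal concentrator) can be inventoried. The sample files are constructed; the code relies on the boot.ini keys redirect= and redirectbaudrate= in [boot loader] and the /redirect switch on the operating system entry.

```python
import re

# Constructed sample: a boot.ini with EMS enabled on COM1 for boot entry 1,
# the state step 2 of Exercise 3.07 sets up. Not taken from a real server.
SAMPLE_EMS_ON = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
redirect=COM1
redirectbaudrate=9600
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Standard" /fastdetect /redirect
multi(0)disk(0)rdisk(0)partition(2)\WINNT="Windows 2000 Server" /fastdetect
"""

# Constructed sample: the same kind of machine with EMS never enabled.
SAMPLE_EMS_OFF = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Standard" /fastdetect
"""


def audit_boot_ini(text):
    """Return the EMS redirection settings found in boot.ini text."""
    section, loader, entries = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if section == "boot loader":
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            # value looks like: "Display name" /switch1 /switch2
            m = re.match(r'\s*"([^"]*)"(.*)$', value)
            name, switches = (m.group(1), m.group(2)) if m else ("", value)
            flags = {s.lower() for s in re.findall(r"/[A-Za-z0-9]+", switches)}
            entries.append({
                "id": len(entries) + 1,  # position in the list, as /id counts it
                "name": name,
                "ems": "/redirect" in flags,
            })
    port = loader.get("redirect")
    baud = loader.get("redirectbaudrate", "")
    ems_ids = [e["id"] for e in entries if e["ems"]]
    findings = []
    if port and ems_ids:
        findings.append(f"EMS enabled on {port} for boot entry id(s) {ems_ids}")
    elif port:
        findings.append(f"loader output redirected to {port} but no entry has /redirect")
    elif ems_ids:
        findings.append(f"entry id(s) {ems_ids} have /redirect but no redirect= port is set")
    return {
        "port": port,
        "baud": int(baud) if baud.isdigit() else None,
        "entries": entries,
        "ems_ids": ems_ids,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, text in (("EMS on", SAMPLE_EMS_ON), ("EMS off", SAMPLE_EMS_OFF)):
        report = audit_boot_ini(text)
        print(label, report["port"], report["baud"], report["ems_ids"])
        for finding in report["findings"]:
            print("  -", finding)
```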
Sometimes you will not be able to connect to a server over the network at all or it might have crashed completely. If the server is physically distant from you, consider using EMS. Provided that you have the appropriate hardware, you can establish access to the server even when the operating system is not running. Even with a server with no special hardware, you can still use EMS via the serial port to remotely manage the server using the SAC, but this will work only while the operating system is running.

Exam Objectives Fast Track

Recognizing Types of Management Tools

Windows Server 2003 provides administrators with a variety of management tools including wizards, graphical administration tools, and command-line utilities. Most graphical administration tools can be found as pre-configured management consoles accessible via Start | Programs | Administrative Tools. Many graphical management tools are built using the MMC and snap-ins. You can create your own customized management tools by using snap-ins provided by the operating system or third-party products.

Using Terminal Services Components for Remote Administration

Remote Desktop for Administration allows up to two administrators to remotely connect to the server simultaneously, each in their own session, to perform administrative tasks. Remote Assistance allows a user, called the Novice, to request help from someone more knowledgeable, called the Expert. The Expert is able to view and interact with the Novice’s desktop remotely if permission is granted by the Novice. Though installed with the operating system, both Remote Desktop for Administration and Remote Assistance must be enabled manually after installation before they can be used.

Using Terminal Services Client Tools

The Remote Desktop Connection utility is the primary Terminal Services client for end users.
It comes with Windows Server 2003 and Windows XP, and can be installed on Windows 9x, NT, and 2000 computers. The Remote Desktop MMC snap-in is designed for administrators. It allows for connections to multiple servers within a single interface, as well as console session connections. The console session is the server’s primary desktop, the one you would see if you were actually sitting at its physical keyboard. Only one administrator can be logged on to the console session at any given time. If another administrator attempts to log on, the current administrator will be logged off unless Group Policy prevents this. The Remote Desktop Web Connection utility can be used from client machines that do not have one of the other Terminal Services clients installed. It requires and is a subcomponent of IIS 6.0. When a user connects, an ActiveX control is downloaded to their system to serve as the local Terminal Services client. This utility is only supported by MSIE 5.0 and higher.

End-users can use Remote Assistance to invite another person to view or take control of their desktops. The Web Interface for Remote Administration enables you to manage a server from anywhere in the world using a Web browser. However, the range of administration tasks is limited. Remote Desktop for Administration enables you to connect to a Windows 2000 Server or a Windows Server 2003 desktop via Terminal Services and act as if you were at the server. This enables you to perform any task on the server. You can install the Administration Tools Pack on a Windows XP computer to enable you to remotely manage servers. WMI provides a programming interface for developers to design management tools. Computer Management (a pre-configured MMC) and other MMC snap-ins provide local and remote management capability.
Using EMS

EMS provides a means for managing a server even when network connectivity has failed. To manage a server even when the operating system is not running, special hardware is required. EMS provides a SAC that runs on the serial port and enables remote access via a serial cable or modem. The SAC runs when the operating system is running. EMS must be installed before it can be used.

Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: What type of administrative tools does Windows Server 2003 provide?
A: You can work with graphical tools, command-line utilities, or wizards.

Q: Which type of remote management tool would be most appropriate if you needed to manage your server from a customer’s office?
A: The Web Interface for Remote Administration is generally best, assuming that your customer has Internet access.

Q: What management feature can users use to request help from someone else?
A: Computers running Windows XP or later include the Remote Assistance feature. This enables a user to send an invitation to another person to remotely view or take control of the user’s desktop and provide assistance. Remote Assistance is enabled by default, but you can turn it off via the Control Panel | System | Remote tab.

Q: Can you manage Windows Server 2003 computers from your desktop computer?
A: Yes. There are several methods: Remote Desktop, Web Interface, Administration Tools Pack, and MMCs.

Q: What is the difference between Remote Desktop for Administration and the Terminal Server role?
A: Both are designed to allow remote Terminal Services connections. However, the Terminal Server role contains additional multi-user code that keeps user session and application settings separate. This allows for many users to connect using Terminal Services without having problems with the applications they are using. By default, Terminal Services allows only two connections for remote administration. When the Terminal Server role is installed, an unlimited number of users can connect simultaneously.

Q: How can I connect to, view, and interact with the console session using Terminal Services?
A: The Remote Desktop MMC snap-in is designed for administrator use. It allows for connection to multiple Terminal Services computers, in addition to defaulting to console session access. You can also connect to the console from the command-line by typing mstsc /console.

Q: Is Remote Assistance a part of Terminal Services or a separate component?
A: Like Remote Desktop for Administration, Remote Assistance exists in both Windows XP and Windows Server 2003 (Remote Desktop is only included in XP Professional, not XP Home, but Remote Assistance comes with both editions of XP). It is an additional service that uses the Terminal Services service to provide its core capabilities.

Q: There seem to be a number of different utilities that can be used to connect to Terminal Services and establish a session. Which one is the primary client tool for end users?
A: The Remote Desktop Connection utility is the primary end user connection tool. It comes pre-installed with Windows XP and Server 2003 and can be installed on Windows 9x, NT, and 2000 computers. It can be used to save connection settings to a file so that reconfiguration is not necessary when connecting to different servers.
It also has a wide range of options that allow for optimization over almost any bandwidth. It includes several improvements over the Windows 2000 Terminal Services client, including the ability to redirect audio from the server to the client.

Q: I have enabled Remote Desktop connections. Why are administrators the only ones who can log on?
A: By default, only administrators can establish remote administration sessions. This makes sense when you think about it, since they are most likely to be the ones that will be connecting to the server remotely to do the work. However, if you need to allow others to connect, you can add them to the Remote Desktop Users group. This differs from Windows 2000 Terminal Services in remote administration mode, where there was no way to allow non-administrative users to connect.

Q: What does EMS provide?
A: The capability to manage a server, even when there is no network connectivity and sometimes even when the operating system has crashed (if you have the proper server hardware).

Q: What is the name of the management tool that EMS provides over the serial port?
A: SAC, the Special Administration Console. This enables you to run command-line programs in a terminal emulator.

Q: What is out-of-band management?
A: Out-of-band management refers to using a different set of tools from the standard ones; including tools that do not run over the network.

Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Recognizing Types of Management Tools

1. You are logged on to the server using an ordinary user account (i.e., without administrator privileges). You need to add several new printers on the server and you decided to use the prncnfg command-line utility. How do you do this without logging off?
A. Select Start | Run, and then type runas /user:administrator cmd. In the command window run the prncnfg command.
B. Select Start | Programs | Administrative Tools | Prncnfg, and then right-click and select Run as.
C. Select Start | Settings | Command. In the command window type runas /user:administrator cmd and run the prncnfg command in the new command window that appears.
D. Select Start | Run and then type cmd. In the command window run the prncnfg command.

2. You are creating a new MMC console for use by your help desk team that will be used to perform low level administrative functions in your network. You want the help desk team to be able to use the custom console, but not allow them to create any new windows or change the configuration of the console. What mode should you save this custom console in?
A. Author mode
B. User mode - full access
C. User mode - limited access, multiple windows
D. User mode - limited access, single window

Using Terminal Services Components for Remote Administration

3. One of your users is having problems getting a productivity application to work correctly. You suspect that he is performing the steps involved in using the application incorrectly, but the application interface is complex and it is difficult for you to explain over the phone what he needs to do. The user is running Windows XP, and you want to connect to his PC and show him how to perform the task in question so that he can actually see you go through the steps. How would you arrange to do this?
A. Send the user a Remote Assistance Request.
B. Get the user to send a Remote Assistance Invitation.
C. Connect to the user’s PC using Remote Desktop.
D. Connect to the user’s PC using the Web Interface for Remote Administration.

4. You are at a branch office of your company assisting a user on her PC. While assisting the user, you receive a call that requires you to alter a DNS setting on the server back at the main office. The user has many applications open and you would prefer to not have to log her out if at all possible. What would be the best way to connect to the server?
A. Install the Windows Administration Tool Pack on the user’s PC.
B. Connect to the server using the Web Interface for Administration.
C. Use Computer Management on the PC and connect to the server.
D. Connect to the server using Remote Desktop for Administration.

5. You are the network administrator for Joe’s Crab Shack. While at a meeting in Redmond, Washington, you are informed that one of your newly installed Windows Server 2003 DNS servers has stopped performing name resolution. Your CEO has asked you to make a Remote Desktop connection to the server via your virtual private network (VPN) connection to the network. After you have connected to your internal network via VPN, you attempt to create a Remote Desktop connection to the server and cannot. The DNS server is located on the same IP subnet as the VPN server. What is the most likely reason for this problem?
A. TCP port 3389 is being blocked at your firewall.
B. Remote Desktop is not enabled on the server.
C. You do not possess the required credentials.
D. Your Internet connection does not support the RDP 5.1 protocol.

[...]

Chapter 4
MCSA/MCSE 70-292
Managing and Maintaining Web Servers

Exam Objectives in this Chapter:
3.3 Manage a Web server
3.3.1 Manage Internet Information Services (IIS)
3.3.2 Manage security for IIS

Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key

...
complete the installation, click Next.

Figure 4.5 The Summary of Selections Dialog Box

7. The Windows Component Wizard appears, as seen in Figure 4.6. You may be prompted to provide the location to the Windows Server 2003 installation files.

Figure 4.6 The Windows Components Wizard Performs...

develop Web content and manage the Web site remotely. For this example, select both options and click Next to continue.

Figure 4.4 The Application Server Options Dialog Box

6. In the Summary of Selections dialog box, as seen in Figure 4.5, you can review the configuration that you have selected. Note...

Figure 4.9 The Windows Components Wizard

3. Select the Application Server option and click the Details button to open the Application Server dialog box, as seen in Figure 4.10.

Figure 4.10 Examining the Application Server Options

4. Select the ASP.NET and Internet Information Services (IIS)...

Server Wizard

Figure 4.1 Using the Manage Your Server Utility

2. The Configure Your Server Wizard starts and displays the Preliminary Steps dialog box, as seen in Figure 4.2. After verifying that you are ready to continue, click Next.

Figure 4.2 Viewing Preliminary Steps for the Configure Your Server Wizard

...

installation of IIS has been completed, as seen in Figure 4.7. Click Finish to close the Wizard.

Figure 4.7 Completing the Configure Your Server Wizard

The next section examines how IIS 6.0 can be installed using the Windows Component Wizard directly.

Using the Windows Component Wizard to Install IIS...

Exercise 4.01 outlines the steps you will perform to install IIS 6.0 using the Configure Your Server Wizard.

EXERCISE 4.01
INSTALLING IIS 6.0 USING THE CONFIGURE YOUR SERVER WIZARD

1. Click Start | Programs | Administrative Tools | Manage Your Server to open the Manage Your Server utility, as seen in Figure 4.1...

servers. Thus, you can have a valid certificate and can be misled by this warning. Windows 2000 only supports 40-bit encryption and Windows Server 2003 supports both 40-bit and 128-bit encryption.

Selectable Cryptographic Service Provider

SSL/TLS offers a secure environment in which to exchange data. The...

Next to continue.

4. In the Server Role dialog box, as seen in Figure 4.3, you can select the new configuration for your Windows Server 2003. Several possible roles are shown on the Server Role dialog box. Select the Application Server (IIS, ASP.NET) option and click Next to continue.

Figure 4.3 The Server Role Dialog Box

5. In the Application Server Options dialog box, as seen in Figure 4.4, you can select...

IIS 6.0 as outlined in Exercise 4.02.

EXERCISE 4.02
INSTALLING IIS 6.0 USING THE WINDOWS COMPONENT WIZARD

1. Click Start | Settings | Control Panel | Add or Remove Programs to open the Add or Remove Programs applet.

Figure 4.8 The Add or Remove Programs Applet

2. Click the Add/Remove Windows Components button to start the Windows Component Wizard, as seen in Figure 4.9.

Figure 4.9 The Windows Components Wizard

... Appendix.

1. A
2. D
3. B
4. D
5. B
6. A, C
7. A
8. A, C, D
9. A
10. B
11. A, C
12. C
13. B
14. B, C
15. D