df9n34-part2 coleg notes

DF9N 34 Network Server Operating System Part 2 of 2 JULY 2005 © SQA

Upload: liam-adamson

Post on 27-Apr-2015



Network Operating System – Part 2 DF9N 34

© SQA Version1 Developed by COLEG 2

Acknowledgements

Microsoft® and Windows® are registered trademarks of the Microsoft Corporation. Screenshots are reproduced by permission of Microsoft Corporation.

© Scottish Qualifications Authority – Material developed by GCNS. This publication is licensed by SQA to COLEG for use by Scotland’s colleges as commissioned materials under the terms and conditions of COLEG’s Intellectual Property Rights document, September 2004. No part of this publication may be reproduced without the prior written consent of COLEG and SQA.


Contents

Acknowledgements
Introduction to the unit
    What this unit is about
    Outcomes
    Unit structure
    How to use these learning materials
    Symbols used in this unit
Other resources required
Assessment information
    How you will be assessed
    When and where you will be assessed
    What you have to achieve
    Opportunities for reassessment
Section 3: Manage and maintain access to resources
    Introduction to this section
    Assessment information for this section
    Configuring access to shared folders
    Troubleshoot terminal services
    Control file system permissions
    Summary of this section
    Answers to SAQs
Section 4: Manage and maintain a server environment
    Introduction to this section
    Assessment information for this section
    Monitor and analyse events and system performance
    System monitoring tools
    Manage software updates and site licensing
    Manage servers remotely
    Monitoring file and print servers
    Monitoring and optimising application performance
    Managing a web server
    Summary of this section
    Answers to SAQs
Section 5: Manage and implement disaster recovery
    Introduction to this section
    Assessment information for this section
    Performing system recovery for a server
    Manage backup procedures
    Recover from server hardware failure
    Summary of this section
    Answers to SAQs
Mock test
Useful websites
Glossary


Introduction to the unit

What this unit is about

This unit is designed to introduce the issues involved in managing and maintaining a network server operating system. It is intended for candidates undertaking an HNC or HND in Computing, Computer Networking or a related area, who require a broad knowledge of network servers, including the main theories, concepts and principles in this area.

Please note: The first two study sections are contained in the companion volume for this unit entitled: DF9N 34 Network Server Operating System: Part 1 of 2. Study sections 3, 4 and 5 are contained in this book.

Outcomes

• Outcome 1: Manage and maintain physical and logical devices.

• Outcome 2: Manage users, computers and groups.

• Outcome 3: Manage and maintain access to resources.

• Outcome 4: Manage and maintain a server environment.

• Outcome 5: Manage and implement disaster recovery.

Unit structure

This unit contains five study sections. You will need two books to cover the whole unit. Study sections 3, 4 and 5 are contained in this book. Study sections 1 and 2 are contained in the companion volume for this Unit entitled: DF9N 34 Network Server Operating System: Part 1 of 2.

Section number and title                               Approximate study time
1 Manage and maintain physical and logical devices     12 hours
2 Manage users, computers and groups                   12 hours
3 Manage and maintain access to resources              12 hours
4 Manage and maintain a server environment             12 hours
5 Manage and implement disaster recovery               12 hours


How to use these learning materials

These learning materials are designed for you to work through at your own pace, but the closed-book test(s) will have to be administered to the whole class group at the same time.

Symbols used in this unit

These learning materials allow you to work on your own with tutor support. As you work through the course, you will encounter a series of symbols which indicate that something follows that you are expected to do. You will notice that as you work through the study sections you will be asked to undertake a series of self assessed questions, activities and tutor assignments. An explanation of the symbols used to identify these is given below.

Self assessed question (symbol: ?)

This symbol is used to indicate a self assessed question (SAQ). Most commonly, SAQs are used to check your understanding of the material that has already been covered in the sections.

This type of assessment is self contained; everything is provided within the section to enable you to check your understanding of the materials.

The process is simple:

• you are set SAQs throughout the study section

• you respond to these by writing either in the space provided in the assessment itself or in your notebook

• on completion of the SAQ, you turn to the back of the section to compare the model SAQ answers to your own

• if you are not satisfied after checking your responses, turn to the appropriate part of the study section and go over the topic again.

Remember – the answers to SAQs are contained within the study materials. You are not expected to guess at these answers.

Activity (symbol: A)

This symbol indicates an activity, which is normally a task you will be asked to do that should improve or consolidate your understanding of the subject in general or a particular feature of it.

The suggested responses to activities follow directly after each activity.


Remember that the SAQs and activities contained within your package are intended to allow you to check your understanding and monitor your own progress throughout the course. It goes without saying that the answers to these should only be checked after the SAQ or activity has been completed. If you refer to these answers before completing the activities, you cannot expect to get maximum benefit from your course.

Tutor assignment – formative assessment (symbol: T)

This symbol means that a tutor assignment is to follow. These will be found at the end of each study section. The aim of the tutor assignment is to cover and/or incorporate the main topics of the section and prepare you for unit (summative) outcome assessment.


Other resources required

You will need the following resources:

• a computer capable of running Windows® 2003 Enterprise and Windows XP Professional

• a copy of Windows 2003 Enterprise and a copy of Windows XP Professional and the matching product keys

• an Internet connection.

To complete this unit you will need the book entitled: DF9N 34 Network Server Operating System: Part 1 of 2, which contains study sections 1 and 2.


Assessment information

How you will be assessed

You will have a closed-book assessment of 40 restricted response questions. These will cover the knowledge and skills for the whole unit. This will be similar to the Microsoft® examination on 70-290. You might find it helpful to search the Internet for free practice exam questions and cram-sheets for this exam as they are useful preparation. A list of resources I have found useful is given at the end of the unit.

This can be a single test at the end of the unit, or can be split into several subtests, each covering one or more outcomes.

You are also required to keep a logbook of practical tasks for each outcome. This logbook must be authenticated by your tutor.

When and where you will be assessed

When you are confident that you have worked through all of the SAQs and activities in the various sections, and have submitted all tutor assignments to your tutor, you will undertake unit (summative) assessment. These unit assessments will be set by your tutor.

Your tutor will help you to decide whether or not you are ready to undertake unit (summative) assessment, and will make the necessary arrangements for you.

What you have to achieve

In the closed-book test you must answer at least 70% correctly to achieve a pass. If you are taking subtests, each of these must be answered 70% correctly to achieve a pass.

Opportunities for reassessment

Normally, you will be given one attempt to pass an assessment with one reassessment opportunity.

Your centre will also have a policy covering 'exceptional' circumstances, for example if you have been ill for an extended period of time. Each case will be considered on an individual basis and is at your centre's discretion (usually via written application), and they will decide whether or not to allow a third attempt. Please contact your tutor for details regarding how to apply.


Section 3: Manage and maintain access to resources


Introduction to this section

What this section is about

In this section you’ll learn how to manage and maintain access to resources.

Outcomes, aims and objectives

• Configure access to shared folders.

• Troubleshoot terminal services.

• Configure file system permissions.

Approximate study time

12 hours.

Other resources required

• A computer capable of running Windows 2003 Enterprise and Windows XP Professional.

• A copy of Windows 2003 Enterprise and a copy of Windows XP Professional and the matching product keys.

• An Internet connection.


Assessment information for this section

How you will be assessed

You’ll be assessed through a closed-book test and logbook. You must provide evidence of the knowledge and skills for the entire unit by answering a set of 40 restricted-response questions. These may be administered as a single test at the end of the unit or as several subtests, each covering one or more outcomes.

When and where you will be assessed

You’ll take the closed-book test after you have completed the outcome(s) it covers.

Record the following activities in your logbook as you complete them:

• Activity 3.1: Configure access to shared folder activity

• Activity 3.2: Configure file system permissions activity.

What you have to achieve

You have to complete the activities and achieve at least 70% in the closed-book test or 70% in all the subtests individually.

Opportunities for reassessment

If needed, your tutor will give you the opportunity for one reassessment.


Configuring access to shared folders

You can use the Share Folder Wizard to set up sharing and share access on your shared folder. You will still have to configure NTFS folder permissions after you have run the wizard.

Alternatively, you can use one of the Windows 2003 wizards to help you. There is a ‘Run the Share a Folder Wizard’ option available if you select File Server on the Server Role screen. (This is because the purpose of a file server is to share files.)

You can access this by clicking Manage Server from the Start menu. The screen shown in Figure 58 is displayed.

Figure 58: Manage Server

This is a very useful screen. Microsoft have set it up as a portal to a lot of commonly used administration tasks. To start the ‘Run the Share a Folder Wizard’, click Add Shared Folders under File Server. This starts up the wizard. It asks first what folder you wish to share; if you cannot remember the path, click Browse and navigate to it (see Figure 59). The wizard also gives you the option to create a new folder.


Figure 59: Browse for a folder

Once you have selected the folder you wish to share, you are then given some options for configuring off-line access, as shown in Figure 60.

Figure 60: Offline Settings

Then you have to decide on the share permissions. You are given several common options and the choice to customise them. This is the same screen you would see if you were configuring share permissions without the wizard (see Figure 61).


Figure 61: Share Permissions

However, you still have to configure NTFS permissions on the folder. It is recommended that if you are giving users access to shared folders you give them full control across the share and narrow it down with NTFS permissions. This makes administration easier. Share and NTFS permissions are cumulative. The wizard does not configure shadow copies; they have to be configured separately.

Sometimes you may need to store information in a common place or share work with colleagues. For example, if you and a colleague were both writing a book, you would both need access to it, and one way to deal with this is to share folders. To create a shared folder, you first need to create the folder and then share it. To create a folder, navigate to where you want the folder to be, click File, click New and choose Folder. Now give it a name.

If you want to share this folder, you are given the option to give it a more user-friendly name. The default on a shared folder is to allow everyone to access it (the Everyone group). Access to shared folders is controlled by permissions. There are two sets of permissions that apply to shared folders and the results are the most restrictive of the two. Apart from the ubiquitous Deny permission, which overrides all others, there are Share permissions, which apply when users access the shared folder over a network, and NTFS permissions, which apply to all folder access, whether the folder is shared or not. NTFS folder permissions are covered at the beginning of this section.

Shadow copies of shared folders

Shadow Copies is a new Windows 2003 feature. Shadow copies provide snapshots of files that are in shared folders. The following are the benefits of shadow copies:


• If you accidentally delete a file you can recover a previous version.

• If you have overwritten a file by mistake you can get back the previous version.

• You can compare previous versions of a file with the current one.

To configure shadow copies on a shared folder, you need administrative rights for the computer where the shared folder is located. Go to Computer Management, right-click Shared Folders, then All Tasks, then Configure Shadow Copies. The screen shown in Figure 62 is displayed.

Figure 62: Shadow copies

Shadow copies are disabled by default and if you enable them you enable them for the whole volume. If you click Enable, you are warned that the default settings are for servers with high I/O. So you have an option to go back and customise the settings before you enable Shadow Copies. Once enabled, you cannot change the storage area without deleting your previous versions. There is a limit on space for the shadow copies and a limit to how often they can be taken. The default storage is 400 Mb and the default schedule is once a day at 7:00 am.

Note: the system only keeps a maximum of 64 shadow copies subject to space availability and if you take them more frequently, the period of time you can go back to will be shorter.

To use shadow copies, you need to install the client software on the client machines. The software is in the \\%systemroot%\system32\clients\twclient directory on the server. One of the easiest ways to deploy this is to use group policy, or you could put it on a network share and give users instructions for navigating to it.

Manage and troubleshoot access to shared folders

Once you have set up your shared folders, there might still be problems with others accessing them.

The problems most commonly encountered are:

• A user cannot see the computer that is hosting the shared folder, and so cannot navigate to it. This could be because of a connectivity problem. To check this, ping the computer hosting the shared folder. If this is OK, the two computers are communicating, so it must be something else causing the problem.

• If you have network connectivity and there are fewer than the maximum number of connections, the permissions will be the problem. It is recommended that share permissions are set for everyone and NTFS permissions are set on the file or folder. These permissions are cumulative. Remember that share permissions only apply to users that connect over a network, so if someone logs in locally and they are not given access via the share permissions, they will still be able to access the folder if they have the appropriate NTFS permissions.
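The permission rules given earlier (Deny overrides all others, share permissions apply only over the network, and the result is the most restrictive of share and NTFS) and the troubleshooting order in the list above can be modelled in a short Python script. This is an added example, not part of the original COLEG materials. The Level scale, the Ace class, the function names and the sample ACLs are assumptions made for illustration; the NTFS ACL on the TV folder is constructed, and Deny is simplified to a blanket deny.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Simplified access levels (assumption: real NTFS rights are finer-grained)."""
    NONE = 0
    READ = 1
    CHANGE = 2   # share "Change" and NTFS "Modify" treated as the same level
    FULL = 3


@dataclass(frozen=True)
class Ace:
    principal: str        # user or group name
    level: Level
    deny: bool = False    # modelled as a blanket Deny on this ACL


def acl_access(acl, principals):
    """Access granted by one ACL: allows add up across groups, any Deny wins."""
    matching = [ace for ace in acl if ace.principal in principals]
    if any(ace.deny for ace in matching):
        return Level.NONE
    return max((ace.level for ace in matching), default=Level.NONE)


def effective_access(share_acl, ntfs_acl, principals, over_network):
    """Share permissions count only over the network; NTFS always applies."""
    ntfs = acl_access(ntfs_acl, principals)
    if not over_network:
        return ntfs
    return min(acl_access(share_acl, principals), ntfs)


def diagnose(reachable, sessions, user_limit, share_acl, ntfs_acl, principals, wanted):
    """Walk the troubleshooting order: connectivity, user limit, permissions."""
    if not reachable:
        return "connectivity"
    if user_limit is not None and sessions >= user_limit:
        return "user limit reached"
    share = acl_access(share_acl, principals)
    ntfs = acl_access(ntfs_acl, principals)
    blockers = [name for name, got in (("share", share), ("NTFS", ntfs)) if got < wanted]
    return "ok" if not blockers else "permissions: " + " and ".join(blockers)


# --- Constructed sample data based on Activity 3.1 and the SAQ on Ivan ---
# Wizard option "Administrators have full access; others have read-only access".
TV_SHARE = [Ace("Administrators", Level.FULL), Ace("Everyone", Level.READ)]
# Assumed NTFS ACL on the folder: the Comedy group may modify files.
TV_NTFS = [Ace("Administrators", Level.FULL), Ace("Comedy", Level.CHANGE)]
STAN = {"Stan Laurel", "Comedy", "Everyone"}

# Ivan: no share permission at all, NTFS Full Control through the Sales group.
PERSONNEL_SHARE = [Ace("Administrators", Level.FULL)]
PERSONNEL_NTFS = [Ace("Sales", Level.FULL)]
IVAN = {"Ivan", "Sales", "Everyone"}

if __name__ == "__main__":
    for net in (True, False):
        where = "network" if net else "local"
        print("Stan,", where, effective_access(TV_SHARE, TV_NTFS, STAN, net).name)
        print("Ivan,", where,
              effective_access(PERSONNEL_SHARE, PERSONNEL_NTFS, IVAN, net).name)
    # Second user on a share whose user limit is 1.
    print(diagnose(True, 1, 1, TV_SHARE, TV_NTFS, STAN, Level.READ))
    # Stan trying to create a document through the read-only share.
    print(diagnose(True, 0, None, TV_SHARE, TV_NTFS, STAN, Level.CHANGE))
```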

Activity 3.1: Configure access to shared folders

Work in groups of two (or three if there is an odd number) and make sure you record all configuration changes in your log book and take appropriate screen prints. You are going to use the Shared Folder Wizard to do the following:

• Create a shared folder called daytimeyourcomputername.

• Limit access on the Share permissions.

• Create a comedy group and put two new users that you have created called Laurel and Hardy in the group.

• Test that you can access the shared folder from across the network, so one member of the group will boot up as a client to test it and another will boot up the Windows 2003 operating system. Make sure everyone in the group has a chance to be the client and to be the server.

Follow the step-by-step instructions below.

Create a shared folder

1 From the Start menu select Manage Your Server.

2 Select Add Shared Folders (this opens the Share a Folder Wizard).

3 Select Browse.

4 Select Make New Folder and enter daytimeyourcomputername.

5 Select Next.


6 Enter TV as the share name and select Next.

7 Select ‘Administrators have full access; others have read-only access’.

8 Select Next, then Finish.

Create new users and add them to a group

1 Go into Active Directory and create two users called Stan Laurel and Oliver Hardy and put them in the Comedy global group. (Follow the instructions for creating a global group in Activity 2.4.)

2 Log on as Stan Laurel.

Set Sharing and Security options

1 From the Start menu, select Windows Explorer.

2 Select My Network Places.

3 Select Entire Network.

4 Select Microsoft Windows Network.

5 Select the computer you created the shared folder on.

6 Select TV (note that it is the shared name that is displayed not the path to the folder).

7 Try creating a Microsoft Word® document in the shared folder (you do not have write access so it will not let you).

8 Using My Computer, find the folder daytimeyourname and right-click it.

9 Select Sharing and Security then the Security tab.

10 Under User Limit select ‘Allow this number of users’ and select 1.

11 Select New Share and give it the share name cable and the description second (leave the user limit as the maximum allowed).

Test access to the shared folder

1 Two of you navigate to the shared folder TV from My Network Places (on the same server). Can you both access the folder? (The system should only allow the first one as you have set a limit.)

2 Try accessing the cable share (points to the same folder but a different limit). You should both be able to access it at the same time.

3 Select daytimeyourname folder, right-click it and select Sharing and Security.

4 If you want to remove one of your shares click Remove Share. (This option is only available if you have more than one share name pointing to the same folder.)

5 If you do not want to share the folder any longer, select ‘Do not share this folder’.

6 Using My Network Places, see if you can see the shared folder. Neither of the shared folders should now appear.

SAQ 3.1

1 What permissions apply to shared folders?

2 If Ivan is a member of the Sales group and he has no share permission to a shared folder called Personnel, but has the NTFS permission of Full Control, what can he do to the folder if he logs on locally, not through the network?

3 What do you do to stop sharing a shared folder?

4 Can shadow copies be configured on individual shared folders?

Troubleshoot terminal services

Remote Desktop for Administration is installed on every Windows 2003 Server by default, and once it is enabled using System in Control Panel, a server will support two concurrent connections from users who belong to the Remote Desktop Users group. Windows Server 2003 terminal services also support providing applications to multiple users running concurrent sessions. This feature, similar to the Terminal Services Application Server mode of Windows 2000 Server, is now called Terminal Server. You use Remote Desktop for Administration to connect to a server session from a remote client.

Installing and configuring a terminal server environment

There are several key factors to be considered when planning the deployment of a terminal server environment. The Terminal Server component can be installed using the Add/Remove Windows Components Wizard, which itself is found in Add or Remove Programs, or by using the Configure your Server Wizard, which can be launched from Manage your Server. Microsoft recommends that you configure standalone member servers as terminal servers, not domain controllers, to minimise the security risk.

Because applications on a terminal server will be provided to multiple users, probably concurrently, certain registry keys, files and folders must be installed differently on a terminal server from on a non–terminal server. You should always use the Add or Remove Programs tool in Control Panel to install an application on a terminal server. Add or Remove Programs will automatically switch the terminal server into installation mode prior to launching the application’s setup routine. While in installation mode, the terminal server manages the configuration of the application appropriately so that the application can run in multi-user mode.

Occasionally, an application, patch or other installation-related process cannot be initiated via Add or Remove Programs. For example, the software application vendor might provide an online update feature for its application and this capability cannot be launched from Add or Remove Programs. If this happens, open a command prompt and issue the change user /install command before starting the installation or patch process. Once the process has completed, issue the change user /execute command.

Keep in mind that some applications require compatibility scripts to modify their installation behaviour on a terminal server. Microsoft recommends that you install Terminal Server before you install any applications that will be run in multi-user mode. Also, before you remove Terminal Server from a server, you should uninstall all applications that were installed in multi-user mode. If you must install additional applications on an existing terminal server, make sure that you reset (log off) any current user sessions using Terminal Server Connections and disable new connections beforehand using the change logon /disable command. Once applications have been installed, use the change logon /enable command to allow new connections once again.

The Remote tab of System Properties (shown in Figure 63) allows you to enable and disable terminal services connections.

Figure 63: Remote tab of System Properties

Older applications might not function in this more secure configuration, at which point you might opt for relaxed security. The setting can be changed at any time using the Server Settings in Terminal Services Configuration, which is accessed from Administrative Tools. If you right-click Server Settings, the screen shown in Figure 64 is displayed.


Figure 64: Server Settings

If you want to change the settings, right-click Server Settings and select Properties. The Permission Compatibility setting can only be changed if you are in application server mode.

The Terminal Services Home Folder setting on the Terminal Services Profile tab can be configured as part of the user account, as shown in Figure 65.

Figure 65: Terminal Services Profile tab


The Terminal Services Home folder is used by Terminal Services to store user-specific files for multi-user applications. It does not affect the storage location for user data files. By default, the Terminal Services Home Folder is created as a folder named Windows in the user’s profile. To manage where user data is stored, configure a user’s standard Home Folder setting on the Profile tab of the user account or redirect the My Documents folder.

The Remote Desktop Connection (Mstsc.exe) is installed by default on all Windows Server 2003 and Windows XP computers. The Remote Desktop Connection client supports all 32-bit Windows platforms and can be installed with group policy on Windows 2000 systems or with other software deployment methods on earlier platforms. Once installed, the client can be difficult to find in the Start menu: look in the All Programs\Accessories\Communications program group and then create a shortcut to the client in a more accessible location. Otherwise you will have difficulty finding it again.

Note: After a 120-day evaluation period, connections to a computer running Terminal Server will not be successful unless the terminal server can obtain a client licence from a terminal server licence server. Therefore, as part of your terminal server deployment, you must install a terminal server licence server, preferably on a server that is not itself a terminal server. Use Add or Remove Programs to install Terminal Server Licensing. You will be asked whether the server should be an Enterprise License Server or a Domain License Server. An Enterprise License Server is the most common configuration, as the server can provide licences to terminal servers in any Windows 2000 or Windows Server 2003 domain in the forest. Use a Domain License Server when you want to maintain a separate licence database for each domain, or when terminal servers are running in a workgroup or a Windows NT 4.0 domain. Once installed, Terminal Server Licensing is managed with the Terminal Server Licensing console in Administrative Tools. The first task you will perform is activating the terminal server licence server by right-clicking Terminal Server License Server and choosing Activate Server. Once the server has been activated, client licence packs must be installed. The Microsoft Help And Support Center includes detailed instructions for this task.

Note: Terminal Server Licensing is maintained separately from server and client access licences (CALs) for Windows Server 2003. Terminal server CALs are licences for the connection to a user session on a terminal server – you must still consider licensing requirements for the applications that users access within their session. Check the application’s End-user License Agreements (EULAs) to determine appropriate licensing for applications hosted on a terminal server. So you need CALs and EULAs.

Managing and troubleshooting a terminal server

There are several tools that you can use to configure terminal servers, terminal services user settings, connections and sessions. These include Group Policy Object Editor, Terminal Services Configuration, Active Directory Users and Computers, and the Remote Desktop Connection client itself.

Keep in mind that when a user connects to a terminal server there are several processes that occur and at each step you can configure the connection. The Remote Desktop Connection client allows 32-bit Windows platforms to connect to a Terminal Server using the Remote Desktop Protocol (RDP). The client has been greatly improved over earlier versions of the Terminal Services client and now includes a wider variety of data redirection types (including file system, serial port, printer, audio and time zone) and supports connections in up to 24-bit colour. The client includes a number of settings that configure the connection and can be customised to suit the user.

When a user connects to a terminal server, the server examines the terminal services properties of the user’s account to determine certain settings. If terminal services user accounts are stored on the terminal server, the Local Users And Groups snap-in shows the terminal services settings in the properties of user accounts. More commonly, user accounts are in Active Directory, in which case Active Directory Users and Computers is used to display terminal services settings on the Environment, Remote, and Terminal Services Profile tabs within the user properties, as shown in Figures 66 to 68.

Figure 66: Environment tab


Figure 67: Remote tab

Figure 68: Terminal Services Profile tab

Note: Settings in the user account will override settings in the Remote Desktop client. A client connects to the terminal server by specifying the server’s name or IP address. The terminal server receives the connection request via the specified network adapter.


This connection is represented by a connection object, visible in Terminal Services Configuration. The connection object’s properties configure settings that affect all user connections through the network adapter. Settings in the connection will override client-requested settings and settings in the user account.

A terminal server’s RDP-Tcp connection properties, accessible through Terminal Services Configuration, will override client and user account settings for all user sessions through the connection on that individual terminal server. To configure connection properties, click the connection you wish to configure from Terminal Services Configuration, select Properties and the screen shown in Figure 69 is displayed.

Figure 69: RDP-Tcp Properties

Terminal Services Configuration

Windows Server 2003 Group Policy includes a number of computer-based and user-based policies to control terminal services. Configurations specified by group policy objects (GPOs) override settings in Remote Desktop Connection, in the user account, or on the RDP-Tcp connections of terminal servers. Of course, those settings will apply only to the users or computers within the scope of the OU to which the GPO is linked. In an environment consisting only of terminal servers running one of the Windows Server 2003 family operating systems, group policy will enable terminal services configuration with the least administrative effort. Terminal services group policies do not apply to terminal servers running earlier versions of Windows.

Once a user session has been enabled, the Terminal Services Manager administrative tool can be used to monitor users, sessions, and applications on each terminal server. Terminal Services Manager can also be used to manage the server and to connect to, disconnect from, or reset user sessions or processes.

The order of precedence for configuration settings is very important. If at all possible, try to memorise it.

1 Computer-level group policies. Most terminal services configurations can be set by GPOs linked to an OU in which terminal server computer objects are created. These policies override settings made with any other tool.

2 User-level group policies.

3 Configuration of the terminal server or the RDP-Tcp connection using the Terminal Services Configuration tool. While this tool is server and connection specific, and therefore cannot specify a single configuration as group policy can, this tool is able to configure Windows 2000 terminal servers. In addition, there are times when a configuration should be different between terminal servers or between connections.

4 User account properties configured with Active Directory Users and Computers.

5 Remote Desktop Connection client configuration.
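
The precedence list above can be modelled as a layered lookup, which helps when tracing why a client-requested redirection did not take effect. This is an added example, not part of the original notes; the layer names, setting names and sample values are constructed for illustration and do not correspond to any Microsoft tool or API.

```python
# Added illustration: layer names and sample values are constructed, not
# taken from any Microsoft tool or API.

# Highest precedence first, in the order of the numbered list above.
PRECEDENCE = [
    "computer_gpo",      # 1 computer-level group policy
    "user_gpo",          # 2 user-level group policy
    "ts_configuration",  # 3 Terminal Services Configuration / RDP-Tcp connection
    "user_account",      # 4 Active Directory Users and Computers
    "rdc_client",        # 5 Remote Desktop Connection client
]

# Constructed sample: what each tool has configured for one user session.
SAMPLE_LAYERS = {
    "computer_gpo": {"drive_redirection": False},
    "ts_configuration": {"audio_redirection": False},
    "user_account": {"connect_client_printers": True},
    "rdc_client": {"drive_redirection": True, "audio_redirection": True,
                   "clipboard_mapping": True},
}


def _check(layers):
    """Reject layer names that are not in the precedence list."""
    unknown = set(layers) - set(PRECEDENCE)
    if unknown:
        raise ValueError(f"unknown layer(s): {sorted(unknown)}")


def resolve(setting, layers):
    """Return (value, layer) from the highest-precedence layer that configures
    `setting`; a layer that does not mention it counts as 'not configured'."""
    _check(layers)
    for name in PRECEDENCE:
        if setting in layers.get(name, {}):
            return layers[name][setting], name
    return None, None


def explain(layers):
    """For every setting: the effective value, the layer that supplied it, and
    the lower-precedence layers whose different value was overridden."""
    _check(layers)
    report = {}
    for setting in sorted({s for cfg in layers.values() for s in cfg}):
        value, winner = resolve(setting, layers)
        lower = PRECEDENCE[PRECEDENCE.index(winner) + 1:]
        report[setting] = {
            "value": value,
            "set_by": winner,
            "overridden": [(n, layers[n][setting]) for n in lower
                           if setting in layers.get(n, {})
                           and layers[n][setting] != value],
        }
    return report


def left_to_client(layers, settings):
    """Settings that no policy, connection or account property pins, so the
    effective value is whatever the client requests (or the default)."""
    return [s for s in settings
            if resolve(s, layers)[1] in ("rdc_client", None)]


if __name__ == "__main__":
    for name, info in explain(SAMPLE_LAYERS).items():
        print(name, info)
    print(left_to_client(SAMPLE_LAYERS,
                         ["drive_redirection", "clipboard_mapping"]))
```

Running `left_to_client` over the redirection settings you care about shows which data channels between the session and the user's PC are not yet enforced by a higher layer.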

A user’s ability to connect and log on to a terminal server is determined by a number of factors, each of which, if not functioning properly, produces a unique error message:

• The connection on the terminal server must be accessible. If the client cannot reach the server using TCP/IP or if the terminal server’s RDP-Tcp connection is disabled, a particularly uninformative error message appears that indicates the client cannot connect to the server.

• Remote Desktop must be enabled. The ability of a terminal server to accept new connections can be controlled on the Remote tab of System Properties or by using the change logon /disable and change logon /enable commands. If logon has been disabled, an error message appears indicating that terminal server sessions are disabled or that remote logons are disabled.

• The server must have available connections. The properties of the connection, e.g. the default RDP-Tcp connection, determine the number of available connections on the Network Adapter tab as shown in Figure 70. If not enough connections are available, an error message appears that indicates a network error is preventing connection.

Figure 70: Network Adapter tab

• Encryption must be compatible. The default allows any client to connect to a terminal server without regard to its encryption capability. If you modify the encryption requirements for a connection using the Encryption Level list on the General tab of the connection properties, the screen shown in Figure 71 is displayed. Remember that if you set your encryption level too high, clients that are not capable of that encryption mode will not be allowed to connect.

• The user must have sufficient connection permissions. To do this, add them to the Remote Desktop Users group, which has sufficient permissions to log on to the server. The ACL of the connection can be modified to control access in configurations that differ from the default. If a user does not have sufficient permission for the connection, an error message appears that indicates they do not have access to the session.

Figure 71: Encryption level

• The permissions for the RDP-Tcp connection are accessible by clicking the connection in Terminal Services Configuration and clicking Properties. If you then choose the Permissions tab, it will look like the screen shown in Figure 72.

Figure 72: Permissions tab

• The user must have the user logon right to log on to the terminal server. Windows Server 2003 separates the right required to log on locally to a server from the right required to log on to a server using a remote desktop connection. So if the user does not have the correct right they will be unable to log on to Terminal Server. On domain controllers, only administrators have the right by default to log on to Terminal Server. If a user does not have sufficient logon rights, an error message will appear that clearly indicates the policy of the terminal server does not allow logon.

This should help when you are troubleshooting.

• The user must belong to the right group or groups. Assuming you have managed connection permissions and the right to log on through terminal services by assigning rights and permissions to a group, the user attempting to connect to the terminal server must be in that group. With the default configuration of Terminal Server on a member server, users must be members of the Remote Desktop Users group to successfully connect to a terminal server.

• Allow Logon To Terminal Server must be enabled, which is accessed via the user account’s Terminal Services Profile tab. If this setting is disabled, the user sees an error message indicating the interactive logon privilege has been disabled. This error message is easy to confuse with insufficient user logon rights; however, in that case, the error message indicates that the local policy of the server is not allowing logon.

Note: A terminal server has one RDP-Tcp connection by default and can have only one connection object per network adapter, but if a terminal server has multiple adapters, you can create connections for those adapters. Each connection maintains properties that affect all user sessions connected to the connection on that server.

Once a user has successfully connected, Windows Server 2003 and the Remote Desktop Connection client provide a wide array of device redirection options, including:

• Audio redirection, which allows audio files played within the terminal server session to be played by the user’s PC. This feature is specified on the Local Resources tab of the Remote Desktop Connection client. But audio redirection (or audio mapping) is disabled by default on the Client Settings tab of the RDP-Tcp Properties dialog box. Audio redirection can be specified by a GPO.

• Drive redirection (or drive mapping), available from the RDP-Tcp Properties, Client Settings tab, allows the user to access drives that are local to the user’s PC from within the terminal server session. Local drives are visible in My Computer under the Other group. This option is disabled by default and can be enabled on the Local Resources tab of the Remote Desktop Connection client. Terminal Services Configuration can override the client setting and disable drive redirection from the properties of the connection. These settings can also be specified by group policy.

• Printer redirection (or Windows printer mapping) allows the user to access printers that are local to the user’s PC, as well as network printers that are installed on the user’s PC, from within the terminal server session. The Printers And Faxes folder displays printers that are installed on the terminal server as well as the client’s redirected printers. Like drive redirection, printer redirection is specified on the Local Resources tab of the Remote Desktop Connection client. Printer redirection can be disabled by properties of the RDP-Tcp connection. Printer redirection is also disabled if the Connect Client Printers at Logon setting is not enabled in the user account properties. Note: Selecting this option in the user account does not cause printer redirection to occur. The client must specify redirection on the Local Resources tab. If this option is disabled, however, the user account setting will override the client setting. The user account properties also provide a Default To Main Client Printer setting which, if enabled while printer redirection is in effect, sets the default printer in the terminal server session to the default printer on the user’s PC. If the Default To Main Client Printer setting is disabled, the terminal server session uses the default printer of the terminal server computer.

• Serial port redirection allows a user to launch an application within a terminal server session that uses a device such as a barcode reader, attached to the serial port of the user’s PC. This feature is on the Local Resources tab of the client and can be disabled in the properties of the RDP-Tcp connection. Serial port redirection can be specified by a GPO.

• LPT and COM port mapping allows a user to install a printer within the terminal server session that maps to a printer attached to an LPT or COM port on the user’s PC. This method of printer redirection is not necessary with Windows Server 2003 and the Remote Desktop Connection client, which support printer redirection in a much simpler way, as described earlier. LPT and COM port mapping are, however, still done by default. The RDP-Tcp connection properties can disable port mapping, as can a GPO.

• Clipboard mapping allows the user to copy and paste information between a terminal server session and the desktop. This feature is enabled by default in the Remote Desktop Connection client and cannot be changed within the client’s user interface (UI). The RDP-Tcp connection properties can disable clipboard mapping, as can a GPO.

Managing User Sessions

Windows Server 2003 provides flexible and powerful ways to manage, troubleshoot, and optimise user sessions on terminal servers.

Managing terminal server sessions and processes

The Terminal Services Manager console provides the ability to monitor and control sessions and processes on a terminal server. You can disconnect, log off or reset a user or session; send a message to a user; or end a process launched by any user. Task Manager can also be used to monitor and end processes. To see every user’s processes, select the Show Processes from All Users check box. If a terminal server is running slowly, use Terminal Services Manager or Task Manager to look at the processes that all users are running to determine whether one process has stopped responding and is consuming more than its fair share of processor time.

A number of settings determine the behaviour of a user session that has been active, idle or disconnected for a period of time. These settings can be configured on the Sessions tab of the RDP-Tcp Properties dialog box in the Terminal Services Configuration console (see Figure 73).

Figure 73: Sessions tab

The settings can also be configured with group policy to one server.

Remote Control Terminal Server

This allows an administrator to view or take control of a user’s session. This feature not only allows administrators to monitor user actions on a terminal server, but also acts as remote assistance, for example, allowing a helpdesk employee to control a user’s session and perform actions that the user is able to see as well. To establish remote control, both the user and the administrator must be connected to terminal server sessions. The administrator must open the Terminal Services Manager console from the Administrative Tools group, right-click the user’s session, and choose Remote Control. By default, the user is notified that the administrator wants to connect to the session, and then the user can accept or deny the request.

Note: Remote Control is available only by using Terminal Services Manager within a terminal server session. You cannot establish remote control by opening Terminal Services Manager on your PC.

Remote control settings include the ability to remotely view and control a session, as well as to control whether the user should be prompted to accept or deny the administrator’s access. These settings can be configured in the user account properties, on the Remote Control tab, and they can be configured by the properties of the RDP-Tcp connection, which will override user account settings. Group policy can also be used to specify remote control configuration by using the Remote Control tab of a user’s Properties dialog box. In addition to enabling remote control settings, an administrator must have permissions to establish remote control over the terminal server connection. You can assign full-control permission either by using the Permissions tab of RDP-Tcp Properties, or by clicking Advanced, selecting a permission entry, clicking Edit, and assigning the Remote Control permission to a group.

1 Is remote desktop for administration installed by default on 2000 and 2003 server operating systems?

2 Should domain controllers be configured as Terminal Servers? Justify your answer.

3 Why is it recommended that if possible Add/Remove Programs should be used to install applications on a terminal server?

4 If you have to install a software patch on an application on terminal server but are unable to do it through Add/Remove Programs, what should you do?

? 3.2

Control file system permissions

When assigning permissions to files and folders to control access to them, the following simple rules make the administration and maintenance of file and folder permissions easier:

1 Assign permissions to groups rather than to users. (Because it is more time consuming to maintain user accounts directly, assigning permissions on a user basis should be the exception.)

2 Set permissions to be inheritable to child objects. (This means you don’t have to set them on all the sub folders and sub sub folders, as it is done automatically.)

3 Assign full control, if appropriate, rather than individual permissions. (All or nothing is easier to troubleshoot but might not always be appropriate. Deny should be used for these special cases.)

4 Use deny permissions to exclude a subset of a group that has allowed permissions. Or use deny to exclude one special permission when you have already granted full control to a user or group. (Deny overrides any allows.)

To set the permissions on files and folders, first navigate to the folder to which you wish to assign permissions. The default is full control access to a folder or file for the Everyone group. Right-click the folder, select Properties and then click the Security tab. You can now amend the permissions to this resource as shown in Figure 74.

Figure 74: Amending permissions

Verify effective permissions, change ownership of files and folders

The effective permissions a user has depend on their group membership. Permissions are cumulative, so if Sandy is a member of the Sales group and the Marketing group, and the Sales group has read access to the Brochure folder and the Marketing group has full control of the Brochure folder, Sandy has full control of the Brochure folder. If you had a work experience person in for a week from school in the Marketing department and their user account was a member of the Marketing group but you did not want them to see the Brochure folder, you would deny that one user account access and they would not see it.

If you have a main folder called Money with sub-folders called Wages, Profit, Expenses and Materials, you can change the permissions on the top-level folder and, by default, the changes propagate down to sub-folders and sub-sub folders via inheritance. This is available from the Permissions tab of Advanced Security Settings for Money as shown in Figure 75.

Figure 75: Advanced Security Settings

If you wanted to make the permissions for the sub-folders Wages and Profit different you would uncheck the inheritable permissions box as shown for Wages in Figure 76. The system displays a warning and gives you the option to copy the parent permission entries or remove them. If you remove them, you need to add users or preferably groups back in, otherwise no one will be able to access the resource.

Figure 76: Permissions for sub folder

The standard permissions for folders are:

• Full control

• Modify

• Read and execute

• List folder contents

• Read

• Write

• Special permissions (which are accessed from the Advanced button).

Standard Permissions for files are:

• Full control

• Modify

• Read and execute

• Read

• Write

• Special permissions (which are accessed from the Advanced button).

In Advanced Settings for files, the option ‘replace auditing entries on all child objects with entries shown here that apply to child objects’ is not available, because files do not have sub-files or child objects.

The Auditing tab is shown in Figure 77.

Figure 77: Auditing entries

The default is no auditing events. If you click on Add, you are asked to choose the user(s) or group(s) you wish to audit, then the action and whether it was successful or failed for that object. You will be able to view the results in the Security log in the Event Viewer.

The Owner tab shows you who is the current owner of the file or folder and, if you wished to change ownership, who has the appropriate permissions (see Figure 78).

Figure 78: Owner tab

The Effective Permissions tab breaks down standard permissions, such as write, further. This is useful if you need to fine tune your access to resources more than the standard permissions allow.

Sometimes it is difficult to find out what groups a user is a member of, especially if you have nested the groups several times. If you use Active Directory Users and Computers, you can only see nesting that is one level deep. So to find out all the groups a user is a member of, use the dsget command in the following format:

dsget user "CN=Ben Lopez,CN=Users,DC=Loobyloo,DC=com" -memberof -expand

The complete listing of all groups of which the user is a member is displayed. Use the dsget command to view the settings of various objects in the Loobyloo.com domain, including security and distribution groups.
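
The rules described above (cumulative allows, deny overriding allow, no entry meaning no access) and the nested-group expansion that dsget performs can be combined in one small model. This is an added example, not part of the original notes: the user Ben's "Brochure Team" group and the ACL contents are constructed, and the model is a simplification that treats every ACL entry alike.

```python
# Added illustration with constructed data. A simplified model, not the
# Windows access-check algorithm: Windows evaluates entries in order and puts
# explicit entries ahead of inherited ones, so an explicit allow can take
# effect before an inherited deny. Here every entry is treated alike.

# What selecting a standard folder permission also grants (simplified).
IMPLIES = {
    "full control": {"modify", "read and execute", "list folder contents",
                     "read", "write"},
    "modify": {"read and execute", "list folder contents", "read", "write"},
    "read and execute": {"list folder contents", "read"},
    "list folder contents": set(),
    "read": set(),
    "write": set(),
}

# Direct memberships only, which is all a one-level view shows.
# "Ben" and "Brochure Team" are constructed to show nesting.
MEMBER_OF = {
    "Sandy": {"Sales", "Marketing"},
    "WorkExperience": {"Marketing"},
    "Ben": {"Brochure Team"},
    "Brochure Team": {"Marketing"},
    "Marketing": {"Staff"},
    "Sales": {"Staff"},
}

# Constructed ACL for the Brochure folder: (principal, kind, permissions).
BROCHURE_ACL = [
    ("Sales", "allow", {"read"}),
    ("Marketing", "allow", {"full control"}),
    ("WorkExperience", "deny", {"full control"}),
]


def expand_groups(principal, member_of):
    """Every group reached directly or through nesting, the result that
    -memberof -expand reports for a user."""
    seen, stack = set(), [principal]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in seen:        # guards against circular nesting
                seen.add(group)
                stack.append(group)
    return seen


def _expand(perms):
    """A permission set plus everything each permission implies."""
    out = set()
    for perm in perms:
        out |= {perm} | IMPLIES[perm]
    return out


def effective_permissions(user, acl, member_of):
    """Union of allows for the user and all their groups, minus denies.

    A user with no matching entry gets the empty set, which is the same as
    being denied."""
    identities = {user} | expand_groups(user, member_of)
    allowed, denied = set(), set()
    for principal, kind, perms in acl:
        if principal in identities:
            (allowed if kind == "allow" else denied).update(_expand(perms))
    # Keep a permission only if neither it nor anything it implies is denied,
    # so denying "write" also removes "modify" and "full control".
    return {p for p in allowed if not (({p} | IMPLIES[p]) & denied)}


if __name__ == "__main__":
    for who in ("Sandy", "WorkExperience", "Ben", "Visitor"):
        print(who, sorted(effective_permissions(who, BROCHURE_ACL, MEMBER_OF)))
```

Ben's only direct group is Brochure Team, so a one-level view would not reveal that he holds full control of the folder through Marketing.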

Configure file system permissions

• Log on as Laurel and create a file in Microsoft Word called Blue Grass Mountains.

• Assign the file full control for Administrators and the Comedy group.

• Deny Hardy permission to the file and give the Everyone group read access to the file.

• Log on as Hardy. Can you access the file? If not, why not?

• Log on as Bill Yoursurname (the user you created in Section 2). Can Bill access the Blue grass mountains file? Can Bill delete the file?

• Now log on as administrator and change ownership of the file to Bill. (You do this from the Advanced tab in Security.)

• Now log on as Bill and see if you can delete the file.

Make sure that each member of the group gets a chance to carry out all tasks and record all configuration changes in your log book.

Follow the step-by-step instructions below.

Create a file and assign permissions

1 Log on as Stan Laurel.

2 Open Wordpad from the Start menu and enter Blue Grass Mountains of Virginia.

3 Save the file as Blue Grass Mountains.

4 Navigate to the Blue Grass Mountains file using My Computer and right-click the file.

5 Select Properties.

6 Select the Security tab.

7 Add the Administrators group with full control access.

8 Deny user Oliver Hardy access.

9 Add the Comedy group with full control access.

10 Change the Everyone group access to read.

Test permissions

1 Log off as Stan Laurel and log on as Oliver Hardy.

2 Try and access the Blue Grass Mountains file. You will be unable to do so, as access is denied.

A 3.2

3 Log off and log on as Bill Yoursurname (created earlier) and try and access the Blue grass mountains file. You should be able to do so through the Everyone group’s read access.

4 Try and delete the file. You will not be allowed to as you do not have the correct access.

Change file ownership

1 Log off and log on as administrator.

2 Go back to steps 4 to 6.

3 Click Advanced.

4 Select the Owner tab.

5 Change ownership of the file to Bill Yoursurname.

6 Log off and log on as Bill Yoursurname.

7 Now try deleting the file (you should be able to do this, as you are in the Owner group).

1 What are the standard permissions for folders?

2 What is the difference between file and folder permissions?

3 If you wanted to ensure that child objects (sub folders) had the same permissions as parent objects (the folder the sub folder is in), what would you use?

? 3.3

Summary of this section

If you are configuring shared folders you can set them up manually or use the Share a folder Wizard. After using the wizard, you still need to carry out additional tasks, such as enabling Shadow Copies and setting NTFS permissions.

The permissions effective on shared folders when you connect over a network are the cumulative share and NTFS permissions. If you log in locally only, the NTFS permissions apply.

Terminal Services is enabled by default in Windows 2003.

The components of Terminal Server and Remote Desktop For Administration that are installed by default are the following:

• Terminal Services Configuration: this sets the properties on the Terminal Server, e.g. client desktop, client remote control settings.

• Terminal Services Manager: this is concerned with managing sessions, which involves sending messages to clients, establishing remote control or shadowing client sessions and disconnecting or logging off sessions.

• Remote Desktop Connection Installation Files: these do just what they say, install the client side of remote desktop software.

• Terminal Services Licensing: you need this if you are going to use Terminal Services for application sharing. You do not need it if you only use Remote Desktop for Administration.

NTFS file permissions are set on the Security tab of the file’s properties. If possible, put groups in here rather than individual users, as this is easier to manage. If a user or group is not on an ACL for a resource, it is the same as deny.

Answers to SAQs

3.1

1 Share permissions and NTFS permissions.

2 Share permissions only apply if you access the folder via a network, so he will have full control of the folder.

3 In Windows Explorer, navigate to the folder that is being shared, right-click it and select Sharing and Security. Click the radio button ‘Do not share this folder’ and it will no longer be shared.

4 No – shadow copies are configured on the volume.

3.2

1 It is installed by default on Windows 2003.

2 No – it is a security risk.

3 Because applications will be in multi-user mode and their registry settings will be different from single-user mode. If you install using Add/Remove Programs, the operating system will amend the registry and other files that it needs to.

4 Issue the change user /install command before starting the installation or patch process. Once the process has completed, issue the change user /execute command.

3.3

1 The standard permissions for folders are:

o Full control

o Modify

o Read and execute

o List folder contents

o Read

o Write

2 On folders you have the option to List Folder Contents.

3 Inheritance, which is enabled by default.

Section 4: Manage and maintain a server environment

Introduction to this section

What this section is about

In this section you’ll learn how to manage and maintain a server environment.

Outcomes, aims and objectives

• Monitor and analyse events and system performance.

• Manage software updates and site licensing.

• Manage servers remotely.

• Monitor file and print servers.

• Monitor and optimise application performance.

• Manage a web server.

Approximate study time

12 hours.

Other resources required

• A computer capable of running Windows 2003 Enterprise and Windows XP Professional.

• A copy of Windows 2003 Enterprise and a copy of Windows XP Professional and the matching product keys.

• An Internet connection.

Assessment information for this section

How you will be assessed

You’ll be assessed through closed-book test and logbook. You must provide evidence of the knowledge and skills for the entire unit by answering a set of 40 restricted-response questions. These may be administered as a single test at the end of the unit or as several subtests, each covering one or more outcomes.

When and where you will be assessed

You’ll sit the closed-book test after you have completed the outcome(s) it covers.

Record all activities in your logbook, but the following must be completed:

• Monitor and analyse events and system performance activity

• Manage software updates and licensing activity

• Manage server remotely activity.

What you have to achieve

You have to complete the activities and achieve at least 70% in the closed-book test or 70% in all the subtests individually.

Opportunities for reassessment

If needed, your tutor will give you the opportunity for one reassessment.

Monitor and analyse events and system performance

To monitor and analyse events in your system, you need to configure an audit policy to catch them. Windows 2003 has already configured some events for you by default in the Domain Controller audit policy, as shown in Figure 79.

Figure 79: Domain Controller

The default on Domain Controllers is to monitor and record in the security log when the following events successfully occurred:

• Account logon is when a user successfully logs on with a domain account and is generated on the domain controller. However, there is no record of failed attempts, which would give an indication that someone was trying to hack into the system. So you might want to configure account logon events for failures as well.

• Account management is when a user changes a domain account. This needs to be monitored, as only those with administrative privileges should be allowed to do this.

• Directory service access is when a user accesses an object that has its own system ACL.

• Logon events are stored in the security log of the workstation and are generated when you log on. Again, you might want to configure this for failure as well as success.

• Auditing object access has to be set up in the audit policy and on the Security tab of the object. It is not configured by default. Audit policy setup is shown in Figure 80.

Figure 80: Audit policy setup

The object side is set up under the Advanced security options from the properties of the object, so that the audit policy knows which objects to monitor (see Figure 81).

Figure 81: Advanced Security Settings

• Audit policy change is important because no one should be changing your audit policy once it has been set up apart from you.

• Audit privilege use is not configured by default and it covers events, such as logon locally, which are part of user rights.

• Audit process tracking is not configured by default. This monitors events such as a new process being created, a process being exited, a handle to an object duplicated, indirect access to an object obtained, whether auditable data was protected or unprotected, a process was assigned a primary security token, a user attempted to install a service and a scheduler job was created.

• Audit system events is configured to monitor successful events. These are events generated by the operating system.

To view these events, you use the Event Viewer. To access the Event Viewer, select it from Administrative Tools. The first screen you will see is shown in Figure 82. The audit events are stored in the security log and you need administrative privileges to view them. If you select the log you want to view, you get a list of events and the time at which they occurred. If you want more details on a particular event, select it and you see a screen similar to the one in Figure 83, which is useful if you are troubleshooting.

Figure 82: Event Viewer

Figure 83: Event Properties

Because there are so many events recorded, you might want to use the filter option to display only a subset. To access the filtering options, select the log you wish to filter, then select View from the menu at the top and then Filter. The screen shown in Figure 84 is displayed.

Figure 84: Security Properties

The default is shown in Figure 84, but you might want to limit it only to error events at a particular time. The filter gives you that ability.
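
Once failure auditing is enabled for account logon events, as suggested earlier, the same kind of filtering can be done in code to surface bursts of failed logons. The following is an added example, not part of the original notes; the CSV layout and every record in it are constructed for illustration and are not the exact export format of Event Viewer.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified, assumed layout (not the exact format
# Event Viewer exports). Rows are deliberately not all in time order.
SAMPLE_LOG = """\
timestamp,type,category,account,workstation
2005-07-04 08:58:02,Success Audit,Account Logon,laurel,WS01
2005-07-04 09:00:11,Failure Audit,Account Logon,hardy,WS07
2005-07-04 09:00:19,Failure Audit,Account Logon,hardy,WS07
2005-07-04 09:00:31,Failure Audit,Account Logon,Hardy,WS07
2005-07-04 09:01:02,Failure Audit,Account Logon,hardy,WS07
2005-07-04 09:01:40,Failure Audit,Account Logon,hardy,WS07
2005-07-04 09:02:05,Failure Audit,Account Logon,hardy,WS07
2005-07-04 09:02:30,Success Audit,Account Logon,hardy,WS07
2005-07-04 09:15:00,Failure Audit,Account Logon,laurel,WS01
2005-07-04 09:15:20,Success Audit,Account Logon,laurel,WS01
2005-07-04 10:00:00,Failure Audit,Account Logon,administrator,WS03
2005-07-04 10:40:00,Failure Audit,Account Logon,administrator,WS03
2005-07-04 11:20:00,Failure Audit,Account Logon,administrator,WS03
2005-07-04 12:00:00,Failure Audit,Account Logon,administrator,WS03
2005-07-04 12:40:00,Failure Audit,Account Logon,administrator,WS03
2005-07-04 09:30:00,Success Audit,Account Management,administrator,DC01
"""


def parse_log(text):
    """Parse the CSV into dicts with a datetime, oldest event first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        row["account"] = row["account"].strip().lower()  # names are case-insensitive
        events.append(row)
    return sorted(events, key=lambda e: e["time"])


def failed_logon_findings(events, threshold=5, window=timedelta(minutes=10)):
    """Report accounts with `threshold` or more Account Logon failures inside
    a sliding `window`, and whether a success followed the burst.

    Returns {account: {"peak", "first_seen", "success_after"}}."""
    recent = defaultdict(deque)   # account -> times of failures still in window
    findings = {}
    for ev in events:
        if ev["category"] != "Account Logon":
            continue
        failures = recent[ev["account"]]
        while failures and ev["time"] - failures[0] > window:
            failures.popleft()                    # drop failures that aged out
        if ev["type"] == "Failure Audit":
            failures.append(ev["time"])
            if len(failures) >= threshold:
                entry = findings.setdefault(
                    ev["account"],
                    {"peak": 0, "first_seen": failures[0], "success_after": False})
                entry["peak"] = max(entry["peak"], len(failures))
        elif ev["type"] == "Success Audit":
            if len(failures) >= threshold:
                # A logon that succeeds straight after a burst deserves a
                # closer look than the failures alone.
                findings[ev["account"]]["success_after"] = True
            failures.clear()
    return findings


if __name__ == "__main__":
    for account, info in failed_logon_findings(parse_log(SAMPLE_LOG)).items():
        print(account, info)
```

The threshold and window are tuning values chosen for the sample; a single mistyped password (laurel) and failures spread over hours (administrator) stay below them.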

If the security log becomes full, your system will not start. To prevent this happening, select the General tab from Properties and you will see the screen shown in Figure 85.

Figure 85: General tab

From here you can increase or decrease the log size and decide if you are going to overwrite events. If you have to keep the events until you have checked and archived them, e.g. in a bank, you will want the option to only clear the log manually and you will increase the maximum log size. You do not have to be an administrator to view the other logs and their views can also be filtered in the same way as the event log.


System monitoring tools

Windows 2003 has a number of built-in tools for enabling you to monitor and manage your system more effectively. They are under Performance from Administrative Tools (see Figure 86).

Figure 86: Performance

When you open Performance, it defaults to the system monitor, as shown. In previous operating systems there would be nothing to see until you had chosen and added the counters for the objects you wanted to monitor. Now, you will find it is already set up with three counters and objects that are included in nearly every system monitor, to save you adding them:

• Pages/sec on the object Memory

• Average disk queue length on the object Physical Disk

• % Processor Time on the object Processor.

When you are configuring monitoring tools, remember that you need immediate data if there is a crucial system problem and longer-term data so you can plan ahead to ensure that your system has enough capacity to meet user demand. To gather data for trend analysis, record the data at regular intervals, such as every 10 to 15 minutes. Once you have recorded the data in counter logs, it is advisable to keep the logs over extended periods of time, store the data in a database, and query it to report on and analyse it as needed. This is useful for overall performance assessment, trend analysis and capacity planning.

If you are troubleshooting and the server you are looking at has hung or is not responding, run System Monitor from another computer. Try to minimise the monitoring overhead by avoiding or minimising the following:

• running System Monitor in graph view;

• selecting an option other than the default (current value) for either the System Monitor graph or report views;

• sampling at very frequent intervals (less than 3 seconds apart);

• selecting many different objects and counters.

File size and disk space taken up by log files also have an impact on performance. To reduce file size and related disk space usage, extend the update interval. Also, log to a disk other than the one you are monitoring. Frequent logging also puts a burden on disk input and output (I/O). If monitoring overhead is an issue, run only the Performance Logs and Alerts service.

If you are logging remote counters, it is recommended that you store them locally and upload once a day to minimise network traffic.

Performance monitoring and management is an iterative process:

1 Analyse system performance.

2 Use it to create a baseline.

3 Establish acceptable tolerances.

4 Monitor your system to ensure it stays within the tolerances.

5 Tune your system to improve performance.

6 Go back to step 1, analyse system performance.

The second part of Performance is Performance Logs and Alerts. Alerts are set up from Performance by selecting Logs and Alerts, then selecting Alerts. Activity 1.2 takes you through the steps required to set up an alert. Alerts are used for events that an administrator has to act on in the short term.

Counter logs are for storing events captured for long-term trend analysis or audit purposes. Activity 1.2 also covers setting up a counter log.

Trace logs are also part of performance logs and alerts. They are set up in a similar way to counter logs, but they capture data about applications as shown in Figure 87.


Figure 87: Trace log

Monitor and analyse events and system performance

• Go into Performance (from Administrative Tools). The System Monitor opens by default with three counters already set up. Note what happens to them when you start to defragment your disk. Pay special attention to the counter for the object Physical Disk.

• Now go to Add Counters and either click on the counter under the graph or + from the icons above the graph.

• Choose the physical disk object and look at the list of counters associated with it. If you are not sure what they are for, select the counter, then click Explain.

• Choose another counter that you feel would be helpful in monitoring the defragmentation process. Justify your answer.

• Make a note of all tasks undertaken and options chosen in your logbook and take screen prints of the System Monitor before running Defragmenter and running Defragmenter with an additional counter. Make a note of what is happening in each case in your logbook and why you think that is. If you open System Monitor, then Defragmenter, then switch to System Monitor, you should see what is happening in the Defragmenter below the system monitor, as shown in Figure 88.

A 4.1

Figure 88: System Monitor

Follow the step-by-step instructions below:

1 From Administrative Tools, select Performance.

2 Keep Performance open and select Start, then Accessories, then System Tools.

3 From System Tools, select Disk Defragmenter.

4 Select Defragment. Notice the graph showing the changes as it is going through this process.

5 Once the Disk Defragmenter has completed, select + from the icons at the top of the graph. This opens the Add counter screen.

6 Under Object, select the physical disk.

7 Choose an appropriate counter from the drop-down menu for this object.

8 Redo steps 3 and 4 and watch what happens to your new counter during defragmentation. Make a note in your logbook.


1 What three counters are enabled by default in System Monitor?

Performance monitoring and counters in real-life situations

First, you want to monitor the following counters over a typical 24-hour period, i.e. not over a holiday and not at the end of the year, to give you an idea of what is happening on your server. Use counter logs in CSVDE format and open them in Microsoft Excel to quickly find average, maximum and minimum, as shown by the table below.

Object          Counter name              Average   Minimum   Maximum
Memory          Pages/sec
Memory          Available Bytes
Physical disk   % Disk time
Physical disk   Avg. Disk Queue Length
Processor       % Processor Time
System          Processor Queue Length
Server          Server Sessions

The recommended values for these counters are as described below.

Memory: Pages/sec

This counter measures the number of pages per second that are paged out of RAM to disk, or paged into RAM from disk. The more paging that occurs, the more I/O overhead your server experiences; this can detract from your server’s performance. If possible, you should minimise paging to between 0 and 20. If it is averaging more than 20 pages per second, you probably have a memory bottleneck, which will be solved by additional RAM.

Memory: Available Bytes

Another way to check to see if your server has enough RAM is to check the memory object Available Bytes counter. This value should be greater than 5 Mb. If not, your server needs more RAM.

Physical disk: % Disk Time

This counter measures how busy a physical array of disks is (not a logical partition or individual disks in an array). It provides a good relative measure of how busy your disk arrays are. The % Disk Time counter should run at less than 55%. If this counter exceeds 55% for continuous periods (over 10 minutes or so during your 24-hour monitoring period), your server may be experiencing an I/O bottleneck. If it happens often (e.g. several times an hour), you can increase disk I/O by the following methods:

? 4.1


• adding drives to an array;

• getting faster drives;

• adding cache memory to the controller card;

• using a different version of RAID;

• getting a faster controller.

Physical disk: Avg. Disk Queue Length

Besides monitoring the Physical Disk: % Disk Time counter, you should also monitor the Avg. Disk Queue Length counter. If it exceeds 2 for continuous periods (over 10 minutes or so during your 24-hour monitoring period) for each disk drive in an array, you may have an I/O bottleneck for that array.

You need to calculate this figure because Performance Monitor does not know how many physical drives are in your array. For example, if you have an array of 12 physical disks and the Avg. Disk Queue Length is 20 for a particular array, the actual Avg. Disk Queue Length for each drive is 1.66 (20/12 = 1.66), which is well within the recommended 2 per physical disk.

Use both the % Disk Time and the Avg. Disk Queue Length counters together to help you decide if your server is experiencing an I/O bottleneck.

Processor: % Processor Time

The processor object % Processor Time counter is available for each central processing unit (CPU) (instance) and measures the utilisation of each individual CPU. This same counter is also available for all of the CPUs (total). This is the key counter to watch for CPU utilisation. If the % Total Processor Time (total) counter exceeds 80% for continuous periods (over 10 minutes or so during your 24-hour monitoring period), you may have a CPU bottleneck. If these busy periods only occur occasionally, and you think you can live with them, that's OK. But if they occur often, you may want to consider the following:

• reducing the load on the server;

• getting faster CPUs;

• getting more CPUs;

• getting CPUs that have a larger on-board L2 cache.

System: Processor Queue Length

Together with the Processor: % Processor Time counter, you should also monitor the Processor Queue Length counter. If it exceeds 2 per CPU for continuous periods (over 10 minutes or so during your 24-hour monitoring period), you probably have a CPU bottleneck. If you have three CPUs in your server, the Processor Queue Length should not exceed a total of 6 for the entire server.

Use both the Processor Queue Length and the % Total Processor Time counters together to determine if you have a CPU bottleneck. If both indicators are exceeding their recommended amounts during the same continuous time periods, you have a confirmed CPU bottleneck.


Server: Server Sessions

Since the number of sessions currently connected to a server affects its performance, you may want to keep an eye on the server object Server Sessions. This shows the number of server sessions that currently are connected to the server.
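The memory, disk and processor thresholds described above can be checked against a saved counter log instead of by eye in Excel. The following is an added example, not part of the original notes: it reads a counter log saved as comma-separated text and reports the table values plus any continuous period in which both indicators of a disk or CPU bottleneck are exceeded. The function names, the server name SRV01 and the sample values are constructed; it assumes you supply the number of physical disks and CPUs, reads "5 Mb" as 5 megabytes, and treats "over 10 minutes or so" as a run of at least 10 minutes.

```python
import csv
import io
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample (invented server name and values): a counter log in the
# comma-separated layout written by Performance Logs and Alerts, one sample
# every 5 minutes.
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (GMT Standard Time)(0)","\\SRV01\Memory\Pages/sec","\\SRV01\Memory\Available Bytes","\\SRV01\PhysicalDisk(_Total)\% Disk Time","\\SRV01\PhysicalDisk(_Total)\Avg. Disk Queue Length","\\SRV01\Processor(_Total)\% Processor Time","\\SRV01\System\Processor Queue Length"
"07/04/2005 09:00:00.000","4","210000000","30","3","35","1"
"07/04/2005 09:05:00.000","6","205000000","60","20","40","2"
"07/04/2005 09:10:00.000","8","200000000","70","20","85","5"
"07/04/2005 09:15:00.000","30","190000000","65","20","92","6"
"07/04/2005 09:20:00.000","12","195000000","62","20","95","7"
"07/04/2005 09:25:00.000","5","200000000","40","4","88","3"
"07/04/2005 09:30:00.000","5","205000000","35","3","50","1"
"07/04/2005 09:35:00.000","4","210000000","30","2","30","1"
'''

# Counter paths with the \\machine\ prefix removed.
PAGES = r"Memory\Pages/sec"
AVAIL = r"Memory\Available Bytes"
DISK_TIME = r"PhysicalDisk(_Total)\% Disk Time"
DISK_QUEUE = r"PhysicalDisk(_Total)\Avg. Disk Queue Length"
CPU_TIME = r"Processor(_Total)\% Processor Time"
CPU_QUEUE = r"System\Processor Queue Length"


def load_counter_log(text):
    """Return [(timestamp, {counter: value})] from counter-log CSV text."""
    rows = csv.reader(io.StringIO(text))
    header = next(rows)
    # "\\SRV01\Memory\Pages/sec" -> "Memory\Pages/sec"
    names = [col.split("\\", 3)[3] for col in header[1:]]
    samples = []
    for row in rows:
        if not row:
            continue
        ts = datetime.strptime(row[0], "%m/%d/%Y %H:%M:%S.%f")
        # A blank cell means the sample was not collected; leave it out.
        values = {n: float(v) for n, v in zip(names, row[1:]) if v.strip()}
        samples.append((ts, values))
    return samples


def summarise(samples, counter):
    """Average, minimum and maximum for one counter (the table columns)."""
    data = [values[counter] for _, values in samples if counter in values]
    return mean(data), min(data), max(data)


def sustained(samples, predicate, min_duration=timedelta(minutes=10)):
    """Spans (start, end) where predicate holds on every consecutive sample
    for at least min_duration; shorter spikes are ignored."""
    spans, start, last = [], None, None
    for ts, values in samples:
        if predicate(values):
            start = ts if start is None else start
            last = ts
        else:
            if start is not None and last - start >= min_duration:
                spans.append((start, last))
            start = None
    if start is not None and last - start >= min_duration:
        spans.append((start, last))
    return spans


def diagnose(samples, disks, cpus):
    """Apply the thresholds from the notes. The queue counters are divided by
    the number of physical disks / CPUs, which the log itself does not know."""
    avg_pages = summarise(samples, PAGES)[0]
    min_avail = summarise(samples, AVAIL)[1]
    return {
        # Average paging above 20 pages/sec, or available memory not above 5 MB.
        "memory": avg_pages > 20 or min_avail <= 5 * 1024 * 1024,
        # Disk: % Disk Time over 55 and queue over 2 per disk, at the same time.
        "disk": sustained(samples, lambda v: v.get(DISK_TIME, 0) > 55
                          and v.get(DISK_QUEUE, 0) / disks > 2),
        # CPU: % Processor Time over 80 and queue over 2 per CPU, at the same time.
        "cpu": sustained(samples, lambda v: v.get(CPU_TIME, 0) > 80
                         and v.get(CPU_QUEUE, 0) / cpus > 2),
    }


if __name__ == "__main__":
    log = load_counter_log(SAMPLE_LOG)
    print("Pages/sec avg/min/max:", summarise(log, PAGES))
    print(diagnose(log, disks=12, cpus=2))
```

With 12 disks the sample's queue length of 20 stays under 2 per disk, so the busy disk period is not reported; the same log on a 4-disk array is.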


Manage software updates and site licensing

Microsoft has installed Microsoft Windows Update by default with Windows 2003. This tool connects you to Microsoft’s site. It inspects the software on your system and puts together a customised download for you. It is split into high-priority updates and optional non-critical fixes. If you use Automatic (recommended by Microsoft), it will download all high-priority updates. If you do it manually, the updates are split into Express and Custom. Express contains the high-priority updates that can be configured to download automatically, and Custom contains optional updates as well. The optional updates are not downloaded automatically.

Automatic

Whenever you are connected to the Internet, the operating system checks Microsoft’s current list of available updates and if there are any that are applicable to you that you do not currently have, it downloads these updates in the background. You are not notified or interrupted during this process and the updates do not interfere with other downloads. If you do not change the default schedule, updates that have been downloaded to your computer will be installed at 3:00 am.

If your computer is turned off during a scheduled update, the operating system installs the updates the next time you start your computer. If the installation process requires user intervention, the operating system notifies you. For example, you might need to accept a EULA before some updates can be installed. If you need to restart your computer for an update to take effect, again the operating system notifies you and restarts your computer at the scheduled time.

Download updates for me, but let me choose when to install them

This follows the same process as the automatic updates for finding and downloading the updates. The difference is it does not automatically install them. Instead, a member of the Administrators group receives an alert letting them know that there are updates available, and again after the download is complete, and the Windows Update icon appears in the notification area. To review and install available updates, click the icon or the alert. You can install all or some of the available updates.

Notify me but don't automatically download or install updates

You can only manually download and install updates if you are a member of the Administrators group for your computer. The operating system still checks to see if there are any important updates and lets you know, but you have to download and install them. When the operating system finds updates for your computer, the Windows Update icon appears in the notification area and an alert pops up, letting you know that updates are ready to be downloaded. After you click the icon or the alert, you can select some or all of the updates to download. If you choose to download any of these updates, the download process takes place in the background and you are notified once it is complete. When downloading is complete, the Windows Update icon appears in the notification area again, this time to let you know that the updates are ready to be installed. You can choose to install all or some of the available updates.


Turn off automatic updates

This option is not recommended, as it leaves your system vulnerable to security threats and harmful viruses that can damage your computer or your files. Viruses can spread over the Internet to other people with whom you have any network connection, whether to share files or exchange mail.

New viruses and security threats are continually developed by attackers, so protecting your system is a continual process. If you do not turn on Automatic Updates, Microsoft recommends that you regularly install updates from the Windows Update Web site (http://www.microsoft.com). You can configure this from System in Control Panel. Click the Automatic Updates tab and you see the screen shown in Figure 89.

Figure 89: Automatic Updates

Installing updates before you shut down your computer is another way to keep your computer up to date and more secure. Do not turn off or unplug your computer while updates are installing. Windows will automatically turn off your computer after the updates are installed.

Sometimes you might not want every computer to contact Microsoft and download updates itself (because of bandwidth or security issues). In that case you configure an intermediary server that decides which updates to download and downloads them; the other computers in your organisation then get their updates from this server. It is known as a SUS (Software Update Services) server. The other computers poll their local SUS server, not Microsoft’s website.
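The four Automatic Updates options and the use of a local update server can also be set centrally through policy, and it is useful to be able to check what a server has actually been given. The following is an added example, not part of the original notes: it reads the text of a registry export of the Windows Update policy key and reports which of the options above is in force, when installs are scheduled, and where the server fetches updates from. The function names and both sample exports are constructed; it assumes the settings were applied through the policy key shown, not through the Control Panel tab.

```python
import re

# Policy location read by the Automatic Updates client.
WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

# AUOptions policy values mapped to the option names used on the
# Automatic Updates tab.
AU_MODES = {
    2: "Notify me but don't automatically download or install updates",
    3: "Download updates for me, but let me choose when to install them",
    4: "Automatic",
}

# Constructed sample: a server pointed at an internal update server.
# (Regedit writes exports as UTF-16; decode the file before passing it in.)
SAMPLE_MANAGED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus01.example.local"
"WUStatusServer"="http://sus01.example.local"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000001
'''

# Constructed sample: updates switched off and no update server named.
SAMPLE_UNMANAGED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
"UseWUServer"=dword:00000001
'''

VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text):
    """Parse the dword and string values of a .reg export into
    {KEY PATH (upper case): {value name: int or str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, dword, string = m.groups()
                if dword is not None:
                    current[name] = int(dword, 16)
                else:
                    # .reg files double the backslashes inside strings.
                    current[name] = string.replace("\\\\", "\\")
    return keys


def audit_updates(reg_text):
    """Report the update mode, install hour and update source, with findings
    for settings that leave the server without updates."""
    keys = parse_reg(reg_text)
    wu = keys.get(WU_KEY.upper(), {})
    au = keys.get((WU_KEY + r"\AU").upper(), {})
    findings, install_hour = [], None

    if au.get("NoAutoUpdate") == 1:
        mode = "Turn off automatic updates"
        findings.append("automatic updates are turned off")
    else:
        mode = AU_MODES.get(au.get("AUOptions"), "not set by policy")
        if au.get("AUOptions") == 4:
            install_hour = au.get("ScheduledInstallTime")  # 3 means 3:00 am

    source = "Microsoft Windows Update"
    if au.get("UseWUServer") == 1:
        source = wu.get("WUServer")
        if not source:
            findings.append("UseWUServer is set but no WUServer is named")
        elif wu.get("WUStatusServer") != source:
            findings.append("WUStatusServer does not match WUServer")

    return {"mode": mode, "install_hour": install_hour,
            "source": source, "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE_MANAGED, SAMPLE_UNMANAGED):
        print(audit_updates(sample))
```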


1 How does Microsoft recommend you obtain your software updates?

2 When would you use a SUS server?

Software licensing

A software licence gives you the right to legally use a piece of software. Microsoft call their licences EULAs (End-user License Agreements). You need server licences for your Windows 2003 operating system, and you need a CAL (Client Access License) for each user or device that connects to the server. There are some tools to help you administer and keep track of your software licences. In order to access them you need administrative permissions. The Licensing option in the Control Panel displays the screen shown in Figure 90.

Figure 90: Choose Licensing Mode

Here you can change the licensing mode from per server to per user. If you have only one server, it makes sense to have a per server licence, because if you had three shifts of people you would only need a licence for one shift as only one-third of your staff would be logged on concurrently. But if your staff had to access a number of different servers, it would be more cost-effective to have a per device or per user licence. If you are using Terminal Services application mode, you require terminal licences. If you have not installed the licences after 120 days, you will not be able to access your terminal server.

? 4.2


Manage software updates and licensing

• Go to System from the Control Panel and click the Automatic Updates tab. Here you will configure your server to ‘Download updates for me, but let me choose when I install them’. Remember to click Apply, then OK.

• What happens now is that when you connect to the Internet, Windows Update checks to see what updates are available and compares them against the ones you already have. If you do not have them it downloads them and you get a message saying they are available and you can then decide when the most suitable time to install them is. When you get that message, install them immediately.

• This only installs priority updates. You want the optional ones as well, so select Windows Update from All Programs, select Custom installation and download and install all available updates. Now click on Review your update history and check what you have downloaded.

• You are also going to remove two CALs and change from per server to per user. This is done from Licensing on the Control Panel.

• Make sure you make a note of the changes you have made in your logbook and take screen prints.

Follow the step-by-step instructions below.

Manage software updates

1 Select Control Panel.

2 Select Automatic Updates.

3 Select Download updates for me, but let me choose when I install them.

4 Click Apply, then click OK.

5 If you get a message saying there are available updates, select the option to install them immediately.

6 From the Start menu select All Programs.

7 Select Custom Installation.

8 Select ‘Download and install all available updates’.

9 Select ‘Review your update history’ and take a print of it for your logbook.

Manage licensing

1 Select Control Panel from the Start menu.

2 Select Licensing.

3 Remove two CALs.

4 Change from per server to per user.

A 4.2


1 What does EULA stand for?

2 What happens if you are running Terminal Server in application mode if you do not have terminal server licences?

? 4.3


Manage servers remotely

You can use built-in system functions or you can create customised MMCs (Microsoft Management Consoles) to manage servers remotely. An MMC consists of a group of tasks. If you want to create one, enter MMC from Run on the Start menu and you will see the following screen (Figure 91):

Figure 91: Microsoft Management Console (MMC)

You can add the tasks that you want by adding snap-ins. Once you have completed this, you might not want your users to change it when you distribute it so change the mode from Author mode to User mode. Within User mode there are three options for setting the level of access which users can be given:

• full access: users have full access to the console tree and the windows management functionality, but they cannot add or remove snap-ins or change console file options.

• limited access, multiple window: users can access the areas of the console tree that were visible when the console was saved. They can create new windows but cannot close existing windows.

• limited access, single window: users can access the areas of the console tree that were visible when the console was saved, but cannot create new windows.

Computer management

You can administer a remote computer using the Computer Management console by doing the following:

1 Right-click My Computer from the Start menu.

2 Choose Manage; this opens up Computer Management.

3 Choose Connect to Another Computer.

4 Enter the IP address (if you know it) of the computer you wish to manage remotely, otherwise browse the network to find it. Once you are connected to the remote computer, you can use all the administrative tools available under Computer Management.

Web Interface for Remote Administration

You can also use Web Interface for Remote Administration to remotely manage a server using a web browser on a remote computer. This option is not available to remotely manage domain controllers because of the security risk, but if you are using Windows Server 2003, Web Edition, it is installed by default. Otherwise, it is installed using Add/Remove Programs from the Control Panel.

When you are using the Web Interface for Remote Administration to administer a server:

1 Open Internet Explorer (version 6 or greater).


2 Navigate to https://Computername:8098 (using Secure Sockets Layer and port 8098).

Remote Desktop for Administration

The components of Terminal Server and Remote Desktop for Administration that are installed by default are the following:

• Terminal Services Configuration: sets the properties on the terminal server, e.g. client desktop, client remote control settings.

• Terminal Services Manager: concerned with managing sessions. This involves sending messages to clients, establishing remote control or shadowing of client sessions and disconnecting or logging off sessions.

• Remote Desktop Connection Installation Files: these do just what they say, install the client side of the Remote Desktop software.

• Terminal Services Licensing: you need this if you are going to use Terminal Services for application sharing. You do not need it if you only use Remote Desktop for Administration.

Manage servers remotely

Work in groups of two (or three if there is an odd number) to do the following.

• Go to Computer Management, right-click My Computer and click Manage.

• When it opens up, the default is the local machine. To manage another server remotely, click Action and from the drop-down menu, select Connect to Another Computer. Once you have connected to it you can manage it as if you were logged on locally.

• Once you have connected to the remote server, navigate to Services and Applications and click on DNS. You should see the name of the other server; take a screen print of this.

• Make sure everyone in the group carries out this task.

Follow the step-by-step instructions below.

1 From the Start menu select Computer Management.

2 Right-click My Computer and select Manage.

3 Select Action.

4 Select Connect to Another Computer.

5 Select another computer in your group.

6 Navigate to Services and Applications.

A 4.3


7 Select DNS (you should see the name of the remote computer you are managing).

8 Take a screen print for your logbook.

1 Name three methods of remotely administering a server.

2 Can you administer a domain controller with Web Interface for Administration?

? 4.4


Remote Assistance

Sometimes you want a friend or colleague to see the same screens as you to help you solve a problem. You can do this if your colleague has Windows 2003 or Windows XP by using the remote assistance facility. With an Internet connection you can let someone you trust work on your computer, chat with you and see the same screens as you. By default Remote Assistance is disabled on Windows 2003 servers. To enable Remote Assistance, select the Remote tab in System Properties in the Control Panel.

To access Remote Assistance from the Start Menu, select Help and Support Center, then select Support and then select Get Remote Assistance. The screen shown in Figure 92 is displayed.

Figure 92: Remote Assistance

With Remote Assistance you are in control: you can terminate the remote session at any time and access is by invitation only. To issue an invitation, select ‘Invite someone to help you’. This does not work on domain controllers (because of security implications). There are a number of ways you can issue a request for help:

• If the contact is a Windows Messenger contact, you can use Windows Messenger.

• Use e-mail to send an invitation.

• Save the invitation as a file that your invited helper must have the ability to access. You have the option of password protecting the invitation; it is recommended that you do so and that you use another method of communication to transfer the password.


Once your helper has accepted the invitation, there are various levels of access you can give them, from viewing your screens to taking control of your computer.

Monitoring file and print servers

To set up a file or a print server, you can use Manage your Server as shown in Figure 93. If you click on ‘Add or remove roles’, it will tell you what roles you currently have on your server and give you the option to add more roles or remove existing roles.

Figure 93: Manage Your Server

If you select ‘Manage this file server’, the screen shown in Figure 94 is displayed.


Figure 94: File Server Management

Configuring a file server

If you want to configure a file server, click File Server and the Configure your Server Wizard configures the file server role. The first option it sets is Default Disk Quotas on the File Server. If you configure disk quotas for individual users or groups, this overrides the default. The default applies to new users of this NTFS file system. You are now given the option whether to use Indexing Service or not. The Indexing Service can slow down the performance of your server but if users frequently search the contents of your file server, then the time it saves in searches will make up for the performance degradation. The default is ‘off’. After this, you are taken into the Share a Folder Wizard, which is covered in Section 3 of this unit. Once you have completed this wizard your File Server is set up, and the screen shown in Figure 95 is displayed.


Figure 95: File server configuration completed

There are still additional tasks you should carry out. If you click ‘View the next steps for this role’, you are taken into Microsoft’s comprehensive built-in Help system and you are given a list of tasks that have still to be carried out, what they are for, and a link to how to do them (see Figure 96).


Figure 96: Configuring Roles For Your Server

Not all of them will be applicable to your file server, but at a minimum you should configure the NTFS permissions on your shared files and folders to limit access to authorised users only and enable Shadow Copies to allow users to retrieve previous copies without you having to restore them, if they accidentally delete the wrong file. NTFS permissions and shadow copies are covered in Section 3 of this unit. You can also click on the link under Reference as shown in Figure 96 to get more information on how to set permissions.

When you have finished setting up your file server, should you wish to carry out further management, open Manage your Server and select Manage this file server (as shown in Figures 93 and 94).

The Microsoft Management Console usefully groups together all the common administrative tasks in administering a file server.


Set up and configure a file server

To set up and configure a file server, follow the step-by-step instructions below.

1 Select Manage your Server from the Start menu.

2 Select ‘Add/remove a role’, which opens the Configure your Server Wizard. Click Next.

3 Select File Server and click Next.

4 On the File Server Disk Quotas screen, click ‘Setup default disk quotas for new users of this server’.

5 Limit disk quota space to 8 Mb and set the warning level at 7 Mb.

6 Select ‘Deny disk space to users exceeding limit’. Click Next.

7 Keep clicking Next until you have finished. The system will give you the option to share folders if you have not done so.

Share a folder

1 When the Share a Folder Wizard opens, select Browse.

2 Select C:/ and click Make New Folder; call the folder fileshare. Click Next.

3 On the Name, Description and Settings screen, select Change.

4 Select Optimise for Performance, click OK, then click Next.

5 Select Use Custom Share and Folder Permissions. Select Customize.

6 On the Share Permissions tab, select Add and add the Comedy group created earlier.

7 Remove the Everyone group.

8 Select Security and notice that the Everyone group is already selected.

9 Click Finish and print out the summary screen of your shared folder settings. Click Close.

Configure shadow copies

1 You are now taken to a screen saying your server is now a file server. Select ‘View the next steps for this role’.

2 This takes you into Windows Help. Select ‘To enable shadow copies of shared folders’.

3 Select the Computer Management hyperlink.

4 Right-click Shared Folders, then select All Tasks and Configure Shadow Copies.

5 Select the C:/ drive and select Enable. Click Yes (this creates shadow volumes with the default schedule; if you want to alter it, click on Settings), then click OK.

A 4.4


Configuring a print server

Using the Configure Your Server Wizard to configure a print server is similar to using it to set up a file server, except the prompts are to do with settings tailored for a print server. To start, select Print Server from the Your Server Role screen. The first option is whether the print server is just going to be servicing Windows 2000 and Windows XP clients or all Windows clients. The wizard needs to know so that it can install the printer drivers for these clients. Next you are taken into the Add Printer Wizard to configure the printers your print server will be managing. You can add local, network and plug ‘n’ play printers. Windows searches for each printer and if it cannot find it, you are given the option to install it manually. Next you need to choose the printer port as shown in Figure 97.

Figure 97: Add Print Wizard

Context-sensitive help is available if you want to create a printer port but are not sure which kind of port you want to create.

Next you have to choose the printer driver for your printer. You are given a list of printer drivers that Windows 2003 has installed by default. You can scroll down the list and pick a printer if you can see your printer on the list. All these drivers are digitally signed, which means they have been tested for quality and can be relied upon. If your printer is not on the list, you have two options: you can use Windows Update to get more printer drivers downloaded from Microsoft or you can use the installation disk that came with the printer. The Windows Update option to access more drivers from Microsoft is new to Windows 2003 server operating systems and Windows XP client systems. Once you have selected the printer driver, you are given an option to share your printer and the share name associated with it as shown in Figure 98. The default is to share.

Figure 98: Printer sharing

The next screen prompts for a location and a comment. It is useful to users if they know where the printer is located, so they can collect their output. Also if they want to print in colour and the printer is monochrome only, it is not going to be suitable. This kind of information can be included in the comment.

The last option is to print out a test page. It is advisable always to print a test page so that you can check the printer is working correctly. You are now given a summary of the printer settings as shown in Figure 99. The option of restarting the wizard to add another printer is already selected. This is because a print server generally looks after more than one printer. If this is the only/last printer you are adding then uncheck this box before clicking Finish.


Figure 99: Printer settings

There are some additional tasks for setting up a print server once the wizard is complete that you should consider carrying out. When the Wizard completion screen is displayed, click on ‘View the next steps for this role’.

Figure 100: Configure Your Server Wizard completion screen

This takes you to the appropriate screen in Microsoft’s built-in help as shown in Figure 101.


Figure 101: Configure Your Server

Not all of the options will be applicable to your print server, but at a minimum you should configure printer permissions and advanced options, and publish your printer in Active Directory (this makes it easier for users to find).

Printer permissions

To set printer permissions, go to Printers and Faxes, right-click the printer you wish to configure permissions for, select Properties, then select the Security tab. The default permissions will be similar to those shown in Figure 102.


Figure 102: Printer permissions

• Administrators, as expected, have all three permissions. To modify special permissions, click the Advanced button.

• Members of the Creator Owner group are allowed to manage documents (this means users can manage documents that they have created but not documents that others have created).

• Users in the Everyone group are allowed to print.

• Print operators have all three permissions.

• Server operators have all three permissions.

You should consider at least removing the Everyone group and adding the Authenticated Users group, so that only users who are logged on can print. If you had a colour printer that is expensive to run, you might want only the graphics artists to be able to use it. In that case you would remove the Everyone group and replace it with the Graphics Artists group.

Advanced options

• Change printing time (you might want all printing from a particular printer to occur overnight, or if it is for sensitive data, during the day only.) From Printers and Faxes, select the printer you want to set the printing time for, then click Properties on the Advanced tab (see Figure 103). Click the ‘Available from’ radio button and select the times you want this printer to be available from and to.


Figure 103: Advanced tab

• Set print priorities (managers might want their output to print before the rest of the staff). To do this, add multiple logical printers for the same physical printer, then using printer permissions, limit some logical devices to certain groups, e.g. managers only. In the advanced properties of these logical devices, change the priority from the default of 1 to a higher number. Jobs sent to this logical device will then print before jobs sent to the logical device with the lower priority number.

• Keep a copy of everything printed (sometimes output goes astray and if you have a copy it is less work to reprint it). This is not enabled by default, however. If you want to enable it click on Keep printed documents from the Advanced tab.

• Set a printer to print to multiple print devices (this is useful to spread the load). This is done by enabling printer pooling. Printer pooling is enabled from the Ports tab in printer properties (see Figure 104) by selecting the Enable printer pooling radio button. To enable printer pooling, the printers you wish to pool must already be in the Printers and Faxes folder. They must also be the same type of printer and be using the same printer driver.


Figure 104: Ports tab

• Start and stop the print spooler (you might need to do this to clear a print job). The print spooler is a service that runs under the Local Computer system account by default. If you want to stop and start it, go into Services and Applications, which is available in Computer Management as shown in Figure 105.

Figure 105: Computer Management


Click on Services and Applications, then click on Services. This gives a list of services, a brief description, whether the service is started, its startup type (some services are started automatically by Windows 2003) and what it is logged on as. When you scroll down to Print Spooler, you can see it is automatically started by Windows 2003.

Figure 106: Services

To stop or start the print spooler, select it. If it is running, you can select Stop or Restart. You would be able to select Start if the print spooler was not running.

• Publish your printer in Active Directory. This is done automatically if you selected Share this Printer in the Add Printer Wizard. A printer has to be shared before it can be published in Active Directory. To do this manually, select the printer from Printers and Faxes. Click on Sharing, make sure the printer is shared, and check the List in the directory box.

Once you have configured the file and print servers (they could be on the same server; as shown in Figure 93, a server can carry out more than one role), you are going to monitor and manage them. There are two sets of system tools that you can use to monitor your file server: Performance Tools, which we looked at in Section 1 of this unit, and the Task Manager. We will next look at the Task Manager and then how you would use the Performance Tools to monitor your file server.


1 What tool would you use to set up a File Server and a Print Server?

? 4.5


Monitoring and optimising application performance

You can monitor application performance using Windows Task Manager, which you access by pressing the CTRL, ALT and DEL keys at the same time. The default screen displayed is shown in Figure 107.

Figure 107: Windows Task Manager

This screen shows you the applications that you have running and their status. If an application is very slow in responding, it could be because it has stopped responding. This shows up under Status, and you can select the application and end the task. Note also that although there are only seven applications running, there are 41 processes in this example. To examine the processes further, select the Processes tab (see Figure 108).


Figure 108: Processes

This shows all the processes that are running, including those run by the operating system, where the user name is SYSTEM or LOCAL SERVICE. You can also see which user is running the process, so if a user is hogging most of the CPU you can identify them and find out what they are doing. You also have the ability to end troublesome processes here.

The Performance tab is similar to System Monitor in that it shows what is happening in graphical form (see Figure 109).


Figure 109: Performance

Because the Task Manager is primarily concerned with the processor you will only see a graph of the CPU usage and the page file usage. If you have more than one CPU, both will be displayed here.

The Networking tab monitors the load on your Local Area Connection, as shown in Figure 110.


Figure 110: Networking

Finally, the Users tab (see Figure 111) displays a list of the users that are logged onto your system and gives you the option to disconnect them, log them off or send them a message. This can be useful if a user has started a troublesome process; you can send them a message and ask what they are doing!


Figure 111: Users

Performance Tools consists of System Monitor and Performance Logs and Alerts. You decide which objects you want to monitor, so if you wanted to monitor the print server, you would pick a relevant object such as Print Queue. You can decide which aspects of the object you would like to monitor from the menu shown in Figure 112. But if you choose a lot of counters, the monitoring itself could have an impact on performance, and it is more work interpreting the data you have gathered because there is more of it.


Figure 112: Add Counters

There are a lot of objects; choose the ones that are appropriate for your system (see Figure 113).


Figure 113: Add Counters

For each of these objects there are a large number of counters, so you can customise System Monitor and Performance Logs and Alerts to capture the data that you need. System Monitor shows the counters in graphical form. If, for example, you want a warning when printers have printed a certain number of pages so that you can proactively replace the toner/drum before the users notice a deterioration in print quality, you would set up an alert to send you a message when the total number of pages exceeds a certain level. There are also objects and counters you might want to monitor for trend analysis so that you can be proactive in your capacity planning. You can add these counters to a counter log and store them in CSV format so they can be used in a database or another application that allows easy manipulation of data.
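The toner example above, worked through on a counter log saved in CSV format; this is an added example, not part of the original notes. The server name, printer name, sample values and function names are constructed for illustration, and the code assumes the Total Pages Printed counter starts again from zero when the print spooler is restarted.

```python
import csv
import io
from datetime import datetime

# Constructed sample of a counter log stored in CSV format. The first column
# holds the sample time, each further column one counter path.
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (GMT Standard Time)(0)","\\PRINTSRV1\Print Queue(Office Laser)\Total Pages Printed"
"07/04/2005 18:00:00.000","4200"
"07/05/2005 18:00:00.000","4650"
"07/06/2005 18:00:00.000","5150"
"07/07/2005 18:00:00.000","300"
"07/08/2005 18:00:00.000","800"
'''


def read_counter(log_text, counter_suffix):
    """Return [(timestamp, value)] for the first counter path ending in counter_suffix."""
    rows = csv.reader(io.StringIO(log_text))
    header = next(rows)
    col = next(i for i, name in enumerate(header) if name.endswith(counter_suffix))
    samples = []
    for row in rows:
        if len(row) <= col or not row[col].strip():
            continue  # blank line or empty cell: no sample was recorded
        stamp = datetime.strptime(row[0], "%m/%d/%Y %H:%M:%S.%f")
        samples.append((stamp, float(row[col])))
    return samples


def cumulative_pages(samples):
    """Turn raw counter values into a running total that survives counter resets."""
    total = 0.0
    previous = None
    series = []
    for stamp, value in samples:
        if previous is None:
            total = value                 # first sample sets the baseline
        elif value >= previous:
            total += value - previous     # normal growth since the last sample
        else:
            total += value                # assumed reset: counter restarted from zero
        previous = value
        series.append((stamp, total))
    return series


def first_crossing(series, limit):
    """Time of the first sample at or above limit, or None if never reached."""
    for stamp, total in series:
        if total >= limit:
            return stamp
    return None


def pages_per_day(series):
    """Average daily growth over the whole log, for capacity planning."""
    (t0, v0), (t1, v1) = series[0], series[-1]
    days = (t1 - t0).total_seconds() / 86400
    return (v1 - v0) / days if days else 0.0


if __name__ == "__main__":
    raw = read_counter(SAMPLE_LOG, r"\Total Pages Printed")
    series = cumulative_pages(raw)
    print("raw values cross 5400:", first_crossing(raw, 5400))
    print("running total crosses 5400:", first_crossing(series, 5400))
    print("average pages per day:", pages_per_day(series))
```

A threshold applied to the raw values never fires in this sample because the counter restarts on the fourth day; the running total catches it.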

1 What are the five Task Manager tabs?

2 From which tab can I send a message to a user?

? 4.6


Managing a web server

For security reasons, IIS version 6 is not installed with Windows 2003 by default. When you do install IIS version 6 it is fully locked down by default, which means that unless you configure it otherwise, it can only serve static content. If you wish to use ASP (Active Server Pages), ASP.NET, Indexing Service, FrontPage extensions and WebDAV (Web Distributed Authoring and Versioning), you must enable them using the IIS Manager.

To create a web site, you first need to upload some web pages. Once you have created a website, it can be configured and managed. To set up a new website, use IIS. (If you have not already installed IIS, do so now. It is accessible from Administrative Tools.) Click the computer that is going to be the web server for the site, then right-click the Web Sites folder, choose New and then Web Site. A screen similar to the one shown in Figure 112 is displayed.

Figure 114: IIS Manager

The Web Site Creation Wizard now opens. The first thing you are prompted for is a description. The next screen asks for the IP address, which you can select from the pull-down menu. (Make sure that your web server is set up with a static IP address in TCP/IP properties.) Click Next. If you know where you have stored the website, you can enter the path to the home directory; otherwise you can browse for it. If you browse, you must not make any typing errors when you are entering the path. If the folder does not exist, you have the option to create a new one. This is new to Windows 2003 operating systems. You are then asked what website access permissions you want to set up for your site. The default is read and run scripts. This is the last option that you configure using the Wizard. To configure other options and to modify options that you have already configured, go into the website properties, as shown in Figure 115.

Figure 115: Web site properties

If you right-click the website, you get the options shown in Figure 116, one of which is Properties.


Figure 116: Web site Properties

Under the Documents tab you set up the default home page. Make sure you type it exactly as it is in the home directory including the file extension, otherwise it will not be picked up.

If you made a mistake when you entered the home directory or want to change it for another reason, you can do this under the Home Directory tab. You can also change the website access permissions here. On the Performance tab you can limit the bandwidth available to this site (bandwidth throttling) and you can limit the number of connections.

On the Web Site tab, you can modify the description, the IP address and the connection timeout.

When you right-click the Web Site in IIS there is a Permissions option. These are the NTFS permissions for the home directory. You can amend these here to give and restrict user access across the whole website. But if you want to set up specific access on certain pages, you have to do it from Windows Explorer.

1 Where would I set up a website?

2 What do I have to do to my website to enable it to serve dynamic pages?

? 4.7


Summary of this section

Domain controllers have some default auditing configured. The three default counters in System Monitor are Pages/sec on the Memory object, Average Disk Queue Length on the Physical Disk object and Processor Time on the Processor object.

Microsoft Windows Update allows you to download the updates that you require. You can automate the download and installation process. Clients can use a SUS server to download updates so that all users do not need to connect to the update site.

You need a software licence to legally use a piece of software. If you do not install Terminal Server licences and you use a terminal server in application mode, it will fail to respond after 120 days.

You can remotely administer your server(s) with a number of different tools: Computer Management, Web Interface for Administration (you cannot use this on a domain controller) and Remote Desktop for Administration.

Windows 2003 includes Manage your Server, which you can use to access wizards to set up typical server roles including file servers and print servers.

Task Manager is useful for monitoring what is happening at any point in time to the applications and processes running in your system. You have the option to end tasks and processes and to disconnect users if they are using too much CPU.

Websites are set up under IIS version 6, which is the version that comes with Windows 2003. This is not installed by default, so if you want to set up a web server, you have to install IIS first. IIS is also fully locked down by default to make it more secure.


Answers to SAQs

4.1

1 Pages/sec on the Memory object, Average Disk Queue Length on the Physical Disk object and %Processor Time on the Processor object.

4.2

1 By Automatic Update.

2 You would use a SUS server when you only wanted certain computers to access the Microsoft Update site and download updates. This could be because there is a security issue or because there is not enough bandwidth, so you want to get the updates from an internal SUS server instead.

4.3

1 End User License Agreement.

2 After 120 days you will not be able to connect to it.

4.4

1 Computer Management, Remote Desktop for Administration and Web Interface for Administration.

2 No, it is deemed a security risk.

4.5

1 Managing Your Server Roles Wizard from Manage your server.

4.6

1 Applications, Processes, Performance, Networking and Users.

2 Users.

4.7

1 On any computer within your network.

2 Enable using IIS Manager. By selecting Web Service Extensions node, all extensions are disabled by default. Select the Active Server Pages Web Service Extension and select allow.


Section 5: Manage and implement disaster recovery


Introduction to this section

What this section is about

In this section you’ll learn how to manage and implement disaster recovery.

Outcomes, aims and objectives

• Perform system recovery for a server.

• Manage backup procedures.

• Recover from server hardware failure.

• Restore backup data.

• Schedule backup jobs.

Approximate study time

12 hours.

Other resources required

• A computer capable of running Windows 2003 Enterprise and Windows XP Professional.

• A copy of Windows 2003 Enterprise and a copy of Windows XP Professional and the matching product keys.

• An Internet connection.


Assessment information for this section

How you will be assessed

You’ll be assessed through a closed-book test and a logbook. You must provide evidence of the knowledge and skills for the entire unit by answering a set of 40 restricted-response questions. These may be administered as a single test at the end of the unit or as several subtests, each covering one or more outcomes.

When and where you will be assessed

You’ll sit the closed-book test after you have completed the outcome(s) it covers.

Record the activities in your logbook as you complete them. Activities 5.1, 5.3 and 5.4 are mandatory.

What you have to achieve

You have to complete the activities and achieve at least 70% in the closed-book test or 70% in all the subtests individually.

Opportunities for reassessment

If needed, your tutor will give you the opportunity for one reassessment.


Performing system recovery for a server

There are a number of system tools available in Windows 2003 to aid system recovery for a server. If you are having trouble logging on to your system to fix the problem, choose one of the following options from the Windows Advanced Options menu:

• Safe Mode

• Safe Mode with Networking

• Safe Mode with Command Prompt

• Enable Boot Logging

• Enable VGA Mode

• Last Known Good Configuration (your most recent settings that worked)

• Directory Services Restore Mode (Windows domain controllers only)

• Debugging Mode

• Start Windows Normally.

• Reboot

These options are available from For Troubleshooting and Advanced Startup Options, which are accessed during the boot process by pressing PF8.

Last known good configuration

The last known good configuration is a backup copy of the current configuration stored in the registry key HKLM\System\CurrentControlSet. It is updated when a user shuts down the system after successfully logging on. Restoring the information from this registry key can repair your system. This would be used if you had installed/updated some drivers and they prevented the operating system from loading. So when you change the configuration of your system and the operating system fails to load after you restart the computer, press F8 when you see the message ‘Please select the operating system to start’, and select the Last Known Good Configuration from the Windows Advanced Options Menu. The Last Known Good configuration is only useful if you have not logged on yet. When you log on and shut down or restart the system, the current configuration will become the last known good configuration.

Safe mode

If you still cannot start Windows, and you have already tried the last known good configuration, then try to boot Windows in Safe mode. In Safe mode, Windows loads only the mouse, monitor, keyboard, mass storage, and basic video drivers. Only the default system services are started and there is no support for networking. This allows you to troubleshoot the system if it does not start normally. A common situation in which you should start in Safe mode is when Windows doesn't start because of incorrect video drivers or settings. In Safe mode, the default VGA (video graphics array) driver is used with the display settings 640 x 480 with 16 colours. You can access the settings and change them to the correct ones.


The Safe Mode with Networking option loads all of the essential services and drivers required to support networking. Use this if you need network support to be able to download drivers or tools to repair the system.

Safe Mode with Command Prompt is the same as Safe mode, but starts the command prompt.

Enable VGA Mode starts Windows with a resolution of 640 x 480 using the current video driver. This is useful if you think the problem is the display settings.

Debugging Mode starts Windows in Debugging mode, allowing you to send debugging information across a serial cable to another computer running a debugger.

Enable Boot Logging enables logging when the computer is started in a Safe mode. The information will be stored in the Ntbtlog.txt file in the %SystemRoot% folder.

Automated system recovery

When the operating system does not start and the logon screen does not appear, you should first try to access and repair the system by booting in Safe mode or using the last known good configuration. If that does not work, you can try Automated System Recovery (ASR) as a last resort. An ASR backup set is created by using the ASR Wizard in Backup, or you can access the ASR Wizard from the Tools menu. The wizard backs up the system state, system services, and all disks associated with the operating system components. It also creates a file containing information about the backup, the disk configurations (including basic and dynamic volumes) and how to accomplish a complete restore.

To use ASR to restore the system, place the original installation CD in your CD drive, then restart your computer, ensuring that it boots from CD. You then need to press PF2 when prompted for ASR in the Text mode part of setup. You need to provide the floppy disk that contains the file created by the ASR Wizard, the media containing the actual data backup and the Windows 2003 Installation CD. First, the volumes and partitions required to start the computer are recreated, and after a minimal version of Windows is installed, ASR restores the backup created by the ASR wizard. If you have a mass storage controller that has a separate driver file, you need the CD with the driver file. Remember to press PF6 when prompted to install the driver; if you don’t, the operating system might not recognise your hard drive.


Use an ASR set to recover the system

Follow the step-by-step instructions below (it is recommended that you do Activity 5.3, Create an ASR set, first).

1 Make sure you have your ASR set (backup tapes/disks and floppy disk that was created with these backups) and your original Windows Server 2003 installation CD.

2 Insert the Windows 2003 installation CD into your CD drive.

3 Restart your computer, press key if you need to boot from the CD.

4 Press PF2 when you are prompted.

5 You will be prompted to enter your ASR boot disk.

6 Follow the directions given on screen.

Manage backup procedures

Backup is an essential administrative task. You need backups for routine day-to-day operations such as audit trails and restoring accidentally deleted files. They should also be done before any major hardware or software change to your system, so if your upgrade fails you can restore your previous system for your users. You also need to take backups in case you have a major disaster and need to restore your systems; sometimes, in the case of a fire or flood, this restore might have to take place in a different location.

You do not know in advance when you are going to have a disaster or when someone is going to delete files by mistake, so you have to back up on a regular basis to be prepared. In the case of a system restore, unless you back up your system after all user changes to data are made there will be some degree of lost work and some rework will be required from your users. What you want to do is minimise the amount of time your system is out of action and the amount of rework needed in a cost-effective way. You could carry out full backups of your system every 10 minutes, so if there were any problems you would at most only have 10 minutes of rework to do. This would tie up a lot of resources and might not be cost-effective. If your system is that crucial, you might consider a clustering hardware configuration with only 50% utilisation, so if you had problems with one server you could switch over to the other. But you still need to carry out backups in case the server room is hit by a disaster, e.g. flood, fire, etc.

Windows 2003 has a Task Scheduler that is used to automate essential routine tasks. The Task Scheduler (or Scheduled Tasks) can be used to schedule batch files, scripts, system backups and security and can be accessed from the Control Panel or from All Programs/Accessories/System Tools/Scheduled Tasks. This tool can be used to automate regular tasks such as security scans and system backups. The advantage of using a scheduler is that routine but crucial tasks are not overlooked. If you open up Scheduled Tasks then click on Add Scheduled Task you are taken through the Scheduling Wizard, which helps you to configure the schedule. You are given a list of programs to choose from, then a choice of when you want the task to run and how often. After this you are taken through options specific to the task. When you have finished with the wizard, a screen like the one shown in Figure 117 is displayed.

Figure 117: Scheduled Tasks

Try to schedule your backups for a time when the computer is not being used much, if at all. You can back up files that are open or in use, but the Backup utility might miss some files that are held open by other processes. If possible, have all your applications closed when you are running Backup. This minimises the number of files that could be missed.

You should at a minimum schedule a normal (full) backup of your data once a week. This must include your System State data (registry, COM+ Class Registration database, system files, boot files and files under Windows protection). If you have any encryption keys, you should also back them up. If you make a lot of changes to your data, you should consider some additional differential or incremental backups during the week. Normal and incremental backups mark the files that have been backed up. Differential backups do not.

When you are scheduling the backup, you are asked who is running it; if the user account you are logged on with does not have the permissions and rights to back up folders, you are required to supply a user account and password that does have the permissions and rights to run backups.

The permissions required are as follows:

• Member of the Backup Operators group


• Member of the Domain Admins group

• Owner of the files and folders you want to back up

• Have at least one of the following permissions for the files and folders you want to back up:

  o Read

  o Read and execute

  o Modify

  o Full control

You can start Backup from the Start menu by clicking Backup from All Programs → Accessories → System Tools (see Figure 118). When Backup runs for the first time, the Backup or Restore Wizard starts by default. Backup can also be accessed from Scheduled Tasks.

Figure 118: Starting Backup from the Start Menu

Selecting the option ‘Back up data that is in remote storage’ backs up data that has been designated for remote storage. If you select this option, remote storage reparse points (placeholder files) are backed up. Remote storage data can only be restored on an NTFS volume. You would use this to create tapes to be taken off-site so you can recover from a disaster such as fire or flood. You should do a full backup to remote storage at least once a week and move tapes off-site as soon as possible after the backup. There is no point in storing the tapes at the same site, because in the case of a major disaster you would lose them too and have nothing to restore from.

The option ‘Verify data after backup’ allows you to verify that the backup is exactly the same as the original data. This usually has a huge impact on the time it takes to perform a backup, but there is no point in having corrupt backup tapes. If you cannot afford to use the Verify option every time you back up, at least switch it on when you are doing your weekly full backups, and if possible once midweek, so if you have corrupt data or a worn tape, it minimises the risk of potential loss of data.

The option ‘If possible, compress the backup data to save space’ allows you to compress tape backups. This option is available only if you have a tape drive attached to your computer that supports data compression.

The option ‘Automatically back up system protected files with the system state’ allows you to include all system files that are in your system root directory (i.e. C:\Windows) in addition to the files that are included with the system state data by default.

The option ‘Disable volume shadow copy’ disables the point-in-time shadow copy method. If shadow copy is disabled, files that are in use or open might be skipped.

This is why it is advisable to schedule your backups outside the hours that your users are normally accessing the system. Backups also take up a lot of resources, so if they are carried out in the course of the working day, users will notice a degradation in response time. Backups are normally scheduled overnight together with batch processing programs.

Under Backup Type, you are asked to select one of the following: Normal, Copy, Daily, Incremental, Differential or Restore. To understand the various common backup types, first we need to know about the archive file attribute. If a file has this attribute set, it means it has changed since the archive attribute was turned off. An archive attribute can be turned off by performing certain types of backup, or manually by using the 'attrib' command line utility.

Backup types are:

• Normal/full: backs up every selected file, regardless of the archive attribute setting, and clears the archive attribute.

• Copy: backs up every selected file, regardless of the archive attribute setting. Does not clear the archive attribute.

• Daily: Backs up every selected file that has changed that day, regardless of the archive attribute setting. Does not clear the archive attribute.

• Incremental: Backs up only those files created or changed since the last normal or incremental backup and clears the archive attribute. This method is used in combination with a full backup, e.g. a normal/full backup on Fridays at the end of the working week and an incremental backup on Monday, Tuesday, Wednesday and Thursday. In case of a restore, you need the last normal backup as well as all incremental backups since the last normal backup.

• Differential: backs up only those files created or changed since the last normal/incremental backup, but does not clear the archive attribute. This method is also used in combination with a full backup, e.g. a normal/full backup on Fridays at the end of the working week and an incremental backup on Monday, Tuesday, Wednesday and Thursday. If you have to perform a restore, you need the last normal backup and the last differential backup.

• Restore: the Restore and Manage Media tab of the Backup utility allows you to restore backups and manage backup media. The latter includes formatting, erasing and naming tapes as well as maintaining catalogs. To restore a backup, select the backup on disk, tape or other media, select the restore location and click the Start Restore button. You can choose to restore the files to their original location, an alternative location or a single folder. When you choose to restore the backup to a single folder, the directory structure is lost, thus all files are placed in the same folder.
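The archive-attribute rules in the list above, as an added simulation that is not part of the original notes: it models a Friday normal backup followed by Monday-to-Thursday incremental or differential backups and works out which backup sets a restore needs. The file names, day numbers and helper names are constructed for illustration.

```python
"""Added simulation of the archive attribute and backup types (constructed data)."""
from dataclasses import dataclass


@dataclass
class FileEntry:
    version: int = 0       # bumped on every write, so restores can be compared
    archive: bool = False  # the archive attribute: set whenever the file changes
    changed_on: int = -1   # day number of the most recent write


class Volume:
    def __init__(self):
        self.files = {}

    def write(self, name, day):
        """Create or modify a file; the file system sets the archive attribute."""
        entry = self.files.setdefault(name, FileEntry())
        entry.version += 1
        entry.archive = True
        entry.changed_on = day

    def current(self):
        return {name: e.version for name, e in self.files.items()}


# backup type -> (which files it selects, whether it clears the archive attribute)
BACKUP_TYPES = {
    "normal":       (lambda e, day: True,                True),
    "copy":         (lambda e, day: True,                False),
    "daily":        (lambda e, day: e.changed_on == day, False),
    "incremental":  (lambda e, day: e.archive,           True),
    "differential": (lambda e, day: e.archive,           False),
}


def run_backup(volume, kind, day):
    selects, clears = BACKUP_TYPES[kind]
    saved = {}
    for name, entry in volume.files.items():
        if selects(entry, day):
            saved[name] = entry.version
            if clears:
                entry.archive = False
    return {"kind": kind, "day": day, "files": saved}


def sets_needed_for_restore(history):
    """Last normal backup, every incremental after it, then the newest
    differential if it was taken after the final incremental."""
    start = max(i for i, s in enumerate(history) if s["kind"] == "normal")
    needed, last_diff = [history[start]], None
    for backup in history[start + 1:]:
        if backup["kind"] == "incremental":
            needed.append(backup)
            last_diff = None  # superseded: the incremental holds the same changes
        elif backup["kind"] == "differential":
            last_diff = backup
    return needed + ([last_diff] if last_diff else [])


def restore(backup_sets):
    restored = {}
    for backup in backup_sets:  # oldest first, newer copies overwrite older ones
        restored.update(backup["files"])
    return restored


def simulate_week(weekday_kind):
    """Friday normal backup (day 0), then one backup of `weekday_kind` per day."""
    vol = Volume()
    for name in ("payroll.xls", "rota.doc", "policy.txt"):
        vol.write(name, day=0)
    history = [run_backup(vol, "normal", day=0)]
    changes = {1: "payroll.xls", 2: "rota.doc", 3: "payroll.xls", 4: "minutes.doc"}
    for day, name in changes.items():
        vol.write(name, day)
        history.append(run_backup(vol, weekday_kind, day))
    return vol, history


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        vol, history = simulate_week(kind)
        needed = sets_needed_for_restore(history)
        print(kind, [(s["kind"], s["day"], sorted(s["files"])) for s in needed])
        print("  restore matches volume:", restore(needed) == vol.current())
```

The incremental week needs five sets to restore but each nightly set is small; the differential week needs only two sets, at the cost of a set that grows every night.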

When you click the Start Restore button, a restore confirmation screen is displayed (see Figure 119).

Figure 119: Restore confirmation screen.

In most cases you will click Finish to start the restore, but in some situations you may want to set Advanced Restore Options by clicking the Advanced button (see Figure 120).

Figure 120: Advanced Restore Options

• Restore security settings: this option is enabled by default and only available if the backup is from an NTFS volume and you are restoring it to an NTFS volume. If you disable this option, security settings for files and folders, such as permissions, ownership, and audit entries, will not be restored.

• Restore junction points, and restore file and folder data under junction points to the original location: this option restores the junction points on your hard disk and the data that the junction points point to. If you are restoring a backup of a mounted drive and the data on it, this option must be enabled.

• When restoring replicated data sets, mark the restored data as the primary data for all replicas: this allows you to ensure that restored File Replication Service (FRS) data is replicated to your other servers to ensure that other servers participating in the replicated data set do not overwrite the restored data because it is older.

• Restore the Cluster Registry to the quorum disk and all other nodes: this ensures that the cluster database is replicated to all nodes in a server cluster. This is essential if you have a cluster configuration. These options are disabled, as in Figure 118, if they do not apply.

• Preserve existing volume mount points: prevents any volume mount points you have created on the partition or volume before the restore from being overwritten. Disable this option if you want to restore the volume mount points from backup.

After you have set the advanced options, click OK, and then click OK again to start the restore. At the end of the restore you will be able to view a report showing a summary log of the restore operation.

System state data should always be included in your backups. System state data includes the registry, COM+ Class Registration database, and boot files. The advanced options of a backup job allow you to include all system files under Windows File Protection that are in your system root directory (i.e. C:\Windows), if you back up the system state data. This allows you to create a comprehensive backup of ‘just’ the operating system. To create a backup of the system state data, you can either run the Backup Wizard or use the Backup Utility. On the Backup tab of the Backup Utility, select System State Data. You must be an administrator on the local computer to back up and restore system state data. You can only back up the system state data on the local computer, not on a remote computer.

If you want to restore the system state data on a computer that is running, you should use the Backup utility and perform the restore as you would perform a basic restore. Just select the system state data from the backup file or media and click Start Restore.

Windows XP also includes the command-line utility Ntbackup.exe. This utility can only be used to back up data, not to restore data. It can be used to create backups by running it from the command prompt, but more often it is used in batch files.

Activity 5.2: Create a backup

To create backup disks/tapes you need to have the correct rights and permissions. Follow the step-by-step instructions below.

1 Open Backup.

2 Click on Advanced.

3 Select the Backup tab.

4 Select Job then select New.

5 Navigate to the Nursery.txt file you created earlier. (If you have not created this, cancel and create it and then re-open Backup). Select System State Data.

6 In Backup Destination, select File (this is the default).

7 In Backup Media or Filename, click Browse to find the file you want, Nurserybackup; create this if it does not exist.

8 Select Tools, then select Options and select Normal for backup type.

9 Select Advanced and select Data Verification.

10 Click Start Backup.

11 Once Backup is complete, check the Nurserybackup file to see if it has backed up. Before you click Finish, select Report to check how your backup went.

Creating an ASR set

ASR (Automated System Recovery) is a new feature with Windows 2003 server operating systems. It replaces ERD (Emergency Repair Disk). It should be used as well as your regular backups. You also use Backup to create this. You should create an ASR set before and after any major changes to your system such as a software upgrade or installing new hardware. This makes it easier to restore if you have any problems. An ASR set contains the following:

• a bootable 3.5 inch floppy disk (contains asr.sif and asrpnp.sif)

• a backup of the operating system files.

Activity 5.3: Create an ASR set

Follow the step-by-step instructions below.

1 Open Backup (this opens the Backup and Restore Wizard).

2 Click Next.

3 Ensure Backup Files & Settings is selected.

4 On the What to Backup screen, make sure ‘All information on this computer’ is selected, and click Next.

5 On the Backup Type, Destination, and Name screen, choose File in ‘Select the backup type’.

6 Browse to choose a location for your file and create a file called ASRbackup on your CD drive.

7 Name your backup ASR test.

8 On the Completing the Backup or Restore Wizard screen, check that all of the information is correct. Click Finish to start creating the ASR set. This can take up to 15 minutes.

9 When the Backup Utility message appears, follow the directions and insert a 1.44 Mb floppy disk into drive A:, and click OK.

10 A message telling you to remove the floppy disk and label it with the on-screen information is displayed. Do what it says and click OK.

11 The Backup Progress dialog box lets you know when the backup is finished. To view additional information about what happened during the backup process, click Report to open the backup report in Notepad and print it out. Click Close.

12 After you have created the ASR set, label the floppy disk and backup media carefully and keep them together. To use the backup media, you must have the floppy disk that you created with that set of media. You cannot use a floppy disk created at a different time or with a different set of media. You must also have your installation CD available at the time you perform ASR.

Note: Keep the ASR set in a secure location. The ASR set contains information about your system's configuration that could be used to harm your system.

Activity 5.4: Schedule backup jobs and manage backup procedures

• Use the Task Scheduler to create a normal backup of your system to a file called Backup, and select the option to verify the data.

• Start the job to run in 10 minutes and schedule it to run at the same time every week. Take a note in your logbook of your configuration options and include screen prints.

You are now going to create an ASR backup, as follows:

• Select Backup from the Start menu, then the Backup and Restore Wizard.

• Decide what information you want to back up and where you want to store the backup.

• The system prompts you to insert a floppy disk, as ASR writes vital files to the floppy disk to speed up the recovery process if you have a disaster.

Follow the step-by-step instructions below:

1 Open the Control Panel and select Scheduled Tasks.

2 Select Add a Scheduled Task. This opens the Scheduled Task Wizard. Click Next.

3 Select Backup from the list of applications and click Next.

4 Select ‘Perform this task weekly’ and click Next.

5 Select the start time as 10 minutes from now and the day as today. Click Next.

6 Confirm the credentials of a user who has the correct rights and permissions to run backup. Enter Administrator and Administrator password, confirm the password, and click Next.

7 Click Finish. You have now scheduled a default backup (normal) to be run once a week at the time, and on the day, you have chosen.

Now use an ASR set to recover the system by following the instructions in Activity 5.1.

Microsoft recommends that you create a summary backup log that you review on a regular basis to check that the backup was successfully completed.

To do this, click the Tools menu, and then click Options. On the Backup Log tab, select Summary.

If your backup is not occurring as expected you might want to check Scheduled Tasks from the Control Panel.

Verifying data after backup is complete

This is done using a checksum. If any files are in use during the backup, they might have verification errors but these can be ignored. However, if there is a large number of verification errors, it could indicate a faulty tape, so you might want to consider changing the backup tape to a new one.

To verify data after backup, in the Backup or Restore Wizard, select the ‘Verify data after backup’ check box on the How to Back Up screen.

SAQ 5.1

1 What options have you got on the Windows Advanced Options menu?

2 If you have installed a faulty driver and your system will not load, which option should you take?

Shadow copies of shared folders

Shadow Copies is a new feature of Windows XP and 2003; it does not replace backups and cannot be used as permanent archives. It is designed to enable users who have accidentally deleted a file, or who want to see a previous version of a file, to be able to recover it without the need for intervention from an administrator.

When you enable Shadow Copies, the default schedule is as follows:

• one copy taken per day

• copy taken at 7:00 am Monday to Friday.

If this schedule is not suitable, you can amend it.

You can only enable shadow copies on a per volume basis. The default storage settings are:

• Shadow copies are stored on the source volume (not recommended if you have high I/O; you can change to another volume).

• Storage size is 10% of the source volume (can be amended). When the limit is reached, the oldest copies are overwritten.

• 64 shadow copies are kept (this cannot be changed; when the limit is reached, copy 65 overwrites copy 1).

Activity 5.5: Recover shadow copy

• To implement Shadow Copies, follow the instructions in Activity 4.4.

• To create a shared folder, follow the instructions in Activity 3.1.

Follow the step-by-step instructions below.

1 Create a shared folder called Mywork, and a Notepad file in the folder called Yourname, in which you have typed your name and the date and time.

2 From Computer Management right-click Mywork and select All Tasks. Then select Configure Shadow Copies.

3 Select Create Now to create a shadow copy.

4 Navigate to folder Mywork using My Network Places so you see it as a shared folder. Left-click Mywork and select Properties.

5 Select the Previous Versions tab.

6 From the list of previous versions take the most recent and select View (check that it is the copy you want to restore). Close.

7 Select Restore.

8 Select OK when you get the warning message. You will now see a confirmation message that you have restored a previous version successfully.

Note: The minimum permissions required to view or copy a previous version are read for a shared folder, and to restore it, read and execute.

Recover from server hardware failure

Server hardware failure can be caused by a number of different factors, such as a hardware component that is faulty or has just failed, corrupt system data, viruses or a corrupt boot file. In the case of faulty hardware you need to replace the component and ensure that the system recognises the replacement. In the case of disks with data, if you have not implemented a fault tolerant configuration such as RAID 1 (mirroring) or RAID 5 (parity), after you have added the new disks you need to restore the lost data. If you have RAID 1, unless you have lost both sides of the duplexing you should be able to replicate to the replacement disk from the other half. If you have a RAID 5 configuration, whether you can replicate the lost data from the remaining disks or whether you have to recover it from backups depends on how many disks you lose.

It is always useful to have some spare components in case of failure so that they can be replaced immediately. How many spare components you keep depends on the risk to you of the component failing, the chance of it failing, the cost of the component and how long it would take to get another from the supplier. If it is crucial that your system is always available you might consider a 50/50 Active Cluster configuration where only 50% of the capability of the cluster in terms of processing, memory and storage is actually used at any one time. Thus if any part of it goes, you can switch to the ‘spare’ capacity. This is also useful from the point of view that the components are in use so they are being tested. If you have spare components, it is advisable to have a testing timetable to ensure that they are still working. In the same way, when your car has a road safety test such as an MOT, the spare tyre is checked, because if you have a puncture you need the spare tyre to be OK. If you only check spare components when you need them it is too late to repair any faults.

In the case of corrupt system data, viruses or a corrupt boot file causing your server to fail, there are a number of system tools to help you restore your system. If you have backed up your system state data on a regular basis, when you need to restore your system data you can restore the system state data.

To restore system state data, start the Backup and Restore Wizard, then click Restore and Manage Media and select System State. The system state data is now restored together with anything else you have chosen.

You need administrative privileges to restore system state data. If you are restoring system state data on a domain controller, you have to decide whether it is an authoritative restore or a non-authoritative restore. Non-authoritative restores are easier to carry out than authoritative restores but most of the time they are not enough. This is because the domain controllers in each domain keep a variety of information in Active Directory and changes made to Active Directory are replicated from one domain controller to the rest of the domain controllers in the domain. Replication occurs at intervals, not continuously. Therefore, the Active Directory on any domain controller is in loose consistency with those on other domain controllers because the most recent changes on each domain controller may not have been replicated to the others. Objects’ attributes are assigned version numbers that are incremented when the attributes are changed so that the replication process can determine which changes are the most current.

Active Directory data stored on domain controllers and replicated between them includes information about objects, configuration data (such as a list of all domains and the locations of their domain controllers) and schema data, which defines the types of objects that can be stored in the directory and the attributes they can have. This information is used by network applications and services. To restore Active Directory data:

1 Boot a domain controller in Directory Services Restore mode and press PF8 to take you into the Windows Advanced Options Menu.

2 Select Directory Services Restore Mode (Windows domain controllers only; Active Directory only exists on domain controllers). This runs through some basic checks of your hardware and boots the system in Safe mode.

3 You are prompted to log on and again warned that the system is in Safe mode.

4 Use Backup to restore the Active Directory database (NTDS.dit); the initial restore is a non-authoritative restore. The settings and entries maintain the version numbers they had at the time of backup.

After the domain controller is restored, it is updated using normal replication methods from other domain controllers. However, any object that was deleted after the last backup will be restored with the database file, but if the domain controller is then booted to normal Active Directory mode, the object will be deleted again during the replication process because of its lower version number. If you want to keep the object, you have to carry out an authoritative restore, which allows you to selectively increment the version numbers of attributes to make them authoritative in Active Directory. So when replication occurs after the restoration, when the version numbers of objects are compared, the objects and attributes on the restored domain controller that were restored authoritatively will have higher version numbers than those on the other domain controllers, and will replicate out to the other domain controllers instead of being overwritten as out-of-date. This allows you to recover deleted objects even after the deletion has been replicated throughout the enterprise.

Usually, an authoritative restore of selected objects and attributes follows a non-authoritative restore of the whole database. Accordingly, when you need to recover deleted objects from a backup or roll back changes to objects, you first need to perform a non-authoritative restore and then do an authoritative restore, even though it is more complex. To perform an authoritative restore after you have restored non-authoritatively, at the command prompt enter ntdsutil, then enter authoritative restore, then enter restore database. When prompted select Yes. The attribute version numbers for all your records in Active Directory are incremented by 100,000. If you do not wish to restore all of Active Directory, but only a part of it, when you do the non-authoritative restore make sure that in ‘Restore files to’, you click Original Location. In the authoritative restore, instead of entering restore database enter:

restore subtree ou=organisational unit name,dc=domain,dc=xxx (e.g. com)

So, if you wanted to restore the organisational unit education in the domain Scotland.com, the command would be: restore subtree ou=education,dc=Scotland,dc=com
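The version-number behaviour described above, as an added simulation that is not part of the original notes: an organisational unit deleted after the last backup is deleted again by replication after a non-authoritative restore, and survives once its subtree is marked authoritative. Replication is simplified to "highest version number wins" as the notes describe it; the controller names, users and attribute values are constructed.

```python
"""Added simulation: why a deleted OU needs an authoritative restore (constructed data)."""

DELETED = "deleted"           # stands in for the record of a deletion
AUTHORITATIVE_BUMP = 100_000  # the increment stated in the notes


def normalise(dn):
    """Compare distinguished names without regard to case or spacing."""
    return ",".join(part.strip().lower() for part in dn.split(","))


class DomainController:
    def __init__(self, name):
        self.name = name
        self.objects = {}  # dn -> (version, state)

    def change(self, dn, state):
        dn = normalise(dn)
        version = self.objects.get(dn, (0, None))[0] + 1
        self.objects[dn] = (version, state)

    def delete(self, dn):
        # A deletion is itself a change, so it carries a higher version number.
        self.change(dn, DELETED)

    def backup(self):
        return dict(self.objects)

    def restore_non_authoritative(self, backup):
        # Objects come back with the version numbers they had at backup time.
        self.objects = dict(backup)

    def mark_authoritative(self, subtree):
        subtree = normalise(subtree)
        for dn, (version, state) in list(self.objects.items()):
            if dn == subtree or dn.endswith("," + subtree):
                self.objects[dn] = (version + AUTHORITATIVE_BUMP, state)


def replicate(*dcs):
    """Simplified replication: for each object the highest version wins everywhere."""
    for dn in {dn for dc in dcs for dn in dc.objects}:
        winner = max((dc.objects[dn] for dc in dcs if dn in dc.objects),
                     key=lambda obj: obj[0])
        for dc in dcs:
            dc.objects[dn] = winner


OU = "ou=education,dc=Scotland,dc=com"
ALICE = "cn=alice," + OU                     # constructed user inside the OU
BOB = "cn=bob,ou=sales,dc=Scotland,dc=com"   # constructed user outside it


def scenario(authoritative):
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.change(OU, "present")
    dc1.change(ALICE, "present")
    dc1.change(BOB, "phone=1234")
    replicate(dc1, dc2)
    backup = dc1.backup()

    dc2.delete(ALICE)               # OU and its contents deleted in error
    dc2.delete(OU)
    dc2.change(BOB, "phone=5678")   # a legitimate change made after the backup
    replicate(dc1, dc2)

    dc1.restore_non_authoritative(backup)
    if authoritative:
        dc1.mark_authoritative("ou=education, dc=Scotland, dc=com")
    replicate(dc1, dc2)
    return {dn: dc2.objects[dn] for dn in map(normalise, (OU, ALICE, BOB))}


if __name__ == "__main__":
    for mode in (False, True):
        print("authoritative" if mode else "non-authoritative")
        for dn, (version, state) in scenario(mode).items():
            print(f"  {dn:45} v{version:<7} {state}")
```

In both runs the change made to the user outside the subtree after the backup is kept, because only the marked subtree has its version numbers raised.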

Simple non-authoritative restores are useful if you need to recover a domain controller that has crashed and that has a slow connection to the next domain controller. This restores an old version of Active Directory and only the differences between the restored domain controller and its replication partners need to be transmitted. If bandwidth is not an issue, you do not need to do a restore at all; if a domain controller crashes, you can simply promote a Windows 2000/2003 server to be a domain controller, and a clean version of Active Directory will replicate to it from an existing domain controller. If you are running Windows Server 2003, you can do this very efficiently by promoting a server to be a domain controller using the Install from Media feature.

Note: By default in Active Directory, backups are only valid for 60 days, so you will not be able to restore an object that was deleted more than 60 days ago. This has been changed to 180 days with Windows Server 2003 Service Pack 1 (SP1), but only for new deployments of Active Directory. If the system is upgraded to Windows 2003 SP1, the 60-day interval remains, unless changed manually on the NT Directory Service (NTDS) configuration object.

SAQ 5.2

1 What is the difference between an authoritative and a non-authoritative restore?

2 How do you carry out an authoritative restore?

3 What do you need to carry out an ASR recovery?

Summary of this section

There are a number of ways to access Backup and Restore. The most common types of backup are: full, copy, daily, incremental and differential.

ASR is designed to speed up the recovery process; it replaces ERD.

If you delete an organisational unit you need to do an authoritative restore.

Use Scheduled Tasks to automate important tasks such as backup and security scans.

If Shadow Copies is enabled, users can restore a previous copy of a shared folder (within limits) if they have the correct permissions.

If you have not created an ASR and you cannot start your system, use the Recovery console.

Answers to SAQs

5.1

1 Safe Mode; Safe Mode with Networking; Safe Mode with Command Prompt; Enable Boot Logging; Enable VGA Mode; Last Known Good Configuration (your most recent settings that worked); Directory Services Restore Mode (Windows domain controllers only); Debugging Mode; Start Windows Normally; Reboot

2 Restore Last Known Good Configuration, because that will restore the previous registry before the driver was installed.

5.2

1 If you carry out a non-authoritative restore, you are restoring the whole database. If you have fast links and the other domain controllers are OK, you could just replicate from them. You would do the non-authoritative restore if you have slow links, so only a small amount of replication is needed to get your system back up to the current level. An authoritative restore is when you want the copy you are restoring to be replicated to the other domain controllers. To ensure it overwrites and is not overwritten, its version number is increased by 100,000. This is more complex than a non-authoritative restore and would be used if someone had deleted a group or organisation unit in error.

2 Start System in Active Directory Restore mode, use Backup to restore the Active Directory Database, then use the command ntdsutil and the Authoritative Restore mode and then enter what you want to restore.

3 ASR recovery disk (floppy disk), backup tapes and the Windows 2003 installation CD.

Mock test

1 What group do I need to be part of to access Disk Management?

a. Authenticated Users

b. Everyone

c. Administrators

d. Power Users

2 Can I convert cluster disks to dynamic disks?

a. Yes

b. No

3 When you convert from basic to dynamic disks what do you have to reserve 1 Mb for?

a. Disk label

b. Master boot record

c. Disk catalog

d. Dynamic index

4 How would you initialise a new disk?

a. Right-click disk from Disk Management and select initialise

b. Open Disk from Disk Management, select Properties, select the initial tab and click on Start initialisation

c. Add New Disks and Drivers and Windows 2003 automatically initialises the disk

d. Use Initialise Disk Wizard from Disk Management

5 Which of the following is not a valid number of partitions for a basic disk?

a. Two primary partitions

b. Four primary partitions and one extended partition

c. Three primary partitions and one extended partition

d. Four primary partitions

6 How would you reassign drive letters?

a. From the command prompt enter a: change b:

b. From the command prompt enter change a:b

c. From Disk Management right-click volume whose drive letter you wish to change then select Change Drive letter and Paths from short cut menu.

d. From Disk Management right-click the volume whose drive letter you wish to change, select Properties and change the letter on the Drive tab

7 What does Performance Tools consist of?

a. System Monitor and Performance Logs and Alerts

b. Performance Monitor and Task Manager

c. Alerts and Task Manager

d. Performance Monitor and Performance Logs and Alerts

8 Which of the following dynamic disks gives the fastest write access?

a. RAID 0

b. RAID 1

c. RAID 5

d. Spanned

9 Where are roaming profiles stored?

a. In the registry

b. In the place specified in the profile path on the Profile tab of the User object.

c. In the place specified in the profile path on the Environment Tab of the user object.

d. In the System folder

10 User Account is also referred to as a User ______ in Active Directory.

a. Name

b. Logon

c. Computer

d. Object

11 What tool would you use to set up different roles on a server?

a. Server Wizard

b. Setup Wizard

c. Configure your Server Wizard

d. Configure your Roles Wizard

12 Which of the following is not part of the default password policy?

a. Cannot contain all or part of user’s name

b. Must be at least eight characters in length

c. Can contain only lowercase characters

d. Cannot have £ in it

13 What does the Group Policy Management console do?

a. Provides a tool to monitor and manage group policy settings

b. Resets user passwords

c. Creates new users

d. Lists members of security groups

14 Where would I access logon hours on a User’s account?

a. From the General tab in user properties

b. From the Environment tab in user properties

c. From the Dial-In tab in user properties

d. From the Account tab in user properties

15 How would you select multiple user accounts?

a. Go to Action and select Multiple

b. Hold down the SHIFT key and select the accounts

c. Hold down the ALT key and select the accounts

d. Hold down the CTRL key and select the accounts

16 Which of the following displays the properties of an object in Active Directory?

a. dsget

b. dsmod

c. dsquery

d. dsmove

17 What tool would you use to setup sharing and shared access on a folder?

a. The Folder Wizard

b. System Tools

c. The Access Wizard

d. The Share Folder Wizard

18 How are shadow copies configured?

a. In Computer Management select Shared Folders, then Select All Tasks, then Configure Shadow Copies

b. In Windows Explorer, select File then Configure Shadow Copies

c. In the Hardware tab from System Properties, select Shadow

d. In Backup, select Shadow Copies

19 What permissions apply to Shared Folders when logging in across the network?

a. Share permissions only

b. NTFS permissions only

c. Share and Network permissions

d. Share and NTFS permissions

20 Which of the following is installed on Windows 2003 by default?

a. IIS version 6

b. Remote Desktop for Administration

c. DHCP

d. Microsoft Office®

21 Which of the following would you use to connect to a server session from a remote client?

a. Server connect

b. Remote Desktop for Administration

c. Windows Explorer

d. Configure Server Wizard

22 Why should domain controllers not be configured as terminal servers?

a. Not enough memory

b. Security risk

c. Poor network connection

d. Limited number of connections to domain controller

23 If you are using a terminal server in application mode, how long have you got to get licences?

a. 24 hours

b. 7 days

c. 120 days

d. 1 year

24 If you want a sub-folder to have different permissions to its parent folder, what would you do?

a. Enable inheritance

b. Enable no override on the parent folder

c. Make the parent folder read only

d. Block inheritance

25 Which of the following does not minimise performance tools overhead?

a. Sample at less frequent intervals

b. Run system monitor in graph view (default)

c. Select less objects and counters

d. Log to different disk to that which you are monitoring

26 What type of software update does Microsoft recommend?

a. Manual

b. Automatic

c. Express

d. Custom

27 If you are using automatic update, by default when are the updates downloaded to your computer?

a. Once a week at 3:00 am

b. Once a day at noon

c. Once a day at 3:00 am

d. Once a week at noon

28 Which of the following are reasons for not turning automatic update off?

a. Low bandwidth

b. Risk of viruses

c. Access limited to firewall only

d. System not connected to a network

29 Which of the following are not components of Terminal Server and Remote Desktop For Administration?

a. Web Interface for Administration

b. Terminal Services Licensing

c. Terminal Services Configuration

d. Terminal Services Manager

30 When you use the wizard to configure a File Server, which of the following tasks are not carried out?

a. Share permissions set up

b. Folder shared

c. NTFS permissions set up

d. Shadow copies enabled

31 Which of the following server roles is not configured using the Configure Server Wizard?

a. File server

b. Web server

c. Domain controller

d. Print server

32 How would you stop the Print spooler?

a. By stopping the Print Spooler Service from Services

b. By stopping the print spooler from Action in Printer and Faxes

c. By selecting Printer then selecting Stop Spooler

d. By using Task Manager and ending the Print Spooler task

33 How do you access Windows Advanced Option menu?

a. From the Start menu

b. From Administrative Tools

c. It boots automatically into the Windows Advanced Option menu

d. Press PF8 when prompted during the boot process

34 What is the Last Known Good Configuration?

a. A backup set of drivers

b. Roll-back drivers

c. Last copy of shadow copy

d. Backup of the last configuration that was used when you successfully logged on

35 Where is the Last Known Good Configuration kept?

a. In the registry key HKLM\System\CurrentControlSet

b. In the System folder

c. Where you specify on the User’s Account tab from Properties

d. In Active Directory

36 Which of the following drivers does Safe Mode not load?

a. Mass storage

b. Network adapter

c. Printer

d. Mouse

37 How is an ASR backup created?

a. Using the Recovery Wizard

b. Using Backup

c. Using the ASR Wizard

d. Using the Restore Wizard

38 What tool is used to automate routine essential tasks?

a. Task Scheduler

b. Calendar

c. Disk Management

d. Defragmenter

39 Which of the following is not a valid backup type?

a. Normal

b. Difference

c. Incremental

d. Copy

40 Which of the following Backup types resets the archive attribute?

a. Normal

b. Differential

c. Copy

d. Incremental

Mock test answers

1c, 2b, 3b, 4d, 5b, 6c, 7a, 8a, 9b, 10d, 11c, 12b,c,d, 13a, 14d, 15b,d, 16a, 17d, 18a, 19d, 20b, 21b, 22b, 23c, 24d, 25b, 26b, 27c, 28b, 29a, 30c,d, 31b, 32b, 33d, 34d, 35a, 36b,c, 37b,c, 38a, 39b, 40a,d

Useful websites

To find out the meaning of any technical term, try http://www.webopedia.com

To study for the restricted-response closed-book test(s), try:

• http://certification.about.com/cs/sampletests/a/mcse70290.htm

• http://www.hotscripts.com/Detailed/43554.html

• http://www.sharewareriver.com/product.php?id=14695

The website below has study guides as well:

• http://www.certyourself.com/

The website below is a tutorial that takes you through Administering Windows Server 2003:

• http://www.learnthat.com/certification/learn.asp?id=422&index=1

If you have any problems with any of the activities, the best place to go for troubleshooting advice is Microsoft itself:

• http://www.microsoft.com

The home page for Windows 2003 server systems is:

• http://www.microsoft.com/windowsserver2003/default.mspx

And you can search the site using the search facility at the top right-hand side of the page.

Glossary

Technical terms can be found in: http://www.webopedia.com

ACL Access control list

ADSI Active Directory Service Interface

ASP Active Server Page

ASR Automated System Recovery

CAL Client Access License

CDFS Compact Disk File System

CPU Central processing unit

DFS Distributed File System

EFS Encrypted File System

ERD Emergency Repair Disk

EULA End User License Agreement

FAT File Allocation Table

FRS File Replication Service

GPO Group Policy Object

I/O Input/Output

IAS Internet Authentication Service

IIS Internet Information Services

LDAP Lightweight Directory Access Protocol

MBR Master Boot Record

MMC Microsoft Management Console

NetBIOS Network Basic Input/Output System

NTDS NT Directory Service

NTFS NT file system

NTLM NT LAN Manager

OU Organisational Unit

PDC Primary Domain Controller

RAID Redundant Array of Independent (Inexpensive) Disks

RAM Random Access Memory

RAS Remote Access Service

RDP Remote Desktop Protocol

RDP-Tcp Remote Desktop Protocol over TCP/IP

RSoP Resultant Set of Policy

SAM Security Accounts Manager

SCSI Small Computer Systems Interface

SID Security Identifier

SUS Software Update Services

TCP/IP Transmission Control Protocol/Internet Protocol

UPN User Principal Name

USB Universal Serial Bus

VGA Video Graphics Array

WAB Windows Address Book

WebDAV Web Distributed Authoring and Versioning