2.5. Managing and Maintaining a Server Environment

Managing and maintaining a server environment encompasses many aspects of administration. Because server performance can degrade over time, you need to:

  • Routinely monitor events in Event Viewer

  • Periodically monitor and optimize system performance

  • Periodically monitor and optimize servers for application performance

Beyond the essential monitoring that may be required for maintenance, you'll also need to manage the essential infrastructure, including any web servers, print queues, software licensing, and software updates. By closely watching essential services, queues, and infrastructure, you ensure that the server environment continues to operate as expected.

2.5.1. Monitoring and Analyzing Events

Windows Server 2003 includes a set of logfiles that are used to record system events of various types. If you suspect a system has a problem, the event logs should be the first place you look to diagnose the problem.

2.5.1.1. Understanding the event logs

All Windows Server 2003 systems have three general purpose logs:


Application

Contains events logged by Windows applications and printers configured on the system.


Security

Contains events related to security auditing. Only the events configured for auditing are logged. By default the log is accessible only to administrators; grant access to others as necessary.


System

Contains events logged by operating system components and services. The events recorded in the System log are preconfigured by the operating system.

The availability of other logs depends on the system configuration. Logs you may see include:


DFS Replication

Records DFS events if the server is configured to use DFS replication.


Directory Service

Records events from Active Directory if the system is configured as a domain controller.


DNS Server

Records events from DNS if the system is configured as a DNS server.


File Replication Service

Records events from the File Replication Service if the system is configured as a domain controller.


Forwarded Events

Records forwarded events if event forwarding is configured.


Hardware Events

Records events from hardware subsystems on systems with this capability.

2.5.1.2. Accessing and reviewing events

Event logs are accessible in the Event Viewer (eventvwr.exe). In the Computer Management console (compmgmt.msc), you can view an event log by double-clicking System Tools, double-clicking Event Viewer, and then selecting the log you want to view as shown in Figure 2-24.

Figure 2-24. Events are listed in date/time order.


Events are recorded in date/time order with the most recent events at the start of the log and the oldest events at the end. When analyzing events, pay particular attention to the following:


Event type

Specifies the type of event that occurred.


Event source

Specifies the service, Windows component, or application for which the event was recorded.


Event category

Specifies the general category of the event, if applicable.

You should use the event type designator to determine whether an event warrants further investigation. Event types you'll see include:


Information

Routine events that typically record successful actions.


Success Audit

When auditing is enabled, these events record successful execution of an action, such as a successful logon.


Failure Audit

When auditing is enabled, these events record failed execution of an action, such as a failed logon.


Warning

Notification events alerting administrators to possible problems that may need attention.


Error

Notification events alerting administrators to specific problems and errors that need attention.

When you are troubleshooting system problems, the events you'll look most closely at are warnings and errors. For security issues, the events you'll look most closely at are failure audits.

When working with a particular log, you can set properties that determine how events are recorded. You can also set filtering options so that you see only events that meet specific requirements. By default, Windows Server 2003 logs are configured to overwrite old events as needed. As a result, when a log reaches its maximum size, the operating system overwrites old events with new events.

2.5.1.3. Viewing and setting log options

You can view and set logging options on a per-log basis by completing the following steps:

  1. Open Computer Management. Expand System Tools and Event Viewer.

  2. Right-click the log you want to work with and then select Properties.

  3. Use the options shown in Figure 2-25 to configure the maximum log size and overwrite options.

    Figure 2-25. Review the logging options and change settings as necessary.

You can set filtering options for a log by completing the following steps:

  1. Open Computer Management. Expand System Tools and Event Viewer.

  2. Right-click the log you want to work with and then select Properties.

  3. On the Filter tab, select the types of events to display and any other desired filtering options. For example, if you want to see Warning and Error events only, clear all the event type checkboxes except for Warning and Error, as shown in Figure 2-26.

    Figure 2-26. Use filtering options to help you find specific types of events.

  4. Now when you view the selected log, you'll see only the events that meet the filter requirements. To restore the view so that all events are displayed, click Restore Defaults on the Filter tab.
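The triage the text describes (warnings and errors for system trouble, failure audits for security issues) can be scripted rather than clicked through. The following PowerShell is an added example, not code from the book; Select-AttentionEvents is a hypothetical function name, the sample events are constructed, and the live call assumes Windows PowerShell, whose Get-EventLog cmdlet reads the classic logs this section covers.

```powershell
# Added example (not from the book): triage the classic event logs the way
# Section 2.5.1 advises (Warning and Error events for system trouble,
# Failure Audit events for security) and roll up failure audits that repeat
# from the same source and event ID so a pattern stands out.
# $Events are objects with TimeGenerated, EntryType, Source, EventID and
# Message, as Get-EventLog returns them (or constructed, as below).
function Select-AttentionEvents {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinRepeats = 3     # failure audits repeated this often are flagged
    )
    $trouble  = @($Events | Where-Object { $_.EntryType -in @('Warning', 'Error') })
    $failures = @($Events | Where-Object { $_.EntryType -eq 'FailureAudit' })
    $repeated = @($failures |
        Group-Object -Property Source, EventID |
        Where-Object { $_.Count -ge $MinRepeats } |
        ForEach-Object {
            $ordered = @($_.Group | Sort-Object TimeGenerated)
            [pscustomobject]@{
                Source  = $ordered[0].Source
                EventID = $ordered[0].EventID
                Count   = $ordered.Count
                First   = $ordered[0].TimeGenerated
                Last    = $ordered[-1].TimeGenerated
            }
        })
    [pscustomobject]@{
        Trouble          = $trouble
        FailureAudits    = $failures
        RepeatedFailures = $repeated
    }
}

# Constructed sample (stands in for Get-EventLog output; IDs and messages are illustrative).
$t0 = [datetime]'2003-11-14T09:00:00'
$sampleEvents = @(
    [pscustomobject]@{ TimeGenerated = $t0;                EntryType = 'Information';  Source = 'Service Control Manager'; EventID = 7036; Message = 'The Print Spooler service entered the running state.' }
    [pscustomobject]@{ TimeGenerated = $t0.AddMinutes(5);  EntryType = 'Warning';      Source = 'W32Time';  EventID = 36;  Message = 'The time service has not synchronized the system time.' }
    [pscustomobject]@{ TimeGenerated = $t0.AddMinutes(12); EntryType = 'Error';        Source = 'Disk';     EventID = 51;  Message = 'An error was detected on device \Device\Harddisk0 during a paging operation.' }
    [pscustomobject]@{ TimeGenerated = $t0.AddMinutes(20); EntryType = 'FailureAudit'; Source = 'Security'; EventID = 529; Message = 'Logon Failure: Unknown user name or bad password. User Name: jsmith' }
    [pscustomobject]@{ TimeGenerated = $t0.AddMinutes(21); EntryType = 'FailureAudit'; Source = 'Security'; EventID = 529; Message = 'Logon Failure: Unknown user name or bad password. User Name: jsmith' }
    [pscustomobject]@{ TimeGenerated = $t0.AddMinutes(22); EntryType = 'FailureAudit'; Source = 'Security'; EventID = 529; Message = 'Logon Failure: Unknown user name or bad password. User Name: jsmith' }
    [pscustomobject]@{ TimeGenerated = $t0.AddMinutes(40); EntryType = 'SuccessAudit'; Source = 'Security'; EventID = 528; Message = 'Successful Logon. User Name: jsmith' }
)
$triage = Select-AttentionEvents -Events $sampleEvents
$triage.Trouble          | Format-Table TimeGenerated, EntryType, Source, EventID -AutoSize
$triage.RepeatedFailures | Format-Table -AutoSize

# Live use (not run here), on Windows PowerShell where Get-EventLog reads the
# classic logs; the Security log needs administrator rights, as the text notes:
#   $since = (Get-Date).AddHours(-24)
#   $live  = 'System', 'Application', 'Security' | ForEach-Object { Get-EventLog -LogName $_ -After $since }
#   Select-AttentionEvents -Events $live
```

On the constructed sample the Trouble list holds the W32Time warning and the Disk error, and RepeatedFailures holds one row for Security/529 with a count of 3.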

2.5.2. Monitoring System Performance

Generally, you'll use performance monitoring to ensure the ongoing performance of systems, to troubleshoot, and to optimize performance. Windows Server 2003 includes several tools for monitoring system performance. The two you'll use most frequently are:


Task Manager

Use this for basic monitoring of both application and system performance.


Performance Console

Use this for comprehensive monitoring and analysis of ongoing performance.

Each tool has a specific use and a place in the overall system monitoring plan, as well as in optimization and general troubleshooting. Task Manager can be used to diagnose non-responsive applications and to identify possible problems with processors, network connections, and memory. The Performance console is a powerful tool that can be used to pinpoint the exact origin of a performance problem and to help you optimize the system configuration.

2.5.2.1. Working with Task Manager

Task Manager displays the current status of applications, background processes, and system resources. To open Task Manager, log on to the computer you want to monitor, and then press CTRL+ALT+DEL and click Task Manager, or type taskmgr at a command prompt. When you start Task Manager, the default tab accessed is the Applications tab as shown in Figure 2-27. The Applications tab shows the status of the programs that are currently running on the system. The status can be "Running" or "Not Responding." You can stop an application that isn't responding by clicking the application name and then clicking End Task. Start a new program by clicking New Task and then entering the command that runs the application. Go to the related process in the Processes tab by right-clicking an application and then selecting Go To Process.

Figure 2-27. The Applications tab of Task Manager shows the status of applications.


The Processes tab (see Figure 2-28) displays detailed information about processes, which are programs running on the computer and can include foreground applications run by users and background applications run by the operating system. You can work with this tab as follows:

Figure 2-28. The Processes tab of Task Manager shows the foreground and background processes.


  • By default, processes run by remote users are not displayed. Select Show Processes From All Users to display remote user processes as well as local processes.

  • Right-click a process to display a list of options. Choose Set Priority to set processing priority. Most processes have Normal priority by default. Choose End Process to stop the process. Choose End Process Tree to stop the process and all child processes.

  • By choosing View → Select Columns, you can change the available columns to include additional details on Base Priority (the priority of a process), CPU Time (CPU cycle time used by a process), Handle Count (the number of file handles used by a process), I/O Reads and I/O Writes (disk reads or writes since a process started), Page Faults (requests for a page in memory not found), Peak Memory Usage (highest amount of memory used by a process), Thread Count (number of threads a process is using), and more.

The Performance tab (see Figure 2-29) displays a real-time overview of resource usage. A graph for each processor gives a visual summary of processor usage. CPU Usage History is a history graph of CPU usage plotted over time. Page File Usage History is a history graph of the paging file (or virtual memory) usage plotted over time. You can change the graphs using:

Figure 2-29. The Performance tab of Task Manager shows resource usage.



View → Update Speed

Allows you to change the speed of graph updating or pause the graph.


View → CPU History

On multiprocessor systems, allows you to specify how CPU graphs are displayed.

The text lists below the graphs summarize the usage of physical, kernel, and commit memory as well as the number of active handles, threads, and processes:


Physical Memory

Summarizes RAM usage on the system: Total (the configured amount of physical RAM), Available (RAM not currently being used), and System Cache (RAM used for system caching).


Commit Charge

Displays total memory usage: Total (current usage for physical and virtual memory), Limit (total physical and virtual memory available), and Peak (maximum memory usage since start).


Kernel Memory

Displays memory usage by the operating system kernel: Total (current paged and nonpaged kernel memory usage), Paged (kernel memory that can be paged to virtual memory), and Nonpaged (kernel memory that is never paged to virtual memory).

The Networking tab provides a summary of active network connections. A graph depicts the percentage of utilization for each network connection. A text summary lists network connections by name, percent utilization, link speed, and operational status. By default, the graph displays network adapter history according to the total byte count. Use View → Network History to add bytes sent and bytes received.

The Users tab provides a summary of interactive user sessions for both local and remote users. Users are listed by account name, session ID, status, originating client computer, and session type. Console sessions represent users logged on to the local system. RDP-Tcp sessions represent users logged on using Remote Desktop Protocol over TCP. Right-click a user session to display options for disconnecting, logging off, and remote control.

2.5.2.2. Working with the Performance console

Using the Performance console, you can perform in-depth monitoring and analysis of computer activity. Start the Performance console by clicking Start → Programs → Administrative Tools → Performance or by typing perfmon.msc at a command prompt. The Performance console's remote monitoring capabilities allow you to track the performance of multiple computers from a single monitoring computer.

2.5.2.2.1. Understanding performance monitoring

As Figure 2-30 shows, the Performance console has two snap-ins:

Figure 2-30. Use the Performance console to monitor and analyze computer activity.



System Monitor

Used to collect real-time performance data from local and remote computers.


Performance Logs and Alerts

Used to record performance data in logs for later analysis and to configure alerts triggered when a performance parameter reaches a specific limit or threshold.

Users do not need to be administrators to monitor or log performance. Any user that is a member of the built-in group Performance Monitor Users can monitor performance counters, logs, and alerts. Any user that is a member of the built-in group Performance Log Users can schedule logging and alerting.

Whether you are monitoring system performance, configuring performance logs, or setting performance alerts, you specify the activity to track or alert by using:


Performance objects

Represent system and application components with measurable sets of properties. Most critical system components and services have related objects. Examples of objects you can monitor include PhysicalDisk, LogicalDisk, Memory, Processor, and Paging File.


Performance object instances

Represent specific occurrences of performance objects. For example, if a computer has multiple processors, physical disks, and logical disks, there'll be one object instance for each and you'll be able to track the instances separately or collectively.


Performance counters

Represent the measurable properties of performance objects. Every performance object has several performance counters associated with it. With the Process performance object, you can use the %Processor Time counter to measure processor usage. With the Memory performance object, you can use the Available MBytes counter to view the amount of physical memory available.


Tip: When working with performance objects, object counters, and object instances, you'll see various notation schemes. Typically, performance objects are referred to by name, such as the Memory object. Performance counters are referred to via the object to which they relate in the form ObjectName\CounterName. For example, to refer to the Committed Bytes counter of the Memory object, the notation Memory\Committed Bytes is used. Object instances are referred to with regard to the object and counter to which they relate in the form ObjectName(instance_name)\CounterName, such as Process(dns)\Pool Paged Bytes.

Data collected by System Monitor can be summarized in multiple formats: graphic, histogram, and report. Graph is the default format. When working with System Monitor, press Ctrl+B for histogram or Ctrl+R for report format.

2.5.2.2.2. Monitoring performance of local and remote systems

Performance can be tracked on the system you want to monitor or from another computer. To specify counters to monitor, follow these steps:

  1. Open the Performance console. Select the System Monitor node.

  2. To add counters, click the Add button on the toolbar or press Ctrl+L.

  3. In the Add Counters dialog box shown in Figure 2-31, use the Select Counters From Computer list to select the computer to monitor.

    Figure 2-31. Select the counters to monitor.

  4. Next, select a performance object to monitor using the Performance Object list.

  5. Specify counters. To track all counters for an object, click the All Counters radio button. To track selected counters for an object, click Select Counters From List and then click a counter.

  6. Specify instances. For each set of counters or selected counter, specify the related object instance. To track the counter for all instances of the object, click the All Instances radio button.

  7. Click the Add button to add the selected counters to System Monitor's list of items to monitor.

  8. Repeat this process for other objects, object counters, and object instances you want to monitor.

  9. Click Close when you are finished adding counters.

When working with System Monitor, you can stop monitoring a counter by clicking a counter in the counter list and then pressing Delete.

2.5.2.2.3. Performance logging

Real-time monitoring in System Monitor is useful when you are diagnosing a current performance issue or problem. When you want to track performance over time, however, you'll want to use performance logging. You can configure performance logging using:


Counter logs

Counter logs record performance data at specified intervals.


Trace logs

Trace logs record performance data whenever tracked events occur.

To create a performance log, follow these steps:

  1. Open the Performance console. Expand the Performance Logs And Alerts node and then select either Counter Logs or Trace Logs, depending on the type of log you want to create.


    Tip: Any current logs are listed with a red icon to indicate logging is stopped, or with a green icon to indicate logging is active.

  2. Right-click in the right pane and select New Log Settings.

  3. Type a name for the log and then click OK.

  4. With a counter log, you must next specify the objects, object counters, and object instances to log by clicking the Add Objects or Add Counters button. Set the sample interval. The default sample interval is 15 seconds.

  5. With a trace log, you must next specify the events to track. Select the Events Logged By System Provider radio button and then use the checkboxes provided to set the tracked events. The designated events are logged whenever they occur.

  6. Use the Log Files tab options to set the log file type and name. Logs are written to C:\PerfLogs by default.

  7. Use the Schedule tab options to specify when logging starts and stops.

  8. Click OK.

You can manually start or stop logging by right-clicking a log and then selecting either Start or Stop as appropriate. You can replay logged data at a later date to analyze performance by completing the following steps:

  1. Open Performance Monitor. Select the System Monitor node in the left pane.

  2. Click the View Log Data button on the System Monitor toolbar or press Ctrl+L.

  3. With binary or text-based logfiles, click Log Files, and then click Add. Select the log file you want to analyze, and then click Open.

  4. With SQL logging, click Database, and then provide the system DSN and log set details.

  5. Click the Time Range button, and then drag the Total Range bar to specify the appropriate starting and ending times.

  6. On the Data tab, specify which of the logged counters to view. Click the Add button, and then select the counters to analyze.

  7. Click OK, and then use System Monitor to review the logged data.

2.5.2.2.4. Performance alerting

When you want to be alerted to potential problems or track specific conditions, you'll want to use performance alerting. To configure performance alerting, specify alerts that should be triggered when a performance parameter reaches a specific limit or threshold. Alerts can be configured to start applications and performance logs as well.

To create an alert, follow these steps:

  1. Open the Performance console. Expand the Performance Logs And Alerts node.


    Tip: Any current alerts are listed with a red icon to indicate alerting is stopped, or with a green icon to indicate alerting is active.

  2. Right-click Alerts, and then choose New Alert Settings.

  3. Type a name for the alert, and then click OK.

  4. Click Add to select the counters for which you want to configure alerts.

  5. Click Close when you're finished.

  6. Select each counter in turn and then use the Alert When Value Is . . . field to set the threshold for triggering the alert. For example, with %Processor Time, you might want to be alerted when the value is more than 95.

  7. Set the sample interval. The default sample interval is five seconds.

  8. On the Action tab, choose the actions that you want the alert to perform whenever it is triggered. By default, an event is logged in the application event log. You can also send a network message, start a performance log, or run a program.

  9. Use the Schedule tab options to specify when alerting starts and stops.

  10. Click OK.

You can manually start or stop alerting by right-clicking an alert and then selecting either Start or Stop as appropriate.

2.5.3. Monitoring and Optimizing a Server Environment for Performance

Monitoring Windows systems can help you establish baseline usage statistics and evaluate ongoing performance. Use baselines to determine how a system performs under various usage loads. Use performance evaluations to determine whether a system is performing as expected.

When it comes to optimization, virtual memory is as important as physical memory. In most cases, servers with 2 GB or less physical memory should have virtual memory that is at least two times physical memory. For best performance, virtual memory should have a fixed size and be located on multiple physical disks. You can set virtual memory using the System utility in the Control Panel. In the System utility, click the Advanced tab, then under Performance, click Settings to display the Performance Options dialog box. In the Performance Options dialog box, click the Advanced tab, and then click Change under Virtual Memory. You can then use the available options to view and manage the virtual memory settings for the computer.

2.5.3.1. Choosing objects to monitor

The object counters you choose to monitor will vary depending on the role of the computer you are working with. With most Windows systems, you'll want to monitor the four key performance areas:


Memory usage

Related objects include Cache, Memory, and Paging File


Processor usage

Related objects include Processor, Job Object, Process, and Thread


Disk

Related objects include LogicalDisk, PhysicalDisk, and System


Network

Related objects include Network Interface, Server, and Server Work Queues

If you create performance baselines for systems, you can compare these and other performance areas in the baselines to current performance. This will help you identify potential problems and bottlenecks that might cause a system to operate at less than optimal performance levels. Table 2-12 lists various server roles and the objects typically monitored for those roles, and provides guidelines on additional objects to add when troubleshooting.

Table 2-12. Performance objects to monitor based on server role

Server role | Objects typically monitored | When troubleshooting, add . . .
----------- | -------------------------- | -------------------------------
Application, mail, and web server | Memory, Processor, Network Interface, System, PhysicalDisk, and LogicalDisk | Cache, Paging File; instance-specific to the application, Job Object, Process, and Thread as appropriate
Backup server | Processor, Network Interface, System, and Server | Memory and Server Work Queues
Database server | Memory, Processor, Network Interface, System, PhysicalDisk, and LogicalDisk | Paging File, Server, and Server Work Queues
Domain controller | Memory, Processor, Network Interface, System, PhysicalDisk, and LogicalDisk | Paging File, Server, and Server Work Queues
File and print server | Memory, Network Interface, PhysicalDisk, LogicalDisk, Print Queue, and Server | Processor, Paging File, System, and Server Work Queues


2.5.3.2. Monitoring memory performance objects

Windows systems have both physical and virtual memory. Memory bottlenecks occur when low available memory conditions cause increased usage of the paging file. Page faults occur when requests for data are not found in memory and the system must look to other areas of memory or to virtual memory on disk.

Two types of page faults are tracked:


Soft page faults

These occur when the system must look for the necessary data in another area of memory.


Hard page faults

These occur when the system must look for the necessary data in virtual memory on disk.

When a system is running low on memory, hard page faults can make the system appear to have a disk problem due to excessive page swapping between physical and virtual memory. You can determine physical and virtual memory usage by using Memory\Available Kbytes and Memory\Committed Bytes. Memory\Available Kbytes is the amount of physical memory not yet in use. Memory\Committed Bytes is the amount of committed virtual memory. The Memory\Page Faults/sec counter helps you track page faults. Specific usage of the paging file can be tracked using Paging File\%Usage.

If the available memory is low, consider adding physical memory, virtual memory, or both to the system. You can determine the current amount of virtual memory available to a system using Memory\Commit Limit. The difference between the commit limit and the committed bytes is the amount of virtual memory available for use.

Table 2-13 summarizes specific indicators of memory bottlenecks and potential resolutions.

Table 2-13. Resolving memory bottlenecks

Object\Counter | Alert threshold | Solution
-------------- | --------------- | --------
Memory\Available Kbytes | Consistently lower than 10 percent of total physical memory | Identify process using high amounts of memory; install additional physical memory
Memory\Nonpaged Kbytes | Increasing over time without increased workload | May indicate a memory leak; identify the program that might have the memory leak and look for an updated version
Memory\Page Faults/sec | Consistently 5 percent or higher | Identify process causing page faults; install additional physical memory
Memory\Pages/sec | Consistently substantially higher compared to baseline | Identify process causing excessive paging; install additional physical memory
Paging File\%Usage | Consistently higher than 90 percent | Configure additional virtual memory; if virtual memory is already twice physical RAM, add physical memory as well


2.5.3.3. Monitoring processor performance objects

Systems with high processor utilization may perform poorly. If a system's processor utilization peaks at 100 percent, the processor is fully utilized and the system is likely overloaded. You can determine processor utilization using Processor\%Processor Time. Another counter that can help you identify processor bottlenecks is System\Processor Queue Length, which tracks the number of threads waiting to be executed. If there are multiple threads waiting to execute, the processor isn't keeping up with the current workload. You can resolve this by shifting part of the system's workload to other computers or installing additional processors.

When programs allocate memory for use but do not fully release the allocated memory, the program may have a memory leak. Over time, a memory leak can cause a system to run low on or run out of memory. Rebooting the system can temporarily fix the problem. To help determine which specific process or processes are causing the processor bottleneck, you can use the counters of the Process object. Each running process has a separate instance of the Process object. You'll want to track Process(process_name)\Handle Count, Process(process_name)\Thread Count, Process(process_name)\Pool Paged Bytes, Process(process_name)\Private Bytes, and Process(process_name)\Virtual Bytes to determine how a particular process is using memory.

Table 2-14 summarizes specific indicators of processor bottlenecks and potential resolutions.

Table 2-14. Resolving processor bottlenecks

Object\Counter | Alert threshold | Solution
-------------- | --------------- | --------
Process(process_name)\Pool Paged Bytes, Process(process_name)\Private Bytes, Process(process_name)\Virtual Bytes | Increasing over time without increased workload | May indicate a memory leak; may need to install an updated version of the program
Processor\%Processor Time, Processor\%Privileged Time, Processor\%User Time | Frequently sustained at 85 percent or higher | Upgrade the CPU; install additional CPU; shift workload
Processor\Interrupts/sec | High sustained values (relative to the baseline) | May indicate a problem with a hardware device; if so, find and replace the faulty hardware device
System\Processor Queue Length, Server Work Queues\Queue Length | Sustained at 2 percent or higher | Upgrade the CPU; install additional CPU; shift workload


2.5.3.4. Monitoring network performance objects

The available network bandwidth determines how fast data is sent between clients and servers. When the network bandwidth is saturated, network performance suffers because clients and servers aren't able to communicate with each other in a timely and efficient manner. Most computers have network interfaces that operate at 100 megabits per second (100 Mbps) or at 1 gigabit per second (1 Gbps). Because most networks operate at these same speeds, the network typically would get saturated before a computer reaches maximum network utilization. That said, if you suspect the problem is with a particular computer rather than with the network itself, you can determine this using the Network Interface performance object.

The Network Interface\Output Queue Length counter can help you identify network saturation issues. You can use Network Interface\Current Bandwidth to determine the current bandwidth setting and total capacity of a particular network interface. The Network Interface\Bytes Total/sec counter provides the total bytes transferred or received per second. If the total bytes per second value is more than 50 percent of the total capacity, the system may have a network bottleneck problem. You can resolve this by shifting part of the system's workload to other computers or installing additional network interface cards.

Table 2-15 summarizes specific indicators of network bottlenecks and potential resolutions.

Table 2-15. Resolving network bottlenecks

Object\Counter | Alert threshold | Solution
-------------- | --------------- | --------
Network Interface\Current Bandwidth, Network Interface\Bytes Total/sec | Total bytes transferred more than 50 percent of capacity | Upgrade network adapters; install additional network adapters
Network Interface\Output Queue Length | High sustained queue length | Decrease saturation on the network; increase network bandwidth
Network Interface\Bytes Recd/sec | Total bytes received more than 50 percent of capacity | Upgrade network adapters; install additional network adapters
Network Interface\Bytes Sent/sec | Total bytes sent more than 50 percent of capacity | Upgrade network adapters; install additional network adapters


2.5.3.5. Monitoring disk performance objects

Disk performance is tracked using the PhysicalDisk and LogicalDisk objects. PhysicalDisk objects are available for each physical hard disk on a system. LogicalDisk objects are available for each logical volume created on a system. To track free space on logical disks, you can use the LogicalDisk\%Free Space counter. To determine the level of disk I/O activity, you can use the PhysicalDisk\Disk Writes/sec and PhysicalDisk\Disk Reads/sec counters.

PhysicalDisk\Avg. Disk Write Queue Length, PhysicalDisk\Avg. Disk Read Queue Length, and PhysicalDisk\Current Disk Queue Length track disk-queuing activity. The write and read queue lengths are a measure of how well disks are performing. If there are multiple requests in a write or read queue waiting to be processed, the disk isn't performing as fast as is necessary to keep up with I/O requests.

As discussed previously, this problem could be due to the excessive page swapping that may occur if physical memory is low. An indicator of this may be a consistently high PhysicalDisk\%Disk Time value. However, if physical memory is not low, the disk itself is the problem and you'll need to upgrade to faster disks or shift the disk's workload to other disks.

Table 2-16 summarizes specific indicators of disk bottlenecks and potential resolutions.

Table 2-16. Resolving disk bottlenecks

Object\Counter | Alert threshold | Solution
-------------- | --------------- | --------
LogicalDisk\%Free Space | 85 percent or higher | Clean up drive; move data to free space
PhysicalDisk\Avg. Disk Write Queue Length, PhysicalDisk\Avg. Disk Read Queue Length, PhysicalDisk\Current Disk Queue Length | Sustained at 2 percent or higher | Install faster drives; shift workload to use additional drives
PhysicalDisk\%Disk Time | Consistently at 50 percent or higher | Determine whether excessive paging is an issue; if not, install faster drives or shift workload to use additional drives
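The thresholds in Tables 2-13 through 2-16, together with the rule above that a busy disk on a memory-starved server points at paging rather than at the disk, can be applied to collected counter samples automatically. The following PowerShell is an added example, not code from the book; Test-ServerBottlenecks is a hypothetical function name, the sample values are constructed, and where a table row gives a relative or vaguely worded threshold the interpretation chosen is stated in a comment.

```powershell
# Added example (not from the book): evaluate Performance console counter
# samples against the alert thresholds of Tables 2-13 through 2-16 and apply
# the rule from Section 2.5.3.5 that a busy disk on a memory-starved server
# indicates paging, not a slow disk.
# $Samples maps the book's Object\Counter names to arrays of sampled values;
# $Baseline (optional) holds baseline values for counters the tables judge
# "relative to the baseline". A condition holds "consistently" when at least
# $Consistency of the samples meet it (0.8 is this example's choice).
function Test-ServerBottlenecks {
    param(
        [Parameter(Mandatory)] [hashtable] $Samples,
        [Parameter(Mandatory)] [double]    $PhysicalMemoryKB,
        [hashtable] $Baseline = @{},
        [double]    $Consistency = 0.8
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string] $area, [string] $counter, [string] $solution) {
        $findings.Add([pscustomobject]@{ Area = $area; Counter = $counter; Solution = $solution })
    }
    # $true when at least $Consistency of the samples for $name satisfy $Test.
    function Mostly([string] $name, [scriptblock] $Test) {
        $values = @($Samples[$name] | Where-Object { $null -ne $_ })
        if ($values.Count -eq 0) { return $false }
        $hits = @($values | Where-Object { & $Test ([double] $_) }).Count
        return ($hits / $values.Count) -ge $Consistency
    }

    # Memory (Table 2-13)
    $lowMemory  = Mostly 'Memory\Available Kbytes' { $args[0] -lt 0.10 * $PhysicalMemoryKB }
    $pagingHigh = Mostly 'Paging File\%Usage'      { $args[0] -gt 90 }
    if ($lowMemory) {
        Add-Finding 'Memory' 'Memory\Available Kbytes' 'Identify process using high amounts of memory; install additional physical memory'
    }
    if ($pagingHigh) {
        Add-Finding 'Memory' 'Paging File\%Usage' 'Configure additional virtual memory; if it is already twice physical RAM, add physical memory'
    }
    # "Substantially higher compared to baseline" is read here as more than double the baseline.
    if ($Baseline.ContainsKey('Memory\Pages/sec') -and
        (Mostly 'Memory\Pages/sec' { $args[0] -gt 2 * $Baseline['Memory\Pages/sec'] })) {
        Add-Finding 'Memory' 'Memory\Pages/sec' 'Identify process causing excessive paging; install additional physical memory'
    }

    # Processor (Table 2-14); the queue-length row is read here as two or more waiting threads.
    if (Mostly 'Processor\%Processor Time' { $args[0] -ge 85 }) {
        Add-Finding 'Processor' 'Processor\%Processor Time' 'Upgrade the CPU; install additional CPU; shift workload'
    }
    if (Mostly 'System\Processor Queue Length' { $args[0] -ge 2 }) {
        Add-Finding 'Processor' 'System\Processor Queue Length' 'Upgrade the CPU; install additional CPU; shift workload'
    }

    # Network (Table 2-15). Current Bandwidth is reported in bits per second and
    # Bytes Total/sec in bytes, so the 50 percent test converts bytes to bits.
    $bwBits = (@($Samples['Network Interface\Current Bandwidth']) | Measure-Object -Maximum).Maximum
    if ($bwBits -gt 0 -and (Mostly 'Network Interface\Bytes Total/sec' { ($args[0] * 8) -gt 0.5 * $bwBits })) {
        Add-Finding 'Network' 'Network Interface\Bytes Total/sec' 'Upgrade network adapters; install additional network adapters'
    }

    # Disk (Table 2-16); the free-space row is read here as less than 15 percent free.
    if (Mostly 'LogicalDisk\%Free Space' { $args[0] -lt 15 }) {
        Add-Finding 'Disk' 'LogicalDisk\%Free Space' 'Clean up drive; move data to free space'
    }
    $diskBusy = Mostly 'PhysicalDisk\%Disk Time' { $args[0] -ge 50 }
    $queued   = (Mostly 'PhysicalDisk\Current Disk Queue Length'    { $args[0] -ge 2 }) -or
                (Mostly 'PhysicalDisk\Avg. Disk Read Queue Length'  { $args[0] -ge 2 }) -or
                (Mostly 'PhysicalDisk\Avg. Disk Write Queue Length' { $args[0] -ge 2 })
    if ($diskBusy -or $queued) {
        if ($lowMemory -or $pagingHigh) {
            Add-Finding 'Disk' 'PhysicalDisk\%Disk Time' 'Disk is busy while memory is short: excessive paging is the likely cause, so resolve the memory bottleneck first'
        } else {
            Add-Finding 'Disk' 'PhysicalDisk\%Disk Time' 'Install faster drives; shift workload to use additional drives'
        }
    }
    return $findings.ToArray()
}

# Constructed sample (not real data): five 15-second samples from a 4 GB server
# whose memory is short and whose disk is busy with paging as a result.
$sample = @{
    'Memory\Available Kbytes'               = 300000, 280000, 310000, 250000, 290000
    'Paging File\%Usage'                    = 92, 94, 93, 95, 91
    'Memory\Pages/sec'                      = 800, 950, 870, 1100, 900
    'Processor\%Processor Time'             = 40, 55, 38, 60, 45
    'System\Processor Queue Length'         = 1, 0, 1, 1, 0
    'Network Interface\Current Bandwidth'   = 1000000000, 1000000000, 1000000000, 1000000000, 1000000000
    'Network Interface\Bytes Total/sec'     = 12000000, 15000000, 11000000, 14000000, 13000000
    'LogicalDisk\%Free Space'               = 42, 42, 42, 41, 41
    'PhysicalDisk\%Disk Time'               = 88, 95, 90, 97, 85
    'PhysicalDisk\Current Disk Queue Length' = 4, 6, 5, 7, 4
}
Test-ServerBottlenecks -Samples $sample -PhysicalMemoryKB (4GB / 1KB) -Baseline @{ 'Memory\Pages/sec' = 50 } |
    Format-Table Area, Counter, Solution -Wrap

# Live use (not run here): collect the same counters on the server, e.g.
#   $ram = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1KB
#   (Get-Counter '\Memory\Available KBytes' -SampleInterval 15 -MaxSamples 20).CounterSamples.CookedValue
# and map each Get-Counter path (which carries an instance, such as
# '\Processor(_Total)\% Processor Time') to the book's Object\Counter key.
```

On the constructed sample the function reports three memory findings (available memory, paging file usage, pages per second against baseline) and one disk finding that attributes the busy disk to paging rather than recommending faster drives.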


2.5.4. Monitoring File and Print Servers

When you manage file and print servers, two areas you'll need to monitor closely are disk quotas and print queues. Disk quotas help you track and manage disk space usage. Print queues are where printed documents are stored as print jobs before they are printed.


Tip: Exam 70-290 has specific objectives for monitoring NTFS disk quotas and print queues. There's also an objective for troubleshooting print queues. It is important to point out that Windows now supports two types of disk quotas: NTFS disk quotas (covered on the exam) and Storage Resource Manager disk quotas (included with Windows Server 2003 R2).

2.5.4.1. Monitoring disk quotas

NTFS disk quotas are the standard type of disk quotas supported on Windows Server 2003. With NTFS disk quotas, you configure quotas on a per-user, per-volume basis. Disk quotas cannot be configured for groups.

Any NTFS volume can use disk quotas, even system volumes. FAT/FAT32 volumes, however, cannot use NTFS disk quotas.

NTFS disk quotas can be configured through Group Policy or through the Quota tab on the NTFS volume. Policy settings override Quota tab settings in most cases. Specific quota limits and quota warnings can be set on each volume:

  • A quota warning is used to warn users that they've used more than a specified amount of disk space. A warning level can be exceeded.

  • A quota sets a specific limit on the amount of space that can be used. Users can be prevented from exceeding a quota limit. The built-in Administrators group, however, is not affected by enforced quota limits.

The disk space usage for each user is tracked separately. Because of this, disk space used by one user doesn't affect the disk quotas for other users. Only members of the domain Administrators group or the local system Administrators group can configure disk quotas.

To enable disk quotas using the Quota tab of an NTFS volume, follow these steps:

  1. Right-click the volume in Computer Management and then select Properties.

  2. On the Quota tab, select Enable Quota Management as shown in Figure 2-32.

    Figure 2-32. Use the Quota tab to enable and configure disk quotas.

  3. Select the Limit Disk Space To radio button and then set a quota limit and warning level.

  4. If you want to enforce the quota limit so that it cannot be exceeded, select the Deny Disk Space To Users Exceeding Quota Limit checkbox.

  5. To enable logging when users exceed a warning limit or the quota limit, select the Log Event checkboxes.

  6. Click OK. When prompted to confirm, click OK again.

After you enable quotas, users that exceed a warning or limit level will see a warning prompt. If you've enforced quota limits, the user will be prevented from exceeding the limit. If you've configured logging, administrators can determine which users have received warnings or reached limits using the Application event log.

You can view current usage on a per-user basis by viewing the disk quota entries. On the Quota tab, click the Quota Entries button. The Quota Entries For Local Disk dialog box (shown in Figure 2-33) shows the current disk space usage and quota settings for all users, including system user accounts and domain/local user accounts.

Figure 2-33. Disk quotas are tracked for system accounts, as well as user accounts.


Although quotas do not affect the built-in Administrators group, they do affect system user accounts and domain/local user accounts. Disk space used by the operating system is tracked according to the user account used during installation. Administrators can customize the disk quota entries on a per-user basis by double-clicking the entry and setting different limits and warning levels for the selected user. Administrators can also create custom quota entries for users who haven't yet saved data on a volume. To do this, click Quota → New Quota Entry.
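To make the quota rules concrete, here is an added Python model (example code, not from the study guide or from Windows) of how an NTFS volume's quota settings treat writes: per-user tracking, a warning level that can be exceeded, a limit that is denied only when enforcement is on, exemption of the built-in Administrators group, and custom per-user entries. The volume name, user names and sizes are constructed, and the Application event log is simulated as a list of tuples.

```python
class NtfsVolumeQuota:
    """Per-user, per-volume NTFS quota behaviour as described for the Quota tab.

    Sizes are in bytes. Events that Windows would write to the Application
    event log are collected in self.events instead.
    """

    def __init__(self, volume, limit, warning, deny_over_limit=False,
                 log_warning=True, log_limit=True):
        self.volume = volume
        self.defaults = (limit, warning)        # users without a custom entry
        self.deny_over_limit = deny_over_limit  # "Deny Disk Space To Users Exceeding Quota Limit"
        self.log_warning = log_warning          # "Log Event" checkboxes
        self.log_limit = log_limit
        self.entries = {}                       # user -> (limit, warning) custom entries
        self.usage = {}                         # user -> bytes owned on this volume
        self.events = []                        # simulated Application event log

    def set_entry(self, user, limit, warning):
        """Create or customise one user's quota entry (Quota -> New Quota Entry)."""
        self.entries[user] = (limit, warning)

    def _limits(self, user):
        return self.entries.get(user, self.defaults)

    def write(self, user, nbytes, builtin_administrator=False):
        """Attempt to store nbytes owned by user; returns 'ok', 'warning' or 'denied'.

        Only this user's own usage counts: other users' files never affect the
        decision, which is the per-user tracking described in the text.
        """
        limit, warning = self._limits(user)
        proposed = self.usage.get(user, 0) + nbytes
        if builtin_administrator:
            # Members of the built-in Administrators group are neither limited nor
            # warned, but their usage is still tracked in the quota entries.
            self.usage[user] = proposed
            return "ok"
        if proposed > limit and self.deny_over_limit:
            if self.log_limit:
                self.events.append(("limit", user, self.volume))
            return "denied"                     # usage is unchanged
        self.usage[user] = proposed
        if proposed > limit:                    # limit exceeded but not enforced
            if self.log_limit:
                self.events.append(("limit", user, self.volume))
            return "warning"
        if proposed > warning:                  # warning level can be exceeded
            if self.log_warning:
                self.events.append(("warning", user, self.volume))
            return "warning"
        return "ok"


MB = 1024 * 1024


def demo():
    """Constructed scenario: a 100 MB limit with an 80 MB warning, enforced."""
    vol = NtfsVolumeQuota("D:", limit=100 * MB, warning=80 * MB, deny_over_limit=True)
    results = [
        vol.write("alice", 50 * MB),            # ok
        vol.write("alice", 40 * MB),            # 90 MB: above the warning level
        vol.write("alice", 20 * MB),            # would be 110 MB: denied
        vol.write("bob", 95 * MB),              # bob's own usage only: warning
        vol.write("admin", 500 * MB, builtin_administrator=True),  # exempt
    ]
    vol.set_entry("carol", limit=10 * MB, warning=8 * MB)       # custom entry
    results.append(vol.write("carol", 9 * MB))                  # warning
    return vol, results


if __name__ == "__main__":
    volume, outcome = demo()
    print(outcome)
    print(volume.events)
```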

2.5.4.2. Monitoring and troubleshooting print queues

In Windows environments, printing can be handled in two ways:

  • Client computers can have their own print queues and send print jobs directly to a direct-attached or network-attached printer.

  • Client computers can access shared printers and send print jobs to the print queue on a print server, which in turn sends the print job to the printer.

Although the direct client to printer approach may seem more efficient, monitoring, maintaining, and troubleshooting such a configuration can be difficult and time-consuming because every user has a separate print queue. On the other hand, with a print server, all client computers share a common print queue on the print server. This means there's a central location for monitoring and a central location to look at when users have problems with a particular printer.

2.5.4.2.1. Working with print servers

Any workstation or server computer running Windows can be configured to act as a print server. A print server is simply a computer that is configured to share a printer.

Install and manage printers using the Printers And Faxes folder. You can access this folder on a local system by clicking Start → Printers And Faxes. You can access this folder on a remote computer through My Network Places. In Windows Explorer, click My Network Places, click a domain, click a print server, and then double-click Printers.

When a user sends a print job to a shared printer, the print server spools the print job to the spooling folder on its local disk. Spooled print jobs are queued to be printed. Each printer has its own print queue, but all printers share the same spool folder. Windows Server 2003 uses the Print Spooler service to control the spooling of print jobs. You can check the status of the Print Spooler service using the Services utility (Control Panel → Administrative Tools → Services).

Print server properties control the general settings for all shared printers on the server. In the Printers And Faxes window, click File → Server Properties to access the Print Server Properties dialog box shown in Figure 2-34. The tabs of the Print Server Properties dialog box are used as follows:

Figure 2-34. Manage general properties for all shared printers using the Print Server Properties dialog box.



Forms

Options allow you to view current document forms and create additional printer forms.


Ports

Allows you to view and manage printer ports for all configured printers. Direct-attached printers use LPT, COM, or USB ports. Network-attached printers use AppleTalk, LPR, or TCP/IP ports.


Drivers

Allows you to view and manage printer drivers for all configured printers. You can also add, remove, and reinstall drivers.


Advanced

Allows you to view and manage spooling and notification options. You can also view and set the spool folder.

The default location for the spool folder is %SystemRoot%\system32\spool\printers. The default permissions on this folder grant full control to Administrators, Print Operators, Server Operators, System, and Creator Owner. Full control for Creator Owner allows users to delete and manage their own print jobs. Authenticated Users have Read & Execute permissions so that authenticated users can access the spool folder. If these permissions are changed, spooling might fail.
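An added check (example code, not from the study guide) that compares a spool folder ACL against the defaults listed above and reports entries that are missing, weakened, or broader than the default. The listings use a constructed "principal:rights" notation with simplified rights tokens; it is not the output format of cacls.exe, so adapt parse_listing to whatever tool you export permissions with.

```python
# Simplified rights tokens, weakest to strongest. This notation is constructed for
# the example and is not the output format of cacls.exe.
LEVEL = {"N": 0, "R": 1, "RX": 2, "C": 3, "F": 4}

# Default permissions on %SystemRoot%\system32\spool\printers, as described above.
EXPECTED_SPOOL_ACL = {
    "BUILTIN\\Administrators": "F",
    "BUILTIN\\Print Operators": "F",
    "BUILTIN\\Server Operators": "F",
    "NT AUTHORITY\\SYSTEM": "F",
    "CREATOR OWNER": "F",
    "NT AUTHORITY\\Authenticated Users": "RX",
}

# Constructed listings, one "principal:rights" pair per line.
DEFAULT_LISTING = """
BUILTIN\\Administrators:F
BUILTIN\\Print Operators:F
BUILTIN\\Server Operators:F
NT AUTHORITY\\SYSTEM:F
CREATOR OWNER:F
NT AUTHORITY\\Authenticated Users:RX
"""

# Drifted: Print Operators removed, Authenticated Users cut to Read, Everyone added.
DRIFTED_LISTING = """
BUILTIN\\Administrators:F
BUILTIN\\Server Operators:F
NT AUTHORITY\\SYSTEM:F
CREATOR OWNER:F
NT AUTHORITY\\Authenticated Users:R
Everyone:F
"""


def parse_listing(text):
    """Parse 'principal:rights' lines into {principal: rights token}."""
    acl = {}
    for line in text.strip().splitlines():
        principal, _, rights = line.rpartition(":")
        rights = rights.strip().upper()
        if rights not in LEVEL:
            raise ValueError("unknown rights token %r for %s" % (rights, principal))
        acl[principal.strip()] = rights
    return acl


def audit_spool_acl(listing, expected=EXPECTED_SPOOL_ACL):
    """Return (kind, principal, detail) tuples; an empty list means the defaults hold.

    missing - a default principal is absent (spooling may fail for that group)
    reduced - a default principal has less access than the default
    extra   - a principal not in the default ACL has more than Read & Execute
    """
    acl = parse_listing(listing)
    findings = []
    for principal, want in expected.items():
        have = acl.get(principal)
        if have is None:
            findings.append(("missing", principal,
                             "default entry absent; spooling may fail for this group"))
        elif LEVEL[have] < LEVEL[want]:
            findings.append(("reduced", principal,
                             "%s is below the default %s" % (have, want)))
    for principal, have in acl.items():
        if principal not in expected and LEVEL[have] > LEVEL["RX"]:
            findings.append(("extra", principal,
                             "%s access is broader than the default ACL" % have))
    return findings


if __name__ == "__main__":
    for kind, principal, detail in audit_spool_acl(DRIFTED_LISTING):
        print("%-8s %-38s %s" % (kind, principal, detail))
```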

2.5.4.2.2. Working with printer properties

In the Printers And Faxes window, all printers are listed by their local name. Shared printers also have a share name. It is through the share name that users access print queues. Print jobs are routed to printers according to the port or ports configured for use with that printer. Print jobs are processed in priority order and, within a priority, first-in-first-out. Generally speaking, higher priority print jobs print before lower priority jobs. When there are multiple print jobs of the same priority, jobs are processed in the order they were received, with the first job in being the first processed and printed.

You can use the printer's Properties dialog box to manage its properties. You access the Properties dialog box by completing these steps:

  1. Open the Printers And Faxes window on the computer you want to work with.

  2. Right-click the icon of the printer you want to configure and then select Properties.

  3. Set the printer properties using the Properties dialog box shown in Figure 2-35.

    Figure 2-35. Use the printer's Properties dialog box to manage the ports, share name, and other configuration options being used.

The available tabs in a printer's Properties dialog box depend on the type and model of printer. Options on the most common tabs are used as follows:


General

View or set the printer name, location, and comments. Click the Printing Preferences button to set default printing preferences for page layout, quality, etc. Click the Print Test Page button to print a test page.


Sharing

View or set the printer share name. Select List In The Directory to list the printer in Active Directory. Click the Additional Drivers button to install additional drivers for users. By default, only x86 drivers for Windows 2000 or later computers are installed for most printers. You can add x86 drivers for pre-Windows 2000 computers, x64 printer drivers, and Itanium drivers by selecting the related checkboxes.


Tip: If you change the printer share name, you will need to update the related printer mappings on client computers so that they use the new share name. This can be done manually by logging on to client computers or automatically through logon scripts or some other automation technique.

Ports

View or set printer ports. If the hostname or IP address of a printer changes, you will need to click the current port, click Configure Port, set the new hostname or IP address, and then click OK. Printers that use TCP/IP use either a specific RAW port or a named LPR print queue. If this information is incorrectly configured, you need to click the current port, click Configure Port, modify the protocol settings as appropriate, and then click OK.


Tip: On the Ports tab, the Enable Printer Pooling checkbox should be selected only when two or more identical printers are pooled through one logical print device. In the case of pooling, there will be one configured port for each printer. If one of the printers should go offline, you need to disable the related port by clearing the associated port checkbox. If there is then only one printer online, you need to clear the Enable Printer Pooling checkbox.

Advanced

View or set availability, priority, and spooling options. Printers can be always available, or available only during specified hours. Print queues can have a default priority of 1 (low) to 99 (high). The current print driver is listed here. If you want to upgrade or reinstall the print drivers for all clients, click the New Driver button and then follow the Add Printer Driver Wizard prompts.


Security

View or set access permissions for the print queue. Print queue permissions are separate from the NTFS access permissions on the related spooling folder. By default, the special identity Everyone has permission to print. Creator Owner can manage documents and print. Administrators, Print Operators, and Server Operators can print, manage printers, and manage documents.
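The ordering rule in the previous section and the priority and availability settings on the Advanced tab are illustrated by this added Python example (not code from the study guide or from Windows): two logical printers share one port, one with priority 99 and always available, one with priority 1 and available only outside business hours. Printer names, document names and hours are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class LogicalPrinter:
    """One print queue (logical printer) and its Advanced-tab settings."""
    share: str
    priority: int                       # 1 (low) .. 99 (high)
    hours: Optional[Tuple[int, int]]    # (start_hour, end_hour) or None = always

    def __post_init__(self):
        if not 1 <= self.priority <= 99:
            raise ValueError("priority must be between 1 and 99")

    def available(self, hour):
        """Is the queue allowed to send jobs to the port at this hour (0-23)?"""
        if self.hours is None:
            return True
        start, end = self.hours
        if start <= end:
            return start <= hour < end
        return hour >= start or hour < end   # window that wraps past midnight


@dataclass(frozen=True)
class PrintJob:
    document: str
    printer: LogicalPrinter
    submitted: int                      # arrival sequence number (or timestamp)


def printing_order(jobs, hour):
    """Documents the spooler would send to the shared port, in sending order.

    Jobs from an unavailable queue are held. Among ready jobs, higher queue
    priority goes first; equal priorities are first-in-first-out.
    """
    ready = [j for j in jobs if j.printer.available(hour)]
    ready.sort(key=lambda j: (-j.printer.priority, j.submitted))
    return [j.document for j in ready]


def held_jobs(jobs, hour):
    """Documents waiting because their queue is outside its available hours."""
    return [j.document for j in jobs if not j.printer.available(hour)]


# Constructed scenario: two logical printers attached to the same physical port.
EXEC_PRINT = LogicalPrinter("ExecPrint", priority=99, hours=None)
BATCH_PRINT = LogicalPrinter("BatchPrint", priority=1, hours=(18, 6))

JOBS = [
    PrintJob("report.doc", BATCH_PRINT, submitted=1),
    PrintJob("memo.doc", EXEC_PRINT, submitted=2),
    PrintJob("invoice.doc", BATCH_PRINT, submitted=3),
    PrintJob("agenda.doc", EXEC_PRINT, submitted=4),
]

if __name__ == "__main__":
    for hour in (14, 20):
        print("%02d:00 prints %s, holds %s"
              % (hour, printing_order(JOBS, hour), held_jobs(JOBS, hour)))
```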

2.5.4.2.3. Working with print queues and print jobs

Manage print queues and the jobs they contain using the print management window. Double-click the printer icon in the Printers And Faxes folder. The print management window shows information about documents waiting to print, including the document name, status, owner, pages, size, and date submitted for printing.

You can manage individual print jobs by right-clicking a document and choosing to pause, restart, or cancel it. You can also right-click a document and choose Properties to view its properties.

You can manage the printer itself as well by pausing, canceling, or resuming printing. Click Printer → Pause Printing to pause printing. Click Printer → Pause Printing a second time to resume printing. To delete all print jobs queued for printing, click Printer → Cancel All Documents.

2.5.5. Managing Web Servers

Most network environments have web servers these days. Windows Server 2003 includes Internet Information Services (IIS) 6.0 to provide essential web services. When you install IIS on a server, you'll find there are a number of management tools that can be used. The key tool you'll use, however, is Internet Services Manager.

2.5.5.1. Installing Internet Information Services

With most versions of Windows Server 2003, IIS is not installed during the installation of the operating system. IIS is an application server component and can be installed as part of an application server configuration or separately. IIS itself includes many components that can be installed:

  • Background Intelligent Transfer Service (BITS) Server Extension

  • File Transfer Protocol (FTP) Server

  • FrontPage Server Extensions

  • Internet Services Manager

  • Internet Printing

  • Network News Transfer Protocol (NNTP) service

  • Simple Mail Transfer Protocol (SMTP) service

  • World Wide Web Server

To install and manage a web server, you need at a minimum the Internet Services Manager and World Wide Web Server components. You can install IIS by completing these steps:

  1. In Control Panel, click Add Or Remove Programs.

  2. Click Add/Remove Windows Components.

  3. Select Application Server, making sure not to check or clear the related checkbox. Click Details.

  4. Select Internet Information Services (IIS), making sure not to check or clear the related checkbox. Click Details.

  5. Select IIS components to install or uninstall them.

  6. Click OK twice to close all open dialog boxes and return to the Windows Component Wizard.

  7. Click Next and then click Finish.

2.5.5.2. Working with the IIS Management Tools

Once you've installed IIS, you can configure and manage IIS using the Internet Services Manager (see Figure 2-36). Click Start → Programs → Administrative Tools → Internet Information Services (IIS) Manager. Internet Services Manager is also available as a snap-in that can be added to MMC.

Figure 2-36. Use Internet Services Manager to configure and manage IIS.


Internet Services Manager can be used to manage both local and remote servers. When you connect to multiple computers, each computer will have a separate management node. To connect to a remote computer in Internet Services Manager, follow these steps:

  1. Right-click the Internet Information Services node, and then click Connect.

  2. In the Connect To Computer dialog box, type the computer name, fully qualified computer name, or IP address in the Computer Name text box.

  3. If you need to use different logon credentials, select the Connect As checkbox and then type the username and password for the account.

  4. Click OK.

In the default configuration, web documents are stored under %SystemDrive%\Inetpub\wwwroot and web server logfiles are written to %SystemRoot%\system32\LogFiles\w3svc. A number of management scripts are also provided under %SystemRoot%\system32, including:


Iisapp.vbs

Lists application pools and worker processes. Type iisapp /? to obtain syntax and usage details.


Iisback.vbs

Backs up or restores the IIS configuration. Type iisback /? to obtain syntax and usage details.


Iiscnfg.vbs

Imports or exports the IIS configuration. Type iiscnfg /? to obtain syntax and usage details.


Iisvdir.vbs

Manages IIS web directories. Type iisvdir /? to obtain syntax and usage details.


Iisweb.vbs

Creates, queries, and manages web sites. Type iisweb /? to obtain syntax and usage details.


Tip: The IIS scripts must be run with the command-line scripting host, CScript, rather than the GUI script host, WScript.

IIS Reset (iisreset.exe), also provided in the %SystemRoot%\system32 folder, is used to stop and then restart all IIS-related services, including the IIS Admin service, the FTP Publishing service, and the World Wide Web Publishing Service. You can use IIS Reset to reset IIS if its services hang or stop responding.

In Internet Services Manager, you can reset IIS by right-clicking the hostname of the server computer, clicking All Tasks → Restart IIS, and then clicking OK in the Stop/Start/Restart dialog box. The default "What Do You Want To Do?" option is to restart IIS.

2.5.5.3. Configuring IIS

You manage the configuration of IIS at three levels:


General IIS settings (see Figure 2-37)

Control editing of the IIS metabase and available MIME types. In Internet Services Manager, access general settings by right-clicking the name of the server and then selecting Properties. Enable editing of the metabase while IIS is running by selecting the Enable Direct Metabase Edit checkbox. View and configure available MIME Types by clicking the MIME Types button.

Figure 2-37. General IIS settings.


Global sites settings (see Figure 2-38)

Determine the global settings for all sites of a particular type. To manage global settings, right-click the Web Sites node and then select Properties. Use global settings to set default properties for new sites created on a server. If you change global settings, existing sites typically (but not in all cases) inherit the changes as well.

Using the options on the Service tab, you can manage the operating mode and HTTP compression settings for all web sites. The default operating mode is Worker Process Isolation Mode. By selecting Run WWW Service In IIS 5.0 Isolation Mode, you can reset the server so that IIS 5 Isolation Mode is used, as may be necessary for backward compatibility with applications created for IIS 5. However, IIS 5 Isolation Mode disables many of IIS 6's features.

Figure 2-38. Global site settings.


Local site settings (see Figure 2-39)

Determine the effective settings for a specific site. To manage local site settings, right-click the site name and select Properties. If changes to global settings modify local settings, you can override these changes by reconfiguring the local site settings as may be necessary.

Figure 2-39. Local site settings.

You can back up or restore the IIS configuration in its entirety using the Configuration Backup/Restore feature. In Internet Services Manager, right-click the computer name and click All Tasks → Backup/Restore Configuration. An initial backup is created automatically when IIS is installed. Automatic backups can be created in some cases as well.

With the Configuration Backup/Restore dialog box displayed, you can:

  • Create a backup by clicking Create Backup.

  • Restore a selected backup by clicking Restore.

  • Delete a selected backup by clicking Delete.

2.5.5.4. Managing security for IIS

When users connect to web servers in a browser, two levels of security apply: IIS security and Windows security. Similar to web shares, IIS provides the top layer of security and Windows provides the bottom layer. IIS security focuses on:

  • Authentication controls

  • Content permissions

2.5.5.4.1. Understanding and configuring authentication controls

All web content accessed in a browser is subject to IIS's access controls. Two types of access are allowed:

  • Anonymous access

  • Authenticated access

Most public web sites allow users to anonymously access content pages. When a user anonymously accesses an IIS server in a browser, the Internet guest account (IUSR_ComputerName) determines the level and type of access granted. By default, the Internet guest account holds the user rights to log on locally and to log on as a batch job. If this account is disabled or locked out, anonymous users won't be able to access content pages on an IIS server. If the IIS server is a member of a Windows domain, the Internet guest account is a member of the Domain Users and Guests groups by default.

With web applications, the web application account (IWAM_ComputerName) can be used to grant anonymous access to a web application. The web application account grants the anonymous user the right to log on as a batch job. If this account is disabled or locked out and the server is running in IIS 5 isolation mode, out-of-process applications won't be able to start. When a server is operating in IIS 6 worker process mode, this account is used only when configured for a specific application pool or pools. If the IIS server is in a domain, the web application account is a member of the Domain Users and IIS_WPG groups.

Access to IIS can be controlled using authentication. The five configurable authentication modes are:


Anonymous authentication

Allows users to access resources without being prompted for username and password information. IIS logs users on automatically using the Internet guest or web application account as appropriate.


Basic authentication

Provides the most basic authentication controls. Users are prompted for a username and password, which is passed to the IIS server as clear text unless Secure Sockets Layer (SSL) is configured and used.


Digest authentication

Uses HTTP 1.1 digest authentication to securely transmit user credentials. The user must have a valid domain account, and the IIS server must be a member of an Active Directory domain.


Integrated Windows authentication

Uses standard Windows security to validate a user's identity. Users are not prompted for logon information. Instead, the Windows logon credentials are relayed to the server in an encrypted format that does not require the use of SSL. Only Internet Explorer browsers support this authentication mode.


.NET Passport authentication

Uses .NET Passport authentication to validate user access and credentials. When validating the user, the server checks for a Passport Authentication ticket. If the ticket exists and the user has valid credentials, the server authenticates the user. If no valid ticket is available, the user is redirected to the Passport Logon Service.

Authentication controls can be set globally or individually for each site hosted by an IIS server. At the site level, different authentication levels can be set for the site as a whole, directories within the site, and pages within directories. This allows you to have secure directories within otherwise unsecured sites or even secure pages within unsecured directories. You can configure access and authentication for any of these levels by completing the following steps:

  1. Open IIS Manager.

  2. Right-click the Web Sites node, a site node, a directory node, or a file within a directory, and then select Properties.

  3. Click the Directory Security or File Security tab as appropriate.

  4. Under Authentication And Access Control, click Edit.

  5. You can manage access and authentication using the dialog box shown in Figure 2-40 and employing the following techniques:

    Figure 2-40. Configure access and authentication controls using the Authentication Methods dialog box.

    • To disable anonymous access (and require authenticated access), clear the Enable Anonymous Access checkbox.

    • To change the account used for anonymous access, type the username and password of the account that should be used, or click Browse to select the user account.

    • To enable .NET passport authentication, select the .NET Passport Authentication checkbox. Optionally, set a default realm to specify the access level within the IIS metabase hierarchy, such as W3SVC/1/root for access to the root of the first web site instance.

    • To enable basic authentication, select the Basic Authentication checkbox. Optionally, set a default domain that should be used if no domain information is provided.

    • To enable digest authentication, select the Digest Authentication checkbox. Optionally, set a default realm.

  6. Click OK twice to save and apply the changes.
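As an added example (not from the study guide or from IIS itself), the following Python audit models the checkboxes in the Authentication Methods dialog for one node and flags the combinations the descriptions above warn about, such as Basic authentication without SSL or anonymous access left on for a node meant to be restricted. Field names mirror the dialog; require_secure_channel stands for the Require Secure Channel (SSL) option on the same Directory Security tab, the restricted flag records the administrator's intent for the node, and the node path W3SVC/1/root/payroll is constructed.

```python
from dataclasses import dataclass


@dataclass
class AuthSettings:
    """Checkbox state of one node's Authentication Methods dialog plus the
    environmental facts the descriptions above say each method depends on."""
    node: str
    enable_anonymous_access: bool = True
    basic_authentication: bool = False
    digest_authentication: bool = False
    integrated_windows_authentication: bool = False
    net_passport_authentication: bool = False
    require_secure_channel: bool = False    # Require Secure Channel (SSL) on the same tab
    anonymous_account_enabled: bool = True  # IUSR_ComputerName not disabled or locked out
    server_in_domain: bool = True           # needed for digest authentication
    restricted: bool = False                # administrator's intent: must not be public


def audit_authentication(s):
    """Return (severity, message) findings for one node's settings."""
    findings = []
    if s.basic_authentication and not s.require_secure_channel:
        findings.append(("high", "basic authentication without SSL passes usernames "
                                 "and passwords to the server in clear text"))
    if s.enable_anonymous_access and s.restricted:
        findings.append(("high", "anonymous access is enabled on a node that is meant "
                                 "to require authentication"))
    if s.enable_anonymous_access and not s.anonymous_account_enabled:
        findings.append(("medium", "anonymous access is enabled but the Internet guest "
                                   "account is disabled or locked out, so anonymous "
                                   "requests will fail"))
    if s.digest_authentication and not s.server_in_domain:
        findings.append(("medium", "digest authentication requires the server to be a "
                                   "member of an Active Directory domain"))
    methods = (s.enable_anonymous_access, s.basic_authentication,
               s.digest_authentication, s.integrated_windows_authentication,
               s.net_passport_authentication)
    if not any(methods):
        findings.append(("high", "no authentication method is enabled; every request "
                                 "to this node will be refused"))
    only_integrated = (s.integrated_windows_authentication
                       and not any((s.enable_anonymous_access, s.basic_authentication,
                                    s.digest_authentication, s.net_passport_authentication)))
    if only_integrated:
        findings.append(("info", "integrated Windows authentication only: browsers other "
                                 "than Internet Explorer cannot authenticate"))
    return findings


# Constructed before/after pair for a directory that must not be public.
WEAK = AuthSettings("W3SVC/1/root/payroll",
                    enable_anonymous_access=True,
                    basic_authentication=True,
                    restricted=True)

HARDENED = AuthSettings("W3SVC/1/root/payroll",
                        enable_anonymous_access=False,
                        basic_authentication=True,          # still allowed, but only over SSL
                        integrated_windows_authentication=True,
                        require_secure_channel=True,
                        restricted=True)

if __name__ == "__main__":
    for settings in (WEAK, HARDENED):
        print(settings.node, audit_authentication(settings) or "no findings")
```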

2.5.5.4.2. Understanding and configuring content permissions

Content permissions provide the top level of security for IIS. Use content permissions to determine the general allowed permissions for users who are allowed access to an IIS site, directory, or file. Content permissions granted can be further restricted or completely denied by the underlying NTFS permissions. For example, if users are granted anonymous access to a site, but NTFS permissions do not grant any permissions to the Internet guest account, users will not be able to access content regardless of the content permissions.

Content permissions can be set both globally and locally. Apply global permissions using settings of the Web Sites node; these settings are in turn inherited by all the web sites, directories, and files on a server. If you set content permissions locally for a site, directory, or page, you can override the global permissions. In cases where global and local permissions conflict, you typically will see a prompt asking whether you want to apply the global settings (and in doing so override the local settings) or retain the local settings.

The content permissions are similar to those that can be applied to web shares. Content permissions include:


Read

Allows web users to read files in the folder.


Write

Allows web users to write data in the folder.


Script Source Access

Allows web users to access the source code for scripts (not recommended).


Directory Browsing

Allows web users to browse the folder and its subfolders (not recommended).


Index This Resource

Allows the Indexing Service to index the resource so that keyword searches can be performed.


Log Visits

Ensures access to files is recorded in the IIS logs.

As with web shares, application permissions can be set as well. The configurable application permissions are:


None

Disallows the execution of programs and scripts.


Scripts Only

Allows scripts to run when accessed via IIS.


Scripts and Executables

Allows both programs and scripts to run when accessed via IIS.
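The layering described above (IIS content permissions as the ceiling, NTFS rights of the requesting account as a further restriction) can be worked through with this added Python example (not from the study guide or from IIS). effective_access computes what a request running as a given account can actually do, reproducing the anonymous-access case in the text, and risk_findings lists the settings the descriptions above mark as not recommended. The mapping of execute levels to NTFS rights is a simplified model for the example: scripts are assumed to need Read on the file and executables to need Execute.

```python
IIS_CONTENT = {"Read", "Write", "Script Source Access", "Directory Browsing",
               "Index This Resource", "Log Visits"}
EXECUTE_LEVELS = ("None", "Scripts Only", "Scripts and Executables")


def effective_access(iis_perms, execute_level, ntfs_rights):
    """Intersect IIS content permissions with the NTFS rights of the account the
    request runs as (IUSR_ComputerName for anonymous requests).

    iis_perms     - set of content permission names checked in IIS
    execute_level - one of EXECUTE_LEVELS (the Execute Permissions list box)
    ntfs_rights   - subset of {"Read", "Write", "Execute"} held by that account
    Returns (effective content permissions, effective execute level).
    """
    unknown = iis_perms - IIS_CONTENT
    if unknown or execute_level not in EXECUTE_LEVELS:
        raise ValueError("unknown permission: %s" % (unknown or execute_level))
    eff = set()
    if "Read" in iis_perms and "Read" in ntfs_rights:
        eff.add("Read")
    if "Write" in iis_perms and "Write" in ntfs_rights:
        eff.add("Write")
    if "Directory Browsing" in iis_perms and "Read" in ntfs_rights:
        eff.add("Directory Browsing")
    # Script Source Access only has an effect alongside an effective Read or Write.
    if "Script Source Access" in iis_perms and eff & {"Read", "Write"}:
        eff.add("Script Source Access")
    # Index This Resource and Log Visits are server-side behaviours, not user rights,
    # so NTFS does not restrict them.
    eff |= iis_perms & {"Index This Resource", "Log Visits"}
    # Simplified model: executables need NTFS Execute, scripts need NTFS Read.
    if execute_level == "Scripts and Executables" and "Execute" in ntfs_rights:
        eff_exec = "Scripts and Executables"
    elif execute_level != "None" and "Read" in ntfs_rights:
        eff_exec = "Scripts Only"
    else:
        eff_exec = "None"
    return eff, eff_exec


def risk_findings(iis_perms, execute_level):
    """Defender's checklist for one site, directory or file's content permissions."""
    findings = []
    if "Script Source Access" in iis_perms:
        findings.append("Script Source Access exposes script source code (not recommended)")
    if "Directory Browsing" in iis_perms:
        findings.append("Directory Browsing lists folder contents to web users (not recommended)")
    if "Write" in iis_perms and execute_level == "Scripts and Executables":
        findings.append("Write combined with Scripts and Executables lets content written "
                        "through IIS be executed on the server")
    if "Log Visits" not in iis_perms:
        findings.append("Log Visits is off, so requests to this resource will be absent "
                        "from the IIS logs")
    return findings


if __name__ == "__main__":
    # The case from the text: anonymous Read granted in IIS, but the Internet guest
    # account has no NTFS rights on the folder, so nothing is accessible.
    print(effective_access({"Read", "Log Visits"}, "Scripts Only", set()))
    print(risk_findings({"Read", "Write", "Directory Browsing"}, "Scripts and Executables"))
```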

You can configure global and local content permissions by completing the following steps:

  1. Open IIS Manager.

  2. Right-click the Web Sites node, a site node, or a directory node, and then select Properties.

  3. Click the Home Directory or Directory tab as appropriate.

  4. Set the content permissions using the checkboxes provided (see Figure 2-41).

    Figure 2-41. Set content and application permissions using the Home Directory or Directory tab.

  5. Using the Execute Permissions list box, you can set the permission level for applications.

  6. Click OK to save and apply the settings.

You can configure content permissions for individual files by completing the following steps:

  1. Open IIS Manager.

  2. Right-click a file and then select Properties.

  3. On the File tab, set the content permissions.

  4. Click OK to save and apply the settings.

2.5.6. Installing and Configuring Software Update Infrastructure

Maintaining the Windows operating system and the software deployed throughout the organization is a critically important area of administration. Operating systems and application software that are not properly maintained will not function as expected. To help you maintain the operating system, Microsoft offers Automatic Updates. A system can automatically connect to Windows Update or a designated update server in your organization and obtain any necessary operating system updates.

As Automatic Updates have evolved, so have the related features:

  • Automatic Updates for Windows 2000 Service Pack 3, Windows XP, and Windows Server 2003 allow you to automatically download and install critical updates.

  • Automatic Updates for Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 allow you to automatically download and install critical updates, security updates, update roll-ups, and service packs.

An extension of Automatic Updates, called Microsoft Update, allows you to use the Automatic Update feature to maintain the operating system and select Microsoft products, including Office 2003 and Office XP. Microsoft Update will eventually allow you to maintain all Microsoft products using Automatic Updates.

An extension of Automatic Updates, referred to as the WSUS client, allows you to use Automatic Updates with Windows Server Update Services (WSUS). Computers running Windows XP Service Pack 2 or later and Windows Server 2003 Service Pack 1 or later already have the Automatic Updates extension for WSUS.

Microsoft Update is recommended for consumer use and for small businesses that do not have a full-time Windows administrator. In all other environments, both large and small, Microsoft recommends using WSUS in a client/server configuration. Every administrator should know how to install, configure, and maintain WSUS clients and servers.


Tip: Through the summer of 2006, Exam 70-290 objectives will cover Software Update Services (SUS). However, SUS is being phased out in favor of WSUS. SUS is no longer available for download and will be supported only through December 6, 2006. The discussion in this study guide focuses on WSUS.

2.5.6.1. Understanding Windows Server Update Services (WSUS)

WSUS (previously called Windows Update Services) is provided as a patch and an update component for Windows Server. WSUS has both a server and client component. The WSUS client can run on Windows 2000 Service Pack 3 or later, Windows XP, and Windows Server 2003. Each managed client requires a Windows Server CAL.

The WSUS server component uses a data store that runs with MSDE, WMSDE, or SQL Server. With SQL Server 2000 or SQL Server 2005, every device managed by WSUS requires a SQL Server CAL or a per-processor license.

SUS 1.0 servers can be migrated to WSUS using the WSUSUTIL.EXE tool, which is provided in the Tools folder of the WSUS server installation.

The WSUS scanning engine is built into the Windows Update agent, which is included with Windows and is the same component that enables Automatic Updates from Windows Update. WSUS is designed to handle updates for Microsoft products, including Windows 2000, Windows XP Professional, Windows Server 2003, Office 2003, Office XP, Exchange 2003, SQL Server 2000, SQL Server 2005, and MSDE 2000. All Microsoft products will eventually be supported.

2.5.6.2. Installing Windows Software Update Services

As discussed previously, WSUS uses a client-server architecture. The WSUS server must have an NTFS-formatted system partition. The partition on which you install WSUS must likewise be formatted with NTFS. WSUS requires:

  • IIS (you must install the World Wide Web Server Service at a minimum)

  • Background Intelligent Transfer Service (BITS) 2.0

  • Microsoft .NET Framework 1.1 Service Pack 1 for Windows Server 2003

The WSUS server component uses IIS to obtain updates over the Internet using HTTP port 80 and HTTPS port 443. WSUS also uses IIS to automatically update client computers with the necessary client software for WSUS, a WSUS-compatible version of the Automatic Updates feature. Typically, the update is installed under a virtual directory named Selfupdate and accessed over HTTP port 80. During setup of WSUS, you can also create a custom web site for Selfupdate, which then uses port 8530 by default.

For performance and network load balancing, large enterprises may want to have an extended WSUS environment with multiple WSUS servers. In a multiple WSUS server environment configuration, one WSUS server can be used as the central server for downloading updates, and other WSUS servers can connect to this server to obtain settings and updates.

You can install WSUS on a server by completing the following steps:

  1. Download WSUSSetup.exe from the Microsoft web site (http://go.microsoft.com/fwlink/?LinkId=47374).

  2. Double-click WSUSSetup.exe to start the installation.

  3. Click Next. Click I Accept The Terms Of The License Agreement, and then click Next.

  4. On the Select Update Source page, specify where client computers get updates. For central download and distribution, you want WSUS to download updates and make updates available locally, so select Store Updates Locally and then specify the download folder. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates. Click Next.

  5. On the Database Options page, select the software used to manage the WSUS database. By default, the SQL Server Desktop Engine is used. For a more reliable and robust solution, you can instead use an existing database server. Click Next.

  6. On the Web Site Selection page, specify the web site that will be used by WSUS. If you select Use The Existing IIS Default Web Site, WSUS will use port 80. If you select Create A Microsoft Windows Server Update Services Web Site, WSUS will use port 8530. Click Next.

  7. On the Mirror Update Settings page, select This Server Should Inherit The Settings From . . . if you have centralized control of WSUS and multiple WSUS servers. Then enter the fully qualified domain name of the central WSUS server and the port over which connections should be made. Click Next.

  8. Review the settings. Click Next to begin the installation, and then click Finish.

  9. After installation, confirm that the root folder of the drive on which WSUS stores updates (and every folder WSUS uses) grants Read permission to the special identity NT AUTHORITY\Network Service. IIS 6 serves the update files under that identity; without the permission, clients cannot download approved updates.

2.5.6.3. Configuring Windows Server Update Services

Once you've installed the WSUS server component, you can use the WSUS console to configure the automatic client update settings. You must be a member of the local Administrators group or the WSUS Administrators group. Access the WSUS console after installation using the URL http://WSUSServerName:portnumber/WSUSAdmin, where portnumber is 80 for the default web site or 8530 for the custom WSUS web site. On the WSUS server itself, you can click Start → Programs → Administrative Tools → Microsoft Windows Server Update Services.

If the network has a proxy server, you can use the WSUS console to configure WSUS to use the proxy server. This allows WSUS to access Microsoft Update on the Web. You can configure the proxy server by completing the following steps:

  1. Open the WSUS console.

  2. Click Options → Synchronization Options.

  3. Under Proxy Server, select Use A Proxy Server When Synchronizing, and then enter the proxy server name and port number.

  4. To connect to the proxy server using specific user credentials, click Use User Credentials To Connect To The Proxy Server. Enter the username, domain, and password of the authorized user account. Leave Allow Basic Authentication cleared unless the proxy requires it; with that option the password crosses the network in cleartext.

  5. Click Tasks, click Save Settings, and then click OK.

Next, you should specify the products or product families that will be maintained using WSUS. To do this, follow these steps:

  1. Open the WSUS console.

  2. Click Options → Synchronization Options.

  3. Under Products, click Change. In the Add/Remove Products box, select the products or product families to maintain, and then click OK.

  4. Under Update classifications, click Change.

  5. In the Add/Remove Classifications box, under Classifications, select the update classifications for the obtained updates, and then click OK.

After you specify the products to maintain, you can synchronize WSUS. When you do this, WSUS downloads updates from Microsoft Update or another WSUS server as appropriate. Only new updates made available since the last time you synchronized are downloaded. If this is the first time you are synchronizing the WSUS server, all of the updates are made available for approval. When you approve updates, they are made available to clients for installation.

You can synchronize the WSUS server and approve updates by completing the following steps:

  1. Open the WSUS console.

  2. Click Options → Synchronization Options. Under Tasks, click Synchronize Now, and wait for the synchronization to finish.

  3. Click Updates to view the list of updates.

  4. Select the updates you want to approve for installation.

  5. Under Update Tasks, click Approve For Installation.

  6. In the Approve Updates dialog box, the action for the Approve list is set to Install for the All Computers group by default. You can specify a different group if desired.

  7. Click OK to approve the selected updates for the desired group.

2.5.6.4. Installing and configuring Automatic Update client settings

Once you've configured WSUS, you only need to make the client computer aware of the WSUS configuration to ensure approved updates can be downloaded and installed according to the Automatic Updates settings. Do this by configuring Automatic Updates to download and install updates, and by specifying through policy that the WSUS server should be used for obtaining updates.


Tip: Only the WSUS-compatible version of Automatic Updates can talk to a WSUS server. Computers running Windows XP Service Pack 2 or later and Windows Server 2003 Service Pack 1 or later already have it. Other Windows 2000, Windows XP, and Windows Server 2003 computers typically update themselves the first time Automatic Updates contacts the WSUS server, by retrieving the new client from the Selfupdate virtual directory.

On Windows XP and Windows Server 2003 computers, Automatic Updates can be managed using the options in the Automatic Updates tab of the System utility or Group Policy. Policy settings made in Group Policy always have precedence over user-defined settings.

You can enable Automatic Updates on a computer by completing the following steps:

  1. Open System in Control Panel.

  2. Click the Automatic Updates tab as shown in Figure 2-42.

    Figure 2-42. Configure Automatic Updates using the System utility or Group Policy.

  3. Because only approved updates are made available to computers, Automatic Updates should be configured to automatically download and install updates. Select Automatic.

  4. Specify the download interval and time. The download and install interval can be every day or a specific day of the week. The download time can be set to any time when the computer is on (and optimally when network activity is low).

  5. Click OK.

The preferred way to configure Automatic Updates for domain computers is to use policy settings. Typically, you'll do this with the Configure Automatic Updates policy located in the applicable GPO under Computer Configuration\Administrative Templates\Windows Components\Windows Update. Follow these steps:

  1. Open the applicable GPO for editing.

  2. Expand Computer Configuration → Administrative Templates → Windows Components → Windows Update.

  3. Double-click Configure Automatic Updates, and then select the Enabled radio button.

  4. Select "4 - Auto download and schedule the install."

  5. Set the install day and time.

  6. Click OK.

To specify the WSUS server from which updates should be obtained, follow these steps:

  1. Open the applicable GPO for editing.

  2. Expand Computer Configuration → Administrative Templates → Windows Components → Windows Update.

  3. Double-click Specify Intranet Microsoft Update Service Location, and then select the Enabled radio button.

  4. Type the URL of the WSUS server in both of the text boxes provided: the intranet update service for detecting updates and the intranet statistics server. Include the port if you created the custom WSUS web site, for example http://WSUSServerName:8530.

  5. Click OK.

Once Group Policy is refreshed, client computers will start using the WSUS server for updates. Periodic refresh of Group Policy happens automatically. You can force a computer to refresh policy by typing gpupdate /force at a command prompt.
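The two policies above write values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, so you can verify from the client that a computer actually picked up the WSUS configuration instead of waiting for it to appear in the WSUS console. The following PowerShell script is an added example, not code from the book: it assumes Windows PowerShell 2.0 or later, a WSUS server named wsus01.example.com on the custom port 8530 (both assumed), and the documented policy value names. Test-WsusClientConfig reports every mismatch, Set-WsusClientConfig writes the same values for workgroup computers that receive no Group Policy, and Test-WsusSelfupdate checks that the Selfupdate virtual directory is reachable.

```powershell
# Added example (not from the book): audit, and for non-domain computers set, the
# Automatic Updates / WSUS client settings that the two Group Policy settings above write.
# The server name and port in $ExpectedWsus are assumptions.
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey        = "$PolicyKey\AU"
$ExpectedWsus = 'http://wsus01.example.com:8530'   # assumed WSUS server and custom web site port

function Get-WsusClientConfig {
    # Returns the effective policy values; a property is $null when the value is not set.
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        WUServer             = $wu.WUServer          # "intranet update service for detecting updates"
        WUStatusServer       = $wu.WUStatusServer    # "intranet statistics server"
        UseWUServer          = $au.UseWUServer       # 1 = use WSUS instead of Microsoft Update
        AUOptions            = $au.AUOptions         # 4 = auto download and schedule the install
        NoAutoUpdate         = $au.NoAutoUpdate      # 1 = Automatic Updates disabled by policy
        ScheduledInstallDay  = $au.ScheduledInstallDay
        ScheduledInstallTime = $au.ScheduledInstallTime
    }
}

function Test-WsusClientConfig {
    # Returns one message per problem; an empty result means the client matches $Expected.
    param([string]$Expected = $ExpectedWsus)
    $cfg = Get-WsusClientConfig
    $problems = @()
    if ($cfg.UseWUServer -ne 1)           { $problems += 'UseWUServer is not 1: client goes to Microsoft Update, not WSUS' }
    if ($cfg.WUServer -ne $Expected)      { $problems += "WUServer is '$($cfg.WUServer)', expected '$Expected'" }
    if ($cfg.WUStatusServer -ne $Expected){ $problems += "WUStatusServer is '$($cfg.WUStatusServer)', expected '$Expected'" }
    if ($cfg.AUOptions -ne 4)             { $problems += "AUOptions is '$($cfg.AUOptions)', expected 4 (auto download and schedule install)" }
    if ($cfg.NoAutoUpdate -eq 1)          { $problems += 'NoAutoUpdate is 1: Automatic Updates is disabled by policy' }
    # Hardening note: over plain HTTP anyone who can intercept the client's traffic can
    # tamper with the update metadata it receives; move the WSUS site to https:// once it has a certificate.
    if ($cfg.WUServer -and $cfg.WUServer -notmatch '^https://') { $problems += 'Hardening: WUServer is not https://, update metadata is fetched unauthenticated' }
    $problems
}

function Set-WsusClientConfig {
    # Writes the values the GPO would write. Only useful on computers outside the domain:
    # on domain members Group Policy overwrites these keys at every refresh.
    param([string]$WsusUrl = $ExpectedWsus, [int]$InstallDay = 0, [int]$InstallTime = 3)
    foreach ($k in $PolicyKey, $AuKey) { if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null } }
    Set-ItemProperty -Path $PolicyKey -Name WUServer             -Value $WsusUrl
    Set-ItemProperty -Path $PolicyKey -Name WUStatusServer       -Value $WsusUrl
    Set-ItemProperty -Path $AuKey     -Name UseWUServer          -Value 1            -Type DWord
    Set-ItemProperty -Path $AuKey     -Name NoAutoUpdate         -Value 0            -Type DWord
    Set-ItemProperty -Path $AuKey     -Name AUOptions            -Value 4            -Type DWord
    Set-ItemProperty -Path $AuKey     -Name ScheduledInstallDay  -Value $InstallDay  -Type DWord   # 0 = every day, 1 = Sunday ... 7 = Saturday
    Set-ItemProperty -Path $AuKey     -Name ScheduledInstallTime -Value $InstallTime -Type DWord   # hour of day, 0-23
}

function Test-WsusSelfupdate {
    # Checks that the Selfupdate virtual directory is reachable; wuident.cab is the file
    # the Automatic Updates client requests there to decide whether it must update itself.
    param([string]$WsusUrl = $ExpectedWsus)
    $req = [System.Net.WebRequest]::Create("$WsusUrl/selfupdate/wuident.cab")
    $req.Method = 'HEAD'
    try { $resp = $req.GetResponse(); $ok = ($resp.StatusCode -eq 'OK'); $resp.Close(); $ok }
    catch { $false }
}

# Usage: report problems, then force a policy refresh and a detection cycle so the
# computer shows up in the WSUS console without waiting for the next scheduled check.
$issues = Test-WsusClientConfig
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Host 'WSUS client policy matches the expected configuration' }
if (-not (Test-WsusSelfupdate)) { Write-Warning "Cannot reach $ExpectedWsus/selfupdate/wuident.cab" }
gpupdate /force | Out-Null
wuauclt /detectnow
```

Run it in an elevated prompt on the client. Because the default expected URL is http://, the hardening message is always present until the WSUS site is switched to HTTPS; that is deliberate, so the report keeps pointing at the weak setting rather than hiding it.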

2.5.7. Managing Software Site Licensing

Microsoft and other software vendors do not sell their software; they license it for use. When you buy operating system and product software, you are buying a license to use the software in accordance with the End User Licensing Agreement (EULA) and copyright law.


Tip: Managing software site licensing is a major objective on Exam 70-290. Typically, you'll see several licensing questions on the exam.
2.5.7.1. Understanding licensing

Microsoft offers:


Retail product licenses

Typically, individuals and small businesses use retail product licenses. During installation of a retail product, a product key must be provided. After installation, the product usually must be activated over the Internet or by phone before it can be used.


Volume licensing

Organizations that use multiple Microsoft products or require multiple licenses typically will use volume licensing to get discount pricing. Most software obtained through volume licensing does not require a product key during installation or activation prior to use.

With server products, licensing extends to the clients that access the server. This means there's both a server license and a client access license:

  • Every Windows server system must have a server license for the operating system and separate licenses for any server products that are installed, such as Exchange or SQL Server.

  • Every client or device that connects to a server must have a client access license (CAL).

Client access licenses can be managed:


Per server

Each concurrent connection to a server requires a client access license. This hard limit on the number of concurrent connections cannot be exceeded. If a server has 100 CALs, the 101st connection would be denied.

Per-server CALs are specific to a particular server. If clients connect to multiple servers, each server must have its own set of CALs, and you must purchase at least as many CALs for a given server as the maximum number of clients that might simultaneously connect to that server.


Per user or device

Each client that connects to a server requires a client access license that allows it to connect to any server in the organization. Each client (a user or a device) must have a CAL for each type of server to which it will connect. For example, one CAL for Windows Server 2003, one CAL for Exchange Server, and one CAL for SQL Server.


Per processor

Each processor (physical or virtual) on a server must have a license. This license allows an unlimited number of clients to connect to the server and does not require a separate license for each client. SQL Server can be licensed on a per-processor basis.

Determining which licensing technique to use isn't always easy. Here are some guidelines:

  • Per-server licensing may be a good option when an organization has few servers and limited access to those servers. It scales poorly: if the organization has 10 servers that will each be accessed by 100 clients, each server needs its own 100 CALs, for a total of 1,000 CALs.

  • Per-user or per-device licensing typically is the best option for an organization's internal network. With per-user or device licensing, the total number of CALs needed is determined by the number of users, devices, or mixture thereof that needs access. Allowing for a mixture of users and devices can save the organization a lot of money. If 90 shift workers use 30 computers, 30 device CALs can be used. If 30 workers each have 3 computers, 30 user CALs can be used.

  • Per-processor licensing allows for an unlimited number of client connections and is most useful in large enterprises and on the Internet where thousands of users may simultaneously connect to a server.

Windows Server 2003 includes two connections for Remote Desktop for Administration, which allows up to two administrators to manage a server remotely without Terminal Server CALs. For connections to applications hosted on a terminal server, every client must have a Terminal Server CAL. This CAL may or may not be included with the client operating system license.

2.5.7.2. Configuring server licensing

You set a server's licensing mode when you install the server. Microsoft allows you to make a one-time only switch from per-server licensing to per-user/per-device licensing. Microsoft does not permit switching from per-user/per-device licensing to per-server licensing.

After you install a Windows server, you can track CAL licensing for the server. When you install other Microsoft server products, such as Exchange Server or SQL Server, you can track CAL licensing for those products as well. To manage licensing, you must be a member of the Administrators group for the local server or for the domain. Two licensing tools are available:


Licensing utility in Control Panel

In workgroups or for individual servers, you can manage server licensing separately for each Windows server using the Licensing tool in Control Panel (see Figure 2-43). With per-server licensing, you can add licenses by selecting a product on the Product list, clicking the Add Licenses button, and then specifying the licenses to add.

Figure 2-43. Use the Licensing utility to control licensing on individual computers.


Licensing console under Administrative Tools

In Active Directory domains, you can centralize the control of licensing on a per-site basis through a designated site-licensing server, and then replicate the licensing throughout that site. You manage site licensing using the Licensing console (see Figure 2-44). Click Start → Programs → Administrative Tools → Licensing. The License Logging service is used to manage enterprise licensing and must be running for you to assign licenses, track license usage, and manage license configurations.

Figure 2-44. Use the Licensing console to manage enterprise site licensing.

In Active Directory domains, you must work with the proper site-licensing server to manage licensing. You can determine the site-licensing server by completing the following steps:

  1. Open Active Directory Sites And Services.

  2. Click the node for the site.

  3. Double-click Licensing Site Settings.

  4. The current site-licensing server is displayed by name and domain as shown in Figure 2-45.

    Figure 2-45. Determining the site licensing server.

By default, the site-licensing server is the first domain controller installed in the site. Site licensing can be moved to a member server or domain controller by clicking Change on the Licensing Settings tab and selecting the member server or domain controller to which you want to move site licensing. To preserve the licensing history, immediately stop the License Logging service on the new site-licensing server, copy the licensing history from the old server to the new one, and then restart the License Logging service. The files to copy are %SystemRoot%\system32\cpl.cfg, %SystemRoot%\Lls\Llsuser.lls, and %SystemRoot%\Lls\Llsmap.lls.

Per-device and per-user licensing require one CAL for each device or user. The License Logging service, however, tracks licenses by username. When multiple users share one or more devices, you must create license groups to prevent the License Logging service from counting more licenses than are actually in use.
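The move described above is easy to get wrong by hand: copying Llsuser.lls without Llsmap.lls leaves the history inconsistent, and forgetting to restart the service stops license tracking altogether. The following PowerShell script is an added example, not code from the book. It runs on the new site-licensing server after you have changed the server in Active Directory Sites And Services, reads the three files over the old server's ADMIN$ share (which maps to %SystemRoot%), and assumes Windows PowerShell 2.0 or later, the service name LicenseService for the License Logging service, and the old server name OLDDC01 (all assumptions).

```powershell
# Added example (not from the book): move the License Logging history to a new
# site-licensing server. The file names are the ones the text lists; the service
# name and the old server name are assumptions.
$HistoryFiles = 'system32\cpl.cfg', 'Lls\Llsuser.lls', 'Lls\Llsmap.lls'
$ServiceName  = 'LicenseService'   # assumed service name for "License Logging" on Windows Server 2003

function Set-LicenseLoggingState {
    # Stops or starts License Logging on the given computer and waits for the transition.
    param([string]$ComputerName = $env:COMPUTERNAME, [ValidateSet('Stopped', 'Running')][string]$State)
    $svc = Get-Service -Name $ServiceName -ComputerName $ComputerName
    if ($svc.Status -eq $State) { return }
    if ($State -eq 'Stopped') { $svc.Stop() } else { $svc.Start() }
    $svc.WaitForStatus($State, [TimeSpan]::FromMinutes(1))
}

function Copy-LicenseHistory {
    param([Parameter(Mandatory = $true)][string]$OldServer)
    $source = "\\$OldServer\ADMIN$"   # ADMIN$ maps to %SystemRoot% on the old server
    $dest   = $env:SystemRoot

    # Check every file first, so a partial copy never leaves Llsuser.lls and Llsmap.lls out of step.
    $missing = @($HistoryFiles | Where-Object { -not (Test-Path (Join-Path $source $_)) })
    if ($missing.Count -gt 0) { throw "History files missing on ${OldServer}: $($missing -join ', ')" }

    # The text stops the service on the new server; stopping it on the old server as
    # well (an added precaution) makes sure the files are not being written during the copy.
    Set-LicenseLoggingState -ComputerName $OldServer -State Stopped
    Set-LicenseLoggingState -State Stopped
    try {
        foreach ($f in $HistoryFiles) {
            $target = Join-Path $dest $f
            if (Test-Path $target) { Copy-Item $target "$target.bak" -Force }   # keep the new server's own copy for rollback
            Copy-Item (Join-Path $source $f) $target -Force
        }
    } finally {
        # Restart License Logging on both servers even if the copy failed, so tracking does not silently stop.
        Set-LicenseLoggingState -State Running
        Set-LicenseLoggingState -ComputerName $OldServer -State Running
    }
}

# Usage: run as a domain administrator on the new site-licensing server.
Copy-LicenseHistory -OldServer 'OLDDC01'
```

After the copy, open the Licensing console on the new server and confirm that the purchase history and per-user allocations match what the old server showed before the move.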

A license group is a collection of users who share one or more CALs. With a license group, the License Logging service tracks users by name, but assigns a CAL from the allocation assigned to the related license group. For example, if Alpha group in your company has 3 shifts of workers, you might create a license group with 30 users as members and assign the group 10 CALs to represent the 10 devices they share.

To create a license group, use the following technique:

  1. Open the Licensing console under Administrative Tools.

  2. Click Options → Advanced → New License Group.

  3. Using the Add button, add each user that should be a member of the license group.

  4. Click OK.




MCSE Core Required Exams in a Nutshell: The required 70: 290, 291, 293 and 294 Exams (In a Nutshell (O'Reilly))
ISBN: 0596102283
Year: 2006