2.5. Managing and Maintaining a Server Environment

Managing and maintaining a server environment encompasses many aspects of administration. Because server performance can degrade over time, you need to:
Beyond the essential monitoring that may be required for maintenance, you'll also need to manage the essential infrastructure, including any web servers, print queues, software licensing, and software updates. By closely watching essential services, queues, and infrastructure, you ensure that the server environment continues to operate as expected.

2.5.1. Monitoring and Analyzing Events

Windows Server 2003 includes a set of logfiles that are used to record system events of various types. If you suspect a system has a problem, the event logs should be the first place you look to diagnose the problem.

2.5.1.1. Understanding the event logs

All Windows Server 2003 systems have three general-purpose logs:
The availability of other logs depends on the system configuration. Logs you may see include:
2.5.1.2. Accessing and reviewing events

Event logs are accessible in the Event Viewer (eventvwr.exe). In the Computer Management console (compmgmt.msc), you can view an event log by double-clicking System Tools, double-clicking Event Viewer, and then selecting the log you want to view, as shown in Figure 2-24.

Figure 2-24. Events are listed in date/time order.

Events are recorded in date/time order, with the most recent events at the start of the log and the oldest events at the end. When analyzing events, pay particular attention to the following:
You should use the event type designator to determine whether an event warrants further investigation. Event types you'll see include:
When you are troubleshooting system problems, the events you'll look at most closely are warnings and errors. For security issues, the events you'll look at most closely are failure audits. When working with a particular log, you can set properties that determine how events are recorded. You can also set filtering options so that you see only events that meet specific requirements. By default, Windows Server 2003 logs are configured to overwrite old events as needed. As a result, when a log reaches its maximum size, the operating system overwrites old events with new events.

2.5.1.3. Viewing and setting log options

You can view and set logging options on a per-log basis by completing the following steps:
You can set filtering options for a log by completing the following steps:
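A triage of a saved event log along the lines described above, added here as an example and not part of the study guide: it reads an event log saved from Event Viewer as comma-delimited text, restores chronological order, pulls out warnings and errors (or, for the Security log, failure audits), and finds the events that keep repeating. The column layout and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# The five event type designators shown in Event Viewer.
EVENT_TYPES = ("Information", "Warning", "Error", "Success Audit", "Failure Audit")

# Constructed sample exports (newest first, as Event Viewer lists them). The
# column layout assumed here is Type,Date,Time,Source,Category,Event,User,Computer.
SAMPLE_SYSTEM_CSV = """\
Type,Date,Time,Source,Category,Event,User,Computer
Error,1/15/2006,8:07:03 AM,Service Control Manager,None,7000,N/A,SRV01
Warning,1/15/2006,8:05:40 AM,W32Time,None,36,N/A,SRV01
Information,1/15/2006,8:02:11 AM,eventlog,None,6005,N/A,SRV01
Information,1/14/2006,11:58:30 PM,Print,None,10,N/A,SRV01
"""

SAMPLE_SECURITY_CSV = """\
Type,Date,Time,Source,Category,Event,User,Computer
Failure Audit,1/15/2006,8:10:05 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SRV01
Failure Audit,1/15/2006,8:10:02 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SRV01
Success Audit,1/15/2006,8:09:50 AM,Security,Logon/Logoff,528,CORP\\jsmith,SRV01
Failure Audit,1/15/2006,8:09:41 AM,Security,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SRV01
"""


def parse_export(text):
    """Parse a saved log into a list of dicts, one per event, and attach a
    datetime built from the Date and Time columns."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        if row["Type"] not in EVENT_TYPES:
            raise ValueError("unknown event type: %r" % row["Type"])
        row["When"] = datetime.strptime(
            row["Date"] + " " + row["Time"], "%m/%d/%Y %I:%M:%S %p")
    return rows


def chronological(rows):
    """Event Viewer lists the newest event first; reorder oldest-first so a
    sequence of related events reads as a timeline."""
    return sorted(rows, key=lambda r: r["When"])


def summarize_by_type(rows):
    """Count events per type designator."""
    return Counter(r["Type"] for r in rows)


def events_to_investigate(rows, log_name):
    """Apply the guide's rule: in the Security log look at failure audits; in
    the other logs look at warnings and errors."""
    wanted = {"Failure Audit"} if log_name == "Security" else {"Warning", "Error"}
    return [r for r in rows if r["Type"] in wanted]


def repeated_events(rows, min_count=3):
    """(Source, Event ID) pairs logged at least min_count times. Repetition is
    what separates a one-off from an ongoing condition, such as a service that
    fails on every start or an account that keeps failing to log on."""
    counts = Counter((r["Source"], r["Event"]) for r in rows)
    return {key: n for key, n in counts.items() if n >= min_count}
```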
2.5.2. Monitoring System Performance

Generally, you'll use performance monitoring to ensure the ongoing performance of systems, to troubleshoot, and to optimize performance. Windows Server 2003 includes several tools for monitoring system performance. The two you'll use most frequently are:
Each tool has a specific use and a place in the overall system monitoring plan, as well as in optimization and general troubleshooting. Task Manager can be used to diagnose nonresponsive applications and identify possible problems with processors, network connections, and memory. The Performance console is a powerful tool that can be used to pinpoint the exact origin of a performance problem and to help you optimize the system configuration.

2.5.2.1. Working with Task Manager

Task Manager displays the current status of applications, background processes, and system resources. To open Task Manager, log on to the computer you want to monitor, and then press Ctrl+Alt+Del and click Task Manager, or type taskmgr at a command prompt. When you start Task Manager, the default tab accessed is the Applications tab, as shown in Figure 2-27. The Applications tab shows the status of the programs that are currently running on the system. The status can be "Running" or "Not Responding." You can stop an application that isn't responding by clicking the application name and then clicking End Task. Start a new program by clicking New Task and then entering a command to run the application. Go to the related process in the Processes tab by right-clicking an application and then selecting Go To Process.

Figure 2-27. The Applications tab of Task Manager shows the status of applications.

The Processes tab (see Figure 2-28) displays detailed information about processes, which are programs running on the computer and can include foreground applications run by users and background applications run by the operating system. You can work with this tab as follows:

Figure 2-28. The Processes tab of Task Manager shows the foreground and background processes.
The Performance tab (see Figure 2-29) displays a real-time overview of resource usage. Graphs for each processor provide a visual summary of resource usage. CPU Usage History is a history graph of CPU usage plotted over time. Page File Usage History is a history graph of paging file (or virtual memory) usage plotted over time. You can change the graphs using:

Figure 2-29. The Performance tab of Task Manager shows resource usage.
The text lists below the graphs summarize the usage of physical, kernel, and commit memory as well as the number of active handles, threads, and processes:
The Networking tab provides a summary of active network connections. A graph depicts the percentage of utilization for each network connection. A text summary lists network connections by name, percent utilization, link speed, and operational status. By default, the graph displays network adapter history according to the total byte count. Click View → Network History to add bytes sent and bytes received. The Users tab provides a summary of interactive user sessions for both local and remote users. Users are listed by account name, session ID, status, originating client computer, and session type. Console sessions represent users logged on to the local system. RDP-Tcp sessions represent users logged on using Remote Desktop Protocol over TCP. Right-click user sessions to display options for disconnecting, logging off, and remote control.

2.5.2.2. Working with the Performance console

Using the Performance console, you can perform in-depth monitoring and analysis of computer activity. Start the Performance console by clicking Start → Programs → Administrative Tools → Performance or by typing perfmon.msc at a command prompt. The Performance console's remote monitoring capabilities allow you to track the performance of multiple computers from a single monitoring computer.

2.5.2.2.1. Understanding performance monitoring

As Figure 2-30 shows, the Performance console has two snap-ins:

Figure 2-30. Use the Performance console to monitor and analyze computer activity.
Users do not need to be administrators to monitor or log performance. Any user that is a member of the built-in group Performance Monitor Users can monitor performance counters, logs, and alerts. Any user that is a member of the built-in group Performance Log Users can schedule logging and alerting. Whether you are monitoring system performance, configuring performance logs, or setting performance alerts, you specify the activity to track or alert by using:
Tip: When working with performance objects, object counters, and object instances, you'll see various notation schemes. Typically, performance objects are referred to by name, such as the Memory object. Performance counters are referred to via the object to which they relate, in the form ObjectName\CounterName. For example, to refer to the Committed Bytes counter of the Memory object, the notation Memory\Committed Bytes is used. Object instances are referred to with regard to the object and counter to which they relate, in the form ObjectName(instance_name)\CounterName, such as Process(dns)\Pool Paged Bytes.

Data collected by System Monitor can be summarized in multiple formats: graph, histogram, and report. Graph is the default format. When working with System Monitor, press Ctrl+B for histogram or Ctrl+R for report format.

2.5.2.2.2. Monitoring performance of local and remote systems

Performance can be tracked on the system you want to monitor or from another computer. To specify counters to monitor, follow these steps:
When working with System Monitor, you can stop monitoring a counter by clicking the counter in the counter list and then pressing Delete.

2.5.2.2.3. Performance logging

Real-time monitoring in System Monitor is useful when you are diagnosing a current performance issue or problem. When you want to track performance over time, however, you'll want to use performance logging. You can configure performance logging using:
To create a performance log, follow these steps:
You can manually start or stop logging by right-clicking a log and then selecting either Start or Stop as appropriate. You can replay logged data at a later date to analyze performance by completing the following steps:
2.5.2.2.4. Performance alerting

When you want to be alerted to potential problems or track specific conditions, you'll want to use performance alerting. To configure performance alerting, specify alerts that should be triggered when a performance parameter reaches a specific limit or threshold. Alerts can be configured to start applications and performance logs as well. To create an alert, follow these steps:
You can manually start or stop alerting by right-clicking an alert and then selecting either Start or Stop as appropriate.

2.5.3. Monitoring and Optimizing a Server Environment for Performance

Monitoring Windows systems can help you establish baseline usage statistics and evaluate ongoing performance. Use baselines to determine how a system performs under various usage loads. Use performance evaluations to determine whether a system is performing as expected. When it comes to optimization, virtual memory is as important as physical memory. In most cases, servers with 2 GB or less of physical memory should have virtual memory that is at least two times physical memory. For best performance, virtual memory should have a fixed size and be located on multiple physical disks. You can set virtual memory using the System utility in the Control Panel. In the System utility, click the Advanced tab, and then, under Performance, click Settings to display the Performance Options dialog box. In the Performance Options dialog box, click the Advanced tab, and then click Change under Virtual Memory. You can then use the available options to view and manage the virtual memory settings for the computer.

2.5.3.1. Choosing objects to monitor

The object counters you choose to monitor will vary depending on the role of the computer you are working with. With most Windows systems, you'll want to monitor the four key performance areas:
If you create performance baselines for systems, you can compare these and other performance areas in the baselines to current performance. This will help you identify potential problems and bottlenecks that might cause a system to operate at less than optimal performance levels. Table 2-12 lists various server roles and the objects typically monitored for those roles, and provides guidelines on additional objects to add when troubleshooting.
2.5.3.2. Monitoring memory performance objects

Windows systems have both physical and virtual memory. Memory bottlenecks occur when low available memory conditions cause increased usage of the paging file. Page faults occur when requests for data are not found in memory and the system must look to other areas of memory or to virtual memory on disk. Two types of page faults are tracked:
When a system is running low on memory, hard page faults can make the system appear to have a disk problem due to excessive page swapping between physical and virtual memory. You can determine physical and virtual memory usage by using Memory\Available KBytes and Memory\Committed Bytes. Memory\Available KBytes is the amount of physical memory not yet in use. Memory\Committed Bytes is the amount of committed virtual memory. The Memory\Page Faults/sec counter helps you track page faults. Specific usage of the paging file can be tracked using Paging File\% Usage. If the available memory is low, consider adding physical memory, virtual memory, or both to the system. You can determine the current amount of virtual memory available to a system using Memory\Commit Limit. The difference between the commit limit and the committed bytes is the amount of virtual memory available for use. Table 2-13 summarizes specific indicators of memory bottlenecks and potential resolutions.
2.5.3.3. Monitoring processor performance objects

Systems with high processor utilization may perform poorly. If a system's processor utilization peaks at 100 percent, the processor is fully utilized and the system is likely overloaded. You can determine processor utilization using Processor\% Processor Time. Another counter that can help you identify processor bottlenecks is System\Processor Queue Length, which tracks the number of threads waiting to be executed. If there are multiple threads waiting to execute, the processor isn't keeping up with the current workload. You can resolve this by shifting part of the system's workload to other computers or installing additional processors. When a program allocates memory for use but does not fully release it, the program may have a memory leak. Over time, a memory leak can cause a system to run low on or run out of memory. Rebooting the system can temporarily fix the problem. To help determine which specific process or processes are causing the processor bottleneck, you can use the counters of the Process object. Each running process has a separate instance of the Process object. You'll want to track Process(process_name)\Handle Count, Process(process_name)\Thread Count, Process(process_name)\Pool Paged Bytes, Process(process_name)\Private Bytes, and Process(process_name)\Virtual Bytes to determine how a particular process is using memory. Table 2-14 summarizes specific indicators of processor bottlenecks and potential resolutions.
2.5.3.4. Monitoring network performance objects

The available network bandwidth determines how fast data is sent between clients and servers. When the network bandwidth is saturated, network performance suffers because clients and servers aren't able to communicate with each other in a timely and efficient manner. Most computers have network interfaces that operate at 100 megabits per second (100 Mbps) or at 1 gigabit per second (1 Gbps). Because most networks operate at these same speeds, the network typically gets saturated before a computer reaches maximum network utilization. That said, if you suspect the problem is with a particular computer rather than with the network itself, you can determine this using the Network Interface performance object. The Network Interface\Output Queue Length counter can help you identify network saturation issues. You can use Network Interface\Current Bandwidth to determine the current bandwidth setting and total capacity of a particular network interface. Network Interface\Bytes Total/sec provides the total bytes sent or received per second. If the total bytes per second value is more than 50 percent of the total capacity, the system may have a network bottleneck problem. You can resolve this by shifting part of the system's workload to other computers or installing additional network interface cards. Table 2-15 summarizes specific indicators of network bottlenecks and potential resolutions.
2.5.3.5. Monitoring disk performance objects

Disk performance is tracked using the PhysicalDisk and LogicalDisk objects. PhysicalDisk objects are available for each physical hard disk on a system. LogicalDisk objects are available for each logical volume created on a system. To track free space on logical disks, you can use the LogicalDisk\% Free Space counter. To determine the level of disk I/O activity, you can use the PhysicalDisk\Disk Writes/sec and PhysicalDisk\Disk Reads/sec counters. PhysicalDisk\Avg. Disk Write Queue Length, PhysicalDisk\Avg. Disk Read Queue Length, and PhysicalDisk\Current Disk Queue Length track disk-queuing activity. The write and read queue lengths are a measure of how well disks are performing. If there are multiple requests in a write or read queue waiting to be processed, the disk isn't performing fast enough to keep up with I/O requests. As discussed previously, this problem could be due to the excessive page swapping that may occur if physical memory is low. An indicator of this may be a consistently high PhysicalDisk\% Disk Time value. However, if physical memory is not low, the disk itself is the problem, and you'll need to upgrade to faster disks or shift the disk's workload to other disks. Table 2-16 summarizes specific indicators of disk bottlenecks and potential resolutions.
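The counter notation from the tip in section 2.5.2.2.1, the virtual memory sizing rule, and the memory, processor, network and disk indicators above, worked as an added example that is not from the study guide: a parser for Object(instance)\Counter paths and a bottleneck check run over constructed samples. The sample values, the helper names, and every cut-off other than the 50 percent network rule are assumptions, not figures from the text.

```python
import re

# Object(instance)\Counter, optionally prefixed with \\Computer (see the tip above).
_COUNTER_PATH = re.compile(
    r"^(?:\\\\(?P<computer>[^\\]+)\\)?"     # \\SRV01\
    r"(?P<object>[^\\(]+)"                  # Memory, Process, PhysicalDisk ...
    r"(?:\((?P<instance>[^)]*)\))?"         # (dns), (_Total), (0 C:)
    r"\\(?P<counter>[^\\]+)$")              # \Committed Bytes

def parse_counter_path(path):
    """Split a counter path into computer, object, instance and counter."""
    m = _COUNTER_PATH.match(path)
    if not m:
        raise ValueError("not a counter path: %r" % path)
    return m.groupdict()

def format_counter_path(obj, counter, instance=None, computer=None):
    """The inverse: build System Monitor notation from its parts."""
    path = obj if instance is None else "%s(%s)" % (obj, instance)
    path = "%s\\%s" % (path, counter)
    return path if computer is None else "\\\\%s\\%s" % (computer, path)

# Constructed samples from a fictional 2 GB server, keyed by counter path.
PHYSICAL_MEMORY = 2 * 1024 ** 3
SAMPLE = {
    r"Memory\Available KBytes": 24_576,
    r"Memory\Committed Bytes": 3_900_000_000,
    r"Memory\Commit Limit": 4_294_967_296,
    r"Paging File(_Total)\% Usage": 91.0,
    r"Processor(_Total)\% Processor Time": 97.0,
    r"System\Processor Queue Length": 6,
    r"Network Interface(Intel Pro 1000)\Bytes Total/sec": 7_500_000.0,
    r"Network Interface(Intel Pro 1000)\Current Bandwidth": 100_000_000,
    r"PhysicalDisk(0 C:)\Avg. Disk Write Queue Length": 4.0,
    r"PhysicalDisk(0 C:)\Avg. Disk Read Queue Length": 0.5,
    r"LogicalDisk(C:)\% Free Space": 12.0,
}

def counter(samples, obj, name, instance=None):
    return samples[format_counter_path(obj, name, instance)]

def instances(samples, obj):
    """Instance names present for an object, in sample order."""
    found = []
    for path in samples:
        parts = parse_counter_path(path)
        if parts["object"] == obj and parts["instance"] not in (None, *found):
            found.append(parts["instance"])
    return found

def available_virtual_memory(samples):
    """Commit limit minus committed bytes: the virtual memory still available."""
    return (counter(samples, "Memory", "Commit Limit")
            - counter(samples, "Memory", "Committed Bytes"))

def recommended_paging_file(physical_bytes):
    """2 GB or less of RAM: paging file at least twice physical memory. The
    text gives no rule for larger servers, so None is returned for them."""
    return 2 * physical_bytes if physical_bytes <= 2 * 1024 ** 3 else None

def network_utilization(samples, nic):
    """Fraction of link capacity in use. Current Bandwidth is reported in
    bits/sec and Bytes Total/sec in bytes, hence the factor of 8."""
    bits = 8 * counter(samples, "Network Interface", "Bytes Total/sec", nic)
    return bits / counter(samples, "Network Interface", "Current Bandwidth", nic)

def find_bottlenecks(samples, physical_bytes):
    """Apply the indicators from the memory, processor, network and disk
    sections. Only the 50% network figure is from the text; the cut-offs of
    5% free RAM, 75% paging file use, 90% CPU, queue length 2 and 15% free
    disk space are assumed rules of thumb. Returns (resource, note) pairs."""
    found = []
    free = counter(samples, "Memory", "Available KBytes") * 1024
    if free < 0.05 * physical_bytes and counter(samples, "Paging File", "% Usage", "_Total") > 75:
        found.append(("memory", "low available memory and heavy paging; add RAM, paging file, or both"))
    if available_virtual_memory(samples) < 0.10 * counter(samples, "Memory", "Commit Limit"):
        found.append(("virtual memory", "commit limit nearly reached; enlarge the paging file"))
    if (counter(samples, "Processor", "% Processor Time", "_Total") >= 90
            and counter(samples, "System", "Processor Queue Length") > 2):
        found.append(("processor", "sustained high use with threads queued; move workload or add processors"))
    for nic in instances(samples, "Network Interface"):
        if network_utilization(samples, nic) > 0.5:
            found.append(("network", "%s above 50%% of capacity; move workload or add interfaces" % nic))
    memory_low = any(r == "memory" for r, _ in found)
    for disk in instances(samples, "PhysicalDisk"):
        queue = max(counter(samples, "PhysicalDisk", "Avg. Disk Write Queue Length", disk),
                    counter(samples, "PhysicalDisk", "Avg. Disk Read Queue Length", disk))
        if queue > 2:
            cause = ("paging caused by low memory, so fix memory first" if memory_low
                     else "the disk itself is slow; use faster disks or spread the workload")
            found.append(("disk", "%s queue length %.1f; %s" % (disk, queue, cause)))
    for vol in instances(samples, "LogicalDisk"):
        if counter(samples, "LogicalDisk", "% Free Space", vol) < 15:
            found.append(("disk space", "%s below 15%% free" % vol))
    return found
```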
2.5.4. Monitoring File and Print Servers

When you manage file and print servers, two areas you'll need to monitor closely are disk quotas and print queues. Disk quotas help you track and manage disk space usage. Print queues are where printed documents are stored as print jobs before they are printed.

Tip: Exam 70-290 has specific objectives for monitoring NTFS disk quotas and print queues. There's also an objective for troubleshooting print queues. It is important to point out that Windows now supports two types of disk quotas: NTFS disk quotas (covered on the exam) and Storage Resource Manager disk quotas (included with Windows Server 2003 R2).

2.5.4.1. Monitoring disk quotas

NTFS disk quotas are the standard type of disk quotas supported on Windows Server 2003. With NTFS disk quotas, you configure quotas on a per-user, per-volume basis. Disk quotas cannot be configured for groups. Any NTFS volume can use disk quotas, even system volumes. FAT/FAT32 volumes, however, cannot use NTFS disk quotas. NTFS disk quotas can be configured through Group Policy or through the Quota tab on the NTFS volume. Policy settings override Quota tab settings in most cases. Specific quota limits and quota warnings can be set on each volume:
The disk space usage for each user is tracked separately. Because of this, disk space used by one user doesn't affect the disk quotas for other users. Only members of the domain Administrators group or the local system Administrators group can configure disk quotas. To enable disk quotas using the Quota tab of an NTFS volume, follow these steps:
After you enable quotas, users who exceed a warning or limit level will see a warning prompt. If you've enforced quota limits, the user will be prevented from exceeding the limit. If you've configured logging, administrators can determine which users have received warnings or reached limits using the Application event log. You can view current usage on a per-user basis by viewing the disk quota entries. On the Quota tab, click the Quota Entries button. The Quota Entries For Local Disk dialog box (shown in Figure 2-33) shows the current disk space usage and quota settings for all users, including system user accounts and domain/local user accounts.

Figure 2-33. Disk quotas are tracked for system accounts, as well as user accounts.

Although quotas do not affect the built-in Administrators group, they do affect system user accounts and domain/local user accounts. Disk space used by the operating system is tracked according to the user account used during installation. Administrators can customize the disk quota entries on a per-user basis by double-clicking an entry and setting different limits and warning levels for the selected user. Administrators can also create custom quota entries for users who haven't yet saved data on a volume. To do this, click Quota → New Quota Entry.

2.5.4.2. Monitoring and troubleshooting print queues

In Windows environments, printing can be handled in two ways:
Although the direct client-to-printer approach may seem more efficient, monitoring, maintaining, and troubleshooting such a configuration can be difficult and time-consuming because every user has a separate print queue. On the other hand, with a print server, all client computers share a common print queue on the print server. This means there's a central location for monitoring and a central location to look at when users have problems with a particular printer.

2.5.4.2.1. Working with print servers

Any workstation or server computer running Windows can be configured to act as a print server. A print server is simply a computer that is configured to share a printer. Install and manage printers using the Printers And Faxes folder. You can access this folder on a local system by clicking Start → Printers And Faxes. You can access this folder on a remote computer through My Network Places. In Windows Explorer, click My Network Places, click a domain, click a print server, and then double-click Printers. When a user sends a print job to a shared printer, the print server spools the print job to the spool folder on its local disk. Spooled print jobs are queued to be printed. Each printer has its own print queue. All printers share the same spool folder. Windows Server 2003 uses the Print Spooler service to control the spooling of print jobs. You can check the status of the Print Spooler service using the Services utility under Control Panel → Administrative Tools. Print server properties control the general settings for all shared printers on the server. In the Printers And Faxes window, click File → Server Properties to access the Print Server Properties dialog box shown in Figure 2-34. The tabs of the Print Server Properties dialog box are used as follows:

Figure 2-34. Manage general properties for all shared printers using the Print Server Properties dialog box.
The default location for the spool folder is %SystemRoot%\system32\spool\printers. The default permissions on this folder grant full control to Administrators, Print Operators, Server Operators, System, and Creator Owner. Full control for Creator Owner allows users to delete and manage their own print jobs. Authenticated Users have Read & Execute permissions so that authenticated users can access the spool folder. If these permissions are changed, spooling might fail.

2.5.4.2.2. Working with printer properties

In the Printers And Faxes window, all printers are listed by their local name. Shared printers also have a share name. It is through the share name that users access print queues. Print jobs are routed to printers according to the port or ports configured for use with that printer. Print jobs are processed in first-in-first-out, priority order. Generally speaking, higher-priority print jobs print before lower-priority jobs. When there are multiple print jobs of the same priority, jobs are processed in the order they were received, with the first job in being the first processed and printed. You can use the printer's Properties dialog box to manage its properties. You access the Properties dialog box by completing these steps:
The available tabs in a printer's Properties dialog box depend on the type and model of printer. Options on the most common tabs are used as follows:
2.5.4.2.3. Working with print queues and print jobs

Manage print queues and the jobs they contain using the print management window. To open it, double-click the printer icon in the Printers And Faxes folder. The print management window shows information about documents waiting to print, including the document name, status, owner, pages, size, and date submitted for printing. You can manage individual print jobs by right-clicking a document and choosing to pause, restart, or cancel it. You can also right-click a document and choose Properties to view its properties. You can manage the printer itself as well by pausing, canceling, or resuming printing. Click Printer → Pause Printing to pause printing. Click Printer → Pause Printing a second time to resume printing. To delete all print jobs queued for printing, click Printer → Cancel All Documents.

2.5.5. Managing Web Servers

Most network environments have web servers these days. Windows Server 2003 includes Internet Information Services (IIS) 6.0 to provide essential web services. When you install IIS on a server, you'll find there are a number of management tools that can be used. The key tool you'll use, however, is Internet Services Manager.

2.5.5.1. Installing Internet Information Services

With most versions of Windows Server 2003, IIS is not installed during the installation of the operating system. IIS is an application server component and can be installed as part of an application server configuration or separately. IIS itself includes many components that can be installed:
To install and manage a web server, you need at a minimum the Internet Services Manager and World Wide Web Server components. You can install IIS by completing these steps:
2.5.5.2. Working with the IIS Management Tools

Once you've installed IIS, you can configure and manage IIS using Internet Services Manager (see Figure 2-36). Click Start → Programs → Administrative Tools → Internet Information Services (IIS) Manager. Internet Services Manager is also available as a snap-in that can be added to the MMC.

Figure 2-36. Use Internet Services Manager to configure and manage IIS.

Internet Services Manager can be used to manage both local and remote servers. When you connect to multiple computers, each computer will have a separate management node. To connect to a remote computer in Internet Services Manager, follow these steps:
In the default configuration, web documents are stored under %SystemDrive%\Inetpub\wwwroot and web server logfiles are written to %SystemRoot%\system32\LogFiles\w3svc. A number of management scripts are also provided under %SystemRoot%\system32, including:
Tip: The IIS scripts must be run with the command-line scripting host, CScript, rather than the GUI script host, WScript.

IIS Reset (iisreset.exe), also provided in the %SystemRoot%\system32 folder, is used to stop and then restart all IIS-related services, including the IIS Admin service, FTP Publishing service, and World Wide Web Publishing Service. You can use IIS Reset to reset IIS if services become unresponsive or stop responding. In Internet Services Manager, you can reset IIS by right-clicking the hostname of the server computer, clicking All Tasks → Restart IIS, and then clicking OK in the Stop/Start/Restart dialog box. The default "What Do You Want To Do?" option is to restart IIS.

2.5.5.3. Configuring IIS

You manage the configuration of IIS at three levels:
You can back up or restore the IIS configuration in its entirety using the Configuration Backup/Restore feature. In Internet Services Manager, right-click the computer name and click All Tasks → Backup/Restore Configuration. An initial backup is created automatically when IIS is installed. Automatic backups can be created in some cases as well. With the Configuration Backup/Restore dialog box displayed, you can:
2.5.5.4. Managing security for IIS

When users connect to web servers in a browser, two levels of security apply: IIS security and Windows security. Similar to web shares, IIS provides the top layer of security and Windows provides the bottom layer. IIS security focuses on:
2.5.5.4.1. Understanding and configuring authentication controls

All web content accessed in a browser is subject to IIS's content permissions. Two types of access are allowed:
Most public web sites allow users to anonymously access content pages. When a user anonymously accesses an IIS server in a browser, the Internet guest account (IUSR_ComputerName) determines the level and type of access granted. By default, the Internet guest account grants the user the right to log on locally or as a batch job. If this account is disabled or locked out, anonymous users won't be able to access content pages on an IIS server. If this IIS server is a member of a Windows domain, the Internet guest account is a member of the Domain Users and Guests groups by default. With web applications, the web application account (IWAM_ComputerName) can be used to grant anonymous access to a web application. The web application account grants the anonymous user the right to log on as a batch job. If this account is disabled or locked out and the server is running in IIS 5 isolation mode, out-of-process applications won't be able to start. When a server is operating in IIS 6 worker process mode, this account is used only when configured for a specific application pool or pools. If the IIS server is in a domain, the web application account is a member of the Domain Users and IIS_WPG groups. Access to IIS can be controlled using authentication. The five configurable authentication modes are:
Authentication controls can be set globally or individually for each site hosted by an IIS server. At the site level, different authentication levels can be set for the site as a whole, for directories within the site, and for pages within directories. This allows you to have secure directories within otherwise unsecured sites, or even secure pages within unsecured directories. You can configure access and authentication for any of these levels by completing the following steps:
2.5.5.4.2. Understanding and configuring content permissions

Content permissions provide the top level of security for IIS. Use content permissions to determine the general allowed permissions for users who are allowed access to an IIS site, directory, or file. Content permissions granted can be further restricted or completely denied by the underlying NTFS permissions. For example, if users are granted anonymous access to a site, but NTFS permissions do not grant any permissions to the Internet guest account, users will not be able to access content regardless of the content permissions. Content permissions can be set both globally and locally. Apply global permissions using the settings of the Web Sites node; these settings are in turn inherited by all the web sites, directories, and files on a server. If you set content permissions locally for a site, directory, or page, you can override the global permissions. In cases where global and local permissions conflict, you typically will see a prompt asking whether you want to apply the global settings (and in doing so override the local settings) or retain the local settings. The content permissions are similar to those that can be applied to web shares. Content permissions include:
As with web shares, application permissions can be set as well. The configurable application permissions are:
You can configure global and local content permissions by completing the following steps:
You can configure content permissions for individual files by completing the following steps:
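A model of how the two layers described in sections 2.5.5.4.1 and 2.5.5.4.2 combine, added here as an example; it is not part of the study guide and not IIS's own implementation. It walks content permissions inherited from the Web Sites node with local overrides, maps an anonymous request to IUSR_ComputerName (failing if that account is disabled or locked out), and applies the NTFS permissions last. The permission names are IIS 6.0's (Read, Write, Script source access, Directory browsing); the server name, paths, accounts and ACLs are constructed.

```python
# IIS 6.0 content permissions as named on the Web Site and Directory tabs, and
# the NTFS right each one depends on for the underlying file or folder.
CONTENT_PERMISSIONS = {
    "Read": "Read",
    "Write": "Write",
    "Script source access": "Read",
    "Directory browsing": "Read",
}


def effective_settings(chain):
    """Walk the inheritance chain from the Web Sites node down to the file.
    Each element is (name, settings); settings is None to inherit everything,
    or a dict with 'content' (a set of permission names) and/or 'anonymous'
    (bool). A value set locally overrides the one inherited from above."""
    content, anonymous = set(), True
    for name, settings in chain:
        if settings is None:
            continue
        if "content" in settings:
            unknown = set(settings["content"]) - set(CONTENT_PERMISSIONS)
            if unknown:
                raise ValueError("%s: unknown content permission %s" % (name, sorted(unknown)))
            content = set(settings["content"])
        if "anonymous" in settings:
            anonymous = bool(settings["anonymous"])
    return content, anonymous


def resolve_request(chain, ntfs_entries, accounts, user=None, computer="SRV01"):
    """Return (principal, allowed content permissions) for one request.
    user=None is an anonymous request, which runs as IUSR_<computer>. IIS
    decides first (the top layer); NTFS then keeps only what the principal's
    entry in ntfs_entries also grants (the bottom layer)."""
    content, anonymous_allowed = effective_settings(chain)
    if user is None:
        if not anonymous_allowed:
            return None, set()           # IIS demands credentials (HTTP 401)
        principal = "IUSR_%s" % computer
        state = accounts.get(principal, {})
        if state.get("disabled") or state.get("locked_out"):
            return principal, set()      # guest account unusable: anonymous access fails
    else:
        principal = user
    ntfs_rights = ntfs_entries.get(principal, set())
    return principal, {p for p in content if CONTENT_PERMISSIONS[p] in ntfs_rights}


# Constructed configuration for a fictional server SRV01: global settings on
# the Web Sites node, a site that inherits them, and three directories.
GLOBAL = ("Web Sites", {"content": {"Read"}, "anonymous": True})
SITE = ("Default Web Site", None)
CHAINS = {
    "/index.htm": [GLOBAL, SITE, ("/index.htm", None)],
    "/secure/report.asp": [GLOBAL, SITE, ("/secure", {"anonymous": False}),
                           ("/secure/report.asp", None)],
    "/uploads/new.txt": [GLOBAL, SITE, ("/uploads", {"content": {"Read", "Write"}}),
                         ("/uploads/new.txt", None)],
    "/private/notes.htm": [GLOBAL, SITE, ("/private", None), ("/private/notes.htm", None)],
}
# NTFS entries per file; the Internet guest account has none under /private.
NTFS_ACL = {
    "/index.htm": {"IUSR_SRV01": {"Read"}, "CORP\\jsmith": {"Read"}},
    "/secure/report.asp": {"CORP\\jsmith": {"Read"}},
    "/uploads/new.txt": {"IUSR_SRV01": {"Read"}, "CORP\\jsmith": {"Read", "Write"}},
    "/private/notes.htm": {"CORP\\jsmith": {"Read"}},
}
ACCOUNTS = {"IUSR_SRV01": {"disabled": False, "locked_out": False}}
```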
2.5.6. Installing and Configuring Software Update Infrastructure

Maintaining the Windows operating system and software deployed throughout the organization is a critically important area of administration. Operating systems and application software that are not properly maintained will not function as expected. To help you maintain the operating system, Microsoft offers Automatic Updates. A system can automatically connect to Windows Update or a designated update server in your organization and obtain any necessary operating system updates. As Automatic Updates has evolved, so have the related features:
An extension of Automatic Updates, called Microsoft Update, allows you to use the Automatic Updates feature to maintain the operating system and select Microsoft products, including Office 2003 and Office XP. Microsoft Update will eventually allow you to maintain all Microsoft products using Automatic Updates. Another extension of Automatic Updates, referred to as the WSUS client, allows you to use Automatic Updates with Windows Server Update Services (WSUS). Computers running Windows XP Service Pack 2 or later and Windows Server 2003 Service Pack 1 or later already have the Automatic Updates extension for WSUS. Microsoft Update is recommended for consumer use and for small businesses that do not have a full-time Windows administrator. In all other environments, both large and small, Microsoft recommends using WSUS in a client/server configuration. Every administrator should know how to install, configure, and maintain WSUS clients and servers.

Tip: Through the summer of 2006, Exam 70-290 objectives will cover Software Update Services (SUS). However, SUS is being phased out in favor of WSUS. SUS is no longer available for download and will be supported only through December 6, 2006. The discussion in this study guide focuses on WSUS.

2.5.6.1. Understanding Windows Server Update Services (WSUS)

WSUS (previously called Windows Update Services) is provided as a patch and update component for Windows Server. WSUS has both a server and a client component. The WSUS client can run on Windows 2000 Service Pack 3 or later, Windows XP, and Windows Server 2003. Each managed client requires a Windows Server CAL. The WSUS server component uses a data store that runs with MSDE, WMSDE, or SQL Server. With SQL Server 2000 or SQL Server 2005, every device managed by WSUS requires a SQL Server CAL or a per-processor license. SUS 1.0 servers can be migrated to WSUS using the WSUSUTIL.EXE tool, which is provided in the Tools folder of the WSUS server installation.
The WSUS scanning engine is built into the Windows Update agent, which is included with Windows and is the same component that enables Automatic Updates from Windows Update. WSUS is designed to handle updates for Microsoft products, including Windows 2000, Windows XP Professional, Windows Server 2003, Office 2003, Office XP, Exchange 2003, SQL Server 2000, SQL Server 2005, and MSDE 2000. All Microsoft products will eventually be supported.

2.5.6.2. Installing Windows Server Update Services

As discussed previously, WSUS uses a client/server architecture. The WSUS server must have an NTFS-formatted system partition. The partition on which you install WSUS must likewise be formatted with NTFS. WSUS requires:
The WSUS server downloads updates from Microsoft Update over the Internet using HTTP (port 80) and HTTPS (port 443), and it uses IIS to serve those updates to clients. WSUS also uses IIS to automatically update client computers with the client software WSUS needs, that is, a WSUS-compatible version of the Automatic Updates feature. This self-update tree is published under a virtual directory named Selfupdate on the default web site and is accessed over HTTP port 80. During setup of WSUS, you can instead have setup create a dedicated WSUS web site, which uses port 8530 by default; the Selfupdate virtual directory must nevertheless remain reachable on port 80 of the default web site, because pre-WSUS Automatic Updates clients look for it only there. For performance and to balance network load, large enterprises may want an extended WSUS environment with multiple WSUS servers. In such a configuration, one WSUS server acts as the central (upstream) server that downloads updates from Microsoft Update, and the other (downstream) WSUS servers connect to it to obtain settings and updates. You can install WSUS on a server by completing the following steps:
2.5.6.3. Configuring Windows Server Update Services

Once you've installed the WSUS server component, you use the WSUS console to configure the server and to manage the updates it offers to clients. You must be a member of the local Administrators group or the WSUS Administrators group. Access the WSUS console after installation using the URL http://WSUSServerName:portnumber/WSUSAdmin (omit the port number when WSUS runs on the default web site). On the WSUS server itself, you can click Start > Programs > Administrative Tools > Microsoft Windows Server Update Services. If the network has a proxy server, you can use the WSUS console to configure WSUS to use the proxy server so that WSUS can reach Microsoft Update on the Web. You can configure the proxy server by completing the following steps:
Next, you should specify the products or product families that will be maintained using WSUS. To do this, follow these steps:
After you specify the products to maintain, you can synchronize WSUS. When you do this, WSUS downloads updates from Microsoft Update or another WSUS server as appropriate. Only new updates made available since the last time you synchronized are downloaded. If this is the first time you are synchronizing the WSUS server, all of the updates are made available for approval. When you approve updates, they are made available to clients for installation. You can synchronize the WSUS server and approve updates by completing the following steps:
2.5.6.4. Installing and configuring Automatic Updates client settings

Once you've configured WSUS, you need only make client computers aware of it so that approved updates are downloaded and installed according to the Automatic Updates settings. Do this by configuring Automatic Updates to download and install updates, and by specifying through policy that the WSUS server should be used for obtaining updates. Tip: The WSUS extension of Automatic Updates allows client computers to use Automatic Updates with WSUS. Computers running Windows XP Service Pack 2 or later and Windows Server 2003 Service Pack 1 or later already have it. Other Windows 2000, Windows XP, and Windows Server 2003 computers typically update themselves from the WSUS server's Selfupdate virtual directory the next time Automatic Updates checks for updates. On Windows XP and Windows Server 2003 computers, Automatic Updates can be managed using the options on the Automatic Updates tab of the System utility or through Group Policy. Policy settings made in Group Policy always take precedence over user-defined settings, and the Automatic Updates tab becomes read-only when policy applies. You can enable Automatic Updates on a computer by completing the following steps:
The preferred way to configure Automatic Updates for domain computers is to use policy settings. Typically, you'll do this with the Configure Automatic Updates policy located in the applicable GPO under Computer Configuration\Administrative Templates\Windows Components\Windows Update. Follow these steps:
To specify the WSUS server from which updates should be obtained, follow these steps:
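The two policies just discussed (Configure Automatic Updates, and the WSUS server location policy, which the GPO lists as Specify intranet Microsoft update service location) do nothing more than write values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. The following PowerShell script is an added example, not part of the study guide, that writes the same values directly, audits what is in effect, and forces a detection cycle. It is useful on a workgroup or lab machine that receives no GPO, and as a quick check on a domain client that does. The server name and port are placeholders; the script assumes a Windows XP or Windows Server 2003 (or later) client with PowerShell installed and an elevated session, since Windows 2000 has no PowerShell (use reg add with the same values there).

```powershell
# Added example, not from the study guide: configure the Automatic Updates client
# for WSUS by writing the registry values that the "Configure Automatic Updates"
# and "Specify intranet Microsoft update service location" policies write.
# Assumed placeholder: the WSUS server name/port below. 8531 is the default SSL
# port of a dedicated WSUS web site (8530 is its plain HTTP port).
$WsusUrl   = 'https://wsus.example.local:8531'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

foreach ($key in @($PolicyKey, $AuKey)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Values written by "Specify intranet Microsoft update service location".
# WUStatusServer is where clients report status; normally the same server.
Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $WsusUrl -Type String
Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $WsusUrl -Type String

# Values written by "Configure Automatic Updates".
# AUOptions: 2 = notify before download, 3 = download then notify before install,
#            4 = download and install on the schedule below, 5 = local admin chooses.
$auValues = @{
    NoAutoUpdate         = 0   # 0 = Automatic Updates enabled
    AUOptions            = 4
    ScheduledInstallDay  = 0   # 0 = every day, 1..7 = Sunday..Saturday
    ScheduledInstallTime = 3   # hour of day on a 24-hour clock (03:00)
    UseWUServer          = 1   # 1 = use WUServer instead of Microsoft Update
}
foreach ($name in $auValues.Keys) {
    Set-ItemProperty -Path $AuKey -Name $name -Value $auValues[$name] -Type DWord
}

# Audit: read the effective policy back and report settings that defeat the
# intent (no server configured, server ignored, updates disabled, or a plain
# HTTP server URL, which Microsoft recommends replacing with SSL).
function Test-WsusClientPolicy {
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    $findings = @()
    if (-not $wu -or -not $wu.WUServer) {
        $findings += 'WUServer not set: client will use Microsoft Update'
    } elseif ($wu.WUServer -notmatch '^https://') {
        $findings += "WUServer $($wu.WUServer) is not HTTPS: client/server traffic is not protected by SSL"
    }
    if (-not $au -or $au.UseWUServer -ne 1) { $findings += 'UseWUServer is not 1: WUServer is ignored' }
    if ($au -and $au.NoAutoUpdate -eq 1)    { $findings += 'NoAutoUpdate is 1: Automatic Updates disabled' }
    if ($au -and (2..5 -notcontains $au.AUOptions)) { $findings += "AUOptions $($au.AUOptions) is not a valid mode (2-5)" }
    return $findings
}

$problems = Test-WsusClientPolicy
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'WSUS client policy OK' }

# Make the Automatic Updates client drop its cached authorization and contact the
# WSUS server now instead of waiting for the next scheduled detection cycle.
# (gpupdate /force is only needed when the values come from a GPO rather than from here.)
wuauclt.exe /resetauthorization /detectnow
```

Because clients install whatever the server they are pointed at approves, the audit treats an unset or ignored WUServer and a non-HTTPS URL as findings worth fixing rather than as cosmetic differences.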
Once Group Policy is refreshed, client computers start using the WSUS server for updates. Periodic refresh of Group Policy happens automatically. You can force a Windows XP or Windows Server 2003 computer to refresh policy by typing gpupdate /force at a command prompt; Windows 2000 has no gpupdate, so use secedit /refreshpolicy machine_policy /enforce there instead. After the refresh, the client still contacts the WSUS server only on its next detection cycle; wuauclt /detectnow starts one immediately.

2.5.7. Managing Software Site Licensing

Microsoft and other software vendors do not sell their software; they license it for use. When you buy operating system and product software, you are buying a license to use the software in accordance with the End User License Agreement (EULA) and copyright law. Tip: Managing software site licensing is a major objective on Exam 70-290. Typically, you'll see several licensing questions on the exam.

2.5.7.1. Understanding licensing

Microsoft offers:
With server products, licensing extends to the clients that access the server. This means there's both a server license and a client access license:
Client access licenses can be managed:
Determining which licensing technique to use isn't always easy. Here are some guidelines:
Windows Server 2003 Remote Desktop for Administration permits up to two concurrent administrative connections without Terminal Server CALs, so up to two administrators can remotely manage a server using Remote Desktop. For connections to applications hosted on a terminal server, every client must have a Terminal Server CAL (per device or per user), which is separate from the Windows Server CAL and may or may not be included with the client operating system license.

2.5.7.2. Configuring server licensing

You set a server's licensing mode when you install the server. Microsoft allows you to make a one-time-only switch from per-server licensing to per-user/per-device licensing. Microsoft does not permit switching from per-user/per-device licensing to per-server licensing. After you install a Windows server, you can track CAL licensing for the server. When you install other Microsoft server products, such as Exchange Server or SQL Server, you can track CAL licensing for these products as well. Note that on Windows Server 2003 the License Logging service is disabled by default; the licensing tools record nothing until you set the service to start automatically and start it. To manage licensing, you must be a member of the Administrators group for the local server or for the domain. Two licensing tools are available:
In Active Directory domains, you must work with the proper site-licensing server to manage licensing. You can determine the site-licensing server by completing the following steps:
By default, the site license server is the first domain controller installed in the site. Site licensing can be moved to a member server or domain controller by clicking Change on the Licensing Settings tab and selecting the member server or domain controller to which you want to move site licensing. To maintain the licensing history, you must immediately stop the License Logging service on the new site licensing server, copy the licensing history from the old server to the new one, and then restart the License Logging service. The files to copy are %SystemRoot%\system32\cpl.cfg, %SystemRoot%\Lls\Llsuser.lls, and %SystemRoot%\Lls\Llsmap.lls. Per-device licensing requires one CAL for each device, but the License Logging service tracks licenses by username. When multiple users share one or more devices, you must therefore create license groups to prevent the License Logging service from overcounting license usage. A license group is a collection of users who share one or more CALs. With a license group, the License Logging service still tracks users by name, but assigns them CALs from the allocation given to the license group rather than one CAL per user. For example, if the Alpha group in your company has 3 shifts of workers sharing 10 workstations, you might create a license group with the 30 users as members and assign the group 10 CALs to represent the 10 devices they share. To create a license group, use the following technique:
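Going back to the move of site licensing described above: the order of operations matters (stop the service on the new server, copy the history, restart), and a copy that fails halfway leaves the new server running with a partial history. The following PowerShell script is an added example, not part of the study guide, that performs the move in that order and checks that the old server's files are reachable before it touches the service. It assumes you run it on the new site license server as a domain administrator, that the old server's name is a placeholder you replace, and that the files are the three paths given in the text, reached over the old server's ADMIN$ share (which maps to its %SystemRoot%). The service name LicenseService is the internal name of the service displayed as License Logging.

```powershell
# Added example, not from the study guide: move License Logging history to a
# newly designated site license server. Run ON the new server. $OldServer is a
# placeholder; file paths are those given in the text, via the ADMIN$ share.
param([string]$OldServer = 'OLDDC01')

$ServiceName = 'LicenseService'   # internal name of the "License Logging" service
$History = @(
    @{ Src = "\\$OldServer\ADMIN$\system32\cpl.cfg"; Dst = "$env:SystemRoot\system32\cpl.cfg" },
    @{ Src = "\\$OldServer\ADMIN$\Lls\Llsuser.lls";  Dst = "$env:SystemRoot\Lls\Llsuser.lls" },
    @{ Src = "\\$OldServer\ADMIN$\Lls\Llsmap.lls";   Dst = "$env:SystemRoot\Lls\Llsmap.lls" }
)

# Verify every source file is readable BEFORE stopping the service, so that a
# failed copy cannot leave the new server running with a partial history.
$missing = @($History | Where-Object { -not (Test-Path $_.Src) } | ForEach-Object { $_.Src })
if ($missing.Count -gt 0) {
    throw "Cannot read licensing history from $OldServer : $($missing -join ', ')"
}

# License Logging is disabled by default on Windows Server 2003; enable it so it
# can be started after the copy and actually tracks CALs from then on.
Set-Service -Name $ServiceName -StartupType Automatic
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName
    $svc.WaitForStatus('Stopped')
}

foreach ($file in $History) {
    $dir = Split-Path -Parent $file.Dst
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Copy-Item -Path $file.Src -Destination $file.Dst -Force
}

Start-Service -Name $ServiceName
Get-Service -Name $ServiceName | Format-Table Name, DisplayName, Status -AutoSize
```

Stop the License Logging service on the old server first (or remove it as the site license server in Active Directory Sites and Services, as the text describes) so that the history files are not being written while they are copied.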