In an ideal world, if you wanted to install a new device in your server, you would simply power down the server, insert the new device, make sure it has power and signal cable attachments, and then power up the server. The new device would be ready immediately. That is the goal of the people who design hardware architecture, and, actually, with modern hardware and modern operating systems, we're almost there. With a motherboard that meets the ACPI standard, Windows Server 2003 recognizes and configures all hardware that is built to the Plug and Play specification. However, this is not an ideal world. If you have older devices, particularly devices that were built to the Industry Standard Architecture (ISA) specifications, Plug and Play won't be able to help you. (Some Plug and Play drivers were written for later ISA devices, but they don't always work effectively.) Sometimes the device is not recognized, or the device driver is corrupted or not available. That's where the skills covered in this section will come in handy.
What's the ACPI Standard?

ACPI is the current standard for communication with a motherboard's basic input/output system (BIOS). The BIOS is the mechanism that allows an operating system to communicate with the devices on the computer. In older standards, Plug and Play negotiation and configuration was handled in hardware, but in an ACPI system, the configuration is handled by the operating system. With ACPI, all devices that have power-management capabilities (such as sleep mode or hibernation) can be controlled by the operating system. This allows the operating system to selectively shut down devices not currently in use, which gives maximum battery life to portable computing devices. ACPI is also needed for the OnNow Device Power Management initiative, which allows a computer to be started by simply touching any key on the computer's keyboard. ACPI is installed only if all components detected during setup support power management. This is because older components that do not support ACPI typically exhibit erratic behavior and can potentially cause system crashes.

How Does the Operating System Manage a Device?

A server contains many hardware devices: disk drives, network cards, display adapters, and any of a large number of peripherals. For them to be usable by the system, each must be identified by the operating system, and the appropriate device driver must be loaded. A device driver is a program that passes requests between the operating system and the device. For example, the user presses the A key on the keyboard, and the keyboard device driver notifies the operating system that A has been pressed on that device. Or, the program or operating system sends data to a disk drive: The device driver receives the data from the operating system and transfers it to the disk drive.

Where Do Device Drivers Come From?

Device drivers are critical to the proper operation of hardware devices, so it's important that you understand where they come from.
If the device is listed on the Hardware Compatibility List (HCL) for an operating system, the device driver may have been written by the device manufacturer, shipped to Microsoft, and supplied on the distribution CD-ROM for the operating system. Alternatively, for common devices, Microsoft may provide a generic driver, and manufacturers write additions to control specific features of their devices. If you can't find a driver for a particular device on the Windows Server 2003 distribution CD-ROM, the device may have been produced after the Windows Server 2003 CD-ROM was made. In that case, the driver may be available on the Microsoft website or on the manufacturer's website.
What Drivers Are Running on My Computer?

If you want to find out what drivers are currently running on your system, the command-line utility driverquery.exe lists the running drivers for you. At a command prompt, enter driverquery >c:\driverquery.txt to put the output into the c:\driverquery.txt file. Then you can read it with Notepad. This utility is available only in Windows XP and Windows Server 2003. If you use the /fo csv switch, the output from driverquery.exe is written in comma-separated values (CSV) format, making it suitable for loading into a database or a spreadsheet for analysis. The /s switch allows you to specify a remote system, and the /si switch provides information about signed drivers (see the next section). The following command provides a listing in CSV format (/fo csv) of the drivers running on the remote system MERCURY (/s mercury), including information about signed drivers (/si): driverquery /fo csv /s mercury /si. The first few lines of the output are as follows:
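Once the CSV output is in a file, the analysis step the text alludes to can be scripted rather than done by eye in a spreadsheet. The following Python script is an added example, not code from the book: it parses a constructed sample of `driverquery /fo csv /si` output and reports every driver whose IsSigned column is not TRUE. The column names (DeviceName, InfName, IsSigned, Manufacturer) and the TRUE/FALSE values are an assumption about what driverquery /si emits; check them against the header row of your own output before relying on the script.

```python
"""Report unsigned drivers from the CSV written by `driverquery /fo csv /si`.

Added example (not from the book). SAMPLE_CSV is constructed, and the column
names and TRUE/FALSE values are an assumption about driverquery's /si output.
"""
import csv
import io
import sys

# Constructed sample of what `driverquery /fo csv /si > c:\driverquery.csv`
# might produce. The HP entries mirror the unsigned printer drivers the
# chapter mentions; the other rows are made up.
SAMPLE_CSV = """\
"DeviceName","InfName","IsSigned","Manufacturer"
"1394 OHCI Compliant Host Controller","1394.inf","TRUE","Microsoft"
"Standard floppy disk controller","fdc.inf","TRUE","Microsoft"
"HP OfficeJet Print Driver","hpoj.inf","FALSE","Hewlett-Packard"
"Example Vendor Tape Backup","exvtape.inf","FALSE","Example Vendor"
"""


def parse_driverquery(text):
    """Return one dict per driver row, keyed by the CSV header names."""
    # driverquery may emit a leading blank line or byte-order mark; strip it
    # so DictReader sees the header row first.
    return list(csv.DictReader(io.StringIO(text.lstrip("\ufeff\r\n "))))


def unsigned_drivers(rows):
    """Return the rows whose IsSigned column is anything other than TRUE."""
    return [r for r in rows
            if (r.get("IsSigned") or "").strip().upper() != "TRUE"]


def report(text):
    """Build the human-readable report lines for the given CSV text."""
    rows = parse_driverquery(text)
    bad = unsigned_drivers(rows)
    lines = [f"{len(rows)} drivers listed, {len(bad)} unsigned"]
    for r in bad:
        lines.append(f"  UNSIGNED: {r['DeviceName']} ({r['InfName']}) "
                     f"from {r['Manufacturer']}")
    return lines


if __name__ == "__main__":
    # Real use on a server: driverquery /fo csv /si > c:\driverquery.csv
    # then: python check_drivers.py c:\driverquery.csv
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE_CSV
    print("\n".join(report(data)))
```

Because the script only reads the exported file, it can be run from a management workstation against CSV files collected from many servers with the /s switch, which makes it a quick complement to sigverif.exe for spotting machines that still load unsigned drivers.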
Updating Device Drivers

From time to time, hardware manufacturers will release new versions of their device drivers, usually to fix bugs, but sometimes to add functionality or increase the performance of the hardware device. When new drivers are released, your job as a system administrator is to download them from the web, and then install them on your server. Follow the procedure in Step by Step 15.1 to see how to update a device driver.
What Is Driver Signing and Why Should I Care?

Device drivers are heavily used and very close to the kernel of the operating system. As a result, it is important that the device drivers in use are supplied by reputable sources. (Imagine the chaos caused by the installation of a bad driver for a backup tape drive. A seemingly perfect backup might turn out to be totally unusable!) Microsoft requests that manufacturers submit their drivers to be tested by the Windows Hardware Quality Labs (WHQL). Drivers submitted to WHQL that pass the certification tests for Windows Server 2003 are given a Microsoft digital signature. When the driver finishes the testing phase and is approved, a catalog (*.cat) is created. The CAT file is a hash of the driver binary file and other relevant information. This CAT file is then digitally signed with the Microsoft private key. When Windows Server 2003 inspects the driver, it examines the catalog file that is included. If the signature is authenticated, this is a guarantee that the driver was created by the owner of the catalog file and that the driver has not been tampered with since it was created. Signed driver files are distributed through the following methods, as well as on the Windows Server 2003 CD-ROM:
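The two checks the paragraph describes (authenticate the catalog's signature, then compare the binary against the hash stored in the catalog) can be modelled in a few lines. The following Python script is an added example and is not the real CAT format or Microsoft's Authenticode implementation: the catalog is a small dictionary holding a SHA-256 digest plus metadata, and an HMAC with a hard-coded key stands in for the signature made with Microsoft's private key (an assumption made so the demo is self-contained; the real scheme uses a public-key signature that anyone can verify but only the key holder can produce). The "driver binary" is a constructed byte string.

```python
"""Model of how a signed catalog (.cat) protects a driver binary.

Added example, not Microsoft's CAT format or Authenticode. SIGNING_KEY is a
constructed stand-in for the signer's private key, and the HMAC is a stand-in
for a public-key signature. The driver bytes are constructed too.
"""
import hashlib
import hmac
import json

# Constructed stand-in for the signer's private key (assumption for the demo).
SIGNING_KEY = b"stand-in-for-the-signer-private-key"


def build_catalog(driver_bytes, inf_name, version):
    """Create the catalog: the driver's hash plus relevant metadata."""
    return {
        "inf": inf_name,
        "version": version,
        "sha256": hashlib.sha256(driver_bytes).hexdigest(),
    }


def canonical(catalog):
    """Stable serialization so the same catalog always signs the same bytes."""
    return json.dumps(catalog, sort_keys=True, separators=(",", ":")).encode()


def sign_catalog(catalog, key=SIGNING_KEY):
    """Sign the catalog bytes (HMAC standing in for the private-key signature)."""
    return hmac.new(key, canonical(catalog), hashlib.sha256).hexdigest()


def verify_driver(driver_bytes, catalog, signature, key=SIGNING_KEY):
    """Return (ok, reason), checking in the order the loader would:
    the catalog signature must authenticate before the hash is trusted."""
    expected = sign_catalog(catalog, key)
    if not hmac.compare_digest(expected, signature):
        return False, "catalog signature does not authenticate"
    if hashlib.sha256(driver_bytes).hexdigest() != catalog["sha256"]:
        return False, "driver binary does not match the signed catalog hash"
    return True, "driver is signed and unmodified"


# Constructed sample "driver binary" (a few bytes, not a real PE image).
ORIGINAL = b"MZ\x90\x00constructed-tape-driver-v1.0"
MODIFIED = ORIGINAL + b"\x00patched"


def demo():
    """Exercise the three cases a loader has to distinguish."""
    cat = build_catalog(ORIGINAL, "exvtape.inf", "1.0")
    sig = sign_catalog(cat)
    results = {
        # Genuine catalog, genuine binary: passes both checks.
        "intact": verify_driver(ORIGINAL, cat, sig),
        # Genuine catalog, binary changed after signing: hash check fails.
        "tampered_binary": verify_driver(MODIFIED, cat, sig),
    }
    # A catalog rewritten to match the modified binary cannot be re-signed
    # without the key, so the signature check rejects it before the hash
    # is even consulted.
    rewritten = build_catalog(MODIFIED, "exvtape.inf", "1.0")
    results["rewritten_catalog"] = verify_driver(MODIFIED, rewritten, sig)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:18} {'OK  ' if ok else 'FAIL'} {reason}")
```

The order of the checks is the point: a hash alone only detects accidental corruption, because whoever changes the binary can also change an unsigned hash. The signature over the catalog is what ties the hash to a party whose key the loader already trusts.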
For the greatest device driver security, many administrators want to ensure that only signed device drivers are loaded. To achieve this situation, Windows Server 2003 can be configured to refuse to load unsigned drivers.

Configuring Driver-Signing Options for a Single Computer
Normally, you would want to have only signed device drivers on your system. That is definitely the most secure way of operating. But what if you want to use a device driver that for some reason has not been signed? It might be a hot-off-the-press driver from the manufacturer's technical support staff, for example, that you need to try. Or it might be the only driver available for a particular device that you must use. In that case, you can change the default behavior of Windows Server 2003 to allow unsigned drivers to be loaded. Step by Step 15.2 walks you through this process.
Figure 15.4. To instruct Windows Server 2003 to allow loading of unsigned drivers, click Ignore - Install the Software Anyway and Don't Ask for My Approval.
Exam Alert: Only for Administrators

Only administrators can reduce the security level or turn off driver signing. Of course, it's not recommended that you leave your server configured this way, because with this configuration the operating system would allow any unsigned driver to be installed. You should check back with your hardware vendor frequently to get a signed version of the driver as soon as possible, and you should reconfigure the driver-signing options when the signed driver is installed. Alternatively, to sidestep the problem completely, consider removing the problem device from the computer and substituting a device for which signed drivers are available.

Exam Alert: Expect Driver Signing Questions

Expect several exam questions that deal with the advantages of driver signing and when and how to disable it.

As soon as you have installed the unsigned driver, you should return to the Driver Signing Options dialog box and choose Block - Never Install Unsigned Driver Software.

Configuring Driver-Signing Options for Several Computers at Once

What if you want to ensure that there will be no unsigned drivers at all in your network? As you have seen, it's not difficult to change the driver-signing options on a few servers by following the steps just given on each one. But if you have hundreds or thousands of Windows 2000 or later workstations and servers on your network, and you want to protect all of them from unsigned drivers, that would be a huge task. If you're like most administrators, you would prefer to manage all these computers at once, instead of configuring each one individually. Not only is this faster, it's also easier than keeping track of which computers have been configured. This is a job for Group Policy! You can create a Group Policy Object (GPO) and apply it to computers in a given part of the Active Directory tree. We can create a Group Policy Object to ensure that no unsigned drivers can be loaded.
Step by Step 15.3 shows how to do this, starting with creating the necessary OU structure. Note that you must be a domain administrator, or have limited administrator rights delegated to you, to be able to create and manage GPOs.
Because this policy is linked to the Workstations OU, it will be applied to each of the computers whose accounts are located in that OU or in any OUs subordinate to the Workstations OU. Also, now that the policy has been created, it can be linked to any other OU in the Active Directory, such as to the Phoenix Workstations OU when it is created.

Exam Alert: Group Policy

Microsoft highly recommends using Group Policy to configure common settings such as driver signing. For the exam, be sure you know how to create a GPO and what settings to configure for driver signing.

Determining Whether a Computer Has Unsigned Drivers

Imagine you've just been made administrator of a network, and you want to know if there are any unsigned drivers on the computers you're responsible for. Microsoft has provided a tool with Windows 2003, Windows 2000, and Windows XP to check for exactly this situation. That tool is File Signature Verification, and you access it by using Start, Run, sigverif.exe. As you can see from the Advanced dialog box, shown in Figure 15.6, you can have File Signature Verification check only system files or check the file types you specify in a folder you browse to.

Figure 15.6. Normally you would want to check the files in the Windows folder and its subdirectories, but you can choose to verify specific file types and folders.
As you can see in Figure 15.6, the Advanced settings allow you to narrow your search to specific file types and locations. When you click OK in the File Signature Verification dialog box, there will be a delay of a minute or more while every system file is checked for a signature. As you can see from Figure 15.7, several unsigned files exist on the sample Windows Server 2003 computer. These are Windows 2000 unsigned drivers for the HP OfficeJet printer.

Figure 15.7. The sample Windows Server 2003 computer has 21 unsigned files.
Other Methods for Protecting Device Drivers

Device drivers and other system files are automatically protected against improper replacement by the Windows File Protection facility. This facility runs in the background (invisible to the user and the administrator) and is alerted whenever a file in a protected folder is changed. It determines whether the new version of the file is signed, and if not, Windows File Protection automatically rolls back the file to the version kept in the %systemroot%\system32\dllcache folder. If the desired version of the file is not in the dllcache folder, Windows File Protection asks for the Windows Server 2003 CD-ROM to be mounted, and it copies the file from there.
An administrator can run the System File Checker (sfc.exe) to explicitly schedule a scan of the system files immediately, at the next reboot, or at every reboot. Also, if the dllcache folder is corrupted or needs to be repopulated for some other reason, the administrator can run the System File Checker (SFC) with the /purgecache switch to cause the folder to be emptied and reloaded.

Configuring Resource Settings for a Device
On a Windows Server 2003 machine, it is rarely necessary to configure devices manually, because most hardware sold since 1995 complies with the Plug and Play specification. The operating system identifies any conflicts and configures the devices to avoid them. However, you should know how to configure settings, in case you need to resolve a conflict on non-Plug and Play devices.

What Are Resource Settings?

Resource settings are mechanisms by which the device can communicate with other hardware or the operating system. The following list describes some resources in greater detail:
If two devices attempt to use the same resources, and the particular resource is not sharable, one or both of the devices may be unusable.

Configuring Device Properties and Settings
In general, there is no need to change the configured settings of a device. What might require you to do so is a situation in which one or more of the communications channels used by a device is already in use by another device. This is known as a conflict. To configure a device's properties and settings, the tool to use is Device Manager. Device Manager is available as a snap-in to a Microsoft Management Console (MMC), as a subentry under Computer Management, and from the Hardware tab of System Properties. If you need another way to get to Device Manager, you can create a desktop shortcut, giving devmgmt.msc as the location of the item. It's a good idea to start Device Manager occasionally, to check that all devices are working properly. Figure 15.8 shows Device Manager with one device in an error state. (Devices that are not working properly are shown with a yellow question mark icon. Devices that are disabled have a red X over the icon.)

Figure 15.8. From within Device Manager, double-click a device's icon to see its properties.

To see the properties of a device, double-click its icon in the Device Manager listing. Figure 15.9 shows the General tab of the PS/2 Compatible Mouse Properties dialog box.

Figure 15.9. The General tab shows basic information about the device, has a Troubleshoot button in case there are problems, and allows you to enable or disable the device in the current configuration.
Click the Advanced Settings tab, if there is one, to see special settings for this type of device. See Figure 15.10 for the advanced settings for the PS/2 mouse.

Figure 15.10. The Advanced Settings tab allows you to make changes to the special settings for a device.
Select the Resources tab to see what system resources are reserved for the device. Figure 15.11 shows this tab.

Figure 15.11. The Resources tab for the PS/2 mouse is very simple. Only one resource, the IRQ level, is used, and it cannot be changed.
A more complex set of resources is allocated to the display driver. In Figure 15.12, you'll see that IRQ, I/O port, and memory resources are allocated.

Figure 15.12. A display driver is substantially more complex than a mouse. It uses several channels to communicate with the CPU.
Note the check box Use Automatic Settings, which is set by default. If this check box is enabled, it can be cleared, and then you can manually select the settings you want to use.

Note: Automatic Settings

For most devices, you will find that the Use Automatic Settings check box is checked, meaning that automatic settings will be used, and dimmed, meaning that you cannot access the check box. This happens when there are no alternative settings for that resource on the device or the device's resources are controlled by Plug and Play.

If all combinations of settings result in conflicts, you may find that it is impossible to use that combination of devices, and one of them will have to be removed or disabled. To see the resources assigned on your computer, open Device Manager; on the View menu, choose Resources by Type. Then click the plus sign beside each resource type. Figure 15.13 shows the IRQ assignments on the sample server.

Figure 15.13. The assigned IRQ resources are visible by choosing View, Resources by Type.

Note: Managing Drivers for Printers and Faxes

Device Manager does not manage device drivers for printers and fax devices. They are managed through the Printers and Faxes applet in Control Panel. This procedure was covered back in Chapter 6, "Implementing Printing."
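The conflict rule stated earlier (two devices claiming the same resource, where that resource is not sharable, leaves one or both unusable) is what the Resources by Type view lets you inspect by hand. The following Python script is an added example, not part of the book: it applies that rule to a constructed list of devices and their IRQ, I/O port and memory claims, treating an IRQ as shared only when every claimant marks it sharable and treating I/O and memory ranges as never sharable. Those sharing rules, the device names and the addresses are all assumptions made for the demo; the ranges do not describe any real hardware.

```python
"""Find resource conflicts of the kind Device Manager reports.

Added example, not from the book. SAMPLE_DEVICES and the sharing rules are
constructed assumptions: an IRQ conflicts unless both claimants marked it
sharable (PCI-style sharing), while I/O and memory ranges never share.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Claim:
    kind: str                  # "IRQ", "IO" or "MEM"
    start: int
    end: Optional[int] = None  # inclusive; None means a single value (IRQs)
    sharable: bool = False

    def __post_init__(self):
        if self.end is None:
            self.end = self.start


@dataclass
class Device:
    name: str
    claims: List[Claim]


def overlaps(a: Claim, b: Claim) -> bool:
    """Two claims collide when they are the same kind and their ranges meet."""
    return a.kind == b.kind and a.start <= b.end and b.start <= a.end


def describe(c: Claim) -> str:
    if c.kind == "IRQ":
        return f"IRQ {c.start}"
    return f"{c.kind} {c.start:#06x}-{c.end:#06x}"


def find_conflicts(devices: List[Device]) -> List[Tuple[str, str, str]]:
    """Return (device1, device2, resource) for every unshared collision."""
    conflicts = []
    for i, d1 in enumerate(devices):
        for d2 in devices[i + 1:]:
            for c1 in d1.claims:
                for c2 in d2.claims:
                    if not overlaps(c1, c2):
                        continue
                    if c1.sharable and c2.sharable:
                        continue  # both sides agreed to share, e.g. a PCI IRQ
                    conflicts.append((d1.name, d2.name, describe(c1)))
    return conflicts


# Constructed sample: two PCI devices legitimately sharing IRQ 11, and two
# legacy ISA cards whose jumper settings collide on IRQ 5 and on an I/O range.
SAMPLE_DEVICES = [
    Device("PS/2 Compatible Mouse", [Claim("IRQ", 12)]),
    Device("Display adapter", [Claim("IRQ", 11, sharable=True),
                               Claim("IO", 0x03B0, 0x03BB),
                               Claim("MEM", 0xA0000, 0xBFFFF)]),
    Device("PCI Ethernet adapter", [Claim("IRQ", 11, sharable=True),
                                    Claim("IO", 0xD000, 0xD0FF)]),
    Device("Legacy ISA sound card", [Claim("IRQ", 5),
                                     Claim("IO", 0x0220, 0x022F)]),
    Device("Second ISA card", [Claim("IRQ", 5),
                               Claim("IO", 0x0228, 0x0237)]),
]


if __name__ == "__main__":
    for d1, d2, res in find_conflicts(SAMPLE_DEVICES):
        print(f"CONFLICT on {res}: {d1} <-> {d2}")
```

Running it on the sample prints the two collisions between the ISA cards and nothing for the shared PCI interrupt, which is exactly the distinction the text draws: the same IRQ number is a problem only when the resource is not sharable. Resolving a reported collision is the manual-settings procedure above; the script only tells you which pair to look at first.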