Develop a strategy and reduce network management headaches

Remotely administering your Windows server systems can be incredibly annoying. Dozens of third parties offer tools that let you remotely manage servers and applications, but a clear path rarely emerges from the maze to announce "Do this!" At best, these tools give you the ability to manage a crucial application or two, or the base OS. At worst, you end up running all sorts of applications in a futile attempt to solve your global remote administration problem.

The first step in developing a remote administration strategy is to step back from the problem. Your initial impulse will be to find a comprehensive solution that applies horizontally across your systems environment. But such a solution doesn't exist—accept that fact and examine the problem before you look for the solution. (AT&T Laboratories Cambridge's Virtual Network Computing—VNC—comes close to being a comprehensive remote administration solution. VNC is a cool freeware tool that's worth a look if you're a Windows 2000/Windows NT/UNIX/Linux shop. For more information about VNC, go to http://www.uk.research.att.com/vnc/index.html.)

Begin by compartmentalizing tasks: Decide on the order in which you need to tackle your remote administration tasks, then use that order to plan. A good place to start is to determine whether basic OS tools are sufficient for your remote administration needs or you need a third-party solution.

The Terminal Services Solution
If your network runs on Win2K Server systems, you have a built-in remote management solution that's hard to beat: Terminal Services. Every copy of Win2K Server comes with a two-user Terminal Services license. I use the Terminal Services client to keep an eye on several critical servers in my office that are locked away even from the line IT staff. We're very careful about who has access to the servers that control our VPN and firewall, and although these machines run on Win2K Server, the boxes are headless with access only through Terminal Services.

I incur no real penalty for this headless system; I can easily display a full 1280 x 1024 screen in a window on my 1600 x 1200 desktop monitor. Performance across a 100Mbps Ethernet network is almost as good as it is from the console, and if need be, I can access our network from home or on the road through our VPN and run the Terminal Services client to handle my remote management tasks. I even have servers on the outside of the company firewall that I can use Terminal Services to log on to. These servers have local firewalls that allow connections on the port that RDP uses. By using Client Connection Manager, which automatically installs with the Terminal Services client, I can access all of my Terminal Services-controllable computers from one location. This setup is a huge improvement over checking each server manually. I even use Terminal Services to control test computers in my office. Although I have a keyboard/video/mouse (KVM) switch setup for my test servers, it's easier to connect through Terminal Services when I run a test server on my production network.

Working with NT
If you want to manage NT 4.0 servers remotely, you'll need to buy a third-party remote control software product, unless the server you want to manage is running Windows NT Server 4.0, Terminal Server Edition (WTS). But because WTS is a rare commodity, remote control software will be your primary tool for NT 4.0. Note that given the generally more secure environment we all run in these days, you'll need to find out how big a hole a remote control solution will require you to punch in your firewall, as well as determine which security mechanisms the solution puts in place to control access. When you move outside the OS, you're vulnerable to another avenue of attack.

Managing IIS Servers
Remember that if you're running Microsoft Internet Information Server (IIS) 4.0 on NT 4.0, Internet Service Manager (ISM) 4.0 can remotely manage any IIS server that it can access. If you need to manage Internet Information Services (IIS) 5.0, you have three options for remote Web server management. First, Terminal Services will work just fine and let you run the Microsoft Management Console (MMC) Internet Services Manager snap-in to manage all the available services. Alternatively, you can run Internet Services Manager (ISM) 5.0 from a local machine and manage other IIS 5.0 boxes, or you can configure a Web-based version of ISM 5.0 that lets you manage your IIS 5.0 servers through Internet Explorer (IE). You can find detailed instructions about remotely managing IIS 5.0 in the Microsoft article "HOW TO: Remotely Administer Internet Information Services 5.0 in Windows 2000" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q308169).

Make Your Choice
Many basic Win2K and NT administrative tools are remote-able; that is, you can point them at other computers on your network. Need to monitor the performance of your main Microsoft SQL Server box? Aim Performance Monitor at the system, configure a few counters, and you can have a near-realtime view of that system. Don't be too profligate about hooking counters on your machines, however; if you do, you could pummel your network with extraneous data or affect the overall performance of the system you want to watch. Third-party tools have the advantage in this situation, but be sure to look before you leap: Win2K Server OSs have significant tools that can provide many remote administration benefits that don't require you to resort to third-party add-ons.

Remote-application management is a horse of a different color. Although the Microsoft server products tend to add functionality to the basic OS tools (e.g., custom Performance Monitor configuration files that install when you install Microsoft Exchange Server or SQL Server, instrumented counters), most third-party applications add specific requirements for remote administration. You might find that using Terminal Services is your best option to remotely manage any Win2K or later server because then any application's natively installed administration tools will be available locally.

No matter which remote administration path you choose, make the choice a corporatewide process. Maintaining multiple remote administration technologies adds significant—and unnecessary—complexity to your network environment and increases your network enterprise's vulnerability to attack.
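
One way to check that a single remote administration standard is actually in force, and to see which listening ports each server's remote control tools require, is to audit saved `netstat -an` output from every server. The script below is an added example, not part of the original article; the host names, the netstat rows, and the choice of Terminal Services as the approved standard are assumptions made for illustration.

```python
import re

# Default listening ports of the remote-control tools the article names.
REMOTE_ADMIN_PORTS = {
    3389: "Terminal Services (RDP)",
    5800: "VNC",   # VNC's HTTP/Java viewer
    5900: "VNC",   # VNC display :0
}
APPROVED = {"Terminal Services (RDP)"}   # assumed corporate standard

# Matches one LISTENING TCP row of Windows `netstat -an` output.
LISTEN_RE = re.compile(
    r"^[ \t]*TCP[ \t]+\S+:(\d+)[ \t]+\S+[ \t]+LISTENING[ \t]*\r?$", re.M)

def listening_ports(netstat_text):
    """Return the set of TCP ports in LISTENING state."""
    return {int(port) for port in LISTEN_RE.findall(netstat_text)}

def audit(inventory, approved=APPROVED):
    """Return (unapproved channels per host, all channels seen in the fleet)."""
    findings, in_use = {}, set()
    for host, text in inventory.items():
        channels = {REMOTE_ADMIN_PORTS[p]
                    for p in listening_ports(text) if p in REMOTE_ADMIN_PORTS}
        in_use |= channels
        if channels - approved:
            findings[host] = sorted(channels - approved)
    return findings, sorted(in_use)

# Constructed sample data: host names and netstat rows are made up.
SAMPLE_INVENTORY = {
    "vpn-gw": """
  TCP    0.0.0.0:135     0.0.0.0:0        LISTENING
  TCP    0.0.0.0:3389    0.0.0.0:0        LISTENING
  TCP    10.0.0.5:3389   10.0.0.9:1042    ESTABLISHED
""",
    "nt4-file": """
  TCP    0.0.0.0:139     0.0.0.0:0        LISTENING
  TCP    0.0.0.0:5800    0.0.0.0:0        LISTENING
  TCP    0.0.0.0:5900    0.0.0.0:0        LISTENING
""",
    "test-srv": """
  TCP    0.0.0.0:3389    0.0.0.0:0        LISTENING
  TCP    0.0.0.0:5900    0.0.0.0:0        LISTENING
""",
}

if __name__ == "__main__":
    findings, in_use = audit(SAMPLE_INVENTORY)
    for host, channels in sorted(findings.items()):
        print(f"{host}: unapproved remote admin channel(s): {', '.join(channels)}")
    if len(in_use) > 1:
        print("fleet runs more than one remote admin technology:", ", ".join(in_use))
```

A server that turns up in the findings is a candidate for either removing the extra tool or closing its port at the local firewall.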