Using Microsoft tools to manage your servers from afar
I began my computer consulting career when the word "windows" meant little more to me than a semiannual household chore involving vinegar and paper towels. My clients ran UNIX or Novell NetWare networks. When a client called with a problem, I dialed in to the network. When I started installing and maintaining Windows NT networks, dialing in was a complicated affair that often failed or was too slow because of the GUI bandwidth requirements (the lack of command-line tools was a real problem). As a result, when a client with an NT network called with a problem, I had to drive in.
If you're an administrator, you’re probably not as physically far from your servers as I was, but without remote administration tools, you must leave your workstation and go to the server, which might be down the hall, on another floor, or in a remote branch office. Life as an administrator is a lot easier when you can administer your servers remotely, from the comfort of your own office or cubicle.
Windows 2000 Server made remote administration of servers viable, thanks to better command-line tools and a completely reconfigured feature called Win2K Server Terminal Services. Microsoft built support for Terminal Services right into the kernel of all Win2K Server versions. Even better, when you install Terminal Services, you can limit the installation to Remote Administration Mode, which Microsoft designed specifically for remote administration of servers and which doesn't require you to purchase and install Terminal Services user licenses.
Windows Server 2003 makes Terminal Services even easier and better by making Terminal Server Administration Mode part of the OS. The Windows 2003 version is called Remote Desktop, and you need only to enable the feature to begin using it to administer servers from your workstation.
Let's discuss using terminal services for remote administration for both Windows 2003 and Win2K. Other remote administration tools exist, but I’ve found terminal services to be the easiest to use and the most reliable. (Incidentally, this component was called Terminal Server in Windows NT 4.0, became Terminal Services in Win2K, and is once again Terminal Server in Windows 2003.) In future articles, I’ll discuss my experiences with some of the other remote administration tools in Windows 2003, such as support for headless servers and the Emergency Management System (EMS).
Installing Terminal Services in Win2K
If you didn’t install the Terminal Services component when you installed Win2K Server, you can run the Control Panel Add/Remove Programs applet, and move to the Windows Component section to install it. Install Terminal Services Remote Administration Mode directly on the server you want to administer. You can install the software on any server or servers in your system. The Remote Administration Mode leaves out the application-sharing components, which means the program requires very little overhead. Therefore, you can install Remote Administration Mode on servers that are already performing important functions. In fact, Remote Administration Mode has so little impact on the server that there's no reason not to enable it on all your servers.
To install Remote Administration Mode, perform the following steps:
- Run the Add/Remove Programs applet, then click Add/Remove Windows Components.
- Scroll through the component list to find Terminal Services, and select it.
- Click Details to see the Terminal Services component selection window.
- Select both options, Client Creator Files and Enable Terminal Services, then click OK to return to the Windows Components window.
- Click Next. Select Remote Administration Mode, then click Next again. (If your Win2K installation isn't from a network share point, you'll have to insert your Win2K CD-ROM.)
- After the files are copied to the server, click Finish.
- Close the Add/Remove Programs applet, then restart the server.
After the server boots up, you'll notice several additions to it. The Administrative Tools menu will have new entries for Terminal Services Client Creator, Terminal Services Configuration, and Terminal Services Manager, and you'll see a new directory, %SystemRoot%\system32\clients\tsclient, which contains subdirectories for Terminal Services clients.
Enabling Remote Desktop in Windows 2003
You don’t have to install Terminal Server Administrative Mode in Windows 2003 because it's included with the OS. However, as I mentioned earlier, you must enable the feature on any server that you want to administer remotely. Right-click My Computer, then select Properties. On the Systems Properties dialog box, select the Remote tab, then select the option to accept remote desktop access.
Next, you must establish a list of users who have permission to access the server remotely by adding their names to the Windows 2003 local users group named Remote Desktop. Members of the domain's Administrators group are automatically granted access to the server, but you might want to add other users. To do so, click Select Remote Users to open the Remote Desktop Users dialog box. Click Add to select usernames from the domain for people who you want to let administer this server remotely.
The users you add to the Remote Desktop group don’t have to have elevated privileges; you can select ordinary domain users. As a result, members of your IT staff can administer the server even if they’ve logged on to their workstations with an account that isn’t a member of the Administrators group. However, note that any user account, including an Administrator account, that lacks a password can't access a Windows 2003 computer for remote administration. No password, no entry. In fact, this restriction applies for many features in Windows 2003.
Installing the Client Software for Win2K Terminal Services
The Terminal Services installation process creates a %SystemRoot%\System32\clients\tsclient\net\win32 folder on your Win2K server that contains the software necessary to set up 32-bit client computers for administering Win2K servers remotely. Share that folder so that users can find it easily, then notify members of your administrative staff that they can access the folder and run setup.exe. (Other subfolders exist in the \tsclient subfolder that contain files for creating disks to install the client software and for 16-bit client computers.)
Installing the Client Software for Windows Server 2003 Remote Administration
XP has the remote desktop client built in, so connecting to a Windows 2003 computer from XP is a point-and-click operation. In fact, this feature is a good reason to make sure that all the members of your administrative staff have XP machines. The program, called Remote Desktop Connection, is in the Accessories\Communications submenu. You can right-click Remote Desktop Connection and choose Pin to Start Menu to avoid navigating through the menus in the future. Or create a shortcut on the Quick Launch toolbar.
For other Windows clients that you want to use to administer Windows 2003 servers, install the Remote Desktop Connection client software from the Windows 2003 CD-ROM or from a network share point that contains the Windows 2003 installation files:
- Launch setup.exe (the file might run automatically if you’re using the Windows 2003 CD-ROM) on the client machine.
- Choose Perform Additional Tasks.
- Choose Set Up Remote Desktop Connection.
- Follow the wizard’s prompts to accept the license agreement and to install the software for all users of the computer or for the current user only.
- When the wizard finishes installing files, Remote Desktop Connection appears on the Programs menu.
The Remote Desktop Connection software on the Windows 2003 CD-ROM is version 5.2, which is a later version than the version that shipped with XP and XP Service Pack 1 (SP1). Version 5.2 has an additional feature for accessing a server console session (without this version, you can only access the console session from a command line).
Performing Administrative Tasks Remotely
To connect to a server to administer it, launch the client-side software (Terminal Services Client for Win2K administration; Remote Desktop for Windows Server 2003 administration), then enter the name or IP address of the server. After you’re connected, you can open and manipulate Control Panel applet settings, configure the server (including promoting it to a domain controller—DC—if it isn’t a DC), run system tools, and generally work as if you were sitting in front of the server. If the server is a DC, you can run administrative tasks in Active Directory (AD), such as adding users, computers, and organizational units (OUs), in addition to setting domainwide Group Policies.
Taking Over the Console Session in Windows 2003
A Windows 2003 server that has Remote Administration enabled can support two remote sessions in addition to the console session. The Remote Desktop Connection client software can take over the console session remotely if you have some reason to work as if you were sitting in front of the computer. The most useful application of this feature is for administering headless servers, if you’ve installed any. Note that if you do take over the console session, you bump off any interactive user that's logged on.
If you’re running Remote Desktop Connection 5.2 (or later), you can use the GUI to perform this action, but if you’re working with version 5.1, you must use the command line. In version 5.2, simply add a space and the /console switch after you enter the name or IP address of the server, as in servername /console.
If you’re running version 5.1, open a command window and enter the command
mstsc -v:<servername> /F -console</servername>
If a user is logged on to the computer, the system warns you that you’ll be logging that user off.
I run two discrete Windows networks in my office—one is a Windows 2003 domain, and the other is a Win2K domain. My office is in my home, so I can use my XP laptop to manipulate my network, perform heavy-duty management tasks on the DCs, and troubleshoot servers from anywhere in the house. More important, I can do the same thing for all the servers on my clients’ systems.