Administering Windows Server 2003 Remotely
- Jul 30, 2004
- Using Remote Desktop for Administration
- Taking Advantage of Windows Server 2003 Administration Tools
- Using Out-Of-Band Remote Administration Tools for Emergency Administration
- Using and Configuring Remote Assistance
- Securing and Monitoring Remote Administration
- Delegating Remote Administration
- Administering IIS in Windows Server 2003 Remotely
In This Chapter
Using Remote Desktop for Administration
Taking Advantage of Windows Server 2003 Administration Tools
Using Out-Of-Band Remote Administration Tools for Emergency Administration
Using and Configuring Remote Assistance
Securing and Monitoring Remote Administration
Delegating Remote Administration
Administering IIS in Windows Server 2003 Remotely
There are several methods by which system administrators can manage the IT environment's server resources. Though it is possible to manage each server locally, managing these resources remotely can greatly improve productivity. Remote administration reduces the administrative overhead required to manage servers in any size IT organization because it provides the flexibility for administrators to be centrally located while managing distributed server resources.
Windows Server 2003 provides the tools necessary for administrators to perform a vast array of management functions on remotely located servers. Server application and operating system upgrades can be performed remotely, as well as domain controller promotion/demotion and disk defragmentation.
This chapter describes the tools available for administrators to manage Windows Server 2003 servers remotely and provides best practices for leveraging remote administration features.
Using Remote Desktop for Administration
Remote Desktop for Administration is one mode of the Terminal Services built into Windows Server 2003. Terminal Services can be enabled in one of two ways:
Terminal Server mode. This is the Application Server mode that was available in Windows 2000 Server.
Remote Desktop for Administration. This is an enhancement of the Remote Administration mode of Windows 2000 Server.
This second Terminal Services mode is used to administer Windows Server 2003 servers remotely. Remote Desktop for Administration provides remote access to the graphical interfacebased tools available in the Windows environment. Remotely managing servers with Remote Desktop for Administration does not affect server performance or application compatibility.
Unlike the other terminal service mode, no terminal server Client Access Licenses (CALs) are required to use Remote Desktop for Administration. Windows Server 2003 provides two remote administrative sessions, for collaborative purposes, and a console session.
Enhancements to Remote Administration with Remote Desktop Connection
By taking advantage of the new Terminal Services client, known as the Remote Desktop Connection (RDC), remote administration is enhanced in Windows Server 2003 in several ways.
The RDC supports a wide selection of hardware devices, so servers can be managed remotely from several different types of client hardware. The RDC is supported on the following hardware types:
16-bit Windows-based computers running Windows for Workgroups with TCP/IP.
32-bit Windows-based computers running every Windows OS from Windows 95 to Windows Server 2003.
Windows CE-based handheld devices.
Windows CE-based terminals, or thin clients.
The RDC allows for automatic restoration of interrupted network connections. This is key for remote administration. In the event that an administrator is disconnected in the middle of a mission-critical operation, the RDC will reconnect the session without losing the administrator's place in the operation.
The RDC supports a great deal of customization for the look and feel of a remote session. Providing high color, audio, and full screen sessions, the RDC allows you to control the graphic options and connection speed. This is an important feature because as you connect remotely to servers over a slow WAN link you will want to throttle the bandwidth usage for those particular sessions.
One of the biggest improvements to the RDC involves client resource redirection, which is available to Windows Server 2003 and Windows XP. You now have the capability to access local drives, network drives, and printers through the remote connection. Cut and paste, as well as large file transfers, can be accomplished between the client and server in a remote administration session.
Finally, in addition to the two remote sessions available for remote administration, Windows Server 2003 allows a console mode that enables you to connect to the "real" console of the server. Now administrative functions, such as some software installations that previously required local interaction, can be performed remotely.
Enabling Remote Desktop for Administration
Enabling Remote Desktop for Administration is a simple procedure. Unlike Windows 2000, the Remote Desktop for Administration feature is now a separately configurable component from Terminal Services and has some new flexibility options previously unavailable.
The default level of encryption for remote sessions
The default level of encryption for remote sessions is bidirectional 128-bit. Some older terminal service clients might not support 128-bit encryption.
The Remote Desktop for Administration feature is actually installed by default in Windows Server 2003, but it is installed in a disabled status for security reasons. To enable the feature with a default Start menu configuration, perform the following steps:
From the Control Panel, double-click the System icon.
Choose the Remote tab.
On the bottom of the screen, click the check box to Allow Users to Connect Remotely to your computer, as shown in Figure 8.1.
Click OK to complete the configuration.
Figure 8.1 Enabling Remote Desktop for Administration.
If the Windows Server 2003 will be accessed remotely from a terminal server client that does not support high encryption, the encryption level of the remote session can be set to Client Compatible. This encryption level will provide the highest level of encryption to the remote session supported by the client. To change the default encryption level on the server to Client Compatible, follow these steps:
Open Terminal Services Configuration from All Programs\Administrative Tools.
In the right pane, under the Connection column, right-click RDP-Tcp, and choose Properties.
Set the encryption level to Client Compatible, as shown in Figure 8.2, and click OK to complete the configuration.
Figure 8.2 Setting the encryption level for Remote Administration.
Best Practices for Remote Desktop for Administration
Understanding the following aspects of remote administration will enable system administrators to make the best use of the new Remote Desktop for Administration features in Windows Server 2003:
Use the Console Mode
With the new console mode of connection available in Windows Server 2003, you can interact with the remote server as if you are directly at the physical server. This enables you to see pop-ups and messages that might only appear at the console.
Configure Disconnect and Reset Timeouts
By default, disconnect and reset timeouts are not set. This has the potential to lock you out of remote sessions if there are two remote sessions that are active but in a disconnected state. On the flip side, when configuring the timeouts, allow enough time so that accidental disconnections can be resumed without resetting the session. By default, when a connection is broken, the session goes into a disconnected state and continues to execute whatever process it is running at that time. If the session is configured to reset when the connection breaks, all processes running in that session will be abruptly stopped. Disconnect and reset timeouts can be configured using the Terminal Services Configuration Administrative tool.
For security purposes, when you are using the console mode of remote administration, the physical console of the server is automatically locked to prevent eavesdropping.
Coordinate Remote Administration
With Windows Server 2003, administrators are able to collaborate through multiple remote sessions. This feature has potential problems, though, if two administrators are unknowingly connected remotely to the same server. For instance, server data might be lost if two administrators attempt to perform disk defragmentation from two remote sessions at the same time.
Distinguish Terminal Services from Remote Administration
Although administrators have the capability to install software through a Remote Desktop for Administration session, Terminal Services running in Terminal Server mode provides better installation and environment settings for office applications. For general desktop and remote application access functionality, use a dedicated Terminal Server solution.