Windows Server 2008 R2 Unleashed (137 page)

2010 and System Center Operations Manager 2007 R2, are integrated with PowerShell and

add a host of cmdlets to help automate administration.

PowerShell is added as a feature in Windows Server 2008 R2. See Chapter 21,

“Automating Tasks Using PowerShell Scripting,” for more details on PowerShell and

Windows Server 2008 R2.

Print Management Console

The Print Management console enables administrators to manage printers across the

enterprise from a single console. It shows the status of printers on the network. It also

allows the control of those printers, such as the following:

. Pausing or resuming printing

. Canceling jobs

. Listing printers in Active Directory

. Deleting printers

. Managing printer drivers

Many of the operational controls support multiselecting printers, so that the commands

can be run against many printers at once.

Using Common Practices for Securing and Managing Windows Server 2008 R2

679

The Print Management console is available within the Server Manager console or as a

standalone tool. Server Manager is the preferred method of accessing the Print

Management console, as it will also manage the role and provide event messages and

other operational information.

The Print Management console supports printers running on a wide variety of operating

systems, including Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows

Vista, Windows Server 2003, Windows XP, and even Windows 2000.

Using Common Practices for Securing and

Managing Windows Server 2008 R2

There are a handful of practices used to secure and manage a Windows Server 2008 R2

environment. The first is to identify security risks to determine what the organization

needs to be concerned about when applying a security policy. The second is that the orga-

nization can implement a tool like Microsoft System Center Operations Manager to

monitor the network and simplify management tasks on a day-to-day basis. And the third

is to use maintenance practices to improve the ability of keeping the network environ-

ment stable and operational.

ptg

Identifying Security Risks

A network’s security is only as good as the security mechanisms put into place and the

review and identification process. Strong security entails employing Windows Server 2008

R2 security measures, such as authentication, auditing, and authorization controls, but it

also means that security information is properly and promptly reviewed. Information that

can be reviewed includes, but isn’t limited to, Event Viewer logs, service-specific logs,

application logs, and performance data.

All the security information for Windows Server 2008 R2 can be logged, but without a

formal review and identification process, the information is useless. Also, security-related

information can be complex and unwieldy depending on what information is being

recorded. For this reason, manually reviewing the security information might be tedious

but can prevent system or network compromise.

The formal review and identification process should be performed daily. Any identified

activity that is suspicious or could be potentially risky should be reported and dealt with

20

appropriately. For instance, an administrator reviewing a particular security log might

run across some data that might alert him of suspicious activity. This incident would

then be reported to the security administrator to take the appropriate action. Whatever

the course of action might be in the organization, there should be points of escalation

and remediation.

680

CHAPTER 20

Windows Server 2008 R2 Management and Maintenance Practices

Using System Center Operations Manager 2007 R2 to Simplify

Management

Many of the recommendations in this chapter focus on reviewing event logs, monitoring

the configuration, and monitoring the operations of the Windows Server 2008 R2 system.

This can be difficult to do for an administrator on a daily basis and the problem is propor-

tional to the number of servers that an administrator is responsible for. Microsoft has

developed a product to make these tasks easier and more manageable, namely System

Center Operations Manager 2007 R2.

System Center Operations Manager 2007 R2 is an enterprise-class monitoring and manage-

ment solution for Windows environments. It is designed to simplify Windows manage-

ment by consolidating events, performance data, alerts, and more into a centralized

repository. Reports on this information can then be tailored depending on the environ-

ment and on the level of detail that is needed and extrapolated. This information can

assist administrators and decision makers in proactively addressing Windows Server 2008

R2 operation and any problems that exist or might occur.

Many other intrinsic benefits are gained by using System Center Operation Manager 2007

R2, including, but not limited to, the following:

ptg

. Event log monitoring and consolidation

. Monitoring of various applications, including those provided by third parties

. Enhanced alerting capabilities

. Assistance with capacity-planning efforts

. A customizable knowledge base of Microsoft product knowledge and best practices

. Web-based interfaces for reporting and monitoring

See Chapter 23, “Integrating System Center Operations Manager 2007 R2 with Windows

Server 2008 R2,” for more details on System Center Operations Manager 2007 R2.

Leveraging Windows Server 2008 R2 Maintenance Practices

Administrators face the often-daunting task of maintaining the Windows Server 2008 R2

environment in the midst of daily administration and firefighting. Little time is spent

identifying and then organizing maintenance processes and procedures.

To decrease the number of administrative inefficiencies and the amount of firefighting an

administrator must go through, it’s important to identify those tasks that are important to

the system’s overall health and security. After they’ve been identified, routines should be

set to ensure that the Windows Server 2008 R2 environment is stable and reliable. Many

of the maintenance processes and procedures described in the following sections are the

most opportune areas to maintain.

Keeping Up with Service Packs and Updates

681

Keeping Up with Service Packs and Updates

Service packs (SPs) and updates for both the operating system and applications are vital

parts to maintaining availability, reliability, performance, and security. Microsoft packages

these updates into SPs or individually.

An administrator can update a system with the latest SP or update in several ways:

Automatic Windows Updates, CD-ROM, manually entered commands, or Microsoft

Windows Server Update Services (WSUS).

NOTE

Thoroughly test and evaluate SPs and updates in a lab environment before installing

them on production servers and client machines. Also, install the appropriate SPs and

updates on each production server and client machine to keep all systems consistent.

Manual Update or CD-ROM Update

Manual updating is typically done when applying service packs, rather than hotfixes.

Service packs tend to be significantly larger than updates or hotfixes, so many administra-

tors will download the service pack once and then apply it manually to their servers, or

ptg

the service pack can be obtained on CD-ROM.

When a Service Pack CD-ROM is inserted into the drive of the server, it will typically

launch an interface to install the service pack.

In the case of downloaded service packs or of CD-ROM-based service packs, the service

pack can also be applied manually via a command line. This allows greater control over

the install (see Table 20.9), such as by preventing a reboot or to not back up files to

conserve space.

TABLE 20.9

Update.exe Command-Line Parameters

Update.exe

Parameter

Description

-f

Forces applications to close at shutdown.

-n

Prevents the system files from being backed up. This keeps SPs from

being uninstalled.

-o

Overwrites OEM files.

20

-q

Indicates Quiet mode; no user interaction is required.

-s

Integrates the SP in a Windows Server 2008 R2 share.

-u

Installs SP in Unattended mode.

-z

Keeps the system from rebooting after installation.

682

CHAPTER 20

Windows Server 2008 R2 Management and Maintenance Practices

Automatic Updates

Windows Server 2008 R2 can be configured to download and install updates automatically

using Automatic Windows Updates. With this option enabled, Windows Server 2008 R2

checks for updates, downloads them, and applies them automatically on a schedule. The

administrator can just have the updates downloaded, but not installed, to give the admin-

istrator more control over when they are installed. Windows Update can also download

and install recommended updates, which is new for Windows Server 2008 R2.

When the Windows Server 2008 R2 operating system is installed, Windows Update is not

configured and, as shown in Figure 20.14, the Server Manager Security Information

section shows the Windows Update as Not Configured. This can be an insecure configura-

tion, as security updates will not be applied.

ptg

FIGURE 20.14

Windows Updates Not Configured error.

Windows Updates can be configured using the following steps:

1. Launch Server Manager.

2. Click on the Configure Updates link in the Security Information section.

3. Click on the Have Windows Install Updates Automatically to have the updates

downloaded and installed.

4. The Windows Updates status will change to Install Updates Automatically Using

Windows Updates.

Keeping Up with Service Packs and Updates

683

The configuration of Windows Update can be reviewed by clicking on the Configure

Updates link again. The Windows Update console appears (shown in Figure 20.15). The

figure shows that updates will be installed automatically at 3:00 a.m. every day. The

console also shows when updates were checked for last. In the console, the administrator

can also do the following:

. Manually check for updates.

. Change the Windows Updates settings.

. View the update history.

. See installed updates.

. Get updates for more products.

The link to get updates for more products allows the administrator to check for updates

not just for the Windows Server 2008 R2 platform, but also for other products, such as

Microsoft Exchange and Microsoft SQL. Clicking the link launches a web page to autho-

rize the server to check for the broader range of updates.

Clicking the Change Settings link allows the Windows Update setting to be changed. The

Change Settings window, shown in Figure 20.16, enables the administrator to adjust the

ptg

time of installs, to install or just download, and whether to install recommended updates.

20

FIGURE 20.15

Windows Update console.