Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
2010 and System Center Operations Manager 2007 R2, are integrated with PowerShell and
add a host of cmdlets to help automate administration.
PowerShell is added as a feature in Windows Server 2008 R2. See Chapter 21,
“Automating Tasks Using PowerShell Scripting,” for more details on PowerShell and
Windows Server 2008 R2.
Print Management Console
The Print Management console enables administrators to manage printers across the
enterprise from a single console. It shows the status of printers on the network. It also
allows the control of those printers, such as the following:
. Pausing or resuming printing
. Canceling jobs
. Listing printers in Active Directory
. Deleting printers
. Managing printer drivers
Many of the operational controls support multiselecting printers, so that the commands
can be run against many printers at once.
Using Common Practices for Securing and Managing Windows Server 2008 R2
679
The Print Management console is available within the Server Manager console or as a
standalone tool. Server Manager is the preferred method of accessing the Print
Management console, as it will also manage the role and provide event messages and
other operational information.
The Print Management console supports printers running on a wide variety of operating
systems, including Windows Server 2008 R2, Windows 7, Windows Server 2008, Windows
Vista, Windows Server 2003, Windows XP, and even Windows 2000.
Using Common Practices for Securing and
Managing Windows Server 2008 R2
There are a handful of practices used to secure and manage a Windows Server 2008 R2
environment. The first is to identify security risks to determine what the organization
needs to be concerned about when applying a security policy. The second is that the orga-
nization can implement a tool like Microsoft System Center Operations Manager to
monitor the network and simplify management tasks on a day-to-day basis. And the third
is to use maintenance practices to improve the ability of keeping the network environ-
ment stable and operational.
ptg
Identifying Security Risks
A network’s security is only as good as the security mechanisms put into place and the
review and identification process. Strong security entails employing Windows Server 2008
R2 security measures, such as authentication, auditing, and authorization controls, but it
also means that security information is properly and promptly reviewed. Information that
can be reviewed includes, but isn’t limited to, Event Viewer logs, service-specific logs,
application logs, and performance data.
All the security information for Windows Server 2008 R2 can be logged, but without a
formal review and identification process, the information is useless. Also, security-related
information can be complex and unwieldy depending on what information is being
recorded. For this reason, manually reviewing the security information might be tedious
but can prevent system or network compromise.
The formal review and identification process should be performed daily. Any identified
activity that is suspicious or could be potentially risky should be reported and dealt with
20
appropriately. For instance, an administrator reviewing a particular security log might
run across some data that might alert him of suspicious activity. This incident would
then be reported to the security administrator to take the appropriate action. Whatever
the course of action might be in the organization, there should be points of escalation
and remediation.
680
CHAPTER 20
Windows Server 2008 R2 Management and Maintenance Practices
Using System Center Operations Manager 2007 R2 to Simplify
Management
Many of the recommendations in this chapter focus on reviewing event logs, monitoring
the configuration, and monitoring the operations of the Windows Server 2008 R2 system.
This can be difficult to do for an administrator on a daily basis and the problem is propor-
tional to the number of servers that an administrator is responsible for. Microsoft has
developed a product to make these tasks easier and more manageable, namely System
Center Operations Manager 2007 R2.
System Center Operations Manager 2007 R2 is an enterprise-class monitoring and manage-
ment solution for Windows environments. It is designed to simplify Windows manage-
ment by consolidating events, performance data, alerts, and more into a centralized
repository. Reports on this information can then be tailored depending on the environ-
ment and on the level of detail that is needed and extrapolated. This information can
assist administrators and decision makers in proactively addressing Windows Server 2008
R2 operation and any problems that exist or might occur.
Many other intrinsic benefits are gained by using System Center Operation Manager 2007
R2, including, but not limited to, the following:
ptg
. Event log monitoring and consolidation
. Monitoring of various applications, including those provided by third parties
. Enhanced alerting capabilities
. Assistance with capacity-planning efforts
. A customizable knowledge base of Microsoft product knowledge and best practices
. Web-based interfaces for reporting and monitoring
See Chapter 23, “Integrating System Center Operations Manager 2007 R2 with Windows
Server 2008 R2,” for more details on System Center Operations Manager 2007 R2.
Leveraging Windows Server 2008 R2 Maintenance Practices
Administrators face the often-daunting task of maintaining the Windows Server 2008 R2
environment in the midst of daily administration and firefighting. Little time is spent
identifying and then organizing maintenance processes and procedures.
To decrease the number of administrative inefficiencies and the amount of firefighting an
administrator must go through, it’s important to identify those tasks that are important to
the system’s overall health and security. After they’ve been identified, routines should be
set to ensure that the Windows Server 2008 R2 environment is stable and reliable. Many
of the maintenance processes and procedures described in the following sections are the
most opportune areas to maintain.
Keeping Up with Service Packs and Updates
681
Keeping Up with Service Packs and Updates
Service packs (SPs) and updates for both the operating system and applications are vital
parts to maintaining availability, reliability, performance, and security. Microsoft packages
these updates into SPs or individually.
An administrator can update a system with the latest SP or update in several ways:
Automatic Windows Updates, CD-ROM, manually entered commands, or Microsoft
Windows Server Update Services (WSUS).
NOTE
Thoroughly test and evaluate SPs and updates in a lab environment before installing
them on production servers and client machines. Also, install the appropriate SPs and
updates on each production server and client machine to keep all systems consistent.
Manual Update or CD-ROM Update
Manual updating is typically done when applying service packs, rather than hotfixes.
Service packs tend to be significantly larger than updates or hotfixes, so many administra-
tors will download the service pack once and then apply it manually to their servers, or
ptg
the service pack can be obtained on CD-ROM.
When a Service Pack CD-ROM is inserted into the drive of the server, it will typically
launch an interface to install the service pack.
In the case of downloaded service packs or of CD-ROM-based service packs, the service
pack can also be applied manually via a command line. This allows greater control over
the install (see Table 20.9), such as by preventing a reboot or to not back up files to
conserve space.
TABLE 20.9
Update.exe Command-Line Parameters
Update.exe
Parameter
Description
-f
Forces applications to close at shutdown.
-n
Prevents the system files from being backed up. This keeps SPs from
being uninstalled.
-o
Overwrites OEM files.
20
-q
Indicates Quiet mode; no user interaction is required.
-s
Integrates the SP in a Windows Server 2008 R2 share.
-u
Installs SP in Unattended mode.
-z
Keeps the system from rebooting after installation.
682
CHAPTER 20
Windows Server 2008 R2 Management and Maintenance Practices
Automatic Updates
Windows Server 2008 R2 can be configured to download and install updates automatically
using Automatic Windows Updates. With this option enabled, Windows Server 2008 R2
checks for updates, downloads them, and applies them automatically on a schedule. The
administrator can just have the updates downloaded, but not installed, to give the admin-
istrator more control over when they are installed. Windows Update can also download
and install recommended updates, which is new for Windows Server 2008 R2.
When the Windows Server 2008 R2 operating system is installed, Windows Update is not
configured and, as shown in Figure 20.14, the Server Manager Security Information
section shows the Windows Update as Not Configured. This can be an insecure configura-
tion, as security updates will not be applied.
ptg
FIGURE 20.14
Windows Updates Not Configured error.
Windows Updates can be configured using the following steps:
1. Launch Server Manager.
2. Click on the Configure Updates link in the Security Information section.
3. Click on the Have Windows Install Updates Automatically to have the updates
downloaded and installed.
4. The Windows Updates status will change to Install Updates Automatically Using
Windows Updates.
Keeping Up with Service Packs and Updates
683
The configuration of Windows Update can be reviewed by clicking on the Configure
Updates link again. The Windows Update console appears (shown in Figure 20.15). The
figure shows that updates will be installed automatically at 3:00 a.m. every day. The
console also shows when updates were checked for last. In the console, the administrator
can also do the following:
. Manually check for updates.
. Change the Windows Updates settings.
. View the update history.
. See installed updates.
. Get updates for more products.
The link to get updates for more products allows the administrator to check for updates
not just for the Windows Server 2008 R2 platform, but also for other products, such as
Microsoft Exchange and Microsoft SQL. Clicking the link launches a web page to autho-
rize the server to check for the broader range of updates.
Clicking the Change Settings link allows the Windows Update setting to be changed. The
Change Settings window, shown in Figure 20.16, enables the administrator to adjust the
ptg
time of installs, to install or just download, and whether to install recommended updates.
20
FIGURE 20.15
Windows Update console.