70-410 Chapter 6

As with previous versions of Windows, when you begin to deploy Windows Server 2012 R2, there will be a period of time in which previous versions must coexist. One of the great things about Windows Server 2012 R2 is that we can continue to manage our previous or ___installations of Windows Server 2008 and Windows Server 2008 R2.

"down-level"

MMC offers the following console configuration modes and options:

...

Some of the more common cmdlets are outlined in Table 6-4. Table 6-4 PowerShell Basic Cmdlets for Remote Administration.

...

Table 6-3 lists the more commonly used MMC snap-ins supported by Server Core. The table also lists the appropriate Firewall Rule Group Name required to complete the Netsh configuration.

...

Table 6-5 outlines the available actions. Table 6-5 Task Scheduler Actions

...

With the release of Windows Server 2008, Microsoft introduced us to version 3.0 of the MMC. In the latest version, MMC 3.0 includes the following new features:

...

Although WinRM has many uses, Table 6-2 outlines the most commonly used options.

...Table 6-2

As with previous versions, MMC 3.0 provides the ability to create custom or limited views for the specific MMC snap-ins. Once snap-ins have been configured and added to the console, the console can be saved as a ___file and distributed to delegates.

.MSC

As we have seen previously, PowerShell is a powerful command-line tool that has been available since Windows Server 2008. Microsoft has included Version___.0 with the release of Windows Server 2012 and Version ___.0 with 2012 R2.

3,4

Triggers

A trigger is a set of criteria that when met executes a specific task. Triggers can be based on a schedule, logon event, or startup event; during a period of inactivity; upon session connect/disconnect or workstation lock/unlock, and so on.

On the far right pane is a list of

Actions.

Server Manager can be used to perform a variety of Administrative tasks as outlined here:

Add/Remove remote servers to manage Create and manage server groups Install/Uninstall roles, role services, and features Start management tools such as PowerShell or MMC Snap-ins Manage remote servers with different credentials using the Manage As function Start/Stop Windows Services Configure Network Settings, Users, Groups, Remote Desktop Services, and so on Identify server status, events, and troubleshoot issues Restart servers

To use MMC to manage Server Core, you must first create ___rules to permit access.

Advanced Firewall

After adding a remote server, it will be listed under the Server Manager > ___group.

All Servers

Actions

An action refers to an event that occurs after a trigger is set. Actions include starting a program such as a script, sending an email, displaying an alert, and so on.

Similarly, remote management can be also be configured using the PowerShell command

Configure-SMRemoting.exe -Enable. This command is exclusive to Windows Server 2012 installations.

The server typically sits in a ___between the Client/Internet and the internal servers.

DMZ

Delegates will be able to manage local or remote servers assuming the following criteria has been met:

Delegates have been granted proper access to the server or resources. Windows Firewall has been configured to accept MMC connections.

Conditions

Enable you to specify how the actions should be taken. Conditions include items such as idle times, current power state, and whether the task should stop if the computer is on battery power.

To use PowerShell to manage remote computers, the following must be considered:

Ensure that WinRM is installed and running. Remote Management must be enabled on the Server Core Installation by executing the command Enable-psremoting. Not all cmdlets require this. For example, Get cmdlets do not require this level of access. Ensure that .NET Framework is installed. Although it's not required, the same version of PowerShell should be installed on both the local and remote server. Older versions can limit what can be configured remotely. The appropriate level of administrative access must be enabled for the service or resource. The appropriate firewall rules must be enabled.

To manage a Server Core Installation using RSAT, you must first configure the Windows

Firewall.

PowerShell Web Access works via a Windows PowerShell Web Access___.

Gateway

Author mode:

Grants users full access to all MMC functionality, which includes the ability to add or remove snap-ins, create new windows, create taskpad views and tasks, and view all areas of the console tree. This is the mode that is enabled by default for all new consoles. Typically consoles are set up by an administrator and then locked down by changing the mode to one of the user access modes.

You must specify a specific Rule ___Name to tell the Windows Firewall what traffic you want to allow.

Group

You will notice the Task Scheduler __on the left pane.

Library.

As we covered previously, before any remote management can occur, the remote servers must be configured to enable remote management. Down-level installations require some additional preparations, although it is much simpler to manage Windows Server 2012/2012 R2 installations. By default, remote management using Server Manager is enabled. This can be changed by navigating to the ___of Server Manager

Local Server properties

In situations where there are different security boundaries, such as managing nondomain joined servers, you will need to use the ___function within Server Manager to first supply the necessary authoritative credentials.

Manage As

As with previous versions of Windows, the ___is still a powerful tool used by administrators to manage local and remote servers, including Server Core installations. Custom read-only MMC consoles can be created with specific snap-ins containing only those tools required for the specific delegate function.

Microsoft Management Console (MMC)

Windows Remote Management (WinRM) is

Microsoft's version of the WS-Management protocol.

Using the dism command, install the following features:

MicrosoftWindowsPowerShell MicrosoftWindowsPowerShell-WOW64 NetFx2-ServerCore NetFx2-ServerCore-WOW64

While Server Manager has been used since the release of Windows Server 2008, Microsoft has enhanced the ability to manage multiple servers from within a single console. Server Manager runs in the___, so if you have removed this feature, you will need to reinstall it before continuing.

Minimal Server Graphical Interface

The following Netsh command is the basic syntax required:

Netsh advfirewall firewall set rule group="[Rule Group Name]" new enable=yes

User mode—limited access, single window:

Opens the snap-in console in single-window mode and prevents users from accessing areas of the tree that are not visible in the single snap-in console window.

You can configure Console Options via the ___menu item of the MMC File menu

Options

After you have confirmed access and enabled Remote Administration on Server Core installation, a series of PowerShell cmdlets are available to facilitate Remote Administration. One of the most powerful cmdlets is the ___cmdlet.

PSSession

After the Remote Server Administration Tools have been installed and enabled, you will be able to access Server Manager, Active Directory,___, and other snap-ins for MMC

PowerShell

User mode—limited access, multiple window:

Prevents users from accessing areas of the tree that are not visible in the snap-in console windows.

User mode—Full access:

Prevents users from adding or removing snap-ins or changing snap-in properties. Users have full access to the tree.

Do not save changes to this console (check box):

Regardless of what is changed, the console is not saved. Changes will be lost upon the next time it opens.

By default, members of the ___Desktop Users and Administrators groups have access. Click the Add or Remove button to add or remove users as appropriate, and click OK

Remote

Still useful with Windows Server 2012 R2, WinRM provides the following benefits:

Remote PowerShell Administration Execute custom scripts Manage Remote Hardware

Event Viewer

Remove event log management

MMC is designed to be used in a domain environment; however, in a workgroup environment with different security boundaries, you might be required to use the ___function for a custom MMC console. You might also need to adjust Windows Firewall settings, ensure that the Secondary Logon services are started, and ensure that an account with the appropriate permissions is available on the workgroup computers.

Run As

Execute custom scripts:

Scripts can be used to query data and perform management tasks using the Windows Management Interface (WMI).

Failing to properly authenticate can result in one or more of the following conditions:

Server Manager Notification messages indicating authentication failures due to authentication scheme differences Missing server informational details or the inability to refresh details for specifics servers listed under the All Servers dashboard Access is denied message when trying to perform remote management tasks such as remote computer management

Down-level installations can be managed using

Server Manager or Remote Server Administration Tools, both of which are discussed in more detail later.

Remote Server Administration Tools (RSAT) is a collection of tools that are useful for managing Server Core as well as Full GUI installations. RSAT includes

Server Manager, MMC snap-ins, PowerShell cmdlets, and additional command-line tools used to manage remote computers.

To act as a Web Access Gateway, the web server must meet the following prerequisites:

Server running Windows Server 2012 or Windows Server 2012 R2 Internet Information Services (IIS) role installed .NET Framework 4.0

Server Manager settings are stored in a ___file along with a User.config file located under the following paths: %appdata%\Microsoft\Windows\ServerManager\ServerList.xml %appdata%\Local\Microsoft_Corporation\ServiceManager.exe_StrongName_GUID\6.2.0.0\user.config

ServerList.xml

PSSession

Similar to telnet session PSsession creates a persistent connection to the remote computer. From here you can execute virtually any commands that you could if you are logged on locally. Commands can be executed until you exit the session using the exit - PSsession command

Settings

Specifies additional settings such as what to do if the task fails or if the schedules are missed due to the computer being offline.

By default, the WinRM command-line tool performs the following actions:

Starts the WinRM service and configures it for autostart Creates a WS-Management listener service using TCP 5985 Creates a Windows Firewall exception for the listener service

The PSSession cmdlet functions similar to a ___session in that you connect directly to the remote server. Once connected, you virtually have full access to run all commands as if you were sitting in front of the Server Core console.

Telnet

To confirm WinRM functionality, use the ___command.

Test-WSMan [remote computer]

Improved dialog boxes:

The Add/Remove snap-in dialog has been updated to allow for better snap-in organization

Action pane:

The action pane is located on the right side of the console. It lists all actions available to users.

Improved error handling:

This version of MMC provides additional error handling notices and provides the ability to take specific actions when the errors occur.

Manage Remote Hardware:

Through the use of management controller interfaces, servers can be managed even in cases where the operating system might be malfunctioning.

To enable remote management on legacy systems, you might be required to perform additional configuration steps such as enabling ___through the Windows Firewall service.

WMI

Allow the user to customize views (check box):

When checked, this option allows the user to customize console views, including enabling filters.

Remote PowerShell Administration:

WinRM is the foundation for executing PowerShell cmdlets received from remote management computers.

Windows Firewall with Advanced security

Windows Firewall Remote Management

Note RSAT tools are included as an installable feature under the Windows Server Full GUI installation, or they can also be downloaded from Microsoft and installed under Windows 8/8.1. They cannot be run from a

Windows Server Core computer.

To use WinRS, you must ensure the following requirements are met:

Your local computer must be Windows Vista or higher. You must enable the WinRM listener on your servers. Windows Firewall exceptions must have been made. You must have the appropriate access to execute remote commands.

Task Scheduler is

a MMC snap-in that enables you to schedule and automate tasks to perform a specific action at a specific time. It can also be used to trigger an event as a follow-up to another event occurring. For example, suppose you need to restart your server every day at 2 a.m. One option is to set your alarm clock every morning at 2 a.m. just to restart the server. On the other hand, using a scheduled task to run automatically seems a bit easier. Tasks can be configured to run under a specific local or domain service account. Here are a few components associated with Task Scheduler:

After all prerequisites have been addressed, you will be able to ___remote servers from Server Manager or Remote Server Administration tools.

add

WinRS enables you to

administer a server installation, including Server Core, remotely via the command line. It relies on the WinRM service to execute commands remotely.

To use WinRS, you must be logged on to the client computer with

an account that is authorized to execute the remote command. If not, you might be required to use the winrs -u and -p switches to supply the username and password combination for an authorized account.

The WS-Management protocol is

an open standard for querying and exchanging management data between devices that use this protocol.

Even though many MMC snap-ins are available, not all are ___by default for managing Server Core. Many of the administrative tasks for Server Core are completed via command-line applications or PowerShell cmdlets, as discussed previously.

available

Server Manager settings can be ___up and restored to alternative management stations. This is particularly helpful in an unplanned recovery situation or if you simply want to copy settings to another server or client workstation containing Server Manager.

backed

As a best practice, RSAT should be installed on a dedicated management server or ___computer to limit the amount of access or load on production servers.

client

These items can be addressed through the use of the winrm ___tool. Several configuration options are available via the winrm command.

command-line

For example, you might decide to delegate the ability for local site admins to manage a specific portion of Active Directory. After you configure the appropriate permissions in Active Directory, you might decide to author a custom MMC snap-in for Active Directory Users and Computers. Perhaps you want to allow the site administrator to view only a specific OU. This can be accomplished by creating a ___and limiting the access for the console.

custom filter

If you are managing down-level Server Core installations, the same prerequisites apply; however, each down-level Server Core installation requires additional features to be installed using the ___/online /enable-feature—[feature name] command.

dism

After you create a custom MMC console, lock it down using the appropriate console option and/or filters using the View menu, simply save the console as an .MSC file, and ___it accordingly.

distribute

As mentioned in the previous section, Enable-PSremoting -Force can be used for ___installations.

down-level

Invoke

enables you to run a single command on one or more computers. As commands are executed a remote session is established and disconnected upon completion. This cmdlet is particularly helpful for automating some manual tasks

shared folders

file and printer sharing

To start using WinRM, a couple of prerequisites must be addressed. Secondly, the Windows Firewall must be configured to allow

incoming request for WS Management listener service.

Server Manager can show the online/offline status for only ___Windows Server 2003 servers.

legacy

When Microsoft created WinRM, their goal was to

leverage existing technologies to create a command-line application that by default communicated over TCP port 80. This later changed to TCP 5985 under Server 2008 R2.

To start using WinRM, a couple of prerequisites must be addressed. First, the WinRM service must be installed and configured with the appropriate

listener ports.

Using the Server Manager Properties dialog box (available from the Manage button), you might choose to specify a data refresh period. Depending on how many servers you are managing, you might choose to create a more or less frequent refresh period. The more servers you have, the ___it will take to refresh, so a more frequent refresh interval can result in performance issues. If you do not want to have Server Manager start automatically upon logon, enable the check box for Do not start Server Manager automatically at logon

longer

To enable Remote Administration on Server Core installations, issue the command

netsh advfirewall firewall set rule group="Remote Administration" new enable=yes.

Custom groups can be created to

organize and contain servers of the same type. For example, you might choose to create a File Server Group that contains all of your file servers. Similarly, you might choose to organize by operating system type, location, or any other criteria that best suits your needs.

reliability and performance

performance logs and alerts, file and print sharing

If security is not a major concern, you might also choose a blanket approach, enabling the Remote Administration Rule Group, which allows

remote access for all supported MMC snap-ins.

services

remote service management

task scheduler

remove scheduled tasks and management

To list available administrative tasks, highlight the remote server and ___-click to display remote administration options

right

PowerShell Web Access is a new function available under Windows Server 2012. Using Web Access, you can create a

secure central portal to use PowerShell Sessions, cmdlets, and scripts to manage a remote computer.

Once enabled for remote management, use the add other servers to manage feature from the Server Manager Dashboard. The Add Servers dialog box enables you to search for remote servers using Active Directory by importing a list from a ___file or by using DNS as shown in Figure 6-4.

text

The Windows Remote Shell (WinRS) is

the client component used in conjunction with WinRM.

The WS-Management protocol relies on specifications established under the Simple Object Access Protocol (SOAP). SOAP defines

the structure to exchange information using XML-formatted data that is exchanged typically using Web Services (HTTP/HTTPS) or in some cases Simple Mail Transfer Protocol (SMTP).

Get

used to retrieve or get information about a specific function

The gateway is essentially a

web server with the Web Access Gateway Role/Feature components installed.

For example, if you need to retrieve the IP Address of ServerB, execute the following command from ServerA:

winrs -r:ServerB ipconfig

The basic syntax for the WinRS command is

winrs -r:[remote computer] command.