
The Best Damn Windows Server 2003 Book Period- P7 pptx


include information about Enforce and Block Inheritance flags in Group Policy
implementation. These affect how GPOs are inherited throughout the AD infrastructure.

Trust relationships, both transitive and explicitly defined

Network connectivity hardware (switches, routers, firewalls, and other LAN and WAN
connectivity devices)

Client computer configuration, both hardware and software

Line-of-business application inventory and configuration

Backup, restore, and disaster recovery procedures
Windows Server 2003, built upon the same technology as Windows 2000, has been upgraded
and improved to address a variety of needs in today’s networked environment. We’ve reviewed the
new features in Windows Server 2003 and taken a quick look at some of the tools available to make
installing, maintaining and repairing Windows Server 2003 a bit easier. We’ve also reviewed the
basics of network design, planning and testing and we’re now ready to jump into the specifics of
Windows Server 2003.
26 Chapter 1 • Overview of Windows Server 2003
301_BD_Win2k3_01.qxd 5/12/04 10:53 AM Page 26
Using Server Management Tools
In this chapter:

Recognizing Types of Management Tools

Managing Your Server Remotely

Using Emergency Management Services

Managing Printers and Print Queues



Managing and Troubleshooting Services

Using Wizards to Configure and Manage Your Server
Introduction
The network administrator’s daily tasks can be made easier (or more difficult) by the
number and quality of administrative tools available to perform those tasks. In the
previous chapter, we quickly reviewed some of the tools. In this chapter, we’ll take a more
in-depth look at specific server management tools.
In Windows Server 2003, Microsoft has provided administrators with a wealth of
graphical and command-line utilities for carrying out their job duties. The Administrative
Tools menu is the place to start, and there you’ll find predefined management consoles for
configuring and managing most of Server 2003’s services and components, including
Active Directory tools, distributed file system (Dfs), DNS, Security policies, Licensing,
Routing and Remote Access, Terminal Services, Media Services, and more.
But that’s only the beginning. Administrators can create customized Microsoft
Management Consoles as well, just as with Windows 2000. This makes it easier to
perform tasks yourself, and easier to delegate administrative tasks to others, because you can
create consoles for specific purposes and enable only limited user access to them for
specified users or groups.
For those who prefer the power and flexibility of the command line, many of these same
administrative tasks can be performed there, as well as other tasks that have no GUI interface.
Windows Server 2003 includes a huge number of command-line utilities, including dozens of new
ones that were not included in Windows 2000 Server.
Many of the more complex configuration tasks performed by administrators can be done via
Wizards that walk you through the steps. This makes it easier to set up services and server
components for those who are unfamiliar with the process.

In this chapter, we introduce you to many of the graphical management consoles and
command-line administrative utilities that are included in Windows Server 2003, and show you how to
use them to manage your server and your network.
Recognizing Types of Management Tools
So many administrative tools are available, located in so many different places, that it can be
daunting for a new administrator of a Windows computer to know where to look. Of course, in the
fullness of time, experience brings familiarity, but even experienced administrators occasionally
discover a tool that they haven’t seen before. In this section we will review where most of the
common administrative tools are located.
Administrative Tools Menu
The Administrative Tools menu is where many important tools are located. Click Start | Programs
| Administrative Tools to see what is available. You can change what appears in this folder by editing
the All Users profile in the Documents and Settings folder as shown in Figure 2.1.
Another way to access the same folder is by clicking Start | Settings | Control Panel, and
then double-clicking the Administrative Tools icon.
28 Chapter 2 • Using Server Management Tools
Figure 2.1 Location of the Administrative Tools Folder
Note that the items in the Administrative Tools menu folder are shortcuts, rather than the
programs or console files themselves. Many of the actual management console files (.msc files) are
located in the <systemroot>\system32 folder. You can find the location of the .msc file by
right-clicking the shortcut in the right pane as shown in the figure, selecting Properties, and then
checking the Target field on the Shortcut menu.
Custom MMC Snap-Ins
The Microsoft Management Console (normally referred to as an MMC) is the framework for nearly
all Windows graphical administrative tools. It provides a blank sheet to which you can add your
favorite administration tools. The idea is that all administrative tools have a common look and feel
and that the management tool for an administrative task, such as adding users and groups, is written
as a snap-in for an MMC. The administrator can then choose which snap-ins to have in a console or
use one of the many pre-configured ones found in the Administrative Tools folder. Some of the
MMC snap-ins can be used to manage remote computers as well as the local computer (assuming
you have the appropriate rights). Many vendors of third-party management tools provide snap-ins
for their products, which you can add to your MMC consoles.
Note that some of the tools in the Administrative Tools folder, such as Licensing, are stand-
alone programs that don’t work with an MMC. When you look at the properties of those shortcuts,
you’ll find that the target files are executables (.exe) instead of MMCs (.msc).
After you’ve created an MMC, it can be saved as a stand-alone file and even e-mailed to
another administrator to use. Possession of an MMC file does not in itself give a user any additional
rights. So if you e-mail an MMC file with, for example, the Disk Management snap-in to a non-
administrative user, that user won’t be able to complete any disk management tasks even though he
or she can see the snap-in.
MMC Console Modes
MMC consoles can be configured to prevent anyone from changing them. A console can be saved
in one of four modes, each of which has varying restrictions. Table 2.1 shows the four modes and
the functionality of each.
Table 2.1 MMC Console Modes
Console Mode                                   Functionality
Author mode                                    Full access to the MMC; can change all aspects.
User mode – full access                        Full access to the windowing commands but can’t add or remove snap-ins.
User mode – limited access, multiple window    Access only to the areas of the console as it was when saved. Can create new windows but not close existing windows.
User mode – limited access, single window      Access to the console as it was when saved. Can’t open new windows.
To give you an idea of how you can use the MMC, use the following steps to create a custom
MMC. You may choose to use this MMC or you may simply follow the steps to get a better idea of
how to create a custom MMC.

1. To create a new console, click Start | Run and type mmc in the dialog box.
2. Select Add/Remove Snap-in from the File pull-down menu.
3. In the Add/Remove Snap-in dialog-box, click the Add button.
4. In the Add Standalone Snap-in dialog box, scroll through the list and click Event
Viewer, and then click the Add button.
5. In the Select Computer dialog box, click Finish.
6. Click Close in the Add Standalone Snap-in dialog box, and then click OK in the
Add/Remove Snap-in dialog box.
7. Repeat steps 2 to 6, but for step 5 select Another Computer and enter the name of or
browse to another computer on your network.
8. Repeat steps 2 to 6, but for step 4 select Services and in step 5 select Local Computer.
9. In the left-hand pane, click the plus signs next to the two Event Viewer folders to expand
them.
10. Click Application under the Event Viewer (Local) folder.
11. You should now have a console similar to the one shown in Figure 2.2.
12. To save this console for future use, select Save from the File pull-down menu. Type
MyConsole in the File name box and click Save.
13. The console is saved and can be started again via Start | Programs | Administrative
Tools | MyConsole.msc.
Figure 2.2 Viewing the Application Log for the Local Computer
14. We will now look at opening multiple windows. Highlight Event Viewer (Local), and
then right-click and select New Window from Here. You now have two windows open,
which can be managed using the Window pull-down option.
15. Click Window and explore the various options for how the two windows are laid out.
16. Switch to the Event Viewer (Local) window and close this window by typing Ctrl-F4.
You should now have only one window called Console Root.
17. Click File and select Options.
18. In the Options dialog box that appears, click the pull-down menu for the Console
mode box and select User mode – limited access, single window, and then click
OK.
19. Click File and select Save.
20. Click File and select Exit.
21. Re-open the console by selecting Start | Programs | Administrative Tools |
MyConsole.msc.
22. Note that the Window pull-down option is no longer present, that you cannot add new
snap-ins via the File pull-down menu, and that you cannot close any of the snap-ins that
are in the MMC.
Command-Line Utilities
As the name suggests, command-line utilities are designed to be run in a command window (start by
selecting Start | Run, and then type cmd in the Open box and press Enter) or as part of batch files
or scripts. Administrators are forever looking for ways to simplify administration and using command
lines in batch files is a very good way of handling routine, repetitive tasks. You can perform some
administrative tasks using only a graphical interface, some using only a command-line utility, and
others can be done using either. Later in the chapter, we will examine printer administration, which is
a good example of something that can be managed using graphical or command-line tools.
Some command-line utilities are written in a language that has to be run using a scripting host
such as Windows cscript, and others run as compiled programs or executables.
Command-line utilities are harder to find because they are not in any of the Start menus (although
you can add them). A good place to look for information is in Windows Help and Support. Search
on Command-line Reference and you get an A-Z of Windows command-line tools.
Wizards
Wizards guide you through potentially complex tasks by taking you through a series of dialog boxes
where you answer questions or make choices; they are essentially wrappers around the underlying
graphical or command-line based tool. Each version of Windows increases the number of wizards in
an attempt to make administration easier for the inexperienced administrator. However, in some
cases it can be quicker for the experienced administrator to perform a task directly using the
appropriate administrative tools rather than using a wizard.
Many wizards can be accessed through the Manage Your Server tool and the Configure Your
Server Wizard in Administrative Tools.
Windows Resource Kit
The Windows Resource Kit, available for download from Microsoft’s Web site, provides even more
tools for administrators to use to manage Windows servers in a large network. If you are responsible
for many servers, you should download this kit and spend some time reviewing its contents.
The Run As command
It is good practice for administrators not to log on using an account that has administrative rights.
This prevents accidental changes to the file server, limits the access a virus would otherwise gain, and so
on. As an administrator, you should log on using an ordinary user account and, when you need to
perform an administrative task, use the Run as option to choose an administrator account.
Run as is available by right-clicking an item in the Start menu.
The Run as option won’t appear in the right-click context menu for every Start menu item, just for
executables, management consoles, and other programs that can be run.
You can also use the runas command in a command prompt for command-line utilities. Start a
command prompt and then type runas /user:administrator cmd. This will start a new command
prompt with administrator privileges.
Managing Your Server Remotely
How often have you had to walk to the other end of a building to perform a server task or – even
worse – had to drive or fly to another office? One of the main aims for any administrator is to be
able to manage all the servers without leaving his or her desk! Windows Server 2003 provides you
with a variety of methods to remotely manage your servers depending on your scenario.
Remote Assistance
Remote Assistance is designed for users to request help on their PCs (which must be running
Windows XP or later) from another user. The user requesting help sends an invitation to assist, using
Windows Messenger or e-mail via the Help and Support Center. The request includes an
attachment (which contains details of how to connect to the user’s PC) that the recipient double-clicks to
start a Remote Assistance session with the requesting user’s PC. Once connected, the helper can
view the desktop of the requesting user and chat online with him. The helper can also, with the
user’s permission, take control of his desktop.
The request can optionally include an “expiry” (expiration) date, after which the Remote
Assistance request is no longer valid. This is used to reduce the risk of unauthorized access to the
user’s computer. The user requesting help can also require the helper to use a password to connect
to his computer. The user must communicate this password to the helper.
The user can review his invitations in the Help and Support Center. Figure 2.3 shows a
summary of invitations that have been sent out.
Although the usual method is for the user requesting help to initiate the Remote Assistance
session, it is also possible within a domain for a helper to offer assistance. An administrator can set
group policy to prevent users from requesting remote assistance, or to restrict whether users will be
able to enable a helper to remotely control their computers or only view them.
Both users need to be connected to the Internet in order to use Remote Assistance and if
firewalls are in use, port 3398 must be open. You can disable Remote Assistance completely to prevent
any Remote Assistance invitations being sent.
To configure Remote Assistance, right-click My Computer and select Properties, and then
click the Remote tab.
Using Web Interface for Remote Administration
If you need to manage your servers from home or perhaps from another office, one option is to use
a standard Web browser to administer your servers using the remote administration component of
Windows Server 2003. You must configure your server first, but after you have done this, you can
simply point the browser to your server’s IP address and you can administer it from anywhere in the
world. To access the server over the Internet, the following conditions must be met:

The Remote Administration (HTML) component must be installed on the server. It is not
installed by default (with the exception of Windows Server 2003 Web Edition).

Port 8098 on the server must be accessible through your Internet connection.


Your server must have a valid external IP address.
If you want to access your servers only over your company network, an external IP address is not
necessary, but you must still be able to communicate with port 8098 on the server. Microsoft
recommends that the browser you use for remote administration be Internet Explorer version 6.0 or later.
To access your server over the Web, browse to https://servername:8098. You must use a
secure connection. The :8098 in the URL directs the browser to connect to port 8098 on the
server instead of the default port 80. You can change your server to work on a different port in
Internet Information Services (IIS) Manager. After you’ve connected to the server, you’ll see the
Welcome page, as shown in Figure 2.4.
Figure 2.3 Summary of Remote Assistance Invitations
Through this Web site, you can carry out the more common administration tasks, such as
configuring Web sites, managing network settings, and administering local user accounts.
Remote Desktop for Administration
The Remote Desktop (RD) for Administration facility enables users to connect to a Windows
Server 2003 or a Windows 2000 Server computer desktop from any computer that has the Remote
Desktop client software. In Windows 2000, this facility was called Terminal Services Administration
mode. Remote Desktop for Administration is effectively Terminal Server installed in a special mode
that enables up to two remote users and one local user (at the console) to connect to a server for
administration purposes and does not require any additional licensing. Terminal Server can also be
used in application mode to enable many users to connect to your server using Remote Desktop
from their computers and run applications in a “thin client” computing model. Application mode
requires Terminal Server licensing to be set up.
You can connect to the server from any client computer running the RDC client or the
Windows terminal services client. Microsoft provides an RDC client for Windows 95, 98/98SE,
ME, NT 4.0 and 2000. You can also download an RDC client for Macintosh OS X.
The Remote Desktop snap-in is a very useful tool for adding Remote Desktop functionality to
an MMC. With this tool, you can connect to the server’s console session.
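The Remote Assistance and Remote Desktop settings described above can be reviewed from a script. The following is an added example, not code from the book: it reads the Terminal Server registry flags and reports whether each remote-access path is switched on and whether Group Policy or the local setting decides it. It assumes Windows PowerShell (which postdates Windows Server 2003) run in an elevated session; the function names are hypothetical.

```powershell
# Added example (not from the book): report remote-access switches.
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegistryFlag {
    param([string]$Path, [string]$Name)
    # Return the DWORD as [int], or $null when the key or value is absent.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return [int]$prop.Value
}

function Get-EffectiveFlag {
    param([string]$Name)
    # A Group Policy value, when present, takes precedence over the local one.
    $value  = Get-RegistryFlag -Path $PolicyKey -Name $Name
    $source = 'GroupPolicy'
    if ($null -eq $value) {
        $value  = Get-RegistryFlag -Path $LocalKey -Name $Name
        $source = if ($null -eq $value) { 'NotSet' } else { 'Local' }
    }
    [pscustomobject]@{ Name = $Name; Value = $value; Source = $source }
}

function Get-RemoteAccessSummary {
    $rdp  = Get-EffectiveFlag -Name 'fDenyTSConnections'  # 0 = connections allowed
    $ra   = Get-EffectiveFlag -Name 'fAllowToGetHelp'     # 1 = invitations allowed
    $ctrl = Get-EffectiveFlag -Name 'fAllowFullControl'   # 1 = helper may take control

    # A Source of 'NotSet' means no value was found; Enabled is then reported
    # as False and the row should be checked by hand.
    [pscustomobject]@{
        Feature = 'Remote Desktop for Administration'
        Enabled = ($rdp.Value -eq 0)
        Source  = $rdp.Source
    }
    [pscustomobject]@{
        Feature = 'Remote Assistance invitations'
        Enabled = ($ra.Value -eq 1)
        Source  = $ra.Source
    }
    [pscustomobject]@{
        Feature = 'Remote Assistance helper control'
        Enabled = ($ra.Value -eq 1 -and $ctrl.Value -eq 1)
        Source  = $ctrl.Source
    }
}

Get-RemoteAccessSummary | Format-Table -AutoSize
```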
Administration Tools Pack (adminpak.msi)

The Windows Server 2003 Administration Tools Pack is used on client computers running
Windows XP Professional to provide management tools for Windows Server 2003 computers. The
client computers must have Windows XP Service Pack 1 applied.
You can install the Administration Tools from the adminpak.msi file, which you can find on
the Windows Server 2003 CD or in the system32 folder of a computer running Windows Server
2003. Double-click the adminpak.msi file to install the tools.
Figure 2.4 Welcome Page for Server Web Administration
After the tools are installed, you’ll have all the administrative tools that we looked at earlier in
this section available on your Windows XP computer and you’ll be able to perform server and
network administrative tasks from the XP client. In particular, this includes tools for server-based
services such as DNS, DHCP, and Active Directory.
Windows Management Instrumentation (WMI)
Windows Management Instrumentation (WMI) provides an object-based method for accessing
management information in a network. It is based on the Web-Based Enterprise Management
(WBEM) standard specified by the Distributed Management Task Force (DMTF) organization and
is designed to enable the management of a wide range of network devices. WMI is Microsoft’s
implementation of WBEM for Windows operating systems.
WMI is used with programs or scripts to retrieve management information or change
configurations of Windows computers, but using WMI is not trivial and requires programming skills. WMI
can be used at the command line using WMIC, but you need knowledge of the WMI database of
objects. For more information on this topic, refer to Microsoft’s WMI Software Development Kit.
Some enterprise Microsoft tools, such as Systems Management Server (SMS) and Health
Monitor in the Back Office products use WMI to manage computers. For more information on
WMI, have a look at Microsoft’s Web site at
www.microsoft.com/windows2000/techinfo/howitworks/management/wmiscripts.asp.
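As an illustration of retrieving management information through WMI from a script, the following added example (not code from the book) queries the Win32_Service class on one or more computers and lists services that log on with an account other than the built-in service accounts. It assumes Windows PowerShell 3.0 or later, which postdates Windows Server 2003, and that remote computers accept WS-Management connections; the function name is hypothetical.

```powershell
# Added example (not from the book): inventory service logon accounts via WMI.
function Get-ServiceAccountInventory {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Built-in accounts that are expected and carry no stored password.
    $builtIn = @(
        'LocalSystem',
        'NT AUTHORITY\LocalService',
        'NT AUTHORITY\NetworkService'
    )

    foreach ($computer in $ComputerName) {
        $query = @{ ClassName = 'Win32_Service'; ErrorAction = 'Stop' }
        # Query the local machine directly; remote names go over WS-Management.
        if ($computer -ne $env:COMPUTERNAME -and $computer -ne 'localhost') {
            $query['ComputerName'] = $computer
        }

        try {
            $services = Get-CimInstance @query
        }
        catch {
            # Unreachable host or insufficient rights: report it and move on.
            Write-Warning "WMI query failed on ${computer}: $($_.Exception.Message)"
            continue
        }

        foreach ($svc in $services) {
            # Some entries report no logon account; skip them.
            if ([string]::IsNullOrEmpty($svc.StartName)) { continue }
            # -contains compares case-insensitively.
            if ($builtIn -contains $svc.StartName) { continue }

            [pscustomobject]@{
                Computer  = $computer
                Service   = $svc.Name
                Account   = $svc.StartName
                StartMode = $svc.StartMode
                State     = $svc.State
                Path      = $svc.PathName
            }
        }
    }
}

Get-ServiceAccountInventory |
    Sort-Object Computer, Account |
    Format-Table -AutoSize
```

Pass a list of server names with -ComputerName to run the same inventory remotely; the account running the script needs the appropriate rights on each target.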
Using Computer Management to Manage a Remote Computer
Computer management is available on client and server computers to perform management tasks
and is actually a pre-configured MMC console. To start computer management, select Start |
Settings | Control Panel, double-click Administrative Tools, and then double-click
Computer Management. Alternatively, right-click the My Computer icon and select Manage.
You can also use computer management to connect to another computer (providing you have
the appropriate rights). Select Connect to another computer… from the Action pull-down
menu, and then enter the name of the remote computer in the Another computer: box or
browse for it by clicking the Browse button.
Figure 2.5 shows Computer Management on a server with the Disk Management snap-in
expanded. On a server computer, Computer Management has additional snap-ins for server-based
services, so you won’t see exactly the same snap-ins in Computer Management on a computer
running Windows 2000 Professional or Windows XP Professional.
Computer Management has three nodes that group the management tasks, as shown in Table
2.2. Expanding each node reveals the snap-ins. System Tools contains snap-ins for local management
tasks, the Storage node contains snap-ins for tasks related to local disks and storage devices (such as
tape drives), and the Services and Applications node contains snap-ins for other server-based
applications. The contents of this node vary depending on whether the computer is running a client or
server operating system and the server components that have been installed. Table 2.2 shows only
some of the possible snap-ins under Services and Applications.