Read an Excerpt
Chapter 10: Managing Day-to-Day OperationsIf it's true, as Mies van der Rohe said, that "God is in the details," then a network is a very holy place indeed. A network administrator's job consists of masses of details, and if you're to cope, you must find ways of handling and tracking them. Microsoft Windows 2000 supplies plenty of tools for this, including ones that allow you to delegate tasks to other users or groups, use scripts to automate tasks, and schedule tasks to run periodically. Nevertheless, administering a network is still largely a process of planning and organization, and in that area there's no substitute for brainpower. This chapter discusses some of the tools that can help in the daily business of network management.
Using the Secondary LogonRecommended administrative practice dictates that an administrator be logged on to a privileged account (one with administrative rights) only while doing chores that require privileges. For ordinary work, the administrator is supposed to log off from the privileged account and then log on again to an ordinary account. Of course, it's not unusual that ten minutes later a situation arises requiring use of the privileged account. So then it's necessary to log off from the ordinary account and log back on to the administrator account, with the process reversed again a few minutes later.
After a few days of this, even the most security-conscious person begins to toy with the idea of logging on to the administrator account and staying there. And in time, most administrators succumb to the temptation and stay in the privileged account most of the time.
This practice makes Microsoft Windows NT systems highly susceptible to "Trojan horse" attacks. Just running Microsoft Internet Explorer and accessing a nontrusted Web site can be very risky if done from an administrator account. A Web page with Trojan code can be downloaded to the system and executed. The execution, done in the context of administrative privileges, will be able to do considerable mischief, including such things as reformatting a hard disk, deleting all files, or creating a new user with administrative access. When you think about it, it's like handing the keys to your network to a complete (and malicious) stranger.
This problem is finally addressed in Windows 2000 with the RunAs service. This service enables you to work in a normal, nonprivileged account and still access administrative functions without logging off and then logging back on again. To set up the RunAs service, follow these steps:
- While logged on with administrative rights, choose RunAs Services from the Administrative Tools menu.
- In the list of services, double-click RunAs Service.
- Ensure that Startup Type is set to Automatic and that Current Status is set to Started. (If it isn't, click the Start button.) Click OK to close the dialog box.
After performing these steps, create an ordinary user account for your own use (if you don't have one already). Make sure that the user account has the right to log on locally at the machine you want to use.
Windows 2000 views all domain controllers as special cases. On a domain controller, for example, all management of users and groups must be done through the Active Directory Users and Computers snap-in. Also, by default, users can't log on locally to a domain controller. Chapter 9 has more on creating user accounts and granting rights.
Starting a Command-Line Window for AdministrationWith the RunAs service started, you can log on with your regular user account and then open a command shell for performing administrative tasks, as follows:
- After logging on as a regular user, open a command window and enter the command runas /user:<domain\username> cmd. In this case, username is the account with administrative privileges. If you are logged on as a local user, the command is runas /user:<machinename\username> cmd.
- A command-line window opens, and you're prompted for the password for the administrative account.
- After you enter the password, a second window opens. As shown in Figure 10-1, the title bar of the window clearly indicates that it is running as the account selected.
You can perform any command-line tasks you want from this window. Of course, there are some administrative tasks that can't be done from the command line or that can be done only with great difficulty. Some applications, such as Control Panel and the Printers folder, are launched from the shell at the time of logon, so if you're logged on as an ordinary user, the Control Panel functions stay in that context.
To stop the shell and start it again as an administrator so that you can use functions like Control Panel, follow these steps:
- Right-click the taskbar and choose Task Manager from the menu.
- Click the Processes tab. Highlight Explorer.exe, and click End Process. A warning message appears. Click Yes. The entire desktop, except for Windows Task Manager and any active applications, disappears.
- Select the Applications tab in Windows Task Manager, and then click New Task.
- In the Create New Task box, enter runas /user:<domain\username> explorer.exe. As before, username is the account with administrative privileges. If you're logged on locally, use the command runas /user:<machinename\username> explorer.exe.
- Enter the password for the user name. The desktop, along with the taskbar, returns. This desktop is in the security context of the user name you specified in the command.
To return to the ordinary user's desktop, use Task Manager to shut down Explorer.exe again. Then start a new instance by typing explorer.exe (without runas, so that Internet Explorer is restarted in the original security context) in the Create New Task dialog box.
Don't close Task Manager while you're working in the desktop's administrative context-just minimize it to the taskbar. Closing Task Manager can produce unpredictable results and is likely to cost you more time than you can possibly save by using RunAs.
Administration ToolsMost of the tools you'll need for managing a Windows 2000 network come as part of the Windows 2000 Server and Windows 2000 Advanced Server packages, but only a few of them are automatically installed along with the operating system. Table 10-1 gives the complete list of Administration Tools....
Installing Administration Tools Locally...To install the full set of Administration Tools locally, open the i386 folder on the Windows 2000 Server or Windows 2000 Advanced Server CD-ROM, and then double-click the Adminpak.msi file. This starts the Administration Tools Setup Wizard (Figure 10-2), which will install the tools (and later remove them and reinstall them, if you wish). Click Next and the installation proceeds.
Making Administration Tools Available RemotelyTo make the Administration Tools available to others on your network, you can assign the tools to other computers or publish them in Active Directory. Chapter 24 covers the process of assigning and publishing to other users.
Support ToolsThe Windows 2000 Support Tools are immensely valuable because they provide functionality not otherwise available in the operating system. You'll probably never use some of the tools, but a few will prove to be worth their weight in Microsoft stock options. This section discusses a few of these utilities. You can see a complete list by choosing Tools Help from the Windows 2000 Support Tools menu.
If you don't see the Support Tools on your Programs menu, you'll need to install them. To install the Windows 2000 Support Tools, insert the Windows 2000 CDROM. Open the Support folder and then the Tools folder. Double-click Setup.
The tools provided on the Windows 2000 CD-ROM are a subset of the tools you can get by purchasing the full Microsoft Windows 2000 Server Resource Kit. The Resource Kit is a separate product with its own companion CD, available from Microsoft Press.
Network Connectivity TesterNetwork connections can fail in a spectacular number of ways-at any number of servers and in a variety of client configurations. Determining the source of a problem can be a daunting process. Netdiag.exe can report on an equally spectacular number of functions, running tests on the DNS server, the WINS server, Kerberos, the bindings, the WAN, trust relationships, the IP configuration, the routing table, IPX, NetWare, DHCP, the default gateway, and more. Netdiag.exe can be run on Windows NT and Windows 95/98 as well as Windows 2000, so you can use this excellent troubleshooting tool on servers and clients alike.
Domain ManagerWith Netdom.exe, most forms of domain management can be handled from the command line. Machine accounts can be added, removed, renamed, or moved to another domain. Netdom.exe also retrieves information about trusts and lets you establish trusts, synchronize the time, and verify secure channel passwords. The syntax for Netdom.exe is simple, but the range of possible parameters is extensive.
Command syntax and examples are available in the Support Tools Help files. To find the syntax for a specific tool, open a command window and enter tool_name /?.
Active Directory Replication MonitorRather than merely monitoring low-level replication among servers, the Active Directory Replication Monitor (Replmon.exe) reports on a wide range of Active Directory functions. It displays the site topology while reporting on the server's properties, indicating whether it is a Global Catalog server, and listing its replication partners, its replication history, and the attributes replicated.
The units of replication among domain controllers are directory partitions that must contain the most current information about objects in the domain. If a server is down or the network is disrupted, the information may not be completely up-to-date. The Replication Monitor can synchronize a monitored server with a specific replication partner to get everything back in order. It also generates status reports for servers throughout a forest for troubleshooting replication errors.
Disk ProbeDisk Probe (Dskprobe.exe) is indispensable when a critical hard disk goes bad. It is a sector editor that you can use to repair damaged partition tables, replace the master boot record, and repair or replace partition boot sectors. Even better, Disk Probe will save master boot records and partition boot sectors as files that can be used to restore the sectors if they become damaged in the future. This can be a great benefit because these data structures aren't part of the file system and are not backed up by any backup program. Table 10-2 briefly describes some of the Windows 2000 Support Tools. For a complete list, see Appendix F....
Microsoft Management Console BasicsThe Microsoft Management Console (MMC) is a powerful addition to the system administrator's arsenal. The MMC works as a packager of system tools, enabling the system administrator to create specialized tools that can then be used to delegate specific administrative tasks to users or groups. Saved as MMC (.MSC) files, these custom tools can be sent by e-mail, shared in a network folder, or posted on the Web. With system policy settings, they can also be assigned to users, groups, or computers. The tools are flexible enough to be modified, scaled up or down, and generally shaped for any use to which you might want to put them.
To build a custom tool, you can either start with an existing console and modify it or start from scratch. In a mature network, you'll most likely use the former method, taking predefined consoles and adding or subtracting snap-ins.
Creating an MMC-Based Console with Snap-ins Building your own tools with the MMC's standard user interface is a straightforward process. The next few sections walk you through the creation of a new console and describe how to arrange its administrative components into separate windows.
- Click the Start button and select Run. In the Open text box, type MMC, and then click OK. An empty MMC window opens, as shown in Figure 10-3, ready for you to add snap-ins.
- From the Console menu, select Add/Remove Snap-in. (The menu commands on the menu bar at the top of the MMC window apply to the entire console.) The Add/Remove Snap-in dialog box opens. Here you can choose which snap-ins are in the console file as well as enable extensions. In the Snap-ins Added To box, accept the default, Console Root.
- Click the Add button. This opens a dialog box listing the snaps-ins installed on your computer (Figure 10-4).
- Highlight a snap-in to see a description of its function. Double-click a snap-in to add it to the console. For this example, we'll add Computer Management. The Computer Manager dialog box asks you to select the computer to manage (Figure 10-5).
- Select the Local Computer option, and select the check box Allow The Selected Computer To Be Changed When Launching From The Command Line. These options are common to many of the snap-ins. Click Finish.
- From the Add Standalone Snap-in dialog box, select Event Viewer, and click Add. As before, select the Local Computer option, and select the check box. Click Finish, then close the list of available snap-ins. The Add/Remove Snap-in dialog box lists two snap-ins: Computer Management (Local) and Event Viewer (Local).
- Click the Extensions tab. By default, the box labeled Add All Extensions is checked, which means that when this console is opened on a particular machine, all extensions that are locally installed on that machine will be used. If this box isn't checked, only extensions that are selected on the list of available extensions will be loaded.
- Click OK to close the Add/Remove Snap-in dialog box. The Console Root window now has two snap-ins, rooted at the Console Root folder.
Save the console by choosing Save from the Console menu. You will be prompted for a name-be as descriptive as possible. The file is saved in the Administrative Tools folder by default. This folder is part of your profile, so an added benefit is that if you use roaming profiles, any tools you create will go with you. See Chapter 9 for information on creating roaming profiles....