Managing and
Maintaining a
Microsoft Windows Server 2003 Environment
Microsoft Exam 70-290
Monitoring Network Resources
Windows Server 2003 includes the Computer Management and
Shared Folders snap-ins that you can use to easily monitor access
to network resources and send administrative messages to users. These
tools can aid:
Maintenance. When you must perform maintenance tasks on network
resources, you will need to make certain resources unavailable to
users. To do this you must determine which users are using the
resource so that you can notify them before making the resource
unavailable.
Security. These tools can be used to verify that only
authorized users have access to resources that are confidential.
Planning. These tools can be used to meet the expanding needs
of network users: they allow you to determine which resources are being
used and how heavily they are being used, so that you can plan for future
growth.
Monitoring Access to Shared Folders
You can monitor access to shared folders to determine how many
users are currently connected to each folder. You can also
monitor open files to determine which users are gaining access to
the files, and you can disconnect users from one or all
open files.
Monitoring Shared Folders
You can use the Shares folder in either the Computer
Management snap-in or the Shared Folders snap-in to view a
list of all shared folders on the computer and to determine how many
users are connected to each folder.
Note:
You can use Shares
Folders in Computer Management to identify the path
to all shared folders in the domain as well as the
administrative shares on the local computer.
The Computer Management snap-in or Shared Folders
snap-in can also be used to determine the maximum number of users that
are permitted to gain concurrent or simultaneous access to a folder,
and whether the maximum number of users that are permitted to gain
concurrent access to a folder has been reached. This is one quick and
easy way to troubleshoot connectivity problems. If a user cannot
connect to a share, determine the number of connections to the share
and the maximum connections allowed. If the maximum number of
connections has already been made, the user cannot connect to the
shared resource.
Modifying Shared Folder Properties
You can modify the properties of an existing shared folder from the
Shares folder by clicking the shared folder and then clicking
Properties on the Action menu. The General tab of
the Properties dialog box shows you the share name, the path to
the shared folder, and any comment that has been entered. The
General tab also allows you to view and set a user limit for
accessing the shared folder. The Security tab allows you to
view and change the shared folder's permissions.
Monitoring Open Files
The Open Files folder in either the Computer Management
snap-in or Shared Folders snap-in can be used to view a list of
open files that are located in shared folders and the users who are
currently connected to each file. You can use this information to
contact users so that you can notify them that you are about to shut
down the system.
Disconnecting Users from Open Files
When you make changes to the NTFS permissions for a file that is
currently opened by a user, the new permissions do not affect that
user until he or she closes the file and then attempts to reopen it,
because a user retains all the permissions for a shared resource that
Windows Server 2003 assigned when the user connected to it. These
permissions are evaluated again the next time that a connection is made.
Note:
Disconnecting users
from open files can result in data loss. To prevent data loss
you should notify users that are connected to shared folders or
files that there will be a disruption to the computer or resource
availability.
Monitoring Network Users
You can also use the Computer Management snap-in or the
Shared Folders snap-in to monitor which users are currently
connected to shared folder resources on a server from a remote
computer, and you can view the resources to which each user is
connected. You can also disconnect users and send administrative
messages to computers and users, including computers and users who are
not currently connected to network resources from the Computer
Management snap-in or the Shared Folders snap-in.
Monitoring User Sessions
You can use the Computer Management snap-in or the Shared
Folders snap-in to identify which users have a connection to open
files on a server and the files to which they have a connection. This
information can be used to determine which users you should contact
when you need to stop sharing a folder or shut down the server on
which the shared folder resides. You can also disconnect one or more
users to free idle connections to the shared folder, to prepare for a
backup or restore operation, to shut down a server, and to change
group membership and permissions for the shared folder.
Disconnecting Users
You can use the Shared Folders snap-in to disconnect one or all
users that are connected through a network to a computer if:
You have made changes to shared folder and NTFS permissions and want
the changes to take immediate effect.
You want to free idle connections on a computer so that other users
can make a connection when you reach the maximum number of
connections.
You want to shut down a server.
Note:
Disconnecting users
from open files can result in data loss. To prevent data loss
you should notify users that are connected to shared folders or
files that there will be a disruption to the computer or resource
availability.
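The session and open-file views described above, scripted as an added example (not from the study guide): it lists the users and share connections on a file server over WMI and marks which sessions are idle enough to disconnect versus which users must be notified first. It assumes the Win32_ServerSession and Win32_ServerConnection WMI classes shipped with Windows Server 2003 and administrator credentials on the target server; the server name and idle threshold are placeholders.

```powershell
# Added example: enumerate SMB sessions and share connections on a Windows
# Server 2003 file server via WMI before maintenance. Run as an administrator.
# Assumes Win32_ServerSession / Win32_ServerConnection in root\cimv2.
param(
    [string]$Server = ".",      # "." = local computer, or a remote host name (placeholder)
    [int]$IdleMinutes = 30      # sessions idle at least this long are disconnect candidates
)

# One row per user session: user, client, resources held open, idle time.
$sessions = Get-WmiObject -Class Win32_ServerSession -ComputerName $Server
# One row per share connection: share name, user, number of open files.
$connections = Get-WmiObject -Class Win32_ServerConnection -ComputerName $Server

"Sessions on $Server"
foreach ($s in $sessions) {
    $idle = [int]($s.IdleTime / 60)     # IdleTime is reported in seconds
    $state = if ($idle -ge $IdleMinutes) {
        "IDLE - candidate to disconnect"
    } else {
        "active - notify before making the resource unavailable"
    }
    "{0,-20} {1,-16} open={2,-3} idle={3,4} min  {4}" -f `
        $s.UserName, $s.ComputerName, $s.ResourcesOpened, $idle, $state
}

"Share connections on $Server"
foreach ($c in $connections) {
    "{0,-12} user={1,-20} files={2}" -f $c.ShareName, $c.UserName, $c.NumberOfFiles
}

# Built-in command-line equivalents of the Shared Folders snap-in views:
#   net session                    -> Sessions folder
#   openfiles /query /v            -> Open Files folder
#   net session \\client /delete   -> disconnect one client's session
#   openfiles /disconnect /id <n>  -> close one open file
```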
Auditing
You can track both user activities and system activities, which are
called events, on a computer through auditing and you can
specify that Windows Server 2003 write a record of an event to the
security log. The security log maintains a record of valid and invalid
logon attempts and events related to creating, opening, or deleting
files or other objects. An audit entry in the security log contains
information about:
The action that was performed
The user who performed the action
The success or failure of the event
When the event occurred
Using an Audit Policy
An audit policy defines the types of security events that Windows
Server 2003 records in the security log on each computer and allows
you to specify the events that you want to track.
Using Event Viewer to View Security Logs
You can use Event Viewer to view the security logs in which Windows Server
2003 recorded events. You can also archive log files to track
trends over time.
Note:
You must have the
Manage Auditing And Security Log user right for the computer where
you want to configure an audit policy or review an audit log. By
default, Windows Server 2003 grants these rights to the
Administrators group. Furthermore, the files and folders to be
audited must reside on NTFS volumes.
Setting Up Auditing
To set up auditing in Windows Server 2003 you must perform two steps:
Set the audit policy, which enables auditing of objects but does not
activate auditing of the specific objects.
Enable auditing of specific resources, which could be for files,
folders, printers, or Active Directory objects.
Windows Server 2003 then tracks and logs the specified events.
Note:
Changes made to a
computer's audit policy do not take effect until the computer is
restarted.
Auditing Object Access
In Windows Server 2003, objects include Registry keys, printers,
computers, files and folders. Each object has a security information
object, which is called the security descriptor, attached to
it. The security descriptor contains information about the groups or
users that can access an object, and the types of access, i.e., the
permissions, granted to those groups or users. This part of the
security descriptor is called the
Discretionary Access Control List (DACL).
In other words, the DACL is the part of the security descriptor that
grants or denies access to the object to groups or users. The security
descriptor also contains the auditing information for the object. This
part of the descriptor is called the System Access Control List (SACL).
The SACL describes the auditing activity on a group basis. You can
specify the audit permissions for objects that are in the inheritance
tree using the SACL. This enables all child objects to inherit the
audit policy from their parent objects.
Auditing Access to Files and Folders
You can set up auditing for files and folders on NTFS partitions to
track security breaches. To audit user access to files and folders,
you must first set your audit policy to audit object access, which
includes files and folders. Once you have set your audit policy to
audit object access, you enable auditing for specific files and
folders and specify which types of access, by which users or groups,
to audit.
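The two-step setup described above (audit policy first, then the SACL entries on the objects), as an added example that is not from the study guide. It assumes it runs as a member of Administrators (the Manage Auditing And Security Log right) on Windows Server 2003 with the folder on an NTFS volume; the folder path and audited principal are placeholders.

```powershell
# Added example: enable object-access auditing, then add a SACL entry to a folder.
$Folder = "D:\Confidential"     # placeholder: folder on an NTFS volume to audit
$Principal = "Everyone"         # placeholder: whose access to audit

# Step 1: the audit policy. Apply a security template with secedit that turns
# on "Audit object access" (0 = none, 1 = success, 2 = failure, 3 = both).
# Single-quoted here-string so $CHICAGO$ is not expanded as a variable.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditObjectAccess = 3
'@
$inf = "$env:TEMP\objaudit.inf"
$template | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db "$env:TEMP\objaudit.sdb" /cfg $inf /areas SECURITYPOLICY /quiet
# As the guide notes, the policy change takes effect after a restart.

# Step 2: the SACL. Audit successful and failed delete/write attempts by
# $Principal, inherited by every child file and folder.
$acl = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]"Delete, WriteData, AppendData",
    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]"Success, Failure")
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify: the folder's SACL now carries the entry (same as the Auditing tab).
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```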
Auditing Access to Printers
To audit access to printers you must set your audit policy to audit
object access. Object access includes printers. Then enable auditing
for specific printers and specify which types of access to audit and
which users will have access. To audit a printer:
Using Event Viewer
You can use Event Viewer to perform a number of tasks, including
viewing the audit logs that are generated as a result of setting the
audit policy and auditing events. You can also use Event Viewer to
view the contents of security log files and find specific events
within log files. Event Viewer has three logs available to view:
The Application Log, which contains errors, warnings, or
information that programs, such as a database program or an e-mail
program, generate. The program developer presets which events to
record.
The Security Log, which contains information about the success
or failure of audited events. The events that Windows Server 2003
records are a result of your audit policy.
The System Log, which contains errors, warnings, and
information that Windows Server 2003 generates. Windows Server 2003
presets which events to record.
Viewing Security Logs
Windows Server 2003 records information about events that are
monitored by an audit policy, such as failed and successful logon
attempts in the security log.
In the details pane, Event Viewer displays a list of log entries and
summary information for each item. Successful events appear with a key
icon and unsuccessful events appear with a lock icon. Other important
information that is recorded in the log includes the date and time
that the event occurred, the category of the event, and the user who
generated the event.
Note:
Windows Server 2003
records events in the security log on the computer at which the event
occurred. You can view these events from any computer if you have
administrative privileges on the computer where the events occurred.
To view the security log on a remote computer, start the MMC and
create a custom console; point Event Viewer to a remote computer when
you add this snap-in to a console.
Locating Events
By default, Event Viewer displays all events that were recorded in the
selected log. You can change the type of events that appear in the
log by using the Filter command in the view menu. You can also search
for specific events by using the Find command.
Managing Audit Logs
You can track trends in Windows Server 2003 by archiving event
logs and comparing logs from different periods. Viewing trends can be
used to determine resource use and to plan for growth. Windows Server
2003 also allows you to control the size of each audit log and to
specify the action that Windows Server 2003 takes when the log becomes
full. These can be configured in the Properties of each
individual audit log.
The default maximum log size is 512 KB, but you can set it to
anything from 64 KB to 4,194,240 KB (4 GB).
The actions that you can specify for when a log file becomes full are:
Overwrite Events As Needed. This setting requires no
maintenance but you could lose information if the log becomes full
before you archive it.
Overwrite Events Older Than [number] Days. This is the default
setting. You must select the number of days for this option; the
default is seven. You could lose information if the log becomes full
before you archive it.
Do Not Overwrite Events (Clear Log Manually). With this option
no security log entries are overwritten, so there is no
information loss. It does, however, require you to clear the log
manually. When the log becomes full, Windows Server 2003 will stop.
Note:
When the log file
becomes full and you have specified the Do Not Overwrite Events
(Clear Log Manually) action, Windows Server 2003 stops. You can
therefore use this configuration to ensure that Windows 2000 only
operates while auditing occurs.
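The size and overwrite settings discussed above live in the registry under the Eventlog service key; this added example (not from the study guide) reads them and reports them in the same terms the Properties dialog uses. It assumes the Windows Server 2003 registry layout and Windows PowerShell 2.0 or later; the halt-when-full behaviour is reported from the Lsa CrashOnAuditFail value that controls it.

```powershell
# Added example: decode the Security log's MaxSize and Retention settings.
function Get-SecurityLogRetention {
    param([string]$LogName = "Security")
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"
    $p = Get-ItemProperty -Path $key

    # Retention is a REG_DWORD: 0 = overwrite as needed, 0xFFFFFFFF = never
    # overwrite (clear manually), anything else = seconds to keep events.
    # Get-ItemProperty returns the DWORD as a signed Int32, so 0xFFFFFFFF reads as -1.
    $retention = [int]$p.Retention
    $mode = if ($retention -eq 0) {
        "Overwrite Events As Needed"
    } elseif ($retention -eq -1) {
        "Do Not Overwrite Events (Clear Log Manually)"
    } else {
        "Overwrite Events Older Than {0} Days" -f [int]($retention / 86400)
    }

    # CrashOnAuditFail = 1 is what makes the server halt when the security log
    # is full and cannot be overwritten; with 0 it keeps running without auditing.
    $lsa = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"

    New-Object PSObject -Property @{
        Log          = $LogName
        MaxSizeKB    = [int]($p.MaxSize / 1024)
        Mode         = $mode
        HaltWhenFull = ($lsa.CrashOnAuditFail -eq 1)
    }
}

Get-SecurityLogRetention | Format-List

# To change the settings (the Properties dialog performs the same writes):
#   $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security"
#   Set-ItemProperty -Path $key -Name MaxSize   -Value (4096 * 1024)   # 4 MB
#   Set-ItemProperty -Path $key -Name Retention -Value (7 * 86400)     # keep 7 days
```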
Using Group Policy
You can apply an audit policy to Active Directory users and OUs by
editing an applicable Group Policy object. This is similar to enabling
audit policy on files and folders.
The Shutdown Event Tracker
You can use the Shutdown Event Tracker to monitor the shutdowns on
your servers. A computer can be shut down for various reasons that
fall into two broad categories: expected and unexpected
shutdowns. An expected shutdown is one that you anticipate in response
to a particular action. An expected shutdown can be either planned
or unplanned. System administrators have control over a
planned shutdown, while an application on the server can cause an
unplanned shutdown and restart automatically. An unexpected shutdown
causes the Windows Server 2003 system to shut down without warning. This
could be due to something other than an application or operating system
function, such as a power failure.
In Windows Server 2003, shutdown events are controlled by the
Shutdown Event Tracker and shutdown command-line utility.
The Shutdown Event Tracker tool is enabled by default but can be
configured by using the Group Policy Object Editor.
If the Display Shutdown Event Tracker policy is configured to
display the Shutdown Event Tracker, the Shutdown Windows dialog
box is displayed whenever the system shuts down.
Note:
The Shutdown Event
Tracker does not record Logoff or Hibernate actions. It
only logs complete shutdowns of the system.
Monitoring System Performance
Windows Server 2003 provides a number of tools that you can use to
monitor system performance. These tools include the System Monitor,
the Performance tab on the Task Manager and a few
command-line utilities.
The System Monitor
The System Monitor is the primary tool for monitoring system
performance and is located in the Performance console in
Administrative Tools. This can be used to determine the computer's
efficiency and locate and resolve current or potential bottleneck
problems. You can also monitor the performance of remote computers
from the local System Monitor console.
System Monitor contains a number of objects, each with its own set of
counters. The available System Monitor objects include: Cache,
Processor, Memory, Logical Disk, Physical Disk, Network Interface,
Server, System, Terminal Services, and Web service. Information about
these objects and their counters can be displayed in three formats: as
a graph, as a histogram, or as a text report. You can alter these
views by clicking one of the three buttons in the button bar directly
above the graph.
Adding Performance Counters
To monitor the performance of an object, you must add the appropriate
counter that is relevant to the aspects of the object you want to
monitor.
Performance Logs and Alerts
The Performance console also has a Performance Logs and Alerts
node, which you can use to configure logging of performance related
information and to configure the system to alert you when thresholds
are reached. The Performance Logs and Alerts node has three
child nodes: Counter Logs, Trace Logs, and Alerts.
Counter Logs and Trace Logs
The counter logs store the performance counter information, while the
trace logs enable you to trace applications and processes. You can use
these logs to analyze data at a later opportunity. The creation of
counter logs and trace logs is similar.
Alerts
You can configure the system to alert you when one of the performance
thresholds is met. You can create an alert by right-clicking Alerts
in the console tree of the Performance console and
selecting New Alert Settings. You must enter a name for the
alert, and then configure the settings for it.
Using Task Manager to Monitor Performance
The Task Manager displays all the applications and processes
running on the Windows Server 2003 computer. It also displays some
common performance measures. You can access the Task Manager by
pressing CTRL + ALT + DELETE on the keyboard and selecting the
Task Manager button from the pop-up menu; or right-click an
empty area of the taskbar and select Task Manager. As
illustrated in Figure 9.1, the Performance tab of Task Manager
displays the CPU and memory usage of the system. The CPU Usage
section displays the current CPU usage as a percentage of the maximum
CPU utilization. The CPU Usage History section plots the recent
CPU usage on a graph and is an indicator for the behavior of the CPU
utilization of the system. The PF Usage section displays the
current Page File usage in megabytes (MB) while the Page File Usage
History section plots the recent Page File usage on a graph. The
Totals section displays the
total handles, threads, and processes currently running on the system.
The Physical Memory section displays the total available
memory, the amount currently available, and the System Cache size. The
Commit Charge section is related to the Kernel Memory
section and displays the virtual memory details.
[Figure 9.1: Task Manager Performance tab]
Command-Line Monitoring Tools
Windows Server 2003 also provides a number of command-line tools to
monitor performance. These are the logman utility (logman.exe),
the relog utility (relog.exe), and the typeperf
utility (typeperf.exe). You can use these command-line tools to
monitor performance locally or on a remote computer.
The Logman Utility
You can use the logman command-line utility to manage and
schedule performance counters and trace logs. You can use this utility
on a remote computer provided you have the proper administrator
credentials to access the remote computer. You can create, start,
stop, delete, query, and update performance counters and traces using
the logman command. The syntax for this command is:
logman [create {counter | trace} <collection_name>] [start | stop | delete | update <collection_name>] [query <collection_name> | providers]
Microsoft TechNet documentation on LOGMAN
The RELOG Utility
You can use the relog command-line utility to extract data from
performance counter logs and convert it to tab separated value (.tsv),
Comma-Separated Value (.csv), binary log file (.blg), or
SQL formats. This tool can also be used to create source data files
for database manipulation tools. The syntax for this command is:
relog [<file_name> [<file_name> ...]] [option]
Microsoft TechNet documentation on RELOG
The Typeperf Utility
The typeperf command-line utility is similar to relog
command-line utility. It allows you to write performance log file data
onto a command window or a file. The syntax for this command is:
typeperf {<counter> [<counter> ...] | -cf <file_name> | -q [<object>] | -qx [<object>]} [options]
Microsoft TechNet documentation on TYPEPERF
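The three command-line tools used together, as an added example that is not from the study guide: logman records a baseline counter log, relog converts it to CSV, and a short typeperf sample is checked against a threshold the way an Alerts entry in the Performance console would be. It assumes the Windows Server 2003 versions of logman, relog and typeperf and a "." decimal separator in typeperf output; the log folder, counters and threshold are placeholders.

```powershell
# Added example: logman -> relog -> typeperf, plus an alert-style threshold check.
$LogDir = "C:\PerfLogs"      # placeholder output folder
New-Item -ItemType Directory -Path $LogDir -ErrorAction SilentlyContinue | Out-Null

# 1. logman: define a counter log sampled every 15 s in binary (.blg) format,
#    start it, query its status, and stop it once the baseline period is over.
logman create counter Baseline -c "\Processor(_Total)\% Processor Time" `
    "\Memory\Pages/sec" "\PhysicalDisk(_Total)\Avg. Disk Queue Length" `
    -si 15 -f bin -o "$LogDir\Baseline"
logman start Baseline
logman query Baseline
# later, after the baseline period:
#   logman stop Baseline

# 2. relog: convert the binary log to CSV for spreadsheet or database import.
#   relog "$LogDir\Baseline.blg" -f CSV -o "$LogDir\Baseline.csv"

# 3. typeperf: take samples and evaluate them like an Alerts threshold.
function Test-CounterThreshold {
    param([string[]]$CsvLines, [double]$Limit)
    $breaches = @()
    foreach ($line in $CsvLines) {
        # Skip the "(PDH-CSV 4.0)" header and any status text typeperf prints.
        if ($line -notmatch '^"' -or $line -match 'PDH-CSV') { continue }
        $fields = $line -split '","'
        $when = $fields[0].TrimStart('"')
        $value = [double]$fields[1].TrimEnd('"')
        if ($value -gt $Limit) {
            $breaches += "{0}: {1} exceeds {2}" -f $when, $value, $Limit
        }
    }
    return $breaches
}

# Six samples, 5 s apart, of total CPU use; stderr (status messages) discarded.
$samples = typeperf "\Processor(_Total)\% Processor Time" -si 5 -sc 6 2>$null
$alerts = Test-CounterThreshold -CsvLines $samples -Limit 80
if ($alerts) { $alerts } else { "No sample exceeded the threshold." }
```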