MCSA/MCSE 2003 – 70-292 TechNotes:
- Wednesday, June 11, 2008, 1:32
- Study Guide
REMOTE ADMINISTRATION
Remote Desktop
Remote Desktop is an essential new feature in Windows 2003 that actually is not that new. It is the same thing as running Terminal Services in Administration mode on a Windows 2000 server. Remote Desktop allows administrators to manage the server remotely without having to walk to the server room. It is installed by default on Windows 2003, but not enabled by default. Remote Desktop relies upon the Terminal Services service, which will start automatically when Remote Desktop is enabled.
Remote Desktop can be enabled on the Remote tab of the System Properties depicted below:
If you click the Select Remote Users button, you can specify users that should be allowed remote access in addition to the administrators. Users you add on the Remote tab of the System Properties are actually added to a default group called Remote Desktop Users. Members of this special group are granted the user right Allow log on through Terminal Services on the local computer. Remember that although they log on remotely, they are working on this computer locally, as if they were sitting in front of it. If they were physically sitting in front of it, they would not be able to log on. In Windows 2000, users needed the right to log on locally in order to log on remotely to a terminal server.
The client component, which enables users to connect to a computer running Remote Desktop, is appropriately called Remote Desktop Connection. (It was called Terminal Services Client before Windows XP/2003.) Remote Desktop Connection requires a LAN, VPN, or dial-up connection that supports the Remote Desktop Protocol (RDP).
Remote Assistance
Remote Assistance allows a user to request help from a remote user over the Internet. The user in need of assistance sends an invitation (by Messenger, e-mail, or file) to an expert. If the expert accepts the invitation, he or she can establish a remote session to view the user’s screen and chat with the user, and optionally, control mouse and keyboard input.
Remote Assistance is disabled by default on Windows 2003 servers and can be enabled on the Remote tab of the System Properties (see image in Remote Desktop section above). The Remote Assistance Settings, accessible through the Advanced button on the Remote tab, allow you to put limitations on the use of Remote Assistance and the expiration period of invitations.
Remote Assistance invitations can be sent in three different ways:
- Email – The recipient (helper/expert) will receive a message with an attachment called ‘RCBuddy.msrcincident’. When the recipient executes that file, a remote session will be established. The user requesting help will have to accept the session before the remote user can view the screen and/or control the computer.
- File – This option allows you to save the invitation on a floppy disk, for example, or better, compress and encrypt it and then email it.
- Messenger – The process for Messenger is very similar and somewhat easier as remote assistance can be requested directly from Messenger, during a chat session with a help desk for example.
All three options are available from the Help and Support center in Windows XP (click Invite a friend to connect to your computer with Remote Assistance).
TERMINAL SERVER
Although the Terminal Services service is installed by default to allow Remote Desktop and Remote Assistance connections, it allows for only two concurrent user connections. You will need to install Terminal Server to serve a larger number of users. Windows 2003 Terminal Server allows users to work on the server remotely. Remote users can run applications, store data, and access the network on the Terminal Server, while using minimal resources of their local computer.
Terminal Server can be installed through the Add/Remove Windows Components option in the Add and Remove Programs wizard. You can use it without purchasing client licenses for a period of 120 days. After this initial grace period, Terminal Server requires a separate terminal services client license for each connected client. To issue licenses to clients, you need to install a Terminal Server Licensing server (which should be installed on a different server than the Terminal Server). Before the license server can issue client licenses, you must activate it through the Microsoft Clearinghouse by using the Terminal Server License Server Activation Wizard.
When you install Terminal Server, you must choose between Full Security, which denies applications on the server access to the registry and system files, or Relaxed Security, which allows access to the registry and system files and may be required for older applications you want to share on the Windows 2003 terminal server. If you choose Full Security and an application fails to run, you can change the setting by using the Terminal Server Configuration tool. Applications that were installed previously need to be reinstalled after installing Terminal Server in order to work properly for multiple users.
The 70-290 and 70-292 exams, for which these TechNotes are written, mention “Troubleshoot Terminal Services” and “Diagnose and resolve issues related to…” in the exam objectives (see list at the bottom). However, to be able to troubleshoot Terminal Services, and to be able to answer the corresponding exam questions, you need to know how to configure a Windows 2003 Terminal Server, because an incorrect configuration is usually the cause of the problem. If you are sure the TCP/IP connection is working properly, and licensing is not an issue (yet), you should check the configuration starting with the security settings.
Terminal Server requires the same security settings as Remote Desktop; users need the right to log on remotely on the server. The easiest way to assign this right to users is to add them to the local Remote Desktop Users group on the terminal server. By default, that would suffice to allow a user to use the terminal server, hence it is fairly simple to implement. However, there are many settings available to fine-tune the configuration of the terminal server. This allows you to tailor the terminal server to your needs, but when used incorrectly, these settings can prevent a successful connection or limit the user’s ability to use the terminal server.
There are two primary tools in Windows 2003 that you can use to configure settings related to Terminal Services. The first is the Active Directory Users and Computers snap-in (or the Local Users and Groups snap-in if the Terminal Server is not in a domain), which allows you to configure settings for individual users and configure group policies. The second is the Terminal Services Configuration snap-in, which allows you to override user profile settings and configure settings for the connection that serves the remote clients.
Let’s start with the Active Directory Users and Computers snap-in. The following four tabs of a user’s Properties allow you to configure settings related to terminal services.
Terminal Services Profile

The Profile Path allows you to configure a roaming or mandatory profile for the user.
The Terminal Services Home options allow you to specify a unique home directory for every user that logs on to the terminal server. If you configured a profile or home directory on the Profile tab of the user’s Properties and you want them to use the same settings when logged on to the terminal server, there’s no need to add them again on the Terminal Services Profile tab.
The most important option on this tab is the Allow logon to terminal server option. This option is enabled by default, and can be disabled to make an exception for this particular user. For example, if you add the global group Finance to the Remote Desktop Users local group on the terminal server, and you want to make an exception for user Joe who is a member of the Finance group, you can disable the option Allow logon to terminal server in Joe’s profile. If there are multiple terminal servers in the domain, Joe won’t be able to log on to any of them.
Environment

The settings on the Environment tab override the settings configured in the Remote Desktop Connection client software. The Starting program option allows you to specify a program that should be executed at logon, i.e. a login script. The Client devices settings allow you to control if local drives and printers are available in the terminal server session. Note that the Connect client drives at logon applies only to ICA clients. For users using the Remote Desktop Connection client you will need to configure the client software to map the local drives. This will be covered in more detail later on.
Remote Control

The Remote control tab settings dictate if, and how, an administrator can control a user’s terminal server session remotely. By default, remote control is enabled and requires the user’s permission. The level of control defaults to Interact with the session, which allows an administrator to join in on the user’s terminal server session to provide support. To remote control a session, the administrator must start a remote session with the terminal server, start the Terminal Services Manager admin tool, right-click the user’s session and select Remote Control.
Sessions

The Sessions tab allows you to configure session limits for terminal server sessions.
You can set three different limits for terminal server sessions:
- End a disconnected session – When a user disconnects from a terminal server session without logging off, the session including running programs will remain open on the server. This allows the user to reconnect, and find his remote desktop as he left it. In a large environment with many users, this can quickly lead to degrading performance on the server.
- Active session limit – This setting allows you to specify the limit for active sessions, during which a user is actively using the terminal server.
- Idle session limit – This setting allows you to specify the limit for idle sessions, during which there is no user activity on the terminal server.
The maximum settings are 49 days and 17 hours. You can configure the terminal server to disconnect or end sessions when the active or idle session limit is reached. If you choose to end sessions, the user may lose data in running programs. By default, a user can reconnect to a disconnected session from any client. If you select the option From originating client only in the Allow reconnection section, the user can reconnect to a disconnected session only from the computer from which the session was originally initiated.
All the settings above that are configured in Active Directory Users and Computers, can also be configured on a server level by using the Terminal Services Configuration snap-in on the terminal server to set the properties for the default RDP-Tcp connection. The following image shows the Sessions tab of the RDP-Tcp Properties. As you can see, it allows you to override user settings configured in the user’s properties. This is also the case for the other tabs discussed previously. Session limits are usually configured here, instead of on a per-user basis.
Remote Desktop Connection
If you are certain the server-side is configured correctly and is not the cause of the problem, you should check the Remote Desktop Connection client settings. Remote Desktop Connection is installed by default on Windows XP and Windows 2003 and can be found under All Programs|Accessories|Communications in the Start menu.

By default, it opens in a minimized form, quickly allowing access to a terminal server. A user can select <Browse for more…> from the drop-down list to browse the network for terminal servers, or type in the name of the server they want to connect.
When you click the Options button, an arsenal of settings becomes available. On the General tab, depicted below, you can configure the logon settings and save a connection and its settings to an .rdp file. This also allows administrators to create preconfigured connection files.
Other settings worth mentioning are the Local devices settings on the Local Resources tab. These settings allow users to map local disks, printers and serial ports on the terminal server. For example, if the option Disk drives is enabled, the user will be able to access the client’s local disk drives from the terminal server session. This allows a user to use an application on the terminal server, but store the data on local disk drives.
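As an added example (not part of the original TechNotes), the following Python code audits a preconfigured .rdp connection file for the Local devices mappings described above and for a saved credential before the file is handed out to users. It assumes the plain-text `name:type:value` layout of .rdp files and the setting names `redirectdrives`, `redirectprinters`, `redirectcomports`, `password 51` and `full address`; the sample file, server name and hex blob are constructed.

```python
import codecs

# Local devices settings from the Local Resources tab, as .rdp setting names.
REDIRECT_KEYS = {
    "redirectdrives": "disk drives",
    "redirectprinters": "printers",
    "redirectcomports": "serial ports",
}


def decode_rdp(raw: bytes) -> str:
    """.rdp files are often saved as UTF-16 with a BOM; otherwise assume UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_rdp(raw: bytes) -> dict:
    """Parse 'name:type:value' lines into {name: value}; type 'i' becomes int."""
    settings = {}
    for line in decode_rdp(raw).splitlines():
        parts = line.strip().split(":", 2)  # the value may itself contain ':'
        if len(parts) != 3:
            continue  # blank or malformed line
        name, kind, value = parts[0].lower(), parts[1].lower(), parts[2]
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue  # integer setting with a non-numeric value
        settings[name] = value
    return settings


def audit_rdp(raw: bytes) -> list:
    """Return findings for device mappings and saved credentials."""
    settings = parse_rdp(raw)
    findings = []
    for key, label in REDIRECT_KEYS.items():
        if settings.get(key) == 1:
            findings.append(f"{key}: client {label} mapped into the session")
    if settings.get("password 51"):
        findings.append("password 51: saved credential embedded in the file")
    if not settings.get("full address"):
        findings.append("full address: no target server set")
    return findings


# Constructed sample file (not a real connection); encoded as UTF-16 with BOM.
SAMPLE_RDP = "\r\n".join([
    "screen mode id:i:2",
    "full address:s:ts01.example.test:3389",
    "username:s:EXAMPLE\\joe",
    "redirectdrives:i:1",
    "redirectprinters:i:1",
    "redirectcomports:i:0",
    "password 51:b:00AA11BB22CC",  # constructed placeholder blob
]).encode("utf-16")

if __name__ == "__main__":
    for finding in audit_rdp(SAMPLE_RDP):
        print(finding)
```

A file that reports no findings still depends on the server side: the Client devices settings on the Environment tab and on the RDP-Tcp connection override what the client file requests.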
Remote Desktop Connection and Remote Assistance rely on the Terminal Services service and the Remote Desktop Protocol (RDP). When the terminal server is protected by a firewall, the port for RDP (3389) must be open to allow a successful connection.
QUESTION 1
You work as the network administrator at Certkiller.com. The Certkiller.com
network consists of a single Active Directory domain named Certkiller.com. All
servers on the Certkiller.com network run Windows Server 2003 and all client
computers run Windows XP Professional.
The Certkiller.com written security policy requires that all servers have the latest
available security updates installed. A server named Certkiller-SR07 has
Software Update Services (SUS) installed. You plan to deploy several new file
servers on the network. You need to enforce the written security policy for all new
file servers. Each new file server has two local user accounts. The administrator
account for each new file server is renamed.
You must make certain that none of the new file servers have any unnecessary
services enabled. You must also ensure that each file server has the latest available
security updates installed. You want to use the least amount of administrative effort
to determine whether any servers have missing security updates. You also want to
reduce the amount of bandwidth by scanning for only the required information on
each server.
What should you do?
A. Use Microsoft Baseline Security Analyzer (MBSA) on your client computer.
Scan each new file server for missing updates.
B. Use Security Configuration and Analysis on your client computer.
Scan each new file server’s security settings.
C. Use Security Configuration and Analysis on each new file server to scan for missing
updates.
D. Use Certkiller-SR07 to download all missing security updates on file servers.
Answer: A
Explanation: You should use the Microsoft Baseline Security Analyzer (MBSA) to
check for and scan computers for security weaknesses, Windows vulnerabilities, and
missing security updates. MBSA can be downloaded from the Microsoft website,
and then used to scan for common security errors on a single computer or multiple
computers. When MBSA is run from the GUI, it places reports in the SecurityScans
folder of the user profile that creates the reports. You can also use MBSA from the
command-line to determine whether all the necessary security updates and service
packs have been installed on the computer.
Incorrect Answers
B, C: The Security Configuration and Analysis tool is used to scan a specific computer’s
security configuration against a reference computer’s security configuration. You need to
ensure that the new file servers have the latest available security updates installed, and
need to scan for missing updates.
D: Certkiller-SR07 can be used to deploy security updates for clients. You, however,
need to determine whether the file servers have missing security updates.
QUESTION 2
You work as the network administrator at CertKiller.com. The CertKiller.com
network consists of a single Active Directory domain named Certkiller.com. All
servers on the CertKiller.com network run Windows Server 2003 and all client
computers run Windows XP Professional.
A server named Certkiller-SR05 has Software Update Services (SUS) installed.
Client computers on the network use Certkiller-SR05 to download security
updates. While examining a few randomly selected client computers, you
discover that a few critical security updates have not been installed on any of
them. You decide to check whether any client computers have these specific security
updates installed, and find that none do.
You find, though, that several other security updates, which were downloaded from
Microsoft’s servers to Certkiller-SR05 last week, have been installed on the client
computers. You must determine why some security updates have been
installed on client computers while others have not.
What should you do? (Each correct answer presents part of the solution. Choose
TWO.)
A. Reconfigure the client computers to download all updates from Certkiller-SR05.
B. Examine the content in the synchronization log on Certkiller-SR05.
C. Examine the content in the approval log on Certkiller-SR05.
D. Run the Microsoft Baseline Analyzer on Certkiller-SR05.
Answer: B, C
Explanation: The SUS server is responsible for synchronizing information on the
available updates, and then downloading the updates from Microsoft’s servers. You
have two issues on hand. One being that the missing updates might not have been
downloaded from Microsoft’s servers, and the other being that while they were
downloaded, they might not have been approved to be installed on the client computers.
All SUS servers have a synchronization log and an approval log. The synchronization log
contains information on downloaded updates, such as which update packages have been
downloaded or updated since the last synchronization was performed, which update
packages were synchronized, and when synchronization last occurred. The approval log
contains information on which updates have been approved and which have not been
approved for deployment to client computers.
Incorrect Answers
A: This is unnecessary. There are some updates that have been installed on client
computers.
D: Running the Microsoft Baseline Analyzer on Certkiller-SR05 would not work.
You need to find out why some updates were installed on client computers, and why
others were not. You do not need to determine whether all the necessary security updates
and service packs have been installed on Certkiller-SR05.
QUESTION 3
You work as the network administrator at Certkiller.com. The Certkiller.com
network consists of a single Active Directory domain named Certkiller.com. All
servers on the Certkiller.com network run Windows Server 2003 and all client
computers run Windows XP Professional.
You are planning to implement a new security and software update infrastructure
for Certkiller.com. A SUS server named Certkiller-SR18 will be deployed in the
network. Client computers will be configured to download security updates from
Certkiller-SR18.
One of your requirements is to identify security vulnerabilities on all Certkiller.com
client computers. You want to use a solution that will only scan client computers for
security patches that have been authorized and deployed from Certkiller-SR18.
You do not want to scan the client computers for unnecessary information. You
want the results of your scan to include a separate security report for each client
computer. You install Microsoft Baseline Analyzer (MBSA) on a Windows Server
2003 computer.
What should you do next?
A. On the computer that has MBSA installed, run the mbsacli.exe /sus command from a
command prompt to scan all client computers.
B. On the computer that has MBSA installed, run the mbsacli.exe /hf command from a
command prompt to scan all client computers.
C. Modify the mssecure.xml file so that it includes all approved updates.
Run MBSA to scan the client computers.
D. Modify the approvedsecurity.text file so that it includes all approved updates.
Run MBSA to scan the client computers.
Answer: A
Explanation:
You can use the MBSA from the command-line to check for missing security
updates and service packs. For computers running Internet Information Services
(IIS) or Microsoft SQL Server, MBSA can scan for a number of security
vulnerabilities. You, however, want MBSA to check client computers for security
updates that have been approved and implemented by your SUS server
(Certkiller-SR18); therefore, you should use the /sus switch with the SUS server
name to perform only this type of scan. After you install Microsoft Baseline
Analyzer (MBSA) on a Windows Server 2003 computer, you should run the
mbsacli.exe /sus command from a command prompt to scan all client computers. A
separate security report will be generated for each client computer that is scanned.
Incorrect Answers
B: If you want to run an HFNetChk scan to check for missing security updates, then
you would run the mbsacli.exe /hf command. This type of scan displays the results
in the command-line window.
C: The mssecure.xml file should be used if you want to check for all updates available
on the Windows Update site. This file cannot be modified.
D: The approvedsecurity.text file is non-existent in the MBSA folder.