Chapter 7: Operating Your Windows Server 2003 Environment

On This Page

Introduction and Goals Introduction and Goals
Managing Windows Server 2003 Managing Windows Server 2003
Auditing the Environment Auditing the Environment
Keeping up with Service Packs and Updates Keeping up with Service Packs and Updates
Maintaining Windows Server 2003 Maintaining Windows Server 2003

Introduction and Goals

This section addresses the need to operate a Windows Server 2003 environment after the migration project has been completed. Much of the detailed guidance can be found in existing documentation (see Windows Server 2003 Operations Reference to specific sources are made throughout this section. The guidance provided in this chapter supplements this documentation and addresses the areas of Windows Server 2003 Management and Maintenance.

Managing Windows Server 2003

Windows Server 2003 systems are now the heart of your IT infrastructure. These servers need to be managed and maintained to keep the business running optimally. Server management and maintenance help maximize your organization’s investment in infrastructure and productivity.

Server management entails many different tasks. They include, but are not limited to, administering and supervising servers based on functional roles, proactively monitoring the network environment, keeping track of activity, and implementing solid change control practices. These management functions for Windows Server 2003 can be performed both locally and remotely.

As systems' workloads, capacities, and usage change in the environment, the systems need to be maintained so that they operate as efficiently as possible. Without such maintenance, systems become more likely to cause slower response times and decreased reliability. Periodic system maintenance will help avoid any inefficiency. This section covers best practices on ways to maintain and manage your Windows Server 2003 environment.

Managing Based on Server Roles

Windows Server 2003 systems can participate in various responsibilities in a given network environment. Some of these responsibilities may be intertwined because of budget constraints, business requirements, or technical justifications. No matter how the roles and responsibilities are defined in the environment, it is important to manage them appropriately based on the roles of the server. The management aspects for some of the roles that Windows Server 2003 can undertake are defined as follows:

  • File Servers. File servers are primarily responsible for keeping data. This data must be available and quickly accessed. As such, management of these servers entails using the Disk Defragmenter utility to keep file access optimized. This helps keep reading and writing to disk more efficient than if files and the disk were fragmented. Disk capacity must also be managed so that there is always ample space available for additional data. Disk Quota management can also be an integral part of file server management. Disk quotas are used to control the amount of disk space that is available to the end users. When a disk quota is set, a specified amount of space on a volume can be set aside for a user or a group. Warning messages can be sent as the quota approaches the limit.

  • Print Servers. Managing print servers is an important but often overlooked aspect of managing Windows Server 2003, because printers on Windows Server 2003 are simple to manage. Although there is less management required for a print server, printing should still be audited and monitored.

  • Web Servers. Windows Server 2003 Web Servers offer an assortment of Internet-related functionalities, such as HTTP, FTP, SMTP, and more. Each of the services employed on the server must be managed to keep content and services up to date.

  • Domain Controllers. Domain controllers host Active Directory, which contains most, if not all, objects in the Windows Server 2003 environment. Active Directory has many functional roles in a Windows Server 2003 environment, including object management (additions, modifications, or deletions), authentication, replication, security, and more. Managing these Active Directory roles can be intimidating, especially in larger environments, but Active Directory has many useful tools to help manage the directory. They include, but are not limited to, Active Directory Domains and Trusts, Active Directory Sites and Services, and Active Directory Users and Computers.

Auditing the Environment

Auditing is a way to gather and keep track of activity on the network, devices, and entire systems. By default, Windows Server 2003 enables some auditing, whereas many other auditing functions must be manually turned on. This allows you to easily customize the features to be monitored.

Auditing is typically used for identifying security breaches or suspicious activity. However, auditing is also important to gain insight into how the network, network devices, and systems are accessed. As it pertains to Windows Server 2003, auditing can be used to monitor successful and unsuccessful events on the system. The auditing policies in Windows Server 2003 must first be enabled before activity can be monitored.

Auditing Policies

Auditing policies are the basis for auditing events on a Windows Server 2003 system. Depending on the policies set, auditing may require a substantial amount of server resources in addition to those resources supporting the server's functionality. Otherwise, auditing could potentially slow server performance. Also, collecting lots of information is only as useful as the evaluation of the audit logs. In other words, if a lot of information is captured and a significant amount of effort is required to evaluate those audit logs, the whole outcome of auditing is not as effective. As a result, it's important to take the time to properly plan how the system will be audited. This allows the administrator to determine what needs to be audited, and why, without creating an abundance of overhead.

Audit policies can track successful or unsuccessful event activity in a Windows Server 2003 environment. The types of events that can be monitored include:

  • Account logon events. Each time a user attempts to log on, the successful or unsuccessful event can be recorded. Failed logon attempts can include logon failures for unknown user accounts, time restriction violations, expired user accounts, insufficient rights for the user to log on locally, expired account passwords, and locked-out accounts.

  • Account management. When an account is changed, an event can be logged and later examined.

  • Directory service access. Any time a user attempts to access an Active Directory object that has its own system access control list (SACL), the event is logged.

  • Logon events. Logons over the network or by services are logged.

  • Object access. The object access policy logs an event when a user attempts to access a resource (for example, a printer or shared folder).

  • Policy change. Each time an attempt to change a policy (user rights, account audit policies, trust policies) is made, the event is recorded.

  • Privileged use. Privileged use is a security setting and can include a user employing a user right, changing the system time, and more. Successful or unsuccessful attempts can be logged.

  • Process tracking. An event can be logged for each program or process that a user launches while accessing a system. This information can be very detailed and take a significant amount of resources.

  • System events. The system events policy logs specific system events, such as a computer restart or shutdown.

The audit policies can be enabled or disabled through the local system policy, domain controller security policy, or Group Policy objects. Audit policies are located within the Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy folder.

Using Microsoft Operations Manager to Simplify Management

Microsoft Operations Manager (MOM) is an enterprise-class monitoring and management solution for Windows environments. It is designed to simplify Windows management by consolidating events, performance data, alerts, and more into a centralized repository. Reports on this information can then be tailored depending on the environment and on the level of detail that is needed and extrapolated. This information can assist administrators and decision makers in proactively addressing Windows Server 2003 operation and any problems that exist or may occur. For more information on Microsoft Operations Manager, see Microsoft Operations Manager 2005 (

Keeping up with Service Packs and Updates

Service packs and updates for both the operating system and applications are vital parts of maintaining availability, reliability, performance, and security. Microsoft packages these updates into service packs or individually. There are several ways an administrator can update a system with the latest service pack or update: CD-ROM, manually entered commands, Windows Update, or Microsoft Software Update Server (SUS).

Note: Thoroughly test and evaluate service packs and updates in a lab environment before installing them on production servers and client computers. Also, install the appropriate service packs and updates on each production server and client computer to keep all systems consistent.

Windows Update

Windows Update is a Web site that scans a local system and determines whether there are updates to apply to that system. Windows Update is a great way to update individual systems, but this method is sufficient for only a small number of systems. If administrators chose this method to update an entire organization, there would be an unnecessary amount of administration.

Software Update Services

Realizing the increased administration and management efforts administrators must face when using Windows Update to keep up with service packs and updates for anything other than small environments, Microsoft has created the Software Update Services (SUS) client and server versions to minimize administration, management, and maintenance of mid- to large-sized organizations. SUS communicates directly and securely with Microsoft to gather the latest service packs and updates.

The service packs and updates downloaded onto SUS can then be distributed to either a lab server for testing (recommended) or to a production server for distribution. After these updates are tested, SUS can automatically update systems inside the network.

Maintaining Windows Server 2003

The processes and procedures for maintaining Windows Server 2003 systems can be separated based on the appropriate time to maintain a particular aspect of Windows Server 2003. Some maintenance procedures require daily attention, whereas others may require only yearly checkups. The maintenance processes and procedures that an organization follows depend strictly on the organization; however, the categories described in the following sections and their corresponding procedures are best practices for organizations of all sizes and varying IT infrastructures.

Daily Maintenance

Certain maintenance procedures require more attention than others. The procedures that require the most attention are categorized as daily procedures. Therefore, it is recommended that an administrator take on these procedures each day to ensure system reliability, availability, performance, and security. There are three components to daily maintenance:

  • Verifying that Backups are Successful. To provide a more secureand fault-tolerant organization, it is imperative that a successful backup to tape be performed each night. In the event of a server failure, the administrator may be required to perform a restore from tape. Without a backup each night, the IT organization will be forced to rely on rebuilding the server without the data. Therefore, the administrator should always back up servers so that the IT organization can restore them with minimum downtime in the event of a disaster. Because of the importance of the tape backups, the first priority of the administrator each day needs to be verifying and maintaining the backup sets.

    Although the Windows Server 2003 backup program does not offer alerting mechanisms to bring attention to unsuccessful backups, many third-party programs do. In addition, many of these third-party backup programs can send e-mail messages or pages reporting if backups are successful or unsuccessful.

  • Checking Overall Server Functionality. Although checking the overall server health and functionality may seem redundant or elementary, this procedure is critical to keeping the system environment running smoothly and users working productively. Some questions that should be addressed during the checking and verification process are the following:

    • Can users access data on file servers?

    • Are printers printing properly? Are there long queues for certain printers?

    • Is there an exceptionally long wait to log on (that is, longer than usual)?

    • Can users access messaging systems?

    • Can users access external resources?

  • Monitoring the Event Viewer. The Event Viewer is used to check the System, Security, Application, and other logs on a local or remote system. These logs are an invaluable source of information regarding the system. The following event logs are present for Windows Server 2003 systems:

    • Security log. The Security log captures all security-related events that are being audited on a system. Auditing is turned on by default to record the success and failure of security events.

    • Application log. Specific application information is stored in the Application log. This information includes services and any applications that are running on the server.

    • System log. Windows Server 2003–specific information is stored in the System log.

    Domain controllers also have these additional logs:

    • File Replication Service.  Any events relating to the File Replication Service are captured in this log.

    • Directory Service. Events regarding Active Directory, such as connection problems with a global catalog server or replication problems, are recorded here.

    • DNS Server. Anything having to do with the DNS service is cataloged in the DNS Server log.

Weekly Maintenance

Maintenance procedures that require slightly less attention than daily checking are categorized as weekly procedures:

  • Checking Disk Space. Disk space is a precious commodity. Although the disk capacity of a Windows Server 2003 system can be virtually endless, the amount of free space on all drives should be checked daily. Serious problems can occur if there isn't enough disk space. To prevent problems from occurring, administrators should keep the amount of free space to at least 25 percent. This should be verified through manual methods, or with the assistance of automated alerting software such as Microsoft Operations Manager (MOM) 2005.

  • Verifying Hardware. Hardware components supported by Windows Server 2003 are reliable, but this doesn't mean that they'll always run continuously without failure. Hardware availability is measured in terms of mean time between failures (MTBF) and mean time to repair (MTTR). This includes downtime for both planned and unplanned events. These measurements provided by the manufacturer are good guidelines to follow; however, mechanical parts are bound to fail at one time or another. As a result, hardware should be monitored weekly to ensure efficient operation.

  • Checking Archive Event Logs. The three event logs on all servers and the three extra logs on a domain controller can be archived manually or a script can be written to automate the task. You should archive the event logs to a central location for ease of management and retrieval. The specific amount of time to keep archived log files varies on a per-organization basis. For example, banks or other high-security organizations may be required to keep event logs up to a few years. As a best practice, organizations should keep event logs for at least three months.

  • Running Disk Defragmenter. Whenever files are created, deleted, or modified, Windows Server 2003 assigns a group of clusters depending on the size of the file. As file size requirements fluctuate over time, so does the number of groups of clusters assigned to the file. Even though this process is efficient when using NTFS, the files and volumes become fragmented because the file doesn't reside in a contiguous location on the disk. To minimize the amount of fragmentation and give performance a boost, the administrator should use Disk Defragmenter to defragment all volumes. Disk defragmentation can be manually performed or automated with the use of third-party tools or scripts that run on a designated basis.

  • Running the Domain Controller Diagnostic Utility. The Domain Controller Diagnostic (DCDiag) utility provided in the Windows Server 2003 Support Tools is used to analyze the state of a domain controller. It runs a series of tests, analyzes the state of the DC, and verifies different areas of the system, such as connectivity, replication, topology integrity, security descriptors, netlogon rights, intersite health, roles, and trust verification. The DCDiag utility should be run on each DC on a weekly basis or as problems arise. For more information on the DCDiag utility, see DcDiag.exe: Domain Controller Diagnostic Tool (

Monthly Maintenance

It is recommended that you perform the tasks outlined in the section on a monthly basis.

  • Maintaining File System Integrity. CHKDSK scans for file system integrity and can check for lost clusters, cross-linked files, and more. If Windows Server 2003 senses a problem, it will run CHKDSK automatically at startup. Administrators can maintain FAT, FAT32, and NTFS file system integrity by running CHKDSK once a month or during regular server maintenance cycles. For more information on the CHKDSK utility, see Chkdsk (

  • Testing the UPS. An uninterruptible power supply (UPS) should be used to protect the system or group of systems from power failures (such as spikes and surges) and keep the system running long enough after a power outage so that an administrator can gracefully shut down the system. It is recommended that an administrator follow the UPS guidelines provided by the manufacturer at least once a month. Also, monthly scheduled battery tests should be performed. Many third-party UPS products automate this type of functionality, or you can develop scripts to run this as well.

  • Validating Backups. Once a month, an administrator should validate backups by restoring the backups to a server located in a lab environment. This is in addition to verifying that backups were successful from log files or the backup program's management interface. A restore gives the administrator the opportunity to verify the backups and to practice the restore procedures that would be used when recovering the server during a real disaster. In addition, this procedure tests the state of the backup media to ensure that they are in working order and builds administrator confidence for recovering from a true disaster.

  • Updating Automated System Recovery Sets. Automated System Recovery (ASR) is a recovery tool that should be implemented in all Windows Server 2003 environments. It backs up the system state data, system services, and all volumes containing Windows Server 2003 system components. ASR replaces the Emergency Repair Disks (ERDs) used to recover systems in earlier versions of Windows Server.

    After building a server and any time a major system change occurs, the ASR sets (that is, the backup and floppy disk) should be updated. Another best practice is to update ASR sets at least once a month. This keeps content in the ASR sets consistent with the current state of the system. Otherwise, valuable system configuration information may be lost if a system experiences a problem or failure.

    For more information on ASR, see How ASR Works (

  • Updating Documentation. An integral part of managing and maintaining any IT environment is to document the network infrastructure and procedures. For assistance in updating documentation see the Job Aid, Worksheet A.12 Updating Network Documentation" in the Windows Server 2003 Deployment Kit (

Quarterly Maintenance

As the name implies, quarterly maintenance is performed four times a year. Areas to maintain and manage on a quarterly basis are typically self-sufficient and self-sustaining. Infrequent maintenance is required to keep the system healthy. This doesn't mean, however, that the tasks are simple or that they aren't as critical as those tasks that require more frequent maintenance.

  • Checking Storage Limits. Storage capacity on all volumes should be checked to ensure that all volumes have ample free space. Keep approximately 25 percent free space on all volumes.

  • Changing Administrator Passwords. Administrator passwords should, at a minimum, be changed every quarter (90 days). Changing these passwords strengthens security measures so that systems can't easily be compromised. In addition to changing passwords, other password requirements such as password age, history, length, and strength should be reviewed.

  • Maintaining the Active Directory Database. Active Directory is the heart of the Windows Server 2003 environment. Objects such as users, groups, OUs, and more can be added, modified, or deleted from the Active Directory database. This interaction with the database can cause fragmentation. Windows Server 2003 performs online defragmentation nightly to reclaim space in the Active Directory database; however, the database size doesn't shrink unless offline defragmentation is performed. Offline defragmentation of the Active Directory database can only be accomplished by taking the domain controller offline, restarting into Directory Services Restore Mode, and running defragmentation tools against the NTDS.DIT database file.