Choosing Software and Hardware Tools
After you determine how much you want to manage remotely, the next step is to select the tools and supporting components you need to accomplish your remote management tasks. Figure 5.3 illustrates the place of this step in the process.
Figure 5.3: Choosing Software Tools and Hardware Components
As you select your tools, think about the tasks you want to perform remotely when you have network access — by using in-band connections — and those you want to perform remotely when you do not have network access — by using out-of-band connections. As you select tools, evaluate their potential impact on your environment and build any needed environmental adjustments into your remote management plan.
Selecting In-Band or Out-of-Band Tools
In-band management is always the method of choice for managing servers when you can access them through their standard connections. If a server is functional enough to respond through the standard connection, conventional in-band management tools can provide a much broader range of functionality — and possibly greater security — than you might achieve with out-of-band management.
Note | While the security of in-band management is highly dependent on the individual management tool, the security of out-of-band management is highly dependent on your out-of-band component configuration. For example, in a configuration that uses a remote serial connection, the security of the out-of-band management is dependent on the security built into the modem. For information about the security implications for different out-of-band configurations, see "Designing the Hardware Configuration" later in this chapter. |
Keep in mind that out-of-band management is a last resort when you cannot access the server in any other way. The goal of out-of-band management is always to bring a server back into service so that you can manage it with in-band tools.
Table 5.1 shows whether to use in-band or out-of-band tools for various types of tasks during various operating states. After you know whether to use an in-band tool or an out-of-band tool, you can select the most appropriate specific tool or component, as described later in this chapter, for the tasks you want to perform remotely.
Evaluating Tools for Environmental Impact
As you evaluate the software and hardware tools to use, consider the impact they might have on your network environment. For example, some tools present more security risks than others, and some increase network traffic more than others. Considerations such as these might influence your selection of one tool over another, or they might identify additional changes you need to make to your environment to mitigate the impact. The documentation provided with a remote management tool might contain information indicating its potential impact on your environment and any configuration changes needed for its use. For more information about configuring your environment for remote management, see "Configuring Your Infrastructure for Remote Management" later in this chapter.
As you develop your remote management plan, include the following lists:
Tasks you plan to perform remotely. The more comprehensive you make this list, the easier it will be to identify all the tools you need. A task can be broad in scope (for example, manage DHCP servers), or it can be narrow in scope (for example, change the static IP address on a server). This list should include not only in-band tasks but also any required out-of-band tasks, such as remotely installing the operating system or powering up the computer.
Tools for performing the tasks. Typically, you can use several different remote management tools to perform the same task. Include in your list all the tools that apply to each remote task you want to perform. In some cases, you do not need to use a specific tool to perform a remote administration task; rather, you simply need to change a configuration setting. If a task does not require a specific tool, note this in your remote administration plan. If your environment includes a mix of operating systems, you might need to look for tools that provide interoperability for some tasks. Make sure this list also includes any out-of-band tools or components you plan to obtain or install.
Network impacts to be addressed. Remote administration can have any of several impacts on your network: it can increase network traffic, decrease server performance, or create security vulnerabilities. You might need to reconfigure network, system, or security settings to mitigate or eliminate these impacts. Include in this list each potential impact and the specific steps you plan to take to address it.
Choosing In-Band Management Tools
Windows Server 2003 supports a wide variety of in-band remote management tools that you can use to manage servers. Use in-band tools when your Windows Server 2003-based server is functioning and accessible through your standard network connection.
Tools for remotely managing servers are available from many sources. Some of the tools are specific to a task, while others support a range of tasks. Some provide a command-line environment, while others provide a graphical user interface (GUI) environment. Some tools work best for managing a single computer at a time, while others support sessions with multiple computers.
In addition to the many tools built in to Windows Server 2003, management tools are available from the following sources:
Windows Support Tools, located in the Support\Tools folder on the Windows Server 2003 operating system CD, provide command-line tools for specific management tasks in a variety of areas such as performance, security, and deployment. For more information about Windows Support Tools, in Help and Support Center for Windows Server 2003, click Tools, and then click Windows Support Tools.
Resource Kit Tools provide a variety of command-line tools for specific tasks. For more information about Resource Kit Tools, click Tools on Help and Support Center for Windows Server 2003, and then click Windows Resource Kit Tools.
Third-party tools available from independent software vendors (ISVs) provide a wide variety of specific or general remote management capabilities.
This section describes major characteristics of some common remote management tools for servers. Some of these tools can also be used for performing management tasks through out-of-band connections. For in-depth information about the technical considerations and potential impacts of specific remote management tools, see the Server Management Guide of the Windows Server 2003 Resource Kit (or see the Server Management Guide on the Web at http://www.microsoft.com/reskit). For information about software distribution tools, see "Deploying a Managed Software Environment" in Designing a Managed Environment of this kit.
Table 5.2 summarizes the characteristics of common remote management tools.
Tool | Key Characteristics |
---|---|
Telnet | Command line; efficient and versatile; provides interoperability in mixed environments; in general, not secure |
Windows Management Instrumentation Command-line (WMIC) | Customized applications and command-line scripts for remote management |
Windows Script Host (WSH) | Customized scripts for remote management |
Microsoft Management Console (MMC) | Multiple sessions; variety of snap-ins for various administrative tasks |
Remote Desktop for Administration | GUI; multiple sessions; high resource usage |
Group Policy | Efficient way to manage a variety of settings for groups of servers |
Telnet
Telnet is a global, versatile tool that has minimal system resource and network bandwidth requirements and that provides interoperability with other operating systems. With Windows Server 2003 Telnet Server, any client that supports the Telnet protocol can connect to Windows-based systems. For example, a UNIX Telnet client can connect to a Windows-based server.
By using Telnet, you can establish a command console session on a remote computer and use it to run command-line programs and shell commands, interacting with the remote server as though you were logged on locally. Telnet can establish any number of connections and supports interactive scripts.
The Windows Server 2003 32-bit version of Telnet does not support secure logon, while the 64-bit version provides secure logon by using NTLM authentication. Some versions of Telnet provided with terminal concentrators also support secure logon. Telnet does not support encryption.
By using Telnet, you can perform out-of-band management tasks by establishing a network connection to a terminal concentrator that is connected to servers through their serial ports. For more information about terminal concentrators, see "Terminal Concentrators" later in this chapter.
Windows Management Instrumentation
Windows Management Instrumentation (WMI) is an infrastructure that enables you to access and modify standards-based information about objects — such as computers, applications, and network components — in your enterprise environment. Using WMI, you can create powerful administration applications to monitor and respond to specific events in your environment. For example, you can create applications to check CPU usage on your Windows Server 2003-based servers and notify you when it exceeds a specified level. Although WMI is a powerful tool for building customized applications, it does require a certain amount of developer time and expertise.
Windows Management Instrumentation Command-line (WMIC) provides a simplified interface to WMI. By using WMIC, you can access WMI-based information using the command line or scripts. You can use WMIC from any computer where WMIC is enabled to manage any remote computer. WMIC does not have to be available on the remote computer.
For technical information about developing applications using WMI and using WMIC, see the WMI SDK link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Windows Script Host
Windows Script Host (WSH) is a language-independent scripting infrastructure that allows you to write scripts for local or remote management tasks. You can use WSH to write scripts that include WMI, Active Directory directory service, and other application programming interface (API) calls. WSH typically is used for noninteractive scripts, such as logon and computer automation scripts.
Microsoft Management Console
Microsoft Management Console (MMC) is a framework for hosting tools, also known as snap-ins, that you can use to manage servers locally or remotely. With MMC, you can create consoles that include the tools you use most often.
Each MMC snap-in has unique advantages and disadvantages that make it suitable in some cases and unsuitable in others. For example, some are suitable for slow network connections and some transmit encrypted data. Before you use a snap-in to perform a remote management task, make sure that it is the best remote management tool for the task. For more information about using MMC snap-ins for remote management, see the Server Management Guide of the Windows Server 2003 Resource Kit (or see the Server Management Guide on the Web at http://www.microsoft.com/reskit).
Remote Desktop for Administration
Remote Desktop for Administration is an MMC snap-in that you can use to establish a remote console session on one or more servers and switch between sessions. By using Remote Desktop for Administration, you can log on to a remote server and use the server's desktop to perform administrative tasks, just as if you were logged on locally. Remote Desktop for Administration supports Kerberos authentication and built-in encryption.
Remote Desktop for Administration is a versatile remote management tool because it supports both GUI and command-line interfaces. Because Remote Desktop for Administration uses Remote Desktop Protocol (RDP), it efficiently transmits the user interface from the server to the client and keyboard sequences and mouse clicks from the client to the server. Nevertheless, this tool requires more memory and network bandwidth resources than many other tools.
Important | Remote Desktop for Administration is affected by the Internet Explorer Enhanced Security Configuration, which places your server and Microsoft Internet Explorer in a configuration that decreases the exposure of your server to attacks that can occur through Web content and application scripts. As a result, some Web sites might not display or perform as expected. For more information, see "Setting up Remote Desktop Web Connection" and "Internet Explorer Enhanced Security Configuration" in Help and Support Center for Windows Server 2003. |
Windows Server 2003 Administration Tools Pack
The Windows Server 2003 Administration Tools Pack includes several of the most common tools for remotely managing servers from a Microsoft Windows XP Professional-based computer with Service Pack 1. Many of the tools are MMC snap-ins. The tools pack is included on the 32-bit version of the Windows Server 2003 operating system CD, and the Windows Installer package — Adminpak.msi — is placed in C:\windows\system32\adminpak during the operating system installation. For 64-bit versions, use Remote Desktop for Administration instead.
For more detailed information about the tools pack, see "Windows Administration Tools Pack Overview" in Help and Support Center for Windows Server 2003. Help topics for the Administration Tools Pack are installed when you install the tools.
Note | You cannot install the Windows Server 2003 Administration Tools Pack on a server that is running a member of the Microsoft Windows 2000 Server or Windows Server 2003 family operating systems. The administrative tools already exist on all servers running these systems. You can install the tools pack only on a computer that is running Windows XP Professional with Service Pack 1. |
Group Policy
In an Active Directory environment, you can use Group Policy to control such things as permissions, application availability, and security for member servers, domain controllers, and any other server running Windows Server 2003 within the scope of management. You can use Group Policy to manage registry-based policy by using Administrative Templates and to assign scripts, such as for startup and shutdown. For more information about Group Policy, see the following:
"Designing a Group Policy Infrastructure" in Designing a Managed Environment of this kit.
The Distributed Services Guide of the Windows Server 2003 Resource Kit (or see the Distributed Services Guide on the Web at http://www.microsoft.com/reskit).
Choosing Out-of-Band Management Tools
If you cannot manage a server by using conventional in-band tools for some reason, an out-of-band connection is the only way to remotely manage it. If you configure your servers for headless operation and you cannot access them by using your in-band tools, an out-of-band connection is the only way to manage them.
To configure a server for out-of-band management, you need to consider software, firmware, and hardware. Emergency Management Services, which is included with Windows Server 2003, is the principal out-of-band component. With only Emergency Management Services and a serial port, you can manage most Windows Server 2003 operating states. When you combine Emergency Management Services with supporting firmware and hardware components, you can also perform tasks ranging from powering up computers to recovering unresponsive systems — everything, in fact, except for replacing and installing hardware.
The additional components you choose depend on which tasks you want to perform remotely, how much you are willing to spend for extra features, and how many servers you have to manage. The following tools and components work with Emergency Management Services to support out-of-band remote management:
Firmware — BIOS for x86-based computers or EFI for Itanium-based computers — that provides console redirection
Serial ports and modems
Terminal concentrators
Service processors
Intelligent UPSs or intelligent power switches
By selecting the optional components that best meet your remote management requirements, you can capitalize on the full range of out-of-band management capabilities supported by Emergency Management Services.
For more information about selecting hardware components, see "Best practices for selecting and configuring hardware" in Help and Support Center for Windows Server 2003.
Table 5.3 shows which out-of-band tools support various operating states and remote management tasks.
Operating State or Task | Type of Tool |
---|---|
Windows Server 2003 is starting | Emergency Management Services |
Server fails to fully initialize | Emergency Management Services |
Administrator needs to run Recovery Console | Emergency Management Services |
Server is not functioning due to stop message | Emergency Management Services |
System is low on resources, resulting in slow or no response to requests | Emergency Management Services |
Network stack has malfunctioned or failed | Emergency Management Services |
System is not responding on the network | Emergency Management Services |
System is not responding on the network or to Emergency Management Services | Service processor |
System is powered down | Wake-on-LAN network adapter[*], intelligent UPS, intelligent power switch, or service processor |
BIOS is conducting POST | Redirecting firmware or service processor |
Change firmware configuration settings | Redirecting firmware or service processor |
Operating system installation by using RIS | Emergency Management Services (see "Selecting the Installation Method" later in this chapter) |
[*] Wake-on-LAN is a combined hardware and software technology that allows you to remotely turn on Advanced Configuration and Power Interface (ACPI)-compliant computers. Several vendors provide Wake-on-LAN remote management solutions. Some vendors support this functionality across a local area network (LAN) or wide area network (WAN), while some support it over the Internet. For more information about Wake-on-LAN technology, use a Web search engine and search using the keyword "Wake-on-LAN."
Some trade-offs you might experience with out-of-band components include:
Limited maximum throughput.
No GUI support.
Optionally, additional hardware requirements.
Emergency Management Services
To manage a server from a remote computer when the server is not available on the network, you must enable Emergency Management Services. Emergency Management Services is a Windows Server 2003 service that runs on the managed server. This service is not enabled by default when you install the Windows Server 2003 operating system, but you can enable it during installation or at any later time.
Emergency Management Services features are available when the Windows Server 2003 loader or kernel is at least partially running. You can access all Emergency Management Services output by using terminal emulator software that supports VT100, VT100+, or VT-UTF8 protocols on the management computer, although VT-UTF8 is the preferred protocol. For more information about terminal emulator software and the supported protocols, see "Management Software for Out-of-Band Connections" later in this chapter. For more information about enabling, configuring, and using Emergency Management Services, see the Server Management Guide of the Windows Server 2003 Resource Kit (or see the Server Management Guide on the Web at http://www.microsoft.com/reskit).
When Emergency Management Services is enabled:
Console redirection automatically sends output to the out-of-band port for any supported operating state, as indicated in Table 5.4.
You can use SAC to issue supported commands or switch to the command shell (cmd.exe) whenever the kernel is running.
You can view logs during the GUI-mode phase of Setup.
!SAC automatically becomes available whenever a system failure occurs.
Table 5.4 shows when you can use Emergency Management Services features for remote management, with or without special out-of-band hardware.
Task | Feature |
---|---|
Selecting operating system during system load | Console redirection |
Running Recovery Console | Console redirection |
Viewing text mode setup messages | Console redirection |
Viewing GUI mode setup messages | SAC, including setup logs |
Viewing RIS loading messages | Console redirection |
Viewing Stop error messages | Console redirection |
Monitoring and managing with out-of-band connections | SAC |
Performing last-resort system recovery | !SAC |
Emergency Management Services Console Redirection
Emergency Management Services console redirection redirects the output from supported Windows Server 2003 functions to the out-of-band port. When Emergency Management Services is enabled, you can perform remote management through the out-of-band port, as shown in Table 5.5.
Managed Operating State | Example Tasks |
---|---|
Windows Server 2003 Loader | Select the operating system to load on x86-based multiple-boot systems. Verify the load of Windows Server 2003 components before in-band tools become available. |
Kernel at least partially functioning | Perform SAC commands, such as changing the priority of a process. Perform !SAC commands, such as viewing Stop messages when a system problem occurs. |
Recovery Console running | Troubleshoot startup problems. |
Text-mode Setup | View Windows Server 2003 Setup progress. Respond to text-mode Setup prompts. |
GUI-mode Setup | Perform SAC commands and monitor setup logs. |
RIS-based Setup | Respond to the F12 prompt to initiate RIS-based Setup. |
Note | You must have firmware redirection to view server information before the Windows Server 2003 operating system starts. |
Special Administration Console
When Emergency Management Services is enabled, SAC is always available through the specified out-of-band port, as long as the Windows Server 2003 kernel is running. You can use SAC at any time to carry out out-of-band management commands during the following system operating states:
Normal system operation
Windows Server 2003 components initialization
Safe mode
GUI-mode during Windows Server 2003 Setup
The SAC prompt appears when you connect to a server that is running Emergency Management Services. The SAC command-line environment supports a specific set of commands. For information about SAC commands, see "Special Administration Console (SAC) and SAC commands" in Help and Support Center for Windows Server 2003.
Using SAC, you can perform management tasks such as the following:
Gathering server information, such as computer name and IP address.
Changing a server's TCP/IP networking information to resolve issues caused by incorrect parameters or a duplicate IP address.
Obtaining a list of processes and threads running on the computer to determine if they are causing a system performance problem, if you cannot perform this task by using in-band tools.
Raising or lowering the priority of a process, or ending a process that is consuming excessive server processor resources or other system resources to eliminate performance issues.
Restarting or shutting down a server as part of an unplanned maintenance task, when the in-band mechanism fails.
Setting the system time and date, for example, for Kerberos authentication.
Starting a command shell and running text-based tools, and switching between the command prompt and SAC.
Viewing setup logs during GUI mode setup and switching between the setup logs and SAC.
!Special Administration Console
When Emergency Management Services is enabled and a system failure occurs, !SAC — an abbreviated form of SAC — automatically replaces SAC as the command-line environment. For information about !SAC commands, see "!Special Administration Console (!SAC) and !SAC commands" in Help and Support Center for Windows Server 2003.
Important | !SAC is not available if the debugger is running or the system is set to restart automatically when Stop errors occur. |
Using !SAC, you can perform tasks such as the following:
View redirected Stop messages.
Display computer identification information.
View an abbreviated log of loaded drivers and some kernel events.
Restart the computer.
Serial Ports
To perform out-of-band management, you need to establish a secure connection through a serial port, phone line, or an additional network connection. The serial port, also known as a COM port, is the most common out-of-band interface. It is the default out-of-band device for Emergency Management Services. You can provide remote access to an out-of-band serial port by using modems or terminal concentrators, as described later in this section.
To use the serial port as an out-of-band device with Emergency Management Services, it must meet the following requirements:
The serial port must be a standard 16450 or 16550 Universal Asynchronous Receiver/Transmitter (UART) device. Windows Server 2003 tests the device for compliance before using it with Emergency Management Services.
The serial port interface must be provided by hardware, not by a Windows driver.
If the system firmware is compatible with Emergency Management Services, the firmware and the serial port must be configured to use the same serial port settings.
A kernel debugger cannot share the same COM port. To avoid this problem, disable kernel debugging on servers with Emergency Management Services enabled. For more information about using kernel debuggers with Emergency Management Services, see the Server Management Guide of the Windows Server 2003 Resource Kit (or see the Server Management Guide on the Web at http://www.microsoft.com/reskit).
The serial port must be the only out-of-band management port. Emergency Management Services does not support one out-of-band port for outbound communication and a second port for inbound communication.
Direct serial connections provide no logical security and therefore must be secured physically. For more information about security considerations, see "Providing Security for Remote Management" later in this chapter.
Note | When you use Emergency Management Services with a serial port, use null modem cables that support the carrier detect signal. |
For Emergency Management Services technical details and information about configuring serial port settings, see the Server Management Guide of the Windows Server 2003 Resource Kit (or see the Server Management Guide on the Web at http://www.microsoft.com/reskit).
Modems
A modem can provide remote access to a single server through its out-of-band serial port. Modems can be useful when you have just a few servers to manage remotely, such as a branch office with one or two servers. For an example of this type of implementation, see "Designing the Hardware Configuration" later in this chapter.
Take the following considerations into account when selecting a modem to use for out-of-band remote management:
Security for modem connections is determined by the modem. The preferred security mechanism for modems is dial-back.
The modem must be configurable and must not rely on initialization. Emergency Management Services does not initialize the modem, so you must configure the modem to answer or dial back automatically and pass all serial data through unchanged. For information about configuring modems for callback, see "Configure client callback options" in Help and Support Center for Windows Server 2003.
Terminal Concentrators
Terminal concentrators provide remote access to multiple servers through their out-of-band serial ports. The servers connect to the serial ports on the terminal concentrator with null modem cables. The remote management computer establishes a network connection to the terminal concentrator by using its network port. Typically, you use Telnet or a Web interface to remotely perform management tasks on the servers connected to the terminal concentrator.
Terminal concentrators facilitate remote management of servers in the following ways:
You can manage servers using a serial connection without being within the distance of a serial cable length.
You can monitor and manage multiple servers simultaneously from a single management computer.
Several administrators can simultaneously view information for different servers.
Setup, configuration, and features for terminal concentrators vary by manufacturer. When choosing a terminal concentrator, assess the following features:
Number of available serial ports.
Built-in security features, such as use of passwords and encryption.
Power switch capabilities.
Number of available Ethernet ports, if important in your environment.
Some terminal concentrators support Secure Shell (SSH), which is a secure command-line alternative to Telnet. SSH is a protocol for establishing secure connections over networks. It provides logical security for the in-band connection from the management computer by supporting strong authentication and encryption and protecting against a variety of network-level attacks. Because SSH is independent of the operating system, it provides interoperability in environments with mixed operating systems. Several vendors provide Windows implementations of SSH clients and servers. Use a Web search engine and search using the keyword "SSH" to find a variety of SSH vendors, as well as frequently asked questions (FAQs) and other documentation.
You need to provide physical security for the serial connections from the servers to the terminal concentrator. Because the security features for terminal concentrators are not standardized, you might need to provide your own logical security for the in-band connection. If your terminal concentrator does not support authentication and encryption, consider using one of the following techniques to secure the connection:
Use a secondary private management network that you can access with direct-dial remote access or with a VPN connection.
Use a router to secure the network traffic.
Use SSH, if the terminal concentrator supports it, instead of Telnet to provide authentication and encryption.
Firmware Console Redirection
Console redirection provided by system firmware (either BIOS for x86-based computers or EFI for Itanium-based computers) provides out-of-band access to server information before the Windows Server 2003 operating system starts. Firmware console redirection works together with Emergency Management Services console redirection to provide out-of-band support for any operating state.
If your firmware does not provide console redirection — and you do not have a service processor that provides console redirection, as described later in this chapter — you cannot remotely manage servers during the time between system restart and the initial loading of the Windows Server 2003 operating system.
If you configure your servers for headless operation, you need to have either firmware console redirection or a service processor with console redirection so that you can access the servers when the Windows Server 2003 operating system is not functioning.
Note | Firmware console redirection typically redirects only during text mode, not during GUI mode. |
By using firmware console redirection, you can perform the following out-of-band tasks from a remote computer:
View server status before the operating system starts up. For example, you can view POST status or disk-related error messages. Firmware console redirection typically allows the POST to complete without a local keyboard, mouse, or monitor.
View and make modifications to firmware settings, such as disabling a peripheral device or changing boot sequence, with the built-in firmware configuration program.
View master boot record (MBR) errors.
Start a RIS-based setup by responding to the F12 network boot prompt. This support is required only if the F12 prompt is presented by the firmware.
Boot the computer from the CD drive by responding to the Press Any Key to Boot from CD prompt.
When assessing firmware console redirection for use in conjunction with Emergency Management Services, verify that the firmware meets the following criteria:
Shares the serial port with Emergency Management Services and releases control to Emergency Management Services after the Windows operating system starts.
Supports VT-UTF8, VT100+, or, at minimum, VT100 terminal emulator conventions. For more information, see "Management Software for Out-of-Band Connections" later in this chapter.
Preferably, supports the Serial Port Console Redirection (SPCR) table.
An SPCR table is provided with some ACPI-compliant system firmware for specifying how the out-of-band management port is used. For example, if the out-of-band port is a serial port, the SPCR table contains information such as serial port number, baud rate, terminal type, and other settings used for out-of-band communication. When this table exists, Emergency Management Services uses the information in it to ensure a consistent transition between firmware console redirection and Emergency Management Services console redirection. The SPCR table is recommended for use with both 32-bit and 64-bit versions of Windows Server 2003. For more information about the SPCR table and Emergency Management Services, see the Server Management Guide of the Windows Server 2003 Resource Kit (or see the Server Management Guide on the Web at http://www.microsoft.com/reskit).
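To make the SPCR contents concrete, the following added example (not from the Resource Kit or any firmware vendor) decodes a constructed 80-byte SPCR table, validates its ACPI checksum, and checks the terminal type against the firmware criteria listed above. It assumes the revision 1/2 table layout; the OEM identifiers and the COM1/IRQ 4 values in the sample are made up.

```python
import struct

# ACPI SPCR layout (assumption: revision 1/2, 80 bytes): a 36-byte ACPI header,
# then the serial port description. Value encodings follow the SPCR specification.
BAUD = {3: 9600, 4: 19200, 6: 57600, 7: 115200}
TERMINAL = {0: "VT100", 1: "VT100+", 2: "VT-UTF8", 3: "ANSI"}
INTERFACE = {0: "16550-compatible", 1: "16450-compatible"}
EMS_TERMINALS = ("VT-UTF8", "VT100+", "VT100")  # preferred first, VT100 at minimum

def acpi_checksum_ok(table: bytes) -> bool:
    # Every ACPI table sums to zero modulo 256, checksum byte included.
    return sum(table) % 256 == 0

def parse_spcr(table: bytes) -> dict:
    sig, length, rev = struct.unpack_from("<4sIB", table, 0)
    if sig != b"SPCR" or length != len(table) or not acpi_checksum_ok(table):
        raise ValueError("not a well-formed SPCR table")
    iface = table[36]
    _space, _width, _off, _access, addr = struct.unpack_from("<BBBBQ", table, 40)
    _int_type, irq, _gsi = struct.unpack_from("<BBI", table, 52)
    baud, parity, stop, flow, term = struct.unpack_from("<5B", table, 58)
    return {
        "revision": rev, "interface": INTERFACE.get(iface, f"unknown({iface})"),
        "base_address": addr, "irq": irq,
        "baud": BAUD.get(baud, f"unknown({baud})"),
        "parity": "none" if parity == 0 else f"unknown({parity})",
        "stop_bits": 1 if stop == 1 else f"unknown({stop})",
        "flow_control": {"dcd": bool(flow & 1), "rts_cts": bool(flow & 2),
                         "xon_xoff": bool(flow & 4)},
        "terminal": TERMINAL.get(term, f"unknown({term})"),
    }

def meets_ems_criteria(info: dict) -> bool:
    # The firmware criterion from the text: VT-UTF8, VT100+, or at minimum VT100.
    return info["terminal"] in EMS_TERMINALS

def build_sample_spcr(terminal: int = 2, baud: int = 7) -> bytes:
    # Constructed sample: COM1 at I/O port 0x3F8, IRQ 4, 8-N-1, no flow control,
    # not a PCI device (vendor/device ID 0xFFFF). OEM fields are made up.
    header = struct.pack("<4sIBB6s8sI4sI", b"SPCR", 80, 1, 0, b"EXAMPL",
                         b"SAMPLE01", 1, b"XMPL", 1)
    body = struct.pack("<B3xBBBBQBBIBBBBBBHHBBBIB4x",
                       0, 1, 8, 0, 1, 0x3F8,        # 16550, system I/O space, 0x3F8
                       1, 4, 0,                     # PC-AT IRQ 4, no GSI
                       baud, 0, 1, 0, terminal, 0,  # baud, no parity, 1 stop, no flow
                       0xFFFF, 0xFFFF, 0, 0, 0, 0, 0)
    table = bytearray(header + body)
    table[9] = (-sum(table)) % 256  # fix up the ACPI checksum byte
    return bytes(table)
```

The decoded settings are exactly what the terminal emulation software on the management computer must be configured to match.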
Service Processors
Service processors provide robust remote management support that is independent of the operating system. Because Emergency Management Services is available only when the loader or kernel is at least partially running, you might need such support when the system experiences severe problems that cause it to stop responding completely. Table 5.3, included earlier in this chapter, shows some of the operating states supported by service processors but not by Emergency Management Services. Consider a service processor if you need a high degree of reliability and availability for your servers or you decide to configure your servers for headless operation.
Typically, service processors are integrated into the system motherboard or into an add-in PCI adapter. Servers that have on-board service processors might offer higher out-of-band throughput by using higher-speed serial or Ethernet connections. Service processors operate independently from the main processor, use their own custom firmware, and sometimes include their own power supply. When you connect to a server through an out-of-band connection, you can communicate directly with the service processor.
Service processor features, client interfaces, and management tools vary by manufacturer. If you plan to use the service processor with Emergency Management Services, it is recommended that the service processor support these functions:
Console redirection
Remote power on and power off
Remote reset
Access to Emergency Management Services at all times
To be compatible with Emergency Management Services, make sure that the service processor also meets the following requirements:
If the service processor uses the serial port as its interface, it must share the serial port with Emergency Management Services and must release control to Emergency Management Services after the operating system has started.
The UART interface must be described in the SPCR table, or in the EFI console device path for the 64-bit versions of Windows Server 2003.
It supports VT-UTF8, VT100+, or, at minimum, VT100 terminal emulator conventions. For more information, see "Management Software for Out-of-Band Connections" later in this chapter.
Manufacturers offer a wide range of additional features. Evaluate the features and tools provided to ensure that they meet your needs. Additional features you might consider include:
Access to Emergency Management Services through hardware interfaces other than serial, such as modem or RJ-45 Ethernet. The type of connection determines the additional components you need and the security requirements for out-of-band access to your server. For more information about configuring components for a service processor, contact the manufacturer.
Console redirection of GUI screens.
Any of a variety of management and troubleshooting tools.
Client interfaces that range from simple Telnet consoles to complex Web browsers.
Intelligent UPSs and Intelligent Power Switches
An uninterruptible power supply (UPS) provides backup power to a server in the event of a power failure. Some UPS units, known as intelligent UPSs, and intelligent power switches can provide limited remote management capabilities such as powering up, powering down, and resetting a server.
If an intelligent UPS or intelligent power switch is integrated with terminal concentrator functionality, it can provide a pass-through serial connection between the management computer and the server running Windows Server 2003. In this case, the port on the management computer has a serial connection to an external serial port on the UPS or power switch, which in turn has a serial connection to the server.
The situation just described can provide a more economical solution than an internal service processor: You can access the intelligent UPS, firmware console redirection, and Emergency Management Services through the same communication channel if all these components use the same terminal conventions, such as VT-UTF8. When the components share the same terminal conventions, each component can consistently interpret escape sequences passed to it. For an example of this type of configuration, see "Designing the Hardware Configuration" later in this chapter.
If the intelligent UPS or intelligent power switch shares the same management channel with Emergency Management Services, the UPS or power switch must passively monitor the serial data stream and respond only when it detects VT-UTF8, VT100+, or VT100 escape sequences that apply to it.
For more information about using an intelligent UPS or intelligent power switch with Emergency Management Services, see the Server Management Guide of the Windows Server 2003 Resource Kit (or see the Server Management Guide on the Web at http://www.microsoft.com/reskit).
If you plan to use an intelligent UPS or intelligent power switch with Emergency Management Services, the server running Windows Server 2003 must be configured to start automatically when power is applied.
Tip | The firmware for your server might provide a configuration option for automatically starting the computer when power is applied. |
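The passive-monitoring requirement above is easy to get wrong: a power switch on a shared channel must forward every byte to the server, must never act on a sequence that belongs to the firmware or to Emergency Management Services, and must cope with a sequence that arrives split across two reads. The following added example (not from the Resource Kit or any UPS vendor) models such a tap; the private-mode command sequences it recognizes are hypothetical, since the text names none, and its escape-sequence grammar is a simplification of the VT100/VT100+ rules.

```python
ESC, CSI, SS3 = 0x1B, ord("["), ord("O")

class SharedChannelMonitor:
    """Passive tap on a management serial stream shared with firmware
    console redirection and Emergency Management Services. Every byte is
    forwarded unchanged; the tap acts only on complete sequences it owns."""
    # Hypothetical private-mode sequences for a power switch; real units
    # document their own, and the text does not specify any.
    COMMANDS = {b"\x1b[?901h": "power_on", b"\x1b[?902h": "power_off",
                b"\x1b[?903h": "reset"}

    def __init__(self) -> None:
        self.pending = bytearray()    # escape sequence split across reads
        self.forwarded = bytearray()  # exactly what the server receives
        self.actions = []             # commands the switch acted on

    def feed(self, data: bytes) -> list:
        """Consume bytes from the management side; returns newly triggered actions."""
        before = len(self.actions)
        for b in data:
            self.forwarded.append(b)  # pass through first, never swallow
            if self.pending:
                self.pending.append(b)
                if self._complete(self.pending):
                    action = self.COMMANDS.get(bytes(self.pending))
                    self.pending.clear()
                    if action:
                        self.actions.append(action)
            elif b == ESC:
                self.pending.append(b)
        return self.actions[before:]

    @staticmethod
    def _complete(seq: bytearray) -> bool:
        # CSI (ESC [) and SS3 (ESC O) sequences end at the first final byte in
        # 0x40..0x7E; any other byte after ESC ends the sequence (simplified).
        if len(seq) < 2:
            return False
        if seq[1] in (CSI, SS3):
            return len(seq) > 2 and 0x40 <= seq[-1] <= 0x7E
        return True

def replay(chunks) -> tuple:
    """Feed a list of reads through a fresh monitor; returns (actions, forwarded)."""
    monitor = SharedChannelMonitor()
    for chunk in chunks:
        monitor.feed(chunk)
    return monitor.actions, bytes(monitor.forwarded)
```

Anything the tap fails to forward, or acts on by mistake, shows up as corrupted console output or an unexpected power event on the server, so a test such as replaying captured sessions through it is worth keeping.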
Management Software for Out-of-Band Connections
Typically, you use terminal emulation software on the management computer to connect to and communicate with a server through an out-of-band connection. The two most common methods are the following:
Use Telnet — or a secure alternative such as SSH — to connect to a terminal concentrator through an in-band connection, which then connects to the server through an out-of-band connection.
Use HyperTerminal to connect directly to the server.
If you use a service processor, it might require specific software to work with it and to interact with Emergency Management Services. For example, manufacturers might provide a Web browser or custom software.
Make sure that the terminal emulation software you use supports serial port and terminal definition settings that are compatible with Emergency Management Services, as well as with your service processor or system firmware. If possible, use terminal emulation software that supports the VT-UTF8 protocol because VT-UTF8 support for Unicode provides for multilingual versions of Windows. If English is the only language you need to support, the VT100+ terminal definition is sufficient. At minimum, you can use the VT100 definition, but this terminal definition requires that you manually enter escape sequences for function keys and so forth. For more information about terminal definitions and what they support, see the Server Management Guide of the Windows Server 2003 Resource Kit (or see the Server Management Guide on the Web at http://www.microsoft.com/reskit). For more information about the VT-UTF8 terminal definition, see the Emergency Management Services Design link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
If your hardware and firmware use the same terminal definition settings that Emergency Management Services uses, you can always use the same escape sequences for managing computers, regardless of what is controlling the port — hardware, firmware, or Emergency Management Services. If you use different terminal types, the escape sequences you need to use vary depending on what is controlling the serial port, making it difficult to determine the appropriate sequence to send.
Examples: Selecting Remote Management Tools
After you define your remote management requirements, you can select the tools and components you need to perform remote management tasks. The following illustrations describe the tools for the business situations and remote management levels described in "Examples: Determining Remote Management Requirements" earlier in this chapter.
Minimal Remote Management
Because the branch office in this business situation has low availability requirements and has on-site support, this situation requires no special out-of-band support. Emergency Management Services together with the basic serial port can provide out-of-band management support for the few times when administrators need to perform remote out-of-band tasks. Although this organization decided to use existing hardware, the OEM can provide a BIOS upgrade that supports console redirection. Remote Desktop for Administration provides remote in-band support in this situation.
For this branch office, administrators can perform tasks such as the following remotely:
All in-band tasks, such as monitoring, configuring, and troubleshooting when the operating system is responding over the network.
Monitoring operating system startup.
Troubleshooting when the operating system is low on resources, such as when CPU usage is excessively high.
Running Recovery Console.
Monitoring firmware initialization and configuring firmware settings.
Administrators must perform the following types of tasks locally:
Powering up and powering down.
Resetting.
Viewing POST status.
Troubleshooting when the operating system is unresponsive.
For an illustration of out-of-band hardware configuration for this example, see "Configuring for Direct Serial Connection" later in this chapter.
Moderate Remote Management
Because the data center in this business situation has many high-availability servers, the organization does not want to incur the costs of upgrading to new computers to obtain out-of-band management support. The BIOS for some of the existing servers can be upgraded to provide console redirection; for other servers, such an upgrade is not available. Emergency Management Services together with a serial port provides out-of-band support when the Windows Server 2003 operating system is functioning.
This data center is configured with terminal concentrators to consolidate access to many servers by using a single in-band network connection. These terminal concentrators have SSH built in to provide authenticated and encrypted remote console sessions. They also have a built-in intelligent UPS for power backup and remote power functionality.
In this data center, administrators can perform tasks such as the following remotely:
All in-band tasks, such as monitoring, configuring, and troubleshooting when the operating system is responding over the network.
Monitoring operating system startup.
Troubleshooting when the operating system is not responding over the network, such as when CPU usage is excessively high.
Running Recovery Console.
Administrators must perform the following tasks locally:
For servers without firmware console redirection, viewing POST results.
For servers without firmware console redirection, monitoring firmware initialization and configuring firmware settings.
Troubleshooting when the operating system is not responding to Emergency Management Services or the network.
For an example out-of-band hardware configuration for this business situation, see "Configuring for Terminal Concentrator Connections" later in this chapter.
Maximum Remote Management
In this business situation, the headless servers support Emergency Management Services and include firmware console redirection and built-in service processors. The servers are configured with a terminal concentrator that has built-in intelligent UPS functionality and built-in SSH for secure communications.
Administrators perform all tasks — except hardware replacement — remotely. The Windows Server 2003 operating system is also installed remotely by using RIS.
For possible out-of-band hardware configurations that are appropriate for this business situation, see "Configuring for Intelligent UPS and Terminal Concentrator" and "Configuring for Network Service Processor" later in this chapter.