Windows 7 / Getting Started

Server Manager Configuration Page

The Configuration page in Server Manager is somewhat misleading. This is not the page from which you would configure the server. The Configuration node in Server Manager is simply a container for the following four snap-ins:

  • Task Scheduler
  • Windows Firewall with Advanced Security
  • Services
  • WMI Control

These snap-ins allow the administrator to control some elements of the server configuration and are covered in the next four sections.

Task Scheduler

One of the greatly expanded features of Windows 2008 is the Task Scheduler. In previous versions of Windows, this was an anemic service with limited options and auditing features. The Task Scheduler features in Windows 2008 have been expanded into a more sophisticated tool. The scheduler can start based on a variety of triggers, can take a number of predefined actions, and can even be mitigated by conditions and the settings.

Appropriately, there are new elements to the Task Scheduler:

  • Triggers: Tasks run when the trigger criteria are met. This could be a scheduled time, logon, startup, idle, log event, user session connect or disconnect, or workstation lock or unlock. These various triggers give the administrator a wide range of options on when to start a task.
  • Actions: The actions are the work that the task will perform. This can be executing a program, sending an email via SMTP, or displaying a message on the desktop.
  • Conditions: Conditions allow the task trigger criteria to be filtered. Conditions include if the computer is idle, on battery power, or connected to a network. This allows administrators to prevent tasks from running if the computer is busy, on battery, or disconnected from the network.
  • Settings: The settings control how a task can be executed, stopped, or deleted. In the settings of a task, the administrator can control if the task can be launched manually, if it runs after a missed schedule start, if it needs to restart after a failure, if it needs to run multiple tasks in parallel, or to delete it if it is not set to run in the future.

Another big improvement is the Task Scheduler Library, which includes approximately 20 different predefined tasks. These tasks include the following:

  • ScheduledDefrag: This task runs every week and uses the command defrag.exe -c -i -g to defragment all the volumes on the server. This is a major improvement of previous versions of Windows, which required this command to be run manually. However, the trigger for this task is disabled by default, so it will not run as shipped.
  • ServerManager: This task runs at user logon and runs the ServerManagerLauncher to launch the Server Manager console whenever a user logs on.

Both these tasks demonstrate the capabilities of the Task Scheduler to automate routine tasks or to ensure that certain tasks run at logon.

The Task Scheduler has a new feature that goes hand in hand with the library, namely the ability to create folders to store the tasks. This helps organize the tasks that are created. The scheduler includes a Microsoft folder for the tasks that ship with the operating system. Administrators can create other folders to organize and store their tasks.

Selecting the Task Scheduler folder in the System Manager configuration shows the Task Scheduler Summary. This window has two sections, Task Scheduler and Active Tasks. The Task Scheduler section shows the status of tasks within a time frame, by default the last 24 hours. The time frame can be set to the last hour, last 24 hours, last 7 days, or last 30 days. For each task that has run within the time frame, it shows the Task Name, Run Result, Run Start, and Run End. The section also summarizes the task status 51 total tasks have run with 1 running and 50 succeeded.

The Active Tasks name is somewhat misleading because it shows tasks that are enabled and their triggers. It does not show tasks that are running. For the scheduled tasks, it shows the Next Run Time. This section is very useful for seeing which tasks will run on a given server in response to a trigger, either a schedule or an event. If the task does not appear in this section, it will only be run if executed manually.

A quick review of the Active Tasks shows that the ScheduledDefrag task is not in the list. This is because the trigger for the task is disabled by default, so the task will not run and so does not show in the Active Tasks list.

To enable the ScheduledDefrag task, execute the following steps:

  1. Open the Server Manager console.
  2. Expand the Configuration folder.
  3. Expand the Task Scheduler folder.
  4. Expand the Task Scheduler Library folder.
  5. Expand the Microsoft, Windows folder and select the Defrag folder.
  6. Select the ScheduledDefrag task and select Action, Properties.
  7. Select the Triggers tab.
  8. Select the Weekly trigger and click the Edit button.
  9. At the bottom of the Edit Trigger window, check the Enabled box.
  10. Click OK.
  11. Click OK to close the Properties of the task.

Going back to the Task Scheduler Summary window, you will now find the ScheduledDefrag task listed with a Next Run Time of the following Wednesday at 1:00 a.m.

Windows Firewall with Advanced Security

The Windows Firewall with Advanced Security feature provides access to the combined Windows Firewall and Connection Security features of Windows 2008. These technologies work in tandem to provide protection from network-based attacks to the server. The firewall rules determine what network traffic is allowed or blocked to the server. The connection security rules determine how the allowed traffic is secured.

The Windows Firewall with Advanced Security folder shows a summary of which profile is active (Domain, Private, or Public), the profile's high-level configuration, and links to the other components of the snap-in.

The other components of the Windows Firewall with Advanced Security snap-in are for configuration and monitoring the features. These components are as follows:

  • Inbound rules
  • Outbound rules
  • Connection Security rules
  • Monitoring

The inbound and outbound rules control what traffic is allowed in to and out of the server. There are several hundred rules governing what traffic is allowed. These are organized into profiles for ease of application. Table-2 shows these profiles.

TABLE-2 Firewall Profiles 
Profile 		Description
Domain Profile		Applied when the server is connected to
                        its Active Directory domain
Private Profile		Applied when the server is connected to 
                        a private network but not to the Active 
                        Directory domain
Public Profile 		Applied when the server is connected to
                        a public network

Clearly, the vast majority of services will have the Domain Profile active, as they will likely be on a network with Active Directory. Each of the profiles has a set of rules associated with it. In addition, a number of rules apply to all profiles, which are designated as "Any." Some of the rules are disabled by default.

Connection Security rules are stored in the likewise named folder. The rules specify how the computers on either side of a permitted connection authenticate and secure the network traffic. This is essentially the IPSec policy from previous versions of Windows, albeit with a much improved interface. By default, there are no Connection Security rules created in Windows 2008. Rules can be created and reviewed in this portion of the snap-in.

The Monitoring folder is somewhat limited in scope. It has a Firewall folder and a Connection Security Rules folder. These two folders simply show what rules are active, but show no traffic details or if the rules have blocked or allowed anything. In effect, they show the net result of the profile that is active.

More useful in monitoring is the Security Associations folder. This folder lists the security associations with the local and remote IP addresses, authentication methods, encryption, integrity, and key exchange. You can see that the local address of the server is 172.16.1.101 and the other server is 172.16.1.100. The computers are authenticating using Kerberos and the user is also authenticating at the connection level using Kerberos. Finally, the network traffic confidentiality is protected with the AES- 128 encryption algorithm and the network traffic is protected from modification by the SHA-1 integrity algorithm. There are multiple security associations listed, reflecting various connections that have been established between the two servers.

Services

The Services snap-in in the Configuration container in Server Manager is essentially unchanged from the previous version of Windows. All the services are listed, along with their status, startup type, and logon credentials.

From the Services snap-in, administrators can control services on the server, including the following:

  • Start or stop the services.
  • Change the startup type to set the service to start automatically, be started manually, or even prevent the service from starting at all.
  • Change the account the service runs under.
  • Set up recovery actions if the service stops, such as restarting the service or even restarting the server.
  • View the configuration details of the service, such as what the executable is, what the service name is (which is shown in the Task Manager window), and what dependencies it has.

A new feature is the Automatic (Delayed Start) startup type. This is a setting used to reduce the crunch of services starting all at once during bootup of the server. All the services with the Automatic (Delayed Start) setting will be started after the services with the automatic setting. This allows all the services to come up automatically, but allows essential services to start first.

WMI Control

The last snap-in in the Configuration container of the Server Manager is the WMI Control tool. This is a new tool that allows administrators to maintain the Windows Management Instrumentation (WMI) configuration on the server. With this tool, an administrator can do the following:

  • Back up the WMI repository.
  • Change the default scripting namespace (root\cimv2).
  • Manage access to the WMI via the Security tab.

Before the introduction of the WMI Control tool, these tasks were difficult to accomplish. For example, to back up the WMI repository, perform these steps:

  1. Open the Server Manager console.
  2. Expand the Configuration folder.
  3. Select the WMI Control folder.
  4. Select the Action menu and then Properties.
  5. Select the Backup/Restore tab.
  6. Enter a filename with a full path. The file type will be a WMI Recovery File (.rec).
  7. Click Save to save the file.
  8. Click OK to exit the tool.

Interestingly, the tool is not an integrated snap-in, but rather a separate tool.

[Previous] [Contents] [Next]

In this tutorial:

  1. Windows Server 2008 Management and Maintenance
  2. Initial Configuration Tasks
  3. Managing Windows Server 2008 Roles and Features
  4. Server Manager
  5. Server Manager Diagnostics Page
  6. Server Manager Reliability and Performance Monitor
  7. Server Manager Configuration Page
  8. Server Manager Storage Page
  9. Auditing the Environment
  10. Auditing Resource Access
  11. Managing Windows Server 2008 Remotely
  12. Server Manager Command-Line Tool
  13. Using Common Practices for Securing and Managing Windows Server 2008
  14. Keeping Up with Service Packs and Updates
  15. Maintaining Windows Server 2008
  16. Running the Domain Controller Diagnosis Utility