
              Rules to Better Windows Servers - 10 Rules

              1. Do you use Group Policy to manage your Windows Update Policy?

                We all know it’s important to keep our servers updated. Unfortunately, by default Windows will automatically download and install all new Windows Updates on your servers. This means the servers will occasionally restart to install updates when you don’t want them to. You will also get annoying popups trying to get you to restart the computer.

                Note: This rule is applied to both client PCs and servers.

                It is also one more reason developers don’t like to join a company domain on their personal laptops!

                Windows Update notification
                Figure: Bad example - Windows 10 shows a ‘Restart now’ – do not accidentally press it! Your production server and your users won't be happy!

                updates restart
                Figure: Bad example – Remember this nasty one from Vista days?

                Note: Server patching is also achievable via SCCM, which gives you more control over restart windows like this. WSUS can also be used in conjunction with Group Policy to handle restart times better.

                The best way to ensure you are still downloading updates but not installing them automatically is to use Group Policy.

                1. Create an Organizational Unit (OU) in Active Directory, and put all your Production Servers in the OU

                Figure: Add all your Production Servers to the Production Server OU

                2. Create a new Group Policy object and link it to the Production Server OU

                Figure: Create a new Group Policy for your Production Servers

                3. Edit the new Group Policy object and drill down to
                  Computer Configuration | Policies | Windows Components | Windows Update
                4. Edit the Configure Automatic Update Properties item and enable it
                5. Set the Configure Automatic Updating option to 3 – Auto download and notify for install

                Figure: Edit Configure Automatic Updates Properties and enable '3 – Auto download and notify for install'

                After the new Group Policy propagates, you will notice the update setting is now locked on the servers in the Production Server OU.

                updates updatesforced
                Figure: Good example - The Group Policy locks the Windows Update setting

                From now on your servers will be updated without unplanned reboots!

                Default domain policy1
                Figure: Good example - AD shows the Group Policy setting “3 – Auto download and notify for install”. This policy is applied to the specified OU eg. Production Servers joined to this domain

                Check out "auto-update" rules for PCs and Servers.
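
The five steps above, scripted as an added example (not SSW's code) that also verifies the result on a server. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the computer name PRODWEB01 and the OU/GPO names are placeholders.

```powershell
# Added example (not SSW's code): OU + linked GPO + "Configure Automatic Updates"
# = Enabled, option 3, then a compliance check on a member server.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'Production Servers'                      # placeholder
$gpoName  = 'Production Servers - Windows Update'     # placeholder
$auKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Step 1: the OU, and a production server moved into it (placeholder name)
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn
if (-not $ou) { $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -PassThru }
Get-ADComputer -Identity 'PRODWEB01' | Move-ADObject -TargetPath $ou.DistinguishedName

# Step 2: the GPO, linked to the OU (skip the link if it is already there)
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks.DisplayName
if (-not ($linked -contains $gpoName)) {
    New-GPLink -Name $gpoName -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null
}

# Steps 3-5: the ADMX setting "Configure Automatic Updates" is stored as these
# two registry values under the Windows Update policy key.
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'AUOptions'    -Type DWord -Value 3 | Out-Null

# After propagation (gpupdate /force to hurry it up) AUOptions must read 3;
# that policy value is what locks the Windows Update settings page.
function Test-AutoUpdatePolicy {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            AUOptions = $au.AUOptions
            Compliant = ($au.AUOptions -eq 3 -and $au.NoAutoUpdate -eq 0)
        }
    }
}
Test-AutoUpdatePolicy -ComputerName 'PRODWEB01'
```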

              2. Do you wait before applying Service Packs or upgrades?

                After a new Service Pack is released for a product (for example, Exchange 2010 Service Pack 1), users and management can get very excited about new features that the Service Pack will bring that will help them out, or fix problems that they had been having with the product.

                Microsoft generally test their Service Packs very well, but things can go wrong.

                As a general rule, we wait 4 weeks before installing a new Service Pack, and tell everyone to hold their horses.


                Figure 1 - Even though managers and users might be pressing you to install a Service Pack - tell them to hold their horses!

                After the 4 week period has expired perform the following tasks before installing the Service Pack:

                • Search for any trending problems with updating to the new Service Pack
                • Check for any known issues in the Microsoft KB with the Service Pack
                • Read the installation documentation
                • Back up your system, or if you are using Hyper-V, take a snapshot
                • Reboot before you are about to install the Service Pack

                Following this rule should prevent disaster in the event that a Service Pack is troublesome.

              3. Web Servers - Do you know how to set up NLB on Windows Server 2016? (aka Network Load Balancing)

                Downtime occurs when you have a single server setup.

                TODO: This is 2008 R2 – update to 2016.

                Note: 2008 R2 was not as reliable as later versions, so it would be better to use a failover cluster in Server 2012 R2 or 2016 for a more reliable infrastructure configuration.

                Use NLB to allow load balancing and failover. On each of your Windows Servers, you will host your website.

                You need to follow these steps to get it up and running:

                1. On all nodes of the NLB cluster, the Network Load Balancing feature needs to be installed.
                  Setup NLB
                  Figure: Install the NLB Feature
                2. Open the Network Load Balancing Manager from Administrative Tools
                  Setup NLB
                  Figure: Under the Cluster menu item, click New
                3. Enter the first node in the cluster in ‘Host’ and press ‘Connect’
                  Setup NLB
                  Figure: Select the interface for the node
                4. Enter a Priority as 1 (this is just a host identifier)
                  Setup NLB
                  Figure: In 'Priority' enter '1'
                5. Enter a virtual IP address for the cluster
                  Setup NLB
                  Figure: Enter a virtual IP address for the cluster, eg.
                6. Choose the IP address of your cluster from the dropdown list, set a Full Internet Name (eg.) and ensure the Multicast cluster operation mode is selected.
                  Setup NLB
                  Figure: Set the 3 cluster parameters
                7. You want sticky sessions so you don’t mistakenly bounce between servers (and lose your state)
                  Setup NLB
                  Figure: Leave the Port Rule as default. This will provide sticky sessions
                  Setup NLB
                  Figure: Success. The cluster configuration will show a green icon
                8. Right click the name of the cluster (eg.) and click Add Host To Cluster
                  Setup NLB
                  Figure: Add the 2nd web server with a priority of 2
                9. Open a command prompt and type in wlbs query to verify the cluster:
                  Setup NLB 13
                  Setup NLB
                  Figure: Type in wlbs query to verify the cluster
                10. Ping both nodes and the virtual IP address externally to verify they are all working
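
The same ten steps done from PowerShell, as an added example (not SSW's code). Node names WEB01/WEB02, the NIC name "Ethernet", the cluster IP 192.0.2.10/24 and the full Internet name web.example.local are placeholders.

```powershell
# Added example (not SSW's code): build a two-node multicast NLB cluster and
# verify it the way "wlbs query" and the pings in steps 9-10 do.
$nodes     = 'WEB01', 'WEB02'        # placeholders
$interface = 'Ethernet'
$clusterIp = '192.0.2.10'
$mask      = '255.255.255.0'
$fqdn      = 'web.example.local'

# Step 1: install the feature (and its PowerShell module) on every node
Invoke-Command -ComputerName $nodes -ScriptBlock {
    Install-WindowsFeature -Name NLB -IncludeManagementTools
}
Import-Module NetworkLoadBalancingClusters

# Steps 2-7: create the cluster on the first node (it becomes host ID/priority 1)
# in Multicast mode. The default port rule has affinity Single = sticky sessions.
New-NlbCluster -HostName $nodes[0] -InterfaceName $interface -ClusterName $fqdn `
    -ClusterPrimaryIP $clusterIp -SubnetMask $mask -OperationMode Multicast | Out-Null
Get-NlbClusterPortRule -HostName $nodes[0] | Format-Table StartPort, EndPort, Protocol, Affinity

# Step 8: add the second web server (it takes the next free host ID, 2)
Add-NlbClusterNode -HostName $nodes[0] -InterfaceName $interface `
    -NewNodeName $nodes[1] -NewNodeInterface $interface | Out-Null

# Step 9: the "wlbs query" check - every node must report Converged
function Test-NlbConverged {
    param([string]$ClusterHost)
    $members = Get-NlbClusterNode -HostName $ClusterHost
    $members | Format-Table Name, State, Interface -AutoSize
    return (@($members | Where-Object { $_.State -ne 'Converged' }).Count -eq 0)
}
Test-NlbConverged -ClusterHost $nodes[0]

# Step 10: ping both nodes and the virtual IP
foreach ($target in ($nodes + $clusterIp)) {
    '{0,-18} reachable={1}' -f $target, (Test-Connection -ComputerName $target -Count 2 -Quiet)
}
```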

              4. Web Servers - Do you get Zero Downtime when Updating a Server?

                If you are dealing with a single server, there is no way to achieve 100% uptime when updating or restarting it.

                So set your website up correctly with at least 2 front ends, and 1 backend (the SQL Server).

                Server down, site up
                Figure: Good Example – When one server goes down, the website remains up

                Then, use a Network Load Balancer (we recommend Microsoft’s built-in NLB), which allows you to spread website load across multiple servers and is even more helpful when you need to do Windows Updates or make changes to the web servers in your environment.

                Follow the steps below on your test server first, get the application tested and passing, then move on to production.

                1. Open the Network Load Balancing Manager
                2. Right click on the machine you want to update | Select Control Host | Click Drain Stop
                  Server drainstop
                  drain stop
                  Figure: The 2 green icons indicate both servers are live with users - do a drain stop on the server you want to make changes to
                3. To view the current connections on the server, open a command prompt and enter netstat -an. You will be able to see the connections list dropping as users are sent to the other server
                  Server netstat
                  Figure: Run "netstat -an" to view the current connections on the server
                4. Allow the NLB to finish sending the connections to the remaining servers. The server you have drain stopped will turn red when all the users have been moved to the other server
                  Server red
                  Server turns red
                  Figure: When the server turns red, the connections have been dropped and you're ready to update
                5. Optional – if you are using Hyper-V, take a snapshot of the server you are about to make changes on
                6. Restart
                  Server restart
                  Windows update
                  Figure: Now that the server isn't being hit with users, perform your updates. Click "Restart Now"
                7. Optional – Do a smoke test (open the site and check it's working)
                8. Optional – Run any automated tests (for example Telerik Tests)
                9. When the server is ready, add it back into the load balancer. Right click on the machine | Select Control Host | Click Start
                10. The server icon will return to green, and users will start being sent to the server again
                  Server green
                  Server OK
                  Figure: The server will now accept connections again
                11. Follow the same process for the other server (or multiple)

                Congratulations you've just updated your servers with 100% uptime.
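
The drain-stop, restart, smoke-test and start sequence above as an added example (not SSW's code). The node name WEB01, the NIC name "Ethernet" and the site URL http://WEB01/ are placeholders.

```powershell
# Added example (not SSW's code): take one NLB node out with a drain stop, wait
# for the "red icon" (Stopped) state, restart it, smoke test, put it back.
Import-Module NetworkLoadBalancingClusters

function Wait-NlbNodeDrained {
    param([string]$Node, [string]$Interface, [int]$TimeoutMinutes = 30)
    # Step 2: Drain Stop - no new connections, existing sessions are allowed to finish
    Stop-NlbClusterNode -HostName $Node -InterfaceName $Interface -Drain -Timeout $TimeoutMinutes | Out-Null
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 15
        $state = (Get-NlbClusterNode -HostName $Node -InterfaceName $Interface).State
        # Step 3: the "netstat -an" view, narrowed to established web connections
        $open = Invoke-Command -ComputerName $Node -ScriptBlock {
            @(Get-NetTCPConnection -State Established -LocalPort 80, 443 -ErrorAction SilentlyContinue).Count
        }
        Write-Host "$Node state=$state established web connections=$open"
    } until ($state -eq 'Stopped' -or (Get-Date) -gt $deadline)
    return ($state -eq 'Stopped')     # Step 4: Stopped is the red icon, safe to update
}

function Test-SiteSmoke {
    param([string]$Url)
    # Step 7: the site must answer HTTP 200 before the node takes users again
    try { (Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 30).StatusCode -eq 200 }
    catch { $false }
}

if (Wait-NlbNodeDrained -Node 'WEB01' -Interface 'Ethernet') {
    # Step 5 (optional, on the Hyper-V host): Checkpoint-VM -Name 'WEB01' -SnapshotName 'pre-patch'
    # Step 6: install the updates with your usual tooling, then restart and wait for WinRM
    Restart-Computer -ComputerName 'WEB01' -Wait -For PowerShell -Timeout 900 -Force
    if (Test-SiteSmoke -Url 'http://WEB01/') {
        # Steps 9-10: back into the pool; the icon turns green again once it converges
        Start-NlbClusterNode -HostName 'WEB01' -InterfaceName 'Ethernet' | Out-Null
        Get-NlbClusterNode -HostName 'WEB01' -InterfaceName 'Ethernet' | Format-Table Name, State
    } else {
        Write-Warning 'Smoke test failed - WEB01 left out of the cluster for investigation'
    }
}
```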

              5. Printers - Do You Install Your Printers With Group Policy?

                It is important to install your printers automatically on all clients that log on to the domain.

                This can be achieved via Group Policy. It can be set up easily on Microsoft Windows Server 2008 R2:

                Note: It is better to deploy printers via GPO preferences to end users, and also for large-scale environments. There are third-party products, eg. Tricerat or Printer Logic, which make centralizing printer queues and servers more efficient.

                • From Server Manager add the Print Services role
                  Figure: Install the Print Services role
                • When the role has installed, open Print Management from Administrative Tools
                • Install all your printers by right clicking on Printers and clicking Add Printer
                  Figure: Add all of your printers to the server
                • Right click on Drivers and choose Add Drivers. From here you will be able to install the x86 and x64 drivers for your printers so all workstations in your organization get the printer drivers automatically
                  Figure: Add the additional drivers for both x86 and x64
                • Click on Printers in the menu to get a list of your installed printers
                • Right click on the first printer you want to install via Group Policy and click on Deploy with Group Policy
                  Figure: Deploying your printer with Group Policy
                • Next, you need to choose a Group Policy Object (GPO) to add the printers to. You may wish to create a new GPO specifically for the printers, which you can do through the Group Policy Management tool in Administrative Tools
                  Figure: Select the Group Policy Object (GPO) to add the printers to
                • Repeat the last 2 steps for each printer you want to add automatically using Group Policy
                • Reboot your workstations and the new printers will be added upon login
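
The server-side part of the steps above (role, drivers, shared printers) as an added example (not SSW's code); the final "Deploy with Group Policy" step is still done in Print Management. Printer names, IPs and the driver name are placeholders, and the driver must already be in the driver store.

```powershell
# Added example (not SSW's code): Print Server role, staged drivers and shared,
# AD-published printers, ready for "Deploy with Group Policy".
Install-WindowsFeature -Name Print-Server -IncludeManagementTools
Import-Module PrintManagement

# Constructed sample printers; the driver name is a placeholder for a driver
# already staged in the driver store (e.g. with pnputil /add-driver <inf>)
$printers = @(
    @{ Name = 'Level1-Colour'; Ip = '192.0.2.50'; Driver = 'Example Universal PCL6 (placeholder)' },
    @{ Name = 'Level2-Mono';   Ip = '192.0.2.51'; Driver = 'Example Universal PCL6 (placeholder)' }
)

foreach ($p in $printers) {
    $port = "IP_$($p.Ip)"
    if (-not (Get-PrinterPort -Name $port -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $port -PrinterHostAddress $p.Ip
    }
    # "Add Drivers": stage the driver on the server. For the other architecture,
    # run it again with -PrinterEnvironment 'Windows NT x86' / 'Windows x64'.
    if (-not (Get-PrinterDriver -Name $p.Driver -ErrorAction SilentlyContinue)) {
        Add-PrinterDriver -Name $p.Driver
    }
    # "Add Printer": shared and published in AD so clients can find it
    if (-not (Get-Printer -Name $p.Name -ErrorAction SilentlyContinue)) {
        Add-Printer -Name $p.Name -DriverName $p.Driver -PortName $port `
            -Shared -ShareName $p.Name -Published
    }
}

# What the workstations will see once the GPO deploys them
Get-Printer | Where-Object Shared | Format-Table Name, ShareName, DriverName, PortName -AutoSize
```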

              6. Printers - Do you make your Printers easy to find?

                For PCs that are not in the domain, the printers won’t be automatically installed.

                So you should add a DNS alias which maps \\printer to your print server.

                add printer via connect
                Figure: \\printer takes you to this window, where you can "Add" the printer via Connect

                Note: It is better to automate mappings via GPO preferences. As a backup, you can allow users to manually map as above.

              7. Do you know what to request if someone wants more RAM and processors on a VM or a PC?

                “Too slow” is not enough information.

                Request an image of the “Resource Monitor”.

                Then after you decide there is justification:

                • Do a typical action – take a new image as a baseline.
                • Give the additional resources, e.g. RAM and processors.
                • Do the typical action again – take another image of the “Resource Monitor”.
                • If there is some improvement, reply “done” (otherwise reply “not done”).

                Note: An ideal email subject prefix for a request for more resources would be e.g. “Performance issue – <Machine name>”

                resource monitor
                Figure: Use “Resource Monitor” prior to allocating more RAM on a VM

                Figure: If you see something like this, pass their request :-)
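
A numeric before/after baseline to accompany the Resource Monitor screenshots, as an added example (not SSW's code): sample the counters while the user repeats the slow action, add the resources, sample again, and reply "done" or "not done". The VM name SLOWVM01 is a placeholder.

```powershell
# Added example (not SSW's code): before/after baseline with Get-Counter.
function Get-Baseline {
    param([string]$ComputerName, [int]$Seconds = 60)
    $counters = '\Processor(_Total)\% Processor Time',
                '\Memory\Available MBytes',
                '\Paging File(_Total)\% Usage',
                '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
    $samples = Get-Counter -ComputerName $ComputerName -Counter $counters `
                           -SampleInterval 5 -MaxSamples ([math]::Max(1, [int]($Seconds / 5)))
    $result = [ordered]@{}
    # Average each counter over the sampling window, keyed by "object\counter"
    $samples.CounterSamples | Group-Object Path | ForEach-Object {
        $short = ($_.Name -split '\\')[-2..-1] -join '\'      # e.g. memory\available mbytes
        $result[$short] = [math]::Round(($_.Group.CookedValue | Measure-Object -Average).Average, 1)
    }
    return $result
}

function Compare-Baseline {
    param($Before, $After)
    $improved = 0
    foreach ($k in $Before.Keys) {
        $delta = $After[$k] - $Before[$k]
        # More free memory is good; for CPU, paging and disk queue, lower is better
        $better = if ($k -like '*available mbytes') { $delta -gt 0 } else { $delta -lt 0 }
        if ($better) { $improved++ }
        $tag = if ($better) { 'improved' } else { 'no gain' }
        '{0,-45} before={1,9} after={2,9} {3}' -f $k, $Before[$k], $After[$k], $tag
    }
    # Adding RAM always raises "available mbytes", so ask for a second metric to move too
    if ($improved -ge 2) { 'done' } else { 'not done' }     # the reply the rule asks for
}

$before = Get-Baseline -ComputerName 'SLOWVM01'   # user performs the slow action now
# ... give the VM more RAM / vCPUs, let the user repeat the action ...
$after  = Get-Baseline -ComputerName 'SLOWVM01'
Compare-Baseline -Before $before -After $after
```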

              8. Do you turn on file auditing for your file server?

                Windows Server has a built-in solution for auditing who accessed your files in a file share or non-shared files in your file system, but it is turned off by default.

                "Advanced Audit Policy Configuration" is a Group Policy setting in Windows that enables several audit options for your files, e.g.:

                1. Object Access - Audit who opened, closed or modified files and folders in your system
                2. Logon/Logoff - Audit who's logged on and off the server

                To get to this setting, you need to:

                1. Open your domain's or server's Group Policy (or Local Group Policy)
                2. Computer Configuration | Windows Settings | Security Settings | Advanced Audit Policy Configuration
                3. Choose the setting that applies to you e.g. Object Access
                4. Edit the subcategory | Check "Success" and "Failure" as a best practice

                auditing success and fail
                Figure: Good Example - Auditing Successes and Failures in your file shares

                After that, your server will start logging audit events in the Event Viewer. To filter relevant events, do the following:

                1. Open Windows Event Viewer | Windows Logs | Security
                2. Click "Filter Current Log..." | IDs 4663, 4660, 5145:

                  1. 4663 (An attempt was made to access an object) - Event ID when a user accesses a file system file
                  2. 4660 (An object was deleted) - Event ID when a user deletes a file system file
                  3. 5145 (A network share object was checked to see whether the client can be granted desired access.) - Event ID when a network user accesses a file share file
                3. The relevant logs will start popping up:

                filtered logs
                Figure: Good example - Filtered logs with file access information

                4. Click on each entry for a detailed explanation of which file was opened, which IP address was used and which user initiated the action

                This kind of audit tool is an important part of any SysAdmin's or Security Engineer's toolkit for seeing what is going on in your Windows environment.
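
The same filter scripted, as an added example (not SSW's code): turn on the two audit subcategories with auditpol, then read 4663/4660/5145 into a who/what/where table. It assumes the folders you care about already carry an audit entry (SACL) on their Security tab; without one, 4663/4660 are never written even with the policy on.

```powershell
# Added example (not SSW's code): enable auditing, then parse the three event IDs.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"File Share"  /success:enable /failure:enable

function Get-FileAccessAudit {
    param([datetime]$Since = (Get-Date).AddHours(-24), [string]$PathFilter = '*')
    $filter = @{ LogName = 'Security'; Id = 4663, 4660, 5145; StartTime = $Since }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # The named fields live in the event's XML <EventData>
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # 4660 (delete) names no file: match its HandleId to the 4663 logged just before it
        $object = switch ($e.Id) {
            5145    { "$($d.ShareName)\$($d.RelativeTargetName)" }
            4660    { "(deleted object, HandleId $($d.HandleId))" }
            default { $d.ObjectName }
        }
        if ($e.Id -ne 4660 -and $object -notlike $PathFilter) { continue }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Id       = $e.Id
            Outcome  = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
            User     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object   = $object
            Access   = $d.AccessMask
            ClientIp = $d.IpAddress      # present on 5145 only (share access over the network)
            HandleId = $d.HandleId
        }
    }
}

# Everything touched under the HR share (placeholder) in the last day, failures first
Get-FileAccessAudit -PathFilter '*\HR\*' | Sort-Object Outcome, Time | Format-Table -AutoSize
```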

              9. Do you use the best Windows file storage solution?

                Windows has a built-in storage solution called Storage Spaces that allows you to group 3 or more storage drives to create a bigger pool; however, that technology, whilst useful, has some better third-party contenders like Drive Bender, which does the same thing better and faster.

                With Drive Bender, you also have software RAID, disk grouping, and file duplication that you find in Storage Spaces, but with a better interface and faster transfer rates.

                Drive Bender Pros

                1. Nice UI with lots of functionality
                2. Regular updates
                3. Heaps of configuration options
                4. Friendly (and fast!) customer support (Bonus: They are located in Sydney, Australia, just like SSW! 😃)
                5. Easy add and remove of drives to the pool
                6. Check your disk health automatically
                7. Get notifications on pool status

                Drive Bender Cons

                1. Storage Spaces is "free" (built into Windows Server), Drive Bender is $54.95 for 3 machines (still cheap, forever)

                Have a look at the Drive Bender website for more info!

                storage spaces
                Figure: Bad example – Bad UI for Storage Spaces

                drive bender
                Figure: Good example – Nice UI for Drive Bender

              10. Do you run services on their own AD accounts?

                When using service accounts, you should have a specific AD account for each major service.

                Figure: Bad example - using the default Administrator account

                Figure: Better example - At least don't use the Administrator account, create a new account

                Figure: Best example - A specific AD account for each major service

                Figure: Bad example - using the network admin's name

                Figure: Good example - a specific SQL Server account being used (Suggestion: Make the text box wider and link to the one in 'Services')
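
A check for this rule as an added example (not SSW's code): report which account every Windows service runs as and flag the patterns from the figures above (the built-in Administrator, a person's account, or one account shared across several services). Computer names and the $Personal list are placeholders.

```powershell
# Added example (not SSW's code): service logon account report for the bad,
# better and best cases in the figures above.
function Get-ServiceAccountReport {
    param([string[]]$ComputerName = $env:COMPUTERNAME,
          [string[]]$Personal = @('adam', 'bob'))      # constructed: named admins' accounts
    # Built-in machine identities are fine; everything else is reviewed
    $rows = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
        ForEach-Object {
            $acct = $_.StartName
            # Accept DOMAIN\user, .\user and user@domain forms
            $user = if ($acct -match '\\') { $acct.Split('\')[-1] }
                    elseif ($acct -match '@') { $acct.Split('@')[0] }
                    else { $acct }
            [pscustomobject]@{ Computer = $_.SystemName; Service = $_.Name; RunsAs = $acct; User = $user; Verdict = '' }
        }
    # One AD account per major service: the same account on several services is a smell
    $shared = $rows | Group-Object { $_.User.ToLower() } | Where-Object Count -gt 1 | ForEach-Object Name
    foreach ($r in $rows) {
        $r.Verdict = if ($r.User -ieq 'Administrator') { 'BAD: built-in Administrator' }
                     elseif ($Personal -contains $r.User) { 'BAD: personal admin account' }
                     elseif ($shared -contains $r.User.ToLower()) { 'REVIEW: account shared by several services' }
                     else { 'OK: dedicated account' }
    }
    return $rows
}

Get-ServiceAccountReport -ComputerName 'SQL01', 'WEB01' | Sort-Object Verdict, Computer | Format-Table -AutoSize
```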
