Remote Administration for Windows Server

Use a remote desktop to increase efficiency

By: Zac Mutrux

May 1, 2005

If you manage a Windows server and you don't have remote administration options set up, chances are good that you get up from your desk and traipse over to the server in order to perform such routine mundane tasks as creating a new user account or defragmenting the hard drive.

This can be a bit inconvenient — after all, there might not be a chair in the server room, which could be little more than a closet. The monitor on the server is inevitably small and grainy. Sometimes the server is on a different floor. Maybe you just don't need all that extra exercise.

Wouldn't it be nice if you didn't have to physically visit the server to administer it? Why, that would mean that you wouldn't have to run downstairs and cram yourself into that stuffy network closet. Maybe you could even administer the server from outside the building.

Remote administration has been possible for some time, but only with remote-control software like PC Anywhere or Timbuktu. Allow me to let you in on a little secret: if you have a computer running Windows 2000 Server or Windows Server 2003, you can remotely control it without purchasing any additional software or licenses. This feature, variously called "Terminal Services Remote Administration Mode" and "Remote Desktop," is just waiting for you to pick it up and use it.

Requirements for remote administration over the LAN:

  • Windows 2000/2003 Server (or Windows NT 4.0 Terminal Services edition)

Requirements for remote administration over the Internet:

  • A high-speed Internet connection
  • A router capable of port-forwarding

Secure Those Servers

Of course, if you want to use these services, you'll have to make sure that only authorized users will be able to access your server.

Step 1

Check the Administrators group in Active Directory Users and Groups (ADUC) and remove anyone who shouldn't be there.

Step 2

Ensure that any members of the Administrators group — including the "Administrator" account — have strong passwords. By "strong," I mean they should contain:

  • Eight characters or longer.
  • No dictionary words in any language.
  • A combination of uppercase letters, lowercase letters, numbers, and non-alphanumeric characters (!@#$).

Step 3

On the server, visit http://windowsupdate.microsoft.com and install any updates the server is lacking.
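The three password rules from Step 2 can be checked mechanically when an administrator password is chosen. The following is an added example, not part of the original article; the short word list and the look-alike character substitutions are assumptions, and a real check would load a full dictionary file.

```python
# Constructed sample word list (assumption); in practice load a full
# dictionary covering the languages your users speak.
SAMPLE_WORDS = {"password", "server", "admin", "welcome", "dragon", "sommer"}

# Look-alike substitutions undone before the dictionary check (assumption).
LEET = str.maketrans("013457@$!", "oieastasi")


def password_problems(password, words=SAMPLE_WORDS, min_word_len=4):
    """Return the article's Step 2 rules that this password breaks."""
    problems = []

    # Rule 1: eight characters or longer.
    if len(password) < 8:
        problems.append("shorter than eight characters")

    # Rule 3: all four character classes must be present.
    classes = {
        "uppercase letter": any(c.isupper() for c in password),
        "lowercase letter": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "non-alphanumeric character": any(not c.isalnum() for c in password),
    }
    problems += [f"missing {name}" for name, ok in classes.items() if not ok]

    # Rule 2: no dictionary words, checked on the lowercase form and on the
    # form with look-alike characters mapped back to letters.
    lowered = password.lower()
    candidates = {lowered, lowered.translate(LEET)}
    hits = sorted(w for w in words
                  if len(w) >= min_word_len and any(w in c for c in candidates))
    problems += [f"contains dictionary word '{w}'" for w in hits]
    return problems


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ("admin", "P@ssw0rd!", "xK7#qLz9!mR2"):
        print(candidate, "->", password_problems(candidate) or "meets all three rules")
```

A password such as "P@ssw0rd!" satisfies the length and character-class rules and still fails, because the substitutions hide a dictionary word.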

Install and Configure Terminal Services (aka Remote Desktop)

Now that your server is as secure as you can make it, you're ready to install and configure terminal services.

Configure Windows 2000 Server:

  • Click Start > Settings > Control Panels > Add/Remove Programs.
  • Click Add/Remove Windows Components > Install Terminal Services.
  • Select Remote Administration mode.

Configure Windows Server 2003:

  • Right-click "My Computer," and choose "Properties."
  • Click on the "Remote" tab and enable Remote Desktop.

Confirm That Terminal Services is Working

In order to remotely control a server, your computer must have the Remote Desktop client installed.

Windows XP already has it. You can find it under Start > Programs > Accessories > Communications > Remote Desktop Connection.

In earlier versions of Windows, it was necessary to install the Remote Desktop Connection Client.

Once you have located or installed the client on your computer, open it, enter the name of your server, then click "Connect." If it works, the next steps will be obvious. If it doesn't work, you'll get an error message about not being able to connect. If this happens, revisit your earlier work to see if you made a mistake.

At this point, the server can be remotely controlled by any computer on the LAN that has the Remote Desktop Connection client installed. If you do not wish to control the server from outside your private network, the next set of instructions is not necessary.

Expose the Server to the Public Internet

These steps assume you have a simple, small network where a router has the only public IP address, and the server is on the private network. Remember that you can skip this part if you only need to access your server from your private LAN.

Step 1

If the server is on a private network, make sure it has a static IP address. If it doesn't have a static IP address, assign it one that is not in the range of IP addresses that is handed out by the DHCP server.

Step 2

If your organization does not have a static IP address on the Internet, set up a dynamic DNS hostname with http://www.dyndns.org/. If your organization does have a static IP address on the public Internet, make note of what it is.

Step 3

Open TCP and UDP ports 3389 in your firewall or router. For example, let's say you have a Linksys router. To open these ports, point your Web browser to http://192.168.1.1 (or whatever the address of your router is) and log in. Look for the area in the settings called "Applications," "Port forwarding," or "Advanced." (Consult the documentation for your router if you need help with this step.) In a Linksys router, the settings will look something like this if your server has the IP address 192.168.1.2:

  • Application: RDP
  • Port range: 3389 - 3389
  • Protocol: Both
  • IP Address: 192.168.1.2

Step 4

If your Internet connection uses PPPoE, make sure your router is configured to keep the Internet connection alive at all times.

Step 5

Test the connection from a remote computer by entering the public IP address or name of your router. If you can connect, you're good to go. If you can't connect, revisit your work to see what the problem might be.
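Before testing from outside, it is worth confirming that the forwarding rule exposes only what Steps 1 and 3 intend: one port, forwarded to a server address that DHCP will never hand to another machine. The following is an added example, not part of the original article; the function name, the rule dictionary layout, the LAN range and the DHCP pool are assumptions.

```python
import ipaddress

RDP_PORT = 3389


def check_rdp_forward(server_ip, lan_cidr, dhcp_pool, rule):
    """Compare one forwarding rule with Steps 1 and 3; return a list of findings."""
    lan = ipaddress.ip_network(lan_cidr)
    server = ipaddress.ip_address(server_ip)
    target = ipaddress.ip_address(rule["ip"])
    pool_first, pool_last = (ipaddress.ip_address(a) for a in dhcp_pool)
    findings = []

    # Step 1: the server needs a fixed address outside the DHCP range,
    # otherwise the forward can end up pointing at another machine.
    if server not in lan:
        findings.append(f"server {server} is not on the LAN {lan}")
    if pool_first <= server <= pool_last:
        findings.append(
            f"server {server} is inside the DHCP pool {pool_first}-{pool_last}")

    # Step 3: forward port 3389 only, and only to the server.
    if target != server:
        findings.append(f"rule forwards to {target}, not to the server {server}")
    first, last = rule["ports"]
    if (first, last) != (RDP_PORT, RDP_PORT):
        findings.append(f"rule opens ports {first}-{last}, not just {RDP_PORT}")
    return findings


# The article's Linksys rule; the LAN and DHCP pool values are constructed.
ARTICLE_RULE = {"application": "RDP", "ports": (3389, 3389),
                "protocol": "Both", "ip": "192.168.1.2"}
LAN = "192.168.1.0/24"
DHCP_POOL = ("192.168.1.100", "192.168.1.149")

if __name__ == "__main__":
    ok = check_rdp_forward("192.168.1.2", LAN, DHCP_POOL, ARTICLE_RULE)
    print(ok or "rule matches the plan")
    # Constructed bad case: server left on a pool address, wide port range.
    sloppy = {"application": "RDP", "ports": (3380, 3400),
              "protocol": "Both", "ip": "192.168.1.120"}
    for finding in check_rdp_forward("192.168.1.120", LAN, DHCP_POOL, sloppy):
        print("-", finding)
```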
