Lead Image © Kati Molin, Fotolia

11 Tricks for Windows servers

Article from ADMIN 59/2020

A number of techniques applied in PowerShell or other management tools can run Windows servers more effectively, harden them, and improve their performance.

Fine-tuning Windows servers doesn't have to be a complex process. Easily manageable commands and settings can have a great effect. In this article, I look at 11 practical tips for Windows servers.

1. Remote Desktop Settings

In many organizations, employees use the Remote Desktop tool, which is usually activated in the server's graphical user interface or from the Server Core text-based menu. On servers with a graphical user interface, the quickest way to find the settings is to run sysdm.cpl. However, you can also enable Remote Desktop from the registry with the settings found in the HKLM | SYSTEM | CurrentControlSet | Control | Terminal Server key. With this approach, you can activate Remote Desktop by importing registry entries. The most important entry is fDenyTSConnections: a value of 0 enables Remote Desktop, and a value of 1 disables it. To see which users are connected to a server (Figure 1), run the command:

qwinsta /server:<server name>

Figure 1: Remote Desktop Protocol connections are displayed by the qwinsta command.

To deny access to certain users, use group policies. To block access to the Remote Desktop Services (e.g., for local administrators), you should manage the authorizations centrally. The path to the settings is Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment . The following two settings are important:

  • Deny log on through Remote Desktop Services
  • Deny log on locally

Here, you configure which users are allowed to log on to the server locally (i.e., directly at the console) and which users can connect to the server by Remote Desktop. Remote Desktop connections can also be opened in the web browser if you use Windows Admin Center: its Remote Desktop menu item opens a session to the managed server directly in the browser.
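The following PowerShell function is an added example and not code from the article: it audits the local server by reading the fDenyTSConnections value described above and by parsing the output of qwinsta into objects, so the Remote Desktop state and the current sessions can be collected in one call (for several servers, run it through Invoke-Command). It assumes the English qwinsta column headers.

```powershell
# Added example (not from the article): report whether Remote Desktop is enabled on
# this server and which sessions exist, using the registry value and the qwinsta
# command the article describes. Assumes English qwinsta column headers.
function Get-RdpStatus {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    if ($null -eq $deny) { $deny = 1 }   # value absent: treat as disabled (the Windows default)

    $sessions = @()
    $lines = @(qwinsta 2>$null)
    if ($lines.Count -gt 1) {
        # qwinsta prints fixed-width columns; derive the offsets from the header line
        # instead of hard-coding widths. A leading '>' marks the caller's own session.
        $hdr      = $lines[0]
        $userPos  = $hdr.IndexOf('USERNAME')
        $statePos = $hdr.IndexOf('STATE')
        if ($userPos -gt 0 -and $statePos -gt $userPos) {
            foreach ($line in $lines[1..($lines.Count - 1)]) {
                if ($line.Length -le $statePos) { continue }
                $name   = $line.Substring(1, $userPos - 1).Trim()
                # Between USERNAME and STATE sit an optional user name and the numeric ID
                $middle = @($line.Substring($userPos, $statePos - $userPos) -split '\s+' | Where-Object { $_ })
                $user   = if ($middle.Count -ge 2) { $middle[0] } else { '' }
                $sessions += [pscustomobject]@{
                    Session = $name
                    User    = $user
                    Id      = [int]$middle[-1]
                    State   = ($line.Substring($statePos).Trim() -split '\s+')[0]
                }
            }
        }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpEnabled     = ($deny -eq 0)
        ActiveSessions = @($sessions | Where-Object State -eq 'Active').Count
        Sessions       = $sessions
    }
}

Get-RdpStatus | Format-List
```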

2. Uninstalling Media Player

By default, Windows Media Player is installed on Windows Server 2019. Because this tool is not needed on production servers, it is unnecessary functionality and therefore a potential attack surface. To uninstall Media Player, run the command:

dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer /norestart

The command is also useful for deployment scripts or tools that distribute automatic settings to servers. Besides the Windows Admin Center and Server Manager, Media Player can also be uninstalled with the PowerShell command:

Disable-WindowsOptionalFeature -Online -FeatureName WindowsMediaPlayer

3. Configuring LDAP Priorities and Weighting

Checking that the LDAP SRV records in the domain name system (DNS) are correct can help you detect Active Directory (AD) issues. Correctly registered and reachable domain controllers (DCs) in the SRV records are an important basis for many server-based services. You can launch the check with the fully qualified domain name (FQDN; e.g., joos.int in this example):

nslookup -type=all _ldap._tcp.dc._msdcs.joos.int

Domain controllers register multiple SRV records (Figure 2), which in turn tell clients to which DCs they should connect. If you set the priority to a high value (e.g., 1), these DCs are only addressed if no other DCs with a lower priority value exist. The weighting distinguishes DCs with the same priority: a DC with a weighting of 10 is addressed more often than a DC with a weighting of 5. In other words, you can relieve the load on individual DCs by adjusting the weighting. This procedure is also useful if you want to replace a DC and reduce the number of requests on the server beforehand.

Figure 2: Checking the LDAP entries in the DNS on the command line.

The settings for weighting can be seen in the properties of the DNS record. The priority and the weighting are defined by registry entries, which can be found in the DC registry key at HKEY_LOCAL_MACHINE | SYSTEM | CurrentControlSet | Services | Netlogon | Parameters , where you enter the weighting and priority:

  • "LdapSrvWeight"=dword:00000001
  • "LdapSrvPriority"=dword:00000002

In most cases, you first have to create the two DWORD values, because they do not exist by default. They take effect either after restarting the DC or after restarting the Netlogon service:

net stop NETLOGON && net start NETLOGON

To display the current values, again run the command:

nslookup -type=all _ldap._tcp.dc._msdcs.joos.int

The entries are displayed in the DNS record properties in the priority and weight fields (Figure 3).

Figure 3: The weightings of the LDAP requests are shown in the DNS properties.
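The following PowerShell is an added example and not code from the article. Get-DcSrvShare queries the LDAP SRV records for a domain with Resolve-DnsName and computes the share of client requests each DC can expect, exactly as the priority and weighting rules above describe; Set-DcSrvPreference writes the two Netlogon registry values from this tip and restarts the service. Function names, the default values (Windows's own defaults of priority 0 and weight 100), and joos.int as the sample domain are assumptions.

```powershell
# Added example (not from the article). Requires the DnsClient module (Windows
# Server 2012 or later); Set-DcSrvPreference must run elevated on the DC itself.

# Expected share of requests per DC: clients pick the lowest priority value first,
# then choose among DCs of that priority at random, proportional to the weighting.
function Get-DcSrvShare {
    param([Parameter(Mandatory)][string]$Domain)

    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.NameTarget }      # drop the glue A/AAAA records in the reply

    foreach ($group in ($srv | Group-Object Priority | Sort-Object { [int]$_.Name })) {
        $total = ($group.Group | Measure-Object Weight -Sum).Sum
        foreach ($r in ($group.Group | Sort-Object Weight -Descending)) {
            # All weights 0 in a group: equal chance; otherwise proportional (RFC 2782)
            $share = if ($total -eq 0) { 1 / $group.Count } else { $r.Weight / $total }
            [pscustomobject]@{
                DomainController = $r.NameTarget
                Priority         = $r.Priority
                Weight           = $r.Weight
                SharePercent     = [math]::Round($share * 100, 1)
            }
        }
    }
}

# Set this DC's own priority and weighting through the Netlogon registry values
# named in the article, then restart Netlogon so the SRV records are re-registered.
function Set-DcSrvPreference {
    param(
        [ValidateRange(0, 65535)][int]$Priority = 0,
        [ValidateRange(0, 65535)][int]$Weight   = 100
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    # New-ItemProperty -Force creates the DWORD values if missing and overwrites them otherwise
    New-ItemProperty -Path $key -Name LdapSrvPriority -PropertyType DWord -Value $Priority -Force | Out-Null
    New-ItemProperty -Path $key -Name LdapSrvWeight   -PropertyType DWord -Value $Weight   -Force | Out-Null
    Restart-Service -Name Netlogon
}

# Two DCs with the same priority and weightings of 10 and 5 show shares of 66.7 and 33.3 percent.
Get-DcSrvShare -Domain 'joos.int' | Format-Table -AutoSize
```

A DC given a higher priority value than its peers shows up in its own group and receives requests only when every DC in the lower-valued groups is unreachable, which is the effect described above for taking a DC out of rotation.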
