Microsoft Systems Management Server 2.0 Training Kit

After this lesson, you will be able to

Estimated Completion Time: 40 minutes

Initiating a Remote Tools Session

All remote functions, with the exception of Windows NT Diagnostics, are initiated from the Remote Tools window. Before any remote functions are performed, the viewing computer must be able to connect to the client computer. After the Start Remote Tools option is selected for a client computer appearing in a collection, an Attempting to Connect with computername message window appears. If the client computer cannot be reached, then the Remote Tools window shows a message stating that the remote control agent could not be found (Figure 6-9).

Figure 6-9. The Remote Tools message status window stating that a connection could not be established with computer DOSWIN.

Resolving this error is discussed in Chapter 14, "Monitoring and Troubleshooting SMS."

If the connection is successful, a Remote Tools - computername, ipaddress window appears (Figure 6-2). The IP address information appears only if TCP/IP is installed on the client computer.

Choose a remote function, diagnostic, or the Ping Test from the toolbar appearing at the top of the Remote Tools window.

If you choose Remote Control, a window called Remote Control - computername appears. If permissions from the client computer are required, the administrator sees the message box shown in Figure 6-10.

Figure 6-10. The permissions message box.

The client computer also receives a message box prompt. If the user clicks Yes, remote control is allowed. If the user clicks No, or if no button is clicked, the viewing computer receives a message stating that permissions were not granted.

If a remote control session is successfully established, the client computer's display data appears inside a black and yellow moving border on the viewing computer (see Figure 6-5). Other functions produce the appropriate dialog boxes for executing a program or copying a file, for example. These functions are permissions-based, unless permissions are not required.

Remote Login and Lock/Unlock

It is possible to remotely log on to a Windows NT/2000 client computer, as well as lock and unlock the desktop. This allows you to remotely operate a Windows NT/2000 server that has no user logged on.

This is carried out using buttons on the Remote Control window.

Exercise 37: Using Remote Tools

In this exercise, you will use SMS Remote Tools and Windows NT Diagnostics.

In the following steps, you will attempt to remotely control Computer 2. Remember that at the conclusion of Lesson 2, you stopped the SMS Remote Control Agent service. Make sure it is not started. Then complete this procedure from Computer 1, using the SMS Administrator console.

  1. In the SMS console tree, expand Collections, then click All Systems.
     The list of discovered resources in the site appears in the details pane.

  2. In the details pane, click COMPUTER2, select the Action menu, and then choose All Tasks.
     A menu appears.

  3. Select Start Remote Tools.
     The Remote Tools window appears as the remote control connection is attempted to Computer 2. The Attempting to Connect with COMPUTER2 message box appears indicating the connection to the remote client computer failed.

  4. Click Cancel.

In the following steps, you will use Windows NT diagnostics to determine if the client computer's Remote Control Client Agent is started. This procedure starts from the All Systems collection in the SMS console tree.

  1. In the details pane, click COMPUTER2, select the Action menu, and then choose All Tasks.
     A menu appears.

  2. Select Start Windows NT Diagnostics.
     The Windows NT Diagnostics - \\COMPUTER2 window appears.

     What version of Windows NT is running on Computer 2? Are any service packs applied?

     Answer

  3. Is the SMS Remote Control Agent started on Computer 2?
     Answer

  4. Click OK.

In the following steps, you will start the Remote Control Client Agent on Computer 2. Complete this procedure from Computer 2.

TIP


You can start the SMS Remote Control Agent service using Server Manager on Computer 1. If you are familiar with this procedure, start the service using Server Manager and skip the next two steps.

  1. Log off as USER1, then log on as ADMINISTRATOR with no password.
     Logging on as ADMINISTRATOR is necessary, as users cannot stop and start services.

  2. Start the SMS Remote Control Agent service.
  3. Log off as ADMINISTRATOR, then log on as USER1 with a password of PASSWORD.

In the following steps, you will remotely control Computer 2. Complete this procedure from Computer 1, using the SMS Administrator console and the All Systems collection.

  1. In the details pane, click COMPUTER2, select the Action menu, and then choose All Tasks.
     A new menu appears.

  2. Select Start Remote Tools.
     The Remote Tools window appears as a remote session is established to Computer 2. Notice in the right half of the status bar the status of Remote Control Agent found using TCP. The agent is configured to use Windows Sockets over TCP/IP rather than NetBIOS over TCP/IP.

  3. Click Remote Control (the first button on the toolbar).
     A Remote Control message box appears indicating permission is being requested at the client computer.

  4. From Computer 2, click Yes when the Remote Control Agent message box appears requesting permission for the computer to be remotely controlled by the administrator.

NOTE

The computer may "beep," indicating successful remote control.

  5. On Computer 1, the client computer's desktop appears in the Remote Control window. Experiment with the remote control features.
  6. Close the Remote Control window.
  7. Close the Remote Tools window.

Exercise 38: Using Remote Tools to Solve Problems

In this exercise, you will use the remote functions of SMS 2.0 to solve user support problems.

Scenario One

In this scenario, you will use a remote function to automatically restart Computer 2 after changing a registry setting. As an administrator, you have decided User1 should not be able to shut down the computer without first logging on. You also do not want the last logged-on user name to be displayed, as sometimes you may need to log on remotely to administer the computer. You could change these settings using Remote Control, but do not want the user to see the registry path, so you will change it by opening the registry remotely, and then restarting the computer using SMS.

From Computer 2, click Yes whenever prompted to allow the administrator to perform a remote action. Complete the following steps from Computer 1.

  1. Start REGEDT32.EXE. Then from the Registry menu, choose Select Computer.
     The Select Computer window appears.

  2. Choose COMPUTER2 and click OK.
  3. From the HKEY_LOCAL_MACHINE on COMPUTER2 window, open the following key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON.
  4. Change the ShutdownWithoutLogon value from 1 to 0 and click OK.
  5. Add the DontDisplayLastUserName value name with a type of REG_SZ and a value of 1.
  6. Close the remote registry, then exit Registry Editor.
  7. Use the SMS Remote Tools window to reboot Computer 2. The Reboot button is the second button on the toolbar.
     After you click Yes on Computer 2, a Remote Reboot message box appears on Computer 1, indicating the client computer has acknowledged the reboot request.

  8. Click Yes from Computer 1 to reboot Computer 2.
     Computer 2 is shut down and restarted automatically. Eventually, the Begin Logon message box appears on Computer 2.

In the following steps, you will watch as Computer 2 is restarted. Then you will verify the 'Shutdown' option is not available at logon time. Complete this procedure from Computer 2.

  1. Press CTRL+ALT+DEL to access the Logon Information dialog box.
     The Logon Information dialog box appears. Notice the user name is blank, and the Shutdown option is not available.

  2. Log on as USER1 with a password of PASSWORD.
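
To check the two Winlogon values from this scenario on more than one computer, the script below parses a REGEDIT4-format text export of the Winlogon key and reports any value whose data or type differs from what the exercise sets. It is an added example, not part of the training kit; the function names are illustrative and both sample exports are constructed.

```python
import re

# Key and values from the exercise. The page gives a type (REG_SZ) only for
# DontDisplayLastUserName, so ShutdownWithoutLogon is checked on data alone.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON"
EXPECTED = {
    "ShutdownWithoutLogon": ("0", None),
    "DontDisplayLastUserName": ("1", "REG_SZ"),
}

_SECTION = re.compile(r"^\[(.+)\]$")
_STRING = re.compile(r'^"([^"]+)"="(.*)"$')
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg_export(text):
    """Return {key path (lower case): {value name (lower case): (type, data)}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
        elif current is None:
            continue  # file header line such as REGEDIT4
        elif (m := _STRING.match(line)):
            # String data escapes backslashes and quotes with a backslash.
            data = re.sub(r"\\(.)", r"\1", m.group(2))
            current[m.group(1).lower()] = ("REG_SZ", data)
        elif (m := _DWORD.match(line)):
            current[m.group(1).lower()] = ("REG_DWORD", str(int(m.group(2), 16)))
        # Other value types (hex: and so on) are not needed here and are skipped.
    return keys


def audit_winlogon(text):
    """Return a list of findings; an empty list means both values match."""
    values = parse_reg_export(text).get(WINLOGON.lower(), {})
    findings = []
    for name, (want_data, want_type) in EXPECTED.items():
        if name.lower() not in values:
            findings.append(f"{name}: value missing")
            continue
        got_type, got_data = values[name.lower()]
        if want_type and got_type != want_type:
            findings.append(f"{name}: type {got_type}, expected {want_type}")
        if got_data != want_data:
            findings.append(f"{name}: data {got_data!r}, expected {want_data!r}")
    return findings


# Constructed exports for illustration.
SAMPLE_OK = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ShutdownWithoutLogon"="0"
"DontDisplayLastUserName"="1"
"""

SAMPLE_DRIFT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ShutdownWithoutLogon"="1"
"DontDisplayLastUserName"=dword:00000001
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("drift", SAMPLE_DRIFT)):
        print(label, audit_winlogon(sample) or "matches the exercise settings")
```

The second sample shows the two ways the setting usually drifts: the shutdown value left at 1, and DontDisplayLastUserName created with a type other than the REG_SZ the exercise calls for.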

Scenario Two

In this scenario, you will use a remote function to force a check disk of the client computer's hard disk. USER1 does not have permission to perform a check disk procedure locally. Through the remote session, you will send the output from CHKDSK.EXE to a text file that will be collected later.

From Computer 2, you should click Yes whenever prompted to allow the administrator to perform a remote action. Complete this procedure from Computer 1.

  1. Open the Remote Tools window for Computer 2.
  2. Click Remote Execute (the fifth button on the toolbar).
     The Run Program at User's Workstation dialog box appears.

  3. In the 'Command Line' field, type cmd /c chkdsk c: > c:\disk.log and then click Run.
     After clicking Yes on Computer 2, the command executes, then generates a log file on Computer 2.

  4. Click Close to close the Run Program at User's Workstation dialog box.

In the following steps, you will use the SMS file transfer utility to transfer the log file generated by CHKDSK.EXE to Computer 1.

The user logged on at Computer 2 should click Yes whenever prompted to allow the administrator to perform a remote action on their client computer. Complete this procedure from Computer 1.

  1. In the Remote Tools window for Computer 2, click File Transfer (the fourth button on the toolbar).
     The Remote Tools - File Transfer - COMPUTER2, ipaddress:1761 window appears. Inside the window, local files (Computer 1) appear in the top pane, and the remote computer's (Computer 2) files appear in the bottom pane. The top pane is called the Console pane, and the bottom pane is called the Remote Machine pane.

  2. In the Console list box, select D:\.
  3. In the Remote Machine list box, select C:\DISK.LOG, and then click the Copy Selected Files button.
     The file is copied from Computer 2 to Computer 1.

  4. Close the Remote Tools window.
  5. View the contents of D:\DISK.LOG with a text editor.

Scenario Three

In this scenario, you will use a remote function to establish a chat session with the user, and then complete a client configuration request using remote control. As a user, the logged-on account at the client computer does not have permission to complete the configuration. As a result, the SMS administrator will remotely control the client computer to implement the change.

From Computer 2, click Yes whenever prompted to allow the administrator to perform a remote action. Complete the following two steps from Computer 2.

  1. In the Control Panel, double-click the Date/Time icon.
     A Date/Time Properties message box appears indicating that the user cannot change the date and time. These options can only be set by an administrative user.

  2. Click OK, then close the Control Panel.

In the following steps, the SMS administrator will establish a remote chat session with Computer 2 to determine the exact configuration change that must be implemented. Complete this procedure from Computer 1.

  1. Open the Remote Tools window for Computer 2.
  2. Click Chat (the third button on the toolbar).
     After the user at Computer 2 clicks Yes, the remote user's typing area appears in the top of the Remote Tools window. The local user's typing area appears in the bottom pane of the Chat window.

  3. Complete the chat session at each computer using the following information. Type the text in order, from top to bottom.

     Computer     Text to type
     Computer 1   How can I help you?
     Computer 2   I need to verify my time zone is set correctly.
     Computer 1   Okay, I need you to allow me to log on remotely to your computer to verify that for you.
     Computer 2   That's fine, I'll permit it.

  4. Click Exit Chat.
     The Remote Tools window displays a blank screen.

In the following steps, the administrator will establish a remote control session with Computer 2 to change the client computer's time/date settings. Complete these steps from Computer 1.

  1. In the Remote Tools window, click Remote Control.
     After clicking Yes at Computer 2, the Remote Control window displays the client computer's desktop.

  2. Attempt to change the date.
     A Date/Time Properties message box appears indicating the user cannot change the date and time. These options can only be set by an administrator. Even though you are an administrator, Remote Control operates in the context of the logged on user, who is a local user at the remote client computer.

  3. Click OK, but do not end the remote control session.
  4. Click the gold key icon on the top of the Remote Control window toolbar.
     The Windows NT Security dialog box appears.

  5. Click Logoff.
     The Logoff Windows NT dialog box appears.

  6. Click OK.
     The local user is logged off, and the Begin Logon dialog box appears.

  7. Click the gold key icon, then log on as ADMINISTRATOR with no password.
     Normally, an administrator would not allow a user to watch the logon process or view an administrative user account name. However, in this case, assume the client computer was a server in a server room with no one logged on. The same procedure can be used to log on remotely to the server.

  8. In the Control Panel, double-click the Date/Time icon.
     The Date/Time Properties dialog box appears. Notice that no error appears, as you are logged on as an administrator of the local computer. Also notice the Current time zone option is listed.

  9. Verify that you can change the time and the date settings.
  10. Click Cancel so that any changes that you made are not saved.
  11. Close the Control Panel, then use the gold key icon to log off as administrator.
  12. Close the Remote Control window.
      The Remote Tools window displays a blank screen.

  13. Close the Remote Tools window.

Using Remote Tools with TCP/IP and NetBIOS

The SMS remote functions communicate over NetBIOS using any of the core transport protocols, IPX, or Windows Sockets over TCP/IP. If NetBIOS is used, the remote tools utilities register and use special NetBIOS names to communicate between the viewing computer and the client computer.

The remote tools initialize communication with each other by performing a NetBIOS name look-up to find each client computer. While broadcasts are not efficient from a network perspective, they are used as a standard look-up method for NetBIOS communication using the NetBEUI or NWLink protocols, since they simplify protocol configuration. TCP/IP, on the other hand, was designed to be a robust, configurable protocol in order to scale to large network implementations. Most TCP/IP routers connecting multiple networks are not configured to forward broadcasts, since such a connection would be inefficient for large networks. So, additional configuration is necessary to operate Remote Tools using NetBIOS over TCP/IP in a multi-segment network.

TIP


Use Windows Sockets over TCP/IP so that Remote Tools doesn't depend on WINS or LMHOSTS name resolution.

Using WINS

SMS takes advantage of WINS on Windows NT to offer seamless remote access across a WAN without the need to manually edit and maintain LMHOSTS files. When the Remote Tools program is run, it checks with the WINS server to determine the client computer's IP address, then uses this address to establish communications.

Configuring the LMHOSTS File

If you do not have a WINS server and want to use NetBIOS over TCP/IP, you will need to configure the LMHOSTS file on the viewing computer. Windows NT contains a file called LMHOSTS.SAM located in winnt_root\SYSTEM32\DRIVERS\ETC which, when renamed to LMHOSTS, allows remote NetBIOS names to be resolved. The LMHOSTS file contains NETBIOS names mapped to IP addresses.

Follow these rules when adding or editing entries in the LMHOSTS file:

The following are LMHOSTS entries for a viewing computer to support a single client computer:

<IP address><tab>"<client name> A" (Letter A enables chat)

<IP address><tab>"<client name> C" (Letter C enables remote control)

<IP address><tab>"<client name> E" (Letter E enables file transfer)

The following are examples of three entries to support a client computer named SMS_Client with an IP address of 130.20.37.30:

130.20.37.30 "SMS_Client A"

130.20.37.30 "SMS_Client C"

130.20.37.30 "SMS_Client E"
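
The script below audits an LMHOSTS file against the entry format shown above: it groups the quoted entries by client, lists which remote functions (chat, remote control, file transfer) have no entry, and flags a client whose entries point at different IP addresses. It is an added example, not part of the training kit; it assumes one or more spaces between the client name and the letter and standard `#` comments, and the sample file contents are constructed.

```python
import ipaddress
import re

# Suffix letter -> remote function, as listed on the page.
FUNCTIONS = {"A": "chat", "C": "remote control", "E": "file transfer"}

# <IP address> <whitespace> "<client name> <letter>" with an optional # comment.
_ENTRY = re.compile(r'^(\S+)\s+"(.+?)\s+([A-Za-z])"\s*(?:#.*)?$')


def parse_lmhosts(text):
    """Return ({client: {letter: ip}}, [problems]) for quoted Remote Tools entries."""
    clients, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or '"' not in line:
            continue  # blank line, comment, or ordinary unquoted host entry
        m = _ENTRY.match(line)
        if not m:
            problems.append(f"line {lineno}: quoted entry has no single suffix letter")
            continue
        ip, name, letter = m.groups()
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"line {lineno}: bad IP address {ip!r}")
            continue
        if letter not in FUNCTIONS:
            problems.append(f"line {lineno}: suffix {letter!r} is not A, C or E")
            continue
        seen = clients.setdefault(name, {})
        if seen and ip not in seen.values():
            # The same client resolving to two addresses sends one remote
            # function to a different machine than the others.
            problems.append(f"line {lineno}: {name} already mapped to a different IP")
        seen[letter] = ip
    return clients, problems


def missing_functions(clients):
    """Return {client: [functions with no entry]} for clients lacking any of A, C, E."""
    report = {}
    for name, seen in clients.items():
        gaps = [FUNCTIONS[letter] for letter in FUNCTIONS if letter not in seen]
        if gaps:
            report[name] = gaps
    return report


# Constructed sample, not from a real network.
SAMPLE_LMHOSTS = """\
# viewing computer LMHOSTS
130.20.37.30    "SMS_Client A"
130.20.37.30    "SMS_Client C"
130.20.37.30    "SMS_Client E"
130.20.37.41    "LAB_PC2 A"
130.20.37.42    "LAB_PC2 C"
130.20.37.50    FILESRV    #PRE
130.20.37.300   "LAB_PC3 C"
"""

if __name__ == "__main__":
    found, issues = parse_lmhosts(SAMPLE_LMHOSTS)
    print(missing_functions(found))
    print("\n".join(issues))
```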

Using Remote Tools Over RAS

Oftentimes remote support must extend beyond the reach of the LAN or high-speed WAN. By leveraging the capabilities of Microsoft's Remote Access Services (RAS), you can help users via a modem, X.25, ISDN, or SNA connection to the network. RAS adds an additional layer of configuration to run SMS Remote Tools.

The following are the requirements for monitoring and controlling supported client computers through RAS:

Manual and Automatic RAS Connections to Remote Sites

Figure 6-11 shows the configuration necessary for an administrator to provide support via an RAS connection to a client computer. In this case, a Windows NT/2000 computer, with the SMS Administrator console and RAS client software installed, initiates a connection with an RAS server. After a connection has been made, the administrator selects the client computer from a collection in the SMS console tree to provide remote support.

Figure 6-11. Providing remote support by means of an RAS connection.

SMS can also provide support to client computers at another SMS site that is connected using RAS. To do this, a RAS sender must be configured for access to the remote client computer's site. Senders are discussed in Chapter 11, "Site-to-Site Communications." Once a sender is configured between the sites, any Remote Tools utility can be started from the SMS Administrator console. Starting the utility will initiate an automatic RAS connection to the site, and access to the client computer is gained.

If the site address for a client is an RAS address, SMS uses GATEWAY.DLL to make an automatic RAS connection and gain access to the client computer. GATEWAY.DLL initiates the RAS connection to the remote LAN and authenticates the user by communicating with an RAS server that exists on the same LAN as the client computer. When the work is done, the Remote Tools utility terminates and GATEWAY.DLL disconnects the remote LAN, closes the RAS session, and frees up the port and modem.

RAS Connection Support

Remote Tools supports NetBEUI, TCP/IP over NetBIOS or Windows Sockets, and NWLink IPX/SPX over RAS. Native NetWare client computers are not supported. Modem, ISDN, X.25, and SNA networks are supported. In addition, the Point-to-Point Tunneling Protocol (PPTP) available in Windows NT version 4.0 and later can be used to establish a RAS connection. PPTP allows Remote Tools to establish a connection to the remote network by using the Internet rather than a long-distance dial-up connection. However, the additional overhead requires higher bandwidth (greater than 28.8 Kb/s) for acceptable performance of Remote Tools.

Setting Remote Access Properties at the Client Computer

If the administrator allows adjustments to be made to the Remote Tools Client Agent, the user at the client computer can set remote access settings using the Remote Control application accessed via the Control Panel. If adjustments to the client agent are not made, the agent will use the site default settings (administrator settings). Figure 6-12 shows the steps to follow on a client computer to change remote control settings. Run the Remote Control application (step 1), select either the General tab or the Notification tab (step 2), then clear the 'Use administrator settings' checkbox (step 3). If you are modifying settings on the General tab, click the Settings button (step 4). The Notification tab contains checkboxes and radio buttons that control how you are notified of a remote session.

Figure 6-12. Navigating the Remote Control application to reconfigure Remote Tools Client Agent settings.

NOTE


If the user disables all Remote Tools functions, when the administrator connects to the client computer, the remote tools utilities will not be available. If this becomes a common occurrence in your network, consider enabling the 'Clients cannot change Policy and Notification settings' checkbox on the General tab of the Remote Tools Client Agent.

If the 'Clients cannot change Policy and Notification settings' checkbox is not selected, the user can change the following site default settings:

Exercise 39: Configuring Client-Specific Remote Session Settings

In this exercise, you will configure the site-wide Remote Tools setting that allows individual users to set specific configuration values at the client computer.

  1. In the SMS console tree, select the Site Settings node and then select the Client Agents node.
     The list of client agents appears in the details pane.

  2. In the details pane, select Remote Tools Client Agent. Then from the Action menu, choose Properties.
     The Remote Tools Client Agent Properties dialog box displays general settings for the Remote Control Client Agent.

  3. Clear the 'Clients cannot change Policy or Notification settings' checkbox, then click OK.
     The SMS Administrator console appears.

  4. To verify the Remote Tools Client Agent reconfiguration, view the contents of CAP_S01\CLICOMP.BOX.
     Notice the date and time stamp of REMCTRL.CFG. When this file is updated to the current date and time, the site server has replicated the updates to the CAP.

Complete this procedure from Computer 2.

  1. Log on as ADMINISTRATOR with no password.
  2. In the Control Panel, double-click the Systems Management icon.
     The Systems Management Properties dialog box appears.

  3. Select the Sites tab.
     The Systems Management Properties dialog box displays the sites in which the local client computer is a member. The only site listed should be the S01 site.

  4. Click Update Configuration, then click OK.
     The SMS client software is executed and the Remote Tools Client Agent settings are updated.

  5. In the Control Panel, double-click the Remote Control icon.
     The Remote Control Properties dialog box appears. Notice that administrator settings are listed. Also notice that in the lower left corner of the dialog box the 'Use administrator settings' checkbox is selected, indicating that settings are specified by the site administrator, but the local user can modify the settings.

  6. If the settings have not been updated, you can run windir\MS\SMS\CLICOMP\REMCTRL\RCCLICFG.EXE from Computer 2, which will manually update the settings instead of waiting for SMS to do so. It takes up to one hour for SMS to process the change.
  7. Clear the 'Use administrator settings' checkbox.
     To allow the local user to control remote control activity, the Remote Control Properties dialog box displays all configuration settings as 'enabled.' Notice under 'Level of remote access allowed' that the default setting is Limited.

  8. Click Settings.
     The Limited Remote Control Settings dialog box appears, allowing the local user to configure the remote control features to be allowed on the local client computer.

  9. Clear the 'View your screen and control your keyboard and mouse' checkbox, then click OK.
     The Remote Control Properties dialog box appears.

     Click OK, then close the Control Panel.

  10. From Computer 1, open the Remote Tools window for Computer 2.
      Notice that the Remote Control icon is not available.

  11. Close the Remote Tools window.
  12. Reset Computer 2 so that remote control is allowed.
