I’ve seen it more times than I can count. A company starts with a simple network of about ten PCs, a few clueless users, and an administrator who’s just starting to get into the whole networking thing. At first, things go really well, but the company begins to grow rapidly. Before too long, the network has a hundred clueless users who are all constantly calling the novice administrator with trivial questions. In spite of the simplicity of the users’ problems, the administrator is pulling his hair out because in the amount of time it takes him to travel to each user’s desk, more calls have come in. I’ve personally fought this losing battle and know from experience that it’s no fun.
Fortunately, there are ways to ease the administrative burden. One such technique involves implementing a remote administration strategy. Which strategy you choose will depend on several factors. In this Daily Drill Down, I’ll explain the factors you should consider, and I’ll discuss several methods of remote administration.
Issues to consider
As I mentioned earlier, you must consider several issues when deciding which remote administration method you want to use. Perhaps the most important of these issues are the two Bs of networking: bandwidth and budget.
From a bandwidth standpoint, you need to take a look at how much bandwidth you have to spare. If network traffic is already slowing down your users, then you sure don’t want to implement a remote administration solution that will slow things down even more. On the other hand, if you have plenty of bandwidth to spare, then you can do some really cool things, as I’ll explain later.
When it comes to budget, you must determine what kind of remote administration solution you can afford. As you’ve probably already guessed, the most comprehensive remote administration solutions are also the most expensive. For the financially challenged, fear not—there are several free ways to remotely administer your network.
Full remote administration
When most people think of remote administration, they have visions of being able to see what the user is looking at and to take control of the user’s machine, all in real time. This is what full remote administration is all about. Unfortunately, implementing a full remote administration solution is expensive and consumes lots of bandwidth. On the bright side, though, it’s easy to implement on most medium-sized networks.
There are lots of ways to implement a full remote administration solution. My favorite method involves using Symantec’s pcAnywhere. This method works well on networks that are running TCP/IP but that aren’t divided into separate subnets. All you really have to do is purchase a copy of pcAnywhere for each PC that you want to have administrative capabilities on.
The setup process is simple. A wizard guides you through most of the options. Just configure the clients in such a way that they are set to always wait for a call from across the network (not using a modem). The clients should also be set up so that the Administrator has permission to take control of them once a remote session has been established.
When you load pcAnywhere on the Administrator’s machine, set it up to use the network as a communications medium instead of using a modem. When you go to connect a remote session, all you’ll have to do is select the PC that’s having trouble from a list of available PCs and you’re connected.
Of course, such a setup comes with inherent security risks. If security is a priority in your organization, you should carefully examine any possible remote access solution for security risks before you begin implementing it. For example, if the pcAnywhere solution sounds like something that you might be interested in, you might try loading it on two or three PCs and testing how well it holds up in your environment before you attempt to implement it across the entire organization.
Remote administration on a budget
If you want to implement a full remote administration solution but don’t have the budget, there’s a way to do it for free. Just remember that you get what you pay for. Windows 98 comes with a tool called NetMeeting that can be used to remotely control another PC on the network.
Before you can use NetMeeting, your network needs to be running TCP/IP as its primary protocol. You must also have a DNS server in place. You can use NetMeeting without a DNS server, but you’ll have to know the IP address of the machine you’re trying to connect to. Unless your network uses static IP addresses, connecting by IP address usually isn’t an option.
When you set up NetMeeting on each PC, you can set it to load at startup and wait for a call. The disadvantage to NetMeeting is that in most environments, the end user must perform some action to allow the remote control before you can begin the remote administration session. This is good from a security standpoint, but not so good if you have a user on the phone who can’t follow directions.
Partial remote administration
So far I’ve discussed remote administration methods that allow you to see everything users are seeing and take control of their machines. However, these methods consume a lot of bandwidth. If bandwidth is a concern, or if you aren’t yet running TCP/IP, you can still remotely perform some tasks. In the remainder of this Daily Drill Down, I’ll show you some techniques you can use to remotely administer some aspects of client machines.
Preparing the workstations
Before you can remotely administer any workstations, you must install the Remote Administration Service on all machines involved, including the machine from which you’ll be doing the remote administration. You must also set up each machine to employ user-level security. Naturally, this means you’ll have to install the file and print sharing services.
Many people view the file and print sharing services as a big security threat. However, in this case, the security risks are minimal for two reasons. First, you’re using user-level security. If you decide to set up a share point on a workstation, not just any idiot with a password can access it. Only users whose usernames have been added to the access list may access the share. Additionally, you may decide whether users on the list should receive read-only access or full read and write permissions to the share.
The second reason that installing these services is safe is that you don’t actually have to share anything. Sure, creating a root-level share on each partition of each workstation is a great way to be able to perform remote file manipulation, but if you’re worried about security, you don’t have to share a thing. Just the simple act of installing the file and print sharing services is enough. This is because installing the services creates two hidden shares that are used by the system. The shares are called Admin$ and IPC$. The IPC$ share gives the computer the ability to create an Interprocess Communication Channel (IPC Channel) between two machines. The Admin$ share gives the Administrator account the ability to access the file system of the workstation.
To enable the share-level security necessary to run the Remote Administration Service, open Control Panel and double-click the Network icon. When you see the Network Properties sheet, click the File And Print Sharing button. When you do, you’ll see the File And Print Sharing dialog box. Select both check boxes and click the OK button. Click OK again to close the Network Properties sheet. The system will copy a few files from your Windows 98 installation media. Once the copy process completes, the system will ask you to reboot your computer.
Once the computer reboots, log in. After you’ve logged in, return to Control Panel and double-click the Network icon once again. When you see the Network Properties sheet, select the Access Control tab. The Access Control tab contains two radio buttons that you can use to establish the type of access control that will apply to share points on the machine. Select the User-Level Access Control radio button and fill in the name of your Windows NT domain in the space provided, as shown in Figure A. Click OK twice to close the dialog box and the Network Properties sheet. You’ll see a warning message that states all existing share points will be destroyed. Click OK to acknowledge the message. At this point, the machine will ask you to reboot once more.
Figure A: Select User-Level Access Control in the Network applet.
The Remote Registry Service
When the computer reboots, you can log in normally. You must now install a service called the Remote Registry Service before you’ll be able to use most of the available remote administration options. There are a couple of different ways to install the Remote Registry Service. I like to use the manual installation method because some other methods have a tendency to grant undesirable permissions.
Begin by opening Control Panel and double-clicking the Passwords icon. When you see the Passwords Properties sheet, select the Remote Administration tab. Next, select the Enable Remote Administration Of This Server check box. Click the Add button and select the names of the people who you want to be able to remotely administer the system. Click OK to close the Passwords Properties sheet.
At this point, you’ve installed all the software necessary to begin remotely administering the system. A wide variety of tools is available for remote administration. Unfortunately, space doesn’t permit me to cover all the tools in this Daily Drill Down. Therefore, I’ll cover the tools in detail next time, in part 2.
In the meantime, though, it’s a good idea to go ahead and test the Remote Administration Service to make sure it’s functional. To do so, select a machine you’ve already installed the Remote Administration Service on. Make a note of that computer’s computer name. Next, verify that you’ve also installed the Remote Administration Service on your machine. You should also make sure that the two machines are running a common protocol and that the login name you’re signed in with has remote administration rights on the machine you’re about to test.
Once you’ve verified this information, open the Registry Editor on your machine by typing REGEDIT at the Run prompt. All of the standard disclaimers apply to the Registry Editor. Making changes to the registry can destroy Windows, your applications, or both. Therefore, don’t change anything in the registry unless you’ve made a backup first and you know exactly what you’re doing.
Once inside the Registry Editor, select the Connect Network Registry command from the Registry Editor’s Registry menu. When you do, you’ll see a dialog box that asks for the name of the remote computer. Enter the computer name of the machine you’re trying to remotely administer. Now, click OK, and you should see that computer’s registry appear. You’re now free to manipulate the remote computer’s registry from the comfort of your desk. Because the registry is the backbone of Windows, you’ll also be able to do many other remote administration tasks, but I’ll talk about those next time.
Remote administration can help to prevent administrators and help desk staff from balding at an early age. In this Daily Drill Down, I’ve discussed some issues to consider when deciding which remote administration strategy is right for you. I also explained how to enable Windows 98’s remote administration features. In part 2, I’ll cover the Windows 98 remote administration tools in detail.
Brien M. Posey is an MCSE who works as a freelance technical writer and as a network engineer for the Department of Defense. If you’d like to contact Brien, send him an e-mail. (Because of the large volume of e-mail he receives, it's impossible for him to respond to every message. However, he does read them all.)