Microsoft KB Archive/90083

INFO: Windows NT Servers in Locked Closets

Q90083

-

The information in this article applies to:


 * Microsoft Win32 Application Programming Interface (API), used with:
 * the operating system: Microsoft Windows NT, versions 3.5, 3.51, 4.0
 * the operating system: Microsoft Windows 2000

-

SUMMARY
Some installations are required to restrict access to a server so that access to the server's keyboard/mouse is unavailable to most personnel. This type of server is referred to as a server in a locked closet.

The server administrators may provide an emergency reset button to end users (for example, factory floor workers) in case the system locks up and no administrators are present. In the case where an emergency reset button cannot be provided, an administrator must come and physically unlock the closet to reset the system. Remote administration is possible if the machine in the locked closet is a node on a network.

Server software can be implemented as a Windows service so that it is not necessary for a user to be interactively logged on to run the software. For Windows in a locked closet, the service should be configured to start automatically during restart.

MORE INFORMATION
Windows NT and Windows 2000 require that the user press CTRL+ALT+DEL to log on. This requirement implies that Windows doesn't lend itself well to the server in a locked closet situation. A user must press CTRL+ALT+DEL and enter a user ID and a password to log on and use the keyboard or mouse to interact locally with a Windows computer. However, it is possible to configure the machine as a server in a locked closet so that an administrator is not required to unlock the door to start software or reset the system. The administrator can configure the system so that services are started automatically during startup. Once all the services are started, the system is fully functional and the administrator does not need to intervene. If certain services fail to come up, but network service does come up, then the system can be remotely administered.

Remote administration is possible, assuming that the required basic system services are running. The computer must be on the network. The procedure requires only Windows Workstation. In other words, Windows Server is not an additional requirement.

Make sure that you have taken the following steps to start system services automatically at system startup and to enable remote administration in case of failure:


 * 1) Use the Service Control Manager to programmatically install any application code that must be started as soon as the Windows NT or Windows 2000 computer restarts.

Write an application that installs the services and specifies that they should be started automatically. To find more information on the Win32 APIs that support Services, search on "Services Overview" in the Win32 SDK Programmer's Reference.

Once this is done, the necessary application code can be made to start automatically upon system restart, without anyone needing to press CTRL+ALT+DEL to log on or to take any other action using the server's local mouse/keyboard.
 * 2) Make sure that the Workstation and Server services start automatically upon restart.

Use the Services application in Control Panel to make sure that both the Workstation and Server services start automatically upon reboot.

This permits an authorized person to remotely administer the system from another computer on the network. Thus, if something from step 1 goes wrong, the administrator still does not need to physically unlock the closet and log on. The administrator can log on to any computer on the network and use the tools on that computer to interact with the server.

For remote administration to be effective, the remote workstation must be logged on to by either a domain user who has administrative privileges to the Windows NT computer in the locked closet, or by a workgroup user who is an administrator of the Windows NT computer in the locked closet.

When you configure Windows for use in a locked closet for a domain network installation, use User Manager (with Windows NT) or the "Local Users and Groups" MMC Snap-in (with Windows 2000) to add a user from the domain to the Administrators Group for the computer. That domain user must log on to a remote machine to administer the machine in the locked closet.

When configuring Windows for use in a locked closet for a workgroup installation, use User Manager or the MMC Snap-in on the remote workstation to create a user with the same name and password as an administrator user of the computer in the locked closet. The remote computer and the computer in the locked closet must be in the same workgroup, domain or a trusted domain to allow remote administration.
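Step 1 above, sketched against the Service Control Manager API. This is an added example, not code from the original article: `quote_service_path` and `install_autostart_service` are hypothetical helper names meant to be called from an installer program, and the path quoting is an addition that follows CreateService's documented requirement for paths containing spaces. The Win32 part compiles only on Windows.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Wrap the executable path in quotes. CreateService needs this when the path
 * contains spaces, so that the whole string is read as one file name.
 * Returns 0 on success, -1 for an empty path, an embedded quote, or no room. */
int quote_service_path(const char *exe, char *out, size_t outlen)
{
    size_t n = strlen(exe);
    if (n == 0 || strchr(exe, '"') != NULL || n + 3 > outlen)
        return -1;
    out[0] = '"';
    memcpy(out + 1, exe, n);
    out[n + 1] = '"';
    out[n + 2] = '\0';
    return 0;
}

#ifdef _WIN32
/* Register an auto-start service. Returns 0, -1 (bad path) or GetLastError(). */
long install_autostart_service(const char *name, const char *exe)
{
    char bin[MAX_PATH + 3];
    SC_HANDLE scm, svc;
    long err = 0;
    if (quote_service_path(exe, bin, sizeof bin) != 0)
        return -1;
    scm = OpenSCManagerA(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
    if (scm == NULL)
        return (long)GetLastError();
    svc = CreateServiceA(scm, name, name, SERVICE_QUERY_STATUS,
                         SERVICE_WIN32_OWN_PROCESS,
                         SERVICE_AUTO_START, /* started at boot, before any logon */
                         SERVICE_ERROR_NORMAL, bin, NULL, NULL, NULL,
                         NULL, NULL);        /* NULL account = LocalSystem */
    if (svc == NULL)
        err = (long)GetLastError();
    else
        CloseServiceHandle(svc);
    CloseServiceHandle(scm);
    return err;
}
#endif
```

Because the service is registered with `SERVICE_AUTO_START`, the Service Control Manager launches it during startup without anyone pressing CTRL+ALT+DEL at the console.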

Remote administration through dial-up telephone lines is available, but requires Microsoft Remote Access Service (RAS). RAS permits a machine to dial over telephone lines into a network, and to become a full participant on the network. In this way, a system dialing in over RAS can be used to remotely administer the system in the locked closet.

Note that while these steps allow servers locked in closets to be restored without local (interactive) administration, it is still preferable to install an uninterruptible power supply (UPS). Servers in locked closets usually need to provide uninterrupted service to their clients, so a UPS is a better solution. The capability to do remote administration serves as a backup in case of failure.

Keywords : kbprogramming kbnokeyword kbKernBase kbOSWinNT310 kbOSWinNT350 kbOSWinNT351 kbOSWinNT400 kbOSWin2000 kbDSupport kbGrpDSKernBase

Issue type : kbinfo

Technology : kbAudDeveloper kbWin32sSearch kbWin32API