INFO: Windows NT Servers in Locked Closets

ID: Q90083

The information in this article applies to:

SUMMARY

Some installations are required to restrict access to a server so that access to the server's keyboard/mouse is unavailable to most personnel. This type of server is referred to as a server in a locked closet.

The server administrators may provide an emergency reset button to end users (for example, factory floor workers) in case the system locks up and no administrators are present. In the case where an emergency reset button cannot be provided, an administrator must come and physically unlock the closet to reset the system. Remote administration is possible if the machine in the locked closet is a node on a network.

Server software can be implemented as a Windows NT service so that it is not necessary for a user to be interactively logged on to run the software. For Windows NT in a locked closet, the service should be configured to start automatically during boot.

MORE INFORMATION

Windows NT requires that the user press CTRL+ALT+DEL to log on. This requirement implies that Windows NT doesn't lend itself well to the server in a locked closet situation. A user must press CTRL+ALT+DEL and enter a user ID and a password to log on and use the keyboard or mouse to interact locally with a Windows NT machine. However, it is possible to configure the machine as a server in a locked closet so that an administrator is not required to unlock the door to start software or reset the system. The administrator can configure the system so that services are started automatically during boot. Once all the services are started, then the system is fully functional and the administrator does not need to intervene. If certain services fail to come up, but network service does come up, then the system can be remotely administered.

Remote administration is possible, assuming that the required basic system services are running. The machine must be on the network. The procedure requires only Windows NT Workstation. In other words, Windows NT Server is not an additional requirement.

Make sure that you have taken the following steps to start system services automatically at system boot and to enable remote administration in case of failure:

1. Use the Service Control Manager to install any application code that

   must be started as soon as the Windows NT machine reboots.

   Write an application that installs the services and specifies that they
   should be started automatically. To find more information on the Win32
   APIs that support Services, search on "Services Overview" in the Win32
   SDK Programmer's Reference.

   Once this is done, the necessary application code can be made to start
   automatically upon system reboot, without anyone needing to press
   CTRL+ALT+DEL to log on or to take any other action using the server's
   local mouse/keyboard.

2. Make sure that the Workstation and Server services start automatically
   upon reboot.

   Use the Services application in Control Panel to ensure that both
   the Workstation and Server services start automatically upon
   reboot.

   This will permit an authorized person to remotely administer the system
   from another machine on the network. Thus, if something from step 1 goes
   wrong, the administrator still does not need to physically unlock the
   closet and log on. The administrator can log on to any machine on the
   network and use the tools on that machine to interact with the server.

For remote administration to be effective, the remote workstation must be logged on to by either a domain user who has administrative privileges to the Windows NT machine in the locked closet, or by a workgroup user who is an administrator of the Windows NT machine in the locked closet.

When you configure Windows NT for use in a locked closet for a domain network installation, use User Manager to add a user from the domain to the Administrators Group for the machine. That domain user must log on to a remote machine to administrate the machine in the locked closet.

When configuring Windows NT for use in a locked closet for a workgroup installation, use User Manager on the remote workstation to create a user with the same name and password as an administrator user of the machine in the locked closet. The remote machine and the machine in the locked closed must be in the same workgroup to allow remote administration.

Remote administration via dial-up telephone lines is available, but requires RAS (Microsoft Remote Access Service). RAS permits a machine to dial over telephone lines into a network, and to become a full participant on the network. In this way, a system dialing in over RAS can be used to remotely administer the system in the locked closet.

Note that while these steps allow servers locked in closets to be restored without an administrator, it is still preferable to install a UPS (uninterruptable power supply). Servers in locked closets usually need to provide uninterrupted service to their clients, so a UPS is a better solution. The capability to do remote administration serves as a backup in case of failure.

Keywords          : kbprg kbnokeyword kbKernBase kbGrpKernBase 
Version           : 3.5 3.51 4.0
Platform          : NT WINDOWS
Issue type        : kbinfo

Last Reviewed: April 13, 1997