EMS additional crib notes
See also Mark's 70-296 weblinks (where this stuff came from)
70-296 Exam Objectives Outline with more exam objectives
Table 5.1 Choosing In-Band or Out-of-Band Tools
| During This Operating State | For This Type of Task | Use This Type of Tool |
|---|---|---|
| System powering on or off, or resetting | Power up, power down, reset | Out-of-band and in-band with Remote Desktop for Administration |
| Firmware initializing | Configure firmware, troubleshoot, restart | Out-of-band with supporting firmware |
| Operating system loading | Choose operating system to start, troubleshoot | Out-of-band, including Emergency Management Services |
| Text mode setup | Monitor, troubleshoot | Out-of-band, including Emergency Management Services |
| GUI mode setup | Monitor, troubleshoot | Out-of-band, including Emergency Management Services |
| Operating system fully functional | Monitor, troubleshoot, modify configuration settings | In-band |
| Operating system not responding on network | Troubleshoot, restart | Out-of-band, including Emergency Management Services |
| Stop message occurred | Troubleshoot, restart | Out-of-band, including Emergency Management Services |
| System extremely slow responding on network | Troubleshoot, restart | In-band and out-of-band, including Emergency Management Services |
Table 5.2 Common Remote Management Tools
| Tool | Key Characteristics |
|---|---|
| Telnet | Command line; efficient and versatile; provides interoperability in mixed environments; in general, not secure |
| Windows Management Instrumentation Command-line (WMIC) | Customized applications and command-line scripts for remote management |
| Windows Script Host (WSH) | Customized scripts for remote management |
| Microsoft Management Console (MMC) | Multiple sessions; variety of snap-ins for various administrative tasks |
| Remote Desktop for Administration | GUI; multiple sessions; high resource usage |
| Group Policy | Efficient way to manage a variety of settings for groups of servers |

The Windows Server 2003 32-bit version of Telnet does not support secure logon, while the 64-bit version provides secure logon by using NTLM authentication. Some versions of Telnet provided with terminal concentrators also support secure logon. Telnet does not support encryption.
To configure a server for out-of-band management, you need to consider software, firmware, and hardware. Emergency Management Services, which is included with Windows Server 2003, is the principal out-of-band component. With only Emergency Management Services and a serial port, you can manage most Windows Server 2003 operating states. When you combine Emergency Management Services with supporting firmware and hardware components, you can also perform tasks ranging from powering up computers to recovering unresponsive systems — everything, in fact, except for replacing and installing hardware.
The following tools and components work with Emergency Management Services to support out-of-band remote management:
- Firmware — BIOS for x86-based computers or EFI for Itanium-based computers — that provides console redirection
- Serial ports and modems
- Terminal concentrators
- Service processors
- Intelligent UPSs or intelligent power switches
Table 5.3 Components Required for Out-of-Band Situations
| Operating State or Task | Type of Tool |
|---|---|
| Windows Server 2003 is starting | Emergency Management Services |
| Server fails to fully initialize | Emergency Management Services |
| Administrator needs to run Recovery Console | Emergency Management Services |
| Server is not functioning due to stop message | Emergency Management Services |
| System is low on resources, resulting in slow or no response to requests | Emergency Management Services |
| Network stack has malfunctioned or failed | Emergency Management Services |
| System is not responding on the network | Emergency Management Services |
| System is not responding on the network or to Emergency Management Services | Service processor |
| System is powered down | Wake-on-LAN network adapter*, intelligent UPS, intelligent power switch, or service processor |
| BIOS is conducting POST | Redirecting firmware or service processor |
| Change firmware configuration settings | Redirecting firmware or service processor |
| Operating system installation by using RIS | Emergency Management Services (see "Selecting the Installation Method" later in this chapter) |

Some trade-offs you might experience with out-of-band components include:
- Limited maximum throughput.
- No GUI support.
- Optionally, additional hardware requirements.
Emergency Management Services features are available when the Windows Server 2003 loader or kernel is at least partially running. You can access all Emergency Management Services output by using terminal emulator software that supports VT100, VT100+, or VT-UTF8 protocols on the management computer, although VT-UTF8 is the preferred protocol.
When Emergency Management Services is enabled:
- Console redirection automatically sends output to the out-of-band port for any supported operating state, as indicated in Table 5.4.
- You can use SAC to issue supported commands or switch to the command shell (cmd.exe) whenever the kernel is running.
- You can view logs during the GUI-mode phase of Setup.
- !SAC automatically becomes available whenever a system failure occurs.
Table 5.4 shows when you can use Emergency Management Services features for remote management, with or without special out-of-band hardware.
Table 5.4 Using Emergency Management Services Features
| Task | Feature |
|---|---|
| Selecting operating system during system load | Console redirection |
| Running Recovery Console | Console redirection |
| Viewing text mode setup messages | Console redirection |
| Viewing GUI mode setup messages | SAC, including setup logs |
| Viewing RIS loading messages | Console redirection |
| Viewing Stop error messages | Console redirection |
| Monitoring and managing with out-of-band connections | SAC |
| Performing last-resort system recovery | !SAC |

Emergency Management Services Console Redirection
Emergency Management Services console redirection redirects the output from supported Windows Server 2003 functions to the out-of-band port. When Emergency Management Services is enabled, you can perform remote management through the out-of-band port, as shown in Table 5.5.
Table 5.5 Emergency Management Services Console Redirection
Managed Operating State / Example Tasks
Windows Server 2003 Loader
- Select the operating system to load on x86-based multiple-boot systems.
- Verify the load of Windows Server 2003 components before in-band tools become available.
Kernel at least partially functioning
- Perform SAC commands, such as changing the priority of a process.
- Perform !SAC commands, such as viewing Stop messages when a system problem occurs.
Recovery Console running
- Troubleshoot startup problems.
Text-mode Setup
- View Windows Server 2003 Setup progress.
- Respond to text-mode Setup prompts.
GUI-mode Setup
- Perform SAC commands and monitor setup logs.
RIS-based Setup
- Respond to the F12 prompt to initiate RIS-based Setup.
Note
- You must have firmware redirection to view server information before the Windows Server 2003 operating system starts.
Special Administration Console
When Emergency Management Services is enabled, SAC is always available through the specified out-of-band port, as long as the Windows Server 2003 kernel is running. You can use SAC at any time to carry out out-of-band management commands during the following system operating states:
- Normal system operation
- Windows Server 2003 components initialization
- Safe mode
- GUI-mode during Windows Server 2003 Setup
The SAC prompt appears when you connect to a server that is running Emergency Management Services. The SAC command-line environment supports a specific set of commands. For information about SAC commands, see "Special Administration Console (SAC) and SAC commands" in Help and Support Center for Windows Server 2003.
Using SAC, you can perform management tasks such as the following:
- Gathering server information, such as computer name and IP address.
- Changing a server’s TCP/IP networking information to resolve issues caused by incorrect parameters or a duplicate IP address.
- Obtaining a list of processes and threads running on the computer to determine if they are causing a system performance problem, if you cannot perform this task by using in-band tools.
- Raising or lowering the priority of a process, or ending a process that is consuming excessive server processor resources or other system resources to eliminate performance issues.
- Restarting or shutting down a server as part of an unplanned maintenance task, when the in-band mechanism fails.
- Setting the system time and date, for example, for Kerberos authentication.
- Starting a command shell and running text-based tools, and switching between the command prompt and SAC.
- Viewing setup logs during GUI mode setup and switching between the setup logs and SAC.
!Special Administration Console
When Emergency Management Services is enabled and a system failure occurs, !SAC — an abbreviated form of SAC — automatically replaces SAC as the command-line environment. For information about !SAC commands, see "!Special Administration Console (!SAC) and !SAC commands" in Help and Support Center for Windows Server 2003.
Important
- !SAC is not available if the debugger is running or the system is set to restart automatically when Stop errors occur.
Using !SAC, you can perform tasks such as the following:
- View redirected Stop messages.
- Display computer identification information.
- View an abbreviated log of loaded drivers and some kernel events.
- Restart the computer.
The serial port, also known as a COM port, is the most common out-of-band interface. It is the default out-of-band device for Emergency Management Services.
To use the serial port as an out-of-band device with Emergency Management Services, it must meet the following requirements:
- The serial port must be a standard 16450 or 16550 Universal Asynchronous Receiver/Transmitter (UART) device. Windows Server 2003 tests the device for compliance before using it with Emergency Management Services.
- The serial port interface must be provided by hardware, not by a Windows driver.
- If the system firmware is compatible with Emergency Management Services, the firmware and the serial port must be configured to use the same serial port settings.
- A kernel debugger cannot share the same COM port. To avoid this problem, disable kernel debugging on servers with Emergency Management Services enabled.
- The serial port must be the only out-of-band management port. Emergency Management Services does not support one out-of-band port for outbound communication and a second port for inbound communication.
The modem(s) must be configurable and must not rely on initialization. Emergency Management Services does not initialize the modem, so you must configure the modem to answer or dial back automatically and pass all serial data through unchanged.
If your terminal concentrator does not support authentication and encryption, consider using one of the following techniques to secure the connection:
- Use a secondary private management network that you can access with direct-dial remote access or with a VPN connection.
- Use a router to secure the network traffic.
- Use SSH, if the terminal concentrator supports it, instead of Telnet to provide authentication and encryption.
Console redirection provided by system firmware (either BIOS for x86-based computers or EFI for Itanium-based computers) provides out-of-band access to server information before the Windows Server 2003 operating system starts. Firmware console redirection works together with Emergency Management Services console redirection to provide out-of-band support for any operating state.
If your firmware does not provide console redirection — and you do not have a service processor that provides console redirection, as described later in this chapter — you cannot remotely manage servers during the time between system restart and the initial loading of the Windows Server 2003 operating system.
- Firmware console redirection typically redirects only during text mode, not during GUI mode.
By using firmware console redirection, you can perform the following out-of-band tasks from a remote computer:
- View server status before the operating system starts up. For example, you can view POST status or disk-related error messages. Firmware console redirection typically allows the POST to complete without a local keyboard, mouse, or monitor.
- View and make modifications to firmware settings, such as disabling a peripheral device or changing boot sequence, with the built-in firmware configuration program.
- View master boot record (MBR) errors.
- Start a RIS-based setup by responding to the F12 network boot prompt. This support is required only if the F12 prompt is presented by the firmware.
- Boot the computer from the CD drive by responding to the Press Any Key to Boot from CD prompt.
When assessing firmware console redirection for use in conjunction with Emergency Management Services, verify that the firmware meets the following criteria:
- Shares the serial port with Emergency Management Services and releases control to Emergency Management Services after the Windows operating system starts.
- Supports VT-UTF8, VT100+, or, at minimum, VT100 terminal emulator conventions.
Consider a service processor if you need a high degree of reliability and availability for your servers or you decide to configure your servers for headless operation.
Typically, service processors are integrated into the system motherboard or into an add-in PCI adapter. Servers that have on-board service processors might offer higher out-of-band throughput by using higher-speed serial or Ethernet connections. Service processors operate independently from the main processor, use their own custom firmware, and sometimes include their own power supply. When you connect to a server through an out-of-band connection, you can communicate directly with the service processor.
If you plan to use the service processor with Emergency Management Services, it is recommended that the service processor support these functions:
- Console redirection
- Remote power on and power off
- Remote reset
- Access to Emergency Management Services at all times
To be compatible with Emergency Management Services, make sure that the service processor also meets the following requirements:
- If the service processor uses the serial port as its interface, it must share the serial port with Emergency Management Services and must release control to Emergency Management Services after the operating system has started.
- The UART interface must be described in the SPCR table, or in the EFI console device path for the 64-bit versions of Windows Server 2003.
- It supports VT-UTF8, VT100+, or, at minimum, VT100 terminal emulator conventions.
If the intelligent UPS or intelligent power switch shares the same management channel with Emergency Management Services, the UPS or power switch must passively monitor the serial data stream and respond only when it detects VT-UTF8, VT100+, or VT100 escape sequences that apply to it.
If you plan to use an intelligent UPS or intelligent power switch with Emergency Management Services, the server running Windows Server 2003 must be configured to start automatically when power is applied.
Typically, you use terminal emulation software on the management computer to connect to and communicate with a server through an out-of-band connection. The two most common methods are the following:
- Use Telnet — or a secure alternative such as SSH — to connect to a terminal concentrator through an in-band connection, which then connects to the server through an out-of-band connection.
- Use HyperTerminal to connect directly to the server.
If you use a service processor, it might require specific software to work with it and to interact with Emergency Management Services. For example, manufacturers might provide a Web browser or custom software.
Make sure that the terminal emulation software you use supports serial port and terminal definition settings that are compatible with Emergency Management Services, as well as with your service processor or system firmware. If possible, use terminal emulation software that supports the VT-UTF8 protocol because VT-UTF8 support for Unicode provides for multilingual versions of Windows. If English is the only language you need to support, the VT100+ terminal definition is sufficient. At minimum, you can use the VT100 definition, but this terminal definition requires that you manually enter escape sequences for function keys and so forth.
When you edit the Unattend.txt files, insert the parameters in the [Data] section, as shown in the following table:
[Data] Parameter / Possible values

EMSPort={com1|com2|usebiossettings}
- com1 or com2 (where 1 or 2 specifies serial port 1 or 2). This option is valid for x86-based systems only.
- usebiossettings. This is the default value. This parameter instructs the operating system to detect and use SPCR settings. If you use this parameter and an SPCR table is not present, Emergency Management Services is not enabled.

EMSBaudRate=value
- The default value is 9600 baud, with the values of 19200, 57600, and 115200 possible, depending on the capabilities of the serial port. This must be used with EMSPort= or the parameter is ignored.
Boot Parameters to Enable EMS Redirection
Notes
- When a boot entry is configured for EMS on a computer with BIOS firmware, the boot loader appends a bracketed phrase, [ems enabled], to the friendly name that appears on the boot menu. However, the boot loader omits the bracketed phrase from the boot menu when the friendly name and the bracketed phrase together exceed 70 characters. To restore the bracketed phrase, shorten the friendly name.
- To determine whether a computer has ACPI firmware, use Device Manager (devmgmt.msc). In Device Manager, expand the Computer node. On computers with ACPI firmware, the name of the node under Computer includes the word ACPI.
Enabling EMS on a computer without an ACPI SPCR table
To enable EMS console redirection on a computer that has BIOS firmware, but does not have an ACPI Serial Port Console Redirection (SPCR) table, add the redirect=COMx and the redirectbaudrate= parameters to the [boot loader] section of the boot.ini file. These parameters set the port and transmission rate for EMS console redirection. Use the same port and transmission rate that are established for out-of-band communication in the BIOS. Then, add the /redirect parameter to a boot entry.
The following Bootcfg command enables EMS console redirection on the first boot entry in the list. It sets the port for COM2 and sets the transmission rate to 115,200 kilobits per second (Kbps). These are the same port and baud rate settings that the administrator set in the BIOS for the out-of-band port.
bootcfg /ems ON /port COM2 /baud 115200 /id 1
The following Bootcfg display shows the result of the command. The newly added parameters are displayed in bold type.
Boot Loader Settings
--------------------
timeout: 3
default: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
redirect: COM2
redirectbaudrate: 115200
Boot Entries
------------
Boot entry ID: 1
Friendly Name: "Windows Server 2003, Standard with EMS"
Path: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
OS Load Options: /fastdetect /redirect
The following sample shows the result of the same command on a sample boot.ini file.
[boot loader]
timeout=1
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
redirect=COM2
redirectbaudrate=115200
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="EMS boot" /fastdetect /redirect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003, Standard" /fastdetect
Enabling EMS on a computer with an SPCR table
To enable EMS on a computer with ACPI BIOS firmware and an ACPI SPCR table, you can either use the redirect=USEBIOSSETTINGS parameter or the redirect=COMx and redirectbaudrate= parameters. Then, you can add the /redirect parameter to a boot entry.
The following example demonstrates use of the redirect=USEBIOSSETTINGS parameter. The following Bootcfg command enables EMS console redirection on the first boot entry in the list.
bootcfg /ems ON /port BIOSSET /id 1
The following Bootcfg display shows the result of the command. The newly added parameters are displayed in bold type.
Boot Loader Settings
--------------------
timeout: 1
default: multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
redirect:USEBIOSSETTINGS
Boot Entries
------------
Boot entry ID: 1
OS Friendly Name: EMS boot
Path: multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
OS Load Options: /fastdetect /redirect
Boot entry ID: 2
OS Friendly Name: Windows Server 2003, Standard
Path: multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
OS Load Options: /fastdetect
The following sample shows the result of the same command on a sample boot.ini file.
[boot loader]
timeout=1
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
redirect=USEBIOSSETTINGS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="EMS boot" /fastdetect /redirect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003, Standard" /fastdetect
Enabling EMS on a computer with EFI firmware
To enable EMS on a computer with EFI firmware, use Bootcfg to add the /redirect parameter to a boot entry. Windows finds the out-of-band port and its settings in the firmware by reading the SPCR table and uses the same port and rate for EMS console redirection.
The following Bootcfg command enables EMS redirection on an Itanium-based computer. It uses the Bootcfg /ems switch with the ON argument to add the /redirect parameter to the boot entry. The /id switch identifies the boot entry.
bootcfg /ems ON /id 1
The following Bootcfg display of boot options in EFI NVRAM shows the result of the Bootcfg command. The first boot entry is configured to load the operating system with EMS console redirection enabled.
Boot Options
------------
Timeout: 30
Default: \Device\HarddiskVolume3\WINDOWS
CurrentBootEntryID: 1
Boot Entries
------------
Boot entry ID: 1
OS Friendly Name: Windows Server 2003, Enterprise with EMS
OsLoadOptions: /fastdetect /redirect
BootFilePath: \Device\HarddiskVolume1\EFI\Microsoft\WINNT50\ia64ldr.efi
OsFilePath: \Device\HarddiskVolume3\WINDOWS
Changing EMS settings on a computer with BIOS firmware
When you configure EMS on a single boot entry, add the redirect= parameter to the [boot loader] section of the boot.ini file. However, when you enable EMS on additional boot entries, you do not need to add the redirect= parameter again. Like all entries in the [boot loader] section, redirect= (and redirectbaudrate=) applies to all boot entries on the computer.
The following Bootcfg command enables EMS on the second boot entry. Because the port and baud rate are already set, there are no /port or /baud switches in the command.
bootcfg /ems ON /id 2
To change the port and baud rate settings, use the Bootcfg /ems switch with the EDIT argument. The following command changes the EMS port to COM1 and changes the baud rate to 57,600 Kbps.
bootcfg /ems EDIT /port COM1 /baud 57600
To disable EMS on a boot entry, use the Bootcfg /ems switch with the OFF argument. The following command disables EMS on the first boot entry.
bootcfg /ems OFF /id 1
If EMS is not enabled on any other boot entries, Bootcfg also deletes the EMS port and baud rate settings from the [boot loader] section of the boot.ini file.
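The boot.ini rules above can be checked offline against a collected file. The following is an added example, not code from the original notes or from Bootcfg: it flags /redirect without a [boot loader] redirect= line, redirect= with no EMS-enabled entry, kernel debugging on an EMS entry (including a debugger on the same COM port), and friendly names too long for the [ems enabled] tag. Assumptions: the function names and sample file are constructed, /debug and /debugport= are the standard boot.ini kernel-debugging switches (not shown on this page), entry IDs follow file order, and the 70-character count uses no separator.

```python
import re

EMS_TAG = "[ems enabled]"  # phrase the boot loader appends to the friendly name
MENU_LIMIT = 70            # name + tag longer than this: the tag is not shown

def parse_boot_ini(text):
    """Split boot.ini text into [boot loader] settings and boot entries."""
    loader, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")  # paths contain no '='
        if not sep:
            continue
        if section == "boot loader":
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            m = re.match(r'"([^"]*)"\s*(.*)', value.strip())
            name, opts = (m.group(1), m.group(2)) if m else (value.strip(), "")
            entries.append({"id": len(entries) + 1, "name": name,
                            "options": opts.lower().split()})
    return loader, entries

def audit_ems(text):
    """Return (entry_id, finding) tuples; entry_id 0 means [boot loader]."""
    loader, entries = parse_boot_ini(text)
    port = loader.get("redirect", "").upper()
    ems = [e for e in entries if "/redirect" in e["options"]]
    findings = []
    if port and not ems:
        findings.append((0, "redirect= is set but no boot entry has /redirect"))
    for e in ems:
        if not port:
            findings.append((e["id"], "/redirect without redirect= in [boot loader]"))
        # Assumption: /debugport=COMx names the kernel debugger's serial port.
        dbg = next((o.split("=", 1)[1].upper() for o in e["options"]
                    if o.startswith("/debugport=")), None)
        if dbg and dbg == port:
            findings.append((e["id"], f"kernel debugger shares {port} with EMS"))
        elif dbg or "/debug" in e["options"]:
            findings.append((e["id"], "kernel debugging enabled on an EMS entry"))
        # Assumption: no separator is counted between the name and the tag.
        if len(e["name"]) + len(EMS_TAG) > MENU_LIMIT:
            findings.append((e["id"], "friendly name too long for [ems enabled] tag"))
    return findings

# Constructed sample, modelled on the BIOS/COM2 boot.ini shown earlier.
SAMPLE_BOOT_INI = r'''
[boot loader]
timeout=1
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
redirect=COM2
redirectbaudrate=115200
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="EMS boot" /fastdetect /redirect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003, Standard" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Debug with EMS" /fastdetect /redirect /debug /debugport=COM2
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows Server 2003, Standard Edition - maintenance boot with EMS console" /fastdetect /redirect
'''

if __name__ == "__main__":
    for entry_id, finding in audit_ems(SAMPLE_BOOT_INI):
        print(f"entry {entry_id}: {finding}")
```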
Troubleshooting EMS
Important
- You can use the approaches provided in this topic to troubleshoot Emergency Management Services components, not to troubleshoot your system. For information about using Emergency Management Services to troubleshoot your system, see How to.
What problem are you having?
The out-of-band port is briefly unavailable; no status information appears.
Status information appears, but Emergency Management Services does not respond to terminal input.