Provide a detailed description of the server's policy regarding. Working with administration and routing groups

GPResult utility.exe– is a console application designed to analyze settings and diagnose group policies that apply to a computer and/or user in an Active Directory domain. In particular, GPResult allows you to obtain data from the resulting set of policies (Resultant Set of Policy, RSOP), a list of applied domain policies (GPOs), their settings and detailed information about errors in their processing. The utility has been part of the Windows OS since Windows XP. The GPResult utility allows you to answer the following questions: whether a specific policy applies to the computer, which GPO changed this or that Windows setting, and understand the reasons.

In this article, we will look at the features of using the GPResult command to diagnose and debug the application of group policies in an Active Directory domain.

Initially, to diagnose the application of group policies in Windows, the graphical console RSOP.msc was used, which made it possible to obtain the settings of the resulting policies (domain + local) applied to the computer and the user in a graphical form similar to the console of the GPO editor (you can see below in the example of the RSOP.msc console view, that the update settings are set).

However, it is not advisable to use the RSOP.msc console in modern versions of Windows, because it does not reflect settings applied by various client side extensions (CSEs), such as GPP (Group Policy Preferences), does not allow searching, and provides little diagnostic information. Therefore, at the moment, the GPResult command is the main tool for diagnosing the use of GPO in Windows (in Windows 10, a warning even appears that RSOP does not provide a complete report, unlike GPResult).

Using the GPResult.exe utility

The GPResult command is run on the computer on which you want to check the application of group policies. The GPResult command has the following syntax:

GPRESULT ]] [(/X | /H)<имя_файла> ]

To get detailed information about the group policies that apply to a given AD object (user and computer) and other settings related to the GPO infrastructure (that is, the resulting GPO policy settings - RsoP), run the command:

The results of the command are divided into 2 sections:

COMPUTER SETTINGS (Computer Configuration) – the section contains information about GPO objects acting on the computer (as an Active Directory object);
USER SETTINGS – user policies section (policies that apply to a user account in AD).

Let's briefly go over the main parameters/sections that may interest us in the GPResult output:

SiteName(Site name:) – name of the AD site in which the computer is located;
CN– full canonical user/computer for which the RSoP data was generated;
LasttimeGroupPolicywasapplied(Last applied group policy) – time when group policies were last applied;
GroupPolicywasappliedfrom(Group Policy was applied from) – the domain controller from which the latest GPO was downloaded;
DomainNameand DomainType(Domain name, domain type) – name and version of the Active Directory domain schema;
AppliedGroupPolicyObjects(Applied Group Policy Objects)– lists of active group policy objects;
ThefollowingGPOswerenotappliedbecausetheywerefilteredout(The following GPO policies were not applied because they were filtered) - not applied (filtered) GPOs;
Theuser/computerisapartofthefollowingsecuritygroups(The user/computer is a member of the following security groups) – domain groups in which the user is a member.

In our example, you can see that the user object is subject to 4 group policies.

Default Domain Policy;
Enable Windows Firewall;
DNS Suffix Search List;

If you do not want information about both user and computer policies to be displayed in the console at the same time, you can use the /scope option to display only the section you are interested in. Only resulting user policies:

gpresult /r /scope:user

or only applied computer policies:

gpresult /r /scope:computer

Because The Gpresult utility outputs its data directly to the command line console, which is not always convenient for subsequent analysis; its output can be redirected to the clipboard:

Gpresult /r |clip

or text file:

Gpresult /r > c:\gpresult.txt

To display super-detailed RSOP information, you need to add the /z switch.

HTML RSOP report using GPResult

In addition, the GPResult utility can generate an HTML report of the resulting policies applied (available on Windows 7 and higher). This report will contain detailed information about all system parameters that are set by group policies and the names of specific GPOs that set them (the resulting report structure resembles the Settings tab in the Domain Group Policy Management Console - GPMC). You can generate an HTML GPResult report using the command:

GPResult /h c:\gp-report\report.html /f

To generate a report and automatically open it in a browser, run the command:

GPResult /h GPResult.html & GPResult.html

The gpresult HTML report contains quite a lot of useful information: errors in GPO application, processing time (in ms) and application of specific policies and CSE are visible (in the Computer Details -> Component Status section). For example, in the screenshot above you can see that the policy with the 24 passwords remember settings is applied by the Default Domain Policy (Winning GPO column). As you can see, this HTML report is much more convenient for analyzing applied policies than the rsop.msc console.

Receiving GPResult data from a remote computer

GPResult can also collect data from a remote computer, eliminating the need for the administrator to log in locally or RDP to the remote computer. The command format for collecting RSOP data from a remote computer is as follows:

GPResult /s server-ts1 /r

Similarly, you can remotely collect data from both user policies and computer policies.

User username does not have RSOP data

When UAC is enabled, running GPResult without elevated privileges displays the settings of only the user group policy section. If you need to display both sections (USER SETTINGS and COMPUTER SETTINGS) at the same time, the command must be run. If the command line is elevated to a different system than the current user, the utility will issue a warning INFO:Theuser“domain\user”doesnothaveRSOPdata ( The user "domain\user" does not have RSOP data). This happens because GPResult tries to collect information for the user who launched it, but because... This user has not logged in and there is no RSOP information for him. To collect RSOP information for a user with an active session, you need to specify his account:

gpresult /r /user:tn\edward

If you do not know the name of the account that is logged in on the remote computer, you can get the account like this:

qwinsta /SERVER:remotePC1

Also check the time(s) on the client. The time must match the time on the PDC (Primary Domain Controller).

The following GPO policies were not applied because they were filtered out

When troubleshooting group policies, you should also pay attention to the section: The following GPOs were not applied because they were filtered out. This section displays a list of GPOs that, for one reason or another, do not apply to this object. Possible ways in which the policy may not apply:

You can also understand whether the policy should be applied to a specific AD object on the effective permissions tab (Advanced -> Effective Access).

So, in this article we looked at the features of diagnosing the application of group policies using the GPResult utility and looked at typical scenarios for its use.

When installing Windows, most of the minor subsystems are not activated or installed. This is done for security reasons. Because the system is secure by default, system administrators can focus on designing a system that will perform exactly its intended functions and nothing else. To help you enable the features you need, Windows prompts you to select a Server Role.

Roles

A server role is a set of programs that, when properly installed and configured, allow a computer to perform a specific function for multiple users or other computers on a network. In general, all roles have the following characteristics.

They define the main function, purpose or purpose of using a computer. You can designate a computer to perform a single role that is used heavily in your enterprise, or to perform multiple roles if each is used only occasionally.
Roles give users throughout your organization access to resources that are managed by other computers, such as websites, printers, or files stored on different computers.
They typically have their own databases that queue user or computer requests or record information about network users and computers that are relevant to the role. For example, Active Directory Domain Services contains a database to store the names and hierarchical relationships of all computers on a network.
Once properly installed and configured, roles function automatically. This allows the computers on which they are installed to perform assigned tasks with limited user interaction.

Role Services

Role services are programs that provide role functionality. When you install a role, you can choose which services it provides to other users and computers in the enterprise. Some roles, such as DNS server, only perform one function, so there are no role services for them. Other roles, such as Remote Desktop Services, have multiple services that can be installed depending on your business's remote access needs. A role can be viewed as a collection of closely related, complementary role services. In most cases, installing a role means installing one or more of its services.

Components

Components are programs that are not directly part of roles, but support or extend the functionality of one or more roles or an entire server, regardless of which roles are installed. For example, the Failover Cluster feature extends the functionality of other roles, such as File Services and DHCP Server, by allowing them to join server clusters, providing increased redundancy and performance. Another component, the Telnet Client, provides remote communication with the Telnet server over a network connection. This feature enhances the communication capabilities of the server.

When Windows Server runs in Server Core mode, the following server roles are supported:

Active Directory Certificate Services;
Active Directory Domain Services;
DHCP server;
DNS server;
file services (including file server resource manager);
Active Directory Lightweight Directory Services;
Hyper-V;
printing and document services;
streaming media services;
web server (including a subset of ASP.NET);
Windows Server update server;
Active Directory Rights Management Server;
Routing and Remote Access Server and the following subordinate roles:
- Remote Desktop Services Connection Broker;
- licensing;
- virtualization.

When Windows Server runs in Server Core mode, the following server components are supported:

Microsoft .NET Framework 3.5;
Microsoft .NET Framework 4.5;
Windows PowerShell;
background intelligent transfer service (BITS);
BitLocker disk encryption;
BitLocker network unlock;
BranchCache
data center bridge;
Enhanced Storage;
failover clustering;
Multipath I/O;
network load balancing;
PNRP protocol;
qWave;
remote differential compression;
simple TCP/IP services;
RPC via HTTP proxy;
SMTP server;
SNMP service;
Telnet client;
Telnet server;
TFTP client;
Windows internal database;
Windows PowerShell Web Access;
Windows Activation Service;
standardized Windows storage management;
IIS WinRM extension;
WINS server;
WoW64 support.

Installing server roles using Server Manager

To add, open Server Manager, and in the Manage menu click Add Roles and features:

The Add Roles and Features Wizard opens. Click Next

Installation Type, select Role-based or feature-based installation. Next:

Server Selection - select our server. Click Next Server Roles - Select roles, if necessary, select role services and click Next to select components. During this procedure, the Add Roles and Features Wizard automatically informs you if there are any conflicts on the destination server that might prevent the selected roles or features from installing or functioning properly. You are also prompted to add the roles, role services, and features that are required for the selected roles or features.

Installing roles using PowerShell

Open Windows PowerShell Enter the Get-WindowsFeature command to view a list of available and installed roles and features on the local server. The output of this cmdlet contains the command names for the roles and features that are installed and available for installation.

Type Get-Help Install-WindowsFeature to view the syntax and valid parameters for the Install-WindowsFeature (MAN) cmdlet.

Enter the following command (-Restart will restart the server if a restart is required when installing the role).

Install-WindowsFeature –Name -Restart

Description of roles and role services

All roles and role services are described below. Let's look at the advanced configuration for the most common ones in our practice: Web Server Role and Remote Desktop Services

Detailed description of IIS

Common HTTP Features - Basic HTTP components
- Default Document - allows you to set an index page for the site.
- Directory Browsing - Allows users to see the contents of a directory on a web server. Use Directory Browsing to automatically generate a list of all directories and files present in a directory when users do not specify a file in the URL and the index page is disabled or not configured
- HTTP Errors - allows you to configure error messages returned to clients in the browser.
- Static Content - allows you to post static content, for example, pictures or html files.
- HTTP Redirection - provides support for redirecting user requests.
- WebDAV Publishing allows you to publish files from a web server using the HTTP protocol.
Health and Diagnostics Features - Diagnostic components
- HTTP Logging provides logging of website activity for a given server.
- Custom Logging provides support for creating custom logs that differ from “traditional” logs.
- Logging Tools provides an infrastructure for managing web server logs and automating common logging tasks.
- ODBC Logging provides an infrastructure that supports logging of web server activity in an ODBC-compliant database.
- Request Monitor provides an infrastructure for monitoring the health of web applications by collecting information about HTTP requests in the IIS worker process.
- Tracing provides a framework for diagnosing and troubleshooting web applications. By using failed request tracing, you can track hard-to-capture events such as poor performance or authentication failures.
Performance components increase web server performance.
- Static Content Compression provides the infrastructure for setting up HTTP compression of static content
- Dynamic Content Compression provides the infrastructure for setting up HTTP compression of dynamic content.
Security security components
- Request Filtering allows you to record all incoming requests and filter them based on rules set by the administrator.
- Basic Authentication allows you to set additional authorization
- Centralized SSL Certificate Support is a feature that allows you to store certificates in a centralized location, like a file share.
- Client Certificate Mapping Authentication uses client certificates to authenticate users.
- Digest Authentication works by sending a password hash to a Windows domain controller to authenticate users. If you need a higher level of security than regular authentication, consider using Digest authentication
- IIS Client Certificate Mapping Authentication uses client certificates to authenticate users. A client certificate is a digital ID obtained from a trusted source.
- IP and Domain Restrictions allows you to allow/deny access based on the requested IP address or domain name.
- URL Authorization allows you to create rules that restrict access to web content.
- Windows Authentication This authentication scheme allows Windows domain administrators to take advantage of the domain infrastructure to authenticate users.
Application Development Features application development components
FTP Server
- FTP Service Enables FTP publishing to the web server.
- FTP Extensibility Includes support for FTP functions that extend the capabilities of
Management Tools
- IIS Management Console installs IIS Manager, which allows you to manage the Web server through a graphical interface
- IIS 6.0 Management Compatibility provides forward compatibility for applications and scripts that use the Admin Base Object (ABO) and Active Directory Directory Service Interface (ADSI) APIs. This allows existing IIS 6.0 scripts to be used by an IIS 8.0 web server
- IIS Management Scripts and Tools provide the infrastructure for managing the IIS Web server programmatically, using commands in a Command Prompt window, or by running scripts.
- Management Service provides the infrastructure for configuring the IIS Manager user interface.

Detailed description of RDS

Remote Desktop Connection Broker - Provides reconnection of the client device to programs based on desktop computer sessions and virtual desktops.
Remote Desktop Gateway - Allows authorized users to connect to virtual desktops, RemoteApp programs, and session-based desktops on a corporate network or over the Internet.
Remote Desktop Licensing - RDP license management tool
Remote Desktop Session Host - Enables a server to host RemoteApp programs or a desktop-based session.
Remote Desktop Virtualization Host - allows you to configure RDP on virtual machines
Remote Desktop WebAccess - Allows users to connect to desktop resources using the Start menu or a web browser.

Let's look at installing and configuring a terminal license server. The above describes how to install roles, installing RDS is no different from installing other roles; in Role Services we will need to select Remote Desktop Licensing and Remote Desktop Session Host. After installation, the Terminal Services item will appear in Server Manager-Tools. Terminal Services has two items: RD Licensing Diagnoser, which is a diagnostic tool for remote desktop licensing, and Remote Desktop Licensing Manager, which is a license management tool.

Let's launch RD Licensing Diagnoser

Here we see that there are no licenses available yet because the licensing mode for the Remote Desktop Session Host server is not set. The licensing server is specified in local group policies. To launch the editor, run the gpedit.msc command. The Local Group Policy Editor will open. In the tree on the left, let's open the tabs:

Computer Configuration
Administrative Templates
Windows Components
"Remote Desktop Services"
"Remote Desktop Session Host"
"Licensing"

Open the parameters Use the specified Remote Desktop license servers

In the policy settings editing window, enable the licensing server (Enabled). Next, you need to determine the licensing server for Remote Desktop Services. In my example, the licensing server is located on the same physical server. Specify the network name or IP address of the license server and click OK. If you change the server name in the future, the license server will need to be changed in the same section.

After this, in RD Licensing Diagnoser you can see that the terminal license server is configured, but not enabled. To enable, launch Remote Desktop Licensing Manager

Select a licensing server with the status Not Activated. To activate, right-click on it and select Activate Server. The Server Activation Wizard will launch. On the Connection Method tab, select Automatic Connection. Next, fill in information about the organization, after which the license server is activated.

Active Directory Certificate Services

AD CS provides customizable services for issuing and managing digital certificates used in software security systems that use public key technologies. Digital certificates provided by AD CS can be used to encrypt and digitally sign electronic documents and messages. These digital certificates can be used to verify the authenticity of computer, user, and device accounts across a network. Digital certificates are used to ensure:

privacy through encryption;
integrity using digital signatures;
authentication by associating certificate keys with computer, user, and device accounts on the network.

AD CS can be used to improve security by associating a user, device, or service identity with a corresponding private key. Uses supported by AD CS include Secure Multipurpose Internet Mail Extensions (S/MIME), Secure Wireless Networks, Virtual Private Networks (VPN), IPsec, Encrypting File System (EFS), Smart Card Login, data transmission security and transport layer security protocol (SSL/TLS) and digital signatures.

Active Directory Domain Services

Using the Active Directory Domain Services (AD DS) server role, you can create a scalable, secure, and managed infrastructure for managing users and resources; You can also support directory-aware applications, such as Microsoft Exchange Server. Active Directory Domain Services provides a distributed database that stores and manages information about network resources and directory-enabled application data. The server that runs AD DS is called a domain controller. Administrators can use AD DS to organize network elements such as users, computers, and other devices into a hierarchical, nested structure. The hierarchical nested structure includes the Active Directory forest, the domains within the forest, and the organizational units within each domain. Security features are integrated into AD DS in the form of authentication and access control to resources in the directory. With network single sign-on, administrators can manage directory data and organization across the network. Authorized network users can also use network single sign-on to access resources located anywhere on the network. Active Directory Domain Services provides the following additional features.

A rule set is a schema that defines the object classes and attributes that are contained in a directory, the constraints and limits on instances of those objects, and the format for their names.
A global catalog that contains information about each object in the catalog. Users and administrators can use the global catalog to search for directory data, regardless of which domain in the directory actually contains the data they are looking for.
A query and indexing engine through which objects and their properties can be published and located by network users and applications.
A replication service that distributes directory data across a network. All writable domain controllers in the domain participate in replication and maintain a complete copy of all directory data for their domain. Any changes to directory data are replicated across the domain to all domain controllers.
Operations master roles (also known as flexible single-master operations, or FSMO). Domain controllers, which act as operations masters, are designed to perform specific tasks to ensure data consistency and eliminate conflicting directory entries.

Active Directory Federation Services

AD FS provides simplified and secure identity federation and web-based single sign-on (SSO) capabilities to end users who need to access applications in an AD FS-protected enterprise, federation partner, or cloud. On Windows Server, AD FS includes the role service Federation Services acting as an identity provider (authenticates users to provide security tokens to applications that trust AD FS) or as a federation provider (applies tokens from other identity providers and then provides security tokens to applications that trust AD FS).

Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS) is an LDAP protocol that provides flexible support for directory applications without the dependencies and domain limitations of Active Directory Domain Services. AD LDS can be run on member or standalone servers. You can run multiple instances of AD LDS on a single server with independently managed schemas. By using the AD LDS service role, you can provide directory services to directory-aware applications without the overhead of domains and forests and without requiring a single forest-wide schema.

Active Directory Rights Management Services

AD RMS can be used to enhance an organization's security strategy by protecting documents using information rights management (IRM). AD RMS allows users and administrators to assign access permissions to documents, workbooks, and presentations using IRM policies. This helps protect confidential information from being printed, forwarded, or copied by unauthorized users. Once file permissions are restricted using IRM, access and use restrictions are enforced regardless of the location of the information because the file permission is stored in the document file itself. With AD RMS and IRM, individual users can apply their own personal preferences regarding the sharing of personal and sensitive information. They will also help the organization apply corporate policies to govern the use and dissemination of confidential and personal information. IRM solutions supported by AD RMS services are used to provide the following capabilities.

Persistent usage policies that remain with information regardless of whether it is moved, sent, or forwarded.
An additional layer of privacy to protect sensitive data - such as reports, product specifications, customer information and email messages - from falling into the wrong hands, either intentionally or accidentally.
Prevent authorized recipients from unauthorized forwarding, copying, modification, printing, faxing, or pasting of restricted content.
Prevent copying of restricted content using the PRINT SCREEN feature in Microsoft Windows.
Support for file expiration, which prevents the contents of documents from being viewed after a specified period of time.
Implement enterprise policies that govern the use and distribution of content within the organization

Application Server

Application Server provides an integrated environment for deploying and running custom server-based business applications.

DHCP Server

DHCP is a client-server technology in which DHCP servers can assign or lease IP addresses to computers and other devices that are DHCP clients. Deploying DHCP servers on a network automatically provides client computers and other network devices based on IPv4 and IPv6 valid IP addresses and additional configuration parameters required by these clients and devices. The DHCP Server service in Windows Server includes support for policy-based assignments and DHCP failure handling.

DNS Server

The DNS service is a hierarchical, distributed database containing mappings of DNS domain names to various types of data, such as IP addresses. DNS allows you to use friendly names, such as www.microsoft.com, to make it easier to locate computers and other resources on TCP/IP-based networks. Windows Server DNS provides additional, enhanced support for DNS Security Extensions (DNSSEC), including online registration and automated settings management.

FAX Server

The fax server sends and receives faxes, and also gives you the ability to manage fax resources such as jobs, settings, reports, and fax devices on your fax server.

File and Storage Services

Administrators can use the File and Storage Services role to configure multiple file servers and their storage, and to manage those servers using Server Manager or Windows PowerShell. Some specific apps include the following features.

Work folders. Use to allow users to store and access work files on personal computers and devices other than corporate PCs. Users get a convenient place to store work files and access them from anywhere. Organizations control corporate data by storing files on centrally managed file servers and optionally setting user device policies (such as encryption and screen lock passwords).
Data deduplication. Use to reduce disk space requirements for storing files, saving on storage costs.
iSCSI target server. Use to create centralized, software and hardware-independent iSCSI disk subsystems in storage area networks (SAN).
Disk Spaces. Use to deploy highly available storage that is resilient and scalable using cost-effective, industry-standard disks.
Server Manager. Use to remotely manage multiple file servers from one window.
Windows PowerShell. Use to automate the management of most file server administration tasks.

Hyper-V

The Hyper-V role allows you to create and manage a virtualized computing environment using the virtualization technology built into Windows Server. Installing the Hyper-V role installs prerequisites as well as optional management tools. Required components include the Windows hypervisor, Hyper-V Virtual Machine Management Service, WMI virtualization provider, and virtualization components such as VMbus, Virtualization Service Provider (VSP), and Virtual Infrastructure Driver (VID).

Network Policy and Access Services

Network Policy and Access Services provides the following solutions for network connections:

Network Access Protection is a technology for creating, enforcing, and repairing client health policies. With Network Access Protection, system administrators can set and automatically enforce health policies that include software requirements, security updates, and other settings. Client computers that do not meet the health policy requirements can be restricted from accessing the network until their configuration is updated to meet the health policy requirements.
If you have deployed 802.1X-enabled wireless access points, you can use Network Policy Server (NPS) to deploy certificate-based authentication methods, which are more secure than password-based authentication. Deploying 802.1X-enabled hardware with an NPS server allows intranet users to be authenticated before they can connect to the network or obtain an IP address from a DHCP server.
Instead of configuring a network access policy on each network access server, you can centrally create all policies that define all aspects of network connection requests (who can connect, when the connection is allowed, the level of security that must be used to connect to the network ).

Print and Document Services

Print and Document Services allows you to centralize print server and network printer tasks. This role also allows you to receive scanned documents from network scanners and upload documents to network shares such as a Windows SharePoint Services site or via email.

Remote Access

The Remote Access Server role is a logical grouping of the following network access technologies.

DirectAccess
Routing and remote access
Web Application Proxy

These technologies are role services Remote access server roles. When you install the Remote Access Server role, you can install one or more role services by running the Add Roles and Features Wizard.

In Windows Server, the Remote Access Server role provides the ability to centrally administer, configure, and monitor DirectAccess remote access services and VPN with Routing and Remote Access Service (RRAS). DirectAccess and RRAS can be deployed on the same edge server and managed using Windows PowerShell commands and the Remote Access Management Console (MMC).

Remote Desktop Services

Remote Desktop Services accelerates and expands the deployment of desktops and applications on any device, increasing remote worker productivity while securing critical intellectual property and simplifying regulatory compliance. Remote Desktop Services includes virtual desktop infrastructure (VDI), session-based desktops, and applications, giving users the ability to work from anywhere.

Volume Activation Services

Volume Activation Services is a server role in Windows Server starting in Windows Server 2012 that automates and simplifies the issuance and management of volume licenses for Microsoft software in a variety of scenarios and environments. Along with Volume Activation Services, you can install and configure Key Management Service (KMS) and Active Directory activation.

Web Server (IIS)

The Web Server (IIS) role in Windows Server provides a platform for hosting Web sites, services, and applications. Using a web server makes information available to users on the Internet, intranet, and extranet. Administrators can use the Web Server (IIS) role to configure and manage multiple websites, web applications, and FTP sites. Accessibility features include the following.

Use Internet Information Services Manager to configure IIS components and administer websites.
Uses FTP to allow website owners to send and download files.
Use website isolation to prevent one website on a server from affecting others.
Customization of web applications developed using various technologies such as Classic ASP, ASP.NET and PHP.
Use Windows PowerShell to automatically manage most web server administration tasks.
Combine multiple web servers into a server farm that can be managed using IIS.

Windows Deployment Services

Windows Deployment Services allows you to deploy Windows operating systems over a network, which means you don't have to install each operating system directly from a CD or DVD.

Windows Server Essentials Experience

This role allows you to solve the following tasks:

protect server and client data by creating backup copies of the server and all client computers on the network;
manage users and user groups through a simplified server dashboard. Additionally, integration with Windows Azure Active Directory *provides users with easy access to online Microsoft Online Services (such as Office 365, Exchange Online, and SharePoint Online) using their domain credentials;
store company data in a centralized location;
integrate the server with Microsoft Online Services (such as Office 365, Exchange Online, SharePoint Online, and Windows Intune):
Use ubiquitous access features on the server (for example, remote web access and virtual private networks) to access the server, network computers, and data from remote locations with a high degree of security;
access data from anywhere and from any device using the organization's own web portal (via remote web access);
Manage mobile devices that access your organization's email using Office 365 via the Active Sync protocol from the dashboard;
Monitor network health and receive custom health reports; reports can be generated on demand, customized and emailed to specific recipients.

Windows Server Update Services

The WSUS server provides the components that administrators need to manage and distribute updates through the management console. In addition, the WSUS server can be the source of updates for other WSUS servers in the organization. When you implement WSUS, at least one WSUS server on your network must be connected to Microsoft Update to receive information about available updates. Depending on your network security and configuration, your administrator can determine how many other servers are directly connected to Microsoft Update.