Windows Server Hosting: Service Guide
The Windows Server Hosting service provides professionally managed Windows servers for University academic, research and administrative units.
The Windows Server Hosting service is supported by the Microsoft Platform and Tools Team (T3 Microsoft in ServiceNow).
Support Services Provided
The support services provided to Windows Server Hosting customers include:
Operating System (OS) Support
- We install, configure, and maintain the operating system.
- New installations must still be within Microsoft’s mainstream support phase.
- We maintain all server administration applications such as backup agents, monitoring agents, patching agents, anti-virus, etc.
- We provide and maintain the Microsoft operating system license.
OIT uses System Center Operations Manager (SCOM) to monitor the OS according to Microsoft best practices. Notifications are sent to OIT staff for these specific items:
Page / email
Less than 6 GB on system drive
> 95% for extended period of time
Customers are encouraged to set up application layer monitoring through Zabbix as needed.
Events are forwarded to the University’s Enterprise Log Management solution (Splunk) in accordance with University policy.
Backup and Restores
- We perform backups of server data and will facilitate restores upon request.
- The standard schedule includes weekly full backups performed over weekends and daily incrementals.
- The typical backup retention is 30 days.
- All systems are scanned weekly to ensure that current patches are installed. OIT staff will review and remediate any outstanding issues for the OS based on the results of the security scans.
- Customers are responsible for remediation of applications.
- A software firewall will be enabled on all hosts via group policy (GPO).
- Exceptions can be made to allow specific inbound traffic through the software firewall for defined IP addresses, ports, or application data flows.
- By default, all systems are on publicly available networks and come with a world-addressable IPv6 address.
- There is an option to get an IP address in private (RFC 1918) space (UMN IP addresses only) which requires a business case review.
File System configuration
- The C: drive is dedicated to the OS and is maintained by OIT staff. No customer data or applications should be installed or stored on the C: drive.
- If necessary, a data drive can be added for storing customer data (up to 256 GB depending on the capacity needed).
Administrative Users & Service Accounts
- All servers will be bound to central Active Directory in the OIT-Server Organizational Unit (OU).
- OIT staff require admin access through the group AD\OIT-Server-OUAdmins.
- Use of local admin accounts is discouraged, but exceptions can be made after review by OIT.
- Departments maintain their own Active Directory group that controls admin access to the server.
- Customers are expected to create and manage any service or vendor accounts.
Accessing a Virtual Host
- To access the server using Remote Desktop (RDP), customers must connect to the main University VPN pool, whether on or off campus.
- More restrictive access can be employed by customers, but OIT staff will still need access through our administrative VPN pool. Contact email@example.com for details.
- OIT staff need WinRM access from our utility server oit-mpt-tools16.oit.umn.edu.
Customers are responsible for maintenance and support of specific application software. These include, but are not limited to, MySQL, MS-SQL, Oracle, IIS, etc.
- Most systems are patched the first Saturday or Sunday of the month between the hours of 5 am and noon.
- Dev servers are patched on the Tuesday of patch week between noon and 3 pm, and test servers are patched on the Wednesday of patch week between noon and 3 pm.
- Holidays may impact the routine maintenance cycle.
- Notifications will be available via the Change Calendar and the System Status page.
- Patching is done using System Center Configuration Manager (SCCM).
- Note: critical patches may be applied sooner if the patch is deemed necessary to ensure the security of the system. Under this scenario, customers will be allowed to control reboot times as much as possible.