In the networked world, the greater part of management is client management, and in today’s plug ’n’ play world, the greater part of client management is actually client rights management.
Seeing as we’re talking about the Microsoft Windows Server family, you already know what “client rights management” really means. It means “Group Policies”, and in most networks, “Group Policies” means “Security Templates”. Just like Windows Server 2000, Windows Server 2003 pops out of the box with a stack of security templates applied, along with others that are ready-configured and sitting waiting in the <%SYSTEM%>\Security\Templates folder. In Windows Server 2003, there are more pre-configured templates. Now that security has been wound up tighter than the IT job market, you’ll need some of those templates to make things work the way you expect.
Compatws.inf, for example, will allow applications that require members of the Users group to be able to write to parts of the Registry to do so – just like they used to be able to in the good old days.
Many of the other templates also have the same names as their Windows Server 2000 predecessors but they configure a wider range of settings and tune many of the old settings differently.
Is there a quick way of identifying the differences in settings? No. You are going to have to run the security template analyzer tool to extract their settings in Windows Server 2003. Erm… I’ll be waiting for you in the pub.
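Security templates are plain INF text files, so two of them can be compared section by section with a short script. The following is an added example, not part of the original article; the two sample templates are constructed for illustration and the function names are hypothetical.

```python
# Constructed sample templates, not the contents of any shipped .inf file.
BASELINE = r'''
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
[Registry Keys]
"MACHINE\SOFTWARE\Example",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;BU)"
'''
HARDENED = r'''
; comment lines start with a semicolon
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
[Registry Keys]
"machine\software\example",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;BU)"
'''

def parse_template(text):
    """Return {(section, key): value} for an INF-style security template."""
    settings, section = {}, ""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section in ("registry keys", "file security"):
            # ACL sections carry no "=": "object",mode,"SDDL string"
            obj, _, rest = line.partition(",")
            settings[(section, obj.strip('"').lower())] = rest
        elif "=" in line:
            key, _, value = line.partition("=")
            settings[(section, key.strip().lower())] = value.strip()
    return settings

def diff_templates(old, new):
    """List (section, key, old, new) for every setting that differs."""
    a, b = parse_template(old), parse_template(new)
    return [(s, k, a.get((s, k)), b.get((s, k)))
            for s, k in sorted(a.keys() | b.keys())
            if a.get((s, k)) != b.get((s, k))]

if __name__ == "__main__":
    for section, key, old, new in diff_templates(BASELINE, HARDENED):
        print(f"[{section}] {key}: {old!r} -> {new!r}")
```

A value of `None` on either side means the setting is defined in only one template. When reading real template files from disk, open them with the encoding they were saved in before passing the text to `diff_templates`.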
Windows Server 2003 now makes it easy to apply security updates to remote servers and to clients without having to lay on an administrator with requisite rights at each machine. That’s a handy new feature because – cough, cough – we do seem to be applying a lot of security updates these days. Even more so than when they were called “security fixes”. The tool that enabled this ascent into security Paradise is Software Update Services – a free download that turns a non-domain controller Windows Server 2003 into a corporate Windows Update server. It also lets you control which updates to apply so you can skip the consumer stuff.
But SUS has its flaws. If you appreciate a plump, healthy-looking wallet, they are pretty big flaws. For example, no matter how prevalent Active Directory is on your network, it can’t force clients to install updates from an SUS server in the same way that AD can help publish or “advertise” new application software. No, clients have to be manually configured to talk to an SUS server. Nor can SUS squeal on clients that failed to download or properly apply its updates. You can work around this using Microsoft’s free hfnetchk.exe tool if you only need to monitor successful security patch updates. But for driver updates (the most common class of update) and for service packs, you need Microsoft’s Systems Management Server. If this matters, draw up a savings plan today.
For remote server management, the installation by default of Terminal Services in remote administration mode will bring back not-so-fond memories of that dark and buggy night that you first discovered that Windows Server 2000 required you to deliberately install Terminal Services in administration mode.
Windows Server 2003 now also includes tools that let you control server attributes from the command line using Windows Management Instrumentation. Use them interactively or call them from scripts for true automation. WMI was there in Windows Server 2000 but the command line tools to talk to it were mostly locked away in the $110 plus Windows Server Resource Kit. Worse yet – if anything can be worse than having a software vendor pick your pocket for tools that come free as standard in other operating systems – the support story around the Windows Server 2000 WMI tools was so confused that even Microsoft support staff had little idea whether they actually worked, whether customers should use them and whether it was worth investing time in trying to learn them. The WMI DNS Provider is a great example of this. Available since Windows Server 2000, it offered a way to automate DNS zone and record creation, inspection, management and deletion. Microsoft briefly published sample scripts for it but abandoned them when ISPs reported having trouble making the tool work to specification.
That poor-documentation problem arose from Microsoft’s server marketing team never fully integrating with – or even understanding the value of – its scripting experts. Now known as MSDN’s Scripting Guys, the scripting team were part of the Windows Resource Kit’s “technical writers” and were therefore considered by both Microsoft developers and managers to be unburdened with useful attributes like intelligence.
That, by the way, is the key to the often-asked question: why has Microsoft never tried to compete with the *nix world’s automation-through-scripting story? Answer: the groups that knew that scripting mattered were simply never brought together with the groups that made decisions about Windows Server development.
Back to the WMI DNS Provider… for the last few months, the internal story at Microsoft has been that the tool is being supported. You have to be careful with Microsoft’s definition of “supported”. It can mean: “This ships in the server (i.e. it’s supported) and not in a Resource Kit (i.e. it’s unsupported)” without necessarily meaning: “and we’ll fix it if it is broken”.
As of early this January, Microsoft PSS had assigned a headcount – well, a few hours from the busy working day of a single headcount – to write sample scripts for it.
Nevertheless, WMI is still horribly close to being the Quasimodo of computer management. Under Windows Server 2000, this mute cripple could only change about one percent of the 4,000 resource properties it could monitor. Under Windows Server 2003, it can change more than 140 properties and can monitor around 6,000. Quasimodo is learning to speak. Let’s hope he achieves full sentences before he dies.
However, his bell-ringing skills have improved: in Windows Server 2003, WMI’s deeper integration with Active Directory now allows it to monitor replication, that pesky but frequent cause of Windows network issues. And new disk property-setting skills include the ability to set user quotas and manage Volume Shadow Copies.
Windows Server 2003 features too many changes to WMI’s parent – the Windows Scripting Host – to detail here, but if you are still more comfortable writing batch scripts around built-in shell tools, there’s a lot more available to you in Windows Server 2003 than in Windows Server 2000.