ADM350 Windows Server 2003: Management Capabilities BJ Whalen Program Manager Windows Server Microsoft Corporation.

ADM350

Windows Server 2003:Management Capabilities

BJ WhalenProgram ManagerWindows ServerMicrosoft Corporation

Windows Server 2003 Manageability Focus

Usability of management features

Management automation

Remote & headless server management

Built-in manageability for system services

Security management

Agenda

Directory & policy based management

Scripting & command line management

Role based management

Remote and headless system administration

Deployment solutions

Resource management

Security management

Backup & Restore

Summary of manageability enhancements

Active Directory Management Enhancements (Part 1) Removed Irreversible DecisionsRemoved Irreversible Decisions

Domain renameDomain rename DC renameDC rename Schema deleteSchema delete

Deployment improvementsDeployment improvements Improved replicationImproved replication

Delta replication for group membership changesDelta replication for group membership changes 5000 member limit removed5000 member limit removed

Install replica from mediaInstall replica from media Cross Forest TrustCross Forest Trust Improved Topology Generator (KCC) – support for 5000 Improved Topology Generator (KCC) – support for 5000

sitessites ADMT improvements: password migration, scripting & ADMT improvements: password migration, scripting &

cmd-line interfacecmd-line interface

Active Directory Management Enhancements (Part 2) Operational ImprovementsOperational Improvements

Universal group cachingUniversal group caching Cmdline access to DS: DSMod, DSAdd, DSGetCmdline access to DS: DSMod, DSAdd, DSGet Quotas on object ownershipQuotas on object ownership Replication & trust monitoring - RepAdminReplication & trust monitoring - RepAdmin

UI EnhancementsUI Enhancements Multi-object editingMulti-object editing Drag & dropDrag & drop Saved queriesSaved queries

Group Policy

Active Active DirectoryDirectory

One AdministratorOne Administrator

ActionAction

New PolicyNew Policy

Many End UserMany End User

ResultsResults

Many ComputerMany Computer

ResultsResults

Goal: Improve the Admin Experience

GPMCNew admin tool for managing Group PolicyShips via Web

Resultant Set of Policy (RSoP)WMI Filters Command Line tools

GPUpdate, GPResult 32 GPMC Sample ScriptsFull list across all operating systems at:

New Policy Settingshttp://go.microsoft.com/fwlink/?LinkId=15165

Group Policy Management Console

Improved User InterfaceBased on how customers use Group PolicyImproved security management

Integration of RSoPHTML and XML Reporting of GPOs and RSOPNew capabilities for rapid deployment of policy

Backup/restore, import/copy

ScriptabilityEnables customization and automation

Support for StagingFirst create in sandbox test environmentReplicate to production

New Scenarios with GPMC

Read only access to GPOsDocumenting all GPOs in the domain

Backing up all GPOs

Rapidly create and deploy managed configurations

Planning and Troubleshooting

Staging from test to production

Group Policy Management Console

demodemo

Agenda



Role based system administration



Resource management

Security management

Backup & Restore


Uniform management interface for distributed systems management

Common access and query capabilities and discovery via a common data modelExposes relationships between various aspects of Management domainsUniversal programmable agent for health monitoring and remote management

Out-of-the-box management for over 10,000 system objects Historically geared for developers, but that is now changing…

With WMIC, WMI becomes accessible to Admins

WMI – What is it

WMI ArchitectureWMIWMI

COM ClientCOM ClientWSHWSH

DCOM

C:\>wmic

Script Script APIAPI

Client ServicesSripting APICOM APIDCOM RemotingWMIC

Core ServicesNamespace servicesQuerySecurityEvents subscriptions

Provider SubsystemSecure provider hosting

ProvidersAbstraction of the OS services and application APIs

Core Services

Core Services

QueryService

QueryService

Pub/SubService

Pub/SubService

Repository

ViewService

ViewService

Schema RT / Provider Subsystem

Schema RT / Provider Subsystem

Event Filtering

Event Filtering

Managed applications and platform services

IPC

Provider subsystem

WMI Providers (loaded on-demand)

LOB appprovider

LOB appprovider

ActiveDirectoryActive

DirectoryWMI extfor WDM

WMI extfor WDM

NT EventLog

NT EventLog

PerfCounters

PerfCountersRegistryRegistry

COM

WMI Enhancements

New WMI Console (WMIC)Command line and console access to WMISimplified view to the WMI object model

New and updated WMI providersAD replication and trustServer clusteringDFSInternet Information ServerTerminal ServicesOthers

Benefits:WMI is now usable by adminsMore stuff is manageable through WMI

WMICEngine

XSLTXSLTXSLTXSLTXSLTXSLTXSLTXSLTXSLTXSLTXSLTXSLT

Console

HTML

CSV

MOF

Customer defined

XMLDOM

XMLDOM

WMIWMI

ProviderProviderProviderProviderProviderProviderProviderProviderProviderProvider

WMIWMI

Direct Access(PATH/CLASS)

Direct Access(PATH/CLASS)

Access via Alias(FriendlyName)

Access via Alias(FriendlyName)

Aliasschema

Aliasschema

WMIC Architecture

Command line tools that allows writing basic script in cmd.exe

Avail on XP and Server 2003Can manage Win2k computers

Supports interactive mode – admin console for WMIEasy to learn command language

Common grammarProgressive help discovery

Vocabulary driven by WMI instrumentation and aliasesCan access any WMI objectSimplified access to key WMI objects (80 aliases, 150 methods)

Transparent remotingMultiple output formats

Built-in support for: Console, HTML, CSV, MOFCustomer defined formats (using XSLT)

WMIC Highlights

Command Line Tools

Command line execution of common administration tasks

Simplifies top system administration tasks

Transparent remoting

60+ commands

Documented in “ntcmds.chm”

Agenda





Resource management

Security management

Backup & Restore


Manage Your Server Roles

Key BenefitsKey Benefits Easy to configure, discover, and Easy to configure, discover, and

manage server rolesmanage server roles

Confidence that server roles are Confidence that server roles are correctly set upcorrectly set up

Easy to find configuration and Easy to find configuration and management tools and resourcesmanagement tools and resources

Configure Your Server wizardConfigure Your Server wizard Wizard based setup for server rolesWizard based setup for server roles

‘‘Typical’ or standard ‘Specific’ rolesTypical’ or standard ‘Specific’ roles

Can be run multiple timesCan be run multiple times

Manage Your Server consoleManage Your Server console Central place to find configuration Central place to find configuration

and management toolsand management tools

Server role discovery, removal, Server role discovery, removal, and managementand management

Role-based Server Management

demodemo

Agenda






Resource management

Security management

Backup & Restore


Remote Management Using Terminal Services

RDPRDPTCP/IPTCP/IP

Terminal ServerTerminal Server

ClientClient

Remote Management ScenariosRemote Management Scenarios HelpDeskHelpDesk

Remote Assistance to view and Remote Assistance to view and interact with remote user’s desktopinteract with remote user’s desktop

IT Pro AdministrationIT Pro Administration

Remote Desktop for Administration – Remote Desktop for Administration – remotely manage serversremotely manage servers

Remote access to console (session 0)Remote access to console (session 0)

““Remote Desktops” MMC snap-in – Remote Desktops” MMC snap-in – for managing multiple computers for managing multiple computers from single interface from single interface

Remote Mgmt of Terminal ServersRemote Mgmt of Terminal Servers Group Policy settings – computer and Group Policy settings – computer and

user setting, permissions, etc.user setting, permissions, etc.

TS WMI provider – scriptable interface TS WMI provider – scriptable interface for managing TS settingsfor managing TS settings

Emergency Management Services (EMS)

What it does:Provides ‘out of band’ capabilities to bring distressed system back to ‘in-band’ management state

Customer Scenarios:Remote emergency management of Windows computers when traditional methods not avail.Headless (no KVM) and data centers

Key OS Scenarios:BootSystem CrashSystem setup

How it works: Enables console redirection of boot loader, textmode setup, blue screens for headless server supportSecure Administration Console (SAC) provides limited set of powerful commands to return system to ‘in-band’ state

Agenda






Resource management

Security management

Backup & Restore


Windows Pre-Installation Environment* (Windows PE)

Target ServerTarget Serveror Desktopor Desktop

Minimal footprint subset of Minimal footprint subset of Windows Server 2003/Windows Windows Server 2003/Windows XPXP TCP/IP networking supportTCP/IP networking support Scriptable disk configuration Scriptable disk configuration

toolstools

Replaces DOS as pre-Replaces DOS as pre-installation environmentinstallation environment

Hardware independentHardware independent

ScriptableScriptable

CustomizableCustomizable

1)1) Boot target with Windows PEBoot target with Windows PE

2)2) Prepare disk withPrepare disk withDiskpart (scriptable)Diskpart (scriptable)

3)3) Format disk withFormat disk withFormat (scriptable)Format (scriptable)

4)4) Apply image or runApply image or runscripted install fromscripted install fromdistribution pointdistribution point

File ShareFile Share

*Windows PE is available to Enterprise Agreement, *Windows PE is available to Enterprise Agreement, Select, and Software Assurance customer only Select, and Software Assurance customer only

Remote Installation Services (RIS)

DesktopsDesktops or Serversor Servers

DHCPDHCPServerServer

RISRISServerServer

AD

Automated network install of OS or Automated network install of OS or OS + AppsOS + Apps

For bare metal/full refresh deploymentsFor bare metal/full refresh deployments

Initiated by PXE or floppy bootInitiated by PXE or floppy boot

Scripted or imaged deploymentsScripted or imaged deployments

Key EnhancementsKey Enhancements Supports all version of Windows 2000 & Supports all version of Windows 2000 &

Windows Server 2003 + Windows XP ProWindows Server 2003 + Windows XP Pro

Fully automated deployment enabledFully automated deployment enabled

Support for headless server deploymentSupport for headless server deployment

Security – password encryption, secure Security – password encryption, secure domain join, etc.domain join, etc.

HAL filtering for RIPrepHAL filtering for RIPrep

Automated Deployment Services (ADS)

CommandCommandLine Line ToolsTools

MMCMMCUIUI

CustomerCustomerScriptsScripts

WMI InterfaceWMI Interface

NetworkNetworkBoot Boot

ServiceService

Image Image DistributionDistribution

ServiceService

Controller ServiceController Service

Target ServerTarget Server

ADS Deployment ADS Deployment AgentAgent

DBDB(MSDE (MSDE /SQL)/SQL)

Target ServerTarget Server

ADS AdminADS Admin Agent Agent

ADS Imaging ADS Imaging ToolsTools

Post-OS StagePost-OS Stage

AD

S C

on

tro

ller

AD

S C

on

tro

ller

Key BenefitsKey Benefits Rapid automated bulk deployment Rapid automated bulk deployment

of serversof servers New powerful, flexible imaging New powerful, flexible imaging

format and tools from Microsoftformat and tools from Microsoft Deployment and script based Deployment and script based

administration of 1000 servers as administration of 1000 servers as easily as oneeasily as one

Designed for high bandwidth Designed for high bandwidth datacenter environmentdatacenter environment

Framework for mass server Framework for mass server administration – deployment administration – deployment and scriptingand scripting

New flexible Microsoft imaging format New flexible Microsoft imaging format and toolsand tools

Initiated by PXE bootInitiated by PXE boot Multicast, multi-server deploymentsMulticast, multi-server deployments Deploys Windows 2000 and Deploys Windows 2000 and

Windows Server 2003 serversWindows Server 2003 servers

*ADS provided with Enterprise & *ADS provided with Enterprise & Datacenter Editions of Windows Server 2003 Datacenter Editions of Windows Server 2003

AgendaDirectory & policy based management





Resource management

Security management

Backup & Restore


Windows System Resource Manager (WSRM)

What it doesWSRM facilitates consolidation of applications onto a single instance of WindowsLets you throttle individual processes based on:

% CPUReal memoryVirtual memory

How it worksIdentify processes, what to manageCreate resource management policies to define capsApply policies based on a date/time scheduleCreate, store, view and export accounting records

AvailabilityWSRM ships with Windows Server 2003, Enterprise and Datacenter Editions

Consolidation with WSRM

BenefitsFacilitates server consolidation in poor use of resources scenarios

Increases availability of critical applications in mixed workload scenarios

Results in improved understanding of application resource utilization behavior

ScenariosSingle or multiple important LOB apps with other applications or servicesManage Users on a large Terminal Server systemMultiple SQL Server instancesManage resource usage of individual IIS6 Application Pools on a serverSQL Server and IIS6 running on the same machine

WSRM ScreenshotsA

dmin

istr

atio

n G

UI

Adm

inis

trat

ion

GU

I

Accounting reportsAccounting reports

Impact of resource Impact of resource allocation changesallocation changes

Policy sche

duling calendar

Policy sche

duling calendar

Agenda






Resource management

Security management

Backup & Restore


Security Management Security configuration & policy enforcementSecurity configuration & policy enforcement

Group Policy is key deployment mechanismGroup Policy is key deployment mechanism Strong password enforcement by defaultStrong password enforcement by default Software restriction policiesSoftware restriction policies

Security auditingSecurity auditing Per user and operation based auditingPer user and operation based auditing Logon/logoff & account management auditingLogon/logoff & account management auditing

Vulnerability assessment & security updatesVulnerability assessment & security updates Windows Update ServiceWindows Update Service Microsoft Baseline Security AnalyzerMicrosoft Baseline Security Analyzer Software Update ServicesSoftware Update Services SMS with Feature PackSMS with Feature Pack

Upcoming Security Tools* Security Configuration Editor (SCE)*Security Configuration Editor (SCE)*

Server role based security configurationServer role based security configuration In-the-box server rolesIn-the-box server roles Wizard will allow construction of customized server role Wizard will allow construction of customized server role

security configurationssecurity configurations Lockdown testing to verify system functions as expectedLockdown testing to verify system functions as expected

Microsoft Audit Collection Services (MACS)Microsoft Audit Collection Services (MACS) Real-time security event collection tool for servers & desktopsReal-time security event collection tool for servers & desktops Events encrypted, signed, compressed & collected in SQL Events encrypted, signed, compressed & collected in SQL

database allowing as-needed reportingdatabase allowing as-needed reporting Separates administrator and auditor rolesSeparates administrator and auditor roles Subscriber API allows intrusion detection applications to get Subscriber API allows intrusion detection applications to get

real-time filtered eventsreal-time filtered events Release planned at same time as WS2003 SP1Release planned at same time as WS2003 SP1

*Planned for release in H2 2003*Planned for release in H2 2003

Software Update Services (SUS)

Corporate solution for Windows Corporate solution for Windows OS critical and security patch OS critical and security patch managementmanagement

Supports critical and security Supports critical and security (critical and medium) patches and (critical and medium) patches and security patch rollups todaysecurity patch rollups today

SUS server automatically SUS server automatically downloads patches from Windows downloads patches from Windows Update ServiceUpdate Service

Target computers can be centrally Target computers can be centrally configured (via GP) to synchronize configured (via GP) to synchronize with either SUS server or WU with either SUS server or WU ServiceService

Various download and patch Various download and patch application configuration optionsapplication configuration options

Microsoft Windows Update ServiceMicrosoft Windows Update Service

Geographically Distributed EnterpriseGeographically Distributed Enterprise

IntranetIntranet

SUS ServerSUS Server

Target computers withTarget computers withAutomated Updates (AU)Automated Updates (AU)

Agenda






Resource management

Security management

Backup & Restore


Shadow Copy Backup & Restore

Administrators can Administrators can configure point-in-time configure point-in-time backups of user databackups of user data

Incremental backup Incremental backup minimized disk space minimized disk space consumptionconsumption

Self-service document Self-service document restore for usersrestore for users

Reduces administrator Reduces administrator workload and user workload and user frustration & downtimefrustration & downtime

Client sideClient side

Server side Server side

AgendaDirectory & policy based management





Resource management

Security management

Backup & Restore


Summary of Manageability Enhancements

Usability of management featuresAD enhancements, GPMC, server role based management, WMIC

Management automationRIS, ADS, WMIC, Command line utilities, New WMI providers, new GP settings, GP scripting, SFU 3.0

Remote & headless server managementEMS + RIS + Terminal Server enhancements provide full support for remote, headless system management

Built-in manageability for system servicesIIS manageability, Server Cluster & Network Load Balancing management, WSRM, monitoring, tracing & diagnostics enhancements

Security managementSecurity Templates, Software Restriction Policies, Security Configuration Editor, MACS, SUS, Network Quarantine, etc.

*Delivered after initial release of Windows 2000*Delivered after initial release of Windows 2000

††Available via Microsoft Services for Unix productAvailable via Microsoft Services for Unix product

Management Capabilities:WS2003 vs. WinNT 4.0 and Win2K

Area Windows NT 4.0

Windows 2000 Server

Windows Server 2003

Overall manageability

Directory services

Policy-based management

Security Management

Update / patch management *

Remote & headless server support

Wizard & GUI based administration

Storage and data management

Services management (clusters, IIS, etc.)

Managing mixed Unix / Windows environments †

*

More Information at

Windows Server Management page: http://www.microsoft.com/windowsserver2003/technologies/management/default.mspx

Windows Server Management at Technet: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/management/default.asp

Microsoft Management page: http://www.microsoft.com/management

Microsoft Solutions for Management page: http://www.microsoft.com/solutions/msm

http://www.microsoft.com/windowsserver2003/technologies/management/default.mspx

http://www.microsoft.com/windowsserver2003/technologies/management/default.mspx

Community Resources

Community website: http://www.microsoft.com/windowsserver2003/community/centers/management/default.asp

Windows Server Management Support: http://support.microsoft.com/default.aspx?scid=fh;EN-US;winsvr2003mgmt

Group Policy Newsgroup: http://www.microsoft.com/windowsserver2003/community/newsgroups/windows_grouppolicy.asp

Software Update Services Newsgroup: http://www.microsoft.com/windowsserver2003/community/newsgroups/softwareupdatesvcs.asp

Windows Server Scripting Newsgroup: http://www.microsoft.com/windowsserver2003/community/newsgroups/windows_server_scripting.asp

Suggested Reading And Resources

Visit the Microsoft Press Kiosk today to receive 40% off books purchased from Amazon.com

Microsoft Press books are available at the TechEd Bookstore and also at the Ask the Experts area in the Expo Hall

The tools you need to put technology to work!The tools you need to put technology to work!

TITLETITLE AvailableAvailable

Active DirectoryActive Directory®® for for MicrosoftMicrosoft®® Windows Windows®® Server 2003 Server 2003 Technical ReferenceTechnical Reference

TodayToday

evaluationsevaluations

© 2003 Microsoft Corporation. All rights reserved.© 2003 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

ADM350 Windows Server 2003: Management Capabilities BJ Whalen Program Manager Windows Server Microsoft Corporation.

Documents

box management

console access

group policyships

system administrationremote

system objects

new policy settingshttp

wmi object modelnew

adm350windows server