ADM350
Windows Server 2003: Management Capabilities
BJ Whalen, Program Manager, Windows Server, Microsoft Corporation
Jan 16, 2016
Windows Server 2003 Manageability Focus
Usability of management features
Management automation
Remote & headless server management
Built-in manageability for system services
Security management
Agenda
Directory & policy based management
Scripting & command line management
Role based management
Remote and headless system administration
Deployment solutions
Resource management
Security management
Backup & Restore
Summary of manageability enhancements
Active Directory Management Enhancements (Part 1)
Removed Irreversible Decisions
  Domain rename
  DC rename
  Schema delete
Deployment improvements
  Improved replication
  Delta replication for group membership changes
  5000 member limit removed
  Install replica from media
  Cross Forest Trust
  Improved Topology Generator (KCC) – support for 5000 sites
  ADMT improvements: password migration, scripting & cmd-line interface
Active Directory Management Enhancements (Part 2)
Operational Improvements
  Universal group caching
  Cmdline access to DS: DSMod, DSAdd, DSGet
  Quotas on object ownership
  Replication & trust monitoring - RepAdmin
UI Enhancements
  Multi-object editing
  Drag & drop
  Saved queries
Group Policy
[Diagram labels: Active Directory; One Administrator Action; New Policy; Many End User Results; Many Computer Results]
Goal: Improve the Admin Experience
GPMC
  New admin tool for managing Group Policy
  Ships via Web
Resultant Set of Policy (RSoP)
WMI Filters
Command Line tools
  GPUpdate, GPResult
32 GPMC Sample Scripts
New Policy Settings
  Full list across all operating systems at: http://go.microsoft.com/fwlink/?LinkId=15165
Group Policy Management Console
Improved User Interface
  Based on how customers use Group Policy
Improved security management
Integration of RSoP
HTML and XML Reporting of GPOs and RSoP
New capabilities for rapid deployment of policy
  Backup/restore, import/copy
Scriptability
  Enables customization and automation
Support for Staging
  First create in sandbox test environment
  Replicate to production
New Scenarios with GPMC
Read only access to GPOs
Documenting all GPOs in the domain
Backing up all GPOs
Rapidly create and deploy managed configurations
Planning and Troubleshooting
Staging from test to production
Group Policy Management Console
demo
WMI – What is it
Uniform management interface for distributed systems management
  Common access and query capabilities and discovery via a common data model
  Exposes relationships between various aspects of Management domains
  Universal programmable agent for health monitoring and remote management
Out-of-the-box management for over 10,000 system objects
Historically geared for developers, but that is now changing…
  With WMIC, WMI becomes accessible to Admins
WMI Architecture
Client Services
  Scripting API
  COM API
  DCOM Remoting
  WMIC
Core Services
  Namespace services
  Query
  Security
  Events subscriptions
Provider Subsystem
  Secure provider hosting
Providers
  Abstraction of the OS services and application APIs
[Diagram labels: WMI; COM Client; WSH; Script API; C:\>wmic; DCOM; COM; Core Services (Query Service, Pub/Sub Service, View Service, Repository, Schema RT / Provider Subsystem, Event Filtering); IPC; Provider subsystem; WMI Providers (loaded on-demand): LOB app provider, Active Directory, WMI ext for WDM, NT EventLog, Perf Counters, Registry; Managed applications and platform services]
WMI Enhancements
New WMI Console (WMIC)
  Command line and console access to WMI
  Simplified view to the WMI object model
New and updated WMI providers
  AD replication and trust
  Server clustering
  DFS
  Internet Information Server
  Terminal Services
  Others
Benefits:
  WMI is now usable by admins
  More stuff is manageable through WMI
WMIC Architecture
[Diagram labels: WMIC Engine; XSLT; output formats: Console, HTML, CSV, MOF, Customer defined; XML DOM; Alias schema; Access via Alias (Friendly Name); Direct Access (PATH/CLASS); WMI; Providers]
WMIC Highlights
Command line tool that allows writing basic scripts in cmd.exe
  Avail on XP and Server 2003
  Can manage Win2k computers
Supports interactive mode – admin console for WMI
Easy to learn command language
  Common grammar
  Progressive help discovery
Vocabulary driven by WMI instrumentation and aliases
  Can access any WMI object
  Simplified access to key WMI objects (80 aliases, 150 methods)
Transparent remoting
Multiple output formats
  Built-in support for: Console, HTML, CSV, MOF
  Customer defined formats (using XSLT)
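The alias access, direct PATH access, remoting and output formats listed for WMIC, combined into a small patch and service inventory run from cmd.exe. This is an added example, not part of the original slides; SERVER01 and SERVER02 are constructed host names and the output folder under %TEMP% is an assumption.

```bat
@echo off
rem Added example: per-server inventory collected with WMIC.
rem SERVER01 / SERVER02 are constructed names; replace with real hosts.
setlocal
set "OUT=%TEMP%\wmic-inventory"
if not exist "%OUT%" mkdir "%OUT%"

for %%S in (SERVER01 SERVER02) do (
    echo Querying %%S

    rem Access via alias: "qfe" is the friendly name for
    rem Win32_QuickFixEngineering (installed hotfixes). CSV output.
    wmic /node:"%%S" /output:"%OUT%\%%S-hotfixes.csv" qfe get HotFixID,InstalledOn /format:csv

    rem Direct access by class path, using the same remoting switch.
    wmic /node:"%%S" /output:"%OUT%\%%S-os.csv" path Win32_OperatingSystem get Caption,Version,ServicePackMajorVersion /format:csv

    rem Auto-start services that are not running, as an HTML table.
    wmic /node:"%%S" /output:"%OUT%\%%S-services.html" service where "StartMode='Auto' and State<>'Running'" get Name,State /format:htable
)

rem Progressive help: list the aliases, then the verbs of one alias.
wmic alias list brief
wmic qfe /?
endlocal
```

The account running the script needs WMI/DCOM access to each target; a host that cannot be reached produces an error from wmic and the loop moves on to the next name.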
Command Line Tools
Command line execution of common administration tasks
Simplifies top system administration tasks
Transparent remoting
60+ commands
Documented in “ntcmds.chm”
Manage Your Server Roles
Key Benefits
  Easy to configure, discover, and manage server roles
  Confidence that server roles are correctly set up
  Easy to find configuration and management tools and resources
Configure Your Server wizard
  Wizard based setup for server roles
  ‘Typical’ or standard ‘Specific’ roles
  Can be run multiple times
Manage Your Server console
  Central place to find configuration and management tools
  Server role discovery, removal, and management
Role-based Server Management
demo
Remote Management Using Terminal Services
[Diagram labels: Client; Terminal Server; RDP; TCP/IP]
Remote Management Scenarios
  HelpDesk
    Remote Assistance to view and interact with remote user’s desktop
  IT Pro Administration
    Remote Desktop for Administration – remotely manage servers
    Remote access to console (session 0)
    “Remote Desktops” MMC snap-in – for managing multiple computers from single interface
Remote Mgmt of Terminal Servers
  Group Policy settings – computer and user setting, permissions, etc.
  TS WMI provider – scriptable interface for managing TS settings
Emergency Management Services (EMS)
What it does:
  Provides ‘out of band’ capabilities to bring distressed system back to ‘in-band’ management state
Customer Scenarios:
  Remote emergency management of Windows computers when traditional methods not avail.
  Headless (no KVM) and data centers
Key OS Scenarios:
  Boot
  System Crash
  System setup
How it works:
  Enables console redirection of boot loader, textmode setup, blue screens for headless server support
  Secure Administration Console (SAC) provides limited set of powerful commands to return system to ‘in-band’ state
Windows Pre-Installation Environment* (Windows PE)
Minimal footprint subset of Windows Server 2003/Windows XP
  TCP/IP networking support
  Scriptable disk configuration tools
Replaces DOS as pre-installation environment
Hardware independent
Scriptable
Customizable
1) Boot target with Windows PE
2) Prepare disk with Diskpart (scriptable)
3) Format disk with Format (scriptable)
4) Apply image or run scripted install from distribution point
[Diagram labels: Target Server or Desktop; File Share]
*Windows PE is available to Enterprise Agreement, Select, and Software Assurance customers only
Remote Installation Services (RIS)
[Diagram labels: Desktops or Servers; DHCP Server; RIS Server; AD]
Automated network install of OS or OS + Apps
For bare metal/full refresh deployments
Initiated by PXE or floppy boot
Scripted or imaged deployments
Key Enhancements
  Supports all versions of Windows 2000 & Windows Server 2003 + Windows XP Pro
  Fully automated deployment enabled
  Support for headless server deployment
  Security – password encryption, secure domain join, etc.
  HAL filtering for RIPrep
Automated Deployment Services (ADS)
[Diagram labels: Command Line Tools; MMC UI; Customer Scripts; WMI Interface; ADS Controller; Controller Service; Network Boot Service; Image Distribution Service; DB (MSDE/SQL); Target Server; ADS Deployment Agent; Target Server; ADS Admin Agent; ADS Imaging Tools; Post-OS Stage]
Key Benefits
  Rapid automated bulk deployment of servers
  New powerful, flexible imaging format and tools from Microsoft
  Deployment and script based administration of 1000 servers as easily as one
Designed for high bandwidth datacenter environment
Framework for mass server administration – deployment and scripting
New flexible Microsoft imaging format and tools
Initiated by PXE boot
Multicast, multi-server deployments
Deploys Windows 2000 and Windows Server 2003 servers
*ADS provided with Enterprise & Datacenter Editions of Windows Server 2003
Windows System Resource Manager (WSRM)
What it does
  WSRM facilitates consolidation of applications onto a single instance of Windows
  Lets you throttle individual processes based on:
    % CPU
    Real memory
    Virtual memory
How it works
  Identify processes, what to manage
  Create resource management policies to define caps
  Apply policies based on a date/time schedule
  Create, store, view and export accounting records
Availability
  WSRM ships with Windows Server 2003, Enterprise and Datacenter Editions
Consolidation with WSRM
Benefits
  Facilitates server consolidation in poor use of resources scenarios
  Increases availability of critical applications in mixed workload scenarios
  Results in improved understanding of application resource utilization behavior
Scenarios
  Single or multiple important LOB apps with other applications or services
  Manage Users on a large Terminal Server system
  Multiple SQL Server instances
  Manage resource usage of individual IIS6 Application Pools on a server
  SQL Server and IIS6 running on the same machine
WSRM Screenshots
[Screenshots: Administration GUI; Accounting reports; Impact of resource allocation changes; Policy scheduling calendar]
Security Management
Security configuration & policy enforcement
  Group Policy is key deployment mechanism
  Strong password enforcement by default
  Software restriction policies
Security auditing
  Per user and operation based auditing
  Logon/logoff & account management auditing
Vulnerability assessment & security updates
  Windows Update Service
  Microsoft Baseline Security Analyzer
  Software Update Services
  SMS with Feature Pack
Upcoming Security Tools*
Security Configuration Editor (SCE)*
  Server role based security configuration
  In-the-box server roles
  Wizard will allow construction of customized server role security configurations
  Lockdown testing to verify system functions as expected
Microsoft Audit Collection Services (MACS)
  Real-time security event collection tool for servers & desktops
  Events encrypted, signed, compressed & collected in SQL database allowing as-needed reporting
  Separates administrator and auditor roles
  Subscriber API allows intrusion detection applications to get real-time filtered events
  Release planned at same time as WS2003 SP1
*Planned for release in H2 2003
Software Update Services (SUS)
Corporate solution for Windows OS critical and security patch management
Supports critical and security (critical and medium) patches and security patch rollups today
SUS server automatically downloads patches from Windows Update Service
Target computers can be centrally configured (via GP) to synchronize with either SUS server or WU Service
Various download and patch application configuration options
[Diagram labels: Microsoft Windows Update Service; Geographically Distributed Enterprise; Intranet; SUS Server; Target computers with Automated Updates (AU)]
Shadow Copy Backup & Restore
Administrators can configure point-in-time backups of user data
Incremental backup minimizes disk space consumption
Self-service document restore for users
Reduces administrator workload and user frustration & downtime
[Screenshots: Client side; Server side]
Summary of Manageability Enhancements
Usability of management features
  AD enhancements, GPMC, server role based management, WMIC
Management automation
  RIS, ADS, WMIC, Command line utilities, New WMI providers, new GP settings, GP scripting, SFU 3.0
Remote & headless server management
  EMS + RIS + Terminal Server enhancements provide full support for remote, headless system management
Built-in manageability for system services
  IIS manageability, Server Cluster & Network Load Balancing management, WSRM, monitoring, tracing & diagnostics enhancements
Security management
  Security Templates, Software Restriction Policies, Security Configuration Editor, MACS, SUS, Network Quarantine, etc.
Management Capabilities: WS2003 vs. WinNT 4.0 and Win2K
Area | Windows NT 4.0 | Windows 2000 Server | Windows Server 2003
Overall manageability
Directory services
Policy-based management
Security Management
Update / patch management *
Remote & headless server support
Wizard & GUI based administration
Storage and data management
Services management (clusters, IIS, etc.)
Managing mixed Unix / Windows environments †
*Delivered after initial release of Windows 2000
†Available via Microsoft Services for Unix product
More Information at
Windows Server Management page: http://www.microsoft.com/windowsserver2003/technologies/management/default.mspx
Windows Server Management at Technet: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/management/default.asp
Microsoft Management page: http://www.microsoft.com/management
Microsoft Solutions for Management page: http://www.microsoft.com/solutions/msm
Community Resources
Community website: http://www.microsoft.com/windowsserver2003/community/centers/management/default.asp
Windows Server Management Support: http://support.microsoft.com/default.aspx?scid=fh;EN-US;winsvr2003mgmt
Group Policy Newsgroup: http://www.microsoft.com/windowsserver2003/community/newsgroups/windows_grouppolicy.asp
Software Update Services Newsgroup: http://www.microsoft.com/windowsserver2003/community/newsgroups/softwareupdatesvcs.asp
Windows Server Scripting Newsgroup: http://www.microsoft.com/windowsserver2003/community/newsgroups/windows_server_scripting.asp
Suggested Reading And Resources
Visit the Microsoft Press Kiosk today to receive 40% off books purchased from Amazon.com
Microsoft Press books are available at the TechEd Bookstore and also at the Ask the Experts area in the Expo Hall
The tools you need to put technology to work!
Title: Active Directory® for Microsoft® Windows® Server 2003 Technical Reference
Available: Today
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.