ADM350
Windows Server 2003:
Management Capabilities
BJ Whalen
Program Manager
Windows Server
Microsoft Corporation
Windows Server 2003
Manageability Focus
Usability of management features
Management automation
Remote & headless server management
Built-in manageability for system services
Security management
Agenda
Directory & policy based management
Scripting & command line management
Role based management
Remote and headless system administration
Deployment solutions
Resource management
Security management
Backup & Restore
Summary of manageability enhancements
Active Directory Management
Enhancements (Part 1)
Removed Irreversible Decisions
Domain rename
DC rename
Schema delete (schema classes and attributes can now be deactivated and redefined rather than being permanent)
Deployment improvements
Improved replication: delta (linked-value) replication for group membership changes; 5000-member group limit removed
Install replica from media
Cross-forest trust
Improved topology generator (KCC): supports up to 5000 sites
ADMT improvements: password migration, scripting & command-line interface
Active Directory Management
Enhancements (Part 2)
Operational Improvements
Universal group caching
Command-line access to the directory: DSAdd, DSMod, DSGet (together with DSQuery, DSMove and DSRm)
Quotas on object ownership
Replication & trust monitoring: RepAdmin
UI Enhancements
Multi-object editing
Drag & drop
Saved queries
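Added example, not from the original deck: the DS command-line tools and RepAdmin named above, driven from PowerShell to audit a privileged group's membership and to pull replication failures out of repadmin. Assumptions: it runs on a domain-joined host as an account allowed to read AD; repadmin comes from the Windows Server 2003 Support Tools and its "/csv" output switch is present (it shipped with the SP1 tools); PowerShell 2.0 or later; the group name, site and DC names in the constructed sample are placeholders.

```powershell
# Added example, not from the original deck. Assumes domain membership, read access
# to AD, the Support Tools' repadmin with the /csv switch, and PowerShell 2.0+.

# Members of a privileged group, nested groups expanded, with the flags an auditor
# wants. cmd.exe equivalent of the pipeline below:
#   dsquery group -samid "Domain Admins" | dsget group -members -expand | dsget user -samid -disabled -pwdneverexpires
function Get-PrivilegedGroupMembers {
    param([string]$GroupSamId = 'Domain Admins')

    # dsquery prints the DN wrapped in quotes; strip them so PowerShell can re-quote
    # the argument (the DN contains spaces) when it calls dsget.
    $groupDn = @(dsquery group -samid $GroupSamId)[0] -replace '"', ''
    if (-not $groupDn) { throw "Group '$GroupSamId' not found" }

    $rows = dsget group $groupDn -members -expand |
            dsget user -samid -disabled -pwdneverexpires
    foreach ($row in $rows) {
        # dsget prints a header row, one row per user and a "dsget succeeded" line;
        # only the data rows match this pattern.
        if ($row -match '^\s*(\S+)\s+(yes|no)\s+(yes|no)\s*$') {
            New-Object PSObject -Property @{
                Group           = $GroupSamId
                SamAccountName  = $Matches[1]
                Disabled        = ($Matches[2] -eq 'yes')
                PwdNeverExpires = ($Matches[3] -eq 'yes')
            }
        }
    }
}

# Replication links with failures, from repadmin's CSV output. The parser takes the
# text as a parameter so it can be run on saved output as well as live.
function Get-ReplicationFailures {
    param([string[]]$ShowReplCsv = $(repadmin /showrepl * /csv))

    $ShowReplCsv | Where-Object { $_ -match '^showrepl_' } |   # drop any preamble
        ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status'
}

# Constructed sample in the repadmin /showrepl /csv layout (not real output):
# DC03 -> DC01 has failed four times with status 1722 (RPC server unavailable).
$sampleShowRepl = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=corp,DC=example",BRANCH,DC02,RPC,0,0,2003-06-02 09:10:11,0
showrepl_INFO,HQ,DC01,"DC=corp,DC=example",BRANCH,DC03,RPC,4,2003-06-02 09:12:00,2003-06-01 22:00:00,1722
'@ -split '\r?\n'

Get-ReplicationFailures -ShowReplCsv $sampleShowRepl | Format-Table -AutoSize
# Live, against the domain:
#   Get-PrivilegedGroupMembers | Format-Table -AutoSize
#   Get-ReplicationFailures | Format-Table -AutoSize
```

Both functions return objects rather than text, so the output can be filtered again (for example, every Domain Admin whose password never expires) or written to CSV for the auditor the slides on security management talk about.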
Group Policy
Goal: Improve the Admin Experience
[Diagram: one administrator action in Active Directory yields many end-user results and many computer results]
GPMC: new admin tool for managing Group Policy, ships via the Web
Resultant Set of Policy (RSoP)
WMI filters
Command line tools: GPUpdate, GPResult
32 GPMC sample scripts
New policy settings; full list across all operating systems at http://go.microsoft.com/fwlink/?LinkId=15165
Group Policy Management Console
Improved User Interface
Based on how customers use Group Policy
Improved security management
Integration of RSoP
HTML and XML Reporting of GPOs and RSOP
New capabilities for rapid deployment of policy
Backup/restore, import/copy
Scriptability
Enables customization and automation
Support for Staging
First create in sandbox test environment
Replicate to production
New Scenarios with GPMC
Read only access to GPOs
Documenting all GPOs in the domain
Backing up all GPOs
Rapidly create and deploy managed
configurations
Planning and Troubleshooting
Staging from test to production
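Added example, not one of the 32 GPMC sample scripts: the "backing up all GPOs" and "documenting all GPOs" scenarios above, done through the GPMC COM automation interfaces (GPMgmt.GPM) that the sample scripts themselves call. Assumptions: GPMC is installed on the machine running this; GPMC 1.0 is a 32-bit component, so on a 64-bit host it must be driven from a 32-bit PowerShell; the account can read every GPO; the domain name and folder paths are placeholders; the backup folder should sit on a volume whose ACL limits who can read the exported settings, since a GPO backup contains everything the policy sets.

```powershell
# Added example, not from the deck or the GPMC sample scripts. Assumes GPMC (32-bit)
# is installed, read access to all GPOs, and placeholder domain/folder names.

function Backup-AllGpos {
    param(
        [string]$Domain    = 'corp.example.com',
        [string]$BackupDir = 'C:\GPOBackups',
        [string]$ReportDir = 'C:\GPOReports'
    )
    foreach ($dir in $BackupDir, $ReportDir) {
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    }

    $gpm  = New-Object -ComObject GPMgmt.GPM
    $k    = $gpm.GetConstants()
    $dom  = $gpm.GetDomain($Domain, '', $k.UseAnyDC)
    $gpos = $dom.SearchGPOs($gpm.CreateSearchCriteria())   # empty criteria = every GPO

    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    foreach ($gpo in $gpos) {
        # Backup() and GenerateReportToFile() return a GPMResult; OverallStatus()
        # throws if any status message in it is an error, so a bad GPO stops the run
        # instead of silently leaving a gap in the backup set.
        $gpo.Backup($BackupDir, "Scripted backup $stamp").OverallStatus()

        $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
        $report   = Join-Path $ReportDir "$safeName-$stamp.html"
        $gpo.GenerateReportToFile($k.ReportHTML, $report).OverallStatus()

        New-Object PSObject -Property @{
            Name     = $gpo.DisplayName
            Id       = $gpo.ID
            Modified = $gpo.ModificationTime
            Report   = $report
        }
    }
}

# The backups are located later with $gpm.GetBackupDir($BackupDir).SearchBackups(...)
# and imported into a test or production GPO with GPMGPO.Import, which is the
# staging flow (sandbox first, then production) the deck describes.
Backup-AllGpos | Format-Table Name, Id, Modified -AutoSize
```

The HTML reports are the "documenting all GPOs" deliverable and diff well between runs; the timestamp in the comment and file name is what lets you tie a report to the backup it came from when a setting has to be explained or rolled back.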
demo: Group Policy Management Console
WMI – What is it
Uniform management interface for distributed systems management
Common access and query capabilities and discovery via a common data model
Exposes relationships between various aspects of management domains
Universal programmable agent for health monitoring and remote management
Out-of-the-box management for over 10,000 system objects
Historically geared for developers, but that is now changing: with WMIC, WMI becomes accessible to admins
WMI Architecture
[Diagram: clients (a COM client, a WSH script, C:\>wmic) use the Scripting API or the COM API, remoted over DCOM, to reach the WMI core services: namespace services, query service, security, event subscriptions (pub/sub service), the repository, the schema runtime and the provider subsystem with secure provider hosting. WMI providers are loaded on demand and abstract the OS services and application APIs: Registry, Perf Counters, NT Event Log, WMI extensions for WDM, Active Directory, LOB application providers, the View provider and event filtering, with managed applications and platform services underneath.]
WMI Enhancements
New WMI Console (WMIC)
Command line and console access to WMI
Simplified view of the WMI object model
New and updated WMI providers
AD replication and trust
Server clustering
DFS
Internet Information Services (IIS)
Terminal Services
Others
Benefits:
WMI is now usable by admins
More of the platform is manageable through WMI
WMIC Architecture
[Diagram: the WMIC engine reaches WMI providers either directly (PATH/CLASS) or through the alias schema (friendly names); results pass through an XML DOM and XSLT stylesheets to produce console, HTML, CSV, MOF or customer-defined output.]
WMIC Highlights
Command-line tool that allows writing basic scripts in cmd.exe
Available on XP and Server 2003
Can manage Windows 2000 computers remotely (WMIC itself runs on XP/2003)
Supports interactive mode – admin console for WMI
Easy to learn command language
Common grammar
Progressive help discovery
Vocabulary driven by WMI instrumentation and aliases
Can access any WMI object
Simplified access to key WMI objects (80 aliases, 150 methods)
Transparent remoting (/node: uses DCOM, so RPC port 135 plus dynamic ports must be reachable)
Caveat: avoid passing /password: on the command line; the password is visible to other local users in the process command line
Multiple output formats
Built-in support for: Console, HTML, CSV, MOF
Customer-defined formats (using XSLT)
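Added example, not from the original deck: the WMI object model the WMIC slides describe, used for a check a security practitioner actually runs across servers. It queries Win32_Service on one or more hosts and flags services that run as LocalSystem from an unquoted image path containing spaces, a misconfiguration that lets a local user who can write to an earlier path segment (for example C:\Program.exe) run code as SYSTEM. Get-WmiObject uses the same DCOM remoting as WMIC, and the cmd.exe equivalent of the query is shown in a comment. Assumptions: host names are placeholders, the account is a local administrator on each host, and the three sample service records are constructed rather than read from a machine.

```powershell
# Added example, not from the original deck. Same data WMIC returns for
#   wmic /node:SERVER01 service get Name,PathName,StartName,StartMode,State /format:csv
# Host names are placeholders; the caller must be a local administrator on each host.

function Test-UnquotedServicePath {
    param([string]$PathName)
    if (-not $PathName) { return $false }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return $false }            # quoted image path: safe
    # The executable part ends at the first ".exe"; anything after it is arguments,
    # so spaces there do not matter.
    $exe = if ($p -match '^(.*?\.exe)') { $Matches[1] } else { $p }
    return [bool]($exe -match ' ')
}

function Get-RiskyServices {
    param([string[]]$ComputerName = @('.'))
    foreach ($computer in $ComputerName) {
        Get-WmiObject -Class Win32_Service -ComputerName $computer |
            Where-Object { $_.StartName -eq 'LocalSystem' -and (Test-UnquotedServicePath $_.PathName) } |
            Select-Object @{ n = 'Computer'; e = { $computer } }, Name, StartMode, State, PathName
    }
}

# Constructed records shaped like Win32_Service instances, to exercise the check
# offline. Only "BackupAgent" should be flagged: svchost has no space in its
# executable path and AcmeMonitor's path is quoted.
$sampleServices = @(
    @{ Name = 'svchost';     StartName = 'LocalSystem'; PathName = 'C:\WINDOWS\system32\svchost.exe -k netsvcs' },
    @{ Name = 'BackupAgent'; StartName = 'LocalSystem'; PathName = 'C:\Program Files\Acme Backup\agent.exe' },
    @{ Name = 'AcmeMonitor'; StartName = 'LocalSystem'; PathName = '"C:\Program Files\Acme\monitor.exe" /service' }
) | ForEach-Object { New-Object PSObject -Property $_ }

$sampleServices | Where-Object { Test-UnquotedServicePath $_.PathName } | Select-Object Name, PathName

# Live, across servers:
#   Get-RiskyServices -ComputerName 'SERVER01', 'SERVER02' | Format-Table -AutoSize
```

The fix for a flagged service is to quote the ImagePath value (sc config <name> binPath= "\"C:\Program Files\...\agent.exe\"") and to make sure non-administrators cannot write to the directories along that path.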
Command Line Tools
Command line execution of common
administration tasks
Simplifies top system administration tasks
Transparent remoting
60+ commands
Documented in “ntcmds.chm”
Manage Your Server Roles
Configure Your Server wizard
Wizard-based setup for server roles
'Typical' configuration or specific roles
Can be run multiple times
Manage Your Server console
Central place to find configuration and management tools
Server role discovery, removal, and management
Key Benefits
Easy to configure, discover, and manage server roles
Confidence that server roles are correctly set up
Easy to find configuration and management tools and resources
demo: Role-based Server Management
Remote Management Using Terminal Services
Remote Management Scenarios
[Diagram: Terminal Server client reaching servers over RDP on TCP/IP]
HelpDesk
Remote Assistance to view and interact with a remote user's desktop
IT Pro Administration
Remote Desktop for Administration – remotely manage servers (two concurrent remote sessions plus the console)
Remote access to the console (session 0)
"Remote Desktops" MMC snap-in – for managing multiple computers from a single interface
Remote Mgmt of Terminal Servers
Group Policy settings – computer and user settings, permissions, etc.
TS WMI provider – scriptable interface for managing TS settings
Caveat: restrict the "Allow log on through Terminal Services" user right to the administrators who need it and set the client connection encryption level to High via Group Policy; RDP on this release does not authenticate the client before the logon screen is shown
Emergency Management Services (EMS)
What it does:
Provides 'out-of-band' capabilities to bring a distressed system back to an 'in-band' management state
Customer Scenarios:
Remote emergency management of Windows computers when traditional methods are not available
Headless (no KVM) servers and data centers
Key OS Scenarios:
Boot
System crash
System setup
How it works:
Enables console redirection of the boot loader, text-mode setup and stop-error (blue) screens over a serial port, for headless server support
Special Administration Console (SAC) provides a limited set of powerful commands (restart, shutdown, kill process, open a cmd channel) to return the system to an 'in-band' state
Caveat: the serial console is as sensitive as physical console access; SAC's restart, shutdown and process-kill commands need no logon (only a cmd channel prompts for credentials), so the serial port or terminal concentrator it is attached to must be physically and network secured
Windows Pre-Installation Environment* (Windows PE)
[Diagram: target server or desktop booting Windows PE and installing from a file share]
1) Boot target with Windows PE
2) Prepare disk with Diskpart (scriptable)
3) Format disk with Format (scriptable)
4) Apply image or run scripted install from distribution point
Minimal footprint subset of Windows Server 2003/Windows XP
TCP/IP networking support
Scriptable disk configuration tools
Replaces DOS as preinstallation environment
Hardware independent
Scriptable
Customizable
*Windows PE is available to Enterprise Agreement, Select, and Software Assurance customers only
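Added example, not from the original deck, covering steps 2 to 4 of the Windows PE flow above: a diskpart script, the format call, and the hand-off to a scripted install from a distribution point. The Windows Server 2003-era Windows PE has no PowerShell, so there the diskpart script file and the two command lines are run from cmd.exe exactly as shown; the PowerShell wrapper assumes a PowerShell-capable PE (WinPE 2.0 or later) or a lab VM. Disk number, drive letters, share name and answer-file name are placeholders, and the target disk is wiped.

```powershell
# Added example, not from the original deck. Assumes a PowerShell-capable PE or lab
# VM; placeholder disk, drive letters, share and answer file. Disk 0 is erased.

# diskpart script: one primary, active partition spanning disk 0. diskpart on
# Windows Server 2003 cannot format, hence the separate format step (step 3).
$diskpartScript = @'
select disk 0
clean
create partition primary
select partition 1
active
assign letter=C
exit
'@

function Initialize-TargetDisk {
    param(
        [string]$ScriptText = $diskpartScript,
        [string]$ScriptPath = 'X:\prep.txt'     # X: is the WinPE 2.0+ RAM drive
    )
    Set-Content -Path $ScriptPath -Value $ScriptText -Encoding ASCII
    diskpart /s $ScriptPath                       # step 2, scripted as the slide says
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed: exit code $LASTEXITCODE" }
    format C: /FS:NTFS /Q /Y                      # step 3; /Y suppresses the prompt
    if ($LASTEXITCODE -ne 0) { throw "format failed: exit code $LASTEXITCODE" }
}

function Start-ScriptedInstall {
    param([string]$Share = '\\DEPLOY01\W2K3', [string]$AnswerFile = 'unattend.txt')
    net use Z: $Share | Out-Null
    # Step 4. winnt32 options: /unattend answer file, /s source, /syspart and
    # /tempdrive select the prepared volume, /makelocalsource copies the source
    # locally so the share can disappear mid-install.
    # The answer file carries the local Administrator (and any domain-join) password;
    # unless EncryptedAdminPassword is used it is clear text, so keep the share ACL
    # tight and change that password after deployment.
    & 'Z:\i386\winnt32.exe' "/unattend:Z:\$AnswerFile" /s:Z:\i386 /syspart:C: /tempdrive:C: /makelocalsource
}

Initialize-TargetDisk
Start-ScriptedInstall
```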
Remote Installation Services (RIS)
[Diagram: DHCP server, RIS server and Active Directory serving PXE-booted desktops or servers]
Automated network install of OS or OS + apps
For bare-metal/full-refresh deployments
Initiated by PXE or floppy boot
Scripted or imaged deployments
Key Enhancements
Supports all versions of Windows 2000 & Windows Server 2003 + Windows XP Pro
Fully automated deployment enabled
Support for headless server deployment
Security – password encryption, secure domain join, etc.
HAL filtering for RIPrep
Caveat: the PXE boot path itself is unauthenticated, so a rogue DHCP/PXE server on the same segment can hand a client a different image; keep RIS on controlled network segments, prestage computer accounts and enable "respond only to known client computers"
Automated Deployment Services (ADS)
[Diagram: ADS Controller – MMC UI, command line tools, customer scripts and ADS imaging tools over a WMI interface; Controller Service, Network Boot Service, Image Distribution Service and a DB (MSDE/SQL) – driving the ADS Deployment Agent on target servers during deployment and the ADS Admin Agent in the post-OS stage]
Designed for high-bandwidth datacenter environments
Framework for mass server administration – deployment and scripting
New flexible Microsoft imaging format and tools
Initiated by PXE boot
Multicast, multi-server deployments
Deploys Windows 2000 and Windows Server 2003 servers
Key Benefits
Rapid automated bulk deployment of servers
New powerful, flexible imaging format and tools from Microsoft
Deployment and script-based administration of 1000 servers as easily as one
*ADS provided with Enterprise & Datacenter Editions of Windows Server 2003
Windows System Resource Manager (WSRM)
What it does
WSRM facilitates consolidation of applications onto a single instance of Windows
Lets you throttle individual processes based on:
% CPU
Real (physical) memory
Virtual memory
How it works
Identify processes, what to manage
Create resource management policies to define caps
Apply policies based on a date/time schedule
Create, store, view and export accounting records
Availability
WSRM ships with Windows Server 2003, Enterprise and Datacenter Editions
Consolidation with WSRM
Benefits
Facilitates server consolidation where resources are poorly utilized
Increases availability of critical applications in mixed-workload scenarios
Results in improved understanding of application resource utilization behavior
Scenarios
Single or multiple important LOB apps alongside other applications or services
Manage users on a large Terminal Server system
Multiple SQL Server instances
Manage resource usage of individual IIS 6 application pools on a server
SQL Server and IIS 6 running on the same machine
WSRM Screenshots
Administration GUI
Impact of resource allocation changes
Policy scheduling calendar
Accounting reports
Security Management
Security configuration & policy enforcement
Group Policy is the key deployment mechanism
Strong password enforcement by default
Software restriction policies
Security auditing
Per-user and operation-based auditing
Logon/logoff & account management auditing
Vulnerability assessment & security updates
Windows Update Service
Microsoft Baseline Security Analyzer
Software Update Services
SMS with Feature Pack
Upcoming Security Tools*
Security Configuration Editor (SCE)* (this shipped with Windows Server 2003 SP1 as the Security Configuration Wizard, SCW)
Server role based security configuration
In-the-box server roles
Wizard will allow construction of customized server role security configurations
Lockdown testing to verify the system functions as expected
Microsoft Audit Collection Services (MACS)
Real-time security event collection tool for servers & desktops
Events encrypted, signed, compressed & collected in a SQL database allowing as-needed reporting
Separates administrator and auditor roles
Subscriber API allows intrusion detection applications to get real-time filtered events
Release planned at same time as WS2003 SP1
*Planned for release in H2 2003
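Added example, not from the original deck: a check of the settings the Security Management slide lists (password enforcement, account lockout, logon and account-management auditing, software restriction policies) as they are actually in effect on a host. It exports the effective local security policy with secedit, a stock Windows Server 2003 tool, parses the INF it writes, and compares the values against a baseline. The thresholds are this example's own choices, not the deck's; for reference, the Windows Server 2003 default domain policy sets a 7-character minimum with complexity enabled. The sample INF text is constructed, not a real export.

```powershell
# Added example, not from the original deck. Uses the stock secedit tool; the
# baseline thresholds below are this example's choices.

function ConvertFrom-SeceditInf {
    param([string[]]$Lines)
    # Flattens "[Section]" + "Key = Value" lines into a "Section/Key" -> value table.
    $policy  = @{}
    $section = ''
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($t -match '^([^=;]+?)\s*=\s*(.*)$') {
            $policy["$section/$($Matches[1].Trim())"] = $Matches[2].Trim()
        }
    }
    $policy
}

function Get-LocalSecurityPolicy {
    param([string]$InfPath = (Join-Path $env:TEMP 'secpol.inf'))
    secedit /export /cfg $InfPath /quiet | Out-Null     # effective policy, incl. GPO
    ConvertFrom-SeceditInf (Get-Content $InfPath)
}

function Test-SecurityBaseline {
    param([hashtable]$Policy)
    # Event Audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure
    $checks = @(
        @{ Key = 'System Access/MinimumPasswordLength'; Ok = { [int]$args[0] -ge 7 } },
        @{ Key = 'System Access/PasswordComplexity';    Ok = { $args[0] -eq '1' } },
        @{ Key = 'System Access/LockoutBadCount';       Ok = { [int]$args[0] -ge 1 -and [int]$args[0] -le 10 } },
        @{ Key = 'Event Audit/AuditLogonEvents';        Ok = { $args[0] -eq '3' } },
        @{ Key = 'Event Audit/AuditAccountManage';      Ok = { $args[0] -eq '3' } }
    )
    foreach ($c in $checks) {
        $v = $Policy[$c.Key]
        New-Object PSObject -Property @{
            Setting = $c.Key
            Value   = $v
            Pass    = ($v -ne $null -and [bool](& $c.Ok $v))
        }
    }
}

# Software restriction policy default rule, read from the policy registry key:
# 262144 (0x40000) = Unrestricted, 0 = Disallowed; absent = no SRP applied.
function Get-SrpDefaultLevel {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (Test-Path $key) { (Get-ItemProperty $key).DefaultLevel } else { $null }
}

# Constructed sample in secedit export layout (not a real export); lockout is off,
# so that row should fail while the password and audit rows pass.
$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditAccountManage = 3
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split '\r?\n'

Test-SecurityBaseline (ConvertFrom-SeceditInf $sampleInf) | Format-Table Setting, Value, Pass -AutoSize
# Live on this host:
#   Test-SecurityBaseline (Get-LocalSecurityPolicy) | Format-Table -AutoSize
#   Get-SrpDefaultLevel
```

Because secedit exports the policy that is actually in force (local settings after Group Policy has been applied), running this on a member server is a quick way to confirm that the GPO you deployed through GPMC arrived, which is the same question RSoP answers from the other end.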
Software Update Services (SUS)
Corporate solution for Windows OS critical and security patch management
Supports critical and security (critical and medium) patches and security patch rollups today
SUS server automatically downloads patches from the Microsoft Windows Update service
Target computers can be centrally configured (via Group Policy) to synchronize with either the SUS server or the Windows Update service
Various download and patch application configuration options
[Diagram: an intranet SUS server, fed from the Windows Update service, serving target computers running Automatic Updates (AU) across a geographically distributed enterprise]
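Added example, not from the original deck: verifying the client side of the SUS picture above. Group Policy writes the Automatic Updates configuration to the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (WUServer, WUStatusServer, and under AU: UseWUServer, NoAutoUpdate, AUOptions); the script reads those values from a target, reports whether the client will really synchronize with the intranet SUS server rather than the public site, and lists the hotfixes WMI reports as installed. Assumptions: the Remote Registry service runs on the targets, the account is a local administrator there, server and workstation names are placeholders, and the sample policy record is constructed.

```powershell
# Added example, not from the original deck. Assumes Remote Registry on the targets,
# local admin rights there, and placeholder server/workstation names.

$AuOptionNames = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify before install'
    4 = 'Auto download and schedule install'
    5 = 'Let local admin choose'
}

function Get-AutomaticUpdatesPolicy {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $base = 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $wu   = $hklm.OpenSubKey($base)
    $au   = $hklm.OpenSubKey("$base\AU")
    # Missing keys mean "not configured", which is itself a finding.
    $wuServer = $null; $wuStatus = $null; $useWu = $null; $noAu = $null; $opts = $null
    if ($wu) { $wuServer = $wu.GetValue('WUServer'); $wuStatus = $wu.GetValue('WUStatusServer') }
    if ($au) { $useWu = $au.GetValue('UseWUServer'); $noAu = $au.GetValue('NoAutoUpdate'); $opts = $au.GetValue('AUOptions') }
    $hklm.Close()
    New-Object PSObject -Property @{
        Computer = $ComputerName; WUServer = $wuServer; WUStatusServer = $wuStatus
        UseWUServer = $useWu; NoAutoUpdate = $noAu; AUOptions = $opts
    }
}

function Test-AutomaticUpdatesPolicy {
    param($Policy, [string[]]$ApprovedServers = @('http://sus01.corp.example.com'))
    $problems = @()
    if ($Policy.NoAutoUpdate -eq 1) { $problems += 'Automatic Updates disabled by policy' }
    if ($Policy.UseWUServer -ne 1) {
        # Without UseWUServer=1 the WUServer value is ignored and the client goes to
        # the public Windows Update site, bypassing the approval step on the SUS server.
        $problems += 'Client synchronises with public Windows Update, not the SUS server'
    } elseif ($ApprovedServers -notcontains $Policy.WUServer) {
        $problems += "Unexpected WUServer '$($Policy.WUServer)'"
    }
    $mode = 'not configured'
    if ($Policy.AUOptions -ne $null) {
        if ($AuOptionNames.ContainsKey([int]$Policy.AUOptions)) { $mode = $AuOptionNames[[int]$Policy.AUOptions] }
        else { $problems += "Unknown AUOptions $($Policy.AUOptions)" }
    }
    New-Object PSObject -Property @{
        Computer = $Policy.Computer
        Mode     = $mode
        Problems = ($problems -join '; ')
    }
}

function Get-InstalledHotfixes {
    param([string]$ComputerName = '.')
    Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $ComputerName |
        Select-Object HotFixID, Description, InstalledOn, InstalledBy
}

# Constructed policy record (not read from a real machine): WUServer is set but
# UseWUServer is not, so the client would still use the public site.
$samplePolicy = New-Object PSObject -Property @{
    Computer = 'WKS042'; WUServer = 'http://sus01.corp.example.com'
    WUStatusServer = 'http://sus01.corp.example.com'
    UseWUServer = $null; NoAutoUpdate = 0; AUOptions = 4
}
Test-AutomaticUpdatesPolicy $samplePolicy | Format-List

# Live, against a target:
#   Test-AutomaticUpdatesPolicy (Get-AutomaticUpdatesPolicy 'WKS042')
#   Get-InstalledHotfixes 'WKS042' | Format-Table -AutoSize
```

Comparing Get-InstalledHotfixes output with the list of updates approved on the SUS server is the cheapest way to spot clients that are configured correctly but have silently stopped installing, which is the case the policy check alone cannot see.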
Shadow Copy Backup & Restore
Server side
Administrators can configure point-in-time shadow copies of user data on shared folders
Incremental, block-level copy-on-write snapshots minimize disk space consumption
Client side
Self-service document restore for users (Previous Versions client)
Reduces administrator workload and user frustration & downtime
Caveat: shadow copies complement, not replace, backups; they are lost with the volume that holds them and the oldest copies are discarded when the configured storage limit is reached
Summary of Manageability Enhancements
Usability of management features: AD enhancements, GPMC, server role based management, WMIC
Management automation: RIS, ADS, WMIC, command line utilities, new WMI providers, new GP settings, GP scripting, SFU 3.0
Remote & headless server management: EMS + RIS + Terminal Server enhancements provide full support for remote, headless system management
Built-in manageability for system services: IIS manageability, Server Cluster & Network Load Balancing management, WSRM, monitoring, tracing & diagnostics enhancements
Security management: Security Templates, Software Restriction Policies, Security Configuration Editor, MACS, SUS, Network Quarantine, etc.
Management Capabilities:
WS2003 vs. WinNT 4.0 and Win2K
[Comparison table; the rating marks did not survive extraction. Columns: Windows NT 4.0, Windows 2000 Server, Windows Server 2003. Rows: Directory services; Policy-based management; Overall manageability; Security Management; Update / patch management; Remote & headless server support; Wizard & GUI based administration; Storage and data management; Services management (clusters, IIS, etc.); Managing mixed Unix / Windows environments†]
*Delivered after initial release of Windows 2000
†Available via Microsoft Services for Unix product
More Information at
Windows Server Management page: http://www.microsoft.com/windowsserver2003/technologies/management/default.mspx
Windows Server Management at TechNet: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/management/default.asp
Microsoft Management page: http://www.microsoft.com/management
Microsoft Solutions for Management page: http://www.microsoft.com/solutions/msm
Community Resources
Community website: http://www.microsoft.com/windowsserver2003/community/centers/management/default.asp
Windows Server Management Support: http://support.microsoft.com/default.aspx?scid=fh;EN-US;winsvr2003mgmt
Group Policy Newsgroup: http://www.microsoft.com/windowsserver2003/community/newsgroups/windows_grouppolicy.asp
Software Update Services Newsgroup: http://www.microsoft.com/windowsserver2003/community/newsgroups/softwareupdatesvcs.asp
Windows Server Scripting Newsgroup: http://www.microsoft.com/windowsserver2003/community/newsgroups/windows_server_scripting.asp
Suggested Reading And Resources
The tools you need to put technology to work!
Title: Active Directory® for Microsoft® Windows® Server 2003 Technical Reference (available today)
Visit the Microsoft Press Kiosk today to receive 40% off books purchased from Amazon.com
Microsoft Press books are available at the TechEd Bookstore and also at the Ask the Experts area in the Expo Hall
© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.