ADM350 Windows Server 2003: Management Capabilities
BJ Whalen, Program Manager, Windows Server, Microsoft Corporation

Windows Server 2003 Manageability Focus
- Usability of management features
- Management automation
- Remote & headless server management
- Built-in manageability for system services
- Security management

Agenda
- Directory & policy based management
- Scripting & command line management
- Role based management
- Remote and headless system administration
- Deployment solutions
- Resource management
- Security management
- Backup & Restore
- Summary of manageability enhancements

Active Directory Management Enhancements (Part 1)
- Removed irreversible decisions
  - Domain rename
  - DC rename
  - Schema delete (classes and attributes can be deactivated)
- Deployment improvements
  - Improved replication: delta replication for group membership changes (only the changed members replicate, not the whole membership); 5000-member group limit removed
  - Install replica from media
  - Cross-forest trust
  - Improved topology generator (KCC): support for 5000 sites
  - ADMT improvements: password migration, scripting & command-line interface

Active Directory Management Enhancements (Part 2)
- Operational improvements
  - Universal group membership caching
  - Command-line access to the directory: DSAdd, DSGet, DSMod
  - Quotas on object ownership (limits how many objects a security principal may own in a directory partition)
  - Replication & trust monitoring: RepAdmin
- UI enhancements
  - Multi-object editing
  - Drag & drop
  - Saved queries

Group Policy: Goal: Improve the Admin Experience
(diagram: one administrator action in Active Directory produces many end-user and computer results)
- GPMC: new admin tool for managing Group Policy; ships via the Web
- Resultant Set of Policy (RSoP)
- WMI filters
- Command-line tools: GPUpdate, GPResult
- 32 GPMC sample scripts
- New policy settings; full list across all operating systems at: http://go.microsoft.com/fwlink/?LinkId=15165

Group Policy Management Console
- Improved user interface, based on how customers use Group Policy
- Improved security management
- Integration of RSoP
- HTML and XML reporting of GPOs and RSoP
- New capabilities for rapid deployment of policy: backup/restore, import/copy
- Scriptability: enables customization and automation
- Support for staging
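The backup, reporting and scriptability features listed on the GPMC slide are what the "document all GPOs" and "back up all GPOs" scenarios are built from. The following is an added example, not code from the deck, from Microsoft or from the GPMC sample scripts: it drives the GPMC COM interface (GPMgmt.GPM) from PowerShell to back up every GPO in a domain and write the same HTML report per GPO that the console shows. It assumes GPMC is installed on the host, that the caller can read every GPO and its SYSVOL folder, and that the domain name and backup root are placeholders.

```powershell
# Added example (not from the deck or Microsoft): back up every GPO in a domain
# through the GPMC COM interface and write an HTML report for each, which is what
# the "documenting all GPOs" and "backing up all GPOs" scenarios amount to.
# Assumptions: GPMC is installed on this host, the caller can read every GPO and
# its SYSVOL folder, and the domain name and backup root are placeholders.

param(
    [string]$Domain     = 'corp.example.com',   # assumed domain name
    [string]$BackupRoot = 'C:\GPOBackup'        # assumed backup location
)

$gpm       = New-Object -ComObject 'GPMgmt.GPM'
$constants = $gpm.GetConstants()
$gpmDomain = $gpm.GetDomain($Domain, '', $constants.UseAnyDC)

# Empty search criteria match every GPO in the domain.
$gpos = $gpmDomain.SearchGPOs($gpm.CreateSearchCriteria())

$stamp  = Get-Date -Format 'yyyyMMdd-HHmm'
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

$summary = foreach ($gpo in $gpos) {
    # Backup() copies the AD and SYSVOL halves of the GPO into a GUID-named
    # folder under $target and returns a GPMResult; OverallStatus() throws if
    # any part failed, so one unreadable GPO does not silently vanish.
    $backedUp = $true
    try {
        $result = $gpo.Backup($target, "Scripted backup $stamp")
        $result.OverallStatus()
    } catch {
        $backedUp = $false
        Write-Warning ("Backup failed for '{0}': {1}" -f $gpo.DisplayName, $_)
    }

    # GenerateReportToFile() writes the same HTML report GPMC shows in the UI:
    # settings, links, security filtering and delegation, i.e. the documentation.
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $gpo.GenerateReportToFile($constants.ReportHTML, (Join-Path $target "$safeName.html")) | Out-Null

    New-Object PSObject -Property @{
        Name     = $gpo.DisplayName
        Id       = $gpo.ID
        Modified = $gpo.ModificationTime
        BackedUp = $backedUp
    }
}

$summary | Sort-Object Name | Format-Table Name, Id, Modified, BackedUp -AutoSize
```

Run it on a schedule (for example `.\Backup-AllGpos.ps1 -Domain corp.example.com -BackupRoot D:\GPOBackup`) and keep the dated folders: a GPMC backup is what Import consumes when a GPO is staged from a test domain into production, and it is also the only way to recover a GPO whose settings were changed by someone with edit rights. Two caveats a practitioner will want: a backup captures the GPO's settings and its own ACL, but not the OU links, the WMI filter itself (only the reference) or IPsec policies, so those need separate documentation; and the backup folder reveals the domain's security configuration, so its share and NTFS permissions should be no looser than the GPOs' own.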
Staging workflow: first create the policy in a sandbox test environment, then replicate it to production

New Scenarios with GPMC
- Read-only access to GPOs
- Documenting all GPOs in the domain
- Backing up all GPOs
- Rapidly create and deploy managed configurations
- Planning and troubleshooting
- Staging from test to production

demo: Group Policy Management Console

Section: Scripting & command line management

WMI: What is it
- Uniform management interface for distributed systems management
- Common access and query capabilities, and discovery, via a common data model
- Exposes relationships between the various aspects of management domains
- Universal programmable agent for health monitoring and remote management
- Out-of-the-box management for over 10,000 system objects
- Historically geared toward developers, but that is now changing: with WMIC, WMI becomes accessible to admins

WMI Architecture
(architecture diagram: clients such as a WMI COM client, WSH scripts and the wmic console use the scripting API or COM API, over DCOM for remoting, to reach the WMIC and WMI core services: namespace services, query, security, event subscriptions, schema, the provider subsystem, a publish/subscribe service and the repository; WMI providers are loaded on demand in secure provider hosting and abstract OS services and application APIs: registry, view, performance counters, NT event log, WMI extension for WDM, line-of-business applications, Active Directory and IPC; managed applications and platform services sit underneath)

WMI Enhancements
- New WMI Console (WMIC): command-line and console access to WMI; simplified view of the WMI object model
- New and updated WMI providers: AD replication and trust, server clustering, DFS, Internet Information Services (IIS), Terminal Services, others
- Benefits: WMI is now usable by admins; more of the system is manageable through WMI
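The point of WMIC's "transparent remoting" and its aliases is that one query can be run against a whole fleet and exported in console, CSV or HTML form. The following is an added example, not code from the deck or from Microsoft, written in PowerShell against the same WMI class (Win32_Service) that the WMIC `service` alias maps to; the equivalent WMIC one-liner is in the comment. It finds services that run under a real account rather than a built-in one, i.e. credentials stored in each server's LSA secrets that a local administrator can recover. It assumes the caller is a local administrator on each target (WMI over DCOM runs as the caller), that TCP 135 and the DCOM port range are reachable, and that the server names are placeholders.

```powershell
# Added example (not from the deck or Microsoft): the kind of fleet-wide query
# WMIC's transparent remoting is meant for, written in PowerShell against the
# same WMI class (Win32_Service) that the WMIC "service" alias maps to.
# Assumptions: the caller is a local administrator on each target (WMI/DCOM
# uses the caller's credentials), TCP 135 and the DCOM port range are
# reachable, and the server names below are placeholders.
#
# Equivalent one-liner in the WMIC console that ships with Windows Server 2003
# (reads node names from servers.txt, writes CSV):
#   wmic /node:@servers.txt /output:svc.csv service get Name,StartName,State,PathName /format:csv

function Get-NonBuiltinServiceAccounts {
    param(
        [string[]]$ComputerName = @('SRV01', 'SRV02'),   # assumed server names
        [System.Management.Automation.PSCredential]$Credential = $null
    )

    # These identities have no stored password; anything else is a real
    # credential sitting in the LSA secrets of that server.
    $builtin = @('LocalSystem',
                 'NT AUTHORITY\LocalService', 'NT AUTHORITY\LOCAL SERVICE',
                 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE')

    foreach ($computer in $ComputerName) {
        $wmiParams = @{ Class = 'Win32_Service'; ComputerName = $computer; ErrorAction = 'Stop' }
        if ($Credential) { $wmiParams['Credential'] = $Credential }
        try {
            $services = Get-WmiObject @wmiParams
        } catch {
            # Unreachable or access denied: report it and keep going, so one
            # dead host does not abort the whole inventory.
            Write-Warning "$computer unreachable or access denied: $_"
            continue
        }
        foreach ($svc in $services) {
            if ($svc.StartName -and ($builtin -notcontains $svc.StartName)) {
                New-Object PSObject -Property @{
                    Computer  = $computer
                    Service   = $svc.Name
                    Account   = $svc.StartName
                    State     = $svc.State
                    StartMode = $svc.StartMode
                    Path      = $svc.PathName
                }
            }
        }
    }
}

# The same three output formats WMIC offers, from one result set.
$findings = Get-NonBuiltinServiceAccounts -ComputerName @('SRV01', 'SRV02')
$findings | Format-Table Computer, Service, Account, StartMode -AutoSize
$findings | Export-Csv -NoTypeInformation -Path .\service-accounts.csv
$findings | ConvertTo-Html -Title 'Service accounts' | Out-File .\service-accounts.html
```

Whether the query is typed into wmic or run from a script, it executes with the caller's token on every node, so run it from a dedicated administrative account rather than a domain administrator's session, and treat the CSV as sensitive: a list of which domain accounts run services on which servers is exactly what an attacker needs to choose the next host.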
WMIC Architecture
(diagram: objects are reached either directly by PATH/CLASS or through an alias (friendly name) defined in the alias schema; the WMIC engine sits on top of the WMI providers; output goes through an XML DOM and XSLT transforms into console, HTML, CSV, MOF or customer-defined formats)

WMIC Highlights
- Command-line tool that allows writing basic scripts in cmd.exe
- Available on XP and Server 2003; can manage Windows 2000 computers
- Supports interactive mode: an admin console for WMI
- Easy-to-learn command language: common grammar; progressive help discovery; vocabulary driven by WMI instrumentation and aliases
- Can access any WMI object; simplified access to key WMI objects (80 aliases, 150 methods)
- Transparent remoting
- Multiple output formats: built-in support for console, HTML, CSV, MOF; customer-defined formats (using XSLT)

Command Line Tools
- Command-line execution of common administration tasks; simplifies the top system administration tasks
- Transparent remoting
- 60+ commands, documented in "ntcmds.chm"

Section: Role based system administration

Manage Your Server Roles
- Configure Your Server wizard: wizard-based setup for server roles, either 'Typical' (standard) or 'Specific' roles; can be run multiple times
- Manage Your Server console: central place to find configuration and management tools; server role discovery, removal, and management
- Key benefits: easy to configure, discover, and manage server roles; confidence that server roles are correctly set up; easy to find configuration and management tools and resources

demo: Role-based Server Management

Section: Remote and headless system administration

Remote Management Using Terminal Services
(diagram of remote management scenarios: a Terminal Server client connects over RDP on TCP/IP, for both HelpDesk and IT Pro use)
- HelpDesk: Remote Assistance to view and interact with the remote user's desktop
- IT Pro administration: Remote Desktop for Administration to manage servers remotely; remote access to the console (session 0); "Remote Desktops" MMC snap-in for managing multiple computers from a single interface
- Remote management of Terminal Servers: Group Policy settings (computer and user settings, permissions, etc.); TS WMI provider, a scriptable interface for managing TS settings

Emergency Management Services (EMS)
- What it does: provides 'out-of-band' capabilities to bring a distressed system back to an 'in-band' management state
- Customer scenarios: remote emergency management of Windows computers when traditional methods are not available; headless (no KVM) servers and data centers
- Key OS scenarios: boot, system crash, system setup
- How it works: enables console redirection of the boot loader, text-mode setup and Stop errors (blue screens) over a serial port for headless server support; the Special Administration Console (SAC) provides a limited set of powerful commands to return the system to an 'in-band' state

Section: Deployment solutions

Windows Preinstallation Environment (Windows PE)*
(diagram: target server or desktop, distribution point on a file share)
1) Boot the target with Windows PE
2) Prepare the disk with Diskpart (scriptable)
3) Format the disk with Format (scriptable)
4) Apply an image or run a scripted install from the distribution point
- Minimal-footprint subset of Windows Server 2003/Windows XP
- TCP/IP networking support
- Scriptable disk configuration tools
- Replaces DOS as the preinstallation environment
- Hardware independent, scriptable, customizable
*Windows PE is available to Enterprise Agreement, Select, and Software Assurance customers only

Remote Installation Services (RIS)
(diagram: DHCP server, RIS server and AD serving desktops or servers)
- Automated network install of the OS, or OS + applications
- For bare-metal/full-refresh deployments
- Initiated by PXE or floppy boot
- Scripted or imaged deployments
- Key enhancements:
  - Supports all versions of Windows 2000 & Windows Server 2003, plus Windows XP Pro
  - Fully automated deployment enabled
  - Support for headless server deployment
  - Security: password encryption, secure domain join, etc.
  - HAL filtering for RIPrep

Automated Deployment Services (ADS)*
(architecture diagram: the MMC UI, command-line tools and customer scripts drive the ADS controller through a WMI interface; the controller hosts the Controller Service, Network Boot Service and Image Distribution Service with a database on MSDE or SQL Server; ADS imaging tools produce the images; an ADS Deployment Agent runs on each target server during deployment and an ADS Admin Agent in the post-OS stage)
- Designed for high-bandwidth datacenter environments
- Framework for mass server administration: deployment and scripting
- New flexible Microsoft imaging format and tools
- Initiated by PXE boot
- Multicast, multi-server deployments
- Deploys Windows 2000 and Windows Server 2003 servers
- Key benefits: rapid automated bulk deployment of servers; new powerful, flexible imaging format and tools from Microsoft; deployment and script-based administration of 1000 servers as easily as one
*ADS is provided with the Enterprise and Datacenter Editions of Windows Server 2003

Section: Resource management

Windows System Resource Manager (WSRM)
- What it does: facilitates consolidation of applications onto a single instance of Windows; lets you throttle individual processes based on % CPU, real memory or virtual memory
- How it works: identify the processes to manage; create resource management policies that define caps; apply policies on a date/time schedule; create, store, view and export accounting records
- Availability: WSRM ships with Windows Server 2003 Enterprise and Datacenter Editions

Consolidation with WSRM
- Benefits: facilitates server consolidation where resources are poorly utilized; increases availability of critical applications in mixed-workload scenarios; results in an improved understanding of application resource-utilization behaviour
- Scenarios: one or more important LOB applications alongside other applications or services; managing users on a large Terminal Server system; multiple SQL Server instances; managing resource usage of individual IIS 6 application pools on a server; SQL Server and IIS 6 running on the same machine
(screenshots: impact of resource allocation changes; administration GUI; policy scheduling calendar; accounting reports)

Section: Security management

Security Management
- Security configuration & policy enforcement: Group Policy is the key deployment mechanism; strong password enforcement by default; software restriction policies
- Security auditing: per-user and operation-based auditing; logon/logoff & account management auditing
- Vulnerability assessment & security updates: Windows Update service; Microsoft Baseline Security Analyzer; Software Update Services; SMS with the SUS Feature Pack

Upcoming Security Tools*
- Security Configuration Editor (SCE): server-role-based security configuration; in-the-box server roles; a wizard will allow construction of customized server-role security configurations; lockdown testing to verify the system functions as expected
- Microsoft Audit Collection Services (MACS): real-time security event collection tool for servers & desktops; events are encrypted, signed, compressed and collected in a SQL database, allowing as-needed reporting; separates the administrator and auditor roles; a subscriber API allows intrusion detection applications to get real-time filtered events; release planned at the same time as WS2003 SP1
*Planned for release in H2 2003
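The logon/logoff and account-management auditing on the Security Management slide only produces value if something reads the Security log. The following is an added example, not code from the deck or from Microsoft (MACS, the collection tool the deck announces, is a separate product): two small detections run over Windows Server 2003 security events, a burst of failed logons (event 529) from one workstation, and account-management changes (624 account created, 630 deleted, 632/636 member added to a group) outside a change window. The sample events are constructed for the example, with the replacement-string layout abbreviated; the last lines show how to feed the real log through the same functions.

```powershell
# Added example (not from the deck or Microsoft): the logon/logoff and account
# management auditing the slide enables is only useful if someone reads the
# Security log. Two detections over Windows Server 2003 (pre-Vista) event IDs:
#   - password guessing: many 529 (logon failure) events from one workstation
#   - off-hours account management: 624 created, 630 deleted, 632/636 member added
# Sample events below are constructed for this example; the replacement-string
# layout is abbreviated (consult each event's description for the real order).

$failedLogon       = 529
$accountMgmtEvents = @(624, 630, 632, 636)

# Constructed sample, shaped like Get-EventLog output (TimeGenerated, EventID,
# ReplacementStrings). For 529: [0]=target user, [1]=domain, [2]=logon type,
# [3]=auth package, [4]=workstation.
$sample = @(
    @{ T='2003-06-02 02:10:01'; Id=529; S=@('administrator','CORP','3','NTLM','WS-217') },
    @{ T='2003-06-02 02:10:03'; Id=529; S=@('administrator','CORP','3','NTLM','WS-217') },
    @{ T='2003-06-02 02:10:04'; Id=529; S=@('administrator','CORP','3','NTLM','WS-217') },
    @{ T='2003-06-02 02:10:06'; Id=529; S=@('svc_backup','CORP','3','NTLM','WS-217') },
    @{ T='2003-06-02 02:10:07'; Id=529; S=@('jsmith','CORP','3','NTLM','WS-217') },
    @{ T='2003-06-02 02:10:09'; Id=529; S=@('administrator','CORP','3','NTLM','WS-217') },
    @{ T='2003-06-02 09:15:30'; Id=529; S=@('jsmith','CORP','2','Negotiate','WS-042') },
    @{ T='2003-06-02 03:05:12'; Id=624; S=@('tmpadmin','CORP','S-1-5-21-1-2-3-1105','administrator') },
    @{ T='2003-06-02 03:06:40'; Id=636; S=@('-','S-1-5-21-1-2-3-1105','Administrators','Builtin','S-1-5-32-544','administrator') }
) | ForEach-Object {
    New-Object PSObject -Property @{
        TimeGenerated      = [datetime]$_.T
        EventID            = $_.Id
        ReplacementStrings = $_.S
    }
}

function Find-PasswordGuessing {
    param($Events, [int]$Threshold = 5, [int]$WindowMinutes = 10)
    $failures = $Events | Where-Object { $_.EventID -eq $failedLogon }
    # Group by source workstation: a burst against several accounts from one
    # host is the password-spray shape, many against one account is brute force.
    $failures | Group-Object { $_.ReplacementStrings[4] } | ForEach-Object {
        $times = $_.Group | Sort-Object TimeGenerated
        $span  = ($times[-1].TimeGenerated - $times[0].TimeGenerated).TotalMinutes
        if ($_.Count -ge $Threshold -and $span -le $WindowMinutes) {
            New-Object PSObject -Property @{
                Workstation = $_.Name
                Failures    = $_.Count
                Accounts    = ($_.Group | ForEach-Object { $_.ReplacementStrings[0] } | Sort-Object -Unique) -join ','
                FirstSeen   = $times[0].TimeGenerated
            }
        }
    }
}

function Find-OffHoursAccountChanges {
    param($Events, [int]$StartHour = 8, [int]$EndHour = 18)
    $Events |
        Where-Object { $accountMgmtEvents -contains $_.EventID } |
        Where-Object { $_.TimeGenerated.Hour -lt $StartHour -or $_.TimeGenerated.Hour -ge $EndHour } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time    = $_.TimeGenerated
                EventID = $_.EventID
                Details = ($_.ReplacementStrings -join ' | ')
            }
        }
}

# Over the constructed sample: WS-217 is flagged (6 failures in 8 seconds across
# administrator, jsmith and svc_backup), WS-042 is not; the 03:05 account
# creation and 03:06 Administrators membership change are both off-hours.
Find-PasswordGuessing -Events $sample | Format-Table Workstation, Failures, Accounts, FirstSeen -AutoSize
Find-OffHoursAccountChanges -Events $sample | Format-Table Time, EventID, Details -AutoSize

# Against the real log (needs the right to read the Security log):
#   $events = Get-EventLog -LogName Security -After (Get-Date).AddHours(-24)
#   Find-PasswordGuessing -Events $events
```

Two checks before trusting the output: these IDs only appear if "Audit logon events" and "Audit account management" are enabled for failure and success through Group Policy, and on a domain controller a failed logon to a domain account is recorded as an account-logon event (675 for a Kerberos pre-authentication failure, 681 for NTLM) rather than 529, so the ID list has to be extended for DCs.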
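The "vulnerability assessment & security updates" bullet relies on every machine actually being pointed at the intranet SUS server by Group Policy. The following is an added example, not code from the deck or from Microsoft: it reads the Automatic Updates policy values that the "Specify intranet Microsoft update service location" and "Configure Automatic Updates" settings write under HKLM\SOFTWARE\Policies, over the Remote Registry service, and reports machines that are unmanaged, pointed at an unexpected server, or have updates switched off. It assumes the Remote Registry service is running on each target, that the caller can read HKLM there, and that the expected URL and server names are placeholders.

```powershell
# Added example (not from the deck or Microsoft): verify that servers are really
# pointed at the intranet SUS server by the Group Policy the slide describes, by
# reading the Automatic Updates policy values over the Remote Registry service.
# Assumptions: the Remote Registry service runs on each target, the caller can
# read HKLM there, and the expected URL and server names are placeholders.

function Test-AutoUpdatePolicy {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string]$ExpectedServer = 'http://sus01.corp.example.com'   # assumed SUS URL
    )
    # Values written by the "Specify intranet Microsoft update service location"
    # and "Configure Automatic Updates" policy settings.
    $policyKey = 'SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey     = "$policyKey\AU"
    $auOptions = @{ 1 = 'disabled'; 2 = 'notify before download';
                    3 = 'auto download, notify to install';
                    4 = 'auto download and schedule install';
                    5 = 'allow local admin to choose' }

    foreach ($computer in $ComputerName) {
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
        } catch {
            Write-Warning "${computer}: cannot open remote registry: $_"
            continue
        }
        $wu = $hklm.OpenSubKey($policyKey)
        $au = $hklm.OpenSubKey($auKey)

        $server    = if ($wu) { $wu.GetValue('WUServer') }     else { $null }
        $useServer = if ($au) { $au.GetValue('UseWUServer') }  else { $null }
        $option    = if ($au) { $au.GetValue('AUOptions') }    else { $null }
        $noAuto    = if ($au) { $au.GetValue('NoAutoUpdate') } else { $null }
        if ($wu) { $wu.Close() }
        if ($au) { $au.Close() }
        $hklm.Close()

        # Findings that matter: no policy at all (the client goes to Windows
        # Update directly, or nowhere), the wrong server (someone else decides
        # what this machine installs), or Automatic Updates switched off.
        $problems = @()
        if (-not $server)                    { $problems += 'no intranet server set (WUServer missing)' }
        elseif ($server -ne $ExpectedServer) { $problems += "unexpected server $server" }
        if ($useServer -ne 1)                { $problems += 'UseWUServer is not 1, so WUServer is ignored' }
        if ($noAuto -eq 1)                   { $problems += 'NoAutoUpdate=1, Automatic Updates disabled' }
        if (-not $option)                    { $problems += 'AUOptions not set' }

        $optionText = if ($option) { "$option ($($auOptions[[int]$option]))" } else { $null }

        New-Object PSObject -Property @{
            Computer  = $computer
            WUServer  = $server
            AUOptions = $optionText
            Compliant = ($problems.Count -eq 0)
            Problems  = ($problems -join '; ')
        }
    }
}

Test-AutoUpdatePolicy -ComputerName @('SRV01', 'SRV02') -ExpectedServer 'http://sus01.corp.example.com' |
    Format-Table Computer, Compliant, WUServer, AUOptions, Problems -AutoSize
```

A machine that reports compliant here has the right policy, not necessarily the right patches; pair this with the MBSA scan the slide lists to see what is actually installed. Note also that `WUServer` is ignored unless `UseWUServer` is 1, which is the most common reason a SUS rollout silently leaves clients talking to the public Windows Update service.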
Software Update Services (SUS)
(diagram: the Microsoft Windows Update service on the Internet feeds an intranet SUS server, which feeds target computers running Automatic Updates (AU) across a geographically distributed enterprise)
- Corporate solution for Windows OS critical and security patch management
- Supports critical and security (critical and medium severity) patches and security patch rollups today
- The SUS server automatically downloads patches from the Windows Update service
- Target computers can be centrally configured (via Group Policy) to synchronize with either the SUS server or the Windows Update service
- Various download and patch-application configuration options

Section: Backup & Restore

Shadow Copy Backup & Restore
(diagram: server side and client side)
- Administrators can configure point-in-time copies of user data
- Incremental copies minimize disk space consumption
- Self-service document restore for users
- Reduces administrator workload, user frustration and downtime

Section: Summary of manageability enhancements

Summary of Manageability Enhancements
- Usability of management features: AD enhancements, GPMC, server-role-based management, WMIC
- Management automation: RIS, ADS, WMIC, command-line utilities, new WMI providers, new GP settings, GP scripting, SFU 3.0
- Remote & headless server management: EMS, RIS and Terminal Server enhancements provide full support for remote, headless system management
- Built-in manageability for system services: IIS manageability, Server Cluster & Network Load Balancing management, WSRM, monitoring, tracing & diagnostics enhancements
- Security management: security templates, software restriction policies, Security Configuration Editor, MACS, SUS, Network Quarantine, etc.

Management Capabilities: WS2003 vs. WinNT 4.0 and Win2K
(comparison table; the per-version ratings in the original are graphics and are not reproduced here)
Columns: Area | Windows NT 4.0 | Windows 2000 Server | Windows Server 2003
Rows:
- Directory services
- Policy-based management *
- Overall manageability
- Security management
- Update / patch management
- Remote & headless server support
- Wizard & GUI based administration
- Storage and data management
- Services management (clusters, IIS, etc.) *
- Managing mixed Unix / Windows environments †
*Delivered after the initial release of Windows 2000
†Available via the Microsoft Services for Unix product

More Information
- Windows Server Management page: http://www.microsoft.com/windowsserver2003/technologies/management/default.mspx
- Windows Server Management at TechNet: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/management/default.asp
- Microsoft Management page: http://www.microsoft.com/management
- Microsoft Solutions for Management page: http://www.microsoft.com/solutions/msm

Community Resources
- Community website: http://www.microsoft.com/windowsserver2003/community/centers/management/default.asp
- Windows Server Management Support: http://support.microsoft.com/default.aspx?scid=fh;EN-US;winsvr2003mgmt
- Group Policy newsgroup: http://www.microsoft.com/windowsserver2003/community/newsgroups/windows_grouppolicy.asp
- Software Update Services newsgroup: http://www.microsoft.com/windowsserver2003/community/newsgroups/softwareupdatesvcs.asp
- Windows Server Scripting newsgroup: http://www.microsoft.com/windowsserver2003/community/newsgroups/windows_server_scripting.asp

Suggested Reading and Resources
- Active Directory for Microsoft Windows Server 2003 Technical Reference (Microsoft Press; available today)
- Visit the Microsoft Press Kiosk today to receive 40% off books purchased from Amazon.com; Microsoft Press books are available at the TechEd Bookstore and at the Ask the Experts area in the Expo Hall

© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.