Exploring 2000 - Red tape
(May 1999)
Bob Walder looks at administration and management.

This article is based on NT 5.0, Beta 2.

Administrators today are faced with a number of challenges when it comes to managing their networks. Technology gets more and more complex, and a wide range of management interfaces does nothing to help lower the cost of ownership. Different users have different needs, both in terms of the applications they use and the amount of control they expect the administrator to exercise. Each application must be made available to the appropriate users and kept away from others, and most users are getting wise to the concept of quality of service. This means that the administrator is expected to provide a reasonably constant performance level and degree of up-time across the network – not always an easy task. In addition, each user has a very different set of needs. The power user is capable of taking care of himself and would prefer little or no administrative oversight or control. The novice, or purely task-based worker, on the other hand, needs his desktop locked down reasonably tightly to prevent ‘wandering’ around the network and the accidental damage to data or application files that can result.

Management infrastructure components

Microsoft is looking to provide a set of management services with Windows 2000. Specifically, the components that make up the management infrastructure are:

Directory Services
– a standards-based collection of resource information that centralises the information gathering tasks of the administrator (already covered in the Active Directory feature).

Management Presentation Services
– a collection of facilities including the Microsoft Management Console (MMC) that delivers a consistent interface for all management operations.

Instrumentation Services
– a standards-based range of low-level data gathering facilities that surfaces the management information that the administrator needs.

Scripting Services
– support for the execution of scripts from within the operating system, allowing administrators easier automation of processes in their favourite scripting language.

Group Policy Services
– inheriting capabilities from the Active Directory to deliver a set of services to allow administrators to associate particular configurations with particular groups of users.

Microsoft Management Console

The key management infrastructure technology developed to offer a consistent presentation of management information is the MMC (Microsoft Management Console). In its bare form the MMC provides no management facilities itself; it provides a framework for individual management modules called "snap-ins", which can be supplied either by Microsoft or by Independent Software Vendors (ISVs). A huge number of snap-ins are provided as part of Windows 2000 out of the box, and whenever you see a utility such as "Active Directory Sites and Services" you are basically running the MMC with the Sites and Services snap-in loaded. In future, when you add new third-party products – such as backup – you should expect them to be managed via the MMC.

From the Console menu of the MMC, however, you can add extra snap-ins, effectively allowing you to build your own custom management interface. For instance, if you regularly find yourself administering DNS and DHCP in the same session, rather than switch constantly between two separate utilities, you can add the two snap-ins to a new console of your own and save it to the desktop. Another advantage is that an administrator can create custom management tools and distribute them to lower-level administrators for specific task delegation. One caveat: a console saved in user mode limits what the recipient sees, not what he can do. The rights a junior administrator actually has come from the permissions delegated on the directory objects and servers themselves, so the console is a convenience, not a security boundary. All of this is designed to streamline the administration process and lower the cost of ownership.

Although the MMC provides a common framework for the management of various network components, the plethora of different instrumentation processes for all the different devices used on a network makes it very difficult for these to be managed from a single place. Windows 2000 supports the Desktop Management Task Force (DMTF) Web-Based Enterprise Management (WBEM) standards initiative through built-in technology known as Windows Management Instrumentation (WMI).

Common Information Model

WMI works at a low level, interacting with the devices on a network to gather all the instrumentation data and present it in a single, WBEM-compliant, unified schema known as the Common Information Model (CIM). At the kernel level, WMI manages device drivers and collects data from the 32-bit Windows environment, the Registry, the Performance Monitor, and SNMP and DMI sources. This is brought together in the CIM schema and provides a single point of reference for all management tools operating at the user level. The various tools in use by the administrator can thus collect all their data from CIM rather than make many different proprietary calls into the operating system environment. Of course, the management tools in question need to be written specifically to use the CIM interface, but this will surely happen as Windows 2000 is deployed and the Microsoft marketing machine shifts into top gear. In the mean time, SMS 2.0 is the first application to collect detailed information using this method. Note that the same interface serves anyone with rights to the namespace, including remote callers over DCOM, so the permissions on WMI namespaces become part of the security configuration of the machine rather than an afterthought.

Windows Scripting Host

Another way to streamline the administrative process is to automate tasks by using scripts. We are all familiar with the DOS batch file, and some people have produced some impressive – if not particularly elegant – menu and command structures based around them. This process has been updated for the Windows 2000 platform, with Windows Scripting Host (WSH) providing a language-independent host for ActiveX scripting engines on 32-bit Windows platforms. It allows scripts to be written in VBScript or JScript, and it is expected that third parties will provide additional scripting engines for other languages such as Perl, Tcl, REXX, and so on. The resulting scripts can be run either directly on the desktop or from the command prompt.

WSH comes as two hosts: wscript.exe, which runs a script from the desktop and reports through dialog boxes, and cscript.exe, which runs it from the command prompt and writes to the console. Both expose the same built-in objects (WScript, WshShell and WshNetwork), and administrators can use these, together with any ActiveX component that exposes an Automation interface, to perform various administrative tasks on the Windows platform. Automation can be provided by defining a scripted action to be taken when one or more events occur or, in more complex situations, when a number of events arrive over time in a specific sequence. Bear in mind that a script runs with the full rights of whoever launches it, so scripts run by administrators deserve the same care as any other administrative tool.
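As an added example (not from this article, and not Microsoft's code), the following WSH script in VBScript pulls the kind of data the two preceding sections describe out of the CIM repository through WMI, rather than through SNMP or the Service Control Manager directly, and does so with plain WQL queries. It assumes the winmgmts: moniker and the Win32_Service and Win32_NTLogEvent classes as they ship in the released Windows 2000 WMI (Beta 2 may differ), and it assumes that event 529 is the "unknown user name or bad password" logon failure of NT 4.0 and Windows 2000; the script name inventory.vbs is arbitrary.

```vbscript
' Added example, not from the article: read management data through WMI/CIM.
' Run as:  cscript //nologo inventory.vbs [computername]
' Assumes the released Windows 2000 class names (Beta 2 may differ).
Option Explicit

Dim strComputer, objArgs
Set objArgs = WScript.Arguments
If objArgs.Count > 0 Then
    strComputer = objArgs(0)
Else
    strComputer = "."            ' "." is the local machine
End If

' Connect to the CIM repository. impersonate runs the queries as the caller;
' the (Security) privilege is required to read the Security event log.
Dim objWMI
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" _
    & strComputer & "\root\cimv2")

' 1. Services set to start automatically that are not running: an availability
'    check that needs no knowledge of the Service Control Manager's own API.
Dim colServices, objService
Set colServices = objWMI.ExecQuery( _
    "SELECT Name, DisplayName, State, StartMode FROM Win32_Service " & _
    "WHERE StartMode = 'Auto' AND State <> 'Running'")
WScript.Echo "Auto-start services not running on " & strComputer & ":"
For Each objService In colServices
    WScript.Echo "  " & objService.Name & " (" & objService.DisplayName & "): " & objService.State
Next

' 2. Services running under an account other than LocalSystem. Each such
'    account has a password stored on the machine, so they are worth a look.
Set colServices = objWMI.ExecQuery( _
    "SELECT Name, StartName FROM Win32_Service WHERE StartName <> 'LocalSystem'")
WScript.Echo "Services not running as LocalSystem:"
For Each objService In colServices
    WScript.Echo "  " & objService.Name & " runs as " & objService.StartName
Next

' 3. Failed logons from the Security log. Event 529 (assumption: NT 4.0/2000
'    numbering) is 'Logon Failure: Unknown user name or bad password'. The log
'    only contains these if 'Audit logon events: Failure' is switched on.
Dim colEvents, objEvent, intCount
Set colEvents = objWMI.ExecQuery( _
    "SELECT TimeGenerated, User, Message FROM Win32_NTLogEvent " & _
    "WHERE Logfile = 'Security' AND EventCode = 529")
intCount = 0
For Each objEvent In colEvents
    intCount = intCount + 1
    If intCount <= 10 Then
        ' TimeGenerated is a CIM datetime string (yyyymmddHHMMSS.ffffff+zzz)
        WScript.Echo "  " & objEvent.TimeGenerated & " " & objEvent.Message
    End If
Next
WScript.Echo "Failed logons (event 529) in Security log: " & intCount
```

Run it with cscript rather than wscript: under wscript every WScript.Echo becomes a separate dialog box. Pointing it at a remote machine name works only if the caller has DCOM access to that machine and read rights on its root\cimv2 namespace, which is exactly the permission set mentioned above.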

Group Policy Services

A feature later in this series will cover some of the mobile facilities introduced with Windows 2000, coupled with the necessary change and configuration management tools designed to ensure that applications, data and desktop configurations follow users around the network (and beyond). In order to support these advanced capabilities, however, it has been necessary to include a number of Group Policy Services in Windows 2000. Policies are managed by using the ubiquitous Group Policy Editor snap-in for the MMC. This covers similar ground to the System Policy Editor available under NT4 and Windows 9x, though extended somewhat and brought within the folds of the MMC.

Group Policy settings can be created for various aspects relating to a computer or user. For example, Policies can be created to mandate registry settings on the desktop, including operating system components and applications. Scripts can be created that will run at computer start-up, shut-down, logon and logoff. Security settings can be applied for local computer, domain and network, and software installation options can be specified that will determine which applications are available to users for installation, and which will be installed on their desktop by default. Via the Application Deployment Editor, for instance, administrators can install, assign, publish, update, repair and remove software for groups of users and computers. This allows all software distribution to be controlled from a single central point if required.

Applications can be assigned to users – which means the user has no choice as to whether or not it is installed – or published. Published applications are offered to the user, who can then "subscribe" to them, at which point they are installed automatically. Each time an application is updated, the update is carried out once centrally and then pushed to all computers and users who have subscribed to it. If an administrator wishes to remove an application, this too can be done centrally, and it will be deleted from all computers at the earliest opportunity. This one feature alone has the capability of saving hundreds or thousands of man hours for the Windows 2000 administrator.

Security Settings

Finally, the Security Settings extension of the Group Policy Editor allows the administrator to define security configurations in areas such as account policies (password, lockout and Kerberos policies), local policies (audit and user rights), event log, restricted groups, system services, the registry and the file system. The extension has been designed to complement existing system security tools such as the Access Control List (ACL) Editor, Local User Manager and Server Manager rather than replace them: it defines an engine that interprets a standard security configuration, held in a security template, and performs the required operations automatically in the background. The same engine sits behind the Security Configuration and Analysis snap-in and the secedit command-line tool, which compare a machine against a template and apply it. Administrators can thus continue to use existing tools to change individual security settings wherever necessary, though any setting a template mandates will be reasserted when policy is next refreshed.
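The security templates the Security Settings extension consumes are plain .inf files, so the "standard security configuration" it interprets can be kept under version control and checked against a machine from the command line. The template below is an added example for a member workstation, not one shipped with Windows 2000 or written by the author; the values are illustrative choices, and it assumes the section and key names of the released product's template format and the secedit switches of the release build, both of which may differ in Beta 2.

```ini
; Added example, not from the article: a security template in the .inf
; format read by the Security Settings extension. Compare a machine against
; it (database, log and template names are arbitrary) with
;   secedit /analyze /db baseline.sdb /cfg baseline.inf /log baseline.log
; and apply it with  secedit /configure  using the same switches.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Account policy. Ages are in days, lockout times in minutes; 0 disables.
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 12
MaximumPasswordAge = 42
MinimumPasswordAge = 1
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30

; Audit policy: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
; Failure auditing of logon events is what makes event 529 appear at all.
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditSystemEvents = 3

; Event log: size in KB; retention 0 = overwrite as needed; keep guests out.
[Security Log]
MaximumLogSize = 10240
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1

; User rights: an empty list grants the right to nobody.
; S-1-5-32-544 is the built-in Administrators group, S-1-5-32-546 is Guests.
[Privilege Rights]
SeTcbPrivilege =
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-32-546

; Registry values: path=type,data  (4 = REG_DWORD).
; RestrictAnonymous=1 blocks anonymous enumeration of accounts and shares;
; LmCompatibilityLevel=2 sends NTLM only, never the weaker LM response.
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2

; Restricted groups: S-1-5-32-547 is Power Users. Two empty lists make the
; engine remove every member each time the policy is applied.
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members =
```

The analysis pass writes mismatches to the log without changing anything, which makes it a cheap way to detect drift on machines that are not yet under Group Policy; the same template imported into the Security Settings extension of a GPO becomes enforced rather than merely reported.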

All of these settings are stored in a Group Policy Object (GPO) which is, in turn, linked to selected directory objects within Active Directory, such as sites, domains or Organisational Units. This allows the administrator to take a broad-brush or granular approach to policy application. Where several GPOs apply to a user or computer they are processed in the order local computer, site, domain, then OU, and for any setting defined in more than one of them the last one processed wins, so security settings meant to hold everywhere belong in a domain-level GPO that lower levels are not permitted to override. Most of the features covered here are evolutions of technology already available in NT 4.0, either directly, via Service Packs, or via more recent add-ons such as the NT 4.0 Option Pack. However, they have been brought together, tidied up and integrated more completely to provide an excellent management infrastructure for the Windows 2000 platform.