The management infrastructure provides the tools and capabilities to manage all aspects of the network operating system. With the focus on reducing total cost of ownership in many information technology environments, a comprehensive, easy-to-use solution is essential when making a network operating system choice. Features that should be included in any management infrastructure include the following:
Management Presentation Services, which includes easy-to-use, consistent graphical administration tools for all operating system services, user interface customization features, and an extensible API set for the addition of enhancements and new capabilities.
Management Instrumentation Services to monitor the ongoing operations of the network operating system. All implementations should include full SNMP support and an implementation of the Desktop Management Task Force’s Web-Based Enterprise Management (WBEM) specifications.
Management Scripting Services, which should include a comprehensive, multi-language scripting model in which administration scripts can be easily authored and then executed in batch or from customized management interfaces.
Group Policy Services to manage the experience for clients of the network operating system. All implementations should provide a policy editor in which an administrator can set and deploy user access policies across the network; a security configuration editor in which security policies can be set and globally enforced to restrict access to various aspects of the network operating system and its clients; and application deployment services to centrally install applications across the network and provide self-configuration and healing capabilities once packages are installed on client workstations.
Solaris 7 Implementation Details
Management services aren’t a strength of the Solaris operating system. The power of Solaris is often tied to the command-line, which is where most management utilities are executed. Solaris has an extensive set of command-line utilities for managing local and remote systems—and remote systems management is particularly strong from the command line. Unfortunately, command-line utilities are arcane. They’re often more complex than the graphical counterparts and often require considerable expertise for proper usage.
Management Presentation Services
Management presentation is handled via the Solaris Management Console 1.0. The SMC is used to view applications and servers, and to start administration tools. There are two views possible: Application View and Server View. The Application View shows the applications that are installed in the SMC and can be launched from this point. Server View shows all servers that are running the SMC application, their status and available applications. You can launch any of the visible applications on a selected server. There are few points of comparison between the Solaris Management Console and the Microsoft Management Console. There is no commonality of interface between the applications launched from the SMC (in fact, they are just the applications that would be launched from the command line or the AdminSuite), nor can the user create custom views of the available tools, short of reconfiguring the entire SMC.
Still, all Solaris administration tools can be integrated into and run from the SMC. The SMC supports single login and enterprise-wide authentication. This allows administrators to manage applications, servers and services without having to provide passwords each time. SMC also supports HTTPS and SSL for secure communications with remote systems.
Solaris Administration wizards can also be run from the SMC. Solaris 7 ships with six wizards, including:
Change Root Password.
Default Router Modification.
DNS Client Configuration.
DNS Server Configuration.
Network Connection Configuration.
Management Instrumentation Services
Solaris 7 provides solid support for the Simple Network Management Protocol (SNMP) for certain key services. In particular, the dsnmpserv and dsnmprad agents make it possible to obtain management statistics for Sun Directory Services. Solaris 7 also provides full support for the Web Based Enterprise Management (WBEM) specification set forth by the Desktop Management Task Force (DMTF). WBEM uses technologies like the Common Information Model (CIM) and Extensible Markup Language (XML) to manage servers and the operating system.
Sun’s implementation of WBEM, called Solaris WBEM Services, is Java-based and supports the CIM schema and the Desktop Management Interface (DMI). Sun also provides an SDK for WBEM, the Sun WBEM SDK. Together these products provide a fairly complete set of tools for developing management applications; both the client APIs and the provider APIs for creating management applications are part of the WBEM SDK.
Management applications use the Solaris WBEM providers to exchange information between the operating system and the CIM Object Manager, which also provides event handling for managed objects. These managed objects are described through the Solaris Schema and placed in the CIM repository using the Managed Object Format (MOF) compiler.
Solaris WBEM Services support HTTP and LDAP as their communications protocols. Sun WBEM also supports SNMP, making it a solid management instrumentation offering.
Group Policy Services
A function similar to group policies can be approximated in Solaris 7 by creating specific user realms, with security and access policies tied to user membership in those realms.
Windows NT Server 4.0 Implementation Details
Management services in Windows NT Server 4.0 are very strong, yet Windows NT is often perceived as not having strong remote management capabilities. This perception is often the result of users having familiarity with early versions of Windows NT Server and not with the latest version. In Service Pack 4 and later, Windows NT Server supports the Microsoft Management Console for GUI-based administration, an extended command shell and the Windows Script Host—each of which can be an extremely powerful tool for managing local and remote systems.
Management Presentation Services
Windows NT Server 4.0 provides an extremely rich set of graphical management tools as its management presentation services implementation. The key system management tools included with Windows NT Server 4.0 are the following:
Disk Administrator, which is used to manage storage devices on the Windows NT Server 4.0 platform. With it, drive letters can be assigned, partitions created and deleted, and stripe sets and volumes managed.
Control Panel, which provides management of system services, network configuration settings, printers, and hardware configuration settings.
Event Viewer, which is used to monitor the system’s event logs to facilitate an administrator tracking activity on the system.
User Manager, which can be used to manage user and group accounts as well as system policies.
Performance Monitor, which is used to monitor performance graphically in real-time and signal an alert when user-defined performance thresholds are met or exceeded.
Additionally, the next-generation Microsoft Management Console (MMC) technology has been ported to the Windows NT Server 4.0 platform. MMC is available with the Windows NT Option Pack, Microsoft SQL Server 7.0, and selected components in the Windows NT Server 4.0 Service Pack 4. It provides a next-generation, standardized graphical user interface to manage system services. On the Windows NT Server 4.0 platform, many core services can now be managed via MMC including the following:
Internet Information Server 4.0
Transaction Server 2.0
Index Server 2.0
SQL Server 7.0
For more details regarding the technical implementation of MMC, please see the Management Presentation Services module under the Windows 2000 Server Implementation Details in this section of this document.
Management Instrumentation Services
Out of the box, Windows NT Server 4.0 provides integrated support for SNMP. This allows any SNMP standardized management package to connect with and track the ongoing performance of systems running Windows NT Server 4.0.
Additionally, with the debut of Service Pack 4 for Windows NT Server 4.0, full support for the WBEM specification is provided through Windows Management Instrumentation (WMI). For details on WMI, please reference the Management Instrumentation Services module under the Windows 2000 Server Implementation Details in this section of this document.
Management Scripting Services
A full management scripting implementation is provided on the Windows NT Server 4.0 platform with the debut of the Windows Script Host (WSH) in the Windows NT Option Pack. The WSH implementation on Windows NT Server 4.0 is essentially identical to the WSH functionality included in Windows 2000 Server. For specific technical details regarding the WSH implementation, please reference the Management Scripting Services module under the Windows 2000 Server Implementation Details in this section of this document.
Windows NT Server 4.0 with Service Pack 4 or later also supports an extended command shell. The command shell provides the tools needed to manage local and remote systems, such as AT for creating scheduled jobs, NTBACKUP for creating backups, and the NET commands for managing user accounts, groups, services and systems. The shell’s batch language supports variables, control flow, conditional statements, procedures and more, making it possible to script most routine administrative tasks. For more complex tasks, or to gain the benefits of a full-blown scripting language, Windows Script Host provides a full-featured alternative.
Group Policy Services
Windows NT Server 4.0, especially with the enhancements in Service Pack 4, provides rudimentary Group Policy management capabilities as part of the operating system. The solution is composed of the following elements:
System Policy Editor, included with the core Windows NT Server 4.0 product. It allows administrators to centrally define user and computer settings for Windows NT-based clients. Using System Policy Editor, administrators can create system policies to control user work environment and actions, and to enforce system configuration settings for all computers running Windows NT on the network.
Security Configuration Editor, as found in Windows 2000 Server, has been ported to the Windows NT Server 4.0 platform and released as part of the freely available Service Pack 4 update. It allows system administrators to consolidate all security related system settings into a single configuration file. These security settings may then be applied to any number of Windows NT-based machines. For more information regarding the technical details of the Security Configuration Editor implementation, please see the paragraph describing the Security Configuration Editor in the Group Policy Services module under the Windows 2000 Server Implementation Details in this section of this document.
Windows 2000 Server Implementation Details
Windows 2000 supports and extends the management services found in Windows NT. The operating system has a tightly integrated management service framework and strong support for remote management.
Management Presentation Services
The MMC is an ISV-extensible, common console framework for management applications on the Windows platform. MMC was expressly developed to provide a consistent, easy-to-use presentation of management information to system administrators in an effort to lower administrative overhead and total cost of ownership (TCO).
The console itself is a Windows-based multiple document interface (MDI) application that heavily utilizes Internet technologies. The MMC does not provide any management behavior, but it provides a common environment for snap-ins, which are written both by Microsoft and independent software vendors. The snap-ins themselves provide the actual management functionality.
The MMC interfaces permit snap-ins to integrate with the console, and they deal only with user interface extension; the author of each snap-in determines its functionality. What snap-ins share with the console is a common hosting environment and cross-application integration. The development framework for building MMC-based applications is provided as part of the Windows Software Development Kit (SDK) and is available for general use.
Administrators can create custom management consoles by combining various snap-ins and then saving the console for later use or sharing with other administrators. This model provides the administrator with efficient tool customization and the ability to create multiple tools of different levels of complexity for task delegation, among other benefits. Administrators can define the configuration of snap-ins to manage a particular problem, save the configuration as a compound file, and then send it to others as the de facto environment in which to manage the scenario at hand.
Although MMC was introduced on Windows NT Server 4.0, the implementation in Windows 2000 Server includes numerous snap-ins for common management tasks. Some examples of MMC snap-ins are:
Computer Management snap-in is an administrator’s computer configuration tool. It is designed to work with a single computer, and all of its features can be used from a remote computer, allowing an administrator to troubleshoot and configure a computer from any location on the same network. It provides access to the base Windows 2000 Server tools (viewing events, creating shares, managing devices, and so forth), but also dynamically discovers what server services and applications there are to administer.
Disk Management snap-in is a graphical tool for managing disks that replaces the Disk Administrator from prior versions of Windows NT. It supports partitions, logical drives, and the new dynamic volumes. It contains shortcut menus and wizards to simplify creating volumes as well as initializing and upgrading disks. All changes are dynamic and can be implemented without rebooting the system or interrupting users.
System Service Management snap-in allows administrators to stop, start, pause, and resume services on local and remote computers, replacing the Service Control Panel application from previous versions of Windows NT. Service monitoring support is also provided to allow Windows 2000 Server to automatically restart the service, run a script or .exe, or reboot the server in the event that a mission-critical service fails.
Device Manager and Hardware Wizard provides a snap-in that allows administrators to configure devices and resources on the system. Adding new hardware, changing device properties, unplugging or ejecting devices, and resolving hardware conflicts can all be easily accomplished within this module.
Management Instrumentation Services
Windows 2000 Server supports the Desktop Management Task Force (DMTF) Web-Based Enterprise Management (WBEM) through built-in technology known as the Windows Management Instrumentation. This provides a unifying mechanism for accessing and associating information from many management sources.
WMI in Windows 2000 Server has both a kernel-mode and a user-mode component. WMI unifies management instrumentation from many diverse sources into a single model and expresses the information using a WBEM-compliant data schema known as the Common Information Model (CIM). Via CIM, WMI allows the management applications used by an administrator to access and control all managed devices, drivers, services, and applications in a single, consistent way. At the kernel level, WMI is also used to manage drivers written to the Windows Driver Model (WDM). Providers also exist to collect data from the Win32 environment, the Registry, the Performance Monitor counters, and SNMP and DMI agents. All of this data is consolidated within WMI and then presented via CIM.
Via WMI, Windows-based management applications can use COM/DCOM interfaces to access, monitor, and control devices and applications, either as discrete elements or as independent components within the enterprise. These interfaces are accessible to programs and scripts, either directly through WMI’s own API set or through ODBC, OLE DB, and ADSI. From non-Windows environments, access to the schema is also available via popular Web-based technologies such as XML, HTML, and ASP.
CIM has become widely supported by third-party vendors as a means of gathering management information via WMI. Microsoft Systems Management Server 2.0 in conjunction with third-party solutions from major players such as BMC Software, Compuware Corporation, Computer Associates International, Hewlett-Packard, and Tivoli Systems have all announced support for CIM on Windows 2000 Server.
As with Windows NT Server 4.0, a Simple Network Management Protocol (SNMP) monitoring agent is also included, allowing any standardized SNMP management package to monitor machines running Windows 2000 Server.
Management Scripting Services
Windows 2000 Server provides a set of management scripting services in the form of the Windows Script Host (WSH) to automate complex management tasks. This provides several benefits, such as automated responses when administrators are unavailable.
WSH is a language-independent scripting host for ActiveX scripting engines on 32-bit Windows platforms. It allows scripts to be run directly from the desktop or from the command prompt. Both Microsoft VBScript and Microsoft JScript are supported as scripting languages as part of the Windows 2000 operating system. A Perl engine is available with the Services for UNIX add-on pack, and third parties can provide ActiveX scripting engines for other popular languages such as Tcl, REXX, and Python.
WSH exposes two kinds of interfaces to a script: the object model provided by WSH itself, and any ActiveX components that expose Automation interfaces. Administrators can use either to perform administrative tasks against the operating system.
Automation can be achieved by defining a scripted action that runs when one or more events occur, with the script acting on controllable applications either directly via ActiveX Automation or indirectly via CIM. In more complex situations, an action may be triggered by events arriving over time in a specific sequence.
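As an added example (not part of the original document, and not a Microsoft sample), the following WSH script uses the WMI scripting interface described above to audit a Windows 2000 host from the command line. The three checks, the host name in the usage line, and the report format are illustrative choices; WMI’s DCOM transport means the caller needs administrative rights on a remote target.

```vbscript
' wmiaudit.vbs - added example, not from the original document.
' Connects to WMI on the local or a named host and reports three things a
' practitioner usually wants to know: automatic services that are not running,
' enabled local accounts whose password never expires, and non-administrative
' shares. Usage: cscript //nologo wmiaudit.vbs [SERVER01]   (host is illustrative)
Option Explicit

Dim strComputer, objWMI, objItem, colItems, objNet, intProblems

' Target host: first command-line argument, or this machine's own name.
' The name (not ".") is needed because check 2 filters on the account domain.
If WScript.Arguments.Count > 0 Then
    strComputer = WScript.Arguments(0)
Else
    Set objNet = CreateObject("WScript.Network")
    strComputer = objNet.ComputerName
End If
intProblems = 0

' Connect to the CIM Object Manager. "impersonate" runs the queries under the
' caller's credentials, so a remote host must grant this user admin rights.
On Error Resume Next
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
                       strComputer & "\root\cimv2")
If Err.Number <> 0 Then
    WScript.Echo "Cannot connect to WMI on " & strComputer & ": " & Err.Description
    WScript.Quit 2
End If
On Error GoTo 0

' Check 1: automatic-start services that are not running (availability).
Set colItems = objWMI.ExecQuery( _
    "SELECT Name, State FROM Win32_Service " & _
    "WHERE StartMode = 'Auto' AND State <> 'Running'")
For Each objItem In colItems
    WScript.Echo "STOPPED  " & objItem.Name & " (" & objItem.State & ")"
    intProblems = intProblems + 1
Next

' Check 2: enabled local accounts with a non-expiring password. Restricting
' Domain to the host name keeps domain accounts out of the result on members.
Set colItems = objWMI.ExecQuery( _
    "SELECT Name, Domain FROM Win32_UserAccount " & _
    "WHERE Domain = '" & strComputer & "' " & _
    "AND Disabled = FALSE AND PasswordExpires = FALSE")
For Each objItem In colItems
    WScript.Echo "NOEXPIRE " & objItem.Domain & "\" & objItem.Name
    intProblems = intProblems + 1
Next

' Check 3: shares other than the hidden administrative ones (names ending in $).
Set colItems = objWMI.ExecQuery("SELECT Name, Path FROM Win32_Share")
For Each objItem In colItems
    If Right(objItem.Name, 1) <> "$" Then
        WScript.Echo "SHARE    " & objItem.Name & " -> " & objItem.Path
        intProblems = intProblems + 1
    End If
Next

WScript.Echo intProblems & " finding(s) on " & strComputer
' A non-zero exit code lets an AT job or batch wrapper react to findings.
If intProblems > 0 Then WScript.Quit 1 Else WScript.Quit 0
```

Run it with cscript rather than wscript so the output goes to the console; the same WQL queries can be pointed at any host on which the WMI service is running and the caller is an administrator, which is the remote-management case the text above describes.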
Another powerful management scripting feature of Windows 2000 is the net shell (netsh). Net shell provides a command-line interface for configuring routing, remote access, DHCP, WINS and other essential network services. Not only can administrators configure these services, but they can use netsh to create scripts to automate local and remote service management as well. The net shell also features single command configuration save and restore for routing, remote access, DHCP, WINS and other supported services.
Group Policy Services
In Windows 2000 Server, group policies define user and computer settings for groups of users and computers. Administrators can create a specific desktop configuration for a particular group of users and computers with the Group Policy Editor – an MMC snap-in. The Group Policy Settings administrators create are contained in a Group Policy Object (GPO) that is in turn associated with selected Active Directory objects, such as sites, domains, or organizational units.
Administrators can use the Group Policy Editor and its extensions to define Group Policy options for managed desktop configurations for computers and users. With the Group Policy Editor, administrators can specify the following settings:
Software Policies, to mandate registry settings on the desktop, including operating system components and applications.
Scripts (such as computer startup and shutdown, logon and logoff).
Software Installation options including lists of available applications for users, and so forth.
User and Data Settings for file deployment and redirecting special folders.
Security Settings to configure access restrictions for both the local computer as well as domain and network related options.
When administrators use the Group Policy Editor, they create Group Policy settings that are contained in a Group Policy Object (GPO). These GPOs are in turn associated with selected directory objects (sites, domains, organizational units, etc).
The specifics of the Group Policy infrastructure in Windows 2000 Server can be summarized as follows:
Administrative Templates – The Group Policy Editor requires a source to create the user interface settings an administrator can set. For this purpose, the Group Policy Editor can use either an MMC extension snap-in to the Group Policy Editor snap-in or an ASCII file referred to as an administrative template. The administrative template specifies the registry settings that can be modified through the Software Policies extension of the Group Policy Editor. It consists of a hierarchy of categories and subcategories that together define how the options are displayed through the Group Policy Editor user interface. It also indicates the registry locations where changes should be made if a particular selection is made, specifies any options or restrictions (in values) that are associated with the selection, and in some cases specifies a default value to use if a selection is activated.
Group Policy Editor – The Group Policy Editor is an MMC snap-in that includes built-in features for setting Group Policy. Group policies define the various components of the user’s environment that system administrators need to manage and include software settings, application deployment options, scripts, user data and settings options, and security settings.
Application Deployment Editor – The Application Deployment Editor is an MMC snap-in extension of the Group Policy Editor that is used to centrally manage software distribution. With the Application Deployment Editor, administrators can install, assign, publish, update, repair, and remove software for groups of users and computers.
Security Configuration Editor – The Security Configuration Editor is used by the Group Policy Editor to define security configuration for computers within a Group Policy Object. A security configuration consists of security settings applied to each security area supported for Windows 2000 Professional or Server. This security configuration is included within a GPO and is then applied to computers as part of the Group Policy enforcement. Areas that can be configured via the Security Configuration Editor include the following:
Account Policies – Refers to computer settings for password policy, lockout policy, and, in Windows 2000 domains, Kerberos policy.
Local Policies – Includes security settings for Audit policy, user rights assignment, and security options. Local policy allows administrators to configure who has local or network access to the computer and how local events are audited.
Event Log – Controls security settings for the Application, Security, and System event logs. Administrators can access these logs using the Event Viewer.
Restricted Groups – Computer security settings for built-in groups that have certain predefined capabilities. Restricted Group policies enforce the memberships of groups such as the built-in local groups (Administrators, Power Users, Print Operators, and Server Operators) or global groups such as Domain Admins.
System Services – Controls configuration settings and security options for system services such as network services, file and print services, telephony and fax services, Internet services, and so forth. The Security Settings extension directly supports general settings for each system service including startup mode and security on that service.
Registry and File System – Used to configure and analyze security descriptors (including object ownership), the Access Control List (ACL), and auditing information for registry keys and for each object (volume, directory, or file) in the local file system.
Windows Installer Service – The Windows Installer Service is responsible for managing application installation, modification, repairs, and removal. It includes an operating system-resident install service, a standard format for component management, and a management API for applications and tools. The elements comprising the Windows Installer Service can be summarized as follows:
Resident Install Service – Windows Installer Service is a resident feature of the Windows 2000 operating system. It will also be provided via a redistributable pack for Windows 9x and Windows NT 4.0 platforms. The Windows Installer Service Pack for those platforms will be made available to the developer community for distribution as part of their products. Once installed in the operating system, the Windows Installer Service can process installation requests from Windows installer-enabled applications. Future versions of the Designed for Microsoft Windows Logo Program will standardize on Windows Installer for setup.
Component Management Format – Windows Installer views all applications as being composed of three logical building blocks – products, features, and components. A product corresponds to a single package or SKU. Features refer to parts of a product from the user’s perspective. Finally, a component refers to the parts of a product from the developer’s perspective. Each Windows installer product is described in the form of a single Windows Installer package file. This file (.msi) is in a database format that has been optimized for installation performance and describes, among other things, the relationships between features, components, and resources for a given product. At installation time, the Windows Installer service opens the package file for the product and determines the installation operations that must be performed to install that product.
Management API – The Windows Installer Service provides a management API that allows application developers to programmatically inventory a computer’s contents, install and configure Windows Installer products, install and configure Windows Installer features, and determine the path to specific Windows Installer components on the computer. The key feature of the management API is that it allows the Windows Installer service to manage all file paths on behalf of an application. At runtime, a Windows Installer-installed application can ask the Windows Installer service for the path to a given component. This level of indirection completely frees applications from hard dependencies on static file paths.
On-Demand Installation of Products – Windows Installer supports advertisement at the product level. Both the Shell and OLE use the Windows Installer Management API in Windows 2000 Server, therefore allowing an entire product to be advertised. Advertising a product installs only the entry points to it, including desktop and Start menu shortcuts, file extensions, and OLE registration. When a user triggers the activation of the application, the operating system calls Windows Installer to install the necessary features of the advertised product. When the installation is complete, Windows Installer will automatically launch the application for the user.
On-Demand Installation from Within Applications – The on-demand install capability ensures that all application features are available to users – even those that were not previously installed. Instead of requiring users to rerun Setup to add optional components, Windows Installer is automatically called when a user makes a feature request to silently install the optional components.
Runtime Resource Resiliency – The Windows Installer management API enables dynamic repair of an application in much the same way that it enables on-demand installation. When an application calls Windows Installer to resolve a path, Windows Installer performs two checks. The first verifies that the requested component is installed. The second (assuming the first succeeded) verifies whether the component is properly installed. If it is not, an on-demand repair is performed, allowing an application to repair itself silently in the course of normal usage.
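The security areas listed above under the Security Configuration Editor are stored as a plain-text security template. As an added, illustrative example (not part of the original document and not a Microsoft-supplied template), the following .inf shows how several of those areas are expressed in the format consumed by the Security Configuration Editor and by its command-line counterpart, secedit.exe. The values are a hypothetical baseline, not a recommendation from the page; the SIDs are the well-known SIDs of the built-in groups named in the comments, and the file and registry paths are illustrative.

```ini
; baseline.inf - hypothetical security template (added example, not from the page).
; Check drift:  secedit /analyze   /db baseline.sdb /cfg baseline.inf /log analyze.log
; Apply:        secedit /configure /db baseline.sdb /cfg baseline.inf /log apply.log
; On a domain member, the same settings delivered through a GPO take precedence
; over anything applied locally from this file.

[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Account Policies: password and lockout policy (Kerberos policy is domain-only).
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30

; Local Policies > Audit policy: 0 = none, 1 = success, 2 = failure, 3 = both.
; Event Log settings for the Security log live in the same section.
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2
MaximumSecurityLogSize = 16384
RestrictSecurityGuestAccess = 1

; Local Policies > User rights assignment, in *SID form:
; S-1-5-32-544 Administrators, S-1-5-11 Authenticated Users, S-1-5-32-546 Guests.
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeDenyNetworkLogonRight = *S-1-5-32-546
SeRemoteShutdownPrivilege = *S-1-5-32-544

; Local Policies > Security options and other registry-backed settings.
; Value format is type,data where 4 = REG_DWORD and 1 = REG_SZ.
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Authorized use only"

; Restricted Groups: enforce an empty Power Users group (S-1-5-32-547).
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members =

; Registry and File System: security descriptors in SDDL. The middle field is the
; inheritance mode: 0 = propagate to children, 1 = replace on children, 2 = do not
; allow permissions on this object to be replaced.
[Registry Keys]
"MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;BO)"

[File Security]
"%SystemRoot%\repair",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
```

The /analyze form compares the machine against the template and writes the differences to the log without changing anything, which is the check to run before trusting that a policy has actually landed; /configure applies the template, and settings the file does not mention are left as they are.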
Management Infrastructure Summary
Windows 2000 Server provides a comprehensive management infrastructure. Its Group Policy services are the most comprehensive of the three platforms: it provides a complete software installation and management service (the Windows Installer Service coupled with the desktop application management services), and its security configuration manager, policy management services, and application deployment features provide the best directory integration, the easiest configuration tools, and the most comprehensive feature set. Windows 2000 Server also provides an equally impressive management scripting implementation and the most capable, easiest-to-use management tools with its MMC-based configuration and management tools. Finally, it provides a complete set of management instrumentation services, extending to full SNMP support and a complete implementation of the Desktop Management Task Force’s Web-Based Enterprise Management specification in the form of WMI.
Windows NT Server 4.0 provides an excellent set of easy-to-use graphical management tools, although they are not integrated as in Windows 2000 and are definitely not as easy to use as the MMC snap-ins present in Windows 2000. Some MMC snap-ins are provided for managing certain network services such as Internet Information Server or Transaction Server, enhancing the administrator’s experience. Windows NT Server 4.0 also supports both SNMP and the DMTF’s WBEM standard through the WMI implementation contained in the Service Pack 4 update. Management scripting services are excellent, providing a solution essentially identical to that found in Windows 2000 Server once the Windows NT Option Pack is installed on Windows NT Server 4.0. However, where Windows NT Server 4.0 really falls short of Windows 2000 Server is in its group policy services implementation: its user policy management is not nearly as feature-complete, and it offers no software package administration equivalent to the Windows 2000 Server Windows Installer Service.
Though Solaris 7 does provide fairly efficient management services, these services are not as feature-rich or easy to use as either the Windows NT 4.0 or the Windows 2000 management services. Although its graphical administration tools lack the integrated approach of the Windows offerings, the command line is one area where Solaris 7 is strong. The command-line tools available are both versatile and powerful, yet they are also inherently more complex to use and require more experience to operate (even when compared to their Windows command-line counterparts). Solaris 7 provides full support for WBEM and also provides an SDK for developers. The Sun WBEM implementation is Java-based and supports many industry-standard technologies, including the Common Information Model (CIM), Extensible Markup Language (XML), SNMP and the Desktop Management Interface (DMI). Finally, user realms provide functions similar to Group Policy. However, user realms are not as dynamic or configurable as Windows 2000 group policies, making the Windows 2000 Group Policy implementation the clear leader.