Windows 2000 Centralized Management
Windows 2000 is a powerful operating system that can be managed remotely. The range of remote management options has been greatly increased in Windows 2000. From Windows Terminal Services to command line scripts, IT professionals now have a range of tools to administer a Windows 2000 machine remotely. This paper will describe several new remote management tools that can be used to administer Windows 2000 machines, whether they exist in the corporate data center or at a branch office.
On This Page
Windows Management Instrumentation
Windows Script Host
Microsoft Management Console (MMC)
Other remote management capabilities
Organizations manage their computer systems to maximize the productivity of the people using the systems, while minimizing the total cost of ownership (TCO) associated with these same systems. (TCO refers to all costs involved in administering distributed personal computers on networks.) The Microsoft Windows operating system has matured into a dynamic multipurpose operating system that has become the foundation for critical line-of-business systems. As customers have come to rely on Windows 2000-based systems for the success of their businesses, the need for common, built-in, management services has become obvious.
Windows 2000 provides integrated management services that reduce the costs associated with typical administrative tasks. These Windows management services form the foundation for built-in and value-added management tools that provide:
Desktop management. Through features such as Group Policy and IntelliMirror (described later), administrators can more easily manage the data, software, and settings of PCs and users within their organization. Value-add solutions such as Systems Management Server provide more advanced change and configuration management features for enterprises.
Centralized management. Administrators need to be able to manage large numbers of servers, often from remote locations. Features such as Windows Script Host and Terminal Services allow administrators to automate changes and remotely manage servers from a central location.
Easier deployment. Windows 2000 Professional is now easier to deploy with better scripting and the ability to upgrade from any computer running the Windows NT 3.51 or 4.0 operating system, Windows 95, or Windows 98. Additional features such as Remote Operating System Installation and tools to create installation images allow administrators to distribute new installations of Windows 2000 faster.
This paper will focus on the services and features that enable centralized management. These include:
Windows Management Instrumentation (WMI)
Windows 2000 supports the Windows Management Instrumentation standard. WMI lets management applications from different sources manage all of an organization's devices, drivers, services, and applications in a single, consistent way.
Windows Script Host
Windows Script Host (WSH) helps automate many administrative actions. WSH allows administrators to avoid repeating identical tasks and spend less time on automated tasks.
Terminal Services bring the Windows administrator interface to computers with limited processing capability or bandwidth, allowing administrators to manage servers remotely.
The Active Directory service centralizes the management of network users. Administrators can structure their network into an easy-to-manage hierarchy of sites (one or more TCP/IP subnets), domains, and smaller organizational units (OUs) instead of an undifferentiated list of thousands of users.
Microsoft Management Console (MMC)
The Microsoft Management Console (MMC) provides a consistent way to perform management tasks. Administrators use the same console whether they are responsible for a single workstation or an entire network of computers.
Other Remote Management Capabilities
Windows 2000 includes many other remote management services such as Secondary logon facility, the Remote Command Service, Telnet Service, Active Directory Services Interface (ADSI), and Services for UNIX.
This paper provides an overview of each of these services and features and explains how they can be used to centrally manage Windows 2000-based servers.
Windows Management Instrumentation
Total cost of ownership (or TCO)the real cost of maintaining a distributed personal computer networkextends far beyond the initial purchase of hardware and software. TCO includes the deployment and configuration expense, costs associated with deploying hardware and software updates, training and retraining, day-to-day maintenance and administration, and telephone and on-site technical support. With these escalating costs in mind, Microsoft and others are working together on several initiatives designed to lower the total cost of ownership of personal computers in the enterprise.
Key among these efforts is Web-based Enterprise Management (WBEM), an industry initiative that establishes management infrastructure standards and provides a way to combine information from various hardware and software management systems. WBEM specifies standards for a unifying architecture that allows access to data from a variety of underlying technologies and platforms, and presents that data in a consistent fashion. Management applications can then use this information to create solutions that reduce the maintenance and life cycle costs of managing an enterprise network. WBEM is based on the Common Information Model (CIM) schema, which is an industry standard driven by the Distributed Management Task Force (DMTF).
Microsoft Windows Management Instrumentation (or WMI) is WBEM-compliant, and provides a consistent and richly descriptive model of the configuration, status and operational aspects of Microsoft Windows 2000. Used in conjunction with other management services provided in Windows 2000, WMI can simplify the task of developing well-integrated management applications, allowing vendors to provide customers of Windows 2000 with scalable, effective enterprise management solutions.
As shown in Figure 1 below, enterprise management usually has been tied to different protocols and interfaces for different disciplinesfor example, Simple Network Management Protocol (SNMP) has been used for network management, and the Desktop Management Interface (DMI) has been used for desktop systems management. WBEM assumes that enterprise network management problems require tools that work together to provide a single, shared model for the collection of management information. WBEM provides this common model and data source, and can be extended to work with existing network components, tools, and protocols.
Figure 1: Enterprise Management Configuration
WMI is a key component of Microsoft Windows management services. Windows management services also include the location and policy service of the Active Directory, the presentation services of the Microsoft Management Console (MMC), and the automation capabilities of Windows Script Host (WSH).
As the core of Microsoft's management infrastructure, WMI helps to reduce the maintenance and cost of managing components in a Windows NT enterprise network. WMI provides:
A rich and consistent model of operation, configuration, and status for the Windows 98 and Windows 2000 operating systems. (Note that WMI downloadable core components are also available for Windows NT 4.0 SP 4 and for Windows 95.)
A COM API that supplies a single point of access to all management information.
Interoperability with other Windows 2000 management services, which will simplify vendors' efforts to create well-integrated management applications.
A flexible architecture that allows vendors to extend the information model to cover new devices, applications, and other enhancements by writing code modules (WMI providers).
A powerful event architecture that allows changes in management information to be identified, aggregated, compared to and associated with other management information, and forwarded to local or remote management applications.
A rich query language that enables detailed queries of the information model.
A scriptable API, which enables management application developers to use Visual Basic or Windows Script Host (WSH).
For example, local and remote eventing combined with a rich query language to the information model provides the means to create solutions to complex management problems. The ability to easily script these solutions in Visual Basic or using WSH (described later) adds an often-requested dimension to Windows 2000 management.
Terminal Services is a component that is included with each member of the Windows 2000 Server family: Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 Datacenter Server. It provides the Windows graphical user interface to remote devices over LAN, WAN, or Internet connections. All of the application processing is performed at the server and only data from devices such as the display monitor, keyboard, and mouse are transmitted between the server and the Terminal Services client.
Terminal Services may be enabled in one of two modes: Application Server or Remote Administration. Application server mode allows multiple remote clients to simultaneously access Windows-based applications that run on the server. This is the traditional Terminal Server deployment.
Remote administration mode is a new feature in Terminal Services for Windows 2000. It is designed to provide operators and administrators with remote access to typical BackOffice-based servers and domain controllers. The administrator has access to the graphical user interface-based tools that are available in the Windows environment, even if he or she is not using a Windows-based computer to administer the server.
Note: Terminal Services Client software for 16-bit and 32-bit Windows-based computers is included with Windows 2000 Server. Non-Windows-based computers require a third-party add-on.
Remote administration mode allows this without affecting server performance or application compatibility. Up to two remote administration sessions are supported, in addition to the console session. Since this is meant as a single-user remote access solution, no Terminal Server Client Access License (CAL) is required to use Remote Administration.
Summary of Features and Benefits
The Remote administration mode of Terminal Services includes the following features and benefits:
Graphical administration of Windows 2000 servers from any Terminal Services client. Clients are available for computers running Windows for Workgroups, Windows 95, Windows 98, Windows CE 2.11, Windows NT, and Windows 2000.
Remote upgrades, reboots, and promotion and demotion of domain controllers.
Access to servers over low-bandwidth connections, with up to 128-bit encryption (56-bit outside of North America).
Roaming disconnect support, allowing data-sensitive or time-consuming tasks to be completed successfully if the remote session is disconnected deliberately or due to network problems.
Remote application installation and execution, with fast access to local disks and media (for example, when copying large files and virus scans).
Console session is left unaffected while remote administration takes place, eliminating eavesdropping.
Negligible performance impact on the server and no impact on application compatibility.
No Terminal Services Client Licensing requirements.
Two remote administrators can share a session for collaboration purposes.
Remote Desktop Protocol (RDP) feature set, including local printing, clipboard mapping (cut, copy and paste), and support for any RDP virtual channel applications such as local drive mapping (available in the Windows 2000 Resource kit).
Windows Script Host
The Windows Script Host (WSH) is a language-independent scripting host for 32-bit Windows platforms. WSH provides a low-memory scripting host that is ideal for non-interactive scripting needs such as logon scripting, administrative scripting, and so on. Microsoft provides both Visual Basic Script and Java Script scripting engines with WSH. WSH can be run from either the Windows-based host (WSCRIPT.EXE), or the command shell-based host (CSCRIPT.EXE).
Previously, the only native scripting language supported by the Windows operating system was the MS-DOS command language. Although it is fast and small, MS-DOS has limited features compared to Visual Basic Script and Java Script. Today, ActiveX scripting architecture allows users to take advantage of powerful scripting languages such as Visual Basic Script and Java Script. And MS-DOS command scripts are still supported.
Windows Script Host enables scripts to be executed directly on the Windows desktop or command console. Scripts can be run directly from the desktop simply by clicking on a script file, or from the command console.
The Active Directory service is a sophisticated, adaptive directory service that allows a high degree of customer modification to meet specific business and organizational needs.
Administrators and end-users have different requirements for user interfaces. Many properties and actions have no meaning to end-users and yet are important for administrators. Moreover, Active Directory has a fine-grained security model that allows permissions to be defined down to an individual attribute level and administration tasks to be delegated to different users. Thus, Active Directory supports a UI that adapts to meet the needs of administrators and end-users, extends to support modifications to the schema, and reflects the fine-grained security model.
The administrative UI is presented through different Microsoft Management Console (MMC) snap-ins, specifically the Active Directory Manager, Active Directory Sites and Services Manager, Active Directory Tree Manager, and Active Directory Schema Manager.
The end-user, however, sees the directory through the Windows operating system shell. Users can browse for objects stored in Active Directory from either the Network Neighborhood on the Desktop or through the Find dialog boxes available in the Start menu.
Although their user interfaces and their experience with the Active Directory will differ, both administrators and users will require that directory service objects be displayed in the user interface. Therefore, a flexible UI mechanism is needed to meet the needs of the various user groups while still meeting the more general UI goals of localization, extensibility, and ease of customer modification.
Gaining an understanding of the Active Directory service is the first step in understanding how the Windows2000 operating system functions and what it can do to help you meet your enterprise goals.
Active Directory hierarchically stores information about network objects and makes this information available to administrators, users, and applications
Using Active Directory, the network and its objects are organized by constructs such as domains, trees, forests, trust relationships, organizational units (OUs), and sites.
Because Active Directory is based on standard directory access protocols, it can interoperate with other directory services and can be accessed by third-party applications that follow these protocols
The introduction of Active Directory in the Windows 2000 operating system provides the following benefits:
Integration with DNS. Active Directory uses the Domain Name System (DNS). DNS is an Internet standard service that translates human-readable computer names (such as mycomputer.microsoft.com) to computer-readable numeric Internet Protocol (IP) addresses (four numbers separated by periods). This lets processes running on computers in TCP/IP networks identify and connect to one another.
Flexible querying. Users and administrators can use the Search command on the Start menu, the My Network Places icon on the desktop, or the Active Directory Users and Computers MMC snap-in to quickly find an object on the network using object properties. For example, users can find another user by first name, last name, e-mail name, office location, or other properties of that person's user account. Finding information is easier with the global catalog.
Extensibility. Active Directory is extensible, which means that administrators can add new classes of objects to the schema and can add new attributes to existing classes of objects. The schema contains a definition of each object class, and each object class's attributes, that can be stored in the directory. For example, an administrator could add a Purchase Authority attribute to the User object and then store the amount of each user's purchase authority limit as part of the user's account.
Policy-based administration. Group Policies are configuration settings applied to computers or users as they are initialized. All Group Policy settings are contained in Group Policy Objects (GPOs) applied to Active Directory sites, domains, or organizational units. GPO settings determine access to directory objects and domain resources, what domain resources (such as applications) are available to users, and how these domain resources are configured for use.
Scalability. Active Directory includes one or more domains, each with one or more domain controllers, enabling the administrator to scale the directory to meet any network requirements. Multiple domains can be combined into a domain tree and multiple domain trees can be combined into a forest. In the simplest structure, a single-domain network is simultaneously a single tree and a single forest.
Information Replication. Active Directory uses multimaster replication, which lets you update the directory at any domain controller. Deploying multiple domain controllers in one domain provides fault tolerance and load balancing. If one domain controller within a domain slows, stops, or fails, other domain controllers within the same domain can provide necessary directory access, since they contain the same directory data.
Information security. Management of user authentication and access control, both fully integrated with Active Directory, are key security features in the Windows 2000 operating system. Active Directory centralizes authentication. Access control can be defined not only on each object in the directory, but also on each property of each object. In addition, Active Directory provides both the store and the scope of application for security policies.
Interoperability. Because Active Directory is based on standard directory access protocols, such as Lightweight Directory Access Protocol (LDAP), it can interoperate with other directory services employing these protocols. Several application programming interfaces (APIs) such as Active Directory Service Interfaces (ADSI)give developers access to these protocols.
Microsoft Management Console (MMC)
Microsoft Management Console (MMC) is an ISV-extensible, common console framework for management applications.
MMC itself does not supply any management behavior, but instead provides a common environment for Snap-Ins, which are written by both Microsoft and independent software vendors (ISVs). Snap-ins are administrative components integrated into a common host (MMC) that define the actual management behavior. The MMC environment provides a centralized interface for seamless integration between Snap-Inseven those provided by different vendors.
A system administrator can create tools from various Snap-Ins, and then save these tools for later use or for sharing with other administrators. This approach allows the administrator to efficiently create custom tools with different levels of complexity for task delegation, task coordination, and workflow management. For example, an administrator can combine simple tasks into one tool, and then give that tool to a subordinate or trainee. The same administrator can also design different tools for daily, weekly, and monthly administrative tasks.
MMC is a core part of Microsoft's management strategy. Most Microsoft development groups use MMC for management applications in all versions of Windows and in all of the BackOffice family of applications. MMC has the following benefits:
Provide a single host for all management tools: MMC does not replace existing enterprise console and management applications; it allows them to be packaged as Snap-Ins so that they can be accessed from a single interface.
Facilitates task delegation: Using MMC, a system administrator can group subsets of administrative tasks into tools, and forward those tools to other administrators or to subordinates for task completion.
Lowers total cost of ownership for the desktop: Task delegation, logical grouping of tools and processes, and management through a single interface allows systems administrators to better organize their tools and tasks and simplify remote administration.
Because MMC itself provides the windowed environment, MMC is well suited to the ISV who wants to spend more time building real management functionality and less time building and rebuilding a respectable windowing framework for their tools. By writing to the MMC specifications, an ISV will save development time, build in compatibility with other management tools, be able to extend existing management tools written for MMC, and offer an integrated look and feel.
Other remote management capabilities
The Windows 2000 architecture has been expanded to include more remote management capabilities, including the Secondary logon facility (Run As), the Remote Command Service, the Telnet Service, and Active Directory Service Interfaces.
The Secondary logon (Run As) allows administrators to avoid having to log on with an administrative account for each task. Instead, secondary logon enables administrators to log on with an ordinary user account and then start trusted administrative tools in the context of the administrator's account without logging off. This feature can be used to start applications under different credentials without needing to log off.
Remote Command Service
The Remote Command Service (Rcmd.exe) provides a secure, robust way to remotely administer and run command-line programs. Remote Command Service consists of client and server components. The client is a command-line program, Rcmd.exe. The server end, Rcmdsvc.exe, is installed and run as a service. A command session, or "virtual console," is created when a client connects to the server. It is not visible on the desktop, and does not in any way interfere with it. Up to 10 clients may be simultaneously connected to the remote command server on a computer, all operating securely and independently of each other.
The telnet service allows command-line access to the Windows 2000 server. A default installation of Windows 2000 installs a telnet services that will permit two simultaneous connections. The telnet service must be started before any connections can be made to the server. Once connected to the telnet service, an administrator can use command line tools and scripts to administer the server.
Active Directory Service Interfaces
Active Directory Service Interfaces (ADSI) abstract the capabilities of different directory services from different network vendors to present a single set of directory service interfaces for managing network resources. Administrators and developers can use Active Directory Service Interfaces to manage the resources in a directory service, no matter which network environment contains the resource. ADSI enables administrators to automate common tasks such as adding users and groups, managing printers, and setting permissions on network resources. ADSI scripts can be written in several different languages including Visual Basic, Java, and Perl script.
Services for UNIX
Services for UNIX is designed to address the problems of interoperability between the Microsoft Windows operating system and UNIX operating systems. Customers are looking for solutions that will help them move between systems on the same network without re-learning common tasks. The primary objective of Services for UNIX is to provide a comprehensive set of tools to help the bridge the gap between UNIX and Windows for users and administrators. Services for UNIX implements the following features to meet that objective.
File sharing between UNIX and Windows via NFS by providing NFS client, NFS server, and NFS gateway functionality
Remote command line access between Windows-based and UNIX computers or between two Windows-based computers via Telnet client and server
Korn Shell and the ability to run familiar UNIX command line utilities like ls, vi, chmod, and grep, natively from Windows NT or Windows 2000
Common network administration by providing NIS server functionality using the Active Directory service
Password synchronization between Windows and UNIX
Administration of Services for UNIX components and services via MMC
Management of Services for UNIX components using WMI
Microsoft Windows Services for UNIX 2.0 provides a set of additional features to Windows 2000 that allow for greater interoperability with existing UNIX-based systems in the enterprise. SFU 2.0 provides a full range of supported and fully integrated interoperability components that make it easy for customers to integrate Windows 2000 operating systems into their existing UNIX environments. SFU 2.0 provides interoperability components that leverage existing UNIX network resources and knowledge within organizations and provides manageability components that enable organizations to simplify network administration and account management across both platforms.
For More Information
For the latest information on Windows 2000 Server, please see http://www.microsoft.com/windows2000/default.asp.