This article is based on NT 5.0, Beta 2.Management infrastructure
Microsoft Management Console
Common Information Model
Windows Scripting Host
Group Policy Services
Administrators today are faced with a number
of challenges when it comes to managing their networks. Technology gets more and more
complex and a wide range of management interfaces does nothing to help lower the cost of
ownership. Different users have different needs, both in terms of applications used and
the amount of control they expect the administrator to exercise. Each application must be
made available to the appropriate users and kept away from others, and most users are
getting wise to the concept of quality of service. This means that the administrator is
expected to provide a reasonably constant performance level and degree of up-time across
the network not always an easy task. In addition, each user has a very different
set of needs. The power user is capable of taking care of himself and would prefer little
or no administrative oversight or control. The novice, or purely task-based worker, on the
other hand, requires his desktop to be locked down reasonably tight in order to prevent
wandering around the network resulting in possible accidental damage to data
or application files.
Management infrastructure components
Microsoft is looking to provide a set of management services with Windows 2000.
Specifically, the components that make up the management infrastructure are:
Directory Services a standards-based collection of resource information
that centralises the information gathering tasks of the administrator (already covered in
the Active Directory feature).
Management Presentation Services a collection of facilities including the
Microsoft Management Console (MMC) that delivers a consistent interface for all management
Instrumentation Services a standards-based range of low-level data
gathering facilities that surfaces the management information that the administrator
Scripting Services support for the execution of scripts from within the
operating system, allowing administrators easier automation of processes in their
favourite scripting language.
Group Policy Services inheriting capabilities from the Active Directory to
deliver a set of services to allow administrators to associate particular configurations
with particular groups of users.
Microsoft Management Console
The key management infrastructure technology that has been developed to offer a consistent
presentation of management information is the MMC (Microsoft Management Console). In its
bare form, the MMC does not provide any management facilities itself, it does however
provide a framework for individual management modules called "snap-ins" that can
be provided either by Microsoft or Independent Software Vendors (ISVs). A huge number of
snap-ins are provided as part of Windows 2000 out of the box, and whenever you see a
utility such as "Active Directory Site and Services Manager" you will basically
be running the MMC with the Site and Services snap-in. In future, when you add new third
party products such as backup you should expect them to be managed via the
From the toolbar at the top of the MMC, however, you can add extra snap-ins, effectively
allowing you to build your own custom management interface. For instance, if you regularly
find yourself administering DNS and DHCP in the same session, rather than switch
constantly between two separate utilities, you can easily add the two snap-ins to a new
console of your own and save this to the desktop. Another advantage of this is the ability
for an administrator to create custom management tools and distribute them to lower-level
administrators for specific task delegation. This is all designed to streamline the
administration process and lower the cost of ownership.
Although the MMC provides a common framework for the management of various network
components, the plethora of different instrumentation processes for all the different
devices used on a network makes it very difficult for these to be managed from a single
place. Windows 2000 supports the Desktop Management Task Force (DMTF) Web-Based Enterprise
Management (WBEM) standards initiative through built-in technology known as Windows
Management Instrumentation (WMI).
Common Information Model
This works at a low level, interacting with the devices on a network to gather all the
instrumentation data and present them in a single, WBEM-compliant, unified schema known as
the Common Information Model (CIM). At the kernel level, WMI manages device drivers and
collects data from the 32-bit Windows environment, data from the Registry, from the
Performance Monitor, and from SNMP and DMI. This is brought together in the CIM schema and
provides a single point of reference for all management tools operating at the user level.
This allows the various tools in use by the administrator to collect all their data from
CIM rather than make many different proprietary calls into the operating system
environment. Of course, the management tools in question need to be written specifically
to use the CIM interface, but this will surely happen as Windows 2000 is deployed and the
Microsoft marketing machine shifts into top gear. In the mean time, SMS 2.0 is the first
application to collect detailed information using this method.
Windows Scripting Host
Another way to streamline the administrative process is to automate tasks by using
scripts. We are all familiar with the DOS batch file, and some people have produced some
impressive if not particularly elegant menu and command structures based
around them. This process has been updated for the Windows 2000 platform, with Windows
Scripting Host (WSH) providing a language-independent host for ActiveX scripting engines
on 32-bit Windows platforms. It allows scripts to be written in VBScript or Jscript and it
is expected that third parties will provide additional scripting engines for other
languages such as Perl, TCL, REXX, and so on. The resulting scripts can be run either
directly on the desktop or from the command prompt.
WSH provides two ActiveX interfaces. Administrators can use the
object interfaces provided by the WSH and any ActiveX controls that expose ActiveX
automation interface to perform various administrative tasks on the Windows platform.
Automation can be provided by defining a scripted action as a result of one or more events
occurring or, in more complex situations, an action may be triggered as a result of a
number of events arriving over time and in a specific sequence.
Group Policy Services
A feature later in this series will cover some of the mobile facilities introduced with
Windows 2000, coupled with the necessary change and configuration management tools
designed to ensure that applications, data and desktop configurations follow users around
the network (and beyond). In order to support these advanced capabilities, however, it has
been necessary to include a number of Group Policy Services in Windows 2000. Policies are
managed by using the ubiquitous Group Policy Editor snap-in for the MMC. This covers
similar ground to the Group Policy Editor available under NT4 and Windows 9x, though
extended somewhat and brought within the folds of the MMC.
Group Policy settings can be created for various aspects relating to a computer or user.
For example, Policies can be created to mandate registry settings on the desktop,
including operating system components and applications. Scripts can be created that will
run at computer start-up, shut-down, logon and logoff. Security settings can be applied
for local computer, domain and network, and software installation options can be specified
that will determine which applications are available to users for installation, and which
will be installed on their desktop by default. Via the Application Deployment Editor, for
instance, administrators can install, assign, publish, update, repair and remove software
for groups of users and computers. This allows all software distribution to be controlled
from a single central point if required.
Applications can be assigned to users which means the user has no choice as
to whether or not it is installed or can be published. Users can then "subscribe"
to published applications, which will cause them to be installed automatically. Each time
an application is updated, the update is carried out once centrally, and is then pushed to
all computers and users who have subscribed to it. If an administrator wishes to remove an
application, this too can be done centrally, and will be deleted from all computers at the
earliest opportunity. This one feature alone has the capability of saving hundreds and
thousands of man hours for the Windows 2000 administrator.
Finally, the Security Settings extension of the Group Policy Editor allows the
administrator to define security configurations in areas such as account policies
(password, lockout and Kerberos policies), local policies (audit and user rights), event
log, restricted groups, system services, the registry and the file system. The security
settings extension has been designed to complement existing system security tools such as
the Access Control List (ACL) Editor, Local User Manager and Server Manager. The Security
Settings extension defines an engine that can interpret a standard security configuration
and perform the required operations automatically in the background. Administrators can
thus continue to use existing tools to change individual security settings wherever
All of these settings are stored in a Group Policy Object (GPO) which, in turn, are
associated with selected directory objects within Active Directory, such as sites, domains
or Organisational Units. This allows the administrator to take a broad-brush or granular
approach to policy application. Most of the features covered here are evolutions of
technology already available in NT 4.0, either directly, or via Service Packs or more
recent add-ons such as Option Pack 4. However, they have been brought together, tidied up
and integrated more completely to provide an excellent management infrastructure for the
Windows 2000 platform.