Check out the new USENIX Web site. USENIX - Summaries


Large Installation System Administration of Windows NT Conference

SEATTLE, WASHINGTON,
August 6-8, 1998

CONFERENCE OVERVIEW

NTnix . . . You Are There   by George M. Jones

INVITED TALK

Windows Management Roadmap

Nikhil Joshi and Tom Phillips, Microsoft Corporation

Summary by John Holmwood

This talk, which was intended to provide a roadmap of the changes Microsoft is making to the manageability of Windows NT, was broken into two parts. Tom Phillips talked about the Windows Management Architecture (WMA) and Nikhil Joshi discussed the NT File System (NTFS).

The WMA provides the management framework and structure to assist system administrators in managing Windows NT. It includes the suite of applications formerly called Web Based Environment Management (WBEM). It is based on the Windows Management Instrumentation (WMI) object model. Phillips demonstrated several applications that use the WMI:

Disk performance. Phillips demonstrated the WMI object model using a script program developed by Computer Associates. He noted that supporting the WMI interfaces is a requirement for getting device drivers certified for NT 5.

Microsoft management console. Phillips demonstrated the Common User Interface in the new management console. He noted that it was possible to group tools appropriate for a particular management function, such as database management, and save the tool set so that the administrators will have a specific set of tools appropriate to their function.

Windows Scripting Host. Phillips demonstrated the new scripting architecture, Windows Scripting Host, by resetting all network adapters in a sub-net without using the GUI. This demo drew cries of "about time" from the audience.

Automatic software installation. Using the new Policy Manager, Phillips created a policy to have an application automatically upgraded on a user's desktop. He used the Active Directory to find the file share that contained the new application. When he logged on as that user, the new application was automatically downloaded to the workstation. This drew questions regarding license management and network bandwidth requirements, which he dodged.

At this point, Nik Joshi took over the presentation. He provided some historical background on the evolution of Microsoft filesystems, then talked about the new NTFS. The biggest news was the changes between NT 5 and NT 4 NTFS. The NT 5 installation process converts the old NTFS to the new one automatically. Once the file system has been converted, it cannot be converted back to the NT 4 version. This means that the NT 5 NTFS should not be used on a dual boot (NT 4/NT5) computer. NT 5 should be installed on a separate machine.

NT 5 has incorporated the Veritas Logical Disk Manager and Eastman HSM, as well as file encryption and disk quotas. Joshi provided three demonstrations:

Volume manager. Joshi first demonstrated the Disk Manager application. The capabilities will be familiar to any UNIX system administrator; all the Unices I know now include the Veritas Logical Disk Manager. However, judging by the audience reaction, NT sysadmins will appreciate the functionality.

Plug and play. Joshi demonstrated the new plug and play capabilities by installing a PCMCIA NIC into his laptop while it was running. The system detected the new card and loaded the correct drivers and protocol stack automatically. It simply worked before our eyes.

Resource Kit. In order to demonstrate the tool set incorporated into the NT 5 Resource Kit, Joshi demonstrated the Nettest tool, which he characterized as Ipconfig on steroids. Microsoft has done significant work to make the Resource Kit easier to use.

REFEREED PAPERS

Session: Management and Monitoring

Summary by Chris Barnash

Patch32: A System for Automated Client OS Updates

Gerald Carter, Auburn University

Patch32 was created to "provide for completely automated, remotely administered updates to Microsoft's 32 bit operating systems." In addition, the goals for Patch32 included the ability to support Windows 95 and Windows NT with the same update method, and the ability to provide an update method that is free.

The Patch32 system is made up of two main components, the server and the client. The server in Carter's implementation consists of Samba running on a Sparc Ultra 170. On this server is a share that provides a central location for the distribution of client updates. The client side of Patch32 consists of a Perl for Win32 script, which is executed by the client during the boot process.

The Patch32 Perl script is charged with several tasks. First, it determines what version of the operating system is running on the client. On the basis of this information, it determines the location of the patches on the server, and the method of installation. (The installation method differs between Windows 95 and Windows NT.) Next, it parses a file containing a list of patches stored on the server to determine which patches are available for installation. For each patch in the list, the Patch32 Perl script queries the client's registry to determine if the patch is already installed. If it is not installed, it installs the patch, otherwise it continues down the list. Upon completion, a message is displayed providing information on the installation. If the client is Windows 95, the patches will take effect after the next reboot. If the client is Windows NT, the Resource Kit's shutdown utility is used to reboot the system.

Documentation and source code for Patch32 can be found at <http://www.eng.auburn.edu/~cartegw/Patch32.html>.

Monitoring Utilization in an NT Workstation Lab

Paul Kranenburg, Erasmus University, Rotterdam

Paul Kranenburg discussed his solution for monitoring usage in the computer labs at Erasmus University -- a Windows NT utmp service.

The utmp service relies on NT's built-in auditing features to document LOGON and LOGOFF events. Specifically, SUCCESSFUL LOGON and SUCCESSFUL LOGOFF events are used to identify when a particular computer is being used.

The data gathered by the utmp service can be used in one of two ways. Short-term data provides for immediate notification of computers that may be down. An on-screen map displays all of the workstations with color codes that identify the status of the computers. A kiosk showing this map is also set up at the entrance of the labs to assist in finding available computers. The long-term data statistics can be graphed to provide utilization reports, which in turn are used to determine if the current number of workstations is sustaining the needs of the department.

The author can be reached at <kranenburg@few.eur.nl>.

INVITED TALKS

Summaries by John Holmwood

Windows NT -- A New O/S that Architecturally Isn't so New

Mark Russinovich, Systems Internals

Mark Russinovich maintains the Systems Internals Web site, a resource for Windows NT and Windows 9x utilities. He is also the author of the NT Internals column in Windows NT magazine. Russinovich opened his presentation with a short history of the development of UNIX and Windows NT, and then compared the core services of Windows NT and UNIX. (Russinovich carefully pointed out that he was talking about the NT exec, not the Win32 APIs that are layered on top of the exec, and that he was talking about UNIX in general, not any specific implementation.) The areas of comparison were:

Architecture overview. The main architectural difference is that UNIX does not have a HAL. Windows NT is so much like VMS that it is possible to follow what NT is doing internally by using the VMS internals documentation. He provided a Rosetta Stone for translating VMS documentation to NT.

Namespace. The Object Manager defines NT's namespace. This makes the namespace uniform. The UNIX namespace is defined in terms of the filesystem. It doesn't need an Object Manager. Russinovich believes the NT method is superior.

Process management. NT process management includes processes, threads, and a scheduler. The NT kernel mode is fully preemptive. In this category, the Unices vary significantly. A UNIX process is similar to an NT file handle. The kernel is cooperatively preemptive.

Memory Management. NT and UNIX are similar here.

Security. Both NT and UNIX are rated C2 secure systems. NT uses ACLs, users, and groups. The groups are nestable. There are about 20 different privileges. Security is handled by the Object Manager. UNIX has a simpler security model based on Users and Groups. ACLs have been added to some versions. Security is applied to files. This difference is due to the differences noted in the namespace section.

Synchronization and IPC. Similar. Russinovich moved over this area quickly.

I/O. NT I/O is centered around the file object. This allows a layered driver architecture that can support asynchronous operations including hardware interrupt support. Plug and play capability is coming in NT 5. UNIX I/O is centered around vnode/inodes. Traditional I/O is synchronous. Some versions have split interrupts to support asynchronous events.

File disk cache. NT has a single global cache. The virtual file cache is mapped into the kernel memory cache. UNIX uses disk block cache. Some of the newer versions use the same cache model as NT.

Networking. Lots of interfaces, lots of protocols. The difference is the layered model in NT. Only streams are layered in UNIX.

Integrated database. NT has a Configuration Manager Registry. UNIX uses config files.

Extensibility. In NT, all drivers are dynamic. There is a rich set of operating system APIs for drivers. The layered I/O allows drivers to add functionality. UNIX supports dynamically loaded extensions. The degree of operating system support services varies from very limited to a set approaching those provided by NT.

Portability. In terms of CPUs supported, UNIX is available on everything. NT is only available on x86 and Alphas.

Russinovich finished his presentation by tackling the question, "Which is better -- UNIX or NT." He put up charts of published Specweb and TCP-C benchmarks. His conclusion was that NT is as good as UNIX for small- to medium-sized servers and will get better in the larger-server space over time.

NT 5.0 Migration Strategies at Microsoft

Curtis Cummings, Microsoft Corporation

Curtis Cummings is responsible for IT support at Microsoft. He started work on Windows NT when it was the Cairo project. He is responsible for the rollout of NT 5 at Microsoft, which runs its entire company on Windows NT. He has 150 NT servers running the Beta 1 NT 5 software. The talk included a great deal of light banter between the speaker and the audience. Todd Needham of Microsoft fielded marketing questions for Cummings. Since Curt had a microphone and Todd didn't, this occasionally gave the impression of Curt acting as Todd's puppet.

Cummings started his talk by describing the Internal Technology Group's (ITG) environment, noting that his clients run "dog food," Microsoft's term for Alpha code. Two years ago, Microsoft didn't use DNS internally. In response to a question from the audience, Cummings noted that only his new administrators use the Microsoft GUI interface to DNS. Everyone else uses the command line interface.

He then described issues in migrating to NT 5 using the ITG experience as an example.

Use what you've got. Most of your infrastructure can continue to be used. You will probably have to beef up the server hardware. Cummings shared the ITG Network Plan to test NT 5 RAS services. When asked if Microsoft would be sharing the results of the ITG test, Todd stated that they would be publishing their acceptance test criteria.

Pick a migration approach. Cummings described ITG's migration plan in detail. The schedule has slipped. His slides showed ITG's rollout completing by the end of 1998. This has been changed to coincide with the official release of Windows NT 5. They plan is to have all of their servers using NT 5 in production when NT 5 is officially released.

Namespace design. Cummings devoted a quite a bit of time to the new DNS-like domain structure that Microsoft has set up for NT 5. He believes this is one of the biggest changes for people who are used to WINS.

Tools. According to Cummings, the Microsoft Management Console (MMC) is "a way cool tool." On the other hand, he uses SMS because he is not given any other choice. ITG had to build their own tools for managing NT 5. The MMC gives them a consistent interface for the tools they developed. Microsoft sent the ITG staff to Perl courses, and now most of their internal tools are written in Perl. There was a lot of support for an audience request to have access to the ITG tools.

Policy manager. Cummings believes that the policy manager in NT 5 is a "big deal" for the support staff in terms of both administrative support for it and planning and definition of appropriate policies.

Planning your Infrastructure. Cummings talked about how to plan your server infrastructure. Bandwidth requirements will be the major issue. There was a suggestion from the audience that ITG should do its bandwidth testing on the India link (ITG's slowest link, 64KB).

Migration Order. Microsoft's migration order looks backward; they're doing the most critical components first. This is required to initiate the new services. Their fallback position is "God help us!"

Security. A member of the audience from MIT confirmed that Microsoft is working closely with MIT to make Microsoft's Kerberos interoperate with the standard implementation.

Bringing the "Real" Internet to Windows NT

Bo Ahlberg, MetaInfo, Inc.

Bo Ahlberg was the chief technology officer at MetaInfo. MetaInfo has ported the IETF reference version of BIND and sendmail to Windows NT. MetaInfo was recently acquired, and Ahlberg is not staying with the new organization. He noted that the engineer who actually did the port wasn't allowed to do the presentation, so we were stuck with him. His talk was subtitled "Making NT into a Real 'Forking' OS."

The first third of this talk was on the general problems MetaInfo encountered in porting UNIX applications to NT: a fork is not a thread, a file descriptor is not a handle, there are no common tools, and a daemon is not a service.

He then briefly described porting tactics:

Start from the beginning and design with the other architecture in mind.

Fix what you've got; this teaches you your design weaknesses.

Starting over is sometimes cheaper than using what you've got; you can design in portability.

In the final section of the talk Ahlberg described the port of BIND and sendmail -- or, more accurately, the mistakes, the successes, and the lessons learned.

BIND. They created a service wrapper for BIND to make it fit the NT architecture, and modified the error code to use the Event Log. This allowed the BIND daemon to run as a child process. The lessons learned were that NT-ifying UNIX code is wrong; maintaining compatibility with the "owner" of the code is a "good thing";you shouldn't mix MFC with services; and sometimes it's easier to fix the environment than it is to fix the program.

sendmail. Sendmail would not work without a fork architecture, which NT didn't have. After several tries, the project team created a fork environment for NT.

Ahlberg ran out of time before competing all of his slides. He rushed through the conclusion that it is possible to port UNIX applications to NT but the work needs to be planned and scoped very carefully; then you need to "UNIX-ify" NT, not the reverse.

PANEL

Windows NT Tips and Tricks

Robert O'Brien, Microsoft Corporation; Brian O'Neil, Mike Wei, and Andie O'Brien, Collective Technologies

Summary by Chris Barnash

The Windows NT graphical user interface often leads system administrators to believe that it is impossible to run headless, remotely managed, NT servers. But according to Robert O'Brien, it is possible to deploy NT servers in this fashion.

O'Brien's talk, entitled "Windows NT Lights Out Operation," focused on the setup and update of remotely managed NT servers. O'Brien outlined five major steps for deployment: (1) Choose a system console solution. Several hardware vendors, such as Compaq, DEC, HP, and Intel, offer Integrated Remote Console Boards. (2) Choose a telnet/secure shell solution. Microsoft is working on Services for UNIX, which will include this. Also, several third-party vendors offer telnet/secure shell services, including Seattle Lab and DataFellows. (3) Choose a remote Win32 solution, such as Carbon Copy (Compaq), PCAnywhere (Symantec), Remote Possible (CA Associates), and Virtual Network Computing (ORL). (4) Develop an OEM-unattended installation process. Two options exist for this step. Microsoft has developed a process for unattended installs, which can be found at <http://www.microsoft.com/ntworkstation/ntwnew/info/deployguide.htm>. The other option is to use a disk cloning technique, like Ghost. (5) Choose a network management/monitoring solution. This can be accomplished with Microsoft Systems Management Server, Tivoli, Computer Associates Unicenter TNG, or Hewlett Packard OpenView.

O'Brien's paper on the Windows NT Lights Out Operation, slides from the presentation, and tools to assist administrators with deployment can be found at <ftp://ftp.msftlabs.com/loop>. Additional information on Windows NT management can be found at <http://www.microsoft.com/management>.

Brian O'Neil discussed Windows NT Terminal Server, a redesign of Windows NT Server backend that supports thin clients. Windows NT Terminal Server can provide the use of Windows NT on clients that cannot run Windows NT. The idea is very similar to Xterms in the UNIX world. Thin clients (such as a 386) can run the Windows GUI without the need to actually run the full-blown Windows NT on the desktop. More information on Windows NT Terminal Server can be found at <http://www.microsoft.com/NTServer/Basics/TerminalServer/default.asp>.

Mike Wei discussed UNIX and Windows NT filesharing with respect to interoperability, performance, security, and name-space consistency. The most interesting part of the discussion was that of Microsoft's Distributed File System (DFS) for Windows NT. DFS is similar to NFS under UNIX. It allows an administrator to set up mount points instead of shares assigned to different drive letters. DFS will be included in Windows NT 5.0 and is available as a download for Windows NT 4.0. For more information on DFS, see <http://backoffice.microsoft.com/downtrial/moreinfo/dfs.asp>.

Andie O'Brien discussed several mechanisms for monitoring multiple NT servers. The Performance Monitor can be used to monitor several aspects of a computer, including processor, memory, and page file utilization. Another built-in NT tool is the Event Log. Keeping an eye on the logs can help pinpoint problems. O'Brien also gave pointers to several third-party monitoring programs from HP, NetiQ, and Heroix.

INVITED TALK

NT 5 Administration: Change and Configuration Management

Dan Plastina and Mike Cherry, Microsoft Corporation

Summary by John Holmwood

This presentation, the final session of the conference, was meant to be a demonstration and discussion of the behind-the-scenes technology that supported the new Change and Configurations Management in Windows NT 5. Predictably, most of the demonstrations did not work the first time.

Unfortunately, most attendees missed some or all of the talk, which was liberally interspersed with lively audience discussion after each demo. In fact, Remy Evard, co-chair of the conference, had to ask the audience to hold off on questions so that the formal part of the talk could be completed in two hours. When I left after three hours to catch my plane home, Plastina and Cherry were still fielding questions from the few people left in the audience.

NetPC boot. The first demonstration was the NetPC network boot. This failed the first time they tried it, but eventually, with Cherry working in the background while Plastina talked, they managed to get it working. The functionality requires a special NIC card that supports the PXWE protocol (NetPC & PC98) on the client and the new Active Directory, DNS, and DHCP services on the server. The functionality is automatic with NT 5 DHCP; other DHCPs should work with the new NIC cards.

The boot sequence starts by running fdisk on the client hard drive. Dual boot configurations are not compatible with this feature. Plastina solicited feedback from the audience on the need to support dual-boot systems; the response was mixed.

Application management capabilities. During this demonstration, Cherry was able to automatically install an application by selecting the application. However, his attempt to demonstrate that the application could be installed simply by invoking a document created by the application failed.

A request came from the audience for this capability to be included in NT 4.5. Mike and Dan pointed out that half the problem was in the client and half in the server. On the server side, the solution relies heavily on NT 5 technologies such as Active Directory, Kerberos, and caching. There is little chance of these functions appearing in an NT 4 service pack.

Policy management. The policy management user interface is likely to change before NT 5 ships. Policy will became part of the property of the container. Much of Policy Editor functionality is not scriptable. (Plastina regrets this decision). Policies are more consistent than in NT 4, but user permissibles aren't interfered with.

Synchronization manager. The synchronization manager manages the client-side cache. Plastina tried, unsuccessfully, to demonstrate the system synchronizing a file. He did demonstrate the synchronization options available on the system. The synchronization function requires Windows NT 5 server as the fileserver. It uses the SMB redirector so won't work with NFS or Novell. The speakers dodged the question of testing the functionality with Samba.

Roaming profiles. Plastina commented on the effort that has gone into Office 2000 to make it an "awesome" roaming application. The application now understands the difference between user data (e.g., my dictionary) and application data. During the questions after this demo, a lot of hostility regarding roaming profiles came up. This appeared to be a case of killing the messenger. Plastina handled the shots very well. Roaming profiles are useful for the segment of user environments where users can add their own applications. For more locked-down environments, policies in NT 5 can redirect where files are obtained from without using roaming profiles.

There was also a lot of hostility over Microsoft not following its own application guidelines with respect to DLLs. Plastina's response was that Microsoft application groups could no longer change O/S DLLs. This will eliminate some of the problem of applications interfering with each other.

Plastina would really like samples of real login scripts so that Microsoft can understand what workarounds for NT 4 people are using. This will help make the NT 5 functionality better. Send scripts with commentary to <danpl@microsoft.com>.


?Need help? Use our Contacts page.
Last changed: 15 Mar. 1999 jel
Conference index
Proceedings index
USENIX home