Xem mẫu

  1. Expert Reference Series of White Papers Changes in Windows Server 2008 and Group Policy Architecture 1-800-COURSES www.globalknowledge.com
  2. Changes in Windows Server 2008 and Group Policy Architecture Glenn Weadock, MCSE, MCSA, A+, Instructor and Course Developer Introduction Now that now that new Windows technology (in the dual garb of Windows Vista and the Windows 2008 Server) has arrived on the scene, many network planners are taking a closer look at some of the architectural changes that Microsoft has made to the Group Policy structure. The underlying concept of Group Policy hasn't changed – it's still fundamentally a Great Big Network Registry Editor. Make a setting, and Group Policy enforces it for you from that point forward. (Of course, Group Policy goes beyond Registry settings to include a variety of security and software installation capabilities, too.) Having said that, the implementation of Group Policy has evolved in several useful and interesting ways: • New status as an operating system Service • Network Location Awareness • Improved log file viewing • New source file format (ADMX) • New migration/editing utility • Central-store management • Dynamic source file loading • Multi-language support • Multiple local Group Policy Objects (GPOs) This paper takes a look at these nine structural changes. (If you'd like to read about some of the new Group Policy settings that Windows Vista and Windows 2008 Server are bringing to the table, check out my white paper titled Windows 2008 Server and New Group Policy Settings.) New Status as a Service Under previous versions of Windows, Group Policy ran in the context of the Winlogon process. In Vista and Windows Server 2008, Group Policy is its own operating system service, running under SVCHOST. OK, but that sounds a bit academic. Just what are the implications of Group Policy's newfound status? For one thing, Group Policy security is enhanced. The service requires administrative rights to stop (even if you're logged in as a local admin, you'll see an elevation prompt). For another, like all services, you can configure how you would like Group Policy to behave in a failure sce- nario. For example, you can specify that the service should automatically restart. Copyright ©2007 Global Knowledge Training LLC. All rights reserved. Page 2
  3. Figure 1. Group Policy now appears in the Services list. Finally, shutdowns should be smoother. Windows' Service Control Manager (SCM) provides certain services (including Group Policy) with a "pre-shutdown notification" so they can finish up whatever housekeeping chores they need to do before Windows shuts down. As long as such services remain responsive, the SCM will wait until they finish – even if it takes well over the old 20-second time limit. Network Location Awareness In Windows XP/2003/2000, the Group Policy agent on the client didn't pay a whole lot of attention to whether the computer on which it was running was connected to the network or not. If a policy refresh cycle failed, for example, because the laptop was disconnected or no domain controller was available, Windows would simply wait another cycle (90 minutes plus a random value from 0 to 30 minutes) and try again. Furthermore, when it did try to pay attention to network conditions, it sometimes did so clumsily. For example, Group Policy would attempt to detect slow links using ping (ICMP), which many organizations block at the firewall or router level. Windows Server 2008/Vista is now more network-aware when it comes to policy processing. If a policy refresh cycle fails when a computer is offline, and the computer (or domain controller) goes online, Vista doesn't wait around; instead, it attempts to perform a policy refresh as soon as it can. It also uses a different mechanism than ping to determine the speed of the network connection. These enhancements fall under (of course) a new acronym: NLA, for Network Location Awareness. Copyright ©2007 Global Knowledge Training LLC. All rights reserved. Page 3
  4. Figure 2. Slow link detection no longer depends on PING. Improved Log File Viewing Before Vista and Windows Server 2008, if you wanted to perform detailed logging of Group Policy events beyond what you could get in the RSOP console (Resultant Set of Policy), you had to turn on the debug feature in the USERENV.DLL module, which would generate a file USERENV.LOG in the \windows\debug\usermode folder. With the new Windows Server 2008 operating systems, the System event log contains "actionable" Group Policy events, which is certainly more convenient. (This is one more side effect of the shift to Group Policy being implemented as a service.) These events are now more English-like and more informative. The source is "Group Policy Service" and Microsoft promises to keep making the logs better, for example, with links to online knowledge base articles. The Operational event logs (you have to dig down further in the Event Viewer to see these) contain a lot of the detail that the old USERENV.LOG file would provide. These log entries provide details that you could use to examine policy processing performance from the speed standpoint, for example. (If you still want to view the USERENV trace log, you can, but the Registry key is now HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics, the DWORD value is GpSvcDebugLevel, and you can set it to 10002. Oh, and the filename is now named GPSVCLOG.LOG instead of USERENV.LOG.) Copyright ©2007 Global Knowledge Training LLC. All rights reserved. Page 4
  5. Figure 3. Group Policy events now appear with other system events. A downloadable tool from Microsoft (search on GPLogView.MSI) is handy for collecting Group Policy related events from the event logs and exporting those events into TXT, HTML, or XML formats. (This tool requires that your system participate in the Genuine Windows program before you can download it.) Finally, if you want to view Group Policy events from multiple computers in one place (e.g., on your own Vista workstation), you can do it, as long as you and those other systems are running Vista or Windows server 2008 Server. I don't have room to go through all the details here, but in a nutshell, you activate the Windows Remote Management service on all the relevant machines, and then you set up a "subscription" in the Event Viewer console (EVENTVWR.MSC). Note that when you do this, you must provide administrative credentials with which to authenticate to the remote systems. New Source File Format (ADMX/ADML) Those readers who remember Windows NT may recall that .ADM files were present way back then, as part of the old System Policy (POLEDIT) architecture which represented the klutzy beginnings of today's Group Policy design. Even though Group Policy in Windows XP/2003/2000 is much more sophisticated than it was in the NT days, the .ADM file format persisted, providing text-based files that acted as the "source code" feeding the Group Policy console. In other words, the ADM files laid out which Registry keys and values to modify, and they provided the user-interface information ("explain" text, data entry format, minimum supported OS revision, etc.) that the console needs in order to present appropriate options to GP administrators. Copyright ©2007 Global Knowledge Training LLC. All rights reserved. Page 5
  6. Figure 4. ADMX files bring several advantages over ADM files. The good news was that ADM files provided extensibility to the Group Policy architecture. Want to use GPOs to control Microsoft Office? The ADM files were all you needed. The bad news was that ADM files had to be imported into each GPO, causing GPOs to be much bigger than we'd like them to be (remember that they have to replicate between domain controllers), and wreaking a fair amount of havoc when Microsoft provided updated ADM files (e.g., with Windows XP SP2). Plus, of course, the unique ADM syntax was just one more weird text file format that network admins had to deal with. Finally, if you needed multilanguage capability, ADMs did not provide it. The Windows Server 2008 platform retains backwards-compatibility with ADM files but provides a new file for- mat, ADMX, with a number of important advantages, which the following sections look at more closely. But before we get to those, we should mention two things. First, the new format is (as so many things on the Windows server 2008 platform) based on XML. If you haven't boned up on XML yet, now would be a good time to do so, because it crops up all over the place in Windows server 2008 and Vista. And second, ADMX files now have multilingual capability. The ADMX files contain language-neutral information; their associated ADML files contain language-specific information. Copyright ©2007 Global Knowledge Training LLC. All rights reserved. Page 6
  7. New Migration/Editing Utility Figure 5. The ADMX migration tool will help during the transition to Windows server 2008. Before we get into some of the good things that the new ADMX files do for us, I should point out that Windows server 2008 and Vista can continue to use the old ADM files. For example, if your organization has created some ADM templates with custom Registry settings, you can still import them into your GPOs as always, using the Administrative Templates node in the Group Policy Object Editor (GPOE). However, you may want to consider converting your ADM templates into the newer format, to take advantage of central store management, dynamic loading/unloading, and multilanguage support. Originally, Microsoft had said that they didn't intend to provide an ADM-to-ADMX migration tool, but enough people howled and hollered that they changed their mind, and ADMXMigrator.MSI is the result. The tool is only available to those whose Windows installations are validated as part of the "genuine Microsoft Windows" program. It can handle converting multiple ADM files at one time. Just be aware that you will lose any comments in your ADM files when you convert them. A nice side benefit to this download is the inclusion of an ADMX file editor that makes the process of tweak- ing ADMX files significantly easier. Central Store Management The old ADM files could be anywhere on the network, and if you didn't have the latest set on your system, then you might not be seeing all available Group Policy settings. Even with Vista, you get a set of ADMX files on the local hard drive. Copyright ©2007 Global Knowledge Training LLC. All rights reserved. Page 7
  8. Figure 6. The local ADMX store on a Vista system. However, for domain-based GPOs, Windows server 2008 and Vista use a network-based central store to keep all ADMX files: it's on domain controllers, in sysvol\policies\policydefinitions. Once you set up the central store (TechNet has the details), the GPOE and Group Policy Management Console (GPMC) consoles will use it from that point forward in lieu of the local store. Having a central store for ADMX templates is great, because it means that administrators only need to update the templates one time, and Active Directory replication will take care of propagating the updates to all the domain controllers in the network. No more asking yourself if your ADMs are the latest and greatest. Dynamic Source File Loading Although the option remains to manually install ADM files by right-clicking the Administrative Templates node in the GPOE, you won't be using that feature nearly as much after migrating to Windows server 2008/Vista. The reason is that these operating systems automatically load ADMX files from the central store when you open the GPOE. This solves a major headache for network administrators. To prove this, you can conduct an experiment with a Vista or Windows server 2008 Server machine. Take own- ership of one of the ADMX files in the central store, and relocate it to a different folder. Then run the GPOE and look for the settings contained in that ADMX file. They will have disappeared. Finally, reinstate the ADMX file into its rightful location, and run the GPOE again. You will see the settings magically reappear. Copyright ©2007 Global Knowledge Training LLC. All rights reserved. Page 8
  9. Figure 7. You can still import ADM files manually. Multi-Language Support When you open the PolicyDefinitions folder in the central store, you will see a folder (typically named en-US for U.S. English systems) containing the relevant language-specific ADML files. In these files, you will find all the data that the Group Policy Object Editor needs in order to present the user interface to the administrator in the language of his or her choice. For example, all the "explain" text (online help for specific policy settings) is contained in these ADML files. Figure 8. An example of an ADML file, with US English data for APPCOMPAT.ADMX. Copyright ©2007 Global Knowledge Training LLC. All rights reserved. Page 9
  10. Multiple Local GPOs Figure 9. Click the Browse button here to configure the new local GPOs. Windows XP and 2000 offer only one local Group Policy Object. The thinking here may have been that "hey, everybody's on a domain anyway, one local GPO should be enough." However, not everybody's on a domain – and even in a predominantly Active Directory world, one has an occasional need for a non-connected PC. Vista and Windows server 2008 provides new flexibility for that situation. Not only can you create GPOs on a per-user basis, which is nice but not exactly practical if you have a lot of local user accounts to manage, you can create a GPO for local administrators, and another GPO for everybody else (local non-administrators). (Going in the reverse direction, a new policy setting lets you turn off all local GPO processing.) By the way, the sequence of processing for these new GPOs is as follows: 1) machine GPO, 2) non-admins GPO, 3) admins GPO, and 4) individual-user GPO. Remember, as always in Group Policy, the default behavior is Last Write Wins. Conclusion In Microsoft's Windows server 2008 technologies, both client and server, Group Policy is the same, but differ- ent. It still delivers the biggest "bang-for-your-buck" of just about any other Active Directory feature. It still lets you configure settings for your domains, organizational units, sites, and (if you like) individual computers. And it still has that convenient "set it once and let it run" character. But Microsoft has made a number of welcome evolutionary enhancements to the way that Active Directory implements Group Policy. These enhancements make the technology more stable; more secure; faster in operation; and easier to manage, maintain, and trou- bleshoot. Is Group Policy now perfect? I'll withhold even thinking of using language like that until we see "undo" and "search" commands in the Group Policy Object Editor! But in the meantime, Group Policy has definitely grown out of most of its teenage awkwardness and is starting to look like mature software. Copyright ©2007 Global Knowledge Training LLC. All rights reserved. Page 10
  11. Learn More Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out our complete Microsoft curriculum at www.globalknowledge.com/microsoft. For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative. Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and management training needs. About the Author Glenn Weadock is a longtime instructor for Global Knowledge and co-course-director with Mark Wilkins of the seminars "Implementing and Maintaining Microsoft Windows Vista," "Migrating to Windows Vista," and "Deploying Group Policy." He also consults through his Colorado-based company Independent Software, Inc. and is the author of 18 computer books. Copyright ©2007 Global Knowledge Training LLC. All rights reserved. Page 11
nguon tai.lieu . vn