It is now one week since the computers were installed and staff have started to use the systems. So what have I learned?
Half-baked seems to be the theme. We’ve seen it with the upcoming Longhorn — big features that have been completely axed or castrated. When you have a huge plan and then cut out core components of the system and try to stitch together the remains, it doesn’t work quite right. These are my thoughts on Windows XP and Windows Server 2003. Time for some examples:
#1 — User settings configured in System settings.
Biggest offenders: certain start-up dialogs and default email/browser. The registry in Windows is divided into two parts: system configuration and user configuration. As a regular user, you do not have write access to system configuration (for good reason) but yet certain user configuration issues are located in the system configuration section of the registry!! For example, when the user logs in, if I modify some system preferences via the “msconfig” tool, it will prompt that they made system-wide changes and offer up a check box to not show this message. The problem is the user never made those changes (the administrator did) and even if they check the box, it is a system configuration setting and their selection is not saved. So until the admin logs back into the system to turn off that dialog, it will continue to appear for a user.
Even worse is the default email client and browser. It’s not that far of a stretch to believe users will want to use different applications. However, Microsoft has made the defaults a *system* configuration item and not a *user* configuration item. What I find horrible about this is yet again, users are prompted to define their defaults even though they do not work. I’m sure there are many more instances of this — absolutely sloppy — Apparently Microsoft knew of the problem for years, but has not addressed the issue.
#2 — Package Management
Where do I start with MSIs? The MSIs I created (following the instructions to a tee) simply did not work. I ended up manually installing programs on each computer as needed. This is absolutely horrible. On Unix systems I have a full package management system and at worst, I can compile an app, load it in its own subfolder and compress it into a tgz file and push it out. Simple and straightforward. Microsoft has this entire MSI thing which I can see why most programs do not use it — it’s a joke to get configured properly. So much for lower TCO for software distribution.
#3 — Backup Software died .. not telling you why.
The included Microsoft Backup software–which *should* have worked just fine–died with strange errors during backups (usually after backing up only a few hundred MBs of data). I chucked that really quick and loaded up Veritas Backup which from my understanding, is one of the better backup software products. Augh! The first attempt at using this did back up the software, but claimed it was unsuccessful due to some component not being installed. After unsuccessfully determining HOW to install this, I ended up attempting to uninstall and reinstall. The *uninstall* failed. haha.. I ended up having to disable the backup service from starting on boot and then *REBOOT* the server just to uninstall the software. Of course, after uninstall, I had to reboot again, then install ..
At this time, I moved the server into the rack and was accessing it remotely for configuration (via remote desktop). I was unable to install remotely. I had to pop the CD into the server and then install. Ok .. huge deal to me (let’s say this server was remote?) but it gets better.. I wanted to configure the software remotely (well about 30 ft away on a desktop computer). I went to do the device configuration and it did *NOT* show the tape drive .. I was thinking “WTF?!?” and thought it might be a device driver issue (even though Windows device manager was showing the tape drive just fine..) — so I reinstalled the driver and umm.. rebooted and still nothing. I couldn’t figure it out. I spent a few hours just trying to figure out why it was now not showing my tape drive. I ended up going home and revisiting the issue the next day. Instead of booting up the desktop, I just logged in at the server and went to the device config — and guess what? my drive showed up!
WHAT?!!? I don’t understand. Remote Desktop from my understanding is like VNC or SSH — simply a local login but pushing the screen contents to a remote client. Needless to say — something else was going on because going back to the desktop, the drive did not show up in the program. I’m at a loss as to how admins handle this inconsistency with a server system (which should provide full remote administration capability).
Anyways .. so I configured the backup once again to *hopefully* just magically make that original error disappear .. set it to notify me via email when the backup completed and left. I was expecting an email this morning regarding the backup but did not receive anything. Great. So I have to go back to see what the deal is since apparently I can’t manage the backup software remotely.
#4 — You are the admin, but not all-mighty.
On Unix, as the admin (root) I get access to everything. I can remove anything, I can add anything, I can totally wipe my system if I so desire with a simple command. Admin is so powerful that most documentation for Unix administration advises STRONGLY against logging on directly as the root user and only access its power as needed.
Windows is different. I have found myself constantly logging in as the administrator where on UNIX running only one or perhaps two commands with elevated permissions would be adequate. Instead, on Windows, I get to run the entire GUI, browser and other untrusted components with full administrative rights.
Even as administrator, I do not have full access. Far from it. I had a few tasks that I wanted to complete but was unable to, even as the admin —
- User profiles by default are configured NOT to allow admin access. What I find odd is the ability of my backup software to back up these items even though it is logged in with the same privileges. Strangest thing. I can claim ownership over the user profile and give myself read/write access but apparently this screws up something (but I have yet to discover what this is, exactly).
- I wanted to create a script that wiped the desktops “All Users” folder. This folder contains desktop items, start menu items, favorites, etc that are stuck on each system (end users cannot remove these items). By doing so, I wanted to keep the start menu and desktop as clean as possible. However, once again, even as Admin, I was denied the ability to completely wipe this folder and restore it with a new folder (off the network). Apparently it is considered a “system folder” that cannot be removed. So now I need to create a much more complex script to delete un-protected items and then copy my items. PITA? you betcha. A simple 5 minute task on my Unix system will probably take a few hours to test and troubleshoot to make sure it rolls out properly to my Windows clients.
final thoughts..
I just don’t get it. The mantra is pretty straightforward — Windows is easy to use! Active Directory simplifies administrative tasks! Needless to say, I have yet to see this. There are so many gotchas or complex solutions to tasks that on a Unix network equate to a single command or perhaps a small shell script. With rsnapshot, tar and ssh, I can build a much more flexible and powerful backup solution than even these super-advanced backup software packages that are available on Windows. Granted, it’s not all graphical but honestly, that gets in your way. When something fails, you want to be able to quickly access your configuration and logs and determine why something failed — not be presented with a sad face icon or exclamation point that says “operation failed” with no indication why it failed. On top of this, as administrator, I expect to have full access to everything, not be hand held and told that I cannot do certain things or read a Microsoft KB article that claims they know a problem existed for years but just don’t feel like fixing it.
It’s been a while since I installed Windows Server 2003 evaluation on my personal computer to start learning.
Since that time, the hardware arrived (26 desktop computers (Dell Dimension 4700 units) and 1 server (Dell PowerEdge 1800)), the full versions of the software arrived and I ordered and received “The Best Damn Windows Server 2003 Book, Period”. So I guess that entitles this LAN to be considered a true “Wintell” configuration (Windows, Intel and Dell).
This past week I have been focused on the actual configuration that will be going into production, hopefully tomorrow evening (give me a whole weekend to sort it out if something is terribly wrong .. or perhaps even revert back to the old system.. contingency planning at its finest.. hehe..)
What a learning experience. As with pretty much every Windows operating system, Windows 2003 so far has been big on promises but actual implementation of many of its core features leaves a lot to be desired.
software installation….
For example, it is recommended to deploy software via MSI files — basically a more advanced, standardized format for Windows software installation. The theory is as administrator, you can put it on the server and set policy and whoever falls under that policy will get (or not get) the software.
Sounds great in theory — real similar to how I manage my FreeBSD systems (but with Ports/Packages). However, the reality is far more grim. First, a significant amount of software still does not come in MSI packaging (this is after 5 years of promoting this format nevertheless). So if you want to deploy all of your software via MSI, you need to create MSI files. Funny thing — Windows Server 2003 does not come with the ability to create these files. GREAT.
So after some digging, I found some free software that will aid in the creation of an MSI — basically it will take a snapshot of a computer, you install the software and then it will take another snapshot and put all the changed files (and registry edits) into an MSI. While this is not _too_ bad, it does require a very clean system (system that is not running any other apps at the time), and time to set up the snapshot, install the app, configure the app, take a new snapshot and then modify the resulting MSI (pulling out anything that got in there by accident) and then test it to make sure it actually works. Blech.
If that wasn’t bad enough, apps that do come with MSIs may or may not work. I have yet to determine how to push the provided MSI file that came with my Antivirus package (Symantec) — I’ll probably end up doing the above method and cross my fingers that it works (kinda scary as it seems to touch a LOT of files and services). Of course, I *could* use some other method to install the program (like umm.. manually configure it at each computer) but where is the fun in that?
Even Microsoft’s own Office suite had some issues. Even though I ordered the software well after the SP1 was released, they shipped me three CDs — one of Office 2003, one of the Service Pack and one of something else (honestly, don’t know what it is quite yet). So the Office 2003 CD had an MSI and it was easy enough to load up and push out to my clients… except for the fact when an end user opened up the application it would prompt for a really-freaking-long product key. Needless to say, I don’t think having each user enter the same volume license key is a good idea.
So come to find out, I needed to essentially REBUILD the MSI to include the volume license key. Hmm.. ok.. no problem. In fact, it was actually quite easy (run the setup.exe file and pass a /a to build the resultant MSI). After I got that, Office would install fine.. GREAT.. so now how about the service pack?
I would figure that the service pack would be an MSI that I could put up on the server and it would install it after Office is installed .. NOPE. No MSI to be found. After hunting the internet for a while, I found a site that described a lengthy process on how to “slipstream” the service pack into the Office 2003 install and that way, when Office 2003 installs, it will be the SP1 version with the product key. Great.
What I don’t understand is ANYONE installing Office 2003 will want to put on the service pack and ANYONE with a volume license will need to go through the same steps I did to achieve this. I am still dumbfounded as to why when placing the original MSI on my server it doesn’t have some available administrator configuration options like umm.. I dunno, the product key, available service packs and what options I want installed to the client. I still haven’t figured out quite how to specify certain options (like not installing Outlook).
So that was umm.. fun. Surprisingly, most of my software ended up working after a while (still need to work on the Antivirus and a few poorly written apps that want to write files to the program files folder instead of the user’s home folder).
backing up the server …
Windows 2003 includes backup software. GREAT. Since I am configuring clients to work off the server exclusively (roaming profiles) I figured a simple backup app that would back up the server hard drives to a tape would be all I need. Unfortunately after backing up a random amount of data (sometimes a few hundred MB .. sometimes a GB or so..) it just aborts with an error .. the error tells me to check a log.. the log says there was an error. Very informative.
So luckily I didn’t know the system came with backup software, so I ended up purchasing the quick start edition of Veritas Backup Exec. Funny thing — same exact files, same exact tape, same exact tape drive and it umm.. works. At least something works. hehe..
However, I am slightly concerned, apparently Microsoft still believes in Floppy Disks because it wants a floppy disk to store certain fundamental configuration options (ie partition layout, etc..) — why they still ONLY allow floppies to be used for this purpose, I don’t know. I didn’t order a floppy drive nor do I have a floppy disk. So I think I need to harvest one from one of the old systems so in the event my server dies a horrible death, I should be able to restore it (hehe..).
fun with services…
It was brought to my attention that a Windows network REQUIRES a web server to be installed to distribute software. Why this is, I have absolutely NO idea. Of course, not any ol’ web server will do, but only Microsoft’s Internet Information Server. Talk about beautiful tie-in with a horrible app. Just for the record, I never ever needed to install a web browser to distribute software on a Unix machine.
default configs …
I found it rather interesting. Even though I ordered a server and Windows XP Pro (the version you *NEED* to order to set up a domain), my desktops came configured to not join a domain during the initial setup. In fact, I had to create not only an administrator account but a second administrator-level account on the local computer BEFORE I was able to log into the system and reconfigure it to join my domain. I honestly don’t know why a computer ordered from Dell’s Small Business division would be configured in such a way. In addition to this, they preloaded tax software (H&R Block) even though these systems were ordered after tax day as well as QuickBooks even though I didn’t request it. So a drop-in install that would have taken perhaps 15 minutes per station instantly doubled (easily) if not tripled due to these bone head defaults.
fun with transferring user files..
Microsoft has a utility (The Files and Settings Transfer) that came with Windows XP. In theory, you run this on your old computer and it bundles up all your settings and loads them on your new computer. Besides the fact it is selective on WHAT it backs up (funny, it doesn’t back up my Mozilla Firefox or Thunderbird settings among other things..), even though everyone is working off the server (roaming profiles), I have to back up from the old system to the server, then turn around, install the new computer, log in as the user, download the data from the server to the new computer and then on log out, the data is moved from that computer BACK to the server in a slightly different location.
Apparently if I wanted to simply move the files from one folder on the server to another folder on the server, it would wreak havoc. Efficiency at its finest (just for the record, on Unix, you can type in a one-liner that would transfer all the accounts on a given system to another system, preserve EVERYTHING and after you start it, you can walk away and it will manage just fine.. from what I can tell, the Microsoft version needs to be run for each user and requires babysitting as well as a second step to restore)
Other silly stuff..
The customer is upgrading from Windows 98. Given the tech-phobic nature of many of the employees, I thought installing a new system would be traumatic enough so I wanted to default everyone to the “classic” look with the classic start menu. Users that already have XP on their home systems could then adjust the settings if they like the fisher-price look. But apparently, Microsoft doesn’t think that should be an option. In their overly complex group policy system, I can either have the fisher price setting as default (and allow the user to change) or make the classic look mandatory. Thanks for giving me a whole range of options. Of course, I could probably do some registry hack to make the default classic but I dunno, spending thousands of dollars on software and have artificial limitations like this just seems wrong. For the record, the KDE interface (and I am assuming other graphical interfaces on Unix) does allow for making virtually anything a default, anything mandatory and anything customizable that I want. Simple straightforward text document outlines what happens for who and it’s a piece of cake to override when necessary which brings me to the next point..
administrator on Windows is not a super user.
It’s true. As the administrator I do not have full access to my system. What do I mean? Well of course, I don’t have access to the source code like I do on my FreeBSD box but that’s not what I am talking about — certain critical folders (like ummm.. user folders) are configured to NOT allow administrator access, period, end of story. I really have a hard time understanding this. First, as the administrator, I can change the user’s password and access their account and therefore, their profile. So if I am intent on accessing someone’s files, then I have ample access to do so. Second, how do I back up these files? If I cannot access them, I’d have to believe that my backup software can’t access them either — so I am really confused. That’s the most important data on the server so it seems like access would be critical.
Need to figure this out because at this point in time, I don’t know what is getting backed up and it’s bugging me a LOT (new operating system, new desktops .. unsure of the backup .. not a good situation).
Anyways … lots of work to do until deployment starts happening in about 24 hours from now. It’s going to be FUN, I can just tell.