The state of Change and Configuration Management

Once known as Zero Administration for Windows (ZAW), Change and Configuration Management (CCM) is the set of tools and features that makes life easier for network and desktop administrators. CCM simplifies a set of basic tasks: getting an OS onto a new computer, deploying applications from a central location, protecting user data by encouraging users to store their personal data on a central server, and simplifying laptop-to-desktop or laptop-to-network synchronization for mobile users.

I explained the details of Microsoft's plans for CCM in a previous issue (see "NT 5.0 TCO/ZAW Update," December 1998). In the present article, I provide updated information about specific features: Remote Installation Service (RIS), folder redirection, and RUNAS.

Rolling Out New Desktops
CCM helps install an OS, the required applications, and an array of settings onto a new computer (or a freshly reformatted computer) with RIS technology. The first half of RIS is a program called RIPrep that copies a PC's entire disk contents into one big file called a disk image. The disk image is then stored on a RIS server. (You can make any Windows 2000—Win2K—server a RIS server by simply checking a box in Control Panel.)

The second half of RIS is a program that downloads the disk image to a new PC. RIS includes a disk image that doesn't need DOS and includes support for a variety of NICs. The disk image also has DHCP and Trivial File Transfer Protocol (TFTP) support to start the process. Just boot the new PC from the RIS disk and log on. The new PC uses Active Directory (AD) to find a local RIS server and transfers the disk image over the network. After the image transfers, the new copy of Win2K runs its Plug and Play (PnP) hardware detection process and selects the drivers it needs to customize itself to the target PC. After 15 to 30 minutes of copying, Win2K reboots and you have a configured PC. The target PC can have a different mass storage controller from the original PC. This feature is an improvement over the CCM capabilities Microsoft described in earlier briefings.

A Few Questions
The previous discussion points out several important benefits associated with CCM. However, that same discussion raises a few questions.

First, in regard to the boot disk, what will happen when new NICs appear on the scene? I suspect the disk won't support them. The CCM team says many modern PCs won't need any disk at all because the PCs have a BIOS that supports the Preboot Execution Environment (PXE) protocol. Virtually any PXE-ready system with a wake-on-LAN NIC can connect to a RIS server, without a disk. The CCM experts say that as other NICs appear, Microsoft will update the disk image on a regular basis (presumably over the Web).

Second, where would the newly copied Win2K image on the target PC find the drivers to support all its hardware? Win2K always keeps on disk a compressed file that contains all of Win2K's drivers. You don't need to keep the Windows NT installation CD-ROM handy or copy all the \i386 directory to your local hard disk. However, the cost for this convenience is more than 40MB added to Win2K Professional's (Win2K Pro's) on-disk footprint. If Win2K doesn't find the driver it needs in that file, the installation will look in the $OEM$ directory and a RIS administrator-specified location.

Third, can RIS deliver only Win2K desktop images? Yes, assert the CCM team members, but they're talking to third-party vendors to let other images (such as GHOST images) function under RIS as well.

Folder Redirection
One way the CCM team hopes to simplify user document extraction is by isolating user documents in a My Documents folder. This folder's default location is in the user's profile. CCM-compliant applications save user-generated documents in users' My Documents folders. Of course, users can override that action if necessary.

The problem is that usually the My Documents folder exists on a local hard disk. The folder centralizes users' documents, but it doesn't help with the fact that users often fail to back up their hard disks conscientiously. The answer is folder redirection. Like many other Win2K functions, folder redirection uses AD. AD contains items called Group Policy Objects (GPOs), which are basically just improved system policies. One possible GPO would force users to keep their My Documents folders on a server rather than on their local hard disks.

Of course, users might complain that they can't get to their personal documents during a network failure, and forcing everyone to put their documents on the network might slow down the network. However, one of CCM's technologies is client-side caching, which is a feature of the IntelliMirror tool. IntelliMirror uses a hidden directory on a local workstation to keep local copies of often-accessed network files. The tool doubles as a fault-tolerance mechanism, allowing users to access network files even when the network is down. Users want My Documents to be stored locally, and administrators want My Documents to be stored on the network; IntelliMirror does both. (For more information about IntelliMirror, see "Zero Administration for Windows," December 1997.)

RUNAS: SU Built In
All the folder redirection capabilities lead to a question: Will the process of logging on from a user's workstation lead to Win2K creating local copies of My Documents, my desktop, and other things that I might not need? That result would not only slow my logon process, it might be downright dangerous—Win2K doesn't clean up any old profiles or IntelliMirror-copied files when a new user logs off. An administrator could log off a user's machine and leave behind megabytes of files just waiting to be perused by the curious user—not an optimal security situation.

Microsoft suggests that you not use the folder redirection capabilities of Win2K and not allow the administrators' profiles to roam. That answer provides a valid, but not optimal, solution—certainly administrators can benefit from the my-settings-and-documents-follow-me aspects of Win2K. As an alternative, CCM Group Program Manager Dan Plastina suggested that you could just use RUNAS.

The RUNAS (i.e., run as) tool lets you start up any Win2K command under a different account. RUNAS is similar to the SU tool in the Microsoft Windows NT Server 4.0 Resource Kit. Suppose that a user you're helping is logged on under a simple user account, but you need to run an administrative task. Usually, you couldn't do so while the user is logged on to a user account. However, you can open a command line and type

runas /user:username command

Win2K will run that command under username's privilege level rather than the logged-in user's privilege level. RUNAS is a terrific tool, and I'm glad to see it emerge from the resource kit into the fully supported arena.

Application Deployment: Evolving Beyond Darwin
Another of CCM's great benefits is its application-deployment tool, which gives administrators the ability to deploy applications to users' desktops from a central location. I discussed this tool in a previous article (see "NT 5.0 TCO/ZAW Update," December 1998).

Although this tool is a great labor saver, it works for only the still-rare applications that ship with .msi files. The .msi file is essentially the Win2K replacement for setup.exe. What about older applications that come with setup.exe or the like? In the past, the answer was "too bad," but now Group Policy Editor can direct a workstation to install an application using an old-style setup program. Instead of pointing Group Policy Editor to an .msi file, you can direct it to a .zap file. A .zap file is just an ASCII text file such as the following:

FriendlyName = "WinZip Version 7.0"
SetupCommand = setup.exe
DisplayVersion = 7.0

You won't find a Win2K tool to create .zap files, but they're simple enough to build with—in the words of one Microsoft staffer—"Visual Notepad."
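
Because a .zap file names the setup command that Group Policy will have workstations run, it is worth checking each file before publishing it. The following Python parser is an added example, not code from the article or from Microsoft; the names parse_zap and SAMPLE_ZAP, the set of required keys, and the tolerance for comments and section headers are assumptions.

```python
# Added example: inventory what a .zap file would make a workstation run.
REQUIRED = ("FriendlyName", "SetupCommand")  # assumption: both must be present
KNOWN = REQUIRED + ("DisplayVersion",)       # only the keys the article shows

# The article's sample file, reproduced as test input.
SAMPLE_ZAP = '''FriendlyName = "WinZip Version 7.0"
SetupCommand = setup.exe
DisplayVersion = 7.0
'''


def parse_zap(text):
    """Return (entries, problems) for the key = value lines of a .zap file."""
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Assumption: blank lines, ';' comments and [section] headers are
        # tolerated, as in other INI-style text files.
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            problems.append(f"line {lineno}: not a key = value pair")
            continue
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop surrounding quotes
        if key in entries:
            problems.append(f"line {lineno}: duplicate key {key}")
        elif key not in KNOWN:
            problems.append(f"line {lineno}: unrecognized key {key}")
        entries[key] = value
    for key in REQUIRED:
        if not entries.get(key):
            problems.append(f"missing or empty {key}")
    return entries, problems


if __name__ == "__main__":
    entries, problems = parse_zap(SAMPLE_ZAP)
    print(entries["FriendlyName"], "->", entries["SetupCommand"])
    for p in problems:
        print("PROBLEM:", p)
```

Extend KNOWN with any further keys your Win2K build documents; a duplicate or unrecognized key is reported rather than silently accepted, so a second SetupCommand line cannot slip through review.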

In the final months and weeks before Win2K's release, we probably won't see any startling revelations about new features. But even the new details that come out are appealing, particularly in the CCM area. If CCM lives up to expectations, it—not AD—might be Win2K's killer app.