I’ve been using Windows as a network administrator for just over 6 years now. I’ve used NT4 servers, 2000 servers, and Windows 2003, and there has been a tremendous improvement with each version. There are still some things that drive me nuts in my job, though, and this is a chronicle of the top five.
First off, let me get this out of the way – none of these are going to be about security. An OS is usually a better reflection of the administrator than of the manufacturer. This recent article at InfoWorld suggests that it’s poor administration that causes many system compromises, and I firmly believe that a good administrator can keep Windows just as secure as Linux or UNIX with the proper skill and care. System patches and updates should be applied, application updates should be diligently monitored, and the proper filtering and gateways should be activated. So, given that security is, at least in this article, more a product of the admin than the environment, I have not included any reflection of security or the politics of the company.
One: Folder Options
“Folder Options” is the name of the dialog box that controls Explorer options (Explorer is the default file manager for Windows). On a workstation, it is deliberately configured to do a few simple things: hide file extensions, hidden files, and core OS/system files, and set the behavior of the title and address bars. On a server, however, it’s very important for an admin logged in at the console to have as much access as possible. A server is not a desktop system, or rather, should not be, and as a result, the default options should be configured for server use.
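As an added example (not from the original post), the following PowerShell script checks the three Folder Options values behind the workstation defaults described above and switches them to server-console values for the current profile. It assumes the standard Explorer `Advanced` registry key and the `HideFileExt`, `Hidden` and `ShowSuperHidden` values; because these live under HKCU, they apply per profile, not machine-wide, and showing extensions is what lets an admin tell `report.pdf.exe` apart from a real document.

```powershell
# Added example, not code from the original post.
# Per-user Explorer view settings live under HKCU, so this applies to
# the profile that runs it (e.g. the admin logged in at the console).
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Server-console values; the workstation defaults are 1 / 2 / 0.
$serverView = @{
    HideFileExt     = 0   # 0 = show extensions, so report.pdf.exe shows as .exe
    Hidden          = 1   # 1 = show hidden files, 2 = hide them
    ShowSuperHidden = 1   # 1 = show protected operating system files
}

function Test-ServerFolderOptions {
    # Returns the names of settings that still carry a workstation-style value.
    $current = Get-ItemProperty -Path $adv
    $serverView.Keys | Where-Object { $current.$_ -ne $serverView[$_] }
}

$wrong = @(Test-ServerFolderOptions)
if ($wrong.Count -eq 0) {
    Write-Host 'Folder Options are already set for server use.'
} else {
    foreach ($name in $wrong) {
        Set-ItemProperty -Path $adv -Name $name -Value $serverView[$name] -Type DWord
        Write-Host "Set $name = $($serverView[$name])"
    }
    # Explorer reads these values at start, so restart it to apply the change.
    Stop-Process -Name explorer -Force
    Start-Process explorer.exe
}
```

Run it once per admin profile on each server; re-running it is harmless because it only writes values that differ.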
Two: Internet Connection Wizard
The concept of the “Wizard,” which walks you through a configuration in simple, easy to understand steps, has gone through some revisions. Most of the time, wizards tend to aggravate power users these days. There was a time not too long ago when wizards were very helpful and many appreciated them. Having built countless Windows workstations, I can tell you that the Internet Connection Wizard (ICW) is by far the most annoying of all wizards. As a network administrator, you should understand the concepts of gateways and proxy servers. These days, a server should expect to connect through a LAN and not need proxy authentication. The few people who need those options should know where to configure them.
As if to add insult to the matter, the ICW asks you with EVERY setup, which, incidentally, is once PER PROFILE, per machine, to set up an “internet e-mail account,” which is Hotmail/MSN-based, of course. No one using a server and configuring IE for the first time should be thinking, “I wonder how to set up an e-mail account — ooh! Here’s a way!” Again, if they are, then they probably aren’t qualified to configure a server. The fact that Microsoft invites this behavior by making Windows servers accessible to people like this does not bode well for the quality of network admins.
Three: Windows Media Player
I can swallow that IE is tied to the core code of the file manager and thus cannot be stripped out of the OS easily without sacrificing some functionality. I think the desired behavior, which I witness with Konqueror too, is that if I type a URI into my file manager, it passes it off to a browser of some kind (it should be noted, though, that Konq is not a prerequisite to installing Linux). I’m not thrilled that I HAVE to have a browser on my servers, which shouldn’t be used for internet surfing – even Windows Update should have a stand-alone piece for servers, but that aside, there’s a bigger issue.
Why must I have a media player on my server? And why are the codecs so important? And why, just to install this media player, do I have to reboot my server? Anyway, who out there is using WMP on their servers? This appears to be a case of using the same code base for their Server line as their workstation line. If I’m wrong, which I could be, as I’ve not audited any of Microsoft’s code nor am I qualified to review it, then I ask, WHY? And if I’m right, then why haven’t they removed the functionality? And if it’s tightly integrated, why haven’t they changed that? I don’t see a reason why multimedia capabilities should be buried and tied so deeply to the core of your operating system. Dump WMP from the server line. One way or another. Period.
Four: Licensing
Hands down the absolute worst part of using Windows Servers in a domain is the Licensing application. For a company that is so determined to stump the pirates that it makes my life a living hell with endless activations or steep entry fees for corporate licensing, this is the saddest part of their OS. There is a little known application, simply called “Licensing,” which runs on your designated Licensing server in your domain. This can be totally separate from your Terminal Services Licensing server.
Licensing is completely unintuitive and behaves unlike any other Windows application. Right clicks bring up useless menus. The terms are not well explained, the help files are useless, and here’s the best part: the microsoft.com site is mostly useless. It contains virtually no documentation. So, in an effort to get more information, I called Microsoft, whose support techs told me that if I needed help, I’d have to open an incident (for those not “in the know,” an individual support ticket, or “incident,” with Microsoft costs $245). So I replied, “I need help making sure the software I bought from you, which is properly configured as far as I can tell, is legit, something I know your company takes seriously. Your program is telling me otherwise. You have provided no documentation, and your technet site is bare.” Still, no love from Redmond. Later I fixed the problem by revoking every single license that Licensing had doled out. No service was interrupted for any user. What’s the purpose of this thing?
Licensing is important to those of us who run large enterprises. There should be a really high quality, easy to use AD (Active Directory) snap-in or stand-alone app to track licensing, report problems, and help the sysadmin rectify legitimate problems. If Microsoft intends to push licensing and activation and combine that with lawsuits for corporations that don’t comply, the least they can do is provide a means for tracking the licenses when the enterprise starts getting too big to do in Excel.
Five: Updates and Maintenance
While this complaint lies much more in the architecture of the software than in its behavior, it’s the biggest pain. If you’ve ever had to maintain more than about 3 servers at once, you’re familiar with exactly how much work goes into keeping Windows Servers updated. In fact, there’s a running joke with some of my colleagues that running Windows Update is a full time job. The thing is, Windows Update, even version 5 so far, still requires a reboot the vast majority of the time.
In fact, simply installing Windows Update version 5 took two reboots for me. Then there were two reboots running the updates. Sure, it’s a nice interface, but why can’t Windows shut down just a few services yet? With their new GDI+ Detector, they used Windows Update to install a piece of software that checks if you’re running apps that are vulnerable to the recent JPEG execution compromise. Can’t Microsoft write something into Windows Update that downloads a piece of software, executes, shuts down networking, replaces/updates components, restarts the services, and resumes the Windows Update? How come a bunch of geeks have pretty much mastered distributed computing with BitTorrent, eDonkey, jigdo, GFS, etc. and online updates via yum, apt-get, Red Hat Network, YaST, etc., but Windows Update still has to do one piece at a time, punctuated by several reboots?
We run terminal services via thin clients (running Windows CE) at my company. At any given time, there might be 150 active profiles on a terminal server, and the registry can bloat up to 300 megabytes. I’ve even seen it top out around 800 MB, which is pretty crazy when it can sustain itself around 15-35 MB on a server. Terminal servers require a nightly reboot to work well. So important is this, so much does it drain a server to handle this load over multiple days, that we have scripted reboots into the normal routine just to assure that the servers get a “fresh start.” This practice has been validated by the Microsoft people I deal with. (Sidenote: our specific registry bloat was researched exhaustively by very capable higher level Microsoft techs who man their profile support department. An 800 MB registry is not typical.)
In the end, Windows still has some pretty amazing stuff. The GUI management tools for domains are unmatched by anything in the Linux/Unix world (except perhaps by Novell’s NetWare Admin, which will probably, in some form, be running on Linux for Linux soon enough). There’s no real standard in other realms for joining computers the way that Microsoft domains do. I haven’t seen failed dependencies in years, save one component that required an MDAC update, something you probably wouldn’t need on most computers anyway. Furthermore, Microsoft truly offers, for better or worse, an end-to-end solution that requires very little “futzing” to make work. I could easily name dozens of things that make me crazy: buried admin tools (try to find “Remote Desktop Connection”), the “Show Files” warning in system directories, the presence of Outlook Express in servers, the painstaking effort it takes to set up lockdown policies, the lack of administrability from the command line, the lack of SSH support, and until WUS is released, the lack of a good update distribution application. Despite some shortcomings and a lengthy wishlist, Windows does make an increasingly capable server product.