One of the areas of managing Windows servers that has always been a
little problematical is that of discovering so-called “best practices.”
One can debate the extent to which it is the operating system vendor’s
responsibility to advise as to how best to use its products, but just as
the manufacturer of an automobile is in a uniquely well-informed
position to advise its customers as to best practices in safety and
reliability and performance, so too is the OS manufacturer uniquely
positioned to help customers understand the “typical best way” of
operating, on the understanding that informed customers may depart from a
specific “best practice” as specific needs may dictate. The need for
expert guidance on best practices increases as the complexity of the
tool increases; we can use a bit more advice when driving a Prius than
when riding a bicycle.
Windows Server 2008 took some steps towards helping customers with
best practices by increasing the default security of roles installed via
Server Manager. In addition, Server Manager became more intelligent,
prompting us for example to install needed subsidiary roles (“role
services”) when advisable or necessary. Windows Server 2008 R2 goes
further and contains something called the “Best Practices Analyzer,”
which is not exactly one thing but a combination of things built around
something called the BPA “engine.”
The BPA engine interfaces with administrators in several ways. You
can access it through Server Manager, of course; but you can also do so
via PowerShell (and thereby Server Core). Clients can access BPA through
the Remote Server Administration Tools (RSAT). As Microsoft refines its
best-practices “advice,” and adds topic areas (initial ones include AD,
DNS, Certificate Service, and IIS), updates to the BPA system will be
made available through Windows Update. You can set up proactive BPA
monitoring and reporting by creating an event log subscription that
gathers BPA out-of-compliance events from multiple systems, and collects
them on a central computer.
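As an added illustration of the PowerShell route described above (not code from the original post), the following runs every BPA model registered on the local server and collects the Error and Warning results into one CSV. It assumes the BestPractices module that ships with Windows Server 2008 R2; the output file name is a made-up example.

```powershell
# Added example. Assumes Windows Server 2008 R2 or later, run from an
# elevated PowerShell session (also works on Server Core).
Import-Module BestPractices

# Hypothetical output path for the consolidated findings.
$outFile = Join-Path $PWD 'bpa-findings.csv'

$findings = foreach ($model in Get-BpaModel) {
    try {
        # Run the scan for this model; the scan summary itself is discarded.
        Invoke-BpaModel -BestPracticesModelId $model.Id -ErrorAction Stop | Out-Null
    }
    catch {
        # A model whose scan fails should not stop the loop over the others.
        Write-Warning ("Scan failed for {0}: {1}" -f $model.Id, $_.Exception.Message)
        continue
    }

    # Keep only results that need attention and tag each with its model.
    Get-BpaResult -BestPracticesModelId $model.Id |
        Where-Object { 'Error', 'Warning' -contains $_.Severity } |
        Select-Object @{ Name = 'Model'; Expression = { $model.Id } },
                      Severity, Category, Title, Problem, Impact, Resolution
}

if ($findings) {
    $findings |
        Sort-Object Severity, Model |
        Export-Csv -Path $outFile -NoTypeInformation
    Write-Host ("{0} finding(s) written to {1}" -f @($findings).Count, $outFile)
}
else {
    Write-Host 'No Error or Warning results returned by any model.'
}
```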
The BPA is not a new idea. In fact, there have been BPAs for other
Microsoft products. But given the complexity and depth of Server 2008,
it will be interesting to see how effective the BPA can be. It’s a good
idea, but its usefulness will ultimately come down to how much time and
effort Microsoft puts into the knowledge base that drives the engine,
and how accurate the detection scenarios (and resulting bits of advice)
are.