mikemol at gmail
Jun 16, 2012, 5:01 PM
Post #23 of 33
(517 views)
Permalink
|
On Sat, Jun 16, 2012 at 7:40 PM, Matthew Finkel
<matthew.finkel [at] gmail> wrote:
> On Sat, Jun 16, 2012 at 6:59 PM, Michael Mol <mikemol [at] gmail> wrote:
>>
>> On Sat, Jun 16, 2012 at 6:42 PM, Matthew Finkel
>> <matthew.finkel [at] gmail> wrote:
>> > On Sat, Jun 16, 2012 at 5:30 PM, Michael Mol <mikemol [at] gmail> wrote:
[snip]
>> >>
>> > True, and they've been working "hard" to get it to the state it is in
>> > now.
>> > In many cases, sys admins have had to unlearn relying on their mouse
>> > for complete power. The CLI provides options that are, obviously, very
>> > difficult
>> > to express in a simple GUI (I know I'm preaching to the choir).
>> > Powershell
>> > has
>> > made huge progress in this respect, but it still has a long way to go in
>> > order to
>> > compete with what we have. And I doubt the server environment would ever
>> > become stripped down to the state we're talking about.
>>
>> Actually, they're there as of Windows Server 2008. It's called
>> "Windows Server 2008 Core". According to "Windows Server 2008: The
>> Definitive Guide", you log into one of these systems and all you get
>> (by default) is a terminal window with an instance of cmd.exe. It goes
>> on to list seven server roles this configuration supports:
>>
>> * Active Directory and Active Directory Lightweight Domain Services (LDS)
>> * DHCP Server
>> * DNS Server
>> * File Services (including DFSR and NFS)
>> * Print Services
>> * Streaming Media Services
>> * Windows Server Virtualization
>>
>> (Curiously, one of the things you _can't_ do is run Managed Code.)
>
>
> Huh, I didn't know about this. It's still too limited, though. At least
> they've
> duplicated a lot of the core gui elements on cli.
I dunno. That's everything I might possibly want a Windows system for.
DNS comes with AD. Their DHCP server is probably the best on the
market right now; it's the only common one[1] which handles DDNS
updates for IPv4 and IPv6 hosts in the same domain. Everything else, I
can easily do as-well-or-better on a Linux box.
Being able to be an AD controller on a stripped-down version of the
platform is also a plus, if you need to run in an AD environment. That
makes adding redundancy and load distribution cheaper.[2]
[1] That I know of; if anyone knows of a DHCP client for Linux which
handles DDNS updates for IPv4 and IPv6 in the same domain, I'd love to
hear about it. ISC's doesn't.
[2] Samba 4 can do this too, and I'm looking forward to seeing someone
sell Shiva Plugs with Samba 4 preinstalled. And, yeah, Samba 4 has had
some big news events this year.
>> >> Not that they won't be able to bolt one in easily enough; CSRSS means
>> >> they should be able to provide, e.g. an SSH daemon, give the
>> >> connecting user a PowerShell login session[1], and give it equal
>> >> privileges and security controls as they have for any other login
>> >> session.
>> >
>> > How many years have they had? I'd given up on this years ago.
>>
>> SFU is available in the "Server Core" configuration. I imagine you
>> could run OpenSSH under there. Or some commercial entity could come
>> along and provide an SSH+screen(ish) component to snap into the CSRSS
>> framework.
>
>
> I'd actually forgotten about that, I would never trust their implement
> though.
> Apparently there's a binary available of OpenSSH that runs on SFU (so says
> wiki [1]).
> I've been out of the Windows Server environment for a few years now, so I
> guess
> I've missed out on some of the progress MS has made in this area. It's good
> they
> are pushing the CLI now. Perhaps in a few releases they'll implement their
> own
> of encrypting telnet sessions with a screen/tmux lookalike. Microsoft never
> ceases to amaze me - with the good and the bad.
Where security concerns are relevant, I'd favor the implementation
which comes with security updates pushed through the platform vendor's
channel. With Debian, that means I avoid building my own packages. On
Gentoo, that means I keep up with Portage. On Windows, that means
using things which come through Microsoft Update. (Anything which
doesn't, I could probably replace with something running on a Linux
box. Again, this is a server context we're talking about.)
Also, did you know Windows domain environments support dynamic
application of IPSec-based security policies to enforce host patching
policies? Some awesome stuff. Got me wanting to learn enough to be
able to do the same thing using, e.g. Chef.[3]
[3] http://www.opscode.com/chef/
[snip]
--
:wq
|
signature.asc
1
