You can't go very far in IT without stumbling over the term configuration management. It's a hot topic because most businesses now expect IT services to be available without interruption and to perform with high efficiency. To satisfy these requirements, systems administrators must apply a formal methodology to configure and maintain servers.
Configuration management also refers to how the business maintains its hardware and software. Most organizations need Windows configuration management to handle Windows Server, but the management tool also must support the rest of the heterogeneous environment, such as Linux, Unix and mobile operating systems. A number of vendors created configuration management utilities to help administrators maintain order in the infrastructure and lock systems into optimal settings.
There are many configuration management methodologies and frameworks, but most tools address the following questions:
- What are our hardware and software assets?
- How do we control deployment and change within our infrastructure?
- When should we account for and audit our managed resources?
Many configuration management offerings help IT see what resources it has, where updates are -- and are not -- needed based on applications a user needs for work, and ways to roll out needed changes. First, we'll point out common configuration management features.
Basic elements of configuration management
A big concern for systems administrators is configuration drift. This occurs when different administrators make tweaks to servers without notifying the rest of the team. With each change, infrastructure servers gradually fall out of compliance, which is especially a problem for a business that must pass industry audits.
Configuration management systems can run on a dedicated on-premises server, in the cloud or in both locations at the same time. Many configuration management systems require agent software on all managed servers. Periodically, each managed server sends its configuration settings to its manager. If that configuration doesn't match policy, the configuration management server and its agent work together to remediate the problem.
Configuration management software also helps systems administrators deploy operating systems and standardize the computing and desktop experience for end users and servers.
Finally, the better configuration management applications will document configuration policy and changes for easy review. Corporate help desks often interact with the configuration management system to log and process all change management requests.
Chef and Puppet
Systems administrators often talk about Chef and Puppet as if they are synonymous, but they are products of separate companies and direct competitors. While both Chef and Puppet can be used for Windows configuration management, neither runs on the Windows operating system. Using each tool requires that a company has at least a few Unix/Linux servers and some experienced administrators to manage them.
However, Chef and Puppet have some similarities. Both are client/server configuration management tools written in Ruby. Although Chef and Puppet have thousands of prebuilt configurations, administrators must know Ruby programming basics to work with either system effectively. Both Chef and Puppet are free and open source software (FOSS) and offer paid enterprise versions. Finally, the tools have the same goals in mind: administrative automation and support for the DevOps methodology.
Administrators use a web browser to access the administrative interface, as shown in the Puppet Enterprise console in Figure 1.
In my experience, Chef has a deeper relationship with Microsoft; it integrates with Windows PowerShell Desired State Configuration. For example, instead of learning Perl and authoring Chef recipes to configure SharePoint Server, you can use Microsoft's SharePoint DSC resources and run them in Chef.
You can download free, open source versions of Chef and Puppet, but you don't get support or any of the add-on products -- such as reporting and auditing -- that make the licensed enterprise versions so versatile.
Ansible and SaltStack
Ansible is a FOSS configuration management platform with roots in the Unix/Linux ecosystem; its server also runs on macOS. Ansible uses Secure Shell for client-server communications instead of an agent. This eliminates the need to deploy and update the agent software on all the systems an admin must configure and monitor.
As of version 1.7, Ansible can manage Windows computers. Ansible uses YAML, a language similar to XML that is easier to read. And although the Ansible server is free, there is a charge to use its Tower management layer (Figure 2).
SaltStack is a collection of orchestration/automation tools that relies on a core server called Salt. The core offering is free and open source. It is available in both agent and agentless deployment models. SaltStack Enterprise is the proprietary commercial product built on Salt.
There are benefits to going with a proprietary system. For example, the server runs on nearly any operating system, including Windows. Some organizations prefer the security of a software license and service-level agreement with a commercial product. With open source projects, there is typically little to no formal support and the projects can disappear with little to no prior notice.
Questions for configuration management shoppers
In the market for a new configuration management tool? Ask these questions to narrow the list of contenders.
- Do I have expertise with managing Linux/Unix-based servers?
- What is the composition of my managed server pool? On premises? Cloud? Hybrid? Windows? Linux?
- How comfortable am I with programming/scripting languages?
- What are my auditing/compliance/reporting needs?
- Is there any resistance from others in the IT department to a particular configuration management tool?
- How much money can I spend?
Microsoft configuration management tools
Microsoft shops have a huge assortment of first-party configuration management tool choices, the least expensive of which is Windows PowerShell Desired State Configuration (DSC).
DSC is included in Windows PowerShell version 4 or later, which means functionality is already present on any modern Windows server or client system. For administrators who know PowerShell, it's easy to create configuration scripts. The DSC push/pull model adds flexibility to environments that require a particular mode to maintain proper configurations.
Additionally, administrators can deploy DSC in a hybrid scenario with Microsoft Azure. For example, an administrator sets up a cloud-based DSC pull server for managed nodes to retrieve configuration settings. DSC does not have the polished front end that is present in other configuration management tools, so there is no auditing or reporting.
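The drift-remediation loop described under the basic elements of configuration management, applied with DSC in push mode, as an added example that is not from the original article: a small baseline is compiled and pushed to the local node, and the Local Configuration Manager is set to re-check and correct drift. It assumes Windows PowerShell 5.x on Windows Server in an elevated session; the node name, output paths and the three settings chosen are illustrative.

```powershell
# Added example (not from the article). Assumes Windows PowerShell 5.x on Windows Server, elevated.
# The node name, output paths and chosen settings are illustrative assumptions.

# 1. Desired state: a small hardening baseline built from in-box DSC resources.
Configuration ServerBaseline {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node 'localhost' {
        WindowsFeature NoTelnetClient {        # Telnet client must not be installed
            Name   = 'Telnet-Client'
            Ensure = 'Absent'
        }
        Registry DisableSmb1Server {           # SMBv1 server support stays off
            Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            ValueName = 'SMB1'
            ValueType = 'Dword'
            ValueData = '0'
            Ensure    = 'Present'
        }
        Service EventLogRunning {              # Event logging must stay on for audits
            Name        = 'EventLog'
            State       = 'Running'
            StartupType = 'Automatic'
        }
    }
}

# 2. Local Configuration Manager: re-check every 30 minutes and correct any drift.
[DSCLocalConfigurationManager()]
Configuration LcmAutoCorrect {
    Node 'localhost' {
        Settings {
            RefreshMode                    = 'Push'
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 30
        }
    }
}

# 3. Compile both to MOF files, configure the LCM, then push the baseline.
$out = Join-Path $env:TEMP 'dsc-example'
ServerBaseline -OutputPath "$out\baseline" | Out-Null
LcmAutoCorrect -OutputPath "$out\lcm" | Out-Null
Set-DscLocalConfigurationManager -Path "$out\lcm"
Start-DscConfiguration -Path "$out\baseline" -Wait -Verbose

# 4. On-demand drift check: list every resource that no longer matches the baseline.
$result = Test-DscConfiguration -Detailed
$result.ResourcesNotInDesiredState | Select-Object ResourceId, InDesiredState
```

With `ConfigurationMode` set to `ApplyAndMonitor` instead, the same check reports drift without changing the node, which suits servers where changes must go through a change request first.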
Microsoft System Center Configuration Manager, which is part of the System Center suite, is another tool option. System Center streamlines OS deployment, patch management and desktop/server standardization.
But System Center has some drawbacks. It may be too expensive for some organizations -- costing $1,323 for the Standard edition and $3,607 for the Datacenter edition. And System Center applications have a steep learning curve.
In the Azure cloud, there are two additional configuration management options. Microsoft Intune is a subscription-based cloud service aimed at small office/home office customers who need an easy way to manage a few desktop computers and mobile devices. Microsoft licenses Intune per user at $6 per month.
Larger companies can use Microsoft Operations Management Suite (OMS), which essentially is a cloud version of the System Center suite. Anything you can do with System Center you can do with OMS, including IT automation, backup and recovery, security and compliance, and log analytics.
For companies with Software Assurance and System Center Standard licenses, OMS costs $45.40 per month. For companies with Software Assurance and System Center Datacenter licenses, OMS costs $226.90 per month.