Zero Administration for Windows
Administrators have waited a long time for an initiative such as ZAW. Features including network caching and self-healing applications make ZAW worth the wait.
November 30, 1997
Support wizardry comes to NT
Have you ever grumbled about how hard reinstalling Windows NT is? Have you ever noticed that Windows 95's Briefcase is a great idea trapped in a poorly implemented program? Have you ever wanted to remotely install applications on users' desktops with just a few mouse clicks and no programming? If so, you'll be happy to learn about new developments in the Zero Administration for Windows (ZAW) initiative.
After years of indifference, Microsoft has finally decided to make supporting its operating systems easier. Microsoft is making many support changes under the ZAW umbrella. At first glance, ZAW seems like a huge, all-encompassing change to how NT works, but ZAW really rests on just a few key technologies: a new caching system, better application installers, intelligent storage, and PCs with a mildly smarter BIOS.
IntelliMirror: A Network Caching System
A keystone of ZAW is IntelliMirror, a new caching system built into NT 5.0. Instead of the common disk cache found on all modern desktop operating systems, IntelliMirror is a network cache. Here is how network caching works: Accessing a file on a network is typically slower than accessing a file on a local hard disk, so NT 5.0's network redirector keeps a copy of often-used network files on the local hard disk. Suppose you want to access a file on the network. The redirector checks whether the copy on the hard disk is the same as the copy on the network. If the copies match, the redirector simply accesses the local hard disk copy, saving time. If the copies don't match, the redirector updates the local copy from the network and then accesses the hard disk copy.
If IntelliMirror detects that the server is no longer accessible because the network failed or you disconnected your laptop from the network, the file seamlessly works out of the cache. If you've ever lost a Word document because the network hiccuped, you'll love this feature.
You might also learn to love other IntelliMirror features because of the convenience they offer. For example, with IntelliMirror, your users can roam and keep their data handy. Microsoft suggests you set up the system so that applications store users' data in the My Documents folder. (You can, however, store your data anywhere you want. The My Documents folder is just the default.) Because My Documents resides on the server, any machine you log on to can access those documents. Once the server and a machine connect, the NT 5.0 network redirector copies the documents onto the machine's local hard disk. Thus, users can quickly access those documents. Updating the documents is a bit slower because IntelliMirror is a write-through cache. When you modify and save a file, the redirector immediately writes the modified version to both the hard disk and the network.
IntelliMirror can make working with network-based files easier when you're on the road. Suppose you connect your laptop to the network so that you can work on a file located on a server named PUBSERVER. The file's universal naming convention (UNC) path is \\pubserver\finance\oct97.xls. Once you're on the road, you just start up the laptop and open the file \\pubserver\finance\oct97.xls. Although you are no longer connected to PUBSERVER, the file oct97.xls is in your IntelliMirror cache and IntelliMirror recalls its original UNC path. You can then work on the file and save it to the network (which is actually the IntelliMirror cache). When you reconnect to the network, NT 5.0 will detect that you changed oct97.xls and will automatically overwrite the copy on the server with the newer version on your laptop. If someone changed the version on the server while you were gone, IntelliMirror asks you what to do. As one Microsoft employee wryly explained to me at TechEd last June, IntelliMirror is "just like the Briefcase, except it works."
IntelliMirror not only caches files ordinarily found on the network, but also caches their network names, which again helps laptop users. Before I go on the road, I must remember to copy those files I need onto my laptop. Then, when I start up Word and try to access one of those documents, I have to hunt around my laptop's hard disk to find that file. What was once \\server1\books\chapter2.doc is now d:\ontheroad\chapter2.doc, so I can't just pull down the File menu and select from that menu's Most Recently Used list. After returning to the office, I have to remember to reconnect my laptop to the network and copy the modified files onto the server. Finally, I delete the copies on the laptop's hard disk because I don't want several versions of a file floating around. With IntelliMirror I don't need to worry about any of that.
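The caching and reconnect behaviour described above, written out as a small simulation. This is an added example, not Microsoft's IntelliMirror code: the NetworkCache class, the use of a content hash to decide whether the local and server copies match, the dict standing in for the file server, and the sample contents of oct97.xls are all assumptions made for the illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


def digest(data: bytes) -> str:
    """Content hash used to decide whether two copies of a file match
    (assumption: the real redirector may compare timestamps or sizes instead)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CachedFile:
    unc: str        # the file's original UNC name, e.g. \\pubserver\finance\oct97.xls
    data: bytes     # the copy kept on the local hard disk
    base_hash: str  # hash of the server version this copy was last synchronised with


class NetworkCache:
    """Local-disk cache in front of a file server; the server is a plain dict here."""

    def __init__(self, server: Dict[str, bytes]) -> None:
        self.server = server
        self.cache: Dict[str, CachedFile] = {}
        self.online = True

    def open(self, unc: str) -> bytes:
        """Serve the local copy if it matches the server, refresh it if not, and
        fall back to the cache alone when the server cannot be reached."""
        if self.online:
            server_data = self.server[unc]
            entry = self.cache.get(unc)
            if entry is None or entry.base_hash != digest(server_data):
                self.cache[unc] = CachedFile(unc, server_data, digest(server_data))
            return self.cache[unc].data
        entry = self.cache.get(unc)
        if entry is None:
            raise FileNotFoundError(f"{unc} is not in the cache and the server is offline")
        return entry.data

    def save(self, unc: str, data: bytes) -> None:
        """Write-through while online; offline, the save lands only in the cache and
        base_hash keeps recording which server version the edit started from."""
        if self.online:
            self.server[unc] = data
            self.cache[unc] = CachedFile(unc, data, digest(data))
            return
        entry = self.cache.get(unc)
        if entry is None:
            raise FileNotFoundError(f"{unc} is not in the cache and the server is offline")
        entry.data = data

    def disconnect(self) -> None:
        self.online = False

    def reconnect(self, resolver: Callable[[str, bytes, bytes], str]) -> List[str]:
        """Push edits made offline back to the server. If the server copy also changed
        while we were away, ask the resolver ('local' or 'server') instead of silently
        overwriting either side. Returns the UNC names that conflicted."""
        self.online = True
        conflicts: List[str] = []
        for unc, entry in self.cache.items():
            if digest(entry.data) == entry.base_hash:
                continue                        # untouched while offline
            server_data = self.server.get(unc)
            if server_data is not None and digest(server_data) != entry.base_hash:
                conflicts.append(unc)           # both sides changed: the Briefcase case
                if resolver(unc, entry.data, server_data) == "server":
                    entry.data, entry.base_hash = server_data, digest(server_data)
                    continue
            self.server[unc] = entry.data       # newer laptop version wins
            entry.base_hash = digest(entry.data)
        return conflicts


OCT97 = r"\\pubserver\finance\oct97.xls"   # constructed sample path from the article


def road_trip(server_changed_while_away: bool, keep: str = "local") -> Tuple[bytes, List[str]]:
    """Replay the laptop scenario; return the server's final copy and any conflicts."""
    server = {OCT97: b"oct97 v1 (office)"}           # constructed sample content
    nc = NetworkCache(server)
    nc.open(OCT97)                                   # opened once in the office: now cached
    nc.disconnect()
    nc.open(OCT97)                                   # same UNC name still works, from the cache
    nc.save(OCT97, b"oct97 v2 (laptop)")             # edit on the road
    if server_changed_while_away:
        server[OCT97] = b"oct97 v1b (colleague)"     # someone else edited the server copy
    conflicts = nc.reconnect(lambda unc, local, remote: keep)
    return server[OCT97], conflicts


if __name__ == "__main__":
    print(road_trip(False))            # laptop version pushed, no conflict
    print(road_trip(True, "local"))    # conflict reported, laptop version kept
    print(road_trip(True, "server"))   # conflict reported, server version kept
```

Because online saves are write-through, base_hash always equals the server's hash after a save; an offline edit is detected simply because the content hash drifts away from base_hash, and a conflict is the case where the server's hash has drifted too. The real redirector prompts the user at that point; here the choice is a callback.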
As these examples show, IntelliMirror is a local network cache that keeps copies of your server-based files on the local hard disk. Sounds good, but what about security? Suppose I log on to a common machine, work on a secure server-based file (such as a memo containing everyone's salaries), log off, and walk away from the machine. That memo is on the common machine's hard disk. Isn't that a security hole?
The answer is yes and no. First, files are person-specific because NT 5.0 relies on NTFS. So when Joe logs on to the common machine after I get off, he won't have file permissions to access the memo. In addition, files in the cache don't have ordinary names. Instead, they have names like M75%193746229127.CHC. So Joe isn't likely to just happen across a file named payroll memo.doc, even if Joe feels inclined to poke around the cache. However, if Joe has an administrator-level account on that workstation, he can certainly take ownership of the file and modify the permissions so that he can read the memo.
You have two ways to protect your NT 5.0 system against this type of security breach. First, don't freely hand out administrative accounts. Compared with previous NT versions, NT 5.0 administrative accounts let people do a lot more because NT 5.0 can do a lot more. Second, you can tell IntelliMirror not to cache a particular account's profile and other files. However, this solution is a bit troublesome because you must forgo all the benefits of IntelliMirror. IntelliMirror would have been better if Microsoft had designed it so that you could tag certain files as noncacheable. Bear in mind, too, that obscure cache file names and NTFS permissions protect the cached copy only while NT itself is running; anyone with physical access who can boot the machine from other media can read the disk directly.
At this point, you might be thinking that IntelliMirror offers convenience, but not really support. IntelliMirror's code-signing verification and self-healing applications might change your mind.
Installing and fixing applications cause many headaches for support specialists. You might need to fix an application for several reasons, but a common reason is overwritten DLLs. Most programs ship with not only an EXE file, but also at least one DLL. (Some programs have as many as 30 DLLs.) Applications should store their DLLs in their application directories (e.g., DLLs that Word uses ought to go in the Word program file directory), but many vendors, including Microsoft, are in the habit of dumping their DLLs into the system32 directory. As a result, if you load an application that needs a DLL named stuff.dll, the chances are good that the application will copy the DLL to the system32 directory. If you load another application that also happens to need a DLL called stuff.dll, the second application's installer will probably gleefully overwrite the first application's stuff.dll file. Consequently, the newer application will run perfectly, but the older application won't work.
Microsoft is trying to fix the overwritten DLL problem by asking vendors to keep their DLLs out of common areas. In fact, in about a year, any vendor wanting to put the Designed for Windows logo on its software must put its DLLs in the proper place.
In addition, Microsoft will offer code-signing verification to prevent intentional overwriting of DLLs. In code-signing verification, a public-key signature lets the operating system verify at runtime that the code about to run is the code signed by Microsoft, Lotus, or whomever. Code-signing verification is built-in protection from viruses and program file corruption. A valid signature proves only that the file is unchanged since the named signer signed it, so the operating system still has to decide which signers it trusts. (Because code-signing verification will probably be a bit costly CPU-wise, this feature will probably be optional on NT 5.0.)
An erased file is another common cause of headaches for support specialists. For example, suppose that you accidentally erase a program file for Word, but you don't realize it. If users subsequently try to open Word with previous NT versions, they will get an error message. With NT 5.0, however, Word will just reinstall itself. Microsoft refers to this concept as self-healing applications. A new installer technology, the Microsoft Installer (MSI), makes self-healing applications possible.
MSI: A Better Installer
With MSI, applications will not only perform self-diagnoses to detect internal failures, but will also fix those failures through reinstallation. Based on your past experiences with reinstallation, you might expect a screen that says something like, "Welcome to Setup for Word for Windows" and then to be bombarded with the usual 15 dialog boxes that accompany setup programs. Fortunately, the application performs a silent install. MSI doesn't assail you with the usual setup questions because you pre-answer all of them.
To be self-healing, applications will need to be MSI compatible. In other words, an application must include a file with the extension .msi that contains all the information necessary to install that application. MSI reads this information and reinstalls the application.
The MSI file is also called a package, a term familiar to Microsoft Systems Management Server (SMS) administrators. SMS administrators use packages for hands-free (i.e., installs without asking the user any questions) remote installation of applications.
With packages, however, you must write a script that automates the keystrokes and mouse clicks that a user ordinarily makes when installing the software. Most scripts are not much fun to write and tend to be fragile. A few vendors have made this task easier by designing their applications' setup programs to accept simple ASCII files that contain the answers to Setup program questions. Thus, you just create an ASCII file rather than messing around with scripting languages. But no two vendors use the same kinds of scripts, so if your enterprise uses 10 packages, the best you can hope for is learning 10 setup file formats so that you can create 10 application-specific ASCII files. The worst case is if none of the vendors use setup files, forcing you to write 10 different script programs.
With MSI, however, the process is much simpler. You just need to answer several questions to create a setup package and then save it as an MSI file. The setup file format will most likely be the same in all vendors' applications because Microsoft created a unified table-driven method for answering setup questions. Microsoft developed this method with other software developers, so most new applications will be MSI compliant.
Why are independent software vendors supporting MSI? Because MSI supports ZAW, and a lot of big clients want ZAW. In addition, vendors' applications won't qualify for the Designed for Windows logo without MSI support.
Besides using MSI for self-healing applications, you can use MSI for installing and removing programs. Suppose you want to distribute a new word processor, WordBlaster, to your users, but you want to spend as little time and shoe leather as possible. With MSI, all you do is assign the application to an NT group, such as Everyone.
What does assign mean? Under NT 5.0, you can centrally modify the Start Programs menus of all your users to include particular applications, even if those applications aren't on those users' systems. (Currently, you can centrally control people's Start Programs menus with system policies. Just like many other ZAW features, the assign feature is just an enhancement of existing technologies.) When users log on, they'll see a menu option for WordBlaster even though you have not installed WordBlaster on their systems. When they try to start WordBlaster, the operating system realizes that WordBlaster isn't properly installed and the self-healing application process kicks in.
At this point, you might be wondering about what permissions you'll have to give users--after all, users must have a fair amount of power over their workstations to install applications, right? Not quite, because the user doesn't install the software, MSI does. But don't be surprised if a whole new class of NT security holes develops once hackers figure out how to get a command prompt running with the privileges MSI installs under.
Besides assigning an application, you can get an application into the ZAW world in two other ways. You can make an application generally available by publishing it in the Active Directory (AD). The application doesn't go into the AD. Rather, the AD contains the instructions about where to find it. When users start the Install New Programs wizard in the Control Panel, they'll see that list of programs. Another way to make an application generally available is through the Class Store. For information on how the Class Store works, see my article "NT 5.0 Gets Better and Better--Mostly," page 124.
Removing a program is as simple as installing one. Suppose you want to discard a current installation of Word because you want new settings. But with today's installers, if you remove and then reinstall an application, it remembers all your settings from the first installation. Clearly, the removal process doesn't include cleaning out the Registry settings relevant to Word.
With MSI, this situation changes. When removing a program, MSI will delete all files relevant to an application and all its Registry entries.
MSI and IntelliMirror work well together. Suppose Sally, a WordBlaster user, tries to run WordBlaster, but it's not yet on her machine. NT 5.0 uses the MSI package you prepared to install WordBlaster quickly and silently. You set up WordBlaster with a network installation option, so no files go on Sally's machine. Instead, they're all in her space on the network, so the data can roam with her more easily. Despite working on the network, WordBlaster runs quickly for Sally because her workstation is running from the program files in the local IntelliMirror cache. Furthermore, if the server's down, Sally can still get work done because her workstation is using the local cache. In the meantime, you can update and install patches on WordBlaster more easily because the application is on the server.
SIS: A Smart Idea
If 2000 users all install WordBlaster and it's a network install, will you end up with 2000 copies of WordBlaster on the server? Don't run to your stockbroker to buy Seagate stock just yet. ZAW avoids having 2000 copies with the Server Intelligent Storage (SIS) server-side program. With SIS, you designate a section of a server's storage as an SIS area. When a user saves a file to that server, the server checks the file against the other files in the SIS area. If that new file is identical to an existing file, SIS doesn't save a second copy of the file. Rather, SIS just stores a directory entry for that file.
SIS sounds like a very cool technology, but I wonder about how CPU intensive it'll be. My guess is that adjusting SIS sizes will be one of the great tuning pastimes of NT 5.0 Server administrators.
What does SIS mean for laptops? Suppose you are a PowerPoint user and you set up PowerPoint to run from the network. What happens when you take your PowerPoint on the road?
In theory, SIS will work effectively because when you run PowerPoint on the network, IntelliMirror copies the PowerPoint program files into the local IntelliMirror cache. So when you're on the road, the program files will be available. In reality, however, you can run into trouble two ways.
If you've never used PowerPoint's Rehearse Timings feature before, you might get into trouble the first time you use PowerPoint on the road. PowerPoint will request the file rehearse.dll--and it will not be in the cache because your system never requested the file before. Your laptop will respond by trying to reinstall (i.e., self-heal) PowerPoint because you originally installed the application from the network. From this point, the problems will escalate.
Another way in which you might get into trouble is if you used numerous network files before leaving the office, causing IntelliMirror to flush the PowerPoint files from the cache. (If you use more files from the server than you have hard disk space for, IntelliMirror determines which files are important. It keeps the important files and lets the others expire out of the cache.)
You can avoid both problems by pinning PowerPoint in the cache. If you know that you're going to need a particular application, you pin it, which tells IntelliMirror to collect all the files that the application might need and keep those files in the cache. In other words, pinning a file tells IntelliMirror not to let that particular file expire out of the cache.
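Both failure modes and the pinning fix, as an added simulation (not Microsoft's code). It assumes a least-recently-used expiry policy with a file-count budget standing in for disk space, a constructed list of the files PowerPoint consists of, and that an application "runs" by touching its files in order; a file missing from the cache while offline is reported as such rather than triggering the reinstall the article describes.

```python
from collections import OrderedDict
from typing import Dict, Iterable, List, Set

# Constructed manifest of the files each network-installed application may need.
APP_FILES: Dict[str, List[str]] = {
    "PowerPoint": [
        "\\\\apps\\office\\powerpnt.exe",
        "\\\\apps\\office\\ppcore.dll",
        "\\\\apps\\office\\rehearse.dll",   # only loaded by Rehearse Timings
    ],
}
PPT_EXE, PPT_CORE, REHEARSE = APP_FILES["PowerPoint"]


class LocalCache:
    """Size-bounded copy of network files; pinned files are never expired."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.files: "OrderedDict[str, None]" = OrderedDict()  # least recently used first
        self.pinned: Set[str] = set()
        self.online = True

    def fetch(self, unc: str) -> None:
        """Bring a file into the cache (or mark it recently used), expiring the
        least recently used unpinned files once the budget is exceeded."""
        if unc in self.files:
            self.files.move_to_end(unc)
            return
        if not self.online:
            raise FileNotFoundError(unc)      # never requested before, server unreachable
        self.files[unc] = None
        for candidate in list(self.files):
            if len(self.files) <= self.capacity:
                break
            if candidate not in self.pinned:
                del self.files[candidate]

    def pin(self, app: str) -> None:
        """Collect every file the application might need and keep it resident."""
        for unc in APP_FILES[app]:
            self.pinned.add(unc)
            self.fetch(unc)

    def run(self, needed: Iterable[str]) -> str:
        """Start an application feature that touches the given files."""
        try:
            for unc in needed:
                self.fetch(unc)
        except FileNotFoundError as missing:
            return "missing:" + missing.args[0]   # here NT 5.0 would attempt a self-heal
        return "ok"


def on_the_road(pin_first: bool, capacity: int, other_files: int) -> Dict[str, str]:
    """An office session, then offline use of PowerPoint with and without Rehearse Timings."""
    cache = LocalCache(capacity)
    if pin_first:
        cache.pin("PowerPoint")
    cache.run([PPT_EXE, PPT_CORE])                 # Rehearse Timings never used in the office
    for i in range(other_files):                   # heavy use of unrelated network files
        cache.fetch("\\\\server1\\books\\chapter%d.doc" % i)
    cache.online = False                           # laptop unplugged
    return {
        "basic": cache.run([PPT_EXE, PPT_CORE]),
        "rehearse": cache.run([PPT_EXE, PPT_CORE, REHEARSE]),
    }


if __name__ == "__main__":
    print(on_the_road(pin_first=False, capacity=10, other_files=5))  # rehearse.dll missing
    print(on_the_road(pin_first=False, capacity=4, other_files=5))   # PowerPoint flushed out
    print(on_the_road(pin_first=True, capacity=4, other_files=5))    # both run fine
```

With a generous budget only the never-requested rehearse.dll is missing; with a small one the other network files push PowerPoint's own files out; pinning fetches the whole manifest up front and exempts it from expiry, so both offline runs succeed.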
BIOS: The Pièce de Résistance
With ZAW, you can perform clever client-side caching (IntelliMirror), easily install and remove applications (MSI), and minimize the amount of space used on the server (SIS), all from a central location. Could it get any better? What if you could install an entire operating system from a central location? Microsoft envisions that ZAW will be able to provide this capability. Consider the following scenario:
It's 8:00 a.m. You come to work and turn on your computer, Sparky. A funny noise comes from the hard disk, and smoke comes out the back. A quick inspection of the melted SIMMs and cratered CPU inside leads you to believe that Sparky's computing days are over. You were planning to get some work done, but installing and configuring NT Workstation, the Office Suite, and assorted other applications will now occupy most of your day.
With ZAW, the day will proceed differently. After your quick inspection of Sparky, you tell your network administrator about the casualty. You then say good-bye to Sparky and search for a computer that no one is using. You find a vacant computer and log on. Because all your applications are ZAW compliant and you keep your data in My Documents, all of your applications and data are available. MSI performs a couple of silent installs, and you are back in business in a half-hour.
Meanwhile, the network administrator takes a new computer out of the box and assigns it to you. She tells the network that you have a new computer, identifying it to the network. She then brings this computer to your office, plugs it into Sparky's old Ethernet jack, and turns it on.
The new computer is either a NetPC or a regular PC that follows the PC98 specification, so it has a smarter BIOS than most PCs have. The PC BIOS includes support for network cards, the Dynamic Host Configuration Protocol (DHCP), and the Trivial File Transfer Protocol (TFTP). When the PC powers up, the BIOS knows enough about the network card to use it to get the PC an IP address via DHCP. With the other DHCP information, the new computer gets the address of an install server. The new computer then sends a request for configuration to the install server. The install server checks a database to determine which operating system and applications this computer needs and assembles the necessary files. The install server then uses TFTP to transfer the files to the new PC. In no time, the new computer works as well as old Sparky did, maybe even better. Note that neither DHCP nor TFTP authenticates the server, so a rogue DHCP or install server on the same network segment can hand a brand-new PC whatever operating system image it likes; the network you install from has to be one you trust.
How did the install server know that this new computer was your computer? PCs with the improved BIOS have a globally unique ID (GUID), which an administrator can use to identify that PC to the install server. With GUIDs, you can configure systems on a user-specific basis. For example, instead of specifying that a particular machine gets Windows 98 (Win98), you specify that a particular user gets Win98. When that user logs on, the system installs Win98.
In fact, each time users log on to a system, that system will do a fresh install of their operating system and applications. A fresh install might sound like a lot of work, but 999 out of 1000 of these installations will take almost no time because all the files will already be in the local IntelliMirror cache.
Fortunately, you don't need new PCs with the improved BIOS to use remote installation. You just need a bootstrap floppy to get the process rolling the first time.
Good Things Come to Those Who Wait
Computer support specialists have waited a long time for an initiative such as ZAW. But ZAW will be worth the wait because it includes some terrific and exciting capabilities. Central control of machine and application installation and configuration is just plain wonderful.
But central control and all of ZAW's other features will work only if the applications vendors go along with ZAW. More important, ZAW will work only with one operating system. For ZAW to work, you must be running NT 5.0 on all your desktops.