13

I want to make a central config file repository so that I can have the changes to any config under revision control (Mercurial). This will include some GNU/Linux boxes (which will use etckeeper), the network equipment's config files, printer's config files and last but not least, windows configs.

I know you can import some configurations like ISA's and DHCPs as text/xml files and even shared folders as a registry key, but for stuff like GPOs and AD, IIS, MSSql and others, are there ways to get the configs as flat files? Basically, can you have something somewhat equivalent to etckeeper under windows? Something like some powershell based commands or the like?

Also, can ACLs and other file permissions be preserved under version control (hg)?

BTW, I've already read

to no avail.

6 Answers

5

Hold them packets!

This is a script provided by Michael J Ginter that creates a backup of all DHCP scopes on a server. (Note that it will stop and restart the DHCP Server Service.):

http://gallery.technet.microsoft.com/ScriptCenter/en-us/ff25d864-6ff0-411b-b242-97fbe34f011b

You can use LDIFDE to import and export data from AD: http://support.microsoft.com/kb/237677

GPOs can be exported with ADMX.exe (provided by microsoft at http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/resources/documentation/windowsServ/2003/all/techref/en-us/w2k3tr_gp_tools.asp

IIS Config can be exported via iiscnfg.vbs in %systemroot%\system32 http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/81f04967-f02f-4845-9795-bad2fe1a1687.mspx?mfr=true

gWaldo
  • 11,887
  • 8
  • 41
  • 68
  • You're quite welcome! Unfortunately there's no free all-in-one solution for what you want, but combined with a CMS, safely redundant storage, and/or software versioning (such as Mercurial, Git, or Subversion), you can roll your own. And all of this should be scriptable! – gWaldo Aug 26 '10 at 12:13
  • Initial idea was Redmine/trac with hg (well, if I used redmine, I'd probably go with Git, better integration), etckeeper on linux machines, ssh script to get running_config from switches and routers, and voodoo along with win scripts to dump configs (maybe with OSSEC file modification "hooks") on the win machines, all going to the HG repo... prob is, windows doesn't have anything close to etc, hence this. Also, all dumped to a SAN/NAS. Have you ever setup anything like what you described? Can you give me some pointers? –  Aug 27 '10 at 11:50
  • That's a hell of a good idea, but I have not done anything like that. If you can bundle it up sufficiently, I would recommend productizing it and/or rolling a F/OSS project. I would normally advocate incorporating the date/timestamp into the filename, however this doesn't matter as much if you're rolling everything up into Version Control. – gWaldo Aug 27 '10 at 12:22
  • 1
    I think I'll have to drop the Redmine part, but I can integrate it afterwards. In any case, the rest is just a bunch of etckeeper configs, scp scripts and the like. I'll try to document it and release some scripts, but I don't think it can be a product, unfortunately. It could be a great FOSS product idea, though. –  Aug 27 '10 at 15:45
1

There really isn't, not for free anyway. There are commercial products that can do this, I understand that they're big and pricey. Opsware (or HP Server Automation now) can do this.

The guy who developed MRTG tried and failed on something similar about 10 years ago. The environment has changed a lot, so you might be able to build on their work and come up with something good. For example, you can dump GPOs now, which was one of their problems.

/edit - and you've always been able to dump AD to LDIF or CSV. Do a nightly export into one of those and slurp it into CSV. IIS is all in the filesystem and the metabase, which is also in the filesystem. Normal backups and/or copies of those into CSV would be good. SQL config, I'm not so sure on; I think it's all registry and PS probably has hooks to display those.

One note - you ask about backing up ACLs on files? Jeebus - please tell me that you're backing up the files, and your backup software preserves ACLs. If you're not backing up the files at all, what benefit are the ACLs to you? If you're not backing up the files with ACLs, what's wrong with your backup software? You can turn on auditing for ACL changes natively, maybe you want to do that?

mfinni
  • 35,711
  • 3
  • 50
  • 86
  • I'm not mentioning backups per se. Almost all backup sw preserves ACLs. Revision control, however, most of the time doesn't even preserve permissions. Mercurial, for instance, only saves the eXecutable permission on unix. You need a hook for that, an addon or a "trick" like saving ACLs/permissions in a separate metafile. Also, I'm gonna look it up but... can you tell me how to export AD to LDIF, for instance? –  Aug 19 '10 at 08:29
  • EDIT: Apparently, with the ldifde - http://technet.microsoft.com/en-us/library/bb727091.aspx –  Aug 19 '10 at 08:36
1

I have not heard of one. While the Registry may be the home of (most) config on Windows, and it (sort of) can be represented in text form, the best you can hope for is Configuration Documentation rather than Configuration Management. There are APIs for monitoring changes to the registry, as evidenced by several System Internals tools, which would in theory allow event-based actions (revert to old config for instance). Unfortunately, there are some things (Group Policy being the biggest) that are designed to blow past any local machine based restrictions on config-change.

However, that just manages the base operating system. Once you start adding in other Microsoft products the situation gets vastly more complex. IIS has its own database, the metabase, that is not in the registry. MS-SQL has a whole bunch of config stored in the database itself among other places. AD certainly can be represented as a flat file, it's an LDIF export from LDAP, but again that's documentation not management. Group Policies themselves are directory trees filled with files on the Domain Controllers.

It is not an easy job by any stretch. This is why systems like Microsoft's System Center Configuration Manager, or Novell's Zenworks Configuration Management, are as complex as they are. In fact, so far as I know these products are the closest Windows gets to something like etckeeper.

sysadmin1138
  • 131,083
  • 18
  • 173
  • 296
  • The "metabase" is just an XML file on the filesystem - pretty simple to grab that nightly and version it. Now granted, that's not the same as triggering a diff every time someone manually changes the configs, that would be a whole other kettle of fish. It depends on how much granularity Ascendant needs. – mfinni Aug 18 '10 at 18:06
  • 1
    Spent some time on Microsoft's System Center Configuration Manager's webpage. It is something like "pretty diagram, buzzword, buzzword, synergy, self-congratulations, vague promises, buzzwords". Still don't know exactly what it does, but with sentences such as "connecting people, processes, and tools—by evaluating dependencies and optimizing business process performance from deep inside the operating system, applications, and composite services and workflows in both physical and virtual environments." it seems to be enterprisy. Is it any good? –  Aug 19 '10 at 08:41
  • If you have a budget in mind for this, it's helpful to mention that when you're asking for product recommendations. – mfinni Aug 19 '10 at 19:57
1

For ACLs and file permissions, you might try PowerShell:

get-acl c:\temp | format-list
get-acl -path hklm:\ | format-list

We bought Tripwire to do a similar function, but it suffers from feature-bloat and idiosyncratic UI to the point that it's rusting from neglect.

AndyN
  • 1,739
  • 12
  • 14
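Mercurial records only the Unix executable bit, so the ACLs that Get-Acl shows above have to travel in a separate, versioned metafile. The following is an added example (not AndyN's code and not from any answer on this page) that writes one line per path, relative path then SDDL, to a manifest inside the tracked directory and reapplies it after a checkout. The directory path and the manifest file name `.acl-manifest.txt` are assumptions; adjust them to your repository layout.

```powershell
# Added example: keep NTFS ACLs in a versioned manifest because Mercurial only
# records the Unix executable bit. Format: <relative path><TAB><SDDL>; an empty
# path means the tracked directory itself. $Root and the manifest name are
# hypothetical values chosen for this example.

function Export-AclManifest {
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [string]$Manifest = (Join-Path $Root '.acl-manifest.txt')
    )
    $rootPath = (Resolve-Path $Root).Path.TrimEnd('\')
    $manifestName = Split-Path $Manifest -Leaf
    $lines = foreach ($item in Get-ChildItem -Path $rootPath -Recurse -Force) {
        # skip Mercurial's own metadata and the manifest itself
        if ($item.FullName -like "$rootPath\.hg*" -or $item.Name -eq $manifestName) { continue }
        $rel = $item.FullName.Substring($rootPath.Length + 1)
        # SDDL is a single line of text, so "hg diff" shows exactly which ACE changed
        "{0}`t{1}" -f $rel, (Get-Acl -Path $item.FullName).Sddl
    }
    # root directory first, then everything below it, sorted so the file is stable
    @("`t" + (Get-Acl -Path $rootPath).Sddl) + @($lines | Sort-Object) |
        Set-Content -Path $Manifest -Encoding Ascii
    return $Manifest
}

function Import-AclManifest {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [string]$Manifest = (Join-Path $Root '.acl-manifest.txt')
    )
    $rootPath = (Resolve-Path $Root).Path.TrimEnd('\')
    $changed = @()
    foreach ($line in Get-Content -Path $Manifest) {
        $rel, $sddl = $line -split "`t", 2
        $target = if ($rel) { Join-Path $rootPath $rel } else { $rootPath }
        if (-not (Test-Path $target)) { continue }   # path no longer in the checkout
        $acl = Get-Acl -Path $target
        if ($acl.Sddl -eq $sddl) { continue }          # already as recorded
        $changed += $target
        # with -WhatIf this loop becomes a drift report: which ACLs differ from the manifest
        if ($PSCmdlet.ShouldProcess($target, 'restore ACL from manifest')) {
            # the DACL can be set by any administrator; changing the owner additionally
            # needs SeRestorePrivilege (an elevated admin session)
            $acl.SetSecurityDescriptorSddlForm($sddl)
            Set-Acl -Path $target -AclObject $acl
        }
    }
    return $changed
}

# usage (hypothetical path): record before committing, reapply after updating
# Export-AclManifest -Root C:\ConfigRepo
# Import-AclManifest -Root C:\ConfigRepo -WhatIf   # report drift only
# Import-AclManifest -Root C:\ConfigRepo           # restore
```

Run Export-AclManifest right before `hg commit` and Import-AclManifest right after `hg update`; Mercurial's `precommit` and `update` hooks in `.hg\hgrc` are a natural place to wire them in. Because the manifest is itself tracked, `hg log` on it gives you a history of permission changes, and `Import-AclManifest -WhatIf` doubles as a quick check that nobody has changed an ACL by hand since the last commit.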
1

On Windows there is no standard way for software to store a config, therefore there can be no one method to handle those configs. Before anyone starts yammering about how there is some kind of "standard", let's look at the the Microsoft recommendations thus far.

  • First we were told to create all configs in win.ini.
  • Next we were told win.ini is getting too large, so place the configs in an .ini file in the Windows directory.
  • Nope, the Windows directory is getting cluttered. Use the application directory.
  • Look, we have this new central configuration repository we're going to call "The Registry". Put all your stuff in there.
  • Oops, the registry is getting too large. Place the configs in the user profile.
  • Guess what, the profile thingy isn't working out very well....
  • etc., etc.

Applications, including Microsoft's own, have no standard way or location for storing configs and use any or all the above methods, as well as a few "non-standard" ones. Welcome to the inconsistent and constantly changing world of Windows.

John Gardeniers
  • 27,262
  • 12
  • 53
  • 108
  • Yes. I know how slow Unixes can get with their cluttered /etc. Oh, wait... –  Aug 25 '10 at 14:05
0

The code at http://gallery.technet.microsoft.com/ScriptCenter/en-us/edca4de3-642a-4a84-9884-e4035c984e31 and http://gallery.technet.microsoft.com/ScriptCenter/en-us/a3c9ad7b-6b5c-40ef-a928-3565432735ee offers some insight that there may be hope with the "netsh" command on your dhcp server. I don't have one available to me at the moment to test, but that's one avenue of approach.

gWaldo
  • 11,887
  • 8
  • 41
  • 68
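The export tools named in the answers above (ldifde for AD, GPO reports, the IIS metabase or applicationHost.config, netsh for DHCP) can be strung together into a single scheduled collector that dumps everything to flat files and commits to Mercurial, which is about as close to etckeeper as Windows gets. The script below is an added example and is not code from any of the answers or from the linked gallery scripts; it assumes a repository at `C:\ConfigRepo`, a domain naming context of `DC=example,DC=local`, `hg.exe`, `ldifde.exe`, `sqlcmd.exe` and `netsh.exe` on the PATH, and the GroupPolicy PowerShell module (Windows Server 2008 R2 or RSAT). Each collector silently skips roles that are not installed on the machine it runs on.

```powershell
# Added example: an etckeeper-style collector for Windows configuration.
# All paths and the domain DN below are hypothetical values for this example.
param(
    [string]$Repo     = 'C:\ConfigRepo',          # hypothetical repository location
    [string]$DomainDn = 'DC=example,DC=local'     # hypothetical domain naming context
)

function Initialize-Repo {
    if (-not (Test-Path (Join-Path $Repo '.hg'))) {
        New-Item -ItemType Directory -Path $Repo -Force | Out-Null
        & hg init $Repo
    }
}

function New-TargetDir([string]$Relative) {
    $dir = Join-Path $Repo $Relative
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    return $dir
}

# Active Directory -> LDIF (the nightly export suggested above). Attributes that change
# on every replication cycle are omitted so a diff only shows real changes; -n drops
# binary values, which would not diff usefully anyway.
function Export-AdLdif {
    if (-not (Get-Command ldifde.exe -ErrorAction SilentlyContinue)) { return }
    $out = Join-Path (New-TargetDir 'ad') 'directory.ldf'
    & ldifde -f $out -d $DomainDn -p subtree -n `
             -o 'whenChanged,uSNChanged,uSNCreated,dSCorePropagationData' | Out-Null
}

# Group Policy -> one XML report per GPO. The GUID keeps the file name stable when a
# GPO is renamed; the display name keeps the listing readable.
function Export-GroupPolicy {
    Import-Module GroupPolicy -ErrorAction SilentlyContinue
    if (-not (Get-Command Get-GPOReport -ErrorAction SilentlyContinue)) { return }
    $dir = New-TargetDir 'gpo'
    foreach ($gpo in Get-GPO -All) {
        $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
        $file = Join-Path $dir ("{0}_{1}.xml" -f $gpo.Id, $safeName)
        Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $file
    }
}

# IIS: IIS 7 keeps its configuration in applicationHost.config, IIS 6 in the metabase
# (MetaBase.xml plus MBSchema.xml). All are plain XML, so a copy is enough.
function Copy-IisConfig {
    $files = @("$env:windir\System32\inetsrv\config\applicationHost.config",
               "$env:windir\System32\inetsrv\MetaBase.xml",
               "$env:windir\System32\inetsrv\MBSchema.xml") | Where-Object { Test-Path $_ }
    if ($files) { Copy-Item -Path $files -Destination (New-TargetDir 'iis') -Force }
}

# DHCP: "netsh dhcp server dump" writes scopes, options and reservations as a text script
# (replayable with "netsh exec"), which diffs far better than the binary "export" file.
function Export-DhcpConfig {
    if (-not (Get-Service DHCPServer -ErrorAction SilentlyContinue)) { return }
    $out = Join-Path (New-TargetDir 'dhcp') 'dhcp-server.txt'
    & netsh dhcp server dump | Set-Content -Path $out -Encoding Ascii
}

# SQL Server: instance-level settings live in sys.configurations; sqlcmd writes them as CSV.
function Export-SqlConfig {
    if (-not (Get-Command sqlcmd.exe -ErrorAction SilentlyContinue)) { return }
    $out = Join-Path (New-TargetDir 'sql') 'configurations.csv'
    & sqlcmd -E -S . -W -s ',' -o $out `
             -Q 'SELECT name, value, value_in_use FROM sys.configurations ORDER BY name'
}

# Commit only when something changed, so the history records real configuration changes.
function Save-ConfigRepo {
    Push-Location $Repo
    try {
        & hg addremove
        if (& hg status) {
            $msg = 'config snapshot ' + (Get-Date -Format 'yyyy-MM-dd HH:mm')
            & hg commit -u 'config-collector' -m $msg
        }
    } finally { Pop-Location }
}

Initialize-Repo
Export-AdLdif; Export-GroupPolicy; Copy-IisConfig; Export-DhcpConfig; Export-SqlConfig
Save-ConfigRepo
```

Schedule it with Task Scheduler under an account that can read the respective configuration, and keep the repository on a path with a tight ACL: the LDIF export carries account attributes and the DHCP dump carries reservations and host names, so the repository is as sensitive as the systems it documents. Note that this gives you a history and a diff of the configuration, not enforcement; as the other answers point out, reverting a change is still a manual step on Windows.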