0

What would be the best approach to remotely manage hundreds of Windows 2008 R2 Servers that are not joined to a central authentication system and/or Active Directory?

In the Linux ecosystem there are tools that allow centralized configuration management like Puppet, Chef or Ansible. How can I implement similar functionality in the Windows ecosystem?

I am interested in administrative tasks such as changing firewall rules, updating Anti-Virus software or modifying a file on every server.

MichelZ
jideel
  • That would be - powershell? – MichelZ Apr 22 '14 at 15:09
  • That's what we're trying to do now but it does raise some security issues related to WinRM, the digest authentication without an AD, and I would like something more "high-level", with some kind of infrastructure, and a web interface. – jideel Apr 22 '14 at 15:14
  • Then, unfortunately: your question needs some improvement from you. In its current state it seems to be [off-topic](http://serverfault.com/help/on-topic) – MichelZ Apr 22 '14 at 15:17
  • Take a look at [salt](http://www.saltstack.com/). – MikeyB Apr 22 '14 at 15:46
  • `What would be the best approach to remotely manage hundreds of Windows 2008 R2 Servers that are not joined to a central authentication system and/or Active Directory?` Join them to an Active Directory domain. – HopelessN00b Apr 22 '14 at 17:17

2 Answers

2

You're looking for Microsoft's System Center Suite, particularly Configuration Management.

Chris S
2

The best approach would probably be using Active Directory and Group Policy, but you have stated that is not an option in your environment. Unfortunately, the API-oriented management model makes configuration management the Unix way, as represented by tools like Puppet or Chef, very difficult in the Windows ecosystem. You are not going to find a similar approach.

What you can do is combine some technologies:

Use System Center Configuration Manager or Windows MDT to deploy a known-state base image. The base image should contain the largest possible set of configurations that are inclusive to the entire fleet. If you find that there is significant variation in your fleet to the point of rendering the base image more or less useless because the configuration changes that it includes are so small, consider configuring separate task sequences that get you closer to a "100% configured" state for different classes of servers (IIS servers, application servers and so on). The idea is to get the closest to a "100% configured" state, on as many servers as possible, with the fewest images and/or task sequences to maintain.

Configure the remaining settings on each server with Local Group Policy templates, PowerShell, PowerShell's Desired State Configuration (if you can upgrade the Windows Management Framework) or SCCM's Configuration Items. Most likely you will want to use some combination of the three.

In short you will probably need to invest in SCCM. It will handle multiple Active Directory Forests, Domains, DMZ or Remote Clients, and Workgroup computers. SCCM is not a small topic nor is the learning curve shallow but between it, base images and PowerShell's DSC you should be able to accomplish your goals.
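
The "remaining settings" step of the answer above, written with PowerShell Desired State Configuration for workgroup servers, as an added example that is not part of the original answer. It assumes WMF 4.0 or later on the workstation and on every node, and a WinRM HTTPS listener on each node whose certificate the workstation trusts, so credentials never cross plain HTTP; the node names, file path and contents, and firewall rule are constructed values.

```powershell
# Added example. Node names, paths and the rule name are constructed placeholders.
Configuration WorkgroupBaseline {
    param([Parameter(Mandatory)][string[]]$NodeName)

    Node $NodeName {
        # "Modify a file on every server": hold one file at a known content.
        File BaselineMarker {
            DestinationPath = 'C:\ManagedConfig\baseline.txt'
            Contents        = 'baseline=constructed-example'
            Type            = 'File'
            Ensure          = 'Present'
        }

        # "Change firewall rules": Windows 2008 R2 has no NetSecurity cmdlets,
        # so wrap netsh in a Script resource that only acts when the rule is missing.
        Script BlockInboundTelnet {
            TestScript = {
                netsh advfirewall firewall show rule name=Baseline-Block-Telnet | Out-Null
                $LASTEXITCODE -eq 0   # netsh exits non-zero when no rule matches
            }
            SetScript  = {
                netsh advfirewall firewall add rule name=Baseline-Block-Telnet `
                    dir=in action=block protocol=TCP localport=23
            }
            GetScript  = { @{ Result = 'Baseline-Block-Telnet' } }
        }
    }
}

# Constructed node list; each name must match the subject of that node's WinRM certificate.
$nodes = 'srv01.example.test', 'srv02.example.test'

# Compile one MOF file per node.
WorkgroupBaseline -NodeName $nodes -OutputPath 'C:\Dsc\WorkgroupBaseline'

# Workgroup machines have no Kerberos: authenticate a local administrator with
# Negotiate (NTLM) inside TLS on port 5986 instead of widening TrustedHosts over HTTP.
$cred     = Get-Credential
$tls      = New-CimSessionOption -UseSsl
$sessions = New-CimSession -ComputerName $nodes -Port 5986 -Credential $cred `
                -Authentication Negotiate -SessionOption $tls

# Push the configuration; each session picks up the MOF named after its computer.
Start-DscConfiguration -Path 'C:\Dsc\WorkgroupBaseline' -CimSession $sessions -Wait -Verbose

$sessions | Remove-CimSession
```

Running `Test-DscConfiguration` against the same CIM sessions afterwards reports whether each node still matches the applied configuration.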