I want to make a central config file repository so that I can have the changes to any config under revision control (Mercurial). This will include some GNU/Linux boxes (which will use etckeeper), the network equipment's config files, printers' config files and last but not least, Windows configs.
I know you can import some configurations like ISA's and DHCP's as text/XML files and even shared folders as a registry key, but for stuff like GPOs and AD, IIS, MSSQL and others, are there ways to get the configs as flat files? Basically, can you have something somewhat equivalent to etckeeper under Windows? Something like some PowerShell-based commands or the like?
Also, can ACLs and other file permissions be preserved under version control (hg)?
BTW, I've already read
- What solutions exist to allow the use of revision control for server configuration files?
- What tool do you recommend to track changes on a Linux/Unix server
to no avail.
Hold them packets!
This is a script provided by Michael J Ginter that creates a backup of all DHCP scopes on a server. (Note that it will stop and restart the DHCP Server Service.):
http://gallery.technet.microsoft.com/ScriptCenter/en-us/ff25d864-6ff0-411b-b242-97fbe34f011b
You can use LDIFDE to import and export data from AD: http://support.microsoft.com/kb/237677
GPOs can be exported with ADMX.exe (provided by Microsoft at http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/resources/documentation/windowsServ/2003/all/techref/en-us/w2k3tr_gp_tools.asp)
IIS Config can be exported via iiscnfg.vbs in %systemroot%\system32 http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/81f04967-f02f-4845-9795-bad2fe1a1687.mspx?mfr=true
There really isn't, not for free anyway. There are commercial products that can do this, I understand that they're big and pricey. Opsware (or HP Server Automation now) can do this.
The guy who developed MRTG tried and failed on something similar about 10 years ago. The environment has changed a lot, so you might be able to build on their work and come up with something good. For example, you can dump GPOs now, which was one of their problems.
/edit - and you've always been able to dump AD to LDIF or CSV. Do a nightly export into one of those and slurp it into CSV. IIS is all in the filesystem and the metabase, which is also in the filesystem. Normal backups and/or copies of those into CSV would be good. SQL config, I'm not so sure on; I think it's all registry and PS probably has hooks to display those.
One note - you ask about backing up ACLs on files? Jeebus - please tell me that you're backing up the files, and your backup software preserves ACLs. If you're not backing up the files at all, what benefit are the ACLs to you? If you're not backing up the files with ACLs, what's wrong with your backup software? You can turn on auditing for ACL changes natively, maybe you want to do that?
I have not heard of one. While the Registry may be the home of (most) config on Windows, and it (sort of) can be represented in text form, the best you can hope for is Configuration Documentation rather than Configuration Management. There are APIs for monitoring changes to the registry, as evidenced by several System Internals tools, which would in theory allow event-based actions (revert to old config for instance). Unfortunately, there are some things (Group Policy being the biggest) that are designed to blow past any local machine based restrictions on config-change.
However, that just manages the base operating system. Once you start adding in other Microsoft products the situation gets vastly more complex. IIS has its own database, the metabase, that is not in the registry. MS-SQL has a whole bunch of config stored in the database itself among other places. AD certainly can be represented as a flat file, it's an LDIF export from LDAP, but again that's documentation not management. Group Policies themselves are directory trees filled with files on the Domain Controllers.
It is not an easy job by any stretch. This is why systems like Microsoft's System Center Configuration Manager, or Novell's Zenworks Configuration Management, are as complex as they are. In fact, so far as I know these products are the closest Windows gets to something like etckeeper.
For ACLs and file permissions, you might try PowerShell:
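An added example, not part of the answer above and not code from any of the linked scripts: Mercurial records file contents, not NTFS ACLs, so one way to get permission changes into revision history is to dump each object's security descriptor as SDDL text and commit that file. The paths `D:\Shares` and `C:\ConfigRepo` are assumptions, and the hg repository in `C:\ConfigRepo` is assumed to exist already.

```powershell
# Added example: snapshot NTFS ACLs as text so Mercurial can diff permission changes.
# $Root and $Repo are hypothetical paths; an hg repository must already exist in $Repo.
param(
    [string]$Root = 'D:\Shares',
    [string]$Repo = 'C:\ConfigRepo'
)

$ErrorActionPreference = 'Stop'
$outFile = Join-Path $Repo 'acls\shares.sddl.csv'
New-Item -ItemType Directory -Force -Path (Split-Path $outFile) | Out-Null

# Take the root itself plus everything below it (hidden items included).
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

# Sort by path so the file is stable between runs and the diff shows only real changes.
$rows = foreach ($item in ($items | Sort-Object FullName)) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName
        [pscustomobject]@{ Path = $item.FullName; Owner = $acl.Owner; Sddl = $acl.Sddl }
    } catch {
        # Record an unreadable ACL instead of silently dropping the path.
        [pscustomobject]@{ Path = $item.FullName; Owner = ''; Sddl = "ERROR: $($_.Exception.Message)" }
    }
}
$rows | Export-Csv -LiteralPath $outFile -NoTypeInformation -Encoding UTF8

Push-Location $Repo
try {
    hg addremove --quiet acls
    # 'hg status' prints nothing when the snapshot is unchanged, so no empty commits.
    if (hg status acls) {
        hg commit -m "ACL snapshot of $Root on $env:COMPUTERNAME" acls
    }
} finally {
    Pop-Location
}
```

Run from a scheduled task under an account that can read the tree, each commit's diff then shows which path had its owner or DACL changed. A stored SDDL string can be loaded back with `SetSecurityDescriptorSddlForm` on an ACL object and applied with `Set-Acl`.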
We bought Tripwire to do a similar function, but it suffers from feature-bloat and idiosyncratic UI to the point that it's rusting from neglect.
On Windows there is no standard way for software to store a config, therefore there can be no one method to handle those configs. Before anyone starts yammering about how there is some kind of "standard", let's look at the Microsoft recommendations thus far.
Applications, including Microsoft's own, have no standard way or location for storing configs and use any or all the above methods, as well as a few "non-standard" ones. Welcome to the inconsistent and constantly changing world of Windows.
The code at http://gallery.technet.microsoft.com/ScriptCenter/en-us/edca4de3-642a-4a84-9884-e4035c984e31 and http://gallery.technet.microsoft.com/ScriptCenter/en-us/a3c9ad7b-6b5c-40ef-a928-3565432735ee offers some insight that there may be hope with the "netsh" command on your DHCP server. I don't have one available to me at the moment to test, but that's one avenue of approach.