In my experience, Windows tooling for serious admin work is either terrible or massively expensive/enterprise.
For instance, a key problem I had in a prior gig was that I needed to automatically log into a Windows machine, run a job, and then log out. Pretty bog standard; didn't need careful error recovery or anything particularly sophisticated.
In Linux, you configure your SSH keys, then ssh automatedjob@server -c "./run-my-thing", and that's that. I literally could not find any identical analog in Windows besides telnet (if anyone knows of a solution here that approximates the Linux one for simplicity, I'd love to know about it). Today I'd probably just requisition a copy of a Windows SSH server and be done with the sorry mess. Better yet, throw Windows out and go full Linux. ;-)
Windows has advanced in a lot of ways over the past several years. We hired Steven Murawski a little while back (Powershell MVP) and he has been able to automate just as much as would expect in the Unix world.
He is also priming out infrastructure for Desired State Configuration (configuration management (like Puppet/Chef) for Windows).
Not at all. The Windows OS now has command line accessible management points that are similar to Linux. There is still a great deal of difference in their management models (I blogged about this a while back - http://blog.serverfault.com/2013/06/03/cross-platform-config...)
That I was hired as a Windows specialist was so that we can go deeper on the OS side and the PowerShell side, just as we have a Linux expert to go deeper on the Linux side. Our sysadmin team was just more tilted with experience on the Linux side (though you wouldn't know it - as almost everyone I work with would qualify as a senior admin in any Windows shop in the world).
I am glad to see that there are comparable capabilities in the modern Windows world and will dig into the WMI side of things next time Windows admin tasks come up.
That's a good question. The best answer is that the configuration needs to be a version controllable artifact just as much as your code is. Further, Windows Scheduler is known to drop jobs from time to time[1].
What was happening is that there was a job controller running on Linux that needed to contact the Windows machine and boot the job into action. One solution would have been to install a Jenkins slave instance, which turned out to be the solution eventually adopted.
[1] It's been a few years since I studied this, but it was a known issue in '08/09 or so.
Ah, PsExec. Yes, I reviewed that. However, the issue with PsExec has to do with credentials. If you don't bother with the user/password, it impersonates your account, which has certain restrictions[1]. That was not feasible due to most interesting things living on network drives. If you do bother with the username/password, you have to store those somewhere (remember, automated system). So now instead of running psexec directly, you have to have a tool that grabs the password file, hopefully decrypts it, then runs psexec.
Also, iirc, using the psexec interface from Linux in a Linux->Windows connection does not work (a wrinkle in the original story is that it was a Linux->Windows connection).
What, in practice, is the difference between creating an account and SSH key that gives passwordless sudo (or other authorization) and creating an account and password that gives appropriate authorization?
I can generate a unique pair of ssh keys for each client that has to remote into a system; I have to have a consistent password for the same user across all systems (assuming integrated login).
Supposing that a keyfile is copied, the multiplicity of ssh files limits the damage.
This kind of thing is easily handled with Kerberos. Joining Unix servers to AD doesn't require that you manage your entire Posix user database there. You can just use a Service Principal for this.
For instance, a key problem I had in a prior gig was that I needed to automatically log into a Windows machine, run a job, and then log out. Pretty bog standard; didn't need careful error recovery or anything particularly sophisticated.
In Linux, you configure your SSH keys, then ssh automatedjob@server -c "./run-my-thing", and that's that. I literally could not find any identical analog in Windows besides telnet (if anyone knows of a solution here that approximates the Linux one for simplicity, I'd love to know about it). Today I'd probably just requisition a copy of a Windows SSH server and be done with the sorry mess. Better yet, throw Windows out and go full Linux. ;-)