Windows Readiness for Mainframe Migration Class...
Transcript of Windows Readiness for Mainframe Migration Class...
Glenn Dent (Microsoft Architect Consultant)
Stan Murawski (Microsoft Architect Consultant)
Microsoft Services
Windows Datacenter Readiness for Mainframe Class Workloads
Stan Murawski
Hewitt Wright
Glenn Dent
The information contained in this document represents the current view of Microsoft
Corporation and is subject to change at any time without notice to you. This document and
its contents are provided AS IS without warranty of any kind, and should not be interpreted
as an offer or commitment on the part of Microsoft, and Microsoft cannot guarantee the
accuracy of any information presented. MICROSOFT MAKES NO WARRANTIES, EXPRESS
OR IMPLIED, IN THIS DOCUMENT.
The descriptions of other companies' products in this document, if any, are provided only as a
convenience to you. Any such references should not be considered an endorsement or
support by Microsoft. Microsoft cannot guarantee their accuracy and the products may
change over time. In addition, the descriptions are intended as brief highlights to aid
understanding, rather than as thorough coverage. For authoritative descriptions of these
products, please consult the respective manufacturers.
This deliverable is provided AS IS without warranty of any kind and MICROSOFT MAKES NO
WARRANTIES, EXPRESS OR IMPLIED, OR OTHERWISE.
All trademarks are the property of their respective companies.
©2007 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, BizTalk, SQL Server, Visual Studio, Windows, Windows Media,
Windows NT, and Windows Server are trademarks of the Microsoft group of companies.
The names of actual companies and products mentioned herein may be the trademarks of
their respective owners.
Table of Contents
Table of Contents ..... ii
Purpose of this Document ..... vi
Chapter 1. Windows Server and Readiness Principles ..... 1
Chapter 2. RAS Plus ..... 3
2.1 Reliability ..... 3
2.2 Availability ..... 4
2.3 Serviceability ..... 5
2.3.1 Whole Computer Serviceability ..... 6
2.4 Scalability ..... 6
2.4.1 Scale-Up ..... 6
2.4.2 Scale-Out ..... 7
2.5 Security ..... 8
2.5.1 Security Development Lifecycle and the Microsoft Security Response Center ..... 9
2.6 Performance ..... 10
2.6.1 Performance Experience of Customers ..... 10
2.6.2 Performance Benchmarks ..... 12
Chapter 3. Operational Systems Management ..... 15
3.1 Microsoft Solutions Framework ..... 16
3.2 Microsoft Operations Framework ..... 16
3.3 Real-Time Monitoring, Problem Determination, and Problem Correction ..... 17
3.3.1 The Health Model ..... 18
3.3.2 The Task Model ..... 21
3.3.3 The State Model ..... 22
3.4 Operations Manager 2007 Case Studies ..... 24
3.5 Dynamic Systems Initiative (DSI) ..... 24
3.5.1 DSI Articles and White Papers ..... 25
Chapter 4. Maintenance (Systems Programming) ..... 26
4.1 The Microsoft Maintenance Process ..... 26
Chapter 5. Data and Application Integration ..... 30
5.1 Approaches to Platform Interoperability ..... 30
5.1.1 Network Integration ..... 31
5.1.2 Security Integration ..... 31
5.1.3 Messaging Integration ..... 31
5.1.4 Data Integration ..... 31
5.1.5 Application Transactional Integration ..... 33
Chapter 6. Best Practices Applied ..... 34
6.1 Within Microsoft ..... 34
6.2 By Microsoft Customers ..... 35
6.2.1 Case Study ..... 35
6.2.2 Future Expectations ..... 35
Chapter 7. Comparable Experiences ..... 37
7.1 Online Transaction Processing ..... 37
7.1.1 London Stock Exchange ..... 37
7.1.2 NASDAQ ..... 37
7.2 Large Batch Processing ..... 38
7.2.1 Telecommunications Company ..... 38
7.2.2 Adamed / Galmed ..... 38
7.2.3 CSC Financial Services ..... 38
7.2.4 CUNA Mutual ..... 38
7.3 Migrations of Existing Mainframe Applications ..... 39
7.3.1 Simon and Schuster ..... 39
7.3.2 Washington State Department of Licensing ..... 39
7.3.3 Bertelsmann ..... 39
7.3.4 Deutsche Post (DP) ..... 40
7.3.5 SAMPENSION ..... 40
7.4 Code Replacement of Existing Mainframe Applications ..... 41
7.4.1 Horizon Lines ..... 41
7.4.2 The Schwan Food Company ..... 41
7.4.3 Shinsei Bank ..... 41
7.5 Transformation and Interoperability ..... 42
7.5.1 Ceridian ..... 42
7.6 Medical Claims Processing ..... 42
7.6.1 Premera Blue Cross ..... 42
7.6.2 Broadspire ..... 43
7.7 Other Enterprise Migrations/Modernizations Involving COBOL ..... 43
7.7.1 Ancor ..... 43
7.7.2 DC Thomson ..... 43
7.7.3 Co-op Financial Services ..... 43
7.7.4 Mashreqbank ..... 43
7.7.5 Dollar Thrifty ..... 44
7.7.6 Stockholmshem ..... 44
7.7.7 Retirement Systems of Alabama (RSA) ..... 44
7.8 Companies Running Well-Known COTS Applications on Windows ..... 45
7.8.1 SAP on Windows ..... 45
7.8.2 PeopleSoft on Windows ..... 45
7.8.3 Siebel on Windows ..... 46
Appendix A. The Windows Server Platform ..... 47
A.1. Microsoft Mainframe-Related Product Capabilities Summary ..... 47
A.1.1. Mainframe Data Access ..... 47
A.1.2. Mainframe CICS or IMS Transaction Integration ..... 47
A.1.3. Mainframe CICS or IMS XML Web Services SOA enablement ..... 48
A.1.4. RACF Account Synchronization ..... 48
A.2. Windows Server 2003 Core Technologies ..... 48
A.2.1. Availability ..... 48
A.2.2. Scalability ..... 49
A.2.3. Security ..... 49
A.3. Productivity ..... 50
A.3.1. File and Print Services ..... 50
A.3.2. Active Directory ..... 50
A.3.3. Management Services ..... 50
A.3.4. Storage Management ..... 51
A.3.5. Terminal Services ..... 51
A.4. Staying Connected ..... 51
A.4.1. XML Web Services ..... 51
A.4.2. Networking and Communications ..... 51
A.4.3. Enterprise UDDI Services ..... 52
A.4.4. Windows Media Services ..... 52
A.5. Best Economics ..... 52
A.5.1. Extensive ISV Ecosystem ..... 52
A.5.2. Worldwide Services ..... 53
A.5.3. Training Options ..... 53
A.5.4. Certified Solutions ..... 53
A.6. XML Web Services and Microsoft .NET ..... 53
Appendix B. Development Environment ..... 54
B.1. Test and Development Environment ..... 54
B.2. Team Development ..... 55
Appendix C. Architecture ..... 1
Appendix D. SQL Server Management Pack Tasks ..... 57
Appendix E. Relevant Microsoft Services Summary ..... 58
E.1. Pre-Migration Services ..... 58
E.2. Services During Migration ..... 58
E.2.1. Team-Based Software Development Architecture ..... 58
E.2.2. Systems Execution Architecture Definition ..... 59
E.2.3. Operations Management Architecture ..... 59
E.3. Ongoing Services After Migration ..... 60
E.4. For More Information ..... 60
Appendix F. Microsoft Security Response Center (MSRC) ..... 61
F.1. Investigating and Resolving Vulnerability Reports ..... 61
F.2. Responding to Security Incidents ..... 61
Purpose of this Document
The purpose of this document is to show the readiness of the Windows Server® platform, the
computer systems on which it runs, and their supporting infrastructure to run IBM z/OS
mainframe class data center workloads—and by extension, workloads from other types of
mainframes or systems with comparable characteristics. Specifically, this paper discusses a
Windows Server operational environment within which computerized business processing for
a fictional corporation named Contoso can run with the same or better security, reliability,
and operational efficiency as has for years been delivered on MVS, OS/390, and now z/OS
platforms. The cost of ownership for this Windows Server–based computing system would be
dramatically less than for the comparable z/OS system.
This report also shows how proper systems management can address specific concerns
expressed by Contoso regarding the modernization of its applications by migration to
Windows Server. The specific concerns addressed in this report include:
Security: Contoso does not risk an increased security exposure by moving to the Windows
Server platform. This point is covered, along with how policies and procedures of a data
center determine the level of security achieved.
Systems management: There is a need for a reliable, available, serviceable, and scalable
production environment. A discussion of accomplishing this on Windows Server is included.
Performance: This report provides evidence that the Windows Server platform can handle the
data and computation load demands of Contoso. It highlights the hard facts on volume levels
similar to Contoso, which provide a comfort level that the proposed platform will support
Contoso's needs.
Integration between Windows Server and the z/OS mainframe: This area consists of
three elements:
Data file transfer, cross-platform data access, and cross-system transaction
integration with the portions of the migrated applications that remain on the mainframe,
and with other applications that remain on the mainframe
Cross-platform performance and operations issues surrounding data replication and
duplication between two platforms
User account synchronization and security integration for transactions executed
partially on Windows Server and partially on z/OS
Case studies and comparable references: Case studies of other customers' experiences are
discussed and referenced in this document.
This document contains many links to additional reference material available at
www.microsoft.com, or at other sites. If you are reading this document on your computer, you
can click the links to jump directly to this additional material. Please understand that some
of these links might become stale after the time of this document's writing. The authors of
this document have no control over these links.
Chapter 1. Windows Server and Readiness Principles
The Information Technology Infrastructure Library (ITIL) guidelines, developed by an agency
in the British Government, have generally been embraced by the industry. ITIL is the de facto
global standard in the area of service management. See more about ITIL at:
www.itil.org/en/index.php
Many IBM mainframe shops have been running with policies and procedures equivalent to
the ITIL principles for many years. Some of those shops have embraced ITIL explicitly. For
example, see the IBM paper "Making ITIL Actionable in an IT service management
environment" at:
www-306.ibm.com/software/tivoli/resource-center/overall/eb-itil-it-serv-mgmt.jsp
Microsoft has embraced ITIL and, based upon ITIL principles, has created a prescriptive
approach that is easily acted on, called the Microsoft Operations Framework (MOF). The MOF
provides operational guidance that enables organizations to achieve mission-critical system
reliability, availability, supportability, and manageability of Microsoft® products and
technologies. See more about the MOF at:
www.microsoft.com/technet/itsolutions/cits/mo/mof/
See more about the MOF and ITIL at:
www.microsoft.com/technet/itsolutions/cits/mo/mof/mofitil.mspx
Microsoft has established the Dynamic Systems Initiative (DSI), which takes the vision a step
further. DSI is a commitment from Microsoft and its partners to deliver self-managing
dynamic systems that help information technology (IT) teams capture and use knowledge to
design systems that are more manageable and automate ongoing operations. See more about
DSI at:
www.microsoft.com/windowsserversystem/dsi/
These are general principles. The next sections will get specific about both the Microsoft tools
and best practices that lead to Windows Server readiness, and how these apply to the
Contoso applications after their modernization through migration to the Windows Server
platform.
One specific principle is that good procedures and processes that follow the ITIL standards
are the key to the achievement of good results. This is true for IT systems availability,
security, and more, with any operating system and computing platform.
Chapter 2. RAS Plus
In the early decades of the mainframe systems that became the zSeries and now System z
computers running z/OS, IBM established a motto of "Reliability, Availability, and
Serviceability," or RAS, as three pillars of system excellence. Microsoft recognizes IBM's
reliability, availability, and serviceability requirements as valid pillars, and adds
Scalability, Security, and Performance as key attributes of a production Windows Server
operating system environment.
2.1 Reliability
Reliability is measured as the mean time between failures for the hardware and software
components of the system and its applications. The reliability of entire systems is dependent
upon the reliability of these individual components, or redundant component sets.
The issues concerning reliability are the same for both the mainframe and Windows Server.
Windows Server 2003 (the fourth major release of the operating system that started as
Microsoft Windows NT® 3.1 over ten years ago, in 1992) is mature, and hardware companies
that built mainframes in the past now build data center–class computers for Windows Server.
These companies include Hewlett-Packard, Unisys, Fujitsu, and even Sun Microsystems with
its Sun Fire line of AMD processor–based servers, and IBM with its xSeries line of servers.
The release progression of the Windows Server operating system has been Windows NT 3.1,
Windows NT 3.5, Windows NT 4.0, Windows NT 5.0 (branded as Windows 2000), and
Windows NT 5.2 (branded as Windows Server 2003). To view this version number on your
system, use the VER command at an operating system command-line prompt.
The reliability of the Windows Server operating system should be judged by the reliability of
the current release (Windows Server 2003 at the time of this writing) when it is properly
managed as a z/OS mainframe typically is managed. The technology has significantly
matured in the course of its four major releases and should be judged in its current form
when used as prescribed, as IBM mainframe system software would be judged. Likewise,
one should not judge the reliability of the Windows Server operating system by
experience on the desktop. The environments are markedly different. Even more notably, one
cannot effectively evaluate the reliability of the Windows Server operating system by the
experience of shops lacking mature processes, such as those practiced in most z/OS shops
and codified by ITIL.
One should assess the reliability of Windows by the experience of data centers that
follow best practices and use tools that enable those practices to be followed.
The reader is also referred to "Reliability with Windows Server 2003, Enterprise Edition,"
published at the time Windows Server 2003 was released, and as of this writing available at:
g.msn.com/9SE/1?http://download.microsoft.com/download/c/9/2/c929a358-01f5-45dc-8b14-4e85555af2e0/Reliability.doc&&DI=6066&IG=c17cb912e8e3421ab8d081de48f92c67&POS=8&CM=WPU&CE=8&CS=AWP&SR=8
2.2 Availability
High availability derives from good operations policies and the procedures that implement those
policies. High availability also derives from redundancy and failover. Availability is not the
same as reliability. For example, a system that can quickly recover from an application
program failure, such as z/OS Customer Information Control System (CICS) or Microsoft
Internet Information Services (IIS) on Windows Server 2003, can provide high availability even
for applications that are not in themselves reliable. Multiple systems operating in parallel,
such as Parallel Sysplex and CICSplex offered by IBM, or Microsoft's scale-out architecture,
can also deliver high availability for unreliable applications.
Redundant identical systems deployed in a scale-out or failover cluster have become the
regularly chosen alternative for organizations deploying critical e-commerce and line-of-
business applications, because they provide significant improvements in availability,
scalability, and manageability at an easily justified cost. Clustering installation and setup is
robust in Windows Server 2003 R2, while enhanced network features in the product provide
failover capabilities for high system uptime. Two types of clustering are part of Microsoft's
best practices tiered architecture:
Windows Server 2003 supports server clusters for up to eight nodes. If one of the nodes
in a cluster becomes unavailable because of failure or due to scheduled maintenance,
another node immediately begins to provide service, a process known as a clustered
server failover.
Windows Server 2003 also supports network load balancing (NLB), which balances
incoming Internet protocol (IP) traffic across identical nodes in a cluster.
See Appendix A for more information about the Windows Server operating system.
As a point of reference, as of June 2006, the universe of all Unisys ES-7000 servers deployed
using Windows Server 2003 Datacenter Edition has had an aggregate availability of 99.996
percent, and 78 percent of those servers have shown 100 percent uptime for over one year.
For more information, see:
www.unisys.com/products/enterprise__servers/high_d_end__servers/availability/index.htm
2.3 Serviceability
Hardware and software serviceability are distinct. This paper does not discuss hardware
serviceability except to say that mainframe-class capabilities are built into Windows Server
2003 Datacenter Edition–class hardware systems from companies like IBM, Hewlett-Packard,
Fujitsu, and Unisys.
Software serviceability comes down to the classic triad of problem determination, problem
correction, and the application of problem corrections.
Microsoft provides tools for problem determination and correction of applications for
Windows, for example just-in-time debugging of the application in its failure state, or
post-mortem (dump) debugging, in which an interactive debugger recreates the
application's state at the time of failure. These capabilities are delivered primarily by the
Microsoft Visual Studio® development system. A discussion of Visual Studio is beyond the
scope of this paper, but a short summary of the Visual Studio development environment is
provided in Appendix B. Microsoft partners provide additional tools for systems management
which aid in problem determination, for example AVIcode with their Intercept Studio product
and their Management Pack for Microsoft System Center Operations Manager 2007.
Descriptions of the AVIcode products are available at:
www.avicode.com/
Windows Server is deployed for specific server roles. A Manage Your Server role wizard allows
you to easily select a server configuration that deactivates components (programs) that are
unnecessary for that role. This reduced footprint not only enhances Windows Server security
but also provides more flexibility for changes and patches to the deactivated services. Today,
many Windows Server maintenance changes (QFEs) can be applied to a running server
without the need to restart the operating system. Windows Server 2008 delivers enhanced
componentization and allows for most maintenance changes to be applied without restarting
the operating system.
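The reduced footprint described above is only as good as its verification: a server deployed for one role should be running that role's services and nothing else, because every additional running service is code that must be patched and watched. The following added example (not code from the original document) parses the text that the Windows Service Control tool prints for `sc query` and lists the running services that fall outside an assumed role baseline. The `sc query` sample is constructed for illustration, and `WEB_ROLE_BASELINE` is a hypothetical allowlist, not Microsoft's published definition of the web server role.

```python
"""Audit the services running on a Windows Server against a role baseline.

Added example, not code from the original document. It parses `sc query`
output (one block per service, starting with SERVICE_NAME and containing a
STATE line) and reports running services that the baseline for the
server's role does not expect.
"""
import re
import subprocess

# Constructed sample in the shape of `sc query` output; not captured from a real host.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: W3SVC
DISPLAY_NAME: World Wide Web Publishing Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: Messenger
DISPLAY_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# Assumed allowlist for a "web server" role (hypothetical): the services the
# role itself needs. Derive the real list from the role's documentation.
WEB_ROLE_BASELINE = {"W3SVC", "IISADMIN", "HTTPFilter", "EventLog", "RpcSs",
                     "Dhcp", "Dnscache", "lanmanserver"}

_STATE_RE = re.compile(r":\s*\d+\s+([A-Z_]+)")  # "STATE : 4  RUNNING" -> RUNNING


def parse_sc_query(text):
    """Return {service_name: state_word} from `sc query` style output."""
    services = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("SERVICE_NAME:"):
            current = stripped.split(":", 1)[1].strip()
        elif stripped.startswith("STATE") and current is not None:
            match = _STATE_RE.search(stripped)
            if match:
                services[current] = match.group(1)
    return services


def unexpected_running(services, baseline):
    """Running services outside the baseline; Windows service names are
    case-insensitive, so compare them in lower case."""
    allowed = {name.lower() for name in baseline}
    return sorted(name for name, state in services.items()
                  if state == "RUNNING" and name.lower() not in allowed)


def audit_live_host(baseline=WEB_ROLE_BASELINE):
    """Run `sc query` on the local Windows host and audit its output."""
    result = subprocess.run(["sc", "query", "type=", "service", "state=", "all"],
                            capture_output=True, text=True, check=True)
    return unexpected_running(parse_sc_query(result.stdout), baseline)


if __name__ == "__main__":
    for name in unexpected_running(parse_sc_query(SAMPLE_SC_QUERY), WEB_ROLE_BASELINE):
        print(f"running but not in role baseline: {name}")
```

Run against the constructed sample the audit flags `Spooler`: the web role does not need a print spooler, so it is footprint the role wizard would have deactivated. `audit_live_host()` performs the same comparison on a real host; the baseline is the part to get right, one allowlist per server role, maintained as part of the role's build documentation.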
Both Windows Server and mainframes have advanced processes for the distribution and
automatic application of problem corrections. The IBM process derives from their System
Management Procedure (SMP), which they introduced in the 1980s. Microsoft provides
Microsoft Systems Management Server (SMS) and Operations Manager for a system
administrator or systems programmer to centralize the application management and server
serviceability from the perspective of patching, problem determination, and resolution.
2.3.1 Whole Computer Serviceability
Serviceability at the level of a whole computer must be included in the serviceability
discussion of a scale-out cluster of identically configured computers. In this architecture, an
individual computer member of the cluster is simply a unit of computing capacity. The
removal of a unit—a server computer—due to failure or for planned service is simply a
reduction of capacity inversely proportional to the number of units in the cluster. Removing
one unit in a four-server cluster reduces capacity by 25 percent, while adding a unit to a
four-server cluster increases capacity by 20 percent.
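The two cluster types from section 2.2 and the unit-of-capacity view above can be put into a small model. The following is an added example, not code from the original document: each node of a scale-out (NLB-style) array is one unit of capacity, a health check takes a node out of rotation without interrupting service, a server (failover) cluster hands service to the next surviving node, and `combined_availability` shows what redundancy buys when nodes fail independently. The node names, the 99.9 percent per-node figure and the assumption of independent failures are constructed for the example; the 32-node NLB and eight-node server cluster limits are the ones the text states.

```python
"""Model of a scale-out cluster of identical server nodes.

Added example, not code from the original document. Each node is one unit
of capacity. The model shows what share of capacity one unit represents,
how an NLB-style array keeps serving requests when a node is marked
unhealthy, how a server (failover) cluster hands service to a surviving
node, and how much availability redundancy buys. Node names and the
availability figures used below are constructed.
"""
from dataclasses import dataclass

NLB_MAX_NODES = 32            # NLB array limit stated in the text
SERVER_CLUSTER_MAX_NODES = 8  # server cluster limit stated in the text


@dataclass
class Node:
    name: str
    healthy: bool = True


class ScaleOutCluster:
    """NLB-style array: every healthy node serves traffic."""

    def __init__(self, names, max_nodes=NLB_MAX_NODES):
        self.max_nodes = max_nodes
        self.nodes = [Node(n) for n in names]
        self._cursor = 0  # round-robin position

    def unit_share(self):
        """Capacity represented by one node: 1/n of the whole array."""
        return 1.0 / len(self.nodes)

    def capacity_fraction(self):
        """Capacity currently serving, relative to the configured array."""
        healthy = sum(1 for n in self.nodes if n.healthy)
        return healthy / len(self.nodes)

    def add_node(self, name):
        if len(self.nodes) >= self.max_nodes:
            raise ValueError(f"array already has {self.max_nodes} nodes")
        self.nodes.append(Node(name))

    def remove_node(self, name):
        """Planned removal: the node is simply no longer part of the array."""
        self.nodes = [n for n in self.nodes if n.name != name]

    def set_health(self, name, healthy):
        """Health-check result: an unhealthy node stays configured but gets no traffic."""
        for n in self.nodes:
            if n.name == name:
                n.healthy = healthy

    def route(self, request_count):
        """Spread requests round-robin over healthy nodes; return the node per request."""
        healthy = [n.name for n in self.nodes if n.healthy]
        if not healthy:
            raise RuntimeError("no healthy node: the array is down")
        served = []
        for _ in range(request_count):
            served.append(healthy[self._cursor % len(healthy)])
            self._cursor += 1
        return served


class FailoverCluster:
    """Server cluster: one node is active; on failure the next healthy node takes over."""

    def __init__(self, names, max_nodes=SERVER_CLUSTER_MAX_NODES):
        if not 1 <= len(names) <= max_nodes:
            raise ValueError(f"a server cluster has 1 to {max_nodes} nodes")
        self.nodes = [Node(n) for n in names]

    def active(self):
        for n in self.nodes:
            if n.healthy:
                return n.name
        raise RuntimeError("no healthy node: service unavailable")

    def fail(self, name):
        for n in self.nodes:
            if n.name == name:
                n.healthy = False


def combined_availability(node_availability, node_count):
    """Availability of a service that is up while at least one of node_count
    identical, independently failing nodes is up: 1 - (1 - a)^n."""
    if not 0.0 <= node_availability <= 1.0 or node_count < 1:
        raise ValueError("availability must be in [0, 1] and node_count >= 1")
    return 1.0 - (1.0 - node_availability) ** node_count


if __name__ == "__main__":
    array = ScaleOutCluster(["web1", "web2", "web3", "web4"])
    print(f"one of four nodes is {array.unit_share():.0%} of capacity")
    array.add_node("web5")
    print(f"one of five nodes is {array.unit_share():.0%} of capacity")
    array.set_health("web2", False)
    print("requests served by:", array.route(8))
    print(f"two nodes at 99.9% each: {combined_availability(0.999, 2):.6%}")
```

The model separates planned removal (the node leaves the array, so the array is smaller and each remaining unit is a larger share) from a failed health check (the node stays configured but receives nothing), which is the distinction that lets an NLB array lose a node with no impact on application availability. The availability formula assumes independent node failures; correlated causes such as a shared storage or network path are exactly what such a model hides, so it is an upper bound, not a measurement.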
When a new server computer is added to a cluster that is under Microsoft System Center
provisioning, the operating system, applications, and any other required software are
automatically installed, even on a "bare metal" machine with no preinstalled software. For
more information on Remote Installation Services (RIS) technology, see:
technet2.microsoft.com/windowsserver/en/library/640be2c6-5028-4ba5-a4fc-87729b71f8391033.mspx
After a RIS-based operating system installation, Microsoft System Center Configuration
Manager can install applications, configure application settings, or perform other server
provisioning.
2.4 Scalability
Scale is the ability to increase (or decrease) processing power in proportion to the addition (or
deletion) of hardware. Scalability is a measure of how well a system scales up or down.
Windows scales at small increments of cost (and power), making it economical to grow the
system as needs grow, and to reduce capacity and related costs should needs decline.
Microsoft has engineered Windows Server to fill both scale-up and scale-out business
requirements, and both are used within Microsoft's preferred deployment architecture.
2.4.1 Scale-Up
From the hardware perspective, scale-up is the addition of more hardware—more processors,
memory, and I/O bus paths—to a single computer. From an operating systems perspective,
scale-up is the ability to gain better performance from a single instance of the operating
system when more hardware and power are added to a single system. The simplest example
of scale-up is the addition of more processors to a single system. As of June 2006, the largest
z/OS mainframe can have 54 processors and the largest Windows Server configuration can
have 64 processors. This is not to imply that a Windows Server operating system can have
more capacity, but is a clear statement that both types of operating system can address and
schedule use of many processors for a large workload requirement.
While there are many well-known exceptions, typically as hardware resources are doubled,
less than a twofold increase in performance is achieved. Microsoft SQL Server™ is an example
of a server designed and programmed to make effective use of a large multi-processor server.
Servers in this category cost more money per processor than the same number of processors
configured on separate servers. Most applications do not require many processors on one
single server, and are not programmed to use multiple processors. Typically there is a non-
linear declining curve of improved performance versus added hardware on a single system.
For these reasons of cost and return, the preferred approach is generally to scale out
hardware when possible and scale up only when necessary (for example, only for a monolithic
workload that cannot be distributed among multiple machines).
It is worth noting that the use of multiple processors within a single application is relatively
new to the z/OS programming space. Historically CICS programs were written as "single
user" programs, and in fact this simplicity was called out as one of CICS' advantages. Only
recently has popular guidance emerged to encourage CICS programs to be written to
accommodate multiple threads of concurrent execution (on multiple processors).
2.4.2 Scale-Out
Scale-out is the ability to add power by adding more systems to a cluster of (generally
identical) systems configured in a parallel cluster. The scalability of scale-out is often nearly
linear: add twice as many systems, and get twice as much power and performance. Scale-out
clusters of identical systems can be managed as if they were a single system. Windows Server
provides network load balancing (NLB) cluster support; an NLB array can have up to 32
nodes of any server size. Properly configured, NLB nodes can be added to or removed from the
array with no impact on application availability. Both Microsoft .NET-based applications and
other applications can run in this configuration via the IIS service or using Windows
Component Services to run applications written to the older COM+ development architecture.
Windows Server scales near or at the top with the major line-of-business commercial off-the-
shelf applications. For example, Windows Server scales near the top with SAP, PeopleSoft,
and Siebel. Some examples are specifically referenced later in this document. Windows Server
is also near or at the top in commercial benchmarks published by the Transaction Processing
Council, such as TPC-C. For more information, see:
www.tpc.org/
To read an executive summary of our scalability, and for full configuration and benchmarks
from TPC, see:
tpc.org/results/individual_results/HP/hp_orca1tb_win64_ex.pdf
2.5 Security
Computing system security has become important since the time that IBM established RAS
as a key set of system attributes. Security was designed into the Windows Server operating
system (named Windows NT at the time) from its inception. The predecessor versions of z/OS
did not have a security mechanism until Remote Access Control Facility (RACF) and third-
party alternatives such as CA's ACF2 and Top Secret were added onto the IBM mainframe
operating system in the late 1970s.
Windows Server 2003 is currently certified by the Computer Emergency Response Team
(CERT) standards at EAL level 4+. These are the standards defined by 27 of the largest federal
governments in the world, and shared as a common basis of requirements for creating secure
operating system code. The previous release of Windows Server, Windows 2000, also was
certified at EAL 4+. In the past, IBM did not participate in the CERT certification process with
z/OS (OS/390 or MVS), but did finally receive EAL 4 certification in Q2 2006. There are no
commercial operating systems certified at EAL 5 and above. Open-source operating systems
like Linux are certified at EAL 3.
Every object in the Windows Server operating system can be protected, and only authorized
users or groups of users are allowed to access those objects. Examples of objects are the file
system directories and files (including program files), database views, and online applications
(running under IIS). Using the role-based security provided by Windows Authorization
Manager (generally comparable to RACF user security under CICS), one can authorize users
to only certain functions (such as reads versus updates, create accounts versus change) and
authorize access to only certain database data.
To validly compare the security of any two platforms, one must compare systems with
equivalent functionality installed. Therefore to compare the security of Windows Server 2003
to z/OS one needs to look at the kernel operating system and the basic facilities needed to
run operating system processes. For example, if one includes IIS (which provides transaction
monitoring and management on Windows Server) then one must also include CICS on z/OS.
If one considers a Windows HTTP server's security, one must compare that to z/OS running
an HTTP server both behind the same firewall and not behind firewalls, and exposed to the
same attacks.
Very few z/OS systems have been exposed to the variety and volume of attacks that are made
when a computer system is exposed on the Internet. At least tens of thousands of Windows
Server operating systems have survived this level of attack because they are on the Internet
and continually exposed to these attacks.
Security in Windows is compared to security in CICS in a paper available at:
http://download.microsoft.com/download/5/d/6/5d6eaf2b-7ddf-476b-93dc-7cf0072878e6/RACF-CICS.doc
2.5.1 Security Development Lifecycle and the Microsoft Security Response Center
The Security Development Lifecycle (SDL) is a process Microsoft designed to develop software
that will withstand malicious attacks. The process adds a series of security-focused activities
and deliverables to each phase of the Microsoft software development process, including the
development of threat models during software design, the use of static analysis code-
scanning tools during implementation, and the conducting of code reviews and security
testing. Before software subject to the SDL can be released, it must undergo a final security
review by a team independent from its development group. Software that has undergone the
SDL has a significantly reduced rate of external discovery of security vulnerabilities when
compared to software that has not been subject to the SDL. Best practices and knowledge
gained by the Microsoft Security Response Center (MSRC) through its security response
processes are regularly integrated into the SDL process. For more about the SDL, see:
msdn2.microsoft.com/en-us/library/ms995349.aspx
The MSRC is the hub of a carefully designed and frequently refined worldwide security
response system created to protect Microsoft customers from vulnerabilities discovered in
Microsoft software after it is released. Established in 1996, the MSRC pursues its mission in
two ways:
- It proactively seeks information about software vulnerabilities, and then provides security bulletins and updates that specifically address those vulnerabilities.
- It constantly monitors evidence that a security incident is underway, and responds quickly and aggressively to help protect customers from security threats when they emerge.
The MSRC is part of Microsoft's overall security effort and its commitment to build software
and provide services that will help better protect customers, the industry, and critical
infrastructures. The MSRC is focused specifically on Microsoft's security response efforts; it
takes part in the later stages of the vulnerability management life cycle.
The MSRC is described in more detail in Appendix F. Here, you will see reference to the U.S.
Computer Emergency Response Team (US-CERT) summary of 5198 vulnerabilities for 2005
as follows:
- 812 Windows operating system vulnerabilities
- 2328 Unix/Linux operating system vulnerabilities
- 2058 multiple operating system vulnerabilities
As of the writing of this document, US-CERT has not posted summary numbers for 2006.
However, a brief visit to www.us-cert.gov/cas/bulletins/ reveals that vulnerabilities on
Windows are not dominant. Unfortunately, the number of vulnerabilities by operating system
is no longer easy to identify.
2.6 Performance
Performance can be illustrated by many methods. This section focuses on the experience of
customers and line-of-business or industry benchmarks.
2.6.1 Performance Experience of Customers
A number of major enterprises depend on the performance of Windows Server and the data
center–class hardware on which it runs, in order to "run the business." Several examples of
those are included in this section.
London Stock Exchange
The London Stock Exchange needed a solution to meet their demanding real-time
environment with the reliability, performance, and scalability that would last them for many
years. With Windows Server, they achieved the lowest transaction latency of any stock
exchange in the world:
- 3,000-plus transactions per second, with 300-millisecond latency
- Sub-second hot failover between servers, with no client disruption
- Half the time-to-market, compared to that of other platforms
Danske Bank
Danske Bank needed to establish new lines of business that their current environment could
not sustain. They added a SQL Server data warehouse to solve the requirement for rapid
response for 300 concurrent clients.
Scottish and Southern Energy
Scottish and Southern Energy created a new financial reporting system to generate internal
reports and to meet the demands of investors and owners. They achieved:
- Improved report performance
- Lowered total cost of ownership (TCO)
- A scalable solution for future growth
Bovespa Stock Exchange
Bovespa needed a modern structure for clearing and depository operations in Brazil. By using
Windows Server, they were able to:
- Handle 1.6 million messages per day with 99 percent having a response time below 0.5 seconds
- Create a highly available and scalable platform that allows scaling out and scaling up as needed
2.6.2 Performance Benchmarks
The performance capability of Windows Server is also indicated by industry standard
benchmarks. Vendors of business applications publish benchmarks that are used for
hardware sizing. The Windows Server operating system consistently performs at or near the
top in these measures. This section shows the results for Windows Server, as published on
Microsoft.com as of the time this document was written.
Application Vendor Benchmarks

E-Business
Workload/Application                               Result                              Rank
Siebel eBusiness Applications                      30,000 concurrent users             #1
SAP R/3 Sales and Distribution (three-tier)        26,000 concurrent users             #3
SAP R/3 Sales and Distribution (32-way two-tier)   2,750 concurrent users              #3
SAP APO-DP (4-way two-tier)                        157,555 planned combinations/hour   #1
Industry Benchmarks
The Transaction Processing Council offers an industry standard benchmark of a simulated
warehousing application. This is a heavily contested benchmark even by IBM. In recent
history, IBM has never submitted any result on z/OS; IBM has submitted results only from
its pSeries and xSeries (Windows-based) machines.
Online Transaction Processing (OLTP)
Workload/Application                 Result                                            Rank
TPC-C (non-clustered all systems)    786,646 transactions per minute, type C (tpmC)    #4
TPC-C (non-clustered 8-way)          175,366 tpmC                                      #3
TPC-C (non-clustered 2-way)          44,942 tpmC                                       #1
TPC-W (10,000 item count)            21,139 Web interactions per second (WIPS)         #1
Decision support benchmarks measure analytical database processing, such as in a data
warehouse.
Decision Support
Workload/Application                       Result                                            Rank
TPC-H (300-gigabyte [GB] non-clustered)    6,551 queries per hour, type H (QphH) at 300 GB   #1
TPC-H (100-GB non-clustered)               5,618 QphH at 100 GB                              #1
Source: www.microsoft.com/windowsserver2003/evaluation/performance/benchmarks/default.mspx
Chapter 3. Operational Systems Management
Mainframe systems management is a highly evolved discipline, especially in IBM z/OS
systems management. In a large z/OS shop, systems management has subspecialties such as
performance management for service level attainment, direct attached storage device (DASD)
space management for disk usage, and overall computing capacity management and
planning. The tools used in these areas are generally unique to the z/OS environment. There
are many advanced tools available from IBM and third-party vendors. Network management
is usually managed separately, generally in a manner and with tools in common between the
mainframe, Windows Server, and other systems areas, especially since organizations have
moved to IP-based networks.
Management of Windows Server operating systems is also now greatly evolved, and is
discussed in this section. Most importantly, the discipline that is commonplace in a z/OS
mainframe shop is formally applied to Windows Server through the adoption of ITIL
principles, which Microsoft has implemented within the Microsoft Operations Framework
(MOF). Many z/OS shops follow the principles encoded by ITIL, though the principles are not
usually identified as such. The issues and solutions related to management of Windows
Server operating systems are described within this section below.
3.1 Microsoft Solutions Framework
The Microsoft Solutions Framework (MSF) provides people and process guidance—the proven
practices of Microsoft—to help teams and organizations become more successful in delivering
business-driven technology solutions. The MSF is described at:
www.microsoft.com/technet/itsolutions/msf/default.mspx
3.2 Microsoft Operations Framework
Microsoft has long recognized the value of industry best practices and standards for IT
operations. In particular, guidance provided through ITIL has been globally acknowledged as
providing a sound basis and the de facto standard for IT service management.
In keeping with ITIL's philosophy of "adopt and adapt," Microsoft has chosen to provide
additional specific guidance via the Microsoft Operations Framework (MOF). The MOF is
applicable to customers using Microsoft technologies within their environments. Microsoft
created the first version of the MOF in 1999. The MOF was designed to complement the well-
established Microsoft Solutions Framework (MSF) for solution and application development.
Together, the MSF and MOF frameworks provide guidance throughout the IT life cycle.
The Microsoft Operations Framework provides
operational guidance that enables organizations to
achieve mission-critical system reliability, availability,
supportability, and manageability of Microsoft products
and technologies. With its Process Model, the MOF
provides guidance with which to assess current IT service
management maturity, prioritize processes of greatest
concern, and apply proven principles and best practices
to optimize the management of a Windows Server
operating system.
In addition to the Process Model, the MOF provides the Team Model and the Risk
Management Discipline, which together are its core components. The MOF is described at:
www.microsoft.com/MOF
The "MOF Executive Overview" is available at:
www.microsoft.com/technet/solutionaccelerators/cits/mo/mof/mofeo.mspx
Microsoft also embraces continuous improvement. The MOF continuous improvement
roadmap is a vehicle to help make continuous improvement of IT services easier to act on and
more achievable.
3.3 Real-Time Monitoring, Problem Determination, and Problem Correction
Microsoft System Center Operations Manager 2007 (named Microsoft Operations Manager or
MOM in its prior releases) is a key component of the Dynamic Systems Initiative (DSI)
described below. It provides manageability as part of the design and implementation of
Windows Server technologies. By delivering operational knowledge and subject expertise
directly from the application developers, Operations Manager helps simplify identification of
issues, streamlines the process for determining the root cause of problems, and facilitates
quick resolution to restore services and to prevent potential IT problems.
Organizations deploy monitoring technologies in an effort to reduce costs associated with the
complexity and effort of managing large numbers of servers and server-based applications in
their enterprise environment. Operations Manager assists customers to achieve IT service
level commitments through the use of management packs. Operations Manager management
packs specific to Microsoft operating systems can be seen at the following link:
www.microsoft.com/technet/prodtechnol/mom/catalog
/catalog.aspx?kw=&vs=2007&ca=&co=All
The difference between Operations Manager management packs and similar management
technology lies in:
- Development of the management packs by the product groups that developed the products to which the packs apply
- The methodology by which management packs are developed
As the first stage of delivering on the DSI vision, Operations Manager management packs
provide built-in product-specific operational intelligence, encapsulating knowledge from the
individual Microsoft product teams developing the applications, Microsoft Consulting
Services, and Microsoft Support Services—and these management packs make it available
out of the box. Secondly, and most notably, is the Design for Operations methodology that is
used to first analyze and then design the management of applications and services for
Windows.
The Design for Operations methodology of managing applications contrasts sharply to the
typical way in which application management is developed. As opposed to an outside-in
approach, where outside consultants define management, Design for Operations requires
developers of Microsoft applications or services to adopt an inside-out approach based on
their personal knowledge of the application or service. Instead of only monitoring processes or
services for an up/down status and generating an alert to a console, Design for Operations
requires that developers analyze and break down an application or service into a framework
that will describe the application from a management perspective.
The Design for Operations methodology initially uses three models as the basis for
implementing management for a service or application:
- The Health Model
- The Task Model
- The State Model
The models are meant to provide a prescriptive mechanism for ensuring that management is
built for every service and application, and that the management is aligned with the needs of
the administrators who will be running the services. As of 2005, all Microsoft applications
and operating system subservices, such as Domain Name System (DNS), Dynamic Host
Configuration Protocol (DHCP), and File/Print, must be developed using the modeling of
Design for Operations methodology.
3.3.1 The Health Model
The Health Model defines what it means for a system to be healthy or unhealthy, and it
defines how a system transitions in and out of such states. Good information on a system's
health is necessary for the maintenance and diagnosis of running systems. The content of the
Health Model becomes the basis for system events and instrumentation on which monitoring
and automated recovery is built. Often, system information is supplied in a developer-centric
way, which does not give the administrator or systems support staff operational visibility into
the applications. The Health Model seeks to guide both what kinds of information should be
provided, and how the system or the administrator should respond to the information.
The Health Model has the following goals:
- Document all management instrumentation exposed by an application or service.
- Document all service health states and transitions that the application can experience when running.
- Determine the instrumentation (events, traces, performance counters, and WMI objects/probes) necessary to detect, verify, diagnose, and recover from bad or degraded health states.
- Document all dependencies, diagnostics steps, and possible recovery actions.
- Identify what conditions will require intervention from an administrator.
For example, the Microsoft SQL Server Management Pack has been developed using the
Health Model, to provide administrators with an understanding of the health of a SQL Server
system as a whole, as well as the health of the services upon which SQL Server depends.
Specifically, the SQL Server Management Pack uses complex monitoring rules to indicate
health of the following scenarios:
Scenario, Elements Monitored, Configurable Elements:

Block analysis
  Configurable elements: Modify the time threshold, which by default is one minute.

Database availability

Database configuration monitoring
  Configurable elements: Enable this monitoring feature and configure the database configuration settings that you want to apply to your environment.

Database growth

Database health monitoring
  Elements monitored: Availability; Performance; Security
  Configurable elements: Modify the list of high-severity databases; in addition to triggering unhealthy alerts, databases that are defined as high-severity databases will trigger a service-unavailable alert.

Database space monitoring
  Configurable elements: Modify the threshold values that are used to trigger both warning and error events. Disable space monitoring for specific types of databases.

Database file monitoring

Database group monitoring

Excluding databases from monitoring
  Configurable elements: Create a text file list of databases to exclude from the following monitoring scenarios: database space monitoring, transaction log space monitoring, database health.

Excluding database instances from monitoring
  Configurable elements: Create a text file list of database instances to exclude from the following monitoring scenarios: database space monitoring, transaction log space monitoring, database health.

Excluding database engine instances from monitoring

Excluding long-running agent jobs from monitoring
  Configurable elements: Create a text file list of agent jobs to exclude from monitoring for long-running agent jobs.

Long-running agent jobs
  Configurable elements: Modify the time threshold, which is by default 60 minutes. Configure to discover each specific job instead of the aggregate of jobs (available only for SQL Server 2005).

Performance thresholds
  Configurable elements: Modify the thresholds for performance alerting. Enable rules that are disabled by default and modify thresholds for these rules.

Publication component monitoring

Service Pack compliance
  Configurable elements: Specify which Service Pack version to check for (you must manually configure Service Pack 2). Generate success events, in addition to failure events.

Subscription component monitoring

SQL Server replication performance collection
  Configurable elements: Enable replication performance rules to collect data for public views.

SQL Server Role availability
  Elements monitored: Database engine; SQL Server 2005 Reporting Services (only); SQL Server 2005 Analysis Services (only); SQL Server 2005 Integration Services (only)
  Configurable elements: Enable monitoring of the Full Text Search service, which is disabled by default.
Using the concept of health modeling, the SQL Server Management Pack provides more than
simple monitoring. It ensures that the correct components of the application are being
managed; gives system operators and administrators a clear understanding of how a detected
problem affects the health of the service; and finally provides local automation, prescriptive
guidance, and tasks to diagnose and remedy the problem.
If a management technology is monitoring an application or service without a deep
understanding of the Health Model, IT operators will be required to invest time and resources
to analyze the relevance of an alert to the operations of their organization.
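A worked illustration of the Health Model applied to the database scenarios in the table above, written for this document as an added Python example (not Microsoft's management pack code); the database names, the sample readings and the space-threshold defaults are assumptions, while the one-minute block threshold, the 60-minute job threshold, the high-severity list and the text-file exclusion list follow the table:

```python
"""Health-model evaluator in the spirit of the Design for Operations Health Model.
Added example, not Microsoft's management pack code: it maps a database's
instrumentation to an explicit health state, records state transitions, and
applies configurable elements from the SQL Server Management Pack table (space
thresholds, block-analysis threshold, long-running agent job threshold,
high-severity list, text-file exclusion list). Names, sample data and the
space-threshold defaults are constructed for illustration."""
from dataclasses import dataclass, field
from enum import IntEnum

class Health(IntEnum):  # ordered so that max() picks the worst state
    HEALTHY = 0
    WARNING = 1
    ERROR = 2
    SERVICE_UNAVAILABLE = 3

@dataclass
class DatabaseSample:  # one instrumentation sample for a database (constructed)
    name: str
    available: bool             # availability probe result
    space_used_pct: float       # data file space used, in percent
    longest_block_seconds: int  # longest current blocking chain
    longest_job_minutes: int    # longest running agent job on this database

@dataclass
class HealthConfig:
    """Configurable elements; block/job defaults follow the MP table, space thresholds are assumed."""
    space_warning_pct: float = 80.0
    space_error_pct: float = 90.0
    block_threshold_seconds: int = 60
    job_threshold_minutes: int = 60
    high_severity: set = field(default_factory=set)
    excluded: set = field(default_factory=set)

def parse_exclusion_list(text: str) -> set:
    """Parse a 'text file list of databases to exclude': one name per line,
    blank lines and '#' comments ignored, names compared case-insensitively."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line.lower())
    return names

def evaluate_database(sample: DatabaseSample, cfg: HealthConfig):
    """Return (state, alerts) for one sample, or None if it is excluded."""
    if sample.name.lower() in cfg.excluded:
        return None
    findings = []  # (state, alert text)
    if not sample.available:
        findings.append((Health.ERROR, "database unavailable"))
    if sample.space_used_pct >= cfg.space_error_pct:
        findings.append((Health.ERROR, "space used above error threshold"))
    elif sample.space_used_pct >= cfg.space_warning_pct:
        findings.append((Health.WARNING, "space used above warning threshold"))
    if sample.longest_block_seconds > cfg.block_threshold_seconds:
        findings.append((Health.WARNING, "blocking longer than block threshold"))
    if sample.longest_job_minutes > cfg.job_threshold_minutes:
        findings.append((Health.WARNING, "long-running agent job"))
    state = max((s for s, _ in findings), default=Health.HEALTHY)
    alerts = [text for _, text in findings]
    # A high-severity database raises a service-unavailable alert on top of
    # its unhealthy alerts; that is the worst state in this model.
    if state != Health.HEALTHY and sample.name.lower() in cfg.high_severity:
        state = Health.SERVICE_UNAVAILABLE
        alerts.append("service unavailable (high-severity database)")
    return state, alerts

class HealthTracker:
    """Keeps the last state per database and reports transitions, not raw alerts."""
    def __init__(self, cfg: HealthConfig):
        self.cfg = cfg
        self.last = {}

    def observe(self, samples):
        """Evaluate a batch; return (worst monitored state, transitions), each
        transition being (name, previous state, new state)."""
        transitions, worst = [], Health.HEALTHY
        for sample in samples:
            result = evaluate_database(sample, self.cfg)
            if result is None:
                continue
            state, _alerts = result
            worst = max(worst, state)
            prev = self.last.get(sample.name, Health.HEALTHY)
            if prev != state:
                transitions.append((sample.name, prev, state))
            self.last[sample.name] = state
        return worst, transitions

# Constructed data: a high-severity payroll database, a scratch database that the
# exclusion file removes from monitoring, and an ordinary reporting database.
EXCLUSION_FILE = "# databases not monitored\nscratch\n\ntempdb_copy\n"
CONFIG = HealthConfig(high_severity={"payroll"}, excluded=parse_exclusion_list(EXCLUSION_FILE))
ROUND_1 = [DatabaseSample("payroll", True, 72.0, 0, 5),
           DatabaseSample("scratch", True, 99.0, 500, 900),
           DatabaseSample("reporting", True, 85.0, 30, 10)]
ROUND_2 = [DatabaseSample("payroll", True, 91.0, 0, 5),
           DatabaseSample("scratch", False, 99.0, 500, 900),
           DatabaseSample("reporting", True, 85.0, 120, 75)]
```

Feeding ROUND_1 and then ROUND_2 to one HealthTracker reports the reporting database moving to WARNING, then the payroll database moving straight to SERVICE_UNAVAILABLE because it is on the high-severity list, while the excluded scratch database never produces a state at all.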
3.3.2 The Task Model
Microsoft developers use the Task Model of the Design for Operations methodology to
enumerate the activities that are performed in managing the system. These may be
maintenance tasks performed on a routine basis, such as backup, event-driven tasks (such
as adding a user), or diagnostic tasks performed to correct system failures. Defining these
tasks guides the development of administration tools and interfaces, and it becomes the basis
for automation. Used in conjunction with the Health Model and ensuing instrumentation, the
Task Model also drives self-correcting systems.
The Task Model is utilized by management pack developers in the creation of product- or
service–specific management, rules, and administrator tasks. Management packs make use of
the Task Model to understand which error situations can be corrected on the managed
system by using self-correcting rules, and which will require human intervention. Likewise,
the Task Model provides IT administrators with preconfigured, remotely launched tasks from
within the Operations Manager console that will assist in either error diagnosis or correction.
A list of SQL Server Management Pack tasks that can be performed from the Operations
Manager console can be found in Appendix E.
The concept of the Task Model ensures that the Operations Manager management packs
assist in reducing the operations burden of an application or service by offering developer-
provided best practices for resolving error situations, either through local automation or
through Operations Manager console–run administrator tasks.
Without the concept of a Task Model, most monitoring applications rely on the IT
organization to write complex scripts and rules that can determine how to resolve error
situations locally, or to determine the correct diagnostic procedures or tools needed to remedy
a problem remotely.
3.3.3 The State Model
The State Model of the Design for Operations methodology will be increasingly used by the
future Windows Server platforms and applications, to provide administrators with a
comprehensive means of managing both the availability and configuration of systems and
applications. State modeling catalogs the state and settings associated with an application,
and defines the scope and type for each. State may be associated with the computer or the
user, it may be temporary or permanent, and it might be user data or operational parameters.
Having a strict association of every state entity with its scope and category allows the
administrator flexibility in deployment and provides a powerful tool for control.
Operations Manager management packs provide administrators with health and state
information from views within the Operations Console. In addition to alert views found in
other management applications, the State view in the Monitoring pane provides Operations
Manager operators with a quick overview of server health. Each computer shown in the State
view receives a rating in critical categories. The rated categories include memory, operating
system, and Microsoft Active Directory® as well as specific application categories, such as
SQL Server and Microsoft Exchange Server. The operator can expand a particular category to
view server status shown in subcategories.
Operations Manager provides users with a variety of topological views that show the
automatic discovery of nodes and relationships. With topological views, IT operators can
access node status, navigate to other views, and launch context-sensitive actions. This helps
reduce resolution time for complex problems from tens of hours to tens of minutes,
significantly reducing cost and improving service levels. For example, when something
happens to an application such as SQL Server, the name of that application turns red in the
State view. By double-clicking the red application, a more detailed view opens, showing one
or more trouble spots in red. The operator can continue drilling down in detail until the
cause is uncovered. The Operations Manager console tasks and prescriptive guidance are
then available to help resolve the issue.
By combining health and state with alert information, IT operators no longer have to perform
research to understand the organizational impact of alerts. By maintaining awareness of
system and service availability, IT staff is better able to identify, address, and resolve IT
reliability and performance issues before they become serious problems and have a negative
impact on business applications. Through the use of state modeling and directly monitoring
the event, health, and performance information of the Windows Server operating system,
Operations Manager helps highlight relevant and important information that can be
captured, evaluated, and presented to operators, helping prevent issues from going unseen.
Figure 1. Operations Manager 2007 SQL Server Database Health
3.4 Operations Manager 2007 Case Studies
Listed here are some case studies about customers who use Operations Manager 2007, or the
prior release, named Microsoft Operations Manager or MOM.
- Carnival Cruise Lines video at mms://wm.microsoft.com/ms/systemcenter/opsmgr/Carnival_Cruise_2Mbps.wmv
- Virgin Megastores video at mms://wm.microsoft.com/ms/systemcenter/opsmgr/VirginMegastore_2Mbps.wmv
- General Dynamics Advanced Information Systems, "Information System Provider Moves from Reactive to Proactive Server Management"
3.5 Dynamic Systems Initiative (DSI)
The Dynamic Systems Initiative (DSI) is a commitment from Microsoft and its partners to help
IT teams capture and use knowledge to design more manageable systems and automate
ongoing operations. Using the DSI results in reduced costs and more time to proactively focus
on what is most important to the organization.
From a core technology perspective, the DSI is about building software that enables
knowledge of an IT system to be created, modified, transferred, and operated on throughout
the life cycle of that system. Knowledge of the designers' intent for those systems, knowledge
of the environment in which the systems operate, knowledge of IT policies that govern those
systems, and knowledge of the user experience associated with those systems is all included.
Today, monitoring rules that encode the health and structural aspects of hardware and
software can be created in the form of management packs for Operations Manager. Longer
term, all facets (software, hardware, network, components) and the configurations and
behaviors of the application as a whole will be modeled using a schema called the System
Definition Model (SDM).
By delivering software and solutions that enable knowledge of an IT system to be captured in
these models and operated on across the life cycle, the DSI will result in:
- Increased productivity and reduced costs across the entire IT organization
- Reduced time and effort required to troubleshoot and maintain systems
- Improved system compliance with business and IT policies
- Increased responsiveness to changing business demands
In support of the goals of the DSI, Microsoft has pioneered partnerships with leading
hardware and software vendors to increase the manageability of IT infrastructure. On July 31
2006, BEA Systems, BMC Software, Cisco Systems, Dell, EMC, Hewlett-Packard, IBM, and
Intel joined Microsoft in publishing a draft of a specification that defines a consistent way to
express how computer networks, applications, servers and other IT resources are described,
or modeled, in XML, so businesses can more easily manage the services that are built on
these resources.
As a result of joint collaboration, the open, industry-wide specification defines a common
language for expressing information about IT resources and services. Called the Service
Modeling Language, the specification enables a hierarchy of IT resource models to be created
from reusable building blocks, rather than requiring custom descriptions of every service,
thereby reducing costs and system complexity for customers. The group plans to submit the
draft specification to an industry standards organization later in 2007.
3.5.1 DSI Articles and White Papers
Following are links to various articles and white papers about the Dynamic Systems
Initiative.
- Core DSI principles are noted at www.microsoft.com/windowsserversystem/dsi/dsicore.mspx
- "Dynamic Systems Initiative Overview White Paper" at www.microsoft.com/windowsserversystem/dsi/dsiwp.mspx
- "Service Modeling Language Specification" at www.microsoft.com/windowsserversystem/dsi/serviceml.mspx
- "Enabling Heterogeneous Systems Management Using DSI" at www.microsoft.com/windowsserversystem/dsi/heterogeneity.mspx
- "Health Modeling: A Key Step to DSI-Enabled Applications" at www.microsoft.com/windowsserversystem/dsi/designwp.mspx
Chapter 4. Maintenance (Systems Programming)
In a mainframe shop, the application of systems maintenance is a highly evolved and
automated process. This process is evolved from the IBM Systems Maintenance Process
(SMP), introduced over 20 years ago, before which maintenance was a difficult and time-
consuming task. Before SMP, systems maintenance was also prone to human error. Ongoing
maintenance on the mainframe is through application of a program temporary fix (PTF).
In the Windows and UNIX cultures, making temporary fixes is usually referred to as patching
the system. Microsoft has an automated process to manage and apply such patches—in other
words, to apply system maintenance.
4.1 The Microsoft Maintenance Process
Within Microsoft itself, the Microsoft Information Technology group (Microsoft IT) is
responsible for managing IT services and a challenging computing environment for more than
55,000 employees and more than 300,000 devices that span over 400 sites worldwide. Over
300 of the sites are sales and marketing offices distributed in major worldwide cities.
Microsoft IT-managed infrastructure exists at over 200 of those sites.
Because Microsoft is a large enterprise that develops and markets software, the Microsoft IT
infrastructure is much larger than is typical of other corporations with a similar number of
employees, contractors, and vendors. For example, Microsoft has two to three times more
computers and other devices (such as Smartphones and Pocket PC devices) than personnel.
Microsoft IT manages more than 120,000 desktop computers and portable computers spread
among the production, product development, test, and support organizations.
Microsoft IT consists of more than 3,500 staff members who are responsible for managing the
IT utility for the company. In addition, Microsoft IT plays a key role in helping the company
meet its main business objective of software development and marketing. Microsoft IT serves
as an early adopter of new Microsoft software releases, such as Windows Server, SQL Server,
Microsoft Office, and our Microsoft System Center products. The early deployment of
technology and continual growth at Microsoft result in a highly dynamic environment. The
environment houses more than 6,000 servers that provide essential services. These services
include 1,600 line-of-business applications that range from a single SAP R/3 instance to
specialized departmental or even workgroup applications for groups such as research,
product support, and product development in four different Active Directory service forests.
Servers in the primary production data center provide many mission-critical functions with
service level agreements (SLAs) for uptime greater than 99.9 percent. Minimizing unplanned
server downtime is a key operational and server patch management requirement. Strictly
managing the timing for planned downtime is also a key requirement, specifically for the
many clustered servers. In addition, Microsoft IT manages to a goal of around 200 servers per
administrator and budgets no additional headcount for the rising trend in the number of
server updates.
Additional challenges in the Microsoft security environment include the following:
As many as 2,500 unique attacks, probes, and scans occur on a daily basis.
Each month, Microsoft probes, scans, and quarantines over 125,000 virus-infected e-
mail messages.
Unique IT environments for product development, testing, support, and research
require special security.
Most Microsoft employees are highly technology-literate and routinely explore the
limits of the tools available to them in order to improve product quality. For example,
more than 95 percent of Microsoft employees have local administrator rights to their
desktops. Some employees even run server operating systems on their desktop
computers for various development, testing, and product support purposes. For
security patch management purposes, these computers are managed the same way
as client (desktop) computers are.
This combination of factors—an evolving security landscape full of potential vulnerabilities
operating across a large, dynamic, and demanding IT environment—presents a challenging
array of variables for the server management IT function to manage.
In addition, making sure that an update—specifically a security update—reaches only its
intended targets is absolutely essential so that conflicts do not arise between the update and
other software versions for which it was not intended. Microsoft IT requires that patch
installation must be able to fix the problem without creating side effects or negative
interactions.
To help address these issues, Microsoft IT turned to Microsoft Systems Management Server
(now Microsoft System Center Configuration Manager) to help manage the computing
environment at Microsoft. Configuration Manager provides Microsoft IT with:
Inventory functions to determine how many computers have been deployed, their
locations, their roles, and the software applications and updates that have been
installed
Scheduling functions that allow scheduled deployment for updates outside regular
working hours, or at a time that has the least impact on business operations
The Distribution Software Update Wizard, which enables administrators to rapidly
select and deploy software distributions, such as security updates, to specific groups
of computers, such as servers
Status reporting that enables patch administrators to monitor the progress and
assess the success of installation
Figure 2 is a Configuration Manager example showing a view of Billing Application Servers.
Figure 2. Systems Management Server, View of Billing Application Servers
For detailed information on the patch management process at Microsoft, see:
www.microsoft.com/technet/itsolutions/MSIT/Security/SMS03SPM.mspx
For detailed information on how Microsoft IT uses SMS technology, see:
www.microsoft.com/technet/itsolutions/msit/sms.mspx
For detailed information on Microsoft System Center Configuration Manager, see:
www.microsoft.com/smserver/
Chapter 5. Data and Application Integration
Integration is needed between mission-critical data and applications that are still hosted on
IBM mainframe zSeries and midrange iSeries computers, and the applications now running
on Windows Server or on Windows desktop computers. Organizations also want Web-based
and Windows Server–based access to mainframe data and applications for everyday
productivity and line-of-business solutions. Organizations generally find the Web and
Windows solutions to be easier to learn and quicker to implement than comparable
mainframe-based applications. To preserve their time and capital investments in mainframe
applications and data, organizations must integrate their host-based resources with more
efficient Windows-based and Web-based solutions.
Microsoft Host Integration Server and Microsoft BizTalk® Server, a business process
management server, offer integration components and orchestrations that help achieve
those goals.
To help its customers achieve these benefits, Microsoft launched Communication Server 1.0
in 1990, specifically to address mainframe integration. Microsoft SNA Server 2.0, which
followed in 1992, allowed system administrators to send local area network (LAN) and
systems network architecture (SNA) networking traffic across the same network
infrastructure. Today, Microsoft offers Host Integration Server 2006 and BizTalk Server
2006 for integrating Windows Server with the IBM mainframe. Together they provide the key
enabling technologies that allow enterprises to integrate their mission-critical host
applications, data sources, messaging, and security systems with new solutions developed
on the Windows Server platform.
5.1 Approaches to Platform Interoperability
When reviewing platform interoperability, it is useful to break up solutions into the five
common approaches to integration, or layers of technology. Host Integration Server and
BizTalk Server offer layers of technology, allowing organizations to integrate their host
networks, security technologies, messaging, data, and applications with new solutions based
on Windows Server and Microsoft .NET connection software.
5.1.1 Network Integration
Network integration components allow SNA devices and programs to connect efficiently to
Windows-based desktop computers and servers across routable IP networks. With Host
Integration Server, enterprises can continue to consolidate their network infrastructure, while
supporting the same level of SNA-compatible applications and services.
5.1.2 Security Integration
Security integration components provide enterprise single sign-on (SSO) and password
synchronization to integrate the IBM mainframe security systems, such as IBM Resource
Access Control Facility (RACF), with Windows and Active Directory. This allows
administrators and developers to deploy SNA applications on Windows-based desktop
computers and servers, and to publish vital host data and applications as XML Web services,
more securely. Host Integration Server and BizTalk Server share the Enterprise Single
Sign-On service, which keeps the mapping between each Windows account and its host
credentials in an encrypted credential database and passes the mapped host credentials to
the mainframe for identity validation when a Windows-authenticated user invokes a host
resource; its password synchronization adapters keep the Windows and host passwords in
step so the mapping does not go stale. The Microsoft Identity Lifecycle Manager (ILM) 2007
(formerly Microsoft Identity Integration Server, or MIIS 2003) directory integration
product offers an additional option for synchronizing changes and profiles between Active
Directory and the identity profiles stored on the mainframe. Because the SSO credential
database holds host credentials for every mapped user, treat it and the master secret
server that protects it as high-value assets: restrict membership of the SSO administrator
and affiliate administrator groups, and back up the master secret key to a protected
location.
5.1.3 Messaging Integration
Messaging integration components allow enterprises that have standardized on IBM's cross-
platform messaging product, WebSphere MQ (formerly MQSeries), to integrate efficiently
with solutions based on Microsoft Message Queuing (MSMQ). Host Integration Server and
BizTalk Server provide an MSMQ-to-MQSeries bridge that passes messages between the two,
with each application using the programming interface (API) native to the queue mechanism
on its own end.
5.1.4 Data Integration
Data integration components offer direct access to vital record data stored in IBM z/OS and
OS/400 systems, from Windows-based desktop applications or server-based applications.
Host Integration Server and BizTalk Server provide a comprehensive set of data providers and
adapters for access to IBM DB2 databases and VSAM, PDS, and conventional files. These
data providers work with IBM and industry standards and popular data access architectures,
including the Microsoft .NET Framework.
Figure 3 illustrates BizTalk adapter access to SAM, VSAM, and PDS data.
[Figure 3 content: on the Windows Server System side (HIS or BizTalk Server 2006 on
Windows Server 2003), a Data Consumer (.NET assembly, ADO.NET) exchanges an XML document
and XSD schema with the Message Box and Data Adapter, which use the .NET Data Provider for
Host Files and a DDM RLIO client, with Enterprise SSO supplying host credentials. The
transport is DDM RLIO over SNA LU6.2 (DLC, HPR/IP-DLC) or TCP/IP. On the IBM Host Data
Center side (z/OS on an IBM zSeries mainframe), Communications Server for z/OS and TCP/IP
for z/OS hand DDM commands to the Distributed File Manager (DFSMS), which accesses SAM,
VSAM, and PDS/E data sets under RACF, Top Secret, or ACF/2 security.]
Figure 3. VSAM, PDS and Conventional Sequential File Data Integration
Figure 4 illustrates BizTalk adapter access to DB2 data.
Figure 4. DB2 Data Integration
5.1.5 Application Transactional Integration
Application integration components of Windows Server enable enterprise developers to
publish and extend business rules in mainframe applications as XML Web services, while
allowing host developers to access and update Windows Server programs using familiar
programming models.
Figure 5 illustrates CICS transaction integration with BizTalk Server.
Figure 5. Transaction Integration between Windows and IBM Mainframe
Chapter 6. Best Practices Applied
This section presents the experience of data centers where Microsoft best practices have been
applied. This section discusses how those best practices have delivered high security,
reliability, availability, and operational efficiency on Windows Server operating systems.
6.1 Within Microsoft
Microsoft IT is responsible for building, operating, and managing the global Microsoft IT
infrastructure. From this position, Microsoft IT can provide valuable feedback on the
application and implementation of new Microsoft products to any enterprise business
process. As a result, Microsoft expects Microsoft IT to be its first and best customer.
Microsoft IT is an early adopter of Microsoft products, technologies, and processes, using beta
releases to provide feedback to improve the quality and functionality of released solutions and
products. By implementing and testing new products within the Microsoft business
processes, the business values can be documented to provide prescriptive guidance and
advice to customers. Microsoft IT creates IT Showcase documentation that describes the
business scenarios they've used, and provides implementation and management guidance to
ensure that customers can effectively use the new products they adopt. The guidance and
best practices provided by showcasing new products within the Microsoft IT business
processes can help to reduce implementation and deployment costs for all customers. As part
of its ongoing commitment to utilize Microsoft technologies and practices, Microsoft IT has
made a CIO-level commitment to ensure that all operations processes are based on the MOF.
The MOF provides improvements in consistency and maturity for diverse operations
processes. In return, Microsoft IT documents both its own and customers' data to improve
and enhance prescriptive guidance for future MOF and product releases.
Microsoft IT conducted a MOF assessment of its operations in six of the MOF service
management functions to identify redundant processes and optimize on best practices,
following MOF guidelines to improve process maturity. Although the assessment
demonstrated that Microsoft IT generally had practices and processes in place for most
common tasks, in many cases they were not well documented or coordinated. For example,
different groups within the organization had different ways to handle change management,
using multiple change management tools. Microsoft IT ran service improvement projects
based on the recommendations from the MOF assessment, with dramatic results.
Other Microsoft operations groups, for example MSN and Microsoft.com, have also embraced
MOF principles in structuring and managing their operations. These relationships between
Microsoft operations groups and the MOF development group have assisted in ongoing MOF
development, through the ability to rapidly evaluate and capture feedback relating to MOF
guidance. As Microsoft rolls out next-generation infrastructure for in-house beta testing prior
to release, MOF guidance to deploy, operate, support, and optimize that infrastructure is
developed in parallel.
6.2 By Microsoft Customers
6.2.1 Case Study
Garanti Technology
Garanti Technology Deploys Monthly Security Updates to 13,000 Computers in One
Week
Publication Date: 9/21/2005 Language: English
Garanti Technology of Istanbul is the IT arm of the Doğuş Group, one of Turkey's
largest private-sector conglomerates. The Doğuş Group owns companies in financial,
construction, retail, tourism, automotive, and other sectors. Garanti Technology was
eager for a more efficient, accurate, and predictable process for deploying security
updates to more than 13,000 Windows-based client and server computers. The
company deployed Microsoft Systems Management Server 2003 and took advantage
of the Microsoft monthly security update process. With a consistent, stable, orderly
process in place, Garanti is able to update as many as 13,000 computers in just one
week and use a fraction of the personnel required before. Garanti can also measure
the success of updates. The Doğuş companies have been virtually virus-free for 18
months since implementing the new tools and process.
6.2.2 Future Expectations
Windows Server 2008 introduces a new installation option called Server Core.
Server Core
With the release of Windows Server 2008, administrators can choose to install Windows
Server with only the binaries and services required for a designated set of roles, such as
DHCP, DNS, file server, domain controller, or Web server (IIS without ASP.NET). This
installation option leaves out non-essential services and applications and provides base
server functionality without the extra overhead. Although a Server Core installation is a
fully functioning mode of the operating system for the roles it supports, it does not
include the server graphical user interface (GUI) or local MMC consoles; it is administered
from the command line or with remote management tools.
Because a Server Core installation includes only what the designated roles require, it
typically needs less maintenance and fewer updates, with fewer components to manage. In
other words, because fewer programs and components are installed and running on the
server, fewer attack vectors are exposed to the network, resulting in a reduced attack
surface. If a security flaw or vulnerability is discovered in a component that is not
installed, no patch, and no restart, is required on that server.
With Windows Server 2008 componentization, Microsoft can remove a large share of the
user-mode attack surface of the server platform simply by not installing the GUI and the
components that depend on it; by the estimate quoted here, that is where 80 percent of
today's attacks are focused. Server Core reduces rather than eliminates the user-mode
attack surface: the services that implement the installed roles still run in user mode and
still need patching.
Because Windows Server 2008 is organized into roles, updates can be targeted at
components. If only the Web Server role is installed, an update for a component that is
not present, such as AD DS or DHCP, is reported as not applicable and is never installed on
that server, because the services and DLLs it would replace are not installed. This leads
to less downtime, simpler patch management, and fewer updates per machine. A related
change is that AD DS in Windows Server 2008 runs as a stoppable service: offline work such
as database defragmentation or an authoritative restore can be done by stopping the
directory service rather than rebooting into Directory Services Restore Mode. Updates that
replace shared system files still require a restart, which is the check to make before
assuming a patch cycle will be reboot-free.
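The targeting requirement from Chapter 4 (an update must reach only its intended targets) and the component-based applicability described here are the same rule seen from two sides. The following added example, written for this page and not taken from Configuration Manager, Windows Update, or any Microsoft code, models that rule over a constructed inventory: an update is offered to a machine only when a component it touches is installed, an update superseded by an applicable newer one is dropped (chains are followed transitively), and a machine whose remaining updates touch no restart-forcing component is reported as reboot-free. The update identifiers (EX-1001 and so on), component names, and machine records are all assumptions.

```python
"""Component-aware update targeting with supersedence resolution.

Added illustration, not Microsoft's or Configuration Manager's code. It models
two requirements from the text: an update reaches only machines that carry the
component it fixes (a Server Core DNS server never sees an IIS or GUI fix),
and a superseded update is not offered once its replacement applies. All
update identifiers and machine records below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Update:
    uid: str                                 # hypothetical identifier
    components: frozenset                    # components whose binaries it replaces
    supersedes: frozenset = frozenset()      # older updates it fully replaces
    requires_restart: bool = True


@dataclass
class Machine:
    name: str
    installed_components: frozenset
    installed_updates: set = field(default_factory=set)


def applicable(update, machine):
    """An update applies only if the machine has a component the update touches."""
    return bool(update.components & machine.installed_components)


def required_updates(machine, catalog):
    """Updates the machine still needs, sorted by identifier.

    Three filters, in order: not applicable (component absent), superseded by
    an applicable update (chains are followed transitively), already installed.
    """
    by_uid = {u.uid: u for u in catalog}
    candidates = [u for u in catalog if applicable(u, machine)]
    superseded = set()
    frontier = [old for u in candidates for old in u.supersedes]
    while frontier:
        uid = frontier.pop()
        if uid in superseded:
            continue
        superseded.add(uid)
        if uid in by_uid:                    # follow the chain further back
            frontier.extend(by_uid[uid].supersedes)
    needed = [u for u in candidates
              if u.uid not in superseded and u.uid not in machine.installed_updates]
    return sorted(needed, key=lambda u: u.uid)


def restart_required(machine, catalog):
    """True if at least one needed update replaces files that force a reboot."""
    return any(u.requires_restart for u in required_updates(machine, catalog))


def deployment_report(machines, catalog):
    """Per-machine list of update identifiers to deploy."""
    return {m.name: [u.uid for u in required_updates(m, catalog)] for m in machines}


# Constructed catalog. EX-1003 supersedes EX-1002; EX-1004 touches only the GUI shell.
SAMPLE_CATALOG = [
    Update("EX-1001", frozenset({"kernel"})),
    Update("EX-1002", frozenset({"iis"})),
    Update("EX-1003", frozenset({"iis"}), supersedes=frozenset({"EX-1002"})),
    Update("EX-1004", frozenset({"gui-shell"}), requires_restart=False),
    Update("EX-1005", frozenset({"dns"}), requires_restart=False),
]

# Constructed inventory: two Server Core boxes and one full installation.
SAMPLE_MACHINES = [
    Machine("core-dns", frozenset({"kernel", "dns"}), {"EX-1001"}),
    Machine("core-web", frozenset({"kernel", "iis"})),
    Machine("full-web", frozenset({"kernel", "iis", "gui-shell"}), {"EX-1001"}),
]

if __name__ == "__main__":
    for name, uids in deployment_report(SAMPLE_MACHINES, SAMPLE_CATALOG).items():
        print(f"{name}: {uids} restart={restart_required(SAMPLE_MACHINES[0], SAMPLE_CATALOG)}")
```

Running the module prints the per-machine plan; `restart_required` is the check to run before promising a reboot-free patch window to the owners of a clustered server, since one kernel-level update in the list is enough to force a restart.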
Chapter 7. Comparable Experiences
Many substantial companies run mission-critical core business applications on the Windows
Server operating system. Many public case studies can be found at:
www.Microsoft.com/CaseStudies/
Selected studies that may be particularly relevant to Contoso are presented in this section.
7.1 Online Transaction Processing
7.1.1 London Stock Exchange
To provide the most current value-added price and trading data available, the London Stock
Exchange wanted to process 500 messages per second, with an average latency of less than
300 milliseconds. To build a system that could do this, the Exchange worked with Accenture,
Windows Server 2003, and the Microsoft Visual Studio .NET 2003 integrated development
environment (IDE). For details about this case study, see:
members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=1989&LanguageID=1&PFT=Microsoft%20Visual%20Studio%20.NET%202003&TaxID=20324
7.1.2 NASDAQ
In order to retire its aging Tandem mainframes, NASDAQ deployed SQL Server 2005 on two
4-node Dell PowerEdge 6850 clusters to support its Market Data Dissemination System
(MDDS).
Every trade that is processed in the NASDAQ marketplace goes through the MDDS system,
with SQL Server 2005 handling some 5,000 transactions per second at market open. SQL
Server 2005 simultaneously handles about 100,000 queries a day, using SQL Server 2005
snapshot isolation to support real-time queries against the data without slowing the
database. For details about this case study, see:
members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=13793&LanguageID=1&PFT=Microsoft%20SQL%20Server%202005&TaxID=20363
7.2 Large Batch Processing
7.2.1 Telecommunications Company
A customer billing system proof of concept at a telecommunications company showed that
six AMD-based computers running Windows Server could complete in 27 minutes a mainframe
batch workload that normally took approximately 2.5 hours on a 3,000 MIPS (million
instructions per second) mainframe. During that run, over 17 million billing records were
processed (over 10,000 records per second).
7.2.2 Adamed / Galmed
Adamed / Galmed, a steel company in Spain, moved 8 million lines of code from MVS to
Windows Server using zBatch and Fujitsu's NetCOBOL. For details about this case study,
see:
www.mainframemigration.org/blogs/adamed/archive/category/1677.aspx
7.2.3 CSC Financial Services
CSC Financial Services Group showed that their insurance products, VANTAGE-ONE and
PerformancePlus, run better on Windows Server and at a lower cost. A private CSC
benchmark shows that Windows Server can scale equally with the mainframe (up to 1 million
policies, the maximum with which CSC tested).
7.2.4 CUNA Mutual
CUNA Mutual Group migrated everything off an IBM System/390 mainframe, including
PeopleSoft Financials and Walker Interactive (now Elevon). PeopleSoft Enterprise Performance
Management (EPM) was added to the new Microsoft solution based on Windows Server 2003
and SQL Server 2000.
Financials is run on one 4-way server, EPM on a second 4-way, and a third 4-way
runs batch and acts as a failover server for the first two.
Two 2-way servers run the application tier and the Web front end.
In a proof of concept (POC), Windows Server outperformed the mainframe by 47
percent on accounts payable and 37 percent on general ledger.
For details about this case study, see:
members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=13554&LanguageID=1&PFT=Microsoft%20Windows%20Server%202003&TaxID=20106
7.3 Migrations of Existing Mainframe Applications
7.3.1 Simon and Schuster
Simon and Schuster has moved all of their distribution center inventory and order processing
to Windows and eliminated their IBM z/OS mainframe.
7.3.2 Washington State Department of Licensing
The State of Washington Department of Licensing moved to .NET with NetCOBOL from a
Unisys mainframe and saved $1 million annually. For details about this Fujitsu case study,
see:
www.netcobol.com/info/WADOL_Technical_Case_Study.htm
There is also a WADOL video case study, which can be found at:
www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49060
www.netcobol.com/info/WA_DOL_Compact_Version.wmv
7.3.3 Bertelsmann
Bertelsmann moved all of its IT processing from an IBM mainframe to Windows Server using
Micro Focus technologies, saving more than €900,000 per year. They report that, "As regards
to stability, there is no significant difference from the mainframe." For details about this case
study, see:
members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=14309&LanguageID=1&PFT=Microsoft%20Windows%20Server%202003&TaxID=20106
To view a video version of the case study, see:
wm.microsoft.com/ms/resources/bertelsmann/bertelsmann_300k.wmv
7.3.4 Deutsche Post (DP)
Deutsche Post (DP) migrated its SAP implementation to a Windows Server platform. They
predicted that, "The Microsoft/SAP combination can lead to savings of as much as 30 to 70
percent on hardware and software acquisition costs." The transition to SAP R/3 was fully
realized in just 19 months. Accenture advocates the Microsoft platform as a "robust platform
option for SAP applications." For details about this case study, see:
www.accenture.com/Global/Services/By_Subject/Microsoft_Solutions/ConsideringMicrosoft.htm
7.3.5 SAMPENSION
SAMPENSION closed down its mainframe. Now the company runs all its applications on a
Windows Server platform. This better supports SAMPENSION's business strategy and gives
the company the necessary agility for continued success. For details about this case study,
see:
members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=1534&LanguageID=1&PFT=Connected%20Systems&TaxID=25531
To view a video version of the case study, see:
www.microsoft.com/casestudies/resources/files/51314/sampension__300k.wvx
7.4 Code Replacement of Existing Mainframe Applications
7.4.1 Horizon Lines
Horizon Lines moved its 50 business applications to a Microsoft solution based on the .NET
Framework and Windows Server, and eliminated an IBM OS/390 mainframe. In addition to
saving $2.5 million per year, total cost of ownership (TCO) is down 85 percent.
Horizon Lines can now deliver software changes, reports, and new applications with the
speed, ease, and cost-effectiveness that it needs to boost its competitiveness. Horizon Lines
claims that developer productivity is up 500 percent, enabling faster software updates and
the creation of new applications that developers didn't have time for previously.
For details about this case study, see:
www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49060
7.4.2 The Schwan Food Company
The Schwan Food Company, one of the world's leading branded frozen food manufacturers,
needed an alternative to a mainframe, which was complex, costly, and unable to support the
company's aggressive growth. Its solution: migrate its custom business applications to
Windows Server 2003 and the .NET Framework. With the help of solution provider Cognizant
Technology Solutions, Schwan eliminated its mainframe in a complete mainframe-to-
Windows Server migration that will add more than $1 million to its bottom line each year. For
details about this case study, see:
www.microsoft.com/casestudies/casestudy.aspx?casestudyid=1000003892
7.4.3 Shinsei Bank
At Shinsei Bank of Japan (formerly Long Term Credit Bank), newly written applications
running on a Windows Server platform replaced IBM and Fujitsu mainframes and AS/400s,
to create the first major bank in the world to rely on Windows Server for the bulk of its core
applications.
7.5 Transformation and Interoperability
7.5.1 Ceridian
Using a Microsoft solution, Ceridian built a Web-based front end for its mainframe-based
payroll processing system in just four months. Called ResponsePlus.net (RPN), the company's
new solution replaces six front-end applications and 200 databases with a single, user-
friendly interface in a single SQL Server 2000 database that contains all customer
information. Capable of supporting all customer-facing users throughout the entire account
life cycle, RPN is expected to increase productivity for its 3,000 daily users by 20 percent—
equivalent to a savings of several million dollars per year. Furthermore, offloading all online
processing and user interaction from the host systems to the Microsoft solution enabled
Ceridian to consolidate 24 mainframes down to 4, resulting in an additional savings of $12
million per year in mainframe-related costs.
members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=1642&LanguageID=1
7.6 Medical Claims Processing
Many leading health plans are running their claims management systems on a SQL Server-
based platform. These include Horizon Blue Cross/Blue Shield, Schaller Anderson
Healthcare, HMSA, Molina Health Systems, and Blue Cross Blue Shield of Montana, to name
a few. Two other examples are described in this section.
7.6.1 Premera Blue Cross
Premera Blue Cross (and about ten other health plans) runs Facets by TriZetto. Premera
moved membership and claims processing from mainframe OS/390 IMS and DB2 to
Windows 2000 Datacenter Server and SQL Server on two Unisys ES7000 server systems and
eight commodity servers, plus clients.
For details about this case study, see:
www.unisys.com/products/enterprise__servers/clients/featured__case__studies/premera__blue__cross.htm
7.6.2 Broadspire
Broadspire (formerly Kemper) moved the database for its mission-critical claims-processing
solution from DB2 on an IBM mainframe running z/OS to SQL Server 2000 running on
Windows Server 2003, and reduced operational costs by 98 percent, which yielded a two-
month ROI. ROI was achieved due to the elimination of a complex UNIX-based gateway. The
implementation and long-term costs were less than half, compared to a UNIX migration
option presented by IBM. For details about this case study, see:
www.microsoft.com/resources/casestudies/CaseStudy.asp?CaseStudyID=15949
7.7 Other Enterprise Migrations/Modernizations Involving COBOL
7.7.1 Ancor
For details about how Ancor Information Management, a Six Sigma shop, moved from its
mainframe to Windows Server, see:
www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49679
7.7.2 DC Thomson
For details about how a prominent U.K. publisher made significant productivity gains with a
Microsoft integrated solution, see:
www.microsoft.com/casestudies/casestudy.aspx?casestudyid=200900
7.7.3 Co-op Financial Services
For details about how Co-op Financial Services' move to Windows Server eliminated a $2.3
million mainframe cost for a large credit union network, see:
www.microsoft.com/casestudies/casestudy.aspx?casestudyid=200539
7.7.4 Mashreqbank
For details about how Mashreqbank migrated from its mainframe system to better align its IT
resources with its business objectives, see:
www.microsoft.com/casestudies/casestudy.aspx?casestudyid=1000003975
7.7.5 Dollar Thrifty
For details about how the Dollar Thrifty Automotive Group car rental agency accelerated its
success by using a cutting-edge programming model from Microsoft, see:
www.microsoft.com/casestudies/casestudy.aspx?casestudyid=1000003883
7.7.6 Stockholmshem
When the Stockholmshem property firm migrated from a mainframe system to Windows
Server, it cut its costs by 60 percent, while increasing its speed. For details about this case
study, see:
www.microsoft.com/casestudies/casestudy.aspx?casestudyid=1000003741
7.7.7 Retirement Systems of Alabama (RSA)
The Retirement Systems of Alabama pension agency recently streamlined its workflow and
enhanced service by moving to a Microsoft integration solution. For details about this case
study, see:
www.microsoft.com/casestudies/casestudy.aspx?casestudyid=52581
7.8 Companies Running Well-Known COTS Applications on Windows
Many companies run well-known commercial off-the-shelf (COTS) applications on a Windows
Server platform. Some of these companies are listed below.
7.8.1 SAP on Windows
The following companies run SAP R/3 on Windows:
CompUSA
FEMSA
Lyndell
Minolta
Pilgrim's Pride
Shell Oil
7.8.2 PeopleSoft on Windows
The following companies run PeopleSoft on Windows:
ANZ
El Paso (gas)
Hilton Hotels
State of Indiana
SMEAD
USDA
7.8.3 Siebel on Windows
The following companies run Siebel on Windows:
Air Products
Altera
APC
Canadian Citizenship and Immigration
KeyBank
MCI
Unilever
U.S. Defense Intelligence Agency
XEROX
Appendix A. The Windows Server Platform
The Windows Server platform takes the best of Windows Server technology and makes it
easier to deploy, manage, and use. The result: a highly productive infrastructure that helps
make your network a strategic asset for your organization. Windows Server provides
enhanced security, increased reliability, and a simplified administration to help enterprise
customers across all industries.
A.1. Microsoft Mainframe-Related Product Capabilities Summary
This section provides a summary of the Microsoft products, or major components of products,
that provide functionality that is valuable to migrated mainframe applications and systems.
A.1.1. Mainframe Data Access
Programs running on Windows Server can access data that is resident on an IBM mainframe
using the following Microsoft data providers:
Data provider for DB2 included in SQL Server 2005 Feature Pack and in BizTalk
Server 2006
Data provider for host files for VSAM and PDS, and sequential file access provided in
BizTalk Server 2006 (and Host Integration Server)
DB2 or mainframe host file data provider integrated use within SQL Server
Integration Services or SQL Server Reporting Services
Visual Studio designers to assist in the development of applications that use the DB2
or mainframe host file data providers
A.1.2. Mainframe CICS or IMS Transaction Integration
Microsoft Transaction Integrator, provided in Host Integration Server and BizTalk Server
2006, allows programs running on Windows to call IBM Customer Information Control
System (CICS) or Information Management System (IMS) programs and also the inverse, and
IMS or CICS programs can call a program running on Windows Server. This allows business
transactions to be composed of programs running on both Windows Server and the
mainframe, which is especially valuable during periods of partial migration.
A.1.3. Mainframe CICS or IMS XML Web Services SOA enablement
Using the Transaction Integrator described above, together with the Transaction
Integration Designer in Visual Studio, developers can readily build XML Web services that
run on Windows Server and act as proxies for mainframe transaction programs or collections
of transactions, enabling a service-oriented architecture (SOA). All EBCDIC-to-ASCII
conversion and XML composition and decomposition is performed on Windows, using processor
cycles and memory that are dramatically less expensive than the equivalent processing on
the mainframe. Because the proxy is the point where host records become XML, it is also
the right place to validate field lengths, numeric pictures, and code-page mappings before
data from either side is trusted.
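The data providers of section 5.1.4 and the Web service proxies of A.1.3 both hinge on the same conversion: a fixed-layout EBCDIC record becomes typed .NET or XML data on Windows. The following added example is not code from this page or from Host Integration Server or BizTalk Server (whose Transaction Integrator generates the equivalent from a COBOL copybook); it decodes and re-encodes one constructed record with zoned-decimal, EBCDIC text, and COMP-3 packed-decimal fields, and rejects bytes that violate the picture clauses instead of silently mis-decoding them. The copybook layout, field names, code page (cp037), and sample bytes are assumptions.

```python
"""Decode and encode a fixed-layout z/OS record (EBCDIC text, zoned and packed
decimal) on the Windows side of a host-integration proxy.

Added illustration, not code from the page or from Host Integration Server /
BizTalk Server, whose Transaction Integrator derives this conversion from a
COBOL copybook. The layout, field names and sample bytes are constructed:
    05 CUST-ID    PIC 9(6).              zoned decimal, 6 bytes
    05 CUST-NAME  PIC X(10).             EBCDIC text, 10 bytes
    05 BALANCE    PIC S9(7)V99 COMP-3.   packed decimal, 5 bytes
"""
from decimal import Decimal

HOST_CODEPAGE = "cp037"          # US EBCDIC; a real host may use another CCSID
RECORD_LENGTH = 6 + 10 + 5


class HostDataError(ValueError):
    """Bytes that violate the copybook: reject rather than silently mis-decode."""


def unpack_zoned(raw):
    """Unsigned PIC 9(n): each byte is 0xF0..0xF9, one digit per byte."""
    if not raw or any(b >> 4 != 0xF or b & 0x0F > 9 for b in raw):
        raise HostDataError(f"invalid zoned decimal {raw.hex()}")
    return int("".join(str(b & 0x0F) for b in raw))


def unpack_comp3(raw, scale):
    """COMP-3: two BCD digits per byte; the low nibble of the last byte is the
    sign (0xC or 0xF positive, 0xD negative). Bad digit or sign nibbles are rejected."""
    if not raw:
        raise HostDataError("empty COMP-3 field")
    nibbles = [n for b in raw for n in (b >> 4, b & 0x0F)]
    digits, sign = nibbles[:-1], nibbles[-1]
    if any(d > 9 for d in digits):
        raise HostDataError(f"invalid BCD digit in {raw.hex()}")
    if sign not in (0xC, 0xD, 0xF):
        raise HostDataError(f"invalid sign nibble {sign:#x}")
    value = Decimal(int("".join(map(str, digits)))).scaleb(-scale)
    return -value if sign == 0xD else value


def pack_comp3(value, digits, scale):
    """Inverse of unpack_comp3 for a picture of `digits` digits and `scale` decimals."""
    q = Decimal(value).scaleb(scale).to_integral_value()
    if abs(q) >= 10 ** digits:
        raise HostDataError("value does not fit the COMP-3 picture")
    nibbles = [int(c) for c in f"{abs(int(q)):0{digits}d}"] + [0xD if q < 0 else 0xC]
    if len(nibbles) % 2:                      # pad to whole bytes with a leading 0
        nibbles.insert(0, 0)
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))


def decode_record(record):
    """Host -> Windows. Length is checked first so no slice reads past the record."""
    if len(record) != RECORD_LENGTH:
        raise HostDataError(f"expected {RECORD_LENGTH} bytes, got {len(record)}")
    return {
        "cust_id": unpack_zoned(record[0:6]),
        "name": record[6:16].decode(HOST_CODEPAGE).rstrip(" "),  # EBCDIC pad is 0x40
        "balance": unpack_comp3(record[16:21], scale=2),
    }


def encode_record(cust_id, name, balance):
    """Windows -> host, enforcing the same pictures before bytes leave the proxy."""
    if not 0 <= cust_id < 10 ** 6:
        raise HostDataError("CUST-ID does not fit PIC 9(6)")
    text = name.encode(HOST_CODEPAGE)
    if len(text) > 10:
        raise HostDataError("CUST-NAME longer than PIC X(10)")
    zoned = bytes(0xF0 | int(d) for d in f"{cust_id:06d}")
    return zoned + text.ljust(10, b"\x40") + pack_comp3(balance, digits=9, scale=2)


def validate_record(record):
    """Return an error message for a bad record, or None; used at the service edge."""
    try:
        decode_record(record)
    except (HostDataError, UnicodeDecodeError) as exc:
        return str(exc)
    return None


# Constructed sample: CUST-ID 000042, CUST-NAME "ACME CORP", BALANCE -1234.56
SAMPLE_RECORD = (bytes.fromhex("F0F0F0F0F4F2")
                 + b"\xC1\xC3\xD4\xC5\x40\xC3\xD6\xD9\xD7\x40"
                 + bytes.fromhex("000123456D"))

if __name__ == "__main__":
    print(decode_record(SAMPLE_RECORD))
```

The two failure modes worth noting are the ones a COMMAREA-based proxy meets in practice: a truncated or over-long buffer (caught by the length check before any slicing) and a nibble outside 0-9 or an unknown sign nibble in a packed field, which a naive decoder would turn into a plausible-looking but wrong number rather than an error.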
A.1.4. RACF Account Synchronization
The Microsoft transaction integration facilities and host data access products provide
integrated security across the Windows security domain and RACF, including single sign-on
and password-change synchronization. These capabilities are also available for ACF2, Top
Secret, and the AS/400.
Microsoft Identity Lifecycle Manager (formerly Microsoft Identity Integration Server) can
fully synchronize identities between Windows and the mainframe, and can transfer RACF
account information and supporting attributes into Active Directory.
A.2. Windows Server 2003 Core Technologies
Windows Server 2003 core technologies deliver a cost-effective server operating system.
Windows Server 2003 has the reliability, availability, scalability, and security that make it a
highly dependable platform.
A.2.1. Availability
The Windows Server 2003 operating system provides high availability through enhanced
clustering support. Clustering services have become essential for organizations deploying
critical e-commerce and line-of-business applications, because they provide significant
improvements in availability, scalability, and manageability. Clustering installation and setup
are easier and more robust in Windows Server 2003, while enhanced network features in the
product provide increased failover capabilities and high system uptime. Windows Server 2003
supports server clusters of up to eight nodes in the Enterprise and Datacenter editions. If one
of the nodes in a cluster becomes unavailable because of failure or maintenance, another node
takes over its resources and begins providing service, a process known as failover. Windows
Server 2003 also supports Network Load Balancing (NLB), which distributes incoming IP traffic
across up to 32 nodes in an NLB cluster.
A.2.2. Scalability
Windows Server 2003 provides scalability through scale-up, enabled by symmetric
multiprocessing (SMP), and scale-out, enabled by clustering. Windows Server 2003 scales
from single-processor systems up to 64-way systems in the Datacenter edition. It supports
both 32-bit and 64-bit processors.
A.2.3. Security
Businesses have extended the traditional local area network (LAN) by combining intranets,
extranets, and Internet sites. As a result, increased system security is now more critical than
ever before. As part of the Microsoft commitment to reliable, secure, and dependable
computing, the company has reviewed Windows Server 2003 to identify possible failure
points and exploitable weaknesses. Windows Server 2003 provides many important new
security features and improvements, including the common language runtime and Internet
Information Services 6.0.
The Common Language Runtime
The common language runtime (CLR) is the execution engine of the .NET Framework, which
ships as part of Windows Server 2003 and improves both reliability and the safety of the
computing environment. Managed code is type-safe and bounds-checked and its memory is
managed by the runtime, which removes the buffer overruns, dangling pointers, and
uninitialized-memory defects that account for many exploitable vulnerabilities in native
code, so attackers have fewer of them to exploit. Before an assembly runs, the runtime
verifies that its intermediate language is type-safe, and code access security checks that the
code holds the permissions required for the operations it attempts, so that code performs
only the operations it is allowed to. This protection applies to managed code; native code
called through P/Invoke or COM interop is outside it.
Internet Information Services 6.0
To increase server security, Internet Information Services (IIS) 6.0 is locked down by default:
it is not installed unless selected, a fresh installation serves only static content until the
administrator enables dynamic extensions such as ASP.NET, and worker processes run under
the low-privilege Network Service account. IIS 6.0 and Windows Server 2003 provide a
dependable, integrated Web server with fault tolerance, request queuing, application health
monitoring, automatic application pool recycling, caching, and more. These are among the
many new features in IIS 6.0 that enable you to conduct business securely on the Web.
In Windows Server 2008, IIS 7.0 becomes a more general application host: through the
Windows Process Activation Service (WAS) it can activate and host application code for
requests that arrive over protocols other than HTTP, such as TCP, named pipes, and MSMQ,
which is closer to the role a transaction monitor plays on the mainframe.
A.3. Productivity
Windows Server 2003 has capabilities in numerous areas that can make your organization
and employees more productive.
A.3.1. File and Print Services
At the heart of any IT organization is the ability to efficiently manage file and print resources
while keeping them available and secure for users. As the network expands with more users
located onsite, in remote locations, or even at partner companies, IT administrators face an
increasingly heavy burden. Windows Server 2003 delivers intelligent file and print services
with increased performance and functionality, allowing you to reduce your total cost of
ownership.
A.3.2. Active Directory
Active Directory is the directory service for Windows Server 2003. It stores information about
objects on the network and makes this information easy for administrators and users to find,
providing a logical, hierarchical organization of directory information. Windows Server 2003
provides a versatile, dependable, and economical high-performance scalability directory and
Lightweight Directory Access Protocol (LDAP) server. It also allows flexibility to design, deploy,
and manage an organization's directory.
Active Directory Application Mode (ADAM) is an LDAP directory service that runs as an
ordinary Windows service rather than as a domain controller role: it does not require an
Active Directory domain, several independent instances can run on one server, and its
schema and data are separate from the domain directory. ADAM is used independently of any
Windows Server security domain, and can be thought of as the Microsoft "LDAP server."
A.3.3. Management Services
While computing has proliferated on desktop computers, laptops, and portable devices, the
real cost of maintaining a distributed personal computer network has grown significantly.
Reducing day-to-day maintenance through automation is the key to reducing operating costs.
Windows Server 2003 contains several important new automated management tools,
including Windows Server Update Services (WSUS) and server configuration wizards.
Managing Group Policy is made easier with the Group Policy Management Console (GPMC),
enabling more organizations to better utilize the Active Directory service and take advantage
of its powerful management features. In addition, command-line tools let administrators
perform most tasks from the command console. GPMC is available as a separate component.
A.3.4. Storage Management
Windows Server 2003 introduces new and enhanced features for storage management,
making it easier and more reliable to manage and maintain disks and volumes, back up and
restore data, and connect to storage area networks (SANs).
A.3.5. Terminal Services
The Terminal Services component of Windows Server 2003 lets you deliver Windows-based
applications, or the Windows desktop itself, to virtually any computing device—including
those that cannot run Windows. When used to provide a remote desktop, Terminal Services
allows remote administration of Windows Server using the full administration graphical user
interface.
A.4. Staying Connected
Windows Server 2003 contains new features and improvements to make sure your
organization and users stay connected.
A.4.1. XML Web Services
Internet Information Services (IIS) 6.0 is an important component of Windows Server 2003.
Administrators and Web application developers demand a fast, reliable Web platform that is
both scalable and secure. Significant architectural improvements in IIS include a new process
model, based on isolated worker processes and application pools, that improves reliability,
scalability, and performance. IIS is not installed by default, and when installed it starts in a
locked-down state in which the system administrator enables or disables features based on
application requirements, which keeps the exposed surface small. In addition, direct editing
support of the XML metabase improves management.
A.4.2. Networking and Communications
Networking and communications have never been more critical for organizations faced with
the challenge of competing in the global marketplace. Employees need to connect to the
network wherever they are and from any device. Partners, vendors, and others outside the
network need to interact efficiently with key resources, and security is more important than
ever. Networking improvements and new features in the Windows Server 2003 operating
system extend the versatility, manageability, and dependability of network infrastructures.
A.4.3. Enterprise UDDI Services
Windows Server 2003 includes Enterprise Universal Description, Discovery, and Integration
(UDDI) services, a dynamic and flexible infrastructure for XML Web services. This standards-
based solution enables companies to run their own internal UDDI service for intranet or
extranet use. Developers can easily and quickly find and reuse the Web services available
within the organization. IT administrators can catalog and manage the programmable
resources in their network. With Enterprise UDDI services, companies can build and deploy
smarter, more reliable applications.
A.4.4. Windows Media Services
Windows Server 2003 includes the industry's most powerful digital streaming media services.
These services are part of the latest version of the Microsoft Windows Media® technologies
platform that also includes the new Windows Media Player 11, Windows Media Encoder 9,
audio and video codecs, and Windows Media Services 9 Series Software Development Kit.
A.5. Best Economics
PC technology provides the most cost-effective chip platform, a considerable economic
incentive for adopting Windows Server 2003. But that is only the beginning of the story.
Windows Server 2003 provides the best economics for both scale-up and scale-out purposes,
and provides an IT infrastructure that runs 30 percent more efficiently. With multiple
essential services and components already included in Windows Server 2003, organizations
can quickly benefit from an integrated platform that is easy to deploy, manage, and use.
When you adopt Windows Server 2003, you become a part of the global network that has
helped make the Windows platform so productive. This network of global services and
support provides the benefits noted in this section.
A.5.1. Extensive ISV Ecosystem
Microsoft has a large number of independent software vendors (ISVs) worldwide who support
Microsoft applications and build certified custom applications on the Windows Server
platform.
A.5.2. Worldwide Services
Microsoft is supported by over 450,000 Microsoft Certified Systems Engineers (MCSEs)
worldwide, plus vendors and partners.
A.5.3. Training Options
Microsoft offers a wide range of IT training, enabling IT staff to continue developing their
skills at a reasonable price.
A.5.4. Certified Solutions
Windows has thousands of certified hardware drivers and software applications from third-
party ISVs, making it easy to add new devices and applications. In addition, prescriptive
guidance from Microsoft Solutions Offerings (MSOs) helps organizations build proven
solutions that help solve difficult business challenges.
This ecosystem of products and services reduces TCO, helping your organization be more
productive and efficient.
A.6. XML Web Services and Microsoft .NET
Microsoft .NET is deeply integrated into Windows Server 2003. The .NET Framework enables
an unprecedented level of software integration using XML Web services: discrete, building-
block applications that connect to each other—as well as to other, larger applications—via the
Internet.
Appendix B. Development Environment
Software development and maintenance for Windows Server operating systems can be, and
usually is, much more productive than mainframe development. This increased programmer
productivity is one of the primary benefits of migration to a more modern platform. This
higher productivity derives not only from the tools themselves, but also from the development
and test methodologies that the platform enables and from following best practices for
Windows Server development. Many of these practices are distinctly different from those
found in the mainframe development environment. For example:
All developers can have a copy of the test database on their individual development
machines, can change any data without affecting each other, and can quickly restore
the data at any time.
The application server environment can be deployed on servers that belong to any or
to many development teams for distributed testing, without any inter-group
dependencies or interference. One group's activity, or lack of activity, does not affect
another group's productivity.
The application server environment can be built in a virtual machine that can be run
under Microsoft Virtual Server on a team, staging, or test server, or under Microsoft
Virtual PC on the developer's desktop computer or laptop.
Developers can take the application server environment from one lab to another, from
one location to another, or even home for off-hours, weekend, or telecommuting work.
B.1. Test and Development Environment
A model application server and database built in a virtual machine can be easily copied to
and run on any development computer (or a group server), which can positively affect
development productivity. For pre-production testing, it can be useful to have a fairly large
multi-processor server computer on which to run high-volume system tests and performance
tests of new application releases before they are put into production. This is, however, only
an occasional activity, and most of this time this same server could host many virtual
machines representing the test systems for various development groups, or various
concurrently running applications or system software release levels. This would be similar to
running test and pilot versions in separate mainframe logical partitions (LPARs).
B.2. Team Development
Visual Studio 2005 Team System is a set of role-based editions for architects, developers,
and testers, with project management tooling for the whole team. Visual Studio 2005 Team
Foundation Server is the server component that lets all team members, including designers
and product management as well as programmers and testers, work together effectively even
on a large project, using a shared "team server" for source control, work items, and builds.
Visual Studio 2005 Team System also includes load testing, at least for Web applications,
with test cases and test results integrated with the project management and testing
facilities of Visual Studio 2005.
Appendix C. Architecture
System Architecture for Running z/OS Applications Migrated to Windows
(Architecture for z/OS Applications Migrated to Windows, version 310507, 01May07, by
[email protected]. The diagram itself did not survive extraction; the elements it labels are
listed below.)
Existing z/OS mainframe, reached through a mainframe gateway cluster carrying MQ traffic and
TCP/IP traffic
TN3270 end-users (hundreds), and TN3270 sessions for the system operator and system
administrator, with an alternate operator and administrator station
Application server machine cluster: online application servers and batch boxes
SQL Server 2005 failover cluster holding relational data and migrated VSAM data, with a
standby SQL Server 2005 node
Report management and distribution server
Primary systems management server, including batch job scheduling, and a backup security
domain controller
Secondary (alternate) systems management server, including batch job scheduling, and the
primary security domain controller
SAN, with multiple HBAs and multiple NICs on the attached servers and a standby path;
outside systems
Heavier lines identify dedicated gigabit links; lighter lines identify the (probably standard)
shared network
Two of the roles are annotated as not required to be on dedicated machines: they could, for
example, run on the application servers, one of them on any two application servers
Mental model: a "PPAR" for each z/OS LPAR
Appendix D. SQL Server Management Pack Tasks
Using SQL Server as an example, the SQL Server Management Pack tasks provide increased
manageability by enabling administrators to manage SQL Server directly from the Operations
Manager console. The SQL Server Management Pack tasks that can be performed from the
Operations Manager console are shown in Figure 7.
Figure 7. Operations Manager Console (screenshot)
Appendix E. Relevant Microsoft Services Summary
This section provides a summary of the Microsoft services that are available to assist with the
migration of mainframe applications and systems.
E.1. Pre-Migration Services
The migration of large numbers of user accounts from RACF to Active Directory can be
accomplished using the Microsoft directory provisioning capabilities of the Identity Lifecycle
Manager (formerly named Microsoft Identity Integration Server or MIIS).
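As an added example serving both the RACF account synchronization of A.1.4 and the pre-migration provisioning described here (illustrative code, not the page's, Identity Lifecycle Manager's, or any Microsoft product's): a reconciliation step that turns a RACF user extract and the current Active Directory state into an ordered list of sync actions. The extract format, the rule mapping a RACF user ID to a sAMAccountName, and both data sets are constructed assumptions.

```python
"""Added example (not from the page): plan the RACF -> Active Directory
account synchronization as a reconciliation step, with the checks a
practitioner wants before an identity-sync job (ILM or any other) runs
unattended. All data is constructed and the extract format is an
assumption, not a real RACF unload layout."""
from dataclasses import dataclass

# Constructed RACF extract: USERID|NAME|STATUS|ATTRIBUTES (comma separated)
RACF_EXTRACT = """\
ALICE01|Alice Jones|ACTIVE|
BOB02|Bob Smith|REVOKED|
CAROL03|Carol Lee|ACTIVE|SPECIAL,AUDITOR
DAVE04|Dave Kim|ACTIVE|
"""

# Constructed view of the target AD OU: (sAMAccountName, displayName, enabled)
AD_USERS = [
    ("alice01", "Alice Jones", True),
    ("bob02", "Bob Smith", True),      # still enabled although revoked in RACF
    ("dave04", "D. Kim", True),        # stale display name
    ("eve05", "Eve Adams", True),      # no RACF source at all
]

PRIVILEGED = {"SPECIAL", "OPERATIONS"}  # RACF system-wide privilege attributes


@dataclass(frozen=True)
class RacfUser:
    userid: str
    name: str
    revoked: bool
    attributes: frozenset


def parse_racf_extract(text: str) -> dict:
    """Parse the constructed extract into RacfUser objects keyed by user ID."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        userid, name, status, attrs = line.split("|")
        userid = userid.strip().upper()
        if not 1 <= len(userid) <= 8:  # RACF user IDs are 1 to 8 characters
            raise ValueError(f"bad RACF user ID {userid!r}")
        users[userid] = RacfUser(
            userid, name.strip(), status.strip().upper() == "REVOKED",
            frozenset(a.strip().upper() for a in attrs.split(",") if a.strip()))
    return users


def sam_name(userid: str) -> str:
    """Hypothetical mapping rule (assumption): RACF user ID, lower-cased."""
    return userid.lower()


def plan_sync(racf: dict, ad_users: list) -> list:
    """Return (action, sAMAccountName, detail) tuples. Disables come first so
    a revoked mainframe user is never left enabled because a later create
    or update failed."""
    ad = {sam: (name, enabled) for sam, name, enabled in ad_users}
    disables, updates, creates, reviews, orphans = [], [], [], [], []
    for user in racf.values():
        sam = sam_name(user.userid)
        privileged = user.attributes & PRIVILEGED
        if sam not in ad:
            if user.revoked:
                continue  # never provision an account that is already revoked
            creates.append(("create", sam, user.name))
        else:
            name, enabled = ad[sam]
            if user.revoked and enabled:
                disables.append(("disable", sam, "revoked in RACF"))
            elif not user.revoked and name != user.name:
                updates.append(("update-name", sam, user.name))
        if privileged and not user.revoked:
            # No automatic AD equivalent for SPECIAL/OPERATIONS: a human decides.
            reviews.append(("review-privileged", sam, ",".join(sorted(privileged))))
    for sam in ad:
        if sam.upper() not in racf:
            orphans.append(("orphan", sam, "no RACF source; left unchanged"))
    return disables + updates + creates + reviews + orphans


if __name__ == "__main__":
    for action in plan_sync(parse_racf_extract(RACF_EXTRACT), AD_USERS):
        print(*action)
```

The two checks worth carrying into any real sync job show in the output order: revocations are applied first, so a user revoked on the mainframe is never left enabled in Active Directory because a later step failed, and RACF SPECIAL or OPERATIONS users are reported for review rather than silently provisioned, since those privileges have no automatic AD equivalent. AD accounts with no RACF source are reported as orphans and left unchanged, so the job never deletes something it did not create.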
E.2. Services During Migration
E.2.1. Team-Based Software Development Architecture
The development environment and best practices for high developer productivity for Windows
Server are distinctly different from those commonly used for mainframe development. This
development architecture plan specifies the development and test environment, including:
The developer's desktop computer
Unit and systems testing methodology
Collaborative team-based development and maintenance using Team System
Versioning source code control using Team Foundation Server
Team-based project management, task assignment, progress tracking, and status
reporting
The staging process for promotion of applications into production
Concurrent with this service, a developer education program is often recommended.
E.2.2. Systems Execution Architecture Definition
The Execution Architecture Definition ensures that the configuration of the Windows Server
operating system production environment, based on customer and application requirements,
conforms to established best practices and Microsoft architectural guidance. This execution
architecture will define the specific system settings for the execution environment, including:
DOMAIN accounts and the use of Windows role-based security
The security context in which the applications will run
Use of database connection pooling
Definition of transaction execution application pools in IIS
Level of SQL Server security authorization
Application manageability requirements
The intent is to ensure that known best practices are followed, and to document
optimum system configuration and why those options were selected.
E.2.3. Operations Management Architecture
This Operations Architecture Design provides specific recommendations on how a particular
customer should manage their operations environment, including but not limited to:
Routine operations and operations management
Problem detection, problem determination, and troubleshooting
Systems maintenance and recovery
Backup and restore procedures
Service-level tracking and reporting
The recommendations delivered by this service will follow the principles established in the
Microsoft Operations Framework (MOF), which conforms to ITIL principles.
E.3. Ongoing Services After Migration
Enterprise Strategy Consulting
Application Development Consulting
Infrastructure establishment and management assistance
Microsoft Services Premier Support, including custom and migrated application
support
E.4. For More Information
For more information about consulting offerings and support available from Microsoft
Services, see:
www.microsoft.com/microsoftservices/
www.microsoft.com/mainframe/
Appendix F. Microsoft Security Response Center (MSRC)
F.1. Investigating and Resolving Vulnerability Reports
Individuals, teams, and groups at Microsoft make up the Microsoft Security Response Center
(MSRC), which provides a single point of coordination and communications for Microsoft
partners, government agencies, law enforcement, security vendors and researchers, and
others. To learn about new security vulnerabilities that affect Microsoft products, the MSRC
staffs a public e-mail reporting center around the clock, monitors e-mail sent to
[email protected], and monitors security lists and other sources of information. The
MSRC encourages security researchers to report security vulnerabilities responsibly, and
collaborates with industry partners to identify threats and find solutions.
The MSRC uses state-of-the-art technologies and a well-refined response protocol to analyze,
develop, and deliver quality security updates, tools, and prescriptive guidance. Through its
enhanced, simplified monthly release process, the MSRC prepares and releases security
bulletins. These bulletins include answers to anticipated questions and details about possible
workarounds, as well as other information, to help customers minimize risk from security
vulnerabilities. For example, together with Microsoft product teams, the MSRC investigated
the impact of the LSASS vulnerability that was later exploited by Sasser, generated a fix, and
put it through several levels of rigorous and extensive testing before releasing the update and
information about it to the public. The MSRC releases security updates on the second
Tuesday of each month, with unscheduled releases possible any time customers are at
immediate risk from a malicious attack.
F.2. Responding to Security Incidents
When a security incident, such as the Blaster or Slammer worm, is detected, the MSRC
immediately begins evaluating the situation and working on potential solutions. The team
drives a worldwide response process to quickly and actively investigate and analyze security
incidents. The Software Security Incident Response Process (SSIRP) includes the following:
The MSRC mobilizes teams across Microsoft and around the globe to evaluate the
severity of the situation and gain a quick and thorough understanding of the
problem.
The teams work to provide authoritative guidance to customers, partners, and press,
as well as to the internal Microsoft worldwide Sales, Marketing, and Services
organization. They also provide appropriate tools as quickly as possible to restore
normal operations.
The process also includes interacting with law enforcement and influential industry
representatives, and creating a community that includes the security researchers who find
and report vulnerabilities.
How has this helped? Microsoft has worked to put security at the core of its engineering
through the processes of the Trustworthy Computing initiative described above, and this
security framework has led to more secure products being released over the past several
years. One external data point:
The United States Computer Emergency Readiness Team (US-CERT) released its 2005 year-end
report on vulnerabilities. This bulletin provides a summary of software vulnerabilities that
were identified between January 2005 and December 2005. The information is presented only
as an index, with links to the US-CERT Cyber Security Bulletin in which each vulnerability was
published. There were 5198 reported vulnerabilities: 812 Windows operating system
vulnerabilities; 2328 Unix/Linux operating system vulnerabilities; and 2058 multiple operating
system vulnerabilities. Counts of this kind weight every issue equally regardless of severity,
and the Unix/Linux figure aggregates many independent distributions and the applications
shipped with them, so the numbers are an indicator rather than a like-for-like comparison of
platform security.
www.us-cert.gov/cas/bulletins/SB2005.html