Is there an etckeeper equivalent for Windows? AKA Windows config revision-control

Solution 1:

Hold them packets!

This is a script provided by Michael J Ginter that creates a backup of all DHCP scopes on a server. (Note that it will stop and restart the DHCP Server Service.):

http://gallery.technet.microsoft.com/ScriptCenter/en-us/ff25d864-6ff0-411b-b242-97fbe34f011b

You can use LDIFDE to import and export data from AD: http://support.microsoft.com/kb/237677

GPOs can be exported with ADMX.exe (provided by Microsoft at http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/resources/documentation/windowsServ/2003/all/techref/en-us/w2k3tr_gp_tools.asp)

IIS Config can be exported via iiscnfg.vbs in %systemroot%\system32 http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/81f04967-f02f-4845-9795-bad2fe1a1687.mspx?mfr=true

Solution 2:

There really isn't, not for free anyway. There are commercial products that can do this; I understand that they're big and pricey. Opsware (or HP Server Automation now) can do this.

The guy who developed MRTG tried and failed on something similar about 10 years ago. The environment has changed a lot, so you might be able to build on their work and come up with something good. For example, you can dump GPOs now, which was one of their problems.

/edit - and you've always been able to dump AD to LDIF or CSV. Do a nightly export into one of those and slurp it into CSV. IIS is all in the filesystem and the metabase, which is also in the filesystem. Normal backups and/or copies of those into CSV would be good. SQL config, I'm not so sure on; I think it's all registry and PS probably has hooks to display those.

One note - you ask about backing up ACLs on files? Jeebus - please tell me that you're backing up the files, and your backup software preserves ACLs. If you're not backing up the files at all, what benefit are the ACLs to you? If you're not backing up the files with ACLs, what's wrong with your backup software? You can turn on auditing for ACL changes natively, maybe you want to do that?

Solution 3:

I have not heard of one. While the Registry may be the home of (most) config on Windows, and it (sort of) can be represented in text form, the best you can hope for is Configuration Documentation rather than Configuration Management. There are APIs for monitoring changes to the registry, as evidenced by several System Internals tools, which would in theory allow event-based actions (revert to old config for instance). Unfortunately, there are some things (Group Policy being the biggest) that are designed to blow past any local machine based restrictions on config-change.

However, that just manages the base operating system. Once you start adding in other Microsoft products the situation gets vastly more complex. IIS has its own database, the metabase, that is not in the registry. MS-SQL has a whole bunch of config stored in the database itself among other places. AD certainly can be represented as a flat file, it's an LDIF export from LDAP, but again that's documentation not management. Group Policies themselves are directory trees filled with files on the Domain Controllers.

It is not an easy job by any stretch. This is why systems like Microsoft's System Center Configuration Manager, or Novell's Zenworks Configuration Management, are as complex as they are. In fact, so far as I know these products are the closest Windows gets to something like etckeeper.

Solution 4:

For ACLs and file permissions, you might try PowerShell:

Get-Acl C:\temp | Format-List
Get-Acl -Path HKLM:\ | Format-List

We bought Tripwire to do a similar function, but it suffers from feature-bloat and an idiosyncratic UI to the point that it's rusting from neglect.
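
Added example, not part of the original answers: one way to turn the Get-Acl output above into something a revision-control system can track is to write each object's SDDL string to a sorted text file and commit it, so the commit diff records permission drift. The target paths, the repository location `C:\ConfigRepo`, and the use of git (on PATH, repository already initialised) are assumptions for illustration.

```powershell
# Added example, not from the original answers. Assumptions: the target paths,
# the repository location, and git on PATH with $RepoPath already initialised.
param(
    [string[]]$Targets  = @('C:\inetpub', 'HKLM:\SOFTWARE\Policies'),  # hypothetical
    [string]  $RepoPath = 'C:\ConfigRepo'                              # hypothetical
)
$ErrorActionPreference = 'Stop'

function Get-AclSnapshot {
    param([Parameter(Mandatory)][string]$Root)

    # The root itself plus everything beneath it (files/folders or registry keys).
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    $lines = foreach ($item in $items) {
        $path = Convert-Path -LiteralPath $item.PSPath
        try {
            # SDDL carries owner, group and DACL on a single line per object.
            "{0}`t{1}" -f $path, (Get-Acl -LiteralPath $item.PSPath).Sddl
        } catch {
            # Keep unreadable objects visible so a gap shows up in the diff.
            "{0}`tUNREADABLE" -f $path
        }
    }
    # Sorted output keeps diffs stable between runs.
    $lines | Sort-Object
}

foreach ($target in $Targets) {
    # One snapshot file per target, named after the sanitised path.
    $name = ($target -replace '[\\/:]+', '_').Trim('_') + '.acl.txt'
    Get-AclSnapshot -Root $target |
        Set-Content -LiteralPath (Join-Path $RepoPath $name) -Encoding UTF8
}

# Commit only when something changed; the commit diff is the change record.
git -C $RepoPath add -A
git -C $RepoPath diff --cached --quiet
if ($LASTEXITCODE -ne 0) {
    git -C $RepoPath commit -m ("ACL snapshot {0:yyyy-MM-dd HH:mm}" -f (Get-Date))
}
```

Run it from a scheduled task under an account that can read the targets; objects the account cannot read appear as UNREADABLE lines rather than silently disappearing from the snapshot.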