Understanding Server Policies

In ZfS 3.0.2, most policies are enforced through the distribution of policy packages. However, a few policies used by the Distributor are enforced by being associated with Novell eDirectory™ containers. Prior to ZfS 3.0.2, all policies were enforced through container and object associations.

Review the following sections to understand policies in ZfS 3.0.2:


Configuration and Behavioral Management through Server Policies

The Server Policies component provides configuration and behavioral management of your servers. Server policies are divided into three packages for the convenience of scheduling policies and distributing the policies to their applicable servers:

Configuration policies hold information in eDirectory that creates a similar type of configuration on a server, such as enforcing selected SET parameters. Behavioral policies hold a set of rules to be followed under certain situations, such as when a server goes down.

Through server policies you can automate the management of your servers, and through ConsoleOne® and the ZfS Management role in Novell iManager you can configure policies and manage your servers from a single workstation.


Server Policies and Packages

Server policies provide you with the ability to set, standardize, and automate configuration parameters on any given set of servers. You can control the behavior of servers in given situations, such as downing a server.

To use server policies, you must first create the appropriate Policy Package objects in ConsoleOne, configure the policies you need, enable them, and distribute the package to the applicable Subscriber servers where the package's policies are enforced.

When you set up server policies, you can individually schedule them to run daily, weekly, monthly, yearly, by an event, at a specific date and time, relative to a date and time, by an interval of time, or even immediately. By default, an individual policy uses its policy package's schedule, which you can change.

Any or all of the Policy and Distribution Services policies can be implemented in a policy package. You can also create a Policy Package object for each different configuration set that you need. For example, you might want some of your servers to be brought down differently.

All policies enabled in a package will be enforced on any servers where the Policy Package type Distribution has been received and extracted.


Plural and Cumulative Policies

Policy packages can contain both plural and cumulative policies. All plural policies are also cumulative, but cumulative policies are not necessarily plural. For more detail, review:


Plural Policies

Plural policies are those where there can be more than one per policy package per platform.

For example, in the same policy package, you can add and configure a Scheduled Down policy and name it "Scheduled Down for Time A." Then you could add and configure another Scheduled Down policy, this time naming it "Scheduled Down for Time B."

You can tell if a policy is plural by viewing the Policies tab and clicking Add, because all plural policies are listed in the Add dialog box.


Cumulative Policies

Cumulative policies are those that allow multiples of the same policy to be in effect when multiple policy packages are distributed to a server. For example, a Text File Changes policy distributed to Server A could be accumulated with a differently configured Text File Changes policy distributed to Server A. All of the text file changes from both policies would be effective for Server A.


Configuration and Behavioral Policies

A single configuration policy can affect the configuration of a single server or many servers. For example, a policy can be scheduled to run at regular intervals to ensure that the server's configuration continues to be set correctly.

Behavioral policies hold a set of rules to be followed in certain situations. The policy engine carries out these rules, along with any of its supporting modules. For example, the Server Down Process policy defines criteria that must be met before the server can be brought down, such as:

Behavioral policies are designed to make servers act more intelligently, to handle situations an administrator might not even be aware of, and to reduce complexity for administrators.

In summary, the benefits of configuration and behavioral policies include:


Server Policies Architecture

To understand how server policies are used to manage your servers, you must understand its eDirectory objects and its agent:


eDirectory Schema Extensions for Server Policies

The eDirectory schema extensions included in the Server Policies component define the class of eDirectory objects that can be created in your eDirectory tree, including which information is required or optional at the time the object is created. Every object associated with the Server Policies component in an eDirectory tree has a class defined for it in the tree's schema.

ZfS objects for the eDirectory schema are:

   Container Package
   Server Package
   Service Location Package
   Distributed Server Package
   ZENworks Database

Note the following concerning policy enforcement:

  • All of the policies in the Distributed Server Package must be distributed to be enforced (ZfS 3.0.2 servers only)
  • All of the policies in the Container Package, Server Package, and Service Location Package must be associated to be enforced (ZfS 2 and ZfS 3.0.2 servers)

The Server Package provides backwards compatibility that allows you to run ZfS 3.0.2 and ZfS 2 concurrently, such as during upgrading.

Existing eDirectory classes that are modified with the addition of ZfS attributes are:

   Country
   Group
   Locality
   Organization
   Organizational Unit
   Server

The following sections summarize the primary eDirectory objects that are added to eDirectory from the schema extensions provided with the Server Policies component:

For basic information about the types of objects in an eDirectory tree, see the Novell Documentation Web site and select Procedures > Planning > Directory Services > eDirectory Planning.


Container Package Object

The Container Package object is an eDirectory object that manages the Search policy object. This policy is used by the Distributor and Subscriber objects for all versions of ZfS, and must be associated to be enforced.


Server Package Object

The Server Package object is an eDirectory object that manages the following policy objects for ZfS 2 backwards compatibility and one policy for ZfS 3.0.2 Server Inventory:

   Copy Files (ZfS 3.0.2 only)
   NetWare Set Parameters
   Scheduled Down
   Scheduled Load/Unload
   Server Down Process
   Server Scripts
   SNMP Community Strings
   SNMP Trap Target Refresh (ZfS 2 only)
   Text File Changes
   ZENworks Database (ZfS 3.0.2 Server Inventory only)
   ZENworks for Servers

Server Package policies are used for configuring servers and controlling server behavior.

All policies in this package must be associated to be enforced.


Service Location Package Object

The Service Location Package object is an eDirectory container object that manages the following policy objects:

   SMTP Host
   SNMP Trap Targets
   Tiered Electronic Distribution
   ZENworks Database
   ZENworks for Servers License (ZfS 2 only)

Service Location Package policies provide general Policy and Distribution Services configuration and location information.

All policies in this package must be associated to be enforced.

All policies except ZENworks for Servers License are used by ZfS 3.0.2 Distributors and Subscribers.


Distributed Server Package

The Distributed Server Package object is an eDirectory object that manages the following policy objects (ZfS 3.0.2 only):

   Copy Files
   NetWare Set Parameters
   Scheduled Down
   Scheduled Load/Unload
   Server Down Process
   Server Scripts
   SMTP Host
   SNMP Community Strings
   SNMP Trap Targets
   Text File Changes
   ZENworks Database
   ZENworks for Servers

Distributed Server Package policies are used for configuring servers, controlling server behavior, and providing general ZfS configuration and location information.

All policies in this package must be distributed to be enforced.


ZENworks Database Object

The ZENworks Database object provides the location of the ZFSLOG.DB file for logging reporting information. The database file can be installed on NetWare® and Windows servers.

The ZENworks Database object can exist multiple times in a tree, each with its own associated database file; however, there can only be one database file installed per server.

The Server Policies component writes policy information to the ZENworks database (ZFSLOG.DB). Because every server in your network can be running the Policy/Package Agent, they can each write to the database, even across WAN links. If you do not need consolidated server policies reports on all servers, you can install a database to each WAN segment.

If you require consolidated server policies reports, you can have just one ZFSLOG.DB file where all servers running the Policy/Package Agent will log information. The amount of data a Policy/Package Agent writes to the database might not create excessive WAN traffic, depending on the number of servers and speeds of the WAN links.

Because you can install the ZENworks database to multiple servers, to minimize WAN traffic you should coordinate the placement of Policy Package and ZENworks Database objects in containers on the WAN segments.


Policy/Package Agent

Policy and Distribution Services allows you to manage your network servers using the Policy/Package Agent. This agent is installed on each server where you select the Subscriber/Policies installation option.

The Policy/Package Agent does the following:

  • Extracts (installs) a software package's contents.
  • Extracts the policy information from a Policy Package Distribution.
  • Enforces the enabled policies from the extracted policy information based on their enforcement schedules.

There are a number of server policies that provide configuration and behavioral management of your servers. The Policy/Package Agent must be running on each server that you want to manage with policies or that has software packages to extract and install.

The Policy/Package Agent should be installed to every server in your network. Exceptions might be servers where you do not need to distribute software packages, or servers that you do not want to manage using policies.


Enforcing Policies

Most ZfS 3.0.2 policies are enforced by creating the policy package, enabling and configuring the policy, scheduling the package, distributing the package, and extracting the policies on servers.

Some ZfS 3.0.2 policies are enforced by creating the policy package, enabling and configuring the policy, scheduling the package, and associating the package with the containers where the Distributor or Subscriber objects reside.

For more information, review the following:


Scheduling Policies

Some server policies must be scheduled before they can be enforced.

The following schedules can be used:

  • Activate by the Default Package Schedule (which can be set to any of the schedules)
  • Activate on a specified event (such as running at system startup or shutdown)
  • Activate once relative to a period of time
  • Activate at a specified date and time
  • Activate once per year at a specified time
  • Activate once each month at a specified time
  • Activate on one or more days of the week at specified times
  • Activate on one or more days of the week, repeating at a specified interval of time
  • Continuously repeat at a specified interval of time
  • Run immediately
  • Run immediately, repeating at a specified interval of time

IMPORTANT:  If you enable a policy, but do not schedule it, it will activate according to the schedule currently specified in the Default Package Schedule.

The Default Package Schedule provides a default for unscheduled policies in the policy package. The default schedule is the Run At System Startup event.


Distributing Policies

Once you have enabled and configured a policy contained in the Distributed Server Package, you must distribute its policy package to the Subscriber servers where the enabled policies can be placed into effect. In other words, configuring and enabling a policy only sets up the policy. It is enforced through its distribution to and extraction on the applicable servers that are running Policy and Distribution Services.


Associating Policies

Once you have enabled and configured a policy contained in the Server Package or Service Location Package, you must associate its policy package with the containers where Distributor or Subscriber objects reside so that the enabled policies can be placed into effect. This association can be made directly with a container where the Distributor or Subscriber objects reside, or with a container higher in the tree than the container that holds these objects.

Because configuring and enabling a policy only sets up the policy, it is enforced through its association with the applicable servers that are running Policy and Distribution Services.
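
The scheduling, distribution, and association rules above can be checked mechanically against an inventory of policy packages. The following Python sketch is an added example, not part of ZfS or any Novell tooling; the inventory structure, the `schedulable` and `uses_email` flags, and all package, server, and container names are constructed for illustration, and the SMTP Host check is made across the whole inventory rather than per server.

```python
from dataclasses import dataclass, field
from typing import Optional

# How each package type is enforced, per the lists on this page.
ENFORCED_BY = {
    "Distributed Server Package": "distribution",
    "Container Package": "association",
    "Server Package": "association",
    "Service Location Package": "association",
}

@dataclass
class Policy:
    name: str
    enabled: bool = True
    schedule: Optional[str] = None   # None: no individual schedule was set
    schedulable: bool = True         # assumption: supplied by the inventory
    uses_email: bool = False         # E-Mail option selected for notify/log

@dataclass
class Package:
    name: str
    kind: str
    policies: list
    default_schedule: str = "Run At System Startup"    # default stated on this page
    distributed_to: set = field(default_factory=set)   # Subscriber servers
    associated_with: set = field(default_factory=set)  # eDirectory containers

def is_enforced(pkg):
    """A package takes effect only through the mechanism its type requires."""
    if ENFORCED_BY[pkg.kind] == "distribution":
        return bool(pkg.distributed_to)
    return bool(pkg.associated_with)

def effective_schedule(pkg, pol):
    """Enabled but unscheduled policies use the Default Package Schedule."""
    return pol.schedule or pkg.default_schedule

def audit(packages):
    """Return (package, policy, message) tuples for enabled policies at risk."""
    findings = []
    live = [(pkg, pol) for pkg in packages for pol in pkg.policies if pol.enabled]
    smtp_ok = any(pol.name == "SMTP Host" and is_enforced(pkg) for pkg, pol in live)
    for pkg, pol in live:
        if not is_enforced(pkg):
            findings.append((pkg.name, pol.name,
                             "enabled but never enforced: needs " + ENFORCED_BY[pkg.kind]))
            continue
        if pol.schedulable and pol.schedule is None:
            findings.append((pkg.name, pol.name,
                             "no schedule set, runs on: " + effective_schedule(pkg, pol)))
        if pol.uses_email and not smtp_ok:
            findings.append((pkg.name, pol.name,
                             "E-Mail selected but no SMTP Host policy in effect"))
    return findings

# Constructed inventory (hypothetical package, server, and container names).
INVENTORY = [
    Package("Branch Servers", "Distributed Server Package",
            [Policy("Server Scripts", uses_email=True),
             Policy("Text File Changes", schedule="Daily 02:00")],
            distributed_to={"SRV-A"}),
    Package("Legacy Down Rules", "Distributed Server Package",
            [Policy("Server Down Process", schedulable=False)],
            associated_with={"ou=servers,o=example"}),  # associated, never distributed
    Package("Locations", "Service Location Package",
            [Policy("SMTP Host", enabled=False, schedulable=False)],
            associated_with={"o=example"}),
]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(" | ".join(finding))
```

The audit reports three conditions that the console does not make obvious: a Distributed Server Package that was associated instead of distributed, a policy that silently inherits the Run At System Startup default, and e-mail notification selected while no SMTP Host policy is enabled.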


Server Policy Descriptions

The following tables list the server policies by policy package. The second column indicates whether a policy is a configuration or behavioral policy, and whether it is cumulative, plural, or both.


Container Package

This policy description only applies to ZfS 3.0.2. See your ZfS 2 documentation for details on how the Search policy might be used differently for ZfS 2 servers running concurrently with ZfS 3.0.2.

Policy Name: Search
Policy Type Keys: Behavioral
Policy Function: If you don't set a Search policy, the default is to search from the parent container to the root every hour. This can create unnecessary search traffic. Therefore, we recommend that you make effective use of the Search policy.

This Search policy can only be administered in ConsoleOne. A Search policy created in NetWare Administrator for ZENworks will not be recognized in ZfS.

Because most policies in ZfS are distributed rather than associated for enforcement and a Distributor does not receive Distributions, the Search policy is used in ZfS to enable the Distributor Agent to locate and use policies in the Service Location Package. For example, the Distributor Agent uses the package's ZENworks Database policy to write reporting information to the ZfS Database file.

Also, Distributors read the Service Location Package policies for their Subscribers. That means Subscribers receive their Service Location Package policies through associations, as well.


Service Location Package

This policy package is used by both ZfS 2 and ZfS 3.0.2.

Policy Name: SMTP Host
Policy Type Keys: Configuration
Policy Function: Sets the TCP/IP address of the relay host that processes outbound Internet e-mail. This policy must be enabled if you select the E-Mail option for notifying or logging messages in any of the other policies.

Policy Name: SNMP Trap Targets
Policy Type Keys: Configuration
Policy Function: Sets SNMP trap targets for associated eDirectory objects.

In ZfS 3.0.2, this policy can be scheduled for when you want it to be refreshed. In ZfS 2, the SNMP Trap Targets Refresh policy contained in the Server Package must be used for scheduling this policy.

IPX™ addresses are not supported for SNMP trap targets. Only IP addresses and DNS names can be used.

Policy Name: Tiered Electronic Distribution
Policy Type Keys: Configuration
Policy Function: Sets defaults for the Distributor and Subscriber objects, including:

  • I/O rates
  • Maximum concurrent Distributions
  • Connection time-out in minutes
  • Working directory
  • Parent Subscriber
  • Messaging levels for a server's console, SNMP traps, log files, and e-mail notification
  • Extraction Schedule
  • Refresh Schedule
  • Variables

Note that any defaults set here override unchanged defaults in a TED object. However, if a TED object's properties are modified, those modifications have precedence over any defaults set in the TED policy.

Policy Name: ZENworks Database
Policy Type Keys: Configuration
Policy Function: Sets the DN for locating the ZENworks Database object. This policy must be in effect for Policy and Distribution Services to locate a database for logging successes and failures that are used in creating reports.

If a database object is not identified with this policy, Policy and Distribution Services will not use the database to log reporting information. Therefore, you should create this policy to identify the database.

The Policy/Package Agent and the Distributor Agent both write to ZFSLOG.DB. For information on having these agents write to different database files, see Coexisting Databases.

Policy Name: ZENworks for Servers License
Policy Type Keys: Configuration
Policy Function: ZfS 2 only. Identifies the NLS object, otherwise ZfS 2 Policy and Distribution Services will not work.


Server Package

The Server Package exists in ZfS 3.0.2 for backwards compatibility with ZfS 2, such as when upgrading incrementally. This package also exists to provide policies that must be associated, such as for ZfS 3.0.2 Server Inventory or ZENworks for Desktops (ZfD) 3.x or 4.0.1. ZfD would add its own policies to this package when installed.

From a ZfS perspective, this package can display different policies, depending on whether ZfS 2 and ZfS 3.0.2 exist in a mixed environment. For example:

  • The ZENworks Database policy did not exist in ZfS 2, yet it is displayed in this package. Only ZfS 3.0.2 Server Inventory can use this policy.
  • The Copy Files policy did not exist in ZfS 2, yet it is displayed in this package as a policy that can be added. Only ZfS 3.0.2 servers can use this policy.
  • The SNMP Trap Target Refresh policy will not display if only ZfS 3.0.2 is installed. If the ZfS 2 snap-ins are also present, this policy will then be displayed. Only ZfS 2 servers can use this policy.

    There are several policies that are used in ZfS 2 that the ZfS 3.0.2 version of the package will not display, unless the ZfS 2 snap-ins are also present.

In order to manage ZfS 2 servers using the ZfS 3.0.2 Server Package, you must have done the following during upgrading:

  1. Updated the ConsoleOne version that ZfS 2 is using by installing version 1.3.5 over it from the ZENworks for Servers Companion CD or ZENworks 6 Companion 1 CD.
  2. Installed the ZfS 3.0.2 snap-ins to the updated version of ConsoleOne.

After you have done this, you will be able to manage your ZfS 2 servers using the ZfS 3.0.2 version of the Server Package. You will not need to re-create any Server Packages that you created in ZfS 2, because by installing ZfS 3.0.2 snap-ins to the same instance of ConsoleOne where the ZfS 2 snap-ins reside, the existing Server Packages are effectively updated for management using ZfS 3.0.2.

Although the ZENworks Database policy did not exist in ZfS 2, it will be displayed in this package. Only the ZfS 3.0.2 Server Inventory component uses the ZENworks Database policy. For more information, see Configuring the Database Location Policy.

The following table only lists the ZENworks Database policy. For information on the other policies in the Server Package, see the ZfS 2 documentation on the Novell Documentation Web site.

Policy Name: ZENworks Database
Policy Type Keys: Configuration
Policy Function: Sets the DN for locating the ZENworks Database object. This policy must be in effect for Server Inventory to locate a database for logging inventory data.


Distributed Server Package

This package contains the policies that must be distributed to ZfS 3.0.2 servers to be enforced on them.

Policy Name: Copy Files
Policy Type Keys: Plural, Cumulative, Configuration
Policy Function: Enables copying of files on a server from one location to another by using policy configurations.

Policy Name: NetWare Set Parameters
Policy Type Keys: Plural, Cumulative, Configuration
Policy Function: Specifies and optimizes selected Set Parameters for a server or group of servers.

For the NetWare platform only.

Policy Name: Scheduled Down
Policy Type Keys: Plural, Cumulative, Configuration, Behavioral
Policy Function: Schedules when a server should go down, and whether it should be automatically brought back up. The policy includes which command to use in bringing it down (RESET, RESTART, or DOWN).

Policy Name: Scheduled Load/Unload
Policy Type Keys: Plural, Cumulative, Configuration
Policy Function: For automating the loading and unloading order of NLM™ and Java Class processes for the selected servers, and for starting and stopping Windows services. NLM files that require user input to unload cannot be automated.

Policy Name: Server Down Process
Policy Type Keys: Behavioral
Policy Function: For controlling which processes to follow and which conditions to meet before downing a server.

Policy Name: Server Scripts
Policy Type Keys: Plural, Cumulative, Configuration
Policy Function: For automating script usage on your servers.

Policy Name: SMTP Host
Policy Type Keys: Configuration
Policy Function: Sets the TCP/IP address of the relay host that processes outbound Internet e-mail. This policy must be enabled if you select the E-Mail option for notifying or logging messages in any of the other policies.

Policy Name: SNMP Community Strings
Policy Type Keys: Configuration
Policy Function: Allows you to receive and respond to SNMP requests.

Policy Name: SNMP Trap Targets
Policy Type Keys: Configuration
Policy Function: Sets SNMP trap targets for associated eDirectory objects.

This policy can be scheduled for when you want it to be refreshed.

IPX addresses are not supported for SNMP trap targets. Only IP addresses and DNS names can be used.

Policy Name: Text File Changes
Policy Type Keys: Plural, Cumulative, Configuration
Policy Function: For automating changes to text files.

Policy Name: ZENworks Database
Policy Type Keys: Configuration
Policy Function: Sets the DN for locating the ZENworks Database object. This policy must be in effect for Policy and Distribution Services to locate a database for logging successes and failures that are used in creating reports.

If a database object is not identified with this policy, Policy and Distribution Services will not use the database to log reporting information. Therefore, you should create this policy to identify the database.

The Policy/Package Agent and the Distributor Agent both write to ZFSLOG.DB. For information on having these agents write to different database files, see Coexisting Databases.

Policy Name: ZENworks for Servers
Policy Type Keys: Configuration
Policy Function: Basic configuration parameters for Policy and Distribution Services, such as status logging, defining the server console prompt for the Policy/Package Agent, setting its working path, and setting a database purging limit.

This policy can be enabled on each server where you want to enforce server policies. However, if you do not enable the policy, Policy and Distribution Services will work from pre-programmed defaults.