(And I'll say I'm only posting this because I've had some not-good experiences with certbot. It is essentially a big foreign environment nailed onto your host and another 'thing' to tend to. Or perhaps you would describe it as Ubuntu Linux being "network belligerent.")
- Opaque and uncommon/needlessly-unfamiliar command-line management toolkit (seriously, what is so difficult about 'output text, receive text as input' in 2017?)
- I cannot, yet, fully manage a Microsoft host from the CLI. What I consider to be 'fully managed' revolves around: installing software, updating software, adding/removing/'managing' users, setting up basic server-like features such as simple firewall rules, viewing common log-files ('user X logged in', 'software Y tried to execute Z task, the result was A'), starting/stopping/troubleshooting daemons, etc
- Pick a major config-management system (my direct experience is with Puppet/Chef/Ansible/Salt). Configuring them to play nice with Windows-anything is an order of magnitude more difficult than even the most baroque *nix-like operating system.
- Licensing. Srsly, charging for the operating system, THEN the web server, AND the 'remote desktop server', PLUS the mail server... is downright punitive. Microsoft does exactly none of these 'well', but they still think they should be able to charge money for it. Their customers, in my opinion, must be masochists.
Lest I be accused of being completely unfamiliar/anti-Microsoft, here's a couple of things I feel they do quite well:
- remote/centralized user management (seriously, Active Directory's extensions and integration of LDAP/Kerberos are quite impressive). Pity it's not even remotely open-sourced, as such any modifications (hesitant to use the word 'improvements') are effectively prohibitively difficult to bring forward unless you're a Microsoft employee, directly assigned to the Active Directory group, in good standing with your direct manager and his manager's manager.
- AAA (authentication/authorization/accounting) - given their AD prowess above, they'd have to be a special kind of stupid to foul this one up. To their credit, it is amazingly easy to assign RBAC to a group of users and apply it site/directory/'forest'-wide, then go back and bean-count exactly which users did what and when, if needed. For a lot of environments, this is a huge plus.
Still, for the vast majority of 'webby' environments, in my professional opinion, Microsoft hasn't been able to hack it for at least a decade now. The market has moved on to more powerful, less costly, more manageable/scalable platforms. If you're running an application, or even serving basic web content, on a Windows-anything, you're needlessly wasting your business time/money/agony if you choose to implement it on a Microsoft stack.
^^^ PowerShell solves this. (AD,DNS,IIS,Exchange,DPM,Hyper-V...)
- I cannot, yet, fully manage a Microsoft host from the CLI. What I consider to be 'fully managed' revolves around: installing software, updating software, adding/removing/'managing' users, setting up basic server-like features such as simple firewall rules, viewing common log-files ('user X logged in', 'software Y tried to execute Z task, the result was A'), starting/stopping/troubleshooting daemons, etc
^^^ Solved by PowerShell (You can even install a GUI-less version of WS2016 and all these will work.)
- Pick a major config-management system (my direct experience is with Puppet/Chef/Ansible/Salt). Configuring them to play nice with Windows-anything is an order of magnitude more difficult than even the most baroque *nix-like operating system.
^^^ I use Ansible Tower to manage a mixed WS and Linux fleet with great success. I only need to run `kinit` once every day to obtain a ticket; all logins afterwards are passwordless.
...because they're all separate pieces of software?
I recently switched all clients to Linux and plan to abandon this approach as I was after proper user/authorization management between my Windows 7 clients and a Linux-based NAS. With Linux the integration via ssh/sshfs is much easier and fits the Linux authorization model better.
As a comparison: Setting up AD properly on all parts cost me at least several weekends. Setting up sshfs took only a few hours. And the latter is much more responsive...