SP1 RC2 Passes the Test

Network engineer Peter Chang gives the final Windows Server 2003 SP1 beta an A-

Many sites tried out Windows Server 2003 Service Pack 1 (SP1) in beta prior to SP1's release in late March. Early this year, Peter Chang, network systems engineer for the City of Redmond, Washington, installed Windows 2003 SP1 Release Candidate 2 (RC2), the final SP1 beta, on 10 servers in the city's 36-server network. In a recent conversation with Windows IT Pro senior editor Anne Grubb, Peter shared his thoughts about the city's experience installing and running SP1 RC2. Here are the highlights.

No-Surprises Installation
Peter and the network services staff installed SP1 RC2 on various file and print servers and other machines, including domain controllers (DCs) running Remote Authentication Dial-In User Service (RADIUS), DNS, DHCP, and WINS; a Windows Media Server system; several Microsoft Internet Information Services (IIS) 6.0 Web servers, and a system running Microsoft Systems Management Server 2003 (SMS 2003). Upgrading each dual-processor Pentium 3 and 4 server to SP1 RC2 took 15 to 20 minutes (excluding installing and running the Security Configuration Wizard—SCW—component). Peter says that the SP1 upgrade was significantly faster than upgrading a client system to Windows XP SP2. "We didn't have to add anything to our servers \[e.g., disk, memory\], and we didn't see any additional load placed on our servers as a result of the service pack upgrade."

Security Configuration Wizard Rocks!
Peter praises SP1's new Security Configuration Wizard (SCW), which is installed separately from the OS upgrade. As part of its security-configuration tasks, SCW identifies all the services that are running on a Windows 2003 server and lets you shut off individual services that you don't need. "You need to make sure that all the applications and services provided by the server are up and running at the time you run SCW," Peter says. "As long as they're running when you run SCW, it does a pretty good job of identifying open ports, open executables, services that are listening for requests, and so on, which makes my job a lot easier."

According to Peter, SCW is a boon for network administrators. "It's much easier to use than Security Configuration Editor (SCE)," he says. "What's great about SCW is that it helps you identify services that aren't required, which until now has been kind of a hit-or-miss undertaking. SCW checks service dependencies and tells you whether anything (e.g., an application or service) is dependent on this service, or whether the service is dependent on anything else," says Peter.

If you need more information about a particular service, you can find it in SCW's built-in knowledge base, an XML file that contains descriptions of the various services. "Because the knowledge base is in XML format, it's extendable, so we can customize it for the third-party applications we use," Peter says.

Another SCW plus is that you can use it to preconfigure services and even Windows Firewall on a Windows 2003 server. "SCW does a good job of analyzing what's currently running on the machine," says Peter. Administrators, he says, can use this knowledge to decide what services should run on a server and then configure the server accordingly via SCW, instead of using a security template or Group Policy Objects (GPOs) to set policies. "I'd like to see Microsoft offer this capability on the client side as well."

Performance Boost
Running SCW provided an unexpected performance benefit for several of the SP1 servers. "We found that, in some cases, memory and CPU utilization actually went down because we were shutting off so many unnecessary services," says Peter, who was able to stop five to 10 services on the various test servers. "Now, granted, because these are built-in services, you don't save a whole lot. But the point is, you save, and when you're trying to squeeze out as much performance as possible from your servers, that's definitely a plus," he says.

A Few "Gotchas"
Peter and his staff encountered several less-welcome surprises from the upgrade, although these gotchas were fairly easy to resolve. "Before the upgrade, we were distributing XP SP2 Windows Firewall settings via our default domain policy," says Peter. However, after IT had installed Windows 2003 SP1 on the first server and turned on the firewall on the server, something strange happened. "The first server that we put the firewall on sucked in all the firewall settings from Group Policy, which automatically blocked the server! It was available for remote administration, but all the services it provided were gone." he says. It turns out that a configured GPO setting related to remote administration was effectively blocking services for the rest of the network. At the time the GPO was configured, IT didn't anticipate adding a Windows-server­based firewall. Solving the problem simply required creating separate firewall settings for servers through a different GPO.

The second gotcha is really more of a constraint imposed by SP1 security. As you might expect, you can roll back any setting that you configure through SCW. However, says Peter, "If you export a configuration so it can be pushed out through Group Policy, you can't automatically roll back to a previous configuration setting."

Finally, Peter discovered an SMS-specific gotcha: SP1 makes changes to Distributed COM (DCOM), such as creating a new local DCOM group on the SMS server. "When we deployed SP1 to our SMS 2003 server, the SMS Administration Console could no longer connect to the server because the SMS administrators hadn't yet been added to the newly created local Distributed COM Users group," he says. "Other applications might also be affected, but we haven't found any yet. We're looking at the new DCOM security settings because they might affect new and existing applications."

Wish List
Of course, there are a few features that Peter would like to see in the SP1 release. "We're hoping that File Replication Service (FRS) version 2 will be an improvement over FRS version 1," he says. He especially would like Microsoft to add support for print services to FRS and Dfs. He also hopes that the new GPO wireless-networking settings in SP1 will make it easier for the city to provide secure wireless services to its employees.

Overall, Peter and the IT staff are satisfied with the improvements they've seen in SP1 and look forward to the final release. "There's a lot of nice new functionality, especially securitywise," he says. "The gotchas are basically the result of improved security, and we can live with that."

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.