Windows Tips & Tricks UPDATE--March 14, 2005

Windows Tips & Tricks UPDATE, March 14, 2005, brought to you by the Windows IT Pro Network and the Windows 2000 FAQ site
http://www.windows2000faq.com

Make sure your copy of Windows Tips & Tricks UPDATE isn't mistakenly blocked by antispam software! Be sure to add [email protected] to your list of allowed senders and contacts.

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Windows Tips & Tricks UPDATE.

Free White Paper: Measuring the ROI of Systems Management Software
http://www.argent.com/w/whitepapers_ema.html?Source=WNT

The Competitive Advantages of Multi-Platform Remote Control: A Pathway to Increased Productivity
http://www.windowsitpro.com/whitepapers/netopia/remotecontrol/index.cfm?code=t&t0314_s


Sponsor: Free White Paper: Measuring the ROI of Systems Management Software

Argent delivers what a growing number of enterprises need today: flawless management of Windows, UNIX, and application servers; low total cost of ownership; flexible configuration; scalable architecture; modular products; positive ROI; and outstanding customer support. Every enterprise IT department wants value without sacrificing performance, and that describes Argent's value proposition. To read the entire paper, click here:
http://www.argent.com/w/whitepapers_ema.html?Source=WNT


FAQs

  • Q. How can I use Microsoft Systems Management Server (SMS) OS Deployment Feature Pack to deploy an application that only certain groups use?
  • Q. How can I use the Microsoft Systems Management Server (SMS) OS Deployment Feature Pack to deploy software updates?
  • Q. How can I deploy missing patches to my Microsoft Systems Management Server (SMS) clients?
  • Q. How can I use the ADSI Edit tool to check my domain and forest modes?
  • Q. Are any tools available to help configure performance monitoring on Windows 2000 and later computers?

Commentary
by John Savill, FAQ Editor, [email protected]

This week I explain how to use Microsoft Systems Management Server (SMS) OS Deployment Feature Pack to deploy software updates and missing patches and to deploy an application that only certain groups use. I also tell you how to use the ADSI Edit tool to check your domain and forest modes. Finally, I discuss Performance Monitor Wizard, which helps configure performance monitoring on Windows 2000 and later computers.


Sponsor: The Competitive Advantages of Multi-Platform Remote Control: A Pathway to Increased Productivity

The largest cost component associated with computers in the workplace is "misdirected end user activities" - the amount of time wasted by end users trying to fix a problem themselves or trying to help a colleague fix a problem that is best handled by IT staff. In this free white paper discover how to achieve a faster resolution of IT-related problems, reduce end-user downtime, increase employee productivity, and operate in a more efficient manner. Learn how your company can intelligently manage their enterprise environment and possess an inherent competitive advantage.

Discover how you can outperform the competition by controlling costs and boosting productivity and download this free white paper now!
http://www.windowsitpro.com/whitepapers/netopia/remotecontrol/index.cfm?code=t&t0314_s


FAQs

Q. How can I use the Microsoft Systems Management Server (SMS) OS Deployment Feature Pack to deploy an application that only certain groups use?

A. I've discussed in earlier FAQs how to use the SMS OS Deployment Feature Pack to deploy the core applications that every desktop uses, but deploying applications that only certain groups use requires a different procedure. To accomplish this, perform these steps:

  1. Start the Microsoft Management Console (MMC) SMS Administrator Console snap-in (Start, Programs, Systems Management Server, SMS Administrator Console).
  2. Expand Image Packages, expand OS Package, and select Programs.
  3. Right-click OS Program and select Properties.
  4. Click the Advanced tab.
  5. Right-click Phase and from the drop-down menu select State Restore, then click Add.
  6. Select Run Software Distribution Program and click OK, as the figure at http://www.windowsitpro.com/articles/images/smsosdproginst1.gif shows. Enter a description for the program you're adding, select a package from the drop-down menu, then select a program for that package. Notice that only programs that don't require a user to be logged on are available to select; the installation must be a per-system installation. Click OK.
  7. On the Program properties page, click OK.
  8. Your new program will be listed. Notice that you can move the listed tasks up or down to set the order in which they run, as the figure at http://www.windowsitpro.com/articles/images/smsosdpackdeploy.gif shows. Click OK.

You then need to refresh the distribution points via the standard SMS distribution point procedures.

Q. How can I use the Microsoft Systems Management Server (SMS) OS Deployment Feature Pack to deploy software updates?

A. SMS 2003 can determine the patch status of its clients and can deploy missing fixes. To take advantage of this functionality, you must download the client-side scanning tools from Microsoft. The tools aren't part of SMS because Microsoft periodically updates the tools to take advantage of new patch-listing formats and features, so you need to check back on a monthly basis for new versions of the tools. Your SMS configuration will automatically connect to Microsoft periodically to check for new patch listings so that it can confirm that systems are current with the latest updates and deploy the fixes when required. The SMS software update feature tracks not only the core OS patch status but also Microsoft Office, Microsoft Exchange Server, Microsoft SQL Server, Microsoft IIS, and other similar applications. Unlike Microsoft Software Update Services (SUS), SMS lets you download only fixes that are missing from your clients; you can't download all available fixes. Therefore, if you want to create a package with all available fixes, you need to build a reference machine that has no fixes installed. Then allow SMS to capture the machine's patch status. Afterward, you can download all fixes available for that OS to the SMS Server for client distribution purposes. To deploy software updates via the SMS OS Deployment Feature Pack, perform the following steps:

  1. Download the client-side scanning tools at http://www.microsoft.com/smserver/downloads/2003/featurepacks/suspack/default.asp
  2. Double-click the downloaded file to extract it to a specified folder (e.g., C:\temp\scantools).
  3. Open the extraction folder and double-click SecurityPatch_enu.exe to open the welcome screen of the Security Update Inventory Tool Installation. Click Next.
  4. Accept the license agreement and click Next.
  5. Accept the location for the installation (or modify the location, if required) and click Next.
  6. Click Download to download the latest version of the scanning-tool XML database. If you don't have Internet connectivity on the SMS server, manually download the mssecure.cab file at http://go.microsoft.com/fwlink/?LinkId=23190 from a machine that does have Internet connectivity. Save the file in the C:\program files\securitypatch\pkgsource\1033 folder (if you accepted the default location for the program installation), and make sure the file is named mssecure.cab (not mssecure_1033.cab). You might need to create the 1033 subfolder. Click Next.
  7. Click Next at the installation dialog box.
  8. The tool asks whether you want the installation to automatically create a collection and advertisement. Select both check boxes. You can also opt to assign the package to all distribution points. Enter a package name (e.g., Software Scanning Tools) and click Next, as the figure at http://www.windowsitpro.com/articles/images/smssus1.gif shows.
  9. Enter the name of the server that you'll use to periodically check for new versions of the update database. By default, this will be the SMS server, assuming that it has Internet connectivity. Click Next.
  10. Enter the name of a test computer--an SMS-known machine, which can't be the SMS server--and click Next. If you don't want to use this option, then you should have cleared the Create Collection check box in step 8.
  11. Click Next.
  12. Click Finish to complete the installation.

In your SMS infrastructure, you'll now notice three additional objects: the Software Scanning Tools collection and two new advertisements, Software Scanning Tools Sync and Software Scanning Tools. The Software Scanning Tools Sync advertisement is responsible for obtaining the current update database, so you should leave it alone. However, you can modify the Software Scanning Tools advertisement or create your own advertisement to push the scanning tool to other systems. By default, the advertisement services only the Software Scanning Tools collection, which contains your test machine. You can change this setting to point to, for example, All Systems. If you look at the advertisement in detail, you can see that it runs once a week at a specific time. By default, this is the same time that the Software Scanning Tools Sync advertisement runs, which isn't ideal because you want to download the new patch file before advertising it to clients. I usually modify the Software Scanning Tools advertisement to start a few hours after the Sync advertisement runs. You should test the updates first, so it's a good idea to leave this default test machine available for patch package deployment testing.

Now repeat the entire update-deployment process for the Office Patch (officepatch_enu.exe). If you don't have connectivity, download the files (invcm.exe and invcif.exe) at http://go.microsoft.com/fwlink/?LinkId=9158 and http://go.microsoft.com/fwlink/?LinkId=9159 and save them to the C:\program files\officepatch\pkgsource folder. Name the package Office Scanning Tools.

On client machines, you can force discovery of the software-scanning advertisement by manually initiating the Machine Policy Retrieval & Evaluation Cycle. After a few minutes, open Windows Task Manager to check whether scanwrapper.exe and mbsacli.exe execute; you can also check the scanwrapper.log file in the C:\windows\system32\ccm\logs folder for execution confirmation. Then you can force a hardware inventory cycle to report the client's patch status back to the SMS server.

Q. How can I deploy missing patches to my Microsoft Systems Management Server (SMS) clients?

A. After you scan your systems to determine missing patches, perform these steps to deploy them:

  1. Start the Microsoft Management Console (MMC) SMS Administrator Console snap-in (Start, Programs, Systems Management Server, SMS Administrator Console).
  2. Click the Software Updates branch. Doing so displays which patches are missing on your systems as well as how many systems are missing the patch and how many have it installed.
  3. Right-click Software Updates and select Distribute Software Updates from the All Tasks context menu.
  4. The Distribute Software Updates Wizard will open. Click Next. The wizard asks for the software update type. For OS fixes, the update type is MBSA.
  5. Click Next.
  6. Select an SMS package. You need to either create a new package or add fixes to an existing patch package. For our example, select New and click Next.
  7. Enter a package name. Give it an intuitive name that identifies the package contents (e.g., Windows XP fixes). Click Next.
  8. You can customize the notification that users receive (e.g., add the organization name). Click Next.
  9. Select the scanning tool you use to inventory your systems (e.g., Software Scanning Tools). Click Next.
  10. Select the fixes you want to include in the package, as the figure at http://www.windowsitpro.com/articles/images/smssusfixdeploy4.gif shows. Click Next.
  11. Enter a source location for the fixes. By default, this will be the root of the C drive. You might want to create a patch share and modify the default path, as the figure at http://www.windowsitpro.com/articles/images/smssusfixdeploy5.gif shows. You can opt to download the fixes automatically, or you can download them manually by selecting "I will download the source files myself." Click Next.
  12. You'll see a list of fixes and their ready status. Select each fix in turn and click Properties to view the properties for each fix, as the figure at http://www.windowsitpro.com/articles/images/smssusfixdeploy7.gif shows. You can see the path where you can download each fix in the Binary Path field. You can cut and paste this download link value to download from another box that does have Internet connectivity. You need to manually add the parameters for the fixes. The Microsoft article "Summary of command-line syntax for software updates in Systems Management Server" ( http://support.microsoft.com/?kbid=810232 ) lists the available parameters. For most fixes, you can use the /quiet /passive /norestart options, but you can confirm the required parameters on a patch-by-patch basis by opening a command line and entering the patch followed by the /? option, as the following example shows:

    WindowsXP-KB891711-x86-ENU.exe /?

    This command displays a list of the patch's options. If you manually download the fixes, you need to place them in the package source folder (e.g., E:\patchsource\mbsa - windows xp fixes\windows xp sp1\1033).

  13. After you add the parameters to all the fixes, and they're marked Ready, as the figure at http://www.windowsitpro.com/articles/images/smssusfixdeploy8.gif shows, click Next.
  14. The wizard displays a list of distribution points. Select the distribution points you want to deploy the fixes to and click Next.
  15. Specify the actions that the installation agent should take after installing the updates. (For example, select "Collect client inventory immediately" if you want to send up-to-date information back to the SMS server as quickly as possible.) You can also choose how to handle system restarts (e.g., let the user postpone restarting until a convenient time). Click Next.
  16. Select Countdown options for how much time users have before execution begins and how long the patch execution can run (e.g., after 30 minutes, assume execution has failed and give up). Click Next.
  17. Select whether to notify users about the patch activity (for Advanced clients only) and whether to let users postpone the installation. If you previously selected the option to make the installation unattended, you can't choose to set a maximum postponement time. Click Next.
  18. Select whether to automatically create an advertisement for the new patch package, and if so, select a collection to target (e.g., all Windows XP Systems) and click Next.
  19. Click Finish.
Phew! Now go get a drink, you deserve it.
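Both the offline mssecure.cab step in the previous FAQ and the manual patch download in step 12 carry files from an Internet-connected machine into an SMS package source folder. The following is an added example, not from the original newsletter, that checks the Authenticode signature before staging such a file. The function name and the D:\transfer folder are hypothetical, and it assumes the downloaded files carry a Microsoft signature.

```powershell
# Added example (not from the original newsletter).
# Verifies that a manually downloaded file is validly signed by Microsoft
# before copying it into an SMS package source folder under the required name.

function Copy-VerifiedDownload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$DestinationFolder,
        # Name the file must have in the package source (defaults to the source name).
        [string]$DestinationName = (Split-Path -Path $Source -Leaf)
    )

    if (-not (Test-Path -LiteralPath $Source -PathType Leaf)) {
        throw "Source file not found: $Source"
    }

    # Status is Valid only if the file hash matches the signature and the
    # signer's certificate chains to a root this machine trusts.
    $sig = Get-AuthenticodeSignature -LiteralPath $Source
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        throw "Signature check failed for $Source ($($sig.Status)): $($sig.StatusMessage)"
    }

    # Assumption: the signer subject names Microsoft Corporation as the organization.
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Unexpected signer for ${Source}: $($sig.SignerCertificate.Subject)"
    }

    # The page notes that the 1033 subfolder might not exist yet.
    if (-not (Test-Path -LiteralPath $DestinationFolder -PathType Container)) {
        New-Item -ItemType Directory -Path $DestinationFolder -Force | Out-Null
    }

    $target = Join-Path -Path $DestinationFolder -ChildPath $DestinationName
    Copy-Item -LiteralPath $Source -Destination $target -Force

    # Confirm the staged copy is byte-identical to the file that was verified.
    $srcHash = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        Remove-Item -LiteralPath $target -Force
        throw "Staged copy of $Source does not match the verified source file."
    }

    [pscustomobject]@{
        StagedPath = $target
        Signer     = $sig.SignerCertificate.Subject
        SHA256     = $dstHash
    }
}

# Scanning-tool database: the staged file must be named mssecure.cab.
# D:\transfer is a hypothetical folder holding the files brought over from
# the Internet-connected machine.
Copy-VerifiedDownload -Source 'D:\transfer\mssecure_1033.cab' `
    -DestinationFolder 'C:\program files\securitypatch\pkgsource\1033' `
    -DestinationName 'mssecure.cab'

# A manually downloaded fix, staged into the page's sample package source folder.
Copy-VerifiedDownload -Source 'D:\transfer\WindowsXP-KB891711-x86-ENU.exe' `
    -DestinationFolder 'E:\patchsource\mbsa - windows xp fixes\windows xp sp1\1033'
```

A file that fails either check is never copied, so nothing unsigned or tampered with reaches the distribution points from this path.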

Q. How can I use the ADSI Edit tool to check my domain and forest modes?

A. Domain and forest modes are defined by a combination of three values: For the domain mode, you need to check the msDS-Behavior-Version and nTMixedDomain attributes of the Domain container; for the forest mode, you check the msDS-Behavior-Version attribute of the Partitions container, which you'll find in the Configuration object of the Forest root. To view these attributes, perform these steps:

  1. Start ADSI Edit (Start, Run, adsiedit.msc). This tool is part of the Windows 2000 and later Support Tools, so make sure you have these tools installed.
  2. Expand the Domain branch. Right-click the domain name and select Properties from the context menu. (If the domain you want isn't displayed, select "Connect to..." from the root context menu and enter the domain information, including credentials for a connection.)
  3. Click the Attribute Editor tab and scroll down to view the msDS-Behavior-Version and nTMixedDomain values. These are the domain-specific values.
  4. Expand the Configuration object at the root of adsiedit and expand the Configuration container specific to your forest. Right-click the CN=Partitions container and select Properties.
  5. Click the Attribute Editor tab to view the msDS-Behavior-Version value, as the figure at http://www.windowsitpro.com/articles/images/adsieditformode.gif shows. Click OK.
  6. Close ADSI Edit.

Table 1 at http://www.windowsitpro.com/articles/images/table1.htm and Table 2 at http://www.windowsitpro.com/articles/images/table2.htm show the domain and forest mode according to the combination of values.
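The same three attributes can be read from a script instead of through ADSI Edit. The following is an added example, not from the original newsletter; the function names are hypothetical. The value-to-mode mapping in it is the standard one for these attributes and is not reproduced on this page, which links to Table 1 and Table 2 instead.

```powershell
# Added example (not from the original newsletter).
# Reads msDS-Behavior-Version and nTMixedDomain from the domain object and
# msDS-Behavior-Version from CN=Partitions, then names the resulting modes.
# Run on a domain-joined machine; the bind uses the caller's credentials.

function Get-IntAttribute {
    param($Entry, [string]$Name)
    $value = $Entry.Properties[$Name].Value
    # msDS-Behavior-Version is absent until the Windows Server 2003 schema
    # is in place; an absent attribute is equivalent to 0.
    if ($null -eq $value) { return 0 }
    return [int]$value
}

function Get-DomainModeName {
    param([int]$BehaviorVersion, [int]$NtMixedDomain)
    switch ($BehaviorVersion) {
        0 {
            if ($NtMixedDomain -eq 1) { return 'Windows 2000 mixed' }
            return 'Windows 2000 native'
        }
        1 { return 'Windows Server 2003 interim' }
        2 { return 'Windows Server 2003' }
        default { return "Newer than Windows Server 2003 (value $BehaviorVersion)" }
    }
}

function Get-ForestModeName {
    param([int]$BehaviorVersion)
    switch ($BehaviorVersion) {
        0 { return 'Windows 2000' }
        1 { return 'Windows Server 2003 interim' }
        2 { return 'Windows Server 2003' }
        default { return "Newer than Windows Server 2003 (value $BehaviorVersion)" }
    }
}

# RootDSE supplies the distinguished names, so nothing is hard-coded.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.Properties['defaultNamingContext'].Value
$configDn = [string]$rootDse.Properties['configurationNamingContext'].Value

$domain     = [ADSI]"LDAP://$domainDn"
$partitions = [ADSI]"LDAP://CN=Partitions,$configDn"

$domainVersion = Get-IntAttribute -Entry $domain     -Name 'msDS-Behavior-Version'
$mixedFlag     = Get-IntAttribute -Entry $domain     -Name 'nTMixedDomain'
$forestVersion = Get-IntAttribute -Entry $partitions -Name 'msDS-Behavior-Version'

[pscustomobject]@{
    Domain                = $domainDn
    DomainBehaviorVersion = $domainVersion
    NtMixedDomain         = $mixedFlag
    DomainMode            = Get-DomainModeName -BehaviorVersion $domainVersion -NtMixedDomain $mixedFlag
    ForestBehaviorVersion = $forestVersion
    ForestMode            = Get-ForestModeName -BehaviorVersion $forestVersion
}
```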

Q. Are any tools available to help configure performance monitoring on Windows 2000 and later computers?

A. Microsoft has released the Performance Monitor Wizard, which you can download at http://www.microsoft.com/downloads/details.aspx?FamilyID=31FCCD98-C3A1-4644-9622-FAA046D69214&displaylang=en. After you download the .zip file, extract the two files to a folder of your choice. One of the files is the license agreement for the utility, and the other is the perfwiz.exe image, which is the actual tool. The Performance Monitor Wizard isn't as sophisticated as the Windows Server 2003 Server Performance Advisor, which I discuss in the FAQ "How can I use the Windows Server 2003 Performance Advisor?" ( http://www.windowsitpro.com/articles/index.cfm?articleid=45281 ), but you can use the tool on a wider range of OSs. The Performance Monitor Wizard is a dialog-based tool that asks questions about the computing environment so that it can enable the correct Performance Monitor counters. The tool creates log files to help you troubleshoot general Windows and Microsoft Exchange Server performance problems. To use the tool, perform these steps:

  1. Start the Performance Monitor Wizard (perfwiz.exe) and click Next at the Welcome screen.
  2. Enter the name of the computer on which you want to collect the logs. The default computer is the local machine. Click Next.
  3. Select Create New Log, or if you previously defined a log or have a log running, select that log from the list. (The wizard gives you the option to start or stop the already defined log, as the figure at http://www.windowsitpro.com/articles/images/perfwiz1.gif shows.) Click Next.
  4. The wizard asks for the type of profile to use--Standard Perfmon, High CPU Usage, or Advanced Configuration. Select a profile and click Next.
  5. Enter the name of the computer you want to monitor, and if that computer is a system running Exchange Server or Windows 2000 Server Terminal Services (which means the wizard will collect additional information), select the associated check box. Click Next.
  6. Enter a name for the new log collection. Then configure the maximum size for the logs and a location to store the logs (by default C:\perflogs). Click Next.
  7. Select how often the problem occurs. (For example, if you enter "every 6 hours," the wizard will automatically modify how often it takes a sample.) Click Next.
  8. Click Start to begin logging and click Next.
  9. Click Finish.

When you start a log collection, it runs in the background under the regular Performance Monitor services (Performance Logs and Alerts). The wizard doesn't display the logs; it simply creates the log files. To display the logs, you need to start Performance Monitor and select as the source the binary file that's created by the logging process, as the following steps illustrate:

  1. Start the Microsoft Management Console (MMC) Performance Monitor snap-in (Start, Programs, Administrative Tools, Performance).
  2. Right-click the graph section of the snap-in and select Properties.
  3. Select the Source tab.
  4. Select Log files and click Add. Navigate to the C:\perflogs folder (the default location for the log files), select the log file, and click OK, as the figure at http://www.windowsitpro.com/articles/images/permmonsourceset.gif shows.
  5. Click OK to close the System Monitor Properties dialog box.

You can now add more counters to the log display from the data that was captured during the collection period.

Events and Resources
(A complete Web and live events directory brought to you by Windows IT Pro: http://www.windowsitpro.com/events )

Plan For or Prevent Exchange Messaging Disasters

In this free Web seminar, join Exchange MVP Paul Robichaux as he describes some operational scenarios in which "disaster recovery" takes a back seat to "business continuance." Learn how to be prepared for events that might otherwise wipe out your messaging capability and how you can survive them with your messaging and job intact.
http://www.windowsitpro.com/seminars/exchangedisasterrecovery/index.cfm?code=0316emailanns

Get Ready for SQL Server 2005 Roadshow in a City Near You

Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!
http://www.windowsitpro.com/roadshows/sqlserverusa/index.cfm?code=0314emailanncs

Empower Users and Produce Substantial ROI

Join industry expert David Chernicoff in this free Web seminar to learn how to integrate and automate fax from messaging systems such as Microsoft Exchange Server and Outlook and other various applications. And learn how to improve document handling and delivery by streamlining the integration of fax services into everyday business processes.
http://www.windowsitpro.com/seminars/faxservers/index.cfm?code=0316emailannc

Achieve High Availability and Disaster Recovery for Microsoft Servers

Attend this free Web seminar for your chance to win a $1000 American Express Gift Check! In this Web seminar, discover what it takes to minimize the likelihood of downtime through reliability and resilience in your Microsoft server environment, including Exchange, SQL Server, File Server, IIS, and SharePoint. Sign up today!
http://www.windowsitpro.com/seminars/microsofthighavailability/index.cfm?code=0316emailannc

New eBook--Windows Certification and Public Keys

PKI services are increasingly important in today's IT environment. PKI offers strong security services to internal and external users, computers, and applications. In this free eBook you’ll discover a starting point for understanding the PKI and certificate services available in Windows Server 2003. Download it now and learn about trust relationships, validating digital certificates, and more.
http://www.windowsitlibrary.com/ebooks/WindowsCertification/index.cfm?code=0316emailannc

Announcements
(from Windows IT Pro and its partners)

Get Windows IT Pro at 44% Off!

Windows & .NET Magazine is now Windows IT Pro! Act now to get an entire year for just $39.95--that's 44% off the cover price! Our March issue shows you what you need to know about Windows Server 2003 SP1, how to get the best out of your IT staff, and how to fight spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0. This is a limited-time, risk-free offer, so click here now:
http://www.windowsitpro.com/rd.cfm?code=theu2052up

Get SQL Server Magazine and Get Answers

Subscribe to SQL Server Magazine today and get the latest "Top SQL Server Tips" handbook (includes over 60 helpful SQL Server tips) and free online access to every article ever published in the magazine--that's thousands of problem-solving solutions, expert tips, tricks, and the latest insider notes to help you get the most out of SQL Server. Sign up today:
http://www.sqlmag.com/rd.cfm?code=tgeu2153ts

Event Log Chat

Randy Franklin Smith is one of the foremost authorities on the Windows Security Event Log and a respected trainer who teaches Monterey Technology Group's "Security Log Secrets" course. In his article in the March issue of Windows IT Pro, Randy shines a light on this dark and mysterious corner of cryptic event IDs and codes and inaccurate Microsoft documentation. Here's your chance to ask Randy your questions about the Event Log and get answers Microsoft doesn't provide. Join the chat on March 16 at 4:00 p.m. EST. Visit
http://www.microsoft.com/communities/chats/default.mspx#050316_TN_SecEv


This email newsletter is brought to you by Windows IT Pro, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
http://www.windowsitpro.com/rd.cfm?code=00eu205xeb

Windows Tips &amp Tricks UPDATE, March 14, 2005, —brought to you by the Windows IT Pro Network and the Windows 2000 FAQ site
http://www.windows2000faq.com

Make sure your copy of Windows Tips & Tricks UPDATE isn't mistakenly blocked by antispam software! Be sure to add [email protected] to your list of allowed senders and contacts.

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Windows Tips & Tricks UPDATE.

Free White Paper: Measuring the ROI of Systems Management Software
http://www.argent.com/w/whitepapers_ema.html?Source=WNT

The Competitive Advantages of Multi-Platform Remote Control: A Pathway to Increased Productivity
http://www.windowsitpro.com/whitepapers/netopia/remotecontrol/index.cfm?code=t&t0314_s


Sponsor: Free White Paper: Measuring the ROI of Systems Management Software

Argent delivers what a growing number of enterprises need today: flawless management of Windows, UNIX, and application servers; low total cost of ownership; flexible configuration; scalable architecture; modular products; positive ROI; and outstanding customer support. Every enterprise IT department wants value without sacrificing performance, and that describes Argent's value proposition. To read the entire paper, click here:
http://www.argent.com/w/whitepapers_ema.html?Source=WNT


FAQs

  • Q. How can I use Microsoft Systems Management Server (SMS) OS Deployment Feature Pack to deploy an application that only certain groups use?
  • Q. How can I use the Microsoft Systems Management Server (SMS) OS Deployment Feature Pack to deploy software updates?
  • Q. How can I deploy missing patches to my Microsoft Systems Management Server (SMS) clients?
  • Q. How can I use the ADSI Edit tool to check my domain and forest modes?
  • Q. Are any tools available to help configure performance monitoring on Windows 2000 and later computers?

Commentary
by John Savill, FAQ Editor, [email protected]

This week I explain how to use Microsoft Systems Management Server (SMS) OS Deployment Feature Pack to deploy software updates and missing patches and to deploy an application that only certain groups use. I also tell you how to use the ADSI Edit tool to check your domain and forest modes. Finally, I discuss Performance Monitor Wizard, which helps configure performance monitoring on Windows 2000 and later computers.


Sponsor: The Competitive Advantages of Multi-Platform Remote Control: A Pathway to Increased Productivity

The largest cost component associated with computers in the workplace is "misdirected end user activities" - the amount of time wasted by end users trying to fix a problem themselves or trying to help a colleague fix a problem that is best handled by IT staff. In this free white paper discover how to achieve a faster resolution of IT-related problems, reduce end-user downtime, increase employee productivity, and operate in a more efficient manner. Learn how your company can intelligently manage their enterprise environment and possess an inherent competitive advantage.

Discover how you can outperform the competition by controlling costs and boosting productivity and download this free white paper now!
http://www.windowsitpro.com/whitepapers/netopia/remotecontrol/index.cfm?code=t&t0314_s


FAQs

Q. How can I use the Microsoft Systems Management Server (SMS) OS Deployment Feature Pack to deploy an application that only certain groups use?

A. I've discussed in earlier FAQs how to use the SMS OS Deployment Feature Pack to deploy the core applications that every desktop uses, but deploying applications that only certain groups use requires a different procedure. To accomplish this, perform these steps: 1. Start the Microsoft Management Console (MMC) SMS Administrator Console snap-in (Start, Programs, Systems Management Server, SMS Administrator Console.) 2. Expand Image Packages, expand OS Package, and select Programs. 3. Right-click OS Program and select Properties. 4. Click the Advanced tab. 5. Right-click Phase and from the drop-down menu select State Restore, then click Add. 6. Select Run Software Distribution Program and click OK, as the figure at http://www.windowsitpro.com/articles/images/smsosdproginst1.gif shows. Enter a description for the program you're adding, select a package from the drop-down menu, then select a program for that package. Notice that only programs that don't require a user to be logged on are available to select; the installation must be a per-system installation. Click OK. 7. On the Program properties page, click OK. 8. Your new program will be listed. Notice that you can move the listed tasks up or down to set the order in which they run, as the figure at http://www.windowsitpro.com/articles/images/smsosdpackdeploy.gif shows. Click OK.

You then need to refresh the distribution points via the standard SMS distribution point procedures.

Q. How can I use the Microsoft Systems Management Server (SMS) OS Deployment Feature Pack to deploy software updates?

A. SMS 2003 can determine the patch status of its clients and can deploy missing fixes. To take advantage of this functionality, you must download the client-side scanning tools from Microsoft. The tools aren't part of SMS because Microsoft periodically updates the tools to take advantage of new patch-listing formats and features, so you need to check back on a monthly basis for new versions of the tools. Your SMS configuration will automatically connect to Microsoft periodically to check for new patch listings so that it can confirm that systems are current with the latest updates and deploy the fixes when required. The SMS software update feature tracks not only the core OS patch status but also Microsoft Office, Microsoft Exchange Server, Microsoft SQL Server, Microsoft IIS, and other similar applications.

Unlike Microsoft Software Update Services (SUS), SMS lets you download only fixes that are missing from your clients; you can't download all available fixes. Therefore, if you want to create a package with all available fixes, you need to build a reference machine that has no fixes installed. Then allow SMS to capture the machine's patch status. Afterward, you can download all fixes available for that OS to the SMS Server for client distribution purposes.

To deploy software updates via the SMS OS Deployment Feature Pack, perform the following steps:

1. Download the client-side scanning tools at http://www.microsoft.com/smserver/downloads/2003/featurepacks/suspack/default.asp
2. Double-click the downloaded file to extract it to a specified folder (e.g., C:\temp\scantools).
3. Open the extraction folder and double-click SecurityPatch_enu.exe to open the welcome screen of the Security Update Inventory Tool Installation. Click Next.
4. Accept the license agreement and click Next.
5. Accept the location for the installation (or modify the location, if required) and click Next.
6. Click Download to download the latest version of the scanning-tool XML database. If you don't have Internet connectivity on the SMS server, manually download the mssecure.cab file at http://go.microsoft.com/fwlink/?LinkId=23190 from a machine that does have Internet connectivity. Save the file in the C:\program files\securitypatch\pkgsource\1033 folder (if you accepted the default location for the program installation), and make sure the file is named mssecure.cab (not mssecure_1033.cab). You might need to create the 1033 subfolder. Click Next.
7. Click Next at the installation dialog box.
8. The tool asks whether you want the installation to automatically create a collection and advertisement. Select both check boxes. You can also opt to assign the package to all distribution points. Enter a package name (e.g., Software Scanning Tools) and click Next, as the figure at http://www.windowsitpro.com/articles/images/smssus1.gif shows.
9. Enter the name of the server that you'll use to periodically check for new versions of the update database. By default, this will be the SMS server, assuming that it has Internet connectivity. Click Next.
10. Enter the name of a test computer--an SMS-known machine, which can't be the SMS server--and click Next. If you don't want to use this option, then you should have cleared the Create Collection check box in step 8.
11. Click Next.
12. Click Finish to complete the installation.

In your SMS infrastructure, you'll now notice three additional objects: the Software Scanning Tools collection and the two new advertisements, Software Scanning Tools Sync and Software Scanning Tools. The Software Scanning Tools Sync advertisement is responsible for obtaining the current update database, so you should leave it alone. However, you can modify the Software Scanning Tools advertisement or create your own advertisement to push the scanning tool to other systems. By default, the advertisement services only the Software Scanning Tools collection, which contains your test machine. You can change this setting to point to, for example, All Systems.

If you look at the advertisement in detail, you can see that it runs once a week at a specific time. By default, this is the same time that the Software Scanning Tools Sync advertisement runs, which isn't ideal because you want to download the new patch file before advertising it to clients. I usually modify the Software Scanning Tools advertisement to start a few hours after the Sync advertisement runs. You should test the updates first, so it's a good idea to leave this default test machine available for patch package deployment testing.

Now repeat the entire update-deployment process for the Office Patch (officepatch_enu.exe). If you don't have connectivity, download the files at http://go.microsoft.com/fwlink/?LinkId=9158 and http://go.microsoft.com/fwlink/?LinkId=9159 and save them (invcm.exe and invcif.exe) to the C:\program files\officepatch\pkgsource folder. Name the package Office Scanning Tools.

On client machines, you can force discovery of the software-scanning advertisement by manually initiating the Machine Policy Retrieval & Evaluation Cycle. After a few minutes, open Windows Task Manager to check whether scanwrapper.exe and mbsacli.exe execute; you can also check the scanwrapper.log file in the C:\windows\system32\ccm\logs folder for execution confirmation. Then you can force a hardware inventory cycle to report the client's patch status back to the SMS server.

Q. How can I deploy missing patches to my Microsoft Systems Management Server (SMS) clients?

A. After you scan your systems to determine missing patches, perform these steps to deploy them:

1. Start the Microsoft Management Console (MMC) SMS Administrator Console snap-in (Start, Programs, Systems Management Server, SMS Administrator Console).
2. Click the Software Updates branch. Doing so displays which patches are missing on your systems as well as how many systems are missing the patch and how many have it installed.
3. Right-click Software Updates and select Distribute Software Updates from the All Tasks context menu.
4. The Distribute Software Updates Wizard will open. Click Next. The wizard asks for the software update type. For OS fixes, the update type is MBSA.
5. Click Next.
6. Select an SMS package. You need to either create a new package or add fixes to an existing patch package. For our example, select New and click Next.
7. Enter a package name. Give it an intuitive name that identifies the package contents (e.g., Windows XP fixes). Click Next.
8. You can customize the notification that users receive (e.g., add the organization name). Click Next.
9. Select the scanning tool you use to inventory your systems (e.g., Software Scanning Tools). Click Next.
10. Select the fixes you want to include in the package, as the figure at http://www.windowsitpro.com/articles/images/smssusfixdeploy4.gif shows. Click Next.
11. Enter a source location for the fixes. By default, this will be the root of the C drive. You might want to create a patch share and modify the default path, as the figure at http://www.windowsitpro.com/articles/images/smssusfixdeploy5.gif shows. You can opt to download the fixes automatically, or you can download them manually by selecting "I will download the source files myself." Click Next.
12. You'll see a list of fixes and their ready status. Select each fix in turn and click Properties to view the properties for each fix, as the figure at http://www.windowsitpro.com/articles/images/smssusfixdeploy7.gif shows. You can see the path where you can download each fix in the Binary Path field. You can cut and paste this download link value to download from another box that does have Internet connectivity. You need to manually add the parameters for the fixes. The Microsoft article "Summary of command-line syntax for software updates in Systems Management Server" ( http://support.microsoft.com/?kbid=810232 ) lists the available parameters. For most fixes, you can use the /quiet /passive /norestart options, but you can confirm the required parameters on a patch-by-patch basis by opening a command line and entering the patch followed by the /? option, as the following example shows:

    WindowsXP-KB891711-x86-ENU.exe /?

    This command displays a list of the patch's options. If you manually download the fixes, you need to place them in the package source folder (e.g., E:\patchsource\mbsa - windows xp fixes\windows xp sp1\1033).
13. After you add the parameters to all the fixes, and they're marked Ready, as the figure at http://www.windowsitpro.com/articles/images/smssusfixdeploy8.gif shows, click Next.
14. The wizard displays a list of distribution points. Select the distribution points you want to deploy the fixes to and click Next.
15. Specify the actions that the installation agent should take after installing the updates. (For example, select "Collect client inventory immediately" if you want to send up-to-date information back to the SMS server as quickly as possible.) You can also choose how to handle system restarts (e.g., let the user postpone restarting until a convenient time). Click Next.
16. Select Countdown options for how much time users have before execution begins and how long the patch execution can run (e.g., after 30 minutes, assume execution has failed and give up). Click Next.
17. Select whether to notify users about the patch activity (for Advanced clients only) and whether to let users postpone the installation. If you previously selected the option to make the installation unattended, you can't choose to set a maximum postponement time. Click Next.
18. Select whether to automatically create an advertisement for the new patch package, and if so, select a collection to target (e.g., all Windows XP Systems) and click Next.
19. Click Finish.

Phew! Now go get a drink, you deserve it.
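Fixes that you download manually on another machine end up in the folder that SMS distributes to every targeted client, so it's worth confirming each file's Authenticode signature before you stage it. The following PowerShell is an added example, not part of the original newsletter: the download folder is a hypothetical path, the package source path is the example path from step 12, and the function name is made up for illustration.

```powershell
# Added example (not from the newsletter).
# $Downloads is a hypothetical folder holding manually downloaded fixes;
# $PackageSource is the example package source folder named in the text.
param(
    [string]$Downloads     = 'C:\temp\downloaded-fixes',
    [string]$PackageSource = 'E:\patchsource\mbsa - windows xp fixes\windows xp sp1\1033'
)

function Test-MicrosoftSigned {
    param([string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file hash matches the signature and the
    # certificate chain ends in a root this machine trusts.
    if ($sig.Status -ne 'Valid') { return $false }

    # Simple publisher check on the signer certificate's subject.
    return $sig.SignerCertificate.Subject -match '(^|,\s*)O=Microsoft Corporation(,|$)'
}

$results = foreach ($file in Get-ChildItem -Path $Downloads -Filter *.exe) {
    $ok = Test-MicrosoftSigned -Path $file.FullName

    # Only files that pass the check are copied into the package source.
    if ($ok) {
        Copy-Item -Path $file.FullName -Destination $PackageSource
    }

    [pscustomobject]@{
        File   = $file.Name
        Staged = $ok
        SHA256 = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    }
}

# Files with Staged = False were left in the download folder for review.
$results | Format-Table -AutoSize
```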

Q. How can I use the ADSI Edit tool to check my domain and forest modes?

A. Domain and forest modes are defined by a combination of three values: For the domain mode, you need to check the msDS-Behavior-Version and nTMixedDomain attributes of the Domain container; for the forest mode, you check the msDS-Behavior-Version attribute of the Partitions container, which you'll find in the Configuration object of the Forest root. To view these attributes, perform these steps:

1. Start ADSI Edit (Start, Run, adsiedit.msc). This tool is part of the Windows 2000 and later Support Tools, so make sure you have these tools installed.
2. Expand the Domain branch. Right-click the domain name and select Properties from the context menu. (If the domain you want isn't displayed, select "Connect to..." from the root context menu and enter the domain information, including credentials for a connection.)
3. Click the Attribute Editor tab and scroll down to view the msDS-Behavior-Version and nTMixedDomain values. These are the domain-specific values.
4. Expand the Configuration object at the root of adsiedit and expand the Configuration container specific to your forest. Right-click the CN=Partitions container and select Properties.
5. Click the Attribute Editor tab to view the msDS-Behavior-Version value, as the figure at http://www.windowsitpro.com/articles/images/adsieditformode.gif shows. Click OK.
6. Close ADSI Edit.

Table 1 at http://www.windowsitpro.com/articles/images/table1.htm and Table 2 at http://www.windowsitpro.com/articles/images/table2.htm show the domain and forest mode according to the combination of values.
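The same three attributes can be read from a script instead of ADSI Edit. The following PowerShell is an added example, not part of the original newsletter; the function names are hypothetical, and the level names are the standard meanings of these attribute values rather than a copy of the linked tables. Run it on a domain-joined Windows machine with an account that can read the directory.

```powershell
# Added example (not from the newsletter). Function names are hypothetical.

function Get-AttributeOrZero {
    param($Entry, [string]$Name)
    # msDS-Behavior-Version can be absent on directories that have never
    # been raised above the Windows 2000 level; treat a missing value as 0.
    $value = $Entry.psbase.Properties[$Name].Value
    if ($null -eq $value) { return 0 }
    return [int]$value
}

function Resolve-DomainMode {
    param([int]$BehaviorVersion, [int]$MixedDomain)
    switch ($BehaviorVersion) {
        0 { if ($MixedDomain -eq 1) { 'Windows 2000 mixed' } else { 'Windows 2000 native' } }
        1 { 'Windows Server 2003 interim' }
        2 { 'Windows Server 2003' }
        default { "Level $BehaviorVersion (newer than the levels this article covers)" }
    }
}

function Resolve-ForestMode {
    param([int]$BehaviorVersion)
    switch ($BehaviorVersion) {
        0 { 'Windows 2000' }
        1 { 'Windows Server 2003 interim' }
        2 { 'Windows Server 2003' }
        default { "Level $BehaviorVersion (newer than the levels this article covers)" }
    }
}

# RootDSE gives the distinguished names of the domain and Configuration
# partitions, so nothing about the forest is hard-coded.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.psbase.Properties['defaultNamingContext'].Value
$configDn = $rootDse.psbase.Properties['configurationNamingContext'].Value

# The Domain container and CN=Partitions, the two objects opened in ADSI Edit.
$domain     = [ADSI]"LDAP://$domainDn"
$partitions = [ADSI]"LDAP://CN=Partitions,$configDn"

$domainLevel = Get-AttributeOrZero -Entry $domain     -Name 'msDS-Behavior-Version'
$mixed       = Get-AttributeOrZero -Entry $domain     -Name 'nTMixedDomain'
$forestLevel = Get-AttributeOrZero -Entry $partitions -Name 'msDS-Behavior-Version'

[pscustomobject]@{
    Domain              = $domainDn
    DomainBehaviorLevel = $domainLevel
    nTMixedDomain       = $mixed
    DomainMode          = Resolve-DomainMode -BehaviorVersion $domainLevel -MixedDomain $mixed
    ForestBehaviorLevel = $forestLevel
    ForestMode          = Resolve-ForestMode -BehaviorVersion $forestLevel
} | Format-List
```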

Q. Are any tools available to help configure performance monitoring on Windows 2000 and later computers?

A. Microsoft has released the Performance Monitor Wizard, which you can download at http://www.microsoft.com/downloads/details.aspx?FamilyID=31FCCD98-C3A1-4644-9622-FAA046D69214&displaylang=en. After you download the .zip file, extract the two files to a folder of your choice. One of the files is the license agreement for the utility, and the other is the perfwiz.exe image, which is the actual tool. The Performance Monitor Wizard isn't as sophisticated as the Windows Server 2003 Server Performance Advisor, which I discuss in the FAQ "How can I use the Windows Server 2003 Performance Advisor?" ( http://www.windowsitpro.com/articles/index.cfm?articleid=45281 ), but you can use the tool on a wider range of OSs.

The Performance Monitor Wizard is a dialog-based tool that asks questions about the computing environment so that it can enable the correct Performance Monitor counters. The tool creates log files to help you troubleshoot general Windows and Microsoft Exchange Server performance problems. To use the tool, perform these steps:

1. Start the Performance Monitor Wizard (perfwiz.exe) and click Next at the Welcome screen.
2. Enter the name of the computer on which you want to collect the logs. The default computer is the local machine. Click Next.
3. Select Create New Log, or if you previously defined a log or have a log running, select that log from the list. (The wizard gives you the option to start or stop the already defined log, as the figure at http://www.windowsitpro.com/articles/images/perfwiz1.gif shows.) Click Next.
4. The wizard asks for the type of profile to use--Standard Perfmon, High CPU Usage, or Advanced Configuration. Select a profile and click Next.
5. Enter the name of the computer you want to monitor, and if that computer is a system running Exchange Server or Windows 2000 Server Terminal Services (which means the wizard will collect additional information), select the associated check box. Click Next.
6. Enter a name for the new log collection. Then configure the maximum size for the logs and a location to store the logs (by default C:\perflogs). Click Next.
7. Select how often the problem occurs (e.g., if you enter "every 6 hours," the wizard will automatically modify how often it takes a sample). Click Next.
8. Click Start to begin logging and click Next.
9. Click Finish.

When you start a log collection, it runs in the background under the regular Performance Monitor services (Performance Logs and Alerts). The wizard doesn't display the logs; it simply creates the log files. To display the logs, you need to start Performance Monitor and select as the source the binary file that's created by the logging process, as the following steps illustrate:

1. Start the Microsoft Management Console (MMC) Performance Monitor snap-in (Start, Programs, Administrative Tools, Performance).
2. Right-click the graph section of the snap-in and select Properties.
3. Select the Source tab.
4. Select Log files and click Add. Navigate to the C:\perflogs folder (the default location for the log files), select the log file, and click OK, as the figure at http://www.windowsitpro.com/articles/images/permmonsourceset.gif shows.
5. Click OK to close the System Monitor Properties dialog box.

You can now add more counters to the log display from the data that was captured during the collection period.

Events and Resources
(A complete Web and live events directory brought to you by Windows IT Pro: http://www.windowsitpro.com/events )

  • Plan For or Prevent Exchange Messaging Disasters

  • In this free Web seminar, join Exchange MVP Paul Robichaux as he describes some operational scenarios in which "disaster recovery" takes a back seat to "business continuance." Learn how to be prepared for events that might otherwise wipe out your messaging capability and how you can survive them with your messaging and job intact.
    http://www.windowsitpro.com/seminars/exchangedisasterrecovery/index.cfm?code=0316emailanns

  • Get Ready for SQL Server 2005 Roadshow in a City Near You

  • Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!
    http://www.windowsitpro.com/roadshows/sqlserverusa/index.cfm?code=0314emailanncs

  • Empower Users and Produce Substantial ROI

  • Join industry expert David Chernicoff in this free Web seminar to learn how to integrate and automate fax from messaging systems such as Microsoft Exchange Server and Outlook and other various applications. And learn how to improve document handling and delivery by streamlining the integration of fax services into everyday business processes.
    http://www.windowsitpro.com/seminars/faxservers/index.cfm?code=0316emailannc

  • Achieve High Availability and Disaster Recovery for Microsoft Servers

  • Attend this free Web seminar for your chance to win a $1000 American Express Gift Check! In this Web seminar, discover what it takes to minimize the likelihood of downtime through reliability and resilience in your Microsoft server environment, including Exchange, SQL Server, File Server, IIS, and SharePoint. Sign up today!
    http://www.windowsitpro.com/seminars/microsofthighavailability/index.cfm?code=0316emailannc

  • New eBook--Windows Certification and Public Keys

  • PKI services are increasingly important in today's IT environment. PKI offers strong security services to internal and external users, computers, and applications. In this free eBook you’ll discover a starting point for understanding the PKI and certificate services available in Windows Server 2003. Download it now and learn about trust relationships, validating digital certificates, and more.
    http://www.windowsitlibrary.com/ebooks/WindowsCertification/index.cfm?code=0316emailannc

    Announcements
    (from Windows IT Pro and its partners)

  • Get Windows IT Pro at 44% Off!

  • Windows & .NET Magazine is now Windows IT Pro! Act now to get an entire year for just $39.95--that's 44% off the cover price! Our March issue shows you what you need to know about Windows Server 2003 SP1, how to get the best out of your IT staff, and how to fight spyware. Plus, we review the top 10 features of Mozilla Firefox 1.0. This is a limited-time, risk-free offer, so click here now:
    http://www.windowsitpro.com/rd.cfm?code=theu2052up

  • Get SQL Server Magazine and Get Answers

  • Subscribe to SQL Server Magazine today and get the latest "Top SQL Server Tips" handbook (includes over 60 helpful SQL Server tips) and free online access to every article ever published in the magazine--that's thousands of problem-solving solutions, expert tips, tricks, and the latest insider notes to help you get the most out of SQL Server. Sign up today:
    http://www.sqlmag.com/rd.cfm?code=tgeu2153ts

  • Event Log Chat

  • Randy Franklin Smith is one of the foremost authorities on the Windows Security Event Log and a respected trainer who teaches Monterey Technology Group's "Security Log Secrets" course. In his article in the March issue of Windows IT Pro, Randy shines a light on this dark and mysterious corner of cryptic event IDs and codes and inaccurate Microsoft documentation. Here's your chance to ask Randy your questions about the Event Log and get answers Microsoft doesn't provide. Join the chat on March 16 at 4:00 p.m. EST. Visit
    http://www.microsoft.com/communities/chats/default.mspx#050316_TN_SecEv

    Contact Us
    Here's how to reach us with your comments and questions:

    This email newsletter is brought to you by Windows IT Pro, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.
    http://www.windowsitpro.com/rd.cfm?code=00eu205xeb
