Roll Out Secure Servers


RIS can automatically install Win2K Server and all hotfixes

Once upon a time, I thought nothing of building a new test server without hotfixes or service packs. After all, it was just a test server; it contained no data that was important to me, so I didn't care whether the server was secure. But those were the days before the Microsoft IIS worms. Nowadays, if I put an unsecured server on the network, it could become infected and become one of the legions of machines that spend all day looking for other computers to infect.

But hotfixes are a pain to install. Microsoft has committed to writing hotfixes that don't require reboots. Until then, however, I need to apply more than a dozen hotfixes to—and reboot more than a dozen times—any post-Service Pack 2 (SP2) Windows 2000 system, if I want the system to be as secure as Microsoft knows how to make it.

I'm a fan of both scripting and Microsoft Remote Installation Services (RIS). This month, I show you how to set up a RIS server that will let you start an automated Win2K installation, walk away for a while, and return to find all the latest hotfixes installed. Although I build my example on RIS, this approach also works on a simpler network-based installation that uses a shared i386 folder.

Assembling Tools
First, assemble the tools that you need to roll out the server. You need a RIS server and, of course, prospective server systems that can boot to RIS by using either built-in clients or RIS's generic boot disk. You also need the latest service pack (SP2 at the time of this writing) and all post-service pack hotfixes. To find the hotfixes, I suggest that you either go to or search Microsoft's site for "security bulletin." Either approach should lead you to a page that summarizes the latest hotfixes.

Hotfixes are usually .exe files with names such as q303984_w2k_sp3_x86_en.exe. The filename alone can tell you a lot: That name tells you that the Microsoft article Q303984 explains what the hotfix fixes, that the fix is for Win2K in that OS's Intel Pentium version, that the patch is destined to be incorporated into SP3, and that the patch is for the English version of the OS.

You also need one more tool. Installing hotfixes has always been a pain for (at least) two reasons. The first, already mentioned, is that each hotfix wants a reboot: applying the 16 hotfixes that were current as of mid-October 2001 would mean 16 reboots. Fortunately, most hotfixes written since mid-2000 accept two switches, -m and -z, which tell the hotfix to install unattended (no prompts) and not to reboot, respectively. The second reason is that when you apply several hotfixes without rebooting in between, two of them can replace the same system file, and unless you install them in the right order an older copy of that file can end up winning.

That's where Microsoft's qchain.exe tool comes in. After you install the hotfixes with the -z switch and before you reboot, run Qchain. Each hotfix leaves behind a list of files to be replaced at the next reboot; Qchain walks that list and, where several hotfixes want to replace the same file, makes sure that the newest version is the one that survives. The Microsoft article "Use QChain.exe to Install Multiple Hotfixes with Only One Reboot" (Q296861) explains the tool and provides a link to download it.

Qchain 101
To see how Qchain interacts with hotfixes, let's look at an example. Suppose we wanted to apply all post-SP2 hotfixes to several already-configured systems. We'd download qchain.exe and all the hotfixes to a network share that we'll call Patches, on server Srv1. Then, in Patches, create a batch file, which we'll call fixes.cmd, to apply the hotfixes and run Qchain. If we had only three hotfixes, that batch file would look something like the file that Listing 1 shows.

To apply the hotfixes, we'd simply open a command line and type


then press Enter. The batch file would apply the fixes, run Qchain, and report any problems in a file called logfile.txt in the C drive's root.

To use this batch file, replace \\srv1\patches in the file's first line with your share's Universal Naming Convention (UNC) name. Replace the second through fourth lines with a line for each of your hotfixes. Because I have 16 hotfixes, my batch file has 18 lines.
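As an added illustration (it is not the page's Listing 1, which isn't reproduced here), the following fixes.cmd applies every post-SP2 hotfix it finds on the share and then runs Qchain. It assumes the \\srv1\patches share and the q*_w2k_sp3_x86_en.exe naming from the text; unlike the hand-written version described above, it loops over the hotfixes in the share rather than listing them one per line, so you don't edit it each time a bulletin appears. Make the share writable only by whoever populates it: every client runs whatever executables it finds there with administrative rights.

```batch
@echo off
rem fixes.cmd - apply all post-SP2 hotfixes from the Patches share, then run Qchain.
rem Added example; assumes the \\srv1\patches share and the q*_w2k_sp3_x86_en.exe
rem file names used in the text.
setlocal
set SHARE=\\srv1\patches
set LOG=c:\logfile.txt

rem pushd maps a temporary drive letter to the UNC path, so the hotfixes can be
rem run by bare file name from the share.
pushd %SHARE% || (echo Cannot reach %SHARE% & exit /b 1)

rem -m = unattended (no prompts), -z = do not reboot. Qchain straightens out the
rem pending file replacements afterwards, so a single reboot at the end is enough.
for %%F in (q*_w2k_sp3_x86_en.exe) do (
    echo Applying %%F
    %%F -m -z
)

rem Qchain must run before the reboot; otherwise the last hotfix installed wins,
rem even when it carries an older copy of a shared system file.
qchain %LOG%
popd

echo Hotfixes applied. Review %LOG%, then reboot once.
endlocal
```

Run it from any command prompt on the target machine as a local administrator; because the loop picks up whatever matches the pattern, adding a new hotfix means copying one file to the share, not editing the script.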

Setting Up RIS
The above procedure applies hotfixes to a machine whose OS is already installed. To use RIS to automatically install Win2K Server or Win2K Professional with preapplied hotfixes, you give Win2K's Setup routine the equivalent of that batch file, so that Setup applies the hotfixes and then runs Qchain before the first boot. To do that, we'll use an OEM Setup feature called cmdlines.txt. For example purposes, I assume that your RIS server has two drives, C and D, and that D is the drive that's dedicated to the RIS images.

If you already use RIS, you probably know that it's designed to deliver only Win2K Pro images. But you can easily fool RIS into accepting Win2K Server images (for details, see Douglas Toombs, "Superior RIS: Deploying Alternative OSs," July 2001, InstantDoc ID 21131). First, copy the i386 folder from a Win2K Server installation CD-ROM onto the RIS server's hard disk—let's say that you copy the folder to D:\i386. Then, copy the SP2 program, w2ksp2.exe, onto the RIS server's hard disk, and slipstream the files into the i386 folder.

To slipstream the files, first expand w2ksp2.exe into its component files by opening a command line and typing

w2ksp2 -x

After you press Enter, w2ksp2.exe will ask you where to put the expanded files. Any directory name will do, but let's specify directory D:\sp2. After SP2 has extracted itself into D:\sp2, slipstream SP2 into the D:\i386 folder by typing


Note that you don't point update.exe to D:\i386, but instead to D:\. Update.exe assumes that a folder named i386 exists on that drive.

Because RIS doesn't like Win2K Server installation files, the next step is to make the i386 folder acceptable to RIS. Use Notepad to open the txtsetup.sif file in the D:\i386 directory, then search the file for a line that contains the string ProductType=1. Change the 1 to a 0 and save the file. Then, tell RIS to create a new image: Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in on the RIS server, and find the icon that represents the server's machine account. By default, the icon will be either in the Computers folder or the Domain Controllers organizational unit (OU). Right-click the icon, choose Properties, then click the Remote Install tab.

On the resulting page, click Advanced Settings. On the properties page that appears, click the Images tab. Click Add, and RIS will ask whether you're adding a new answer file or incorporating a whole new image. Click Add a new installation image, then click Next. The Add Installation Image Wizard will appear; click Next to activate it. The subsequent panel will ask you where the image is; type


and click Next. You then need to name the folder where RIS will store this image—let's call the folder Fixed2000—and click Next. Supply the requested image-description information and click Next. On the next screen, click Use the old client installation screens, then click Next and Finish. RIS will copy the files to the folder whose name you chose and will place that folder in \remoteinstall\setup\english\images.

Next, you need to undo your changes to txtsetup.sif. The file will be in the \i386 folder inside your image's folder—in our case, the path is D:\remoteinstall\setup\english\images\fixed2000\i386\txtsetup.sif. Change the ProductType=0 line back to ProductType=1, and save the file.

Deploying Win2K Server
At this point, you've done the basic setup and you're ready to deploy a copy of Win2K Server with SP2 preloaded. After a few more steps, RIS will install those hotfixes for you.

First, tell RIS to use Setup's OEMPreinstall features. Inside the image's i386 folder is a folder named Templates, which contains a file named ristndrd.sif—in our sample scenario, this file would be D:\remoteinstall\setup\english\images\fixed2000\i386\templates\ristndrd.sif. Use Notepad to open that file and change OEMPreinstall=No to OEMPreinstall=Yes. Save the file.

Now, create a folder named $OEM$ in the image's folder at the same directory level as the i386 folder. For example, you'd create D:\remoteinstall\setup\english\images\fixed2000\$oem$. Copy the hotfix files and qchain.exe to that folder. Make sure that only administrators can write to the RIS image tree: whatever sits in $OEM$ will execute on every server RIS builds.

The OEMPreinstall=Yes setting tells Win2K Setup, working under RIS's direction, to look for the $OEM$ folder. But without some direction, Setup doesn't know what to do with that folder. That's where our final piece, cmdlines.txt, fits in. Cmdlines.txt is very much like a batch file, although in a different format. Using Notepad, create a text file called cmdlines.txt inside the $OEM$ directory. For the file's first line, type


In subsequent lines, type the commands that you want RIS to execute, in order, just as you would for a batch file. However, use quotation marks around the commands. Setup runs these commands during GUI-mode installation, before any user has logged on, so they execute in the system context with full privileges. So, for example, if I had copied the three hotfix files from my earlier example into $OEM$ and wanted RIS to apply them to every new server that it built, my cmdlines.txt file would look like this:

"q302755_w2k_sp3_x86_en.exe -m -z"
"q303984_w2k_sp3_x86_en.exe -m -z"
"q301625_w2k_sp3_x86_en.exe -m -z"
"qchain c:\logfile.txt"
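Putting the RIS-side steps together, here is an added batch script (not from the article) that stages the $OEM$ folder for the Fixed2000 image: it checks that ristndrd.sif carries OEMPreinstall=Yes and that txtsetup.sif was switched back to ProductType=1, copies the hotfixes and qchain.exe from the Patches share, and writes cmdlines.txt from the files it actually finds, so the list can't drift from the folder's contents. It assumes the D:\remoteinstall\setup\english\images\fixed2000 path and the \\srv1\patches share used in the text; [Commands] is the section header cmdlines.txt requires.

```batch
@echo off
rem prep-oem.cmd - stage hotfixes and cmdlines.txt into a RIS image's $OEM$ folder.
rem Added example; the image path and share name are the ones assumed in the text.
setlocal
set IMG=D:\remoteinstall\setup\english\images\fixed2000
set SHARE=\\srv1\patches
set OEM=%IMG%\$OEM$
set SIF=%IMG%\i386\templates\ristndrd.sif

rem Check: Setup only looks at $OEM$ when the answer file says OEMPreinstall=Yes.
findstr /I /C:"OEMPreinstall=Yes" "%SIF%" >nul || (
    echo %SIF% does not contain OEMPreinstall=Yes; edit it first.
    exit /b 1
)

rem Check: after the image is imported, txtsetup.sif must be ProductType=1 again
rem (Server), or RIS will install Professional.
findstr /I /C:"ProductType=1" "%IMG%\i386\txtsetup.sif" >nul || echo WARNING: txtsetup.sif is not ProductType=1

if not exist "%OEM%" mkdir "%OEM%"
copy /Y "%SHARE%\q*_w2k_sp3_x86_en.exe" "%OEM%\" >nul
copy /Y "%SHARE%\qchain.exe" "%OEM%\" >nul

rem Write cmdlines.txt: the [Commands] section header, one quoted line per hotfix
rem (-m unattended, -z no reboot), then Qchain to settle the pending file replacements.
> "%OEM%\cmdlines.txt" echo [Commands]
for %%F in ("%OEM%\q*_w2k_sp3_x86_en.exe") do >> "%OEM%\cmdlines.txt" echo "%%~nxF -m -z"
>> "%OEM%\cmdlines.txt" echo "qchain c:\logfile.txt"

echo Staged the following into %OEM%:
type "%OEM%\cmdlines.txt"
endlocal
```

Rerun the script whenever a new hotfix lands in the share; because the $OEM$ contents execute with full privileges on every server RIS builds, keep write access to both the share and the RIS image tree limited to the administrators who maintain them.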

From now on, when you roll out a new system, whether a production or test system, you won't need to remember to include the hotfixes or do all those reboots.
