In addition to providing users with access to multiple versions of their files, volume shadow copy also functions as an open-file backup mechanism for the Windows Server 2003 Backup program. By default, Backup uses volume shadow copies of files that are locked open when performing backups. This enables the program to back up files that are in use by an application at the time the backup is performed. You can prevent Backup from using volume shadow copy during a particular backup job by selecting the Disable Volume Shadow Copy check box in the Advanced Backup Options dialog box (as shown in Figure 4-13).
Figure 4-13 The Advanced Backup Options dialog box
Backing Up and Restoring Active Directory
As mentioned earlier in this chapter, you can back up the Active Directory database on a Windows Server 2003 domain controller using the Backup program by selecting the System State object as one of the backup targets. However, restoring Active Directory to a domain controller is not so simple. Before you can restore the Active Directory database from a System State backup, you must start the computer in Directory Services Restore Mode. You do this by pressing F8 as the system starts and selecting Directory Services Restore Mode from the Windows Advanced Options menu. This starts the computer with the Active Directory database closed, so that it is accessible to the Backup program and can be restored from a tape or other medium.
In Directory Services Restore Mode, you must log on as an Administrator by using a valid Security Accounts Manager (SAM) account name and password, not the Active Directory Administrator's name and password. This is because Active Directory is offline, and account verification against the directory cannot occur. The local SAM database is used to control access to the computer while Active Directory is offline. You specified this password, the Directory Services Restore Mode administrator password, when you promoted the server to a domain controller with the Active Directory Installation Wizard (Dcpromo).
Once the computer is started in Directory Services Restore Mode, you can run the Backup program and restore the System State object from your tape or other medium. The Windows Server 2003 Backup program supports two types of Active Directory restores:
■ Nonauthoritative restore The objects in the Active Directory database are restored exactly as they appear in the System State object, with their original update sequence numbers intact. Because these sequence numbers are the same values the objects had when the backup was performed, they are outdated, and the Active Directory replication process will overwrite the objects with the newer versions from other domain controllers. You use a nonauthoritative restore when you want to rebuild a domain controller that has been damaged with the latest Active Directory information from your other domain controllers. Windows Server 2003 Backup performs nonauthoritative restores by default.
■ Authoritative restore The objects in the Active Directory database are restored with updated sequence numbers that prevent them from being overwritten during the next replication pass. You use an authoritative restore when you want to use a System State backup to recover Active Directory objects that have been accidentally deleted.
To perform a nonauthoritative restore, you simply restore the System State object using the Backup program while in Directory Services Restore Mode.
To perform an authoritative restore, you first perform a nonauthoritative restore, and then, before restarting the computer, you use a command-line utility called Ntdsutil.exe to mark specific Active Directory objects as authoritative. The Ntdsutil.exe utility can be found in the Systemroot\System32 folder. In Ntdsutil.exe, you enter the authoritative restore context and then use the restore object or restore subtree command with the distinguished name of the object or container you want to mark; the restore database command marks the entire directory, which you should use only when every domain controller in the domain has been lost. Marking objects as authoritative changes the update sequence number of an object so it is higher than any other update sequence number in the Active Directory replication system (by default, Ntdsutil.exe raises the version by 100,000 for every day that has elapsed since the backup was taken). This ensures that any replicated or distributed data that you have restored is properly replicated throughout your organization. Note that a System State backup is usable only for as long as the forest's tombstone lifetime (60 days by default in Windows Server 2003): a domain controller restored from an older backup would never learn of deletions that the other domain controllers have already purged, so Windows does not allow Active Directory to be restored from a backup older than that.
When the restored domain controller is online and connected to the network, normal replication brings the restored domain controller up to date with any changes from the additional domain controllers that were not overridden by the authoritative restore. Replication also propagates the authoritatively restored object(s) to other domain controllers in the forest. The deleted objects that were marked as authoritative are replicated from the restored domain controller to the additional domain controllers. Because the objects that are restored have the same object properties, security remains intact and object dependencies are maintained.
For example, suppose you back up the system on Monday and then create a new user called Jeff Smith on Tuesday, which replicates to other domain controllers in the domain. Then, on Wednesday, you accidentally delete Nancy Anderson's user object. To authoritatively restore the Nancy Anderson user without reentering information and without losing the Jeff Smith account, you perform a nonauthoritative restore of the domain controller with the backup created on Monday. Then, using Ntdsutil.exe, you mark Nancy Anderson's user object as authoritative and restart the domain controller. The result is that Nancy Anderson's object is restored without any effect on Jeff Smith.
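The Nancy Anderson example above turns on one rule: when two domain controllers hold different versions of the same object, the copy with the higher replication stamp wins. The following Python model, which is an added illustration and not code from the book or from Windows, walks the book's Monday-to-Wednesday timeline through that rule twice, once with a plain nonauthoritative restore and once after the restored object has been marked authoritative. It collapses Active Directory's per-attribute version numbers and timestamps into the single "update sequence number" the chapter talks about, and it uses the 100,000-per-day version increase that Ntdsutil.exe applies by default (the one-day floor is an assumption); the domain controller names and user DNs are constructed for the example.

```python
"""Nonauthoritative versus authoritative restore, modeled on a single per-object stamp."""
from dataclasses import dataclass, replace

# Default version increase Ntdsutil.exe applies per day elapsed since the backup.
VERINC_PER_DAY = 100_000


@dataclass(frozen=True)
class Obj:
    usn: int                # the chapter's "update sequence number" (a simplified stamp)
    deleted: bool = False   # a deleted object survives as a tombstone that still replicates


class DomainController:
    def __init__(self, name: str, db: dict):
        self.name = name
        self.db = dict(db)

    def _next_usn(self) -> int:
        return max((o.usn for o in self.db.values()), default=0) + 1

    def create(self, dn: str) -> None:
        self.db[dn] = Obj(usn=self._next_usn())

    def delete(self, dn: str) -> None:
        self.db[dn] = Obj(usn=self._next_usn(), deleted=True)

    def backup(self) -> dict:
        return dict(self.db)            # System State snapshot (objects are immutable)

    def nonauthoritative_restore(self, snapshot: dict) -> None:
        self.db = dict(snapshot)        # stamps come back exactly as they were backed up

    def mark_authoritative(self, dn: str, days_since_backup: int) -> None:
        # What "restore object <DN>" in Ntdsutil.exe does to the stamp; floor of one day assumed.
        o = self.db[dn]
        self.db[dn] = replace(o, usn=o.usn + VERINC_PER_DAY * max(days_since_backup, 1))


def replicate(a: DomainController, b: DomainController) -> None:
    """Converge two replicas: for every DN, the copy with the higher stamp wins."""
    for dn in set(a.db) | set(b.db):
        candidates = [o for o in (a.db.get(dn), b.db.get(dn)) if o is not None]
        winner = max(candidates, key=lambda o: o.usn)
        a.db[dn] = b.db[dn] = winner


def live_users(dc: DomainController) -> dict:
    """DN -> True if the object is live, False if it is a tombstone."""
    return {dn: not o.deleted for dn, o in dc.db.items()}


def scenario(authoritative: bool) -> dict:
    """The chapter's Monday/Tuesday/Wednesday timeline; names are constructed."""
    nancy, jeff = "CN=Nancy Anderson", "CN=Jeff Smith"
    dc1 = DomainController("DC1", {nancy: Obj(usn=10)})
    dc2 = DomainController("DC2", {nancy: Obj(usn=10)})
    monday = dc1.backup()                 # Monday: System State backup of DC1
    dc1.create(jeff)                      # Tuesday: new user, replicates out
    replicate(dc1, dc2)
    dc2.delete(nancy)                     # Wednesday: accidental deletion, replicates out
    replicate(dc1, dc2)

    dc1.nonauthoritative_restore(monday)  # DSRM: restore Monday's System State on DC1
    if authoritative:
        dc1.mark_authoritative(nancy, days_since_backup=2)
    replicate(dc1, dc2)                   # DC1 restarts; normal replication resumes
    assert dc1.db == dc2.db               # both replicas have converged
    return live_users(dc1)


if __name__ == "__main__":
    print("nonauthoritative:", scenario(False))   # Nancy stays deleted, Jeff survives
    print("authoritative:   ", scenario(True))    # Nancy is back, Jeff survives
```

With a plain restore, DC1's copy of Nancy Anderson (stamp 10) loses to the tombstone that DC2 created on Wednesday (stamp 12), so replication deletes her again; Jeff Smith arrives from DC2 either way. Marking the object authoritative lifts its stamp far above the tombstone's, so the restored object overwrites the deletion on every other domain controller.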
■ Magnetic tape is the most popular storage medium for backups because it is fast, inexpensive, and holds a lot of data. Tape drives are available in a variety of speeds, capacities, and price ranges to suit the needs of different installations.
■ The primary function of the backup software is to enable the administrator to select the targets for backup and then send them to the tape drive or other device.
■ Incremental and differential backup jobs save tape by backing up only the files that have changed since the last backup, based on the status of each file's archive bit. Full and incremental jobs reset the archive bit on the files they copy; a differential job leaves it set.
■ A good backup software program enables you to schedule jobs to execute at any time, and it maintains both a tape version and a hard disk version of a catalog of all of the files that have been backed up.
■ Network backup software enables you to back up data from computers anywhere on the network, and it might also provide optional features such as live database backups.
■ To back up the Windows registry, the Active Directory database, and other system resources, you must back up the System State object.
■ Volume shadow copy is a Windows Server 2003 feature that enables users to access previous versions of files that they have accidentally deleted or damaged.
■ When you restore the System State data in nonauthoritative mode, any component of the System State data that is replicated with another domain controller, such as the Active Directory database, is brought up to date by replication after you restore the data.
■ When you restore the System State data in authoritative mode, the marked objects are returned to their state at backup time and that state is replicated to the other domain controllers, overriding changes made to those objects since the backup; deleted objects are recovered in this way. To perform an authoritative restore, you use the Ntdsutil.exe command-line utility.
EXERCISES
Exercise 4-1: Selecting Backup Targets
In this exercise, you practice using the Backup program's tree display to select backup targets.
1. Log on to Windows Server 2003 as Administrator.
2. Click Start, point to All Programs, point to Accessories, point to System Tools, and click Backup. The Welcome To The Backup Or Restore Wizard page appears.
3. Click the Advanced Mode hyperlink. The Backup Utility window appears.
4. Select the Backup tab.
5. Expand the Local Disk (C:) object and select the check box for the Windows folder.
6. Select the System State check box.
7. From the Job menu, select Exit.
Exercise 4-2: Incremental and Differential Backups
1. If you back up your network by performing a full backup every Wednesday at 6 P.M. and differential backups in the evening on the other six days of the week, how many jobs would be needed to completely restore a computer with a hard drive that failed on a Tuesday at noon?
2. If you back up your network by performing a full backup every Wednesday at 6 P.M., how many jobs would be needed if you performed incremental backups in the evening of the other six days of the week and a hard drive failed on a Tuesday at noon?
3. For a complete restore of a computer that failed at noon on Tuesday, how many jobs would be needed if you performed full backups at 6 A.M. every Wednesday and Saturday and incremental backups at 6 A.M. every other day?
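The questions above can be answered from the archive-bit rules: a full job copies everything and clears the bit, an incremental job copies only flagged files and clears the bit, and a differential job copies flagged files but leaves the bit set. The following Python model, added here and not part of the book, applies those rules to a constructed week of file changes, picks the jobs a restore needs, and then checks the choice by replaying the chosen tapes and comparing the result with the volume as it stood after the last job before the failure. Day 0 is Wednesday, times are hours since Wednesday midnight, and the schedules Q1 to Q3 correspond to the three questions; the file names and write times are invented.

```python
"""Archive-bit model of full, incremental and differential backup jobs."""
from dataclasses import dataclass, field

FULL, INCREMENTAL, DIFFERENTIAL = "full", "incremental", "differential"
DAY = 24                                 # times are hours since Wednesday 00:00 (day 0)


@dataclass
class Volume:
    files: dict = field(default_factory=dict)   # name -> content version
    archive: set = field(default_factory=set)   # names whose archive bit is set

    def write(self, name: str, version: int) -> None:
        self.files[name] = version
        self.archive.add(name)                  # every write sets the archive bit


@dataclass
class Job:
    time: int
    kind: str
    copied: dict = field(default_factory=dict)  # what went to tape


def run_job(vol: Volume, time: int, kind: str) -> Job:
    names = set(vol.files) if kind == FULL else set(vol.archive)
    job = Job(time, kind, {n: vol.files[n] for n in names})
    if kind in (FULL, INCREMENTAL):
        vol.archive -= names   # full and incremental reset the bit; differential leaves it set
    return job


def restore_chain(jobs: list, failure_time: int) -> list:
    """Jobs needed to rebuild the volume as of the last job run before the failure.

    Assumes a schedule mixes full jobs with one other kind, as in the exercise.
    """
    usable = [j for j in jobs if j.time < failure_time]
    last_full = max(i for i, j in enumerate(usable) if j.kind == FULL)
    later = usable[last_full + 1:]
    chain = [usable[last_full]]
    if later and later[-1].kind == DIFFERENTIAL:
        chain.append(later[-1])      # the newest differential holds everything since the full
    else:
        chain.extend(j for j in later if j.kind == INCREMENTAL)   # every incremental is needed
    return chain


def simulate(schedule: list, failure_time: int) -> tuple:
    """Run constructed writes and the backup schedule; return (jobs to restore, verified)."""
    writes = []   # constructed workload: a new document at 09:00 and a log rewritten at 15:00 daily
    for day in range(8):
        writes.append((day * DAY + 9, f"doc{day}.txt", 1))
        writes.append((day * DAY + 15, "server.log", day + 1))
    events = sorted([(t, "write", n, v) for t, n, v in writes] +
                    [(t, "job", k, None) for t, k in schedule])
    vol, jobs, state_at_job = Volume(), [], {}
    for t, what, x, v in events:
        if t >= failure_time:
            break                      # the drive is gone; nothing after this exists
        if what == "write":
            vol.write(x, v)
        else:
            jobs.append(run_job(vol, t, x))
            state_at_job[t] = dict(vol.files)
    chain = restore_chain(jobs, failure_time)
    restored = {}
    for job in chain:                  # oldest to newest, so newer copies overlay older ones
        restored.update(job.copied)
    return chain, restored == state_at_job[chain[-1].time]


def weekly(kind: str, full_days: tuple, hour: int) -> list:
    """One job per day at the given hour; full on the listed days, `kind` otherwise."""
    return [(d * DAY + hour, FULL if d in full_days else kind) for d in range(8)]


TUESDAY_NOON = 6 * DAY + 12
Q1 = weekly(DIFFERENTIAL, full_days=(0, 7), hour=18)    # full Wednesday 6 P.M., differentials
Q2 = weekly(INCREMENTAL, full_days=(0, 7), hour=18)     # full Wednesday 6 P.M., incrementals
Q3 = weekly(INCREMENTAL, full_days=(0, 3, 7), hour=6)   # fulls Wednesday and Saturday 6 A.M.

if __name__ == "__main__":
    for label, q in (("Q1", Q1), ("Q2", Q2), ("Q3", Q3)):
        chain, ok = simulate(q, TUESDAY_NOON)
        print(label, len(chain), [j.kind for j in chain], "verified" if ok else "MISMATCH")
```

The replay check is the part worth keeping: a restore plan that looks right on paper but skips one incremental tape fails the comparison, which is exactly the mistake a differential schedule is meant to make impossible.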
Exercise 4-3: Enabling Volume Shadow Copies
In this exercise, you enable the volume shadow copy feature for your computer's C: drive.
1. Log on to Windows Server 2003 as Administrator.
2. Click Start, point to All Programs, point to Accessories, and click Windows Explorer. The Windows Explorer window appears.
3. Expand the My Computer object in the scope pane, select Local Disk (C:), and from the File menu, select Properties. The Local Disk (C:) Properties dialog box appears.
4. Select the Shadow Copies tab, and then click Enable. The Enable Shadow Copies message box appears.
5. Read the warning message and click Yes. After a brief delay, the date and time appear in the Shadow Copies Of Selected Volume list, indicating that the system has created the first shadow copy.
REVIEW QUESTIONS
1. Why is it best to perform backups when the organization is closed?
2. Which of the following backup job types does not reset the archive bits on the files that it copies to the backup medium? (Choose all correct answers.)
a. Hard disk drives, CD-ROM drives, and magnetic tape drives
b. Incremental, differential, and full backup jobs
c. Monthly, weekly, and daily backup jobs
d. QIC, DAT, and DLT tape drives
7. Network backup devices most commonly use which drive interface?
a. IDE
b. SCSI
c. USB
d. Parallel port
8. How does Windows Backup verify the data written to the backup medium?
9. When you restart the computer in Directory Services Restore Mode, what logon must you use? Why?
CASE SCENARIO
You are designing a backup solution for your company network. To make it easier to back up valuable company data, you have supplied each of the network's 125 users with a home folder on a shared server drive and have instructed the users to store all their data files in their home folder. You have also created disk quotas granting each user a maximum of 1 GB of storage space.
Because of this arrangement, you will be backing up only the network servers, not user workstations. In addition to the file servers hosting the users' home folders, there are also six Web servers, each with a 40-GB drive containing the home page files, a database server with an 80-GB drive hosting approximately 10 GB of database files, and an e-mail server with 25 GB of mail archives.
Based on this information, answer the following questions:
1. What is the approximate total amount of regularly changing data that you
might have to back up each day?
a. 60 GB
b. 160 GB
c. 360 GB
d. 480 GB
2. Assuming that you decide to perform a weekly full backup and daily
incremental backups, approximately how much data from the six Web
servers can you expect to find on each incremental backup tape? Explain
your answer
3. Based on the information shown earlier in Table 4-1, which type of magnetic tape drive would best be suited for this network, assuming that you want to use only a single tape for your daily incremental backups?
a. DLT
b. 8 mm
c. QIC
d. DAT
MAINTAINING THE OPERATING SYSTEM
All viable software products are in a constant state of development, and the manufacturers periodically release updates and upgrades. Operating systems are no exception, and it is important to keep your Microsoft Windows Server 2003 systems up to date. Updating a single computer is a simple task, but updating a large fleet of computers in a timely and efficient fashion is much more complicated. In this chapter, you learn about the types of operating system updates that Microsoft releases, and about some of the methods you can use to apply those updates.
Upon completion of this chapter, you will be able to:
■ Understand the difference between service packs and hotfixes
■ Deploy service packs using Windows Update, Automatic Updates, and group policies
■ Integrate service packs and hotfixes into a Windows Server 2003 operating
system installation
■ Use Microsoft Baseline Security Analyzer
■ Install and configure a Microsoft Software Update Services server
■ Understand Per Server and Per Device or Per User licensing modes
■ Configure licenses using the Choose Licensing Mode tool in Control Panel and the
Licensing administrative tool
■ Create license groups
WINDOWS OPERATING SYSTEM UPDATES
At one time, updating software was a relatively simple matter. If a problem arose in an application or operating system, the manufacturer released an update in the form of a patch that users applied to their computers. An update is a minor revision to a software product that is usually intended to address specific performance issues rather than add new features. When it came time to produce the next version of the software, the manufacturer incorporated all of the patches into an upgrade release. An upgrade is a major revision that might include new features as well as all of the existing patches for the previous version of the product.
As software products grew more complex, the number of programming problems tended to increase as well, and so did the number of patches. Some products, particularly operating systems, could have dozens of patch releases between upgrades. Updating applications and operating systems therefore became increasingly problematic for several reasons, including the following:
■ Number of patches When there are a large number of patches for a software product, it becomes difficult to keep track of which patches have been applied and which versions of the product files are being used in a particular installation.
■ Patching order When patches are applied in different orders, the resulting software configurations can be different, particularly if a product has multiple patches containing different versions of the same files.
The result of these problems is a nightmare for technical support people trying to troubleshoot an installation of the software. Determining which patches have been applied and the order in which they were applied is the only way to ascertain what versions of the program files are actually in use.
Service Packs
When faced with the hundreds of patches required for its modern operating systems, Microsoft eventually chose to use a different method of releasing its updates. Instead of many small patch releases, Microsoft creates larger interim releases called service packs. A service pack is a collection of patches and other updates that are tested and packaged as a single unit. A single installation program applies all of the updates at once, producing a consistent software configuration on every computer to which the service pack is applied.
Service packs simplify the update process for everyone involved. For Microsoft, releasing updates in a service pack means that it can test the entire package as a whole rather than having to test many different patch combinations. For system administrators and end users, the installation process is reduced to running a single program rather than performing many separate patch installations. For technical support personnel, the troubleshooting process is simplified because they do not have to deal with large numbers of patch releases that might have been installed in any order. It is easy to determine what service packs have been installed on a Windows 2000, Windows XP, or Windows Server 2003 computer by looking at the General tab in the System Properties dialog box (as shown in Figure 5-1).
Figure 5-1 The System Properties dialog box
Microsoft service pack releases are cumulative, meaning that every service pack for a particular product contains all of the updates since the last major release of the product, including all previous service packs. Therefore, when you perform a new installation of a Windows operating system or other Microsoft product, you only have to apply the most recent service pack.
Service Pack Releases
Microsoft releases operating system service packs in three forms:
■ CD-ROM Service packs are available on CD-ROM directly from Microsoft for a nominal fee. The CD contains the service pack installation files and an installation program called Update.exe. The disk also contains the service pack documentation, deployment tools, and updated support tools, which aren't included as part of a downloaded installation.
■ Express download The express download consists only of the few files needed to begin the service pack download process. When you run the installation program, the software examines your system, accesses the Microsoft Web site, and downloads the files needed to complete the update. Because the installation program checks to see what service packs are already installed on the computer, it can download only the files it needs, which can significantly reduce the size of the download. To run an express installation, the computer must have access to the Internet.
■ Network download The network download option consists of the entire service pack in the form of a single executable archive file. It is intended for network administrators who have to deploy the service pack on large fleets of computers. Once you perform the initial download, you can launch the executable to install the service pack on any computer running the operating system. No additional Internet access is needed. However, because this version contains all of the service pack files, the download can be extremely large, often 100 MB or more.
One-Time Installation
When you install a service pack on a computer running one of the Windows operating systems, the installation program applies only the updates for the components installed on the system. For example, if you have Microsoft Internet Information Services (IIS) and Certificate Services installed on a computer running Windows Server 2003, installing a service pack will apply any updates for those two components but not updates for other components that are not installed.
At one time, if you modified the hardware or software configuration on a computer running Windows NT, you had to reapply the latest service pack to install the updated software for the components you just installed. However, starting with Windows 2000, this is no longer necessary. The service pack installation program now stores the location of a cabinet (.cab) file containing all of the updated drivers on the computer, as well as an information file called Layout.inf. This ensures that whenever you install a new operating system component, whether it is a device driver, an application, or a service, the system uses the latest version of the files from the service pack release.
Hotfixes
Although the schedule for service pack releases is fluid, the updates appear relatively infrequently, usually no more than once a year. However, it is not unusual for operating system issues to arise that require immediate attention and cannot wait for the next service pack release. For these occasions, Microsoft also releases individual patches, which it calls hotfixes. A hotfix is a software update that addresses one specific issue. Like service packs, hotfixes are released as a single executable file that installs the patch on the computer on which you run it. Microsoft typically releases hotfixes in conjunction with a Knowledge Base article that explains the problem and the circumstances in which users or administrators should apply the update.
The Microsoft Knowledge Base is a library of articles providing support information for all Microsoft products. You can access the Knowledge Base at http://support.microsoft.com.
Unlike service packs, which Microsoft recommends that you install on all computers, hotfixes are often intended only for systems experiencing a particular problem or running a particular hardware or software configuration. You should always familiarize yourself with the function of a hotfix and the conditions of its use before installing it on a computer.
When to Update?
The question of when to apply service packs and hotfixes has been hotly debated among system administrators over the years. Not every update release has turned out to be rock solid, and some administrators are leery of applying them until they are shown to be stable. In fact, some people prefer to wait for Service Pack 3 to be released before they install Service Pack 2.
While this prudence might once have been practical, today it is not. Service packs and particularly hotfixes are often released to address specific security issues, such as vulnerabilities exploited by new viruses and worms, and it is often important to deploy these updates in a timely fashion. However, this is not to say that everyone should immediately install every update as soon as it is released.
For a stand-alone computer, the Windows Update Web site makes the process of downloading and applying updates easy, and in most cases you can uninstall Microsoft updates when necessary. Therefore, most users can safely apply updates as they are released. However, in a network environment, the decision about which updates to install and when to install them should not be left up to the individual user. Administrators must be responsible for obtaining updates when they are released, and for deploying them on the network in a timely manner. However, network administrators should not immediately install every update that appears. It is important to test the update releases first, and this is one of the reasons why an enterprise should have a set of well-defined update policies in place.
Software update policies are designed to aid the network administrator in performing the following tasks:
■ Remain aware of new update releases Microsoft frequently releases software updates that might or might not be applicable to the systems on your network. Network administrators must be aware of new releases when they occur and must understand the specific issues each release addresses.
■ Determine which computers need to be updated In some cases, a new update release might apply only to computers performing a specific function, using a specific application or feature, or containing a particular hardware device. Network administrators must understand each release's specific function and determine which computers require the update.
■ Test update releases on multiple system configurations A software update that causes a malfunction might be just an annoyance on a single computer, but on a large network, it can be a catastrophe. Network administrators must perform their own tests of all updates before deploying them on the entire network.
■ Deploy update releases on large fleets Manually installing software updates on hundreds or thousands of computers requires enormous amounts of time, effort, and expense. To deploy updates on a large network efficiently, the process must be automated.
Microsoft offers tools that help the administrator accomplish these tasks, such as those discussed in the following sections.
Testing Security Updates
Before you deploy software updates on a network, you must test them to make sure they are compatible with all your system configurations. The amount and type of testing depends on the nature of the updates and the complexity of your network. For a major update such as a service pack, testing should be extensive. You might want to test the release on an isolated lab network first, and then do a pilot deployment on a part of your production network before proceeding with the general deployment. For smaller, minor updates, a pilot deployment might be sufficient testing, followed by a general deployment if no problems occur.
Uninstalling Service Packs
When you install a service pack, the installation program always gives you the opportunity to save backup copies of all the operating system files that the service pack replaces. This makes it possible to uninstall the service pack at a later time and restore the original system configuration, if necessary.
USING MICROSOFT BASELINE SECURITY ANALYZER
Microsoft Baseline Security Analyzer (MBSA) is a graphical tool (shown in Figure 5-2) that can check for common security lapses on a single computer or multiple computers running various Windows operating system versions. These lapses are typically due to incorrect or incomplete configuration of security features and failure to install security updates. The security faults that MBSA can detect are as follows:
■ Missing security updates Using a list of current update releases obtained from a Microsoft Internet server or from a local Microsoft Software Update Services (SUS) server, MBSA determines whether all the required service packs and security updates have been installed on the computer; if not, it compiles a list of the updates that need to be installed.
Figure 5-2 The Microsoft Baseline Security Analyzer interface
MBSA replaces an earlier utility called Hfnetchk.exe, which operates from the command line and only checks computers for missing updates. MBSA includes all the functionality of Hfnetchk.exe, including the command-line interface, which you can activate by running the Mbsacli.exe executable with the /hf parameter. This enables administrators to continue using batch files and scripts, incorporating Hfnetchk.exe commands with a minimum of modification.
■ Account vulnerabilities MBSA checks to see if the Guest account is activated on the computer, whether more than two accounts have Administrator privileges, whether anonymous users have too much access to system information, and whether the computer is configured to use the Autologon feature.
■ Improper passwords MBSA checks the passwords on all the computer's accounts to see if they are configured to expire, are blank, or are too simple. This check is not performed on domain controllers.
■ File system vulnerabilities MBSA checks to see whether all the disk drives on the computer are using the NTFS file system.
■ IIS and SQL vulnerabilities If the computer is running Internet Information Services (IIS) or Microsoft SQL Server, MBSA examines these applications for a variety of security weaknesses.
In addition, MBSA displays other information about security on the computer, such as a list of shares, the Windows operating system version number, and whether auditing is enabled.
MBSA is not included with Windows Server 2003, but it is available without charge for download from the Microsoft Web site.
MBSA is an informational tool that can display security information about a computer, but it cannot do anything to remedy the vulnerabilities that it finds. You can use MBSA to determine which security updates to install on specific computers, but to develop effective update policies, you must implement a system to keep track of which security updates have been installed on every computer in the enterprise.
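MBSA reads the live system; to make the account, password, anonymous-access, Autologon and file-system rules above concrete, here is a Python rule set, added as an example and not MBSA's own code, that applies those checks to a constructed description of one host. The Account and Host structures, the restrict_anonymous field, the "too simple" password heuristic and the short list of common passwords are assumptions made for the example; MBSA's real password test and its missing-update, IIS and SQL checks are not modeled.

```python
"""Baseline checks in the spirit of MBSA's account, password and file-system rules."""
from dataclasses import dataclass

COMMON_PASSWORDS = {"password", "admin", "123456", "letmein"}   # constructed short list


@dataclass
class Account:
    name: str
    enabled: bool = True
    admin: bool = False               # member of the local Administrators group
    password: str = ""
    password_expires: bool = True


@dataclass
class Host:
    name: str
    accounts: list
    volumes: dict                     # drive letter -> file system
    autologon: bool = False
    restrict_anonymous: int = 1       # 0 means anonymous users can enumerate accounts and shares
    domain_controller: bool = False


def password_problem(acct: Account) -> str:
    """Return a short description of a weak password, or '' if none is found (heuristic)."""
    pw = acct.password
    if pw == "":
        return "blank"
    if len(pw) < 8 or pw.lower() in COMMON_PASSWORDS or pw.lower() == acct.name.lower():
        return "too simple"
    return ""


def analyze(host: Host) -> list:
    """Apply the rules to one host description and return the findings in check order."""
    findings = []
    if any(a.name.lower() == "guest" and a.enabled for a in host.accounts):
        findings.append("Guest account is enabled")
    admins = [a.name for a in host.accounts if a.admin and a.enabled]
    if len(admins) > 2:
        findings.append("more than two Administrators: " + ", ".join(admins))
    if host.restrict_anonymous == 0:
        findings.append("anonymous users can enumerate account and share information")
    if host.autologon:
        findings.append("Autologon is enabled (the logon password is stored in the registry)")
    if not host.domain_controller:            # MBSA skips the password checks on domain controllers
        for a in host.accounts:
            if not a.enabled:
                continue
            problem = password_problem(a)
            if problem:
                findings.append(f"account {a.name}: password is {problem}")
            if not a.password_expires:
                findings.append(f"account {a.name}: password never expires")
    for drive, fs in host.volumes.items():
        if fs.upper() != "NTFS":
            findings.append(f"drive {drive} uses {fs}, not NTFS (no file permissions or auditing)")
    return findings


# Constructed member server that gets most of the checks wrong.
SAMPLE = Host(
    name="FILESRV01",
    accounts=[
        Account("Administrator", admin=True, password="P@ssw0rd-2003"),
        Account("Guest", enabled=True),                                      # blank password
        Account("backupop", admin=True, password="backup", password_expires=False),
        Account("svc", admin=True, password="svc"),
        Account("installer", enabled=False, admin=True, password="x"),      # disabled, ignored
    ],
    volumes={"C:": "NTFS", "D:": "FAT32"},
    autologon=True,
    restrict_anonymous=0,
)

if __name__ == "__main__":
    for line in analyze(SAMPLE):
        print("-", line)
```

A clean host (one enabled administrator with a long unique password, NTFS everywhere, Autologon off) produces an empty list, which is the baseline you want every member server to reach before you start worrying about which hotfixes it is missing.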
USING WINDOWS UPDATE
Windows Update is a Web site, maintained by Microsoft, that enables computers running Windows Server 2003 and most other versions of Microsoft Windows to locate and download the latest operating system and driver updates and patches. When you access the Windows Update site, by clicking Start, pointing to All Programs, and selecting Windows Update, or by using the URL http://windowsupdate.microsoft.com, the computer downloads an application that examines the computer's current configuration and compiles a list of all the updates and patches the system might need (as shown in Figure 5-3), in the following categories:
■ Critical updates and service packs
■ Version-specific Windows updates
■ Driver updates
The user can then select from the list of updates, download them, and install them all at once, thereby simplifying the maintenance process.
Windows Update works well for a stand-alone computer, but relying on it for every computer in a network has two drawbacks:
■ Bandwidth Each time a computer receives an update release using Windows Update, it downloads the software from a Microsoft server on the Internet. On a large network, this would mean that hundreds or thousands of computers would be downloading the same files. For small updates, this might not be a problem, but Windows service packs are usually more than 100 MB, and downloading the same file for every computer could monopolize an enormous amount of the network's Internet bandwidth.
■ Testing Although Microsoft tests its updates carefully before releasing them, it cannot possibly test every combination of configuration settings and software products. Therefore, it is possible for a particular update to cause problems with some or all of the computers on your network. Here again, for a single computer, this might not be a major issue, but if an update causes a problem on all a network's computers, the loss of productivity and the added burden on technical support personnel could be catastrophic.
The procedures described here for using Windows Update assume that the computer is configured to access the Windows Update Web site on the Internet. However, it is also possible to configure Windows Update to access software updates from an SUS server on the local network. This practice eliminates the potential for bandwidth and testing issues, because the SUS server downloads each update from Microsoft once and offers clients only the updates the administrator has approved. You'll learn more about SUS later in this chapter.
Using Automatic Updates
Although you can always access the Windows Update Web site manually, using Internet Explorer, it is also possible to configure Windows Server 2003 to automatically download and install software updates as they become available. This feature is called Automatic Updates, and it is available in Windows Server 2003, Windows XP with Service Pack 1 installed, and Windows 2000 with Service Pack 3 installed.
For computers running earlier service pack levels of the supported operating systems, you can download Automatic Updates as a standalone client from the Microsoft SUS Web site at http://go.microsoft.com/fwlink/?LinkID=6930.
By default, the Automatic Updates client in Windows Server 2003 is configured to connect automatically to a Windows Update server and download updates, and then prompt the user to install them. You can modify this default behavior by opening the System Properties dialog box from Control Panel and selecting the Automatic Updates tab (as shown in Figure 5-4), or by launching the Automatic Updates Setup Wizard by clicking the Stay Current With Automatic Updates icon in the taskbar tray. You can also configure Automatic Updates using a group policy object (GPO), as described in "Configuring Automatic Updates" later in this chapter.
Figure 5-4 The Automatic Updates tab of the System Properties dialog box
When you configure Automatic Updates, you can select from the following three options:
■ Notify Me Before Downloading Any Updates And Notify Me Again Before Installing Them On My Computer When new updates are available, the computer creates an entry in the System log (which you can access using Event Viewer) and notifies the system's administrators by means of a balloon in the taskbar tray.
■ Download The Updates Automatically And Notify Me When They Are Ready To Be Installed The computer downloads updates from the Windows Update site as they become available, using the Background Intelligent Transfer Service (BITS) to perform the file transfer using idle network bandwidth. BITS ensures that network performance is not affected by the file transfers. The Automatic Updates client then confirms the Microsoft digital signature on the downloaded files, examines the cyclic redundancy check (CRC) on each package, and notifies the system's administrators of their presence, using a System log entry and a balloon in the taskbar tray. The administrator can then select the updates to install from a list of those downloaded.
■ Automatically Download The Updates, And Install Them On The Schedule That I Specify The computer downloads the updates as in the previous option and installs them at the day and time you select. If no user is logged on, installation occurs automatically. If the installed updates require that the system be restarted, a five-minute countdown notification appears, informing users of the impending restart. Only an administrator can cancel the restart.
DEPLOYING UPDATES ON A NETWORK
A network administrator who decides not to have users download their own operating system updates from the Internet can use a variety of alternative methods of delivering the updates to the individual computers on the network, as described in the following sections.
Installing Service Packs Manually
When you purchase a service pack CD, you receive a disk containing all of the service pack files in expanded form. To install the service pack, you run the Update.exe program in the Update folder. This launches the Service Pack Setup Wizard (shown in Figure 5-5), which takes you through the process of installing the service pack. After you agree to the supplemental end user license agreement, the wizard prompts you to specify whether you want to create archive copies of the files the service pack replaces so you can uninstall the service pack later, if needed. After the installation is completed, you are prompted to restart the computer.
FT05xx05
Figure 5-5 The Windows XP Service Pack 1 Setup Wizard
When you download the network version of a service pack, you receive a single executable archive file with a name that specifies the operating system for which the update is intended and the number of the service pack release. For example, the archive file for Windows XP Service Pack 1 is Xpsp1.exe. When you run the executable, the computer expands all of the files in the archive, writes them to a temporary directory on the system’s drive, and then executes the Update.exe file, so the installation proceeds just as with the CD version. You can put the archive file on a network share and run it from any computer on the network. The archive program always copies the installation files to the local drive and runs the installation program from there.
The service pack’s Update.exe file and the network download archive also support
command-line switches that you can use to affect the installation process You can
run the executable with these switches from a command prompt or from the Run
dialog box The switches, which are the same for both Update.exe and the archive
file, are as follows:
■ /D:foldername By default, the installation program creates backup copies of all the files it overwrites in a folder called $ntservicepackuninstall$. This switch enables you to specify an alternate folder name for the backup files.
■ /F Causes the installation program to close all open applications without saving data when it restarts the computer after the installation is completed. Any unsaved work in those applications is lost.
■ /L Displays a list of all hotfixes installed on the computer.
■ /N Prevents the installation program from creating backup copies of the files overwritten during the installation. Without the backup copies, the service pack cannot be uninstalled later.
■ /O Causes the installation program to overwrite original equipment manufacturer (OEM) files during the installation without notifying the user.
■ /Q Runs the installation in quiet mode. In this mode, the installation program uses the default values for all options but does not display a progress indicator or any error messages.
■ /S:foldername Incorporates the service pack distribution files with the operating system distribution files to create an integrated installation. This process is also known as slipstreaming. The foldername placeholder lets you specify the path to the operating system distribution files.
■ /U Runs the installation in unattended setup mode. In this mode, the installation program uses the default values for all options and displays a progress indicator, but only critical error messages stop the installation process.
■ /X Causes the archive executable to expand all of the files in the archive and store them in an i386 directory structure on the local drive without executing the Update.exe program.
■ /X:foldername Causes the archive executable to expand all of the files in the archive and store them in the folder you specify on the local drive without executing the Update.exe program.
■ /Z Prevents the installation program from restarting the computer after the installation is completed. This option is most commonly used when you plan to install hotfixes immediately after the service pack and want to defer the system restart until after the hotfix installations.
Installing Hotfixes Manually
As with service packs, users can download and install hotfixes through the Windows Update Web site, but it is also possible to download them as individual executables. This enables network administrators to deploy hotfixes to large numbers of computers without having to perform redundant Internet downloads. A hotfix distribution file is an executable archive file, much like the network download file for a service pack, but much smaller. The filename uses the following format:
OperatingSystem-KBKnowledgeBase#-Platform-Language.exe
For example, one particular security update for Windows Server 2003 is named WindowsServer2003-KB823980-x86-ENU.exe. The number 823980 is that of the Knowledge Base article describing the issue the hotfix addresses, x86 is the processor platform for which the hotfix is intended, and ENU indicates that the hotfix is for the U.S. English version of Windows Server 2003.
software that is actually installed on the computer when you run the installation program. If you remove an operating system component and later reinstall it, you must also reinstall any hotfixes that apply to that component.
Running a hotfix executable extracts the files in the archive to a temporary folder on the local system and runs the Update.exe installation program, just as with a service pack. Hotfixes always make backup copies of overwritten files for uninstall purposes by default, saving them to a hidden folder beneath the system root called $NtUninstallKB######$, where ###### is the hotfix’s Knowledge Base article number.
To modify the default behavior of the hotfix installation program, you can run it with any of the following switches:
■ /F Causes the installation program to close all open applications without saving data when it restarts the computer after the installation is completed.
■ /L Displays a list of all hotfixes installed on the computer.
■ /N Prevents the installation program from creating backup copies of the files overwritten during the installation.
■ /Q Runs the installation in quiet mode. In this mode, the installation program uses the default values for all options but does not display a progress indicator or any error messages.
■ /U Runs the installation in unattended setup mode. In this mode, the installation program uses the default values for all options and displays a progress indicator, but only critical error messages stop the installation process.
■ /X Causes the archive executable to expand all of the files in the archive and store them in a directory structure on the local drive without executing the Update.exe program.
■ /Z Prevents the installation program from restarting the computer after the installation is completed.
NOTE Hotfix Checks When you attempt to install a hotfix, the installation program always checks which service packs are installed on the computer. If the hotfix was built for a service pack level earlier than the one currently installed, the installation halts, because the fix it contains was already applied as part of that service pack. If the hotfix is newer than the currently installed service pack, the installation proceeds.
Chaining Hotfixes
Starting with the Windows 2000 Service Pack 3 release, hotfix installers incorporate the functionality of the Qchain.exe tool, which makes it possible to install multiple hotfixes one after the other without restarting the computer after each one. If you install multiple hotfixes that include different versions of the same file, this chaining logic ensures that the system is using the correct (most recent) version of that file when the installation is completed.
To chain hotfix installations, you run the hotfix installation programs with the /Z command-line switch, which prevents the programs from restarting the computer. However, you must remember to restart the system after the last hotfix is installed so the hotfixes can take effect. To automate the process of installing multiple hotfixes, you can create a batch file like the following:
WindowsServer2003-KB8239809-x86-ENU.exe /Z /U
WindowsServer2003-KB8239810-x86-ENU.exe /Z /U
WindowsServer2003-KB8239811-x86-ENU.exe /U
Notice that the first two hotfix installation commands in the batch file include the /Z switch, preventing a restart, while the last command omits this switch so the computer will restart after all of the hotfixes are installed. All three commands include the /U switch, which prevents the installations from pausing for user input.
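As an added example (this is not code from the course or from Microsoft), the following Python script builds a batch file of the kind shown above from whatever hotfix executables you have collected on the distribution share. It parses each file name against the documented OperatingSystem-KBnumber-Platform-Language.exe format, refuses files built for another operating system, platform or language rather than silently running them, skips hotfixes whose $NtUninstallKB######$ folder already exists beneath the system root, and puts /Z /U on every line but the last so the computer restarts exactly once. The sample hotfix names and the temporary folder that stands in for the system root are constructed for the example, and the ascending KB order is an assumption of the script, not a rule from the text.

```python
"""Generate a chained hotfix batch file from a set of hotfix executables.

Added example; not code from the course text or from Microsoft. It relies
only on what the text documents: the OperatingSystem-KBnumber-Platform-
Language.exe file-name format, the hidden $NtUninstallKB######$ backup
folders beneath the system root, and the /Z (no restart) and /U (unattended)
switches. Sample file names and the sample system root are constructed.
"""
import os
import re
import tempfile

# One regex over the documented name format.
HOTFIX_RE = re.compile(
    r"^(?P<os>[A-Za-z0-9]+)-KB(?P<kb>\d+)-(?P<platform>[A-Za-z0-9]+)-(?P<lang>[A-Za-z]{3})\.exe$"
)
# Folder the hotfix installer leaves behind for uninstall: $NtUninstallKB######$
UNINSTALL_RE = re.compile(r"^\$NtUninstallKB(\d+)\$$", re.IGNORECASE)


def parse_hotfix_name(name):
    """Split a hotfix file name into its fields; raise ValueError on anything else."""
    m = HOTFIX_RE.match(name)
    if m is None:
        raise ValueError(f"not a hotfix distribution file name: {name!r}")
    return {
        "os": m.group("os"),
        "kb": m.group("kb"),
        "platform": m.group("platform").lower(),
        "lang": m.group("lang").upper(),
    }


def installed_hotfixes(system_root):
    """Return the KB numbers whose $NtUninstallKB...$ folder exists under system_root."""
    found = set()
    for entry in os.listdir(system_root):
        m = UNINSTALL_RE.match(entry)
        if m and os.path.isdir(os.path.join(system_root, entry)):
            found.add(m.group(1))
    return found


def build_chain(hotfix_names, installed, target_os="WindowsServer2003",
                platform="x86", lang="ENU"):
    """Return the lines of a batch file that installs the hotfixes back to back.

    Every hotfix except the last gets /Z /U (unattended, no restart); the last
    gets /U alone so the computer restarts once, after all of them. Hotfixes
    whose uninstall folder is already present are skipped, and a file built for
    another operating system, platform or language raises instead of being run.
    """
    pending = []
    for name in hotfix_names:
        info = parse_hotfix_name(name)
        if (info["os"].lower() != target_os.lower()
                or info["platform"] != platform.lower()
                or info["lang"] != lang.upper()):
            raise ValueError(f"{name} is not a {target_os}/{platform}/{lang} hotfix")
        if info["kb"] in installed:
            continue  # already applied on this computer
        pending.append((int(info["kb"]), name))
    pending.sort()  # ascending KB number: an assumption for determinism, not a rule
    lines = ["@echo off"]
    for index, (_, name) in enumerate(pending):
        is_last = index == len(pending) - 1
        lines.append(f"{name} /U" if is_last else f"{name} /Z /U")
    return lines


# Constructed sample data: three names in the documented format, and a fake
# system root in which KB823980 (the hotfix named in the text) is already installed.
SAMPLE_HOTFIXES = [
    "WindowsServer2003-KB828035-x86-ENU.exe",
    "WindowsServer2003-KB823980-x86-ENU.exe",
    "WindowsServer2003-KB824146-x86-ENU.exe",
]


def make_sample_system_root():
    """Create a temporary folder standing in for %SystemRoot% with one uninstall folder."""
    root = tempfile.mkdtemp(prefix="sysroot-")
    os.mkdir(os.path.join(root, "$NtUninstallKB823980$"))
    return root


if __name__ == "__main__":
    root = make_sample_system_root()
    for line in build_chain(SAMPLE_HOTFIXES, installed_hotfixes(root)):
        print(line)
```

Run it against a computer’s real system root (C:\Windows) instead of the sample folder and redirect the printed lines to a .cmd file on the distribution share. Because the script stops at the first name that does not match the format, a stray Xpsp1.exe or a hotfix for the wrong platform never ends up in the chain, and because it consults the uninstall folders, re-running the batch file on an already-patched computer installs nothing.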
You can also incorporate a service pack installation into the batch file, thus automating the entire postinstallation update process, as follows:
When you install new computers on a network, the operating system installation is
not necessarily the end of the process You might have to install a service pack and
numerous hotfixes as well While it is certainly possible to install each component
separately, it is often preferable to incorporate the service pack and the hotfixes
into the operating system installation This process is called slipstreaming.
Slipstreaming a Service Pack
To slipstream a service pack into the Windows Server 2003 operating system installation, you must first create a distribution folder on a network share and copy the i386 folder from the Windows Server 2003 installation CD to that folder. Then, from the folder containing the service pack installation files, you run the Update.exe program or the archive executable with the /S switch, specifying the location of the distribution folder you created, as in the following examples:
Update.exe /s:distfolder
W2k3sp1.exe /s:distfolder
The installation program extracts the service pack files from the archive to a temporary directory (if necessary) and then copies the files to the appropriate places in the distribution folder. You can then start the operating system installation from the distribution folder, and the service pack files will be installed at the same time.
Using Group Policies
Another method of automating service pack installations is to use the combination of Windows Installer and the Software Installation policy in a GPO. Windows Installer is a program that installs software that has been saved as a Windows Installer Package file with an .msi extension. Service pack releases include a Windows Installer Package version of the installation program called Update.msi. Update.msi is located in the Update folder on a service pack CD. If you have downloaded the network version of the service pack, you must expand the archive file by running it with the /X switch before you can use Update.msi.
To deploy a service pack using its Update.msi file and group policies, you must select an Active Directory object containing the computers you want to update. If all of the computers on your network are running the same version of Windows, you can configure the Software Installation policy in the default domain GPO associated with your Active Directory domain object. If you have computers running various versions of Windows, you can create an organizational unit (OU) object for each version and then create a GPO containing the correct Windows Installer Package for each OU, or you can create multiple Windows Installer Packages in the default domain GPO and use permissions on the GPOs (security filtering) to specify which computers should receive each package.
see the course for exam 70-294, “Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.”
To add the Windows Installer Package to your default domain GPO, use the following procedure:
1. Log on to Windows Server 2003 as Administrator.
2. Expand the service pack archive to a distribution folder on a network share.
3. Click Start, point to Administrative Tools, and click Active Directory Users And Computers. The Active Directory Users And Computers console appears.
4. Select the domain icon in the scope pane and, from the Action menu, select Properties. The Properties dialog box for your domain object appears.
5. Select the Group Policy tab, and then click Edit. The Group Policy Object Editor console appears.
6. In the scope pane, expand the Computer Configuration/Software Settings folder and select the Software Installation icon.
The User Configuration heading also has a Software Settings folder and a Software Installation icon, but you cannot use them to install service packs. You must use the Computer Configuration heading.
7. On the Action menu, point to New and select Package. An Open dialog box appears.
8. Type the full path to the Update.msi Windows Installer Package file in the Update subfolder of your distribution folder. A Deploy Software dialog box appears.
Be sure to use a Universal Naming Convention (UNC) name for the path to the package file, not a drive letter. For example, you can use \\Server01\d$\sp1\i386\update\update.msi, but not D:\sp1\i386\update\update.msi. A drive letter would be resolved on each client’s own disk, not on the server. Note also that each computer retrieves the package under its own computer account when it starts, so the share and the NTFS folder beneath it must grant Read access to the computer accounts that will apply the policy (for example, Domain Computers). The d$ share in the example is an administrative share, which only administrators can read; for a real deployment, share the distribution folder explicitly with read-only permissions rather than opening an administrative share to the domain.
9. Click OK to accept the default Assigned option. The installation package for the service pack appears in the details pane (as shown in Figure 5-6).
FT05xx06
Figure 5-6 The Group Policy Object Editor console with a service pack installation
package
The next time the computers in the domain restart, they will download the service pack installation files from the specified share and install them. Because the package is assigned under Computer Configuration, the installation runs during startup, before the logon prompt appears, and does not depend on which user logs on.
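The note in step 8 rules out drive letters; the reason, and a related trap, is that each computer fetches the package itself, under its own computer account, when it starts. The following added example (not from the course text, and not a Microsoft tool) checks a candidate package path for the problems a practitioner actually runs into: a drive letter, a path that is not a UNC name at all, an administrative share such as d$ that only administrators can read, and a file that is not the service pack’s Update.msi. The server and share names in its sample data are constructed.

```python
"""Check the path handed to the Software Installation policy for a service pack.

Added example, not from the course text. It encodes the rule in the note
(a UNC name, not a drive letter) and a check the text leaves implicit: the
package is read by each computer's own account at startup, so it must sit on
a share that computer accounts can read. The built-in administrative shares
(C$, D$, ADMIN$, IPC$) are readable only by administrators, so a path such as
\\Server01\d$\... fails for ordinary domain members. Other hidden shares, whose
names merely end in $, are fine. Server and share names below are constructed.
"""
import re

DRIVE_LETTER_RE = re.compile(r"^[A-Za-z]:\\")
UNC_RE = re.compile(
    r"^\\\\(?P<server>[^\\/]+)\\(?P<share>[^\\/]+)(?P<rest>(?:\\[^\\/]+)*)$"
)
# Built-in administrative shares that are not letter-plus-$ (those are matched separately).
ADMIN_SHARES = {"admin$", "ipc$"}

MESSAGES = {
    "drive_letter": "drive letter: each client would resolve this on its own disk, not on the server",
    "not_unc": "not a UNC path of the form \\\\server\\share\\...",
    "admin_share": "administrative share: only administrators can read it, computer accounts cannot",
    "not_update_msi": "package should be Update.msi from the service pack's Update folder",
}


def is_admin_share(share):
    """True for C$, D$, ..., ADMIN$ and IPC$; False for a custom hidden share such as sp1$."""
    return share.lower() in ADMIN_SHARES or re.fullmatch(r"[A-Za-z]\$", share) is not None


def check_package_path(path):
    """Return a list of problem codes (keys of MESSAGES); an empty list means the path is usable."""
    if DRIVE_LETTER_RE.match(path):
        return ["drive_letter"]
    m = UNC_RE.match(path)
    if m is None:
        return ["not_unc"]
    problems = []
    if is_admin_share(m.group("share")):
        problems.append("admin_share")
    if not path.lower().endswith("\\update.msi"):
        problems.append("not_update_msi")
    return problems


# Constructed sample paths: the two from the note, plus a dedicated read-only share.
SAMPLE_PATHS = [
    r"D:\sp1\i386\update\update.msi",
    r"\\Server01\d$\sp1\i386\update\update.msi",
    r"\\Server01\Updates\sp1\i386\update\Update.msi",
]

if __name__ == "__main__":
    for sample in SAMPLE_PATHS:
        problems = check_package_path(sample)
        verdict = "; ".join(MESSAGES[p] for p in problems) or "ok"
        print(f"{sample}: {verdict}")
```

Only the third sample path passes. The check is deliberately about the path’s form; whether the computer accounts really have Read access to the share and folder still has to be verified on the server’s share and NTFS permissions before the policy is applied.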
USING MICROSOFT SOFTWARE UPDATE SERVICES
Deploying any software on a large network is a complicated task, and operating system updates are no exception. What might be a simple task on a single computer turns into a major project when you have hundreds or thousands of computers. SUS is a free product that notifies administrators when new security updates are available, downloads the updates, and then deploys them to the computers on the network (as shown in Figure 5-7).