As if WSUS Admins Don't Have Enough to Deal with...

Now comes word from Microsoft that Windows Search 4.0 (formerly Windows Desktop Search) is being released via Automatic Updates.  The odd thing is that it will be labeled "optional" for XP clients, while Vista clients will see it labeled as "recommended".  I still find it ironic (and stupid) that "Root Certificates Update" is "recommended" and not marked with higher importance.  Oh well.  This "update" is tagged 940157, and is available for manual download now, if you want it that badly.

So, part of what makes this all fun, is not only the impact it might have on your desktops, but the subtle way that Microsoft has already published a KB article on how to block automatic installation of this update (read 953959).  Which tells me this is nothing more than a shot firing across the bow of Google to head them off.  Same with how IE was maneuvered in front of Netscape years ago.

As an aside - In case you're wondering where I've been.  I'm still getting situated at the new job.  To add to this, they picked a dozen of us to attend an MCSA boot camp course to help get through the 4 exams for MCSA 2003 certification.  It's grueling and intense.  Long hours and few breaks.  However, this is one of the luckiest opportunities I've had this year.  So far, I've passed three: 70-270 (XP), 70-290 (WS03) and 70-620 (Vista).  The last one to go is 70-291, the dreaded Infrastructure exam.  All covering stuff that I suffered through back in college, and drank into oblivion almost immediately after passing the finals.  Just goes to show you can never escape TCP/IP.  Anyhow, once I get through this last one (or the retake, if I fail it, ugh!) I will hopefully have a little more time to post to this blog.


Another great Blog, ThinApp 4.0 and I need a tissue

I subscribe to Geert Baeke's blog at Baeke.info from Google Reader (via the infamous PlanetV12 news feed) - Amazing blog!  This post on ThinApp 4.0 is fantastic and there are others on the site as well.  As with Scott Lowe's blog, this is yet another site to check out.  If you've looked at SoftGrid, or XenApp or Symantec/Altiris SVS or Thinstall, you need to look at ThinApp 4.0 and this is one of the best sites I've seen on this topic. After reading through some of his posts and seeing the new screen caps, I'm pumped.  I really wish EMC would consider giving ThinApp away in some form.  Maybe a "lite" version and a "full" version or something.  Maybe "lite" could chop out app-link and app-synch, and just make a dumb package (as if that would even be "dumb", chuckle...)  I'm still betting Microsoft will weave SoftGrid, in some form, into Windows 7.  It's gotta happen.  It's a no-brainer from a marketing standpoint.  Imagine the leverage that would have with respect to impressing upon their enterprise customers the notion of (a) eliminating MSI packaging, and (b) application conflicts and legacy app support.

Posted by David M. Stein | with no comments

WSUS: Vista SP1 Arrives

The WSUS Team Blog folks posted a notice yesterday that Service Pack 1 for Windows Vista is now available for WSUS synchronization.   That's definitely good news, but also reason to stop and think before you click that Approve button.  I say it over and over, but "fat" updates are always something to be careful with.  If all you have are LAN links you may be ok (depending upon how many clients are in your LAN and when they're available for patching).  If you're pointing clients to your WSUS servers over WAN links, oh boy.  OC-48 might be ok, or if you only have a small number of clients, or you have downstream WSUS servers to help stage the deployments, or Martians invade and eat your clients before they need patching.  Ummm..


MCSA Boot Camp, RSAT, WSUS Virtues

As I posted on my "other blog", I've been immersed in an eight-day MCSA "boot camp" for Server 2003.  I've passed two of the four exams so far, working on the remaining two.  Long hours.

I finally had a minute to download and install RSAT on my Vista desktop to manage my servers.  Maybe I'm the only one that found myself dumbfounded after installing RSAT and not being able to find any of the goodies anywhere to launch.  I was really lost.  Then I actually took my own advice: RTFM.  I discovered you have to open Control Panel, then Programs, and then click on "Turn Windows Features On or Off" and select "Remote Server Administration Tools".  Lo and behold, I have admin tools!  No major new goodies from the familiar Admin Toolkit, but everything works and that's good.

I was chatting with someone the other day about what makes WSUS worth considering and I dug up something from the back of my skull that I didn't even think about until that moment.  The issue is comparing "Automatic Updates" (a standard staple for workgroup/standalone computers) and WSUS.  One of the benefits is dealing with "non-critical" updates which *I* (and many others) consider "critical" but for some reason, Microsoft does not.  One good example is the "Root Certificates Update" which affects a lot of things on Windows XP and Windows Vista alike.  Automatic Updates will not automatically deploy that one.  Most users don't bother to visit Windows Update on their own.  You have to threaten or scare the crap out of them first.  WSUS will deploy it, as well as many other such goodies, and do it silently and easily.  Things like Windows Media Player 11, IE7, .NET Framework 3.5 and Silverlight to name a few.  As Ron Popeil might say: "Just set it, and forget it".  Ok, maybe you can't (or shouldn't) forget it, but it's something any geek should have running at home if they have Windows clients in the house.

The Level5 guides on WSUS cover a lot of other features and benefits of using WSUS, so I strongly urge you to check them out.  For those of you who have already subscribed to them: THANK YOU!  You have no idea how much I appreciate that.  I welcome any feedback on them and would like to produce more guides when my schedule allows for it, but I need some help from you to know what topics would be of interest to others.  Post a feedback comment here to let me know.


Recommended Reading: SCCM Article

This is a VERY brief product-horn-tooting article, on the Redmond Magazine site (and in the print version), but it's fairly balanced on both the useful customer viewpoint side as well as the marketing hype side. The only beef I have is with the comment about "getting your head around OSD".  I must be dumber than dumb, but OSD (and Microsoft Deployment aka BDD) simply leave me standing in the rain with my jaw dragging in the gutter.  I've managed to deploy a pure-vanilla Vista client with it, but OMG (yes, that's Oh My God, not some new Microsoft product name) getting Office and other apps to roll in "seamlessly" was not within my reach for some reason.  Probably because I keep telling myself I have better things to do.  What was wrong with the basic RIS way of building and deploying OS images?  RIS was simple.  Sure, it sucked, but it was simple.  It could have been patched to make it do what we needed, rather than put through a meat grinder and made into BDD/MD.  Sort of the same views people have with respect to XP vs Vista I suppose.  I digress (sorry).  Anyhow, this is a pretty good short article for anyone not really familiar with System Center Configuration Manager 2007 (geez, that's a lot to type).

One final note is the boxed section, item #1 "Clean up AD".  I can't emphasize that enough.  So many AD environments are simply trashed to hell.  Lack of concern or training or procedures or whatever.  AD is the foundation for so many things in a Windows network environment.  You have to pay attention to it.  It's like checking the oil in your engine.  If you ignore it long enough, it will let you know (in a very painful way).


Patching WSUS 3.0 with KB954960

The WSUS Team finally posted word that an update/hotfix is now available (KB954960) for public download to address the synchronization "issues" reported recently.  The installation is a breeze.  The download is actually a .cab file which contains a .msp patch file.   You should extract the .msp file out of the .cab file first.  Remember to run it with appropriate administrative rights.  So for anyone running Windows Server 2008, the solution is simply to open a CMD console via the right-click "Run as Administrator" method.  Then navigate to the folder with the .msp file and simply fire it off.  It's that easy (it's that cheesy).  And what exciting new features will you see when you bust open the WSUS console afterwards?!  Nothing.  It's a hotfix, remember?  It fixes a rather nasty little bug that stopped clients from synchronizing with your WSUS server if they had certain "conditions" present.  Read the WSUS team blog post for more details if you prefer.


WSUS SQL Goodies, a New WUA, more FUD Busting

Microsoft's Travis Plunk posted a modified version of Marc Shepard's WSUS SQL script for producing a report of non-compliant computers from the WSUS database.  Indeed, this is good stuff and you should give it a try.  Works whether you're hosting WSUS on SQL Server 2005 or Windows Internal Database using SQL Express (note the info in Marc's posting also).  Apparently, Travis discovered that if you have a lot of computers in your WSUS database (in his case over 12,000) the time it takes to run the script was causing it to block clients from running synch processes.  Travis modified it to use dirty data instead.

Also, Marc posted a reminder about the forthcoming updated Windows Update Agent to be cascaded out through Windows Update and eventually through WSUS and other avenues.  I'm wondering how much whining we'll have to endure from all the FUD-mongers over this.  "Eew, they're updating my software and I don't like it."  followed by "I wish they'd update this software because I don't like the current one."  Waaaah.

Look, I have to digress here a bit.  There are two basic reasons for upgrading software:  Profit and Functionality.  When it's for profit, we all know it.  The list of improvements is shallow and the marketing is heavy.  When it's for features and functionality we know it as well.  The functional changes are deep and the marketing is usually an afterthought.  Upgrades which are for functionality are a GOOD thing.  Those done for profit are obviously a BAD thing, unless you own stock in the vendor.  When IT weenies whine about upgrades without evaluating which of these types is involved, I get a little angry.  I want to slap them.  It reminds me of The Godfather when Brando loses it with Johnny the Vegas singer.

The basic fact is this: Software was designed to change.  That's why it was called "SOFT"ware.  Charles Babbage (if textbook memory serves me, and I was lucid during college) was tired of machinery being "hard-coded" through mechanical configurations.  He wanted an easier way to implement changes, improvements and so forth, without having to retool or physically reconfigure the machinery itself.  So whenever I hear someone complain about software getting patched, hotfixed, upgraded or whatever, I have to ask: "does it qualify as a feature/functionality upgrade or a profit-only upgrade?"  If they respond in a way that indicates they really don't know (usually a knee-jerk, media-hype-induced ignorant answer) I gnash my teeth.

If it wasn't meant to change, it would be called "hardware", which even that changes over time.


Sometimes I want to go back to bed

After reading this post, I had to shake my head.  There's nothing inherently "wrong" with the post itself, nor with what Shawn says.  It's with the number stated by the NGC software survey of 368,000.  I don't care about the mitigation caveat of 4% either, it's just insane!  That many SQL Server instances running open on the net is like casually saying 368,000 Taliban have just entered the U.S. Capitol building.  I don't see any difference at all.  Same thing.  Shawn's post on MSDN Blogs covers some really useful information about configuring the Windows Firewall on WS08 to deal with SQL Server issues like this.  I often wonder why there isn't a strict licensing requirement to run a computer like there is for operating on humans or flying aircraft.  It might help to alleviate some of the stupidity that seems so prevalent.


Oh No. Say it ain't so! WSUS is choking on updates?!

According to Microsoft advisory 954960, Microsoft is "investigating public reports" of a problem reported with WSUS 3.0 and something stopping the deployment of updates when there are clients in the environment installed with Office 2003.  Anyone know of any of these?  Hah!  I thought so, there are more than a few of those out there.  This would have to be HUGE.  I would say more customers are running Office 2003 than any other version of Office, but I don't have any official numbers to back that up.  Just anecdotal bragging and a half empty can of warm beer (and a hairy gut sticking out, sorry).

From the sounds of this I would expect a rapid response from Microsoft and something to patch WSUS with (and hopefully nothing more complicated than that).


Windows Server 2008: Pitchforks and Torches

I'm really trying to be stupidly poetic for some unknown reason.  Maybe because I'm really, really REALLY tired right now.  Commuting an hour each way to work (2 hours on Fridays) at 44 years old is very taxing.

Ok, on to the subject...

Like many wonderful IT folk, I work in an environment called "big corporate WAN place" which is built (mostly) on Windows Server 2003.  Like many big corporations, they're slow to adopt new technologies and products.  Not because they just don't want to, but because most places like this have developed meticulous methods and processes for handling what we all love to call "change management". The real reason behind that is "stability" (ok, you could also say "reliability" or "availability" or "sensibility" or even "lack of humility" - any will do).  That's not a bad reason either.  You can't expect to maintain consistent services for 20,000 "customers" if you develop a habit of tossing new things into the mix because "they're cool" (dude!).

But, like most IT folk that actually don't fear change (ok, we frigging die for it, but we have to be patient to earn the almighty paycheck), we will be powerless to resist the urge to propose something like this at a staff meeting, most likely on a Friday....

"Hey guys, I was playing with Windows Server 2008 and it's really cool!  Maybe we...."

Dead stop.  Sound of brakes screeching and trash cans getting knocked down.

And you get THE STARE of death.  You know what I mean.

So what gives?  Why is it that the reaction is expected before the question is posed?  And why does it seem that it's even more pronounced with WS08 than it was with WS03?  Do you remember when you first had discussions about going from WS2K to WS03?  Or even NT4 to WS03?  I'll bet it really wasn't that horrific of a discussion.  Now, try that same approach with WS08 and watch the response.  If you're lucky (and if you are, please hire me?) your coworkers and boss all say "cool!  yes!  let's get a beer first and then start working on that idea!"  Man, I would need a box of tissues.

No, really though, it seems more often than not, there is increased resistance, actually, more appropriate would be to say there's increased "distrust" regarding WS08.  This is extremely unfair in my humblest opinion.  WS08 really is amazing.  I'll avoid sounding like Billy the OxyClean guy, but if you haven't actually tried it on, you really should.  Go download it and throw it into a VM and start beating it up.  You will be amazed.  It is simply the best server product (OS-wise) Microsoft has ever produced.  Period.  Hands-down.  End of story.  Umm, er, not so fast, I'm not done telling my story yet...

After some digging and questioning, I've found that it's almost always related to Vista.  Yes, Vista.  The FUD surrounding Vista, particularly in business environments, has spilled over into WS08.  Corporate IT folk have heard the market slathering of how great Vista is and what Vista can do and all that, but that sweet smell has faded considerably in the face of mounting opposition from many directions, even from mixed marketing signals coming out of Redmond itself.  So they've all developed a distrust for Microsoft marketing and this really wraps around operating system products it seems.  I can't say this is evident with Office, System Center and database products (among others), just with regards to their operating systems.

Unfortunate indeed.  Microsoft really needs to regroup, rethink and redirect their efforts away from the shiny robot magazine ads, the monotonous voice tone TV ads espousing business ROI crap and get down to what sells the product: impressing the IT guys.  That's what works.  Because even when the CxO golfing buddy crowd isn't down with the 4-1-1 of something new and exciting, the IT folks are already there and they will find clever, creative, and inventive ways to stealthily weave it into the environment regardless of bureaucratic obstacles.  Don't believe me?  What has happened with Linux in the past 10 years?  Hmmmm?  I doubt 1 in 100 CEO's gave explicit directives to put Linux into the data center, yet it got there somehow.  I rest my case.

Microsoft:  The product is cool.  It's worthy.  Let it sell itself.  Stop with the dumb ads aimed at MBA people.  Adjust your sights and get to work.  We're waiting.


Let's ask Mr. Owl: How many licks does it take to get to the max limit of WSUS 3.0?

Ok, I'm dating myself horribly here.  For anyone that figured out that tagline, great.  I'll see you in the pudding line at the retirement home.  For the rest of you:  It was an old cartoon TV advertisement for Tootsie Roll Pops.  Oh well.  I shall digress (because that's about the only thing I'm really good at it seems).

Brian Tucker posted a great blog article about setting up a SUP role on SCCM 2007 using WSUS 3.0 of course.  Read Brian's post if you want the good stuff.  The mention of how many clients you can support with a WSUS server node brought back a memory from a webcast session a while back, in which someone asked that very same question of the Microsoft wizard.  Ok, the wizard is the one talking, but they have a few background guys fielding the chat questions.  I'll paraphrase the answer and embellish it a bit (another thing I'm good at).

The party line is "20,000 or thereabouts".  However, and this is a BIG however, the answer really is....

IT DEPENDS

On what? You ask?  Well, on several factors, actually more than several, but I can't think of what comes after couple, few, several...  Oh well.

Some of the obvious ones are NIC capabilities, LAN link characteristics, WAN links, switches, routers, fiber quality, rodents chewing on cables, cables crimped in door jambs, cable terminators installed by idiots, a poorly maintained server, a poorly maintained network, a poorly maintained staff.  I could go on, but those are the obvious items.  The not-so-obvious items are:  the size and quantity of updates (even with BITS, it doesn't really do much since BITS can't really "see" your network traffic loads, only what's happening with the local NIC(s) and such).  Also, the mix of local versus remote clients matters (LAN vs WAN = switches versus routers, etc).  There really is no one-size-fits-all answer for this question.  The same formulaic response has to be applied to many questions like this (e.g.  file server performance with respect to various client groups at various locations and times of day).

Ponder this for a moment (be thankful I didn't try to sneak the word pontificate in there): Supporting 10,000 concurrent clients from a single WSUS server might work for most Windows security updates, but what about Vista Service Pack 1, or Office 2007 Service Pack 1?  If you knee jerked and said "no problem!" you're drinking too much.  Remember, I said "concurrent".  Anyone that's experienced the painful burn and itch of such an attempt knows you need to stage things, either by time blocking or by hierarchical distribution (aka dissemination).  So, again, the answer is really "it depends".

If you're really bent on getting a factual-based answer, I'm sure you can do it.  I don't have the patience (or time it seems), but maybe you do.  If so, please feel free to post a feedback comment here for others to enjoy? 


WSUS System Event 13001: Part 2 - Sending Notifications

I was asked by a few readers (I can't believe I have a "few", I thought it was just "one") about how to set up the notification I mentioned.  It's very easy but depends on what operating system is used.  If you're on WS08, just create an Event-based Scheduled Task.  If you're on WS03, just create a scheduled task to fire off a VBScript file that sends an email using CDOsys.  Below is an example VBScript that will send an email for you WS03 users.  Be sure to edit the mailServer value, as well as the Send-To and Send-From values to make it work properly.  Another reason to go with WS08: simplicity.

'------------------------------------------------------
' Sends a notification e-mail through an SMTP relay using CDOSYS.
' Edit mailServer and the addresses in the SendMail call below.
Const mailServer = "myMailServer.MyDomain.com"

Sub SendMail(sendto, sendfrom, subjectline, msgBody, msgFormat)
    Dim objMessage
    ' All four text fields are required; msgFormat is "TEXT" or anything else for HTML
    If (sendto <> "") And (sendfrom <> "") And (subjectline <> "") And (msgBody <> "") Then
        Set objMessage = CreateObject("CDO.Message")
        objMessage.Subject = subjectline
        objMessage.From = sendfrom
        objMessage.To = sendto
        If msgFormat = "TEXT" Then
            objMessage.TextBody = msgBody
        Else
            objMessage.HTMLBody = msgBody
        End If
        ' sendusing = 2 sends over the network to the SMTP server named below
        objMessage.Configuration.Fields.Item _
            ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
        objMessage.Configuration.Fields.Item _
            ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = mailServer
        objMessage.Configuration.Fields.Item _
            ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
        objMessage.Configuration.Fields.Update
        objMessage.Send
        Set objMessage = Nothing
    Else
        WScript.Echo "error: Insufficient parameters (sendmail)"
    End If
End Sub

' The fifth argument selects a plain-text body
SendMail "you@MyDomain.com", "sender@MyDomain.com", "WSUS is having a bad day", "Computers are being bad - Go spank them now!", "TEXT"


WSUS System Event 13001

Something I'm finding many WSUS admins are ignoring is that when you start seeing problems in the WSUS console as far as computers failing to install updates, there's also a corresponding Windows System event log entry 13001.

Log Name:      Application
Source:        Windows Server Update Services
Date:          6/23/2008 4:09:57 PM
Event ID:      13001
Task Category: 6
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:     wsus01.davesnetwork.home
Description:  Client computers are installing updates with a higher than 10 percent failure rate. This should be monitored.

Why would I mention this?  Because if you really want to make your IT administration life simpler and more "automated" (don't we all), you can look to this for sending alerts.  There are many, many ways to leverage event logs for notification processing.  From EVENTCREATE to SCHTASKS to about a hundred shareware and freeware utilities, to plain old fashioned scripting (VBScript, KixTart, PowerShell, etc.)  If you don't fancy making a daily ritual out of opening up the WSUS console to hunt for problems like this, you can make them come to your Inbox or cell phone.  Keep in mind that this error repeats quite a bit, so you'd probably want to set things up using a scheduler or batch job, rather than making it event driven.
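The scheduled, non-event-driven approach described above, as an added PowerShell example (not the author's script): it reads the last 24 hours of event 13001 from the Application log shown in the sample record and sends one digest mail however many times the warning repeated. The mail server and addresses are the placeholders from the VBScript post; the script path, task name, parameter names and the `-Demo` switch are assumptions made for this example.

```powershell
# Added example (not from the original post): one digest mail per run for
# WSUS event 13001, meant to be started by a daily scheduled task, e.g.
#   schtasks /Create /SC DAILY /ST 07:00 /TN "WSUS 13001 digest" ^
#     /TR "powershell.exe -NoProfile -File C:\Scripts\Send-Wsus13001Digest.ps1"
# The script path, task name and mail addresses are assumptions.
param(
    [string]$MailServer = 'myMailServer.MyDomain.com',
    [string]$MailTo     = 'you@MyDomain.com',
    [string]$MailFrom   = 'sender@MyDomain.com',
    [int]$WindowHours   = 24,
    [switch]$Demo       # use constructed sample events and print instead of mailing
)

function Get-Wsus13001Summary {
    # Collapse any number of 13001 events into a single summary object.
    param([object[]]$Events)
    $list = @($Events | Where-Object { $_ } | Sort-Object TimeCreated)
    if ($list.Count -eq 0) { return $null }
    [pscustomobject]@{
        Count    = $list.Count
        First    = $list[0].TimeCreated
        Last     = $list[-1].TimeCreated
        Computer = $list[-1].MachineName
    }
}

if ($Demo) {
    # Constructed sample events shaped like Get-WinEvent output.
    $now = Get-Date
    $events = 1..3 | ForEach-Object {
        [pscustomobject]@{
            Id          = 13001
            TimeCreated = $now.AddHours(-2 * $_)
            MachineName = 'wsus01.davesnetwork.home'
        }
    }
} else {
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Windows Server Update Services'
        Id           = 13001
        StartTime    = (Get-Date).AddHours(-$WindowHours)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

$summary = Get-Wsus13001Summary -Events $events
if ($summary) {
    $body = "WSUS event 13001 was logged {0} time(s) on {1} in the last {2} hours.`r`nFirst: {3}`r`nLast:  {4}" -f `
        $summary.Count, $summary.Computer, $WindowHours, $summary.First, $summary.Last
    if ($Demo) {
        Write-Output $body
    } else {
        Send-MailMessage -SmtpServer $MailServer -From $MailFrom -To $MailTo `
            -Subject 'WSUS: update failure rate warning (event 13001)' -Body $body
    }
}
```

Run it with `-Demo` first to see the digest text without touching the event log or the mail relay.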


Guess How Old: Hypervisor, VMM, Virtualization

Catchy, huh?  So, maybe you're younger than me (probably) and think all this Virtualization is "new stuff" and really "new" and "cutting edge".  Take a guess at what year all this stuff was first widely blabbered about:

1. 1995

2. 1974

3. 2001

The answer is (B), oops, I mean (2).  Don't believe me?  Read this and dig through the cited references: http://iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf
