MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)

Lesson 3: Deploying Updates in the Enterprise

Along with RIS, you can use Group Policy to deploy software updates, including service packs. You can also create custom scripts to install hotfixes or other updates. In this lesson, you look at how Group Policy can simplify software deployment and use the Qchain.exe utility to simplify the installation of multiple hotfixes.


After completing this lesson, you will be able to

Estimated lesson time: 30 minutes


Using Group Policy to Deploy Software

Windows 2000 Group Policy includes a software installation feature that can deploy software updates. You can use this feature to deploy a service pack or other installation package across an OU or other Active Directory container.

To make effective use of this feature, you should place computers with identical operating systems and service pack levels in the same OU. If computers within the OU contain a different operating system or incompatible software, the installation process might cause errors. For the same reason, you should use computer policy rather than user policy to deploy software because a user might log on to an incompatible computer.

Group Policy is explained in detail in Chapter 1, "Group Policy."

Understanding .msi Installation Packages

Windows 2000 includes Windows Installer, a standard utility for installing software updates and other software packages. Windows Installer uses files with the .msi extension to control each installation. The distribution for each service pack includes an Update.msi file for use with the installer. Group Policy features for software installation also use .msi files. After you apply the policy to a group of computers, Windows Installer installs the file on each computer.

Windows 2000 Server also includes tools for creating custom .msi files, so you can install third-party software using Group Policy.

Creating the GPO

You can deploy a service pack using a user policy or a computer policy. A computer policy is the logical choice because it is not dependent on the logon process and automatically installs the service pack when the computer is booted and connects to the domain.

To create the Group Policy Object (GPO), right-click the OU containing the computers to be updated. Click Properties, and then click the Group Policy tab. Create a new policy, open its Computer Configuration node, and select Software Settings. You can then add the Update.msi package to the policy. This process is detailed in the "Practice: Deploying Multiple Hotfixes in the Enterprise" section.

Installing Multiple Hotfixes

When a large number of hotfixes have been released, especially critical security updates, you might find it inconvenient to install multiple hotfixes at each computer in the network, especially when a reboot is required after each installation. You can use a batch file to simplify this process and install several hotfixes at once.

Using Qchain.exe

Normally, you must reboot a computer after installing each hotfix. Microsoft provides the Qchain.exe utility to simplify this process. This utility configures the system after you install several hotfixes so that a single reboot can correctly install all the hotfixes. You can obtain Qchain.exe from the http://support.microsoft.com/ Web site. Search for Knowledge Base article #Q296861.

To use Qchain, first run the .exe file for each hotfix, as described in Lesson 1. Use the -z option to prevent the hotfix from rebooting the computer after installation, as in this example:

Q123456_w2k_sp4_x86.exe -z

After you have installed all of the hotfixes, run the Qchain.exe utility, and then reboot the computer. This ensures that the hotfixes do not conflict with each other.

The Qchain functionality is built into hotfixes for Windows 2000 after Service Pack 3 and into all Windows XP hotfixes. You do not need to use Qchain unless you are installing older hotfixes.

Using Batch Files

You can combine several hotfixes and the Qchain.exe program, if necessary, into a batch file to install multiple hotfixes in a single operation. Use the -m option with each hotfix .exe file to suppress its output, along with the -z option to prevent rebooting. If Qchain.exe is required, include it as the last command in the batch file. The following is a simple example of a batch file to install two hotfixes:

    Q123456_w2k_sp4_x86.exe -m -z
    Q234567_w2k_sp4_x86.exe -m -z
    qchain.exe

Create the batch file as a text file with the .bat extension. You can then execute this file at each computer that requires the hotfixes.

Using Tools for Security Management

Depending on the size of the network you manage and your particular security concerns, you might find several other tools useful for checking update status and managing software updates across the enterprise. Tools available from Microsoft include the following:

Microsoft Baseline Security Analyzer

MBSA is a graphical tool that can analyze the security of one or more systems and produce a report. MBSA can check for hotfixes or updates that have not been installed, similar to the Qfecheck.exe tool described earlier in this chapter. It also checks for common security issues, such as misconfigured Guest or Administrator accounts. MBSA can perform checks on the following server components:

You can download MBSA from the Microsoft TechNet Web site. It is distributed as an .msi file and installed by Windows Installer. Once you start MBSA, you can choose to scan a single computer or multiple computers across the network. After the scan has completed, MBSA stores its results in an XML (Extensible Markup Language) file and displays them in a graphical interface.

To download MBSA or view its detailed documentation, visit the Technet Web site at http://www.microsoft.com/technet, and select Security, Tools And Checklists from the navigation tree.

HFNetChk

HFNetChk is a command-line tool that checks the patch status of one or more machines across the network. Formerly a separate command-line utility, the latest version of HFNetChk is built into MBSA version 1.1, and is used by MBSA to display information in a graphical format.

You can manually run the HFNetChk utility using the Mbsacli.exe /hf command. The Mbsacli.exe program is installed as part of MBSA. You can also use the options described in Table 14-2 on the command line.

Table 14-2. Basic HFNetChk Options

    Option   Description
    -v       Display detailed information about patches that are not installed.
    -u       Specify a user name to access remote computers.
    -p       Specify a password to access remote computers.
    -h       Specify the host (NetBIOS) names of computers to scan, separated by commas.
    -i       Specify the IP addresses of computers to scan, separated by commas.

For more information about HFNetChk including a complete list of command-line options, visit http://support.microsoft.com and search for Knowledge Base article #303215.

SMS

Microsoft Systems Management Server (SMS) is a comprehensive tool that can manage the distribution of operating systems, applications, and software updates across the enterprise. It also includes tools for remote troubleshooting and asset management. You can use SMS to deploy updates to a large number of computers and track which computers have been updated.

SMS is a separate product available from Microsoft, and is licensed based on the number of users. For more information about SMS and to learn where to obtain licenses, visit http://www.microsoft.com/smserver.

Practice: Deploying Multiple Hotfixes in the Enterprise

In this practice, you create a GPO to deploy a Windows 2000 service pack and create a batch file to install multiple hotfixes. Because the service pack and hotfix levels on your computer can vary, be sure to use only updates you have not already installed instead of those shown in this practice.

Exercise 1: Deploying Updates with Group Policy

In this exercise, you deploy a Windows 2000 service pack by creating a GPO and adding the Update.msi file to the policy.

To deploy a service pack using Group Policy

    Perform this procedure from the domain controller.

  1. Click Start, point to Programs, point to Administrative Tools, and click Active Directory Users And Computers. The Active Directory Users And Computers management console appears.

  2. In the console tree, select the Information Technology organizational unit under Department.

  3. From the Action menu, choose Properties. The Information Technology Properties dialog box appears.

  4. Select the Group Policy tab. The Group Policy Properties are displayed.

  5. Click New, and name the new policy Service Pack 3.

  6. Click Edit to edit the GPO. The Group Policy management console appears.

  7. In the console tree, expand Computer Configuration, expand Software Settings, and select Software Installation.

  8. From the Action menu, point to New and then choose Package. The Open dialog box is displayed, as shown in Figure 14-28.

    Figure 14-28. Selecting a package file

  9. Select the C:\SP3\I386\Update\Update.msi file, and click Open.

    This requires that you have extracted the service pack files to C:\SP3, as described in Lesson 1, Exercise 2.

    The Deploy Software dialog box appears.

  10. Select the Assigned option, and click OK.

    The service pack will now be deployed to each computer in the OU when the computer is next booted.

  11. Close the Group Policy console.

  12. Click OK to close the Information Technology Properties dialog box.

  13. Close the Active Directory Users And Computers management console.

Exercise 2: Using Qchain and Batch Files

In this exercise, you create a batch file to install multiple hotfixes using the Qchain.exe utility.

To create a batch file to install multiple hotfixes

  1. From the command prompt, type edit fix.bat. The text editor is displayed, as shown in Figure 14-29.

    Figure 14-29. Creating a batch file

  2. Type two or more hotfix .exe file names in the batch file. Be sure to include the correct path to the location of the hotfixes.

  3. Type Qchain.exe as the last line.

  4. From the File menu, choose Exit.

  5. Select Yes to save the batch file.

    After you have created the batch file, you can run it by typing its name at the command prompt or in the Run dialog box, or run it on multiple computers using Group Policy.
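The following batch file is an added example, not part of the training kit, that carries the "Using Batch Files" section and Exercise 2 a step further: it installs every hotfix found in a directory with the -m and -z options described in the lesson, records each installer's exit code in a log, and runs Qchain.exe only when it is present (which is the case for pre-SP3 hotfixes). The directory argument, the Q*.exe naming pattern, and the log file location are assumptions.

```batch
@echo off
rem Added example (not from the training kit): chain several hotfixes with
rem a single reboot. Assumes the hotfix .exe files are in the directory given
rem as the first argument (for example \\server\hotfixes\w2k) and that
rem Qchain.exe, if needed, sits in the same directory.
setlocal enabledelayedexpansion

if "%~1"=="" (
    echo Usage: %~nx0 hotfix_directory
    goto :eof
)
set HFDIR=%~1
set LOG=%SystemRoot%\hotfix-chain.log

echo ==== %DATE% %TIME% chaining hotfixes from %HFDIR% >> "%LOG%"

rem Run each hotfix quietly (-m) and without rebooting (-z), as the lesson
rem describes, logging the exit code so a failed installer is not missed.
for %%F in ("%HFDIR%\Q*.exe") do (
    echo Installing %%~nxF >> "%LOG%"
    "%%~fF" -m -z
    if errorlevel 1 (
        echo   %%~nxF returned errorlevel !ERRORLEVEL! >> "%LOG%"
    ) else (
        echo   %%~nxF completed >> "%LOG%"
    )
)

rem Qchain.exe is only required for hotfixes released before Windows 2000
rem SP3; newer hotfixes have the chaining logic built in.
if exist "%HFDIR%\Qchain.exe" (
    echo Running Qchain.exe >> "%LOG%"
    "%HFDIR%\Qchain.exe" >> "%LOG%"
)

echo Reboot required to complete installation >> "%LOG%"
echo Hotfix installation finished; see "%LOG%". Reboot to complete.
endlocal
```

Review the log before rebooting: an installer that returned a nonzero exit code should be rerun on its own rather than assumed installed.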

Lesson Review

The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.

  1. Which file format does Group Policy support for installation files?

  2. What is the package file name for a service pack?

  3. Are user or computer policies better for deploying service packs?

  4. What is the purpose of the Qchain.exe utility?

  5. For which hotfixes is Qchain.exe required?

Lesson Summary
