Deploying Service Packs

Network administrators are frequently ambivalent about service packs. On one hand, service packs usually improve network reliability and security. On the other hand, deploying service packs is an "event" that consumes time and resources. So most administrators postpone deployment as long as possible, typically waiting until one or more of the following conditions is met:

  • Applications require a certain service pack to install.
  • A service pack fixes a serious problem for your servers and clients.
  • The boss decides it's time for you to deploy the latest service pack.

At the very least, wait to deploy a new service pack until enough time has elapsed for any complications to come to light. You might also want to perform a limited rollout of the service pack as a test deployment before deploying it to the entire network.

When it comes time to deploy a service pack, you have several options:

  • Manually install the service pack from Windows Update, a network share, or a CD-ROM, optionally with command-line switches to partially automate the installation process.
  • Use Group Policy (Software Installation and Maintenance) to deploy the service pack, either by assigning the service pack to computers, or by publishing the service pack so that users can install it if they choose.
  • Update Windows setup files on a network share (or CD-ROM) so that new Windows installations already have the service pack applied (as discussed in Chapter 5).

The following sections cover the first two methods.

You can also use SMS to deploy service packs. This process is discussed in service pack deployment guides available from Microsoft's Web site.

The new Corporate Windows Update tool provides a way for administrators to host their own Windows Updates servers, control which updates are available to users, and even automatically deploy them. For more information, see http://corporate.windowsupdate.microsoft.com.

Real World

Service Packs in Windows NT

Windows NT does not handle service packs optimally. Whenever you change or install an operating system feature that requires files from the original Windows NT installation CD, you then have to reinstall the most recent service pack and any post-service pack hot fixes (such as the Windows NT 4 post-Service Pack 6a security rollup).

Activities that require a service pack reinstall include the following:

  • Adding more components such as a DNS server, DHCP server, or IIS.
  • Installing an application that installs older components.
  • Performing an emergency repair operation.
  • Restoring from a backup tape made before the latest service pack was applied.

In Windows XP and Windows 2000, once you apply a service pack, there is no need to reapply it, in most cases. You'll still need to reapply a service pack if you perform an emergency repair, unless you installed Windows from a network share or media that is integrated with the service pack, as described later in this chapter.

Manually Installing Service Packs

The simplest way to install a Windows service pack is to use Windows Update to download and install the service pack (you probably don't need help with this).

You can also download service packs to a network share so that users or administrators can install from the network share. If you decide to use this approach, consider using command-line switches to exert additional control over the update process. The switches discussed in Table 25-4 work for Windows 2000 service packs and should work on Windows XP service packs as well (if you have trouble, consult the service pack documentation on Microsoft's Web site).

Table 25-4. Service pack command-line switches

Command-Line Switch    Action
-u                     Runs the service pack update in unattended mode
-f                     Forces any open applications to close after applying the service pack before restarting the computer
-n                     Disables the backing up of files, eliminating the ability to uninstall the service pack
-o                     Overwrites OEM setup files without prompting
-z                     Disables the automatic restarting of the computer after the completion of setup
-q                     Runs the service pack in quiet mode with no user interaction required
-s:[folder name]       Applies the service pack to a Windows install point so that future installations have the service pack preapplied
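
An install script built from the switches in Table 25-4, added here as an illustration and not taken from the book. The share path \\SERVER\Dist\W2KSP3, the log file location, and the position of Update.exe under i386\Update are assumptions; the chapter does not document Update.exe exit codes, so the script only records the value.

```bat
@echo off
rem Added example: unattended service pack install from a network share.
rem SP_SHARE and LOG are placeholders; point them at your own
rem software distribution point and log location.
setlocal
set SP_SHARE=\\SERVER\Dist\W2KSP3
set SP_EXE=%SP_SHARE%\i386\Update\Update.exe
set LOG=%SystemRoot%\Temp\spinstall.log

rem Stop early if the share or the extracted service pack is unreachable.
if not exist "%SP_EXE%" (
    echo %DATE% %TIME% %COMPUTERNAME% Update.exe not found: %SP_EXE% >> "%LOG%"
    exit /b 1
)

rem -u  unattended mode
rem -z  no automatic restart, so the reboot can be scheduled
rem -n is deliberately left out: it disables the file backup and with it
rem    the ability to uninstall the service pack if it causes problems.
rem -f is left out as well, so open applications are not forced to close.
echo %DATE% %TIME% %COMPUTERNAME% starting %SP_EXE% -u -z >> "%LOG%"
start /wait "" "%SP_EXE%" -u -z
set RC=%ERRORLEVEL%

rem Record the result so a failed or skipped install is visible later.
echo %DATE% %TIME% %COMPUTERNAME% Update.exe exit code %RC% >> "%LOG%"
exit /b %RC%
```

Because -z suppresses the restart, the service pack is not fully in effect until the computer is rebooted.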

Deploying Service Packs Using Group Policy

One efficient way of deploying service packs is to use the Software Installation and Maintenance feature of Group Policy. There are two ways of doing this. You can assign a service pack to computers so that the service pack is automatically installed at the next reboot, or you can publish the service pack so that users can optionally install it using Add/Remove Programs.

To deploy a service pack using Group Policy, use the following procedure:

  1. Create a folder in the software distribution point (see the section entitled Creating a Software Distribution Point earlier in this chapter) for the service pack.
  2. Extract the service pack files to the software distribution point. For example, to extract Windows 2000 Service Pack 3, open a command prompt, switch to the folder storing the service pack, and then type the following command: w2ksp3.exe -x. When prompted, enter the path to the folder you created on the software distribution point.
  3. If you want to publish the service pack to users so that they can optionally install it, create a .ZAP file pointing to the Update.exe file in the software distribution point.
  4. Optionally, create a new Group Policy object (GPO) for the service pack update.
  5. Open the desired GPO and in the console tree, select Computer Configuration (or User Configuration if you're publishing the service pack using a .ZAP file), then Software Installation.
  6. From the Action menu, choose New, and then choose Package from the submenu.
  7. Browse to the service pack folder on the software distribution point, open the i386\Update folder, select Update.msi (or the .ZAP file you created), and click Open. Note that you should use the My Network Places icon to navigate to your package, ensuring that Group Policy learns the network path instead of a local file path.
  8. Select Assigned in the Deploy Software dialog box, and click OK (choose Publish if you're publishing the service pack using a .ZAP file).

You will see the Deploy Software dialog box only if you selected the Display The Deploy Software Dialog Box option in the Software Installation Properties dialog box, as described in the section entitled Setting Software Installation Options earlier in this chapter.

You can also use Group Policy to deploy security patches and hot fixes, although doing so requires repackaging the patches using WinInstall LE. See Microsoft Knowledge Base Article Q314273 for more information.

Checking Service Pack and Hot Fix Installations

Microsoft provides a graphic tool and three command-line tools to verify the existence of service packs, security patches, and hot fixes. These tools—Microsoft Baseline Security Analyzer, Hfnetchk.exe, Qfecheck.exe, and Spcheck.exe—are described in the following sections.

Using Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer is a powerful tool that can check the security settings of multiple computers. As such, it's the first tool to use when verifying the security status of computers on your network.

To use the Microsoft Baseline Security Analyzer, use the following steps:

  1. Download and install the program from the Microsoft Security Web site (http://www.microsoft.com/security).
  2. Launch the program from the Start menu or the desktop.
  3. Click the Scan A Computer hyperlink to scan a single computer, or click the Scan More Than One Computer link to scan multiple computers.
  4. Specify the IP address or address range of the computer or computers, specify what you want to look for, and click Start Scan.
  5. Review the results, clicking links as appropriate to view more detailed information.

Using Hfnetchk.exe to Determine Which Hot Fixes Are Needed

Hfnetchk.exe is a command-line tool that queries either a local computer or a computer on the network and determines which hot fixes or security patches each computer is missing. The tool connects to the Internet, downloads the latest list of patches, and compares this list to the patches installed on the specified computer.

To install Hfnetchk.exe, download it as described in Microsoft Knowledge Base Article Q303215.

To run Hfnetchk.exe, open a command prompt window, navigate to the folder to which you installed Hfnetchk.exe and then type hfnetchk.exe followed by any desired parameters. A few parameters are described in Table 25-5; for a full listing, type hfnetchk -?.

Table 25-5. A partial listing of Hfnetchk.exe parameters

Parameter    Function
-v           Specifies verbose output, which provides extra detail.
-h           Specifies the NetBIOS host name of the computer to scan.
-i           Specifies the IP address of the host to scan.
-d           Specifies the domain to scan. All computers in the domain will be scanned.
-b           Performs a baseline security scan, which leaves out noncrucial hot fixes.
-f           Specifies that the output should be saved to the specified text file.

To scan network computers, the computers must have NetBIOS Over TCP/IP enabled and the Server service and the Remote Registry service must be running.

Using Qfecheck.exe to Check Installed Hot Fixes

The Qfecheck.exe program allows you to scan the local computer for installed hot fixes. To install Qfecheck.exe, download it as described in Microsoft Knowledge Base Article Q2782784.

Once installed (the program installs like a hot fix), the command is available from any command prompt window; simply type qfecheck.exe along with the appropriate parameter (type qfecheck /? for a complete listing of parameters).

Using Spcheck.exe to Check Service Pack Files

The Spcheck.exe tool scans the local computer and reports the service pack level of key system files. To install Spcheck.exe, download it as described in Microsoft Knowledge Base Article Q279631. Once installed, run Spcheck.exe from the folder in which you installed the program. This creates a report file (in the same folder) that you can open and read in Notepad or another text editor.



Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
Year: 2003
Pages: 320
