Posts Tagged ‘SUS’

Tools of the Trade

Saturday, September 18th, 2004

Been keeping myself busy at work with stuff that is reasonably interesting.

OK, first the technical stuff, then the customary ranting.

Windows Update still won't work properly. Yesterday I came across some log entries that seemed to indicate hosts were having trouble finding the SUS server. I went back to my group policy and noticed that I had used the wrong slashes, again, for the windowsupdate server, that we call .. http://windowsupdate
I am a little worried that there might be some host confusion at this name, as it's also the DNS host name of Microsoft's own update servers.
Just in case, I then changed the same to an FQDN.
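A check for the policy mistake described above, as an added example that is not part of the original post: it flags backslashes and single-label host names in the update server URL, then inspects the Automatic Updates policy values on the local client. The function name and sample URLs are hypothetical, and PowerShell is assumed to be available on the machine being checked.

```powershell
# Added example: the registry value names are the standard Automatic Updates
# policy settings; the function name and sample URLs are constructed.
function Test-UpdateServerUrl {
    param([Parameter(Mandatory = $true)][string]$Url)

    $issues = @()
    if ($Url.Contains('\')) {
        $issues += 'contains backslashes; a URL needs forward slashes'
    }
    # Parse a slash-corrected copy so the host check still runs.
    $parsed = $null
    $candidate = $Url.Replace('\', '/')
    if (-not [System.Uri]::TryCreate($candidate, [System.UriKind]::Absolute, [ref]$parsed)) {
        $issues += 'not an absolute URL'
    }
    elseif ($parsed.Scheme -ne 'http' -and $parsed.Scheme -ne 'https') {
        $issues += "unexpected scheme '$($parsed.Scheme)'"
    }
    elseif (-not $parsed.Host.Contains('.')) {
        $issues += "host '$($parsed.Host)' is a single-label name, not an FQDN"
    }
    [pscustomobject]@{
        Url    = $Url
        Ok     = ($issues.Count -eq 0)
        Issues = ($issues -join '; ')
    }
}

# Constructed samples: the two mistakes from the post, then a corrected form.
'http:\\windowsupdate', 'http://windowsupdate', 'http://sus01.corp.example' |
    ForEach-Object { Test-UpdateServerUrl -Url $_ } | Format-List

# On a client, check what Group Policy (or Poledit) actually wrote.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$au  = Get-ItemProperty -Path "$key\AU" -ErrorAction SilentlyContinue
if ($wu) {
    foreach ($name in 'WUServer', 'WUStatusServer') {
        if ($wu.$name) { Test-UpdateServerUrl -Url $wu.$name | Format-List }
        else { "$name is not set" }
    }
    if (-not $au -or $au.UseWUServer -ne 1) {
        'UseWUServer is not 1, so the client ignores WUServer'
    }
}
else {
    'No WindowsUpdate policy key found; client uses the public update service'
}
```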

Anyhow, the reason clients are not able to resolve the NetBIOS name seems to be major problems with the browsing service on the local subnet. Somehow the PDC was not properly updating its browse list, and since the PDC is also the domain master browser, everyone else's list was pretty short. Only computers that had booted that morning were in the list, the rest, like my own, were absent. I am still looking into this, at least how it occurred, using resources like the MS Windows NT Browser White Paper, and a very cool little tool I discovered here, called the NetBIOS Browsing Console (Browcon.exe), written by Brian Schafer and Tim Rains. And of course Browstat.exe. I would have used Browmon if I had the Windows NT4 Resource Kit tools here, but I only have the 2003 version which I downloaded. Also the Windows 2000 Resource Kit TCP/IP Core Networking Guide has a really good appendix on the browsing service.

That kinda pisses me off, because I had expected the Resource Kit tools to be cumulative. Also, Microsoft doesn’t offer the older tool sets for download, or not completely. This is their marketing machine at work, trying to get you to buy the books, which I do, which include the ‘complete set’ of tools, while offering only a subset of the tools for download. Means in future I will have to keep the NT4, 2K, and 2K3 tools all separately on my laptop. I have also discovered that I need to do the same with other tools, like the support tools or deployment tools, because sometimes certain switch functionality, or downlevel support for older environments, is lost in later releases. I remember a similar issue with the old NT4 regedit I think.

Anyhow, I moved about the domain browser role until the problem was fixed. When the domain browser service on the PDC resets, it sends out a DomainAnnouncement datagram to all hosts, and then builds up the list again from hosts sending host announcement messages, and they send these every 12 minutes by default. What I don't understand is why the domain master browser lost so many entries in the list, and why the list wasn't being filled up again. The event logs on hosts didn't give any details about NetBIOS problems. I hope simply restarting the browsing service on the PDC helps to solve this problem in the future!

OK. Rant time.

I am here only 2 weeks, and yet I find enough reasons to have installed the support tools, the Windows deployment tools, the Resource Kit tools, the adminpak, the Office 2000 Resource Kit tools, and various other small tools like the Process Explorer and Browcon.

Now why do I never ever see any other admin doing this? I find these tools indispensable! They are always the first things I am installing on any new PC that I will be using for administrative purposes! Why do other admins never seem to be creating distribution points for Office? Time and time again I see people dicking around with CD keys; it's so unnecessary! Any new server I install gets the support tools and resource kit tools by default, as well as the network monitor components. I build these installations into every unattended install I do, so you don't have to worry about them anymore! Yet I have never ever come across a server installation at a customer's that had this stuff installed on it!

OK.. let's think about this.

Do admins simply not know about what these tools have to offer? I am convinced this is the case, because every time I show them these tools, they are obviously surprised!

So why then do they not know of these tools? Why is it that I do know of them? Because these tools are mentioned time and time again online, on support pages, and Microsoft's support sites, in documentation, etc.

That must mean that most of these admins I meet don't read or browse this kind of material often. Why not?

I come across this material all the time, for 2 reasons:
A. I use these resources in troubleshooting problems that I encounter.
B. I am genuinely interested in the material, so I buy a lot of books on this stuff, read a lot about it online, follow lots of Microsoft blogs, read a lot of TechNet stuff.

Now, I can well imagine most admins not spending their time reading TechNet or MS Press books. Fine. But I cannot imagine them not coming across this stuff when troubleshooting problems.

But perhaps that is the whole point. Often, these admins don't seem to be troubleshooting problems! Like they didn’t even notice the lack of NETLOGON replication on both office domains, or the fact that nothing was up to date with Windows patches.

Now the reason they don't notice these things, at least here, is because their alerting software, in this case Sitescope, doesn't seem to alert them. This is perhaps something I can fix in these last 2 days of me being here.

The second reason is that they are simply not interested enough in their office network to even care to check manually. Their main business is their digital TV channel stuff, for which they have separate domains and subnets, and they are busy with that all day. They have left their office network to decay to the point of being a massive security and functionality hole, and their support person, who has become their de facto sysadmin for the office network, simply doesn't know enough.

Unfortunately, this is a scenario that seems to repeat itself over and over and over, and I come across it at almost every customer I am placed at. No wonder IT is so untrustworthy, with investment like this, or lack thereof, and I am talking mental investment, not even financial, IT environments will never improve in reliability or manageability, and the way IT is practiced will only ever be second rate. God how I long to work for a company that has their shit together in this.

Large businesses using Automatic Updates?? – Never heard of SUS?

Tuesday, August 24th, 2004

Omg. I am continuously perplexed at how corporate IT is run around the world. Here is another hilarious example.

Microsoft started distributing their new Service Pack 2 via Automatic Updates last week, but had to stop short of updating Windows XP Professional PCs, because as it turns out, there are rather a lot of businesses that seem to rely on Automatic Updates.

“When we designed Automatic Updates, we had consumers and small businesses in mind. We have been surprised by the number of enterprises who use Automatic Updates,” said Jon Murchinson, a program manager at Microsoft. (From, read the rest of the article here)

Now while Windows XP Home edition PCs have been receiving SP2, MS has chosen to wait a week for XP Pro, and give admins a chance to block Automatic Updates (via a registry key), until they can prepare and test properly. I mean.. they’ve only had SINCE DECEMBER last year to prepare and test properly!!

Anyway. The reason I am rolling around the floor laughing is that there is no valid reason I can think of that you would want to make your corporate client park dependent on Automatic Updates! It's just a bad idea, and any admin with a fragment of sense should know this. I mean.. admins who use this feature for their client park must somehow have missed the whole discussion about Automatic Updates when XP first came out!

People already expressed their concern back then, that if one relied solely on this mechanism, one risked the chance of a ‘faulty’ patch screwing things up seriously. And god knows this has happened in the past with MS hotfixes, and SP2 is of course the ultimate example.

But because this is of course a totally clear and recognized issue, Microsoft came out with a totally clear and recognized solution: Software Update Services!

Now Software Update Services, better known as SUS, is basically nothing more than a proxy server for Automatic Updates, but it gives you the ability to control the distribution of updates and hotfixes, by letting you authorize patches on the server before they are distributed to your client park. This gives you ample time to test patches and updates before you hit the relevant checkbox.

Now SUS has been around for about as long as Windows XP has, and Microsoft extensively supports its use and implementation, I mean, I can't turn two pages of a Microsoft whitepaper without being reminded about it!

So how come all these stupid businesses are not using it then! For Pete’s sake! I mean, it's a FREE download! It works on Windows Server 2000 and 2003, and uses next to no resources, except perhaps hard disk space if you choose to store patches locally.

The reasons that these companies possibly have for not using SUS may perhaps be perfectly valid reasons, involving resource management, connectivity issues, that kind of thing, even though, if anything, SUS solves more problems than it could cause, if it can cause any problems at all! (??!)

I think the main reason admins have not started using it boils down to two reasons: A. Laziness, B. Ignorance.

Point A: Installing SUS doesn't take 5 minutes. Anyone with half an ounce of IIS knowledge can do it, and if you are going a bit further than your average SUS implementation, and doing a multi-forward-WAN setup or something, then you might have to spend some time thinking through how you're gonna deploy it.

All you need thereafter is some cool Group Policy settings, or, if you are in the stone age and still have an NT4 domain with XP clients, some hand-made registry settings for Poledit.

And that is about it! About a day's work for the average enterprise, and you have completely streamlined your patch-management process! What could be cooler?! Can't be too hard to convince your IT manager to give you the time to do it, considering the benefits!

But point B is trickier.

Like I have said in earlier rants, I am constantly coming across admins that seem to have buried their collective heads in the sand when it comes to IT and the developments in that field. People like that may very well never have heard of SUS, or all the work that MS is actually doing into correcting their security issues of old.

Now personally, I would like to take all these kind of admins out into the parking lot, and shoot them, but that would be rather challenging considering that they seem to be in the majority.

Inept system admins, or IT managers, are the whole reason that worms like Blaster and Sasser are successful, and the reason that despite everything MS or anyone else does for security, and exactly because it is the most used OS on the planet, it will always remain vulnerable, primarily because of human failing.