Windows Server 2003 Configure Software Updates on Earlier Operating Systems

Sun, 23 Nov 2008 22:02:05 EST

Configure Software Updates on Earlier Operating Systems:
For earlier Windows operating systems, Group Policy will not be effective. For Windows NT, Microsoft recommends using the System Policy editor. For all down level, clients use registry edits. Use these edits with caution because they can cause serious problems on a machine. The registry settings are stored in HKLM\Software\Policies\ Microsoft\Windows\WindowsUpdate\AU.

Entry Name Value Range and MeaningsData Type
NoAutoUpdateRange = 0|1
0 = Automatic Updates is enabled (default), 1 = Automatic Updates is disabled.Reg_DWORD
AUOptionsRange = 2|3|4
2 = notify of download and installation, 3 = automatically download and notify of installation, 4 = automatic download and scheduled installation. All options notify the local administrator.Reg_DWORD
ScheduledInstallTimeRange = n; where n = the time of day in 24-hour format (0-23).Reg_DWORD
UseWUServerSet this to 1 to enable Automatic Updates to use the Windows Update server as specified in WUServer.Reg_DWORD
ScheduledInstallDayRange = 0|1|2|3|4|5|6|7
0 = every day; 1 through 7 = the days of the week from Sunday (1) to Saturday (7).Reg_DWORD
RescheduleWaitTimeRange = n; where n = time in minutes (1-60).Reg_DWORD
NoAutoRebootWithLoggedOnUsers0 to 1; set this value to 1 if you want logged on users to choose whether or not to reboot their system.Reg_DWORD To specify the server running SUS that you want your clients and servers to connect to for their Windows updates, you need to add two entries to the registry in the subkey HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate. For the required entries,

Entry NameValuesData Type
WUServer The HTTP name for the Windows Update intranet server (for example, http://intranetsus).Reg_SZ
WUStatusServerThe HTTP name for the Windows Update intranet server (for example, http://intranetsus).Reg_SZ

Pop Quiz Questions
1. What two steps are needed to install Software Update Services on a Windows Server 2003?
2. What is the Security.inf template used for on a Windows Server 2003?
3. Where are the client SUS files for Windows 2000 client machine?
4. What is the WUServer registry key used for on older Window client machines?
5. Does a local or group policy setting take precedence on a Windows Server 2003?

Pop Quiz Answers:
1. Download the software from the Microsoft site and then run the update configuration.
2. The Security.inf template represents the default security settings applied during installation of the operating system, including the file permissions for the root of the system drive.
3. Client components for SUS are contained in Windows 2000 SP3 as an msi file. This holds true as well for Windows XP SP 1, and in all Windows 2003 installations.
4. WUServer is used to enable Automatic Updates on the client server. Set the key to 1 to allow the client to use the Windows Update server for updates.
5. Group Policy settings always take precedence over local settings.

Monitor Network Protocol Security:
For this Microsoft exam, there are two main areas of monitoring that you need to be familiar with: IPSec and Kerberos authentication. The IPSec snap-in for MMC provides a complete monitoring tool for IPSec issues, while for Kerberos authentication, there are numerous tools. First, we will look at the IPSec Monitor.

The IP Security Monitor Microsoft Management Console (MMC) Snap-in:
The IPSec Monitor snap-in for MMC provides extensive monitoring and troubleshooting capabilities for the network administrator. You can view details about the IPSec process, and also examine IPSec policies in effect both locally and in the domain.
The first node, Active Policy, shows information relating to the active IPSec policy currently in effect. The other nodes allow for advanced troubleshooting of the IPSec process.

Kerberos Support Tools: Auditing logon events and viewing with Event Viewer can provide some insight into Kerberos issues. The Microsoft Windows 2000 Resource Kit provided a troubleshooting tool, kerbtray.exe. Kerbtray allows you to see the ticket-granting process, and is also considered an advanced tool for network support.

Troubleshoot Network Protocol Security:Troubleshooting in this area can be extensive, but for this discussion, we will only look at two tools: Event Viewer and Network Monitor.
Event Viewer
Event Viewer is one of the best-known tools in Microsoft's Administrative Tools folder. For troubleshooting network protocol security, this centers on the configuration of auditing, and the subsequent examination of the security log. As we noted above, auditing account logon events can give us information about Kerberos issues. For Kerberos-related troubleshooting, some of the more common problems are Event 672-Authentication service ticket successful, Event 673-A ticket granting service ticket was granted, Event 675-Pre-authentication failed; user typed in wrong password and Event 678-An account was successfully mapped to a domain account. If the server is running RRAS and is being used as a remote access server, then auditing can be used to troubleshoot access issues.

Network Monitor:Network Monitor is a very advanced tool, as is any packet analysis utility. Captured traffic can be analyzed for a wide variety of purposes. Even Microsoft concedes that most administrators will need to send packet captures to an expert for analysis.

TRCB.com RSS Feed

Windows Server 2003 Configure Software Updates on Earlier Operating Systems