Kevin Remde's IT Pro Weblog
Here is the promised “Best of” Q&A from the webcast I delivered yesterday (Aug 24, 2005) on Windows Server 2003 System Administration (Part 2 of 2).
A huge THANK YOU to Harold Wong and Kelley DuBois for handling the Q&A. They get most of the credit for these awesome answers.
“The website for MBSA says that it is designed for small to medium sized business. Is there a reason it's not for large?”
It's a question of scale. If you have over 2000 nodes, you want to move to a higher-end management system like SMS that will scale out to support networks of that size.
“Can you scan for a list of servers in a text file?”
Not in the GUI. You can, however, use the command-line version that is installed with it, MBSACLI.EXE, which lets you script scans of a list of machines.
“I can't find an article at this moment, but it is mbsacli.exe /listfile targets.txt - you can check it by querying mbsacli.exe with /? parameter”
YES! Using the command line you can script it. See http://www.microsoft.com/technet/Security/tools/mbsa1/scripts.mspx
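A sketch of the scripted list-file scan discussed above, as an added example that is not from the webcast or from Microsoft's scripts page. The install path in `$MbsaCli`, the file name, the sample hosts and the helper name `Get-CleanTargetList` are assumptions; the only mbsacli option used is the `/listfile` switch quoted in the question.

```powershell
# Added example: clean a target list, then hand it to mbsacli /listfile.
# Assumed install path; adjust to where MBSA is installed on your machine.
$MbsaCli = 'C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe'

function Get-CleanTargetList {
    # Returns unique, well-formed host names / IPv4 addresses, one per entry.
    param([string[]]$Lines)
    $seen = @{}
    foreach ($line in $Lines) {
        $name = $line.Trim()
        if ($name -eq '') { continue }
        # Only host name, FQDN or IPv4 characters; anything else (spaces,
        # slashes, quotes) is dropped so the file holds nothing but targets.
        if ($name -notmatch '^[A-Za-z0-9]([A-Za-z0-9.\-]{0,253}[A-Za-z0-9])?$') {
            Write-Warning "Skipping malformed entry: '$name'"
            continue
        }
        $key = $name.ToLowerInvariant()
        if (-not $seen.ContainsKey($key)) { $seen[$key] = $true; $name }
    }
}

# Constructed sample input: a duplicate, a blank line and a malformed entry.
$sample = @('SRV-FILE01', ' srv-file01 ', '', '10.0.0.15',
            'bad name /x', 'srv-sql02.corp.example')

$targets = @(Get-CleanTargetList -Lines $sample)
Set-Content -Path .\targets.txt -Value $targets -Encoding ASCII
"Wrote $($targets.Count) targets to targets.txt"

if (Test-Path $MbsaCli) {
    & $MbsaCli /listfile .\targets.txt
    "mbsacli exit code: $LASTEXITCODE"
} else {
    Write-Warning "mbsacli.exe not found at $MbsaCli; targets.txt written only"
}
```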
“Any areas/uses in which MBSA beats 3rd party security scanners like Retina or XSpider?”
We cannot comment on the efficiency of third-party scan tools. MBSA is offered as a free resource for our customers. If budget is less of a consideration for you, we would encourage you to compare third-party solutions and, based on cost and feature sets, select the solution that does what you want it to do.
“WSUS work like GPs?”
No, the difference is that WSUS enables IT administrators to deploy the latest Microsoft product updates to Microsoft Windows Server 2000, Windows Server 2003, and Windows XP operating systems. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network. Policies, on the other hand, allow for settings to be applied to all machines, and for those that are part of a domain, an administrator can use the application of Group Policy objects to set policies that apply across a given site, domain, or organizational units (OUs) in the Active Directory® directory service.
“Any timelines for when WSUS scanning technology will be able to detect and deploy to apps like Visual Studio 2003, ISA Server, PowerPoint Producer, etc? KB 895660 details where WSUS technology is lacking. http://support.microsoft.com/?scid=kb;en-us;895660”
The dev team is working to expand the functionality of WSUS in new and appropriate ways. We have no public timeframe for a new release or update of the current system.
“Does MOM have the capabilities to handle Updates?”
Use MOM to monitor and report on your network. Use SMS to deploy updates. See http://www.microsoft.com/mom/evaluation/faqs/default.mspx#ECAAA
“What build of WSUS is he using?”
Using the most recent downloadable version – WSUS 1.0
“Does a computer (standalone) have to be joined to a domain to be under a WSUS servers control?”
No, the machines are never under the control of the WSUS server. Rather, the clients configured to use WSUS pull updates from the server at the scheduled interval. Configure your non-domain machines in the local security policy to point to your WSUS server.
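For a workgroup machine, the pointer to the WSUS server ends up as policy values in the registry, which the Windows Update client reads. The following added example (not from the webcast) sets those values and then audits them; the server URL is a placeholder, the function names `Set-WsusClient` and `Test-WsusClient` are hypothetical, and it assumes an elevated PowerShell session on the client.

```powershell
# Added example: point a non-domain client at WSUS and verify the result.
$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU = "$WU\AU"

function Set-WsusClient {
    param([Parameter(Mandatory = $true)][string]$ServerUrl)
    # Create keys only if missing: New-Item -Force on an existing
    # registry key would wipe the values already stored in it.
    foreach ($key in $WU, $AU) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        New-ItemProperty -Path $WU -Name $name -Value $ServerUrl `
            -PropertyType String -Force | Out-Null
    }
    New-ItemProperty -Path $AU -Name UseWUServer -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

function Test-WsusClient {
    # Returns 'OK' or a list of findings about the client-side settings.
    $wuKey = Get-ItemProperty -Path $WU -ErrorAction SilentlyContinue
    $auKey = Get-ItemProperty -Path $AU -ErrorAction SilentlyContinue
    if (-not $wuKey -or -not $wuKey.WUServer) {
        return 'WUServer is not set: client is not pointed at a WSUS server'
    }
    $findings = @()
    if (-not $auKey -or $auKey.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the WUServer value is ignored'
    }
    if ($wuKey.WUStatusServer -ne $wuKey.WUServer) {
        $findings += 'WUStatusServer does not match WUServer'
    }
    if ($wuKey.WUServer -notmatch '^https://') {
        $findings += 'WUServer is not HTTPS: traffic to WSUS is unprotected in transit'
    }
    if ($findings.Count -eq 0) { 'OK' } else { $findings }
}

# Placeholder URL; replace with your own WSUS server and port.
Set-WsusClient -ServerUrl 'https://wsus.example.internal:8531'
Test-WsusClient
```

Running `Test-WsusClient` alone on an already configured machine reports the same findings without changing anything.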
“Can the WSUS server update itself?”
Yes. It’s a good idea, though, to make sure that the server is fully updated before WSUS is loaded.
“Do the users' computers have to be logged on as local admins to install updates using WSUS?”
No. See http://www.microsoft.com/downloads/details.aspx?FamilyId=3BA03939-A5A9-407B-A4B0-1290BA5182F8&displaylang=en
“Does SMS do uninstall of applications easily too? For instance weather bug! :)”
Sure can... If you choose Specify a Custom Command Line, on the Custom Command Line page that appears, type the new run command line (which should be the command that is installed on the client and executes the application from the server). Then, if you have created an uninstall script and registered the program with Add/Remove Programs, type the Uninstall key. For more information, see "Setting Up Removal for Client Applications" later in this chapter. When you click Next, the wizard displays the Migration Status page. For more information, see "Analyzing and Migrating Individual Programs" earlier in this chapter.
“Sorry If I missed this, but do all the applications need to be installed on the sms server to create the package? Or is there a package client for creating the packages on another computer?”
Check out http://www.microsoft.com/technet/prodtechnol/sms/sms2003/opsguide/ops_75tj.mspx for details on how to create a package in SMS.
“How much does MOM 2005 cost?”
See http://www.microsoft.com/mom/howtobuy/default.mspx for details. It is in the $500-$1000 range.
“Where can we find those [MOM Management] packs?”
Management packs are provided by the vendor. Microsoft provides a variety of packs for our products, and many third-party vendors have created packs for MOM; in those cases, contact the vendor.
“For instance SQL Server 2000 and BizTalk server 2002 and 2004.”
See the catalog http://www.microsoft.com/management/mma/catalog.aspx
“Does MOM require SMS?”
No, but they go great together.
“So, a MOM+LanDesk combination would work fine?”
I am unfamiliar with that product but if it is a management system—yes.