• Install WSUS SP1 with WMSDE

    Prerequisite:

    Download the following components first:

    1.      WSUS SP1 (WSUS2-KB919004-x86.exe):

    http://www.microsoft.com/windowsserversystem/updateservices/
    downloads/WSUSSP1.mspx

    Save it on WSUS server.

    2.      Please download Windows Server Update Services API Samples and Tools from

    http://www.microsoft.com/windowsserversystem/updateservices/
    downloads/default.mspx

    Install it on the WSUS server. It contains a migration tool, which is very helpful for WSUS backup/restore.


    Back up the existing WSUS:

    Before installing WSUS SP1, we should keep the WSUS content folder, which contains all the update executables that have been downloaded, and back up the original SUSDB. With these two parts we can restore the original WSUS if anything unexpected happens while installing SP1.

    You may refer to the link below for backing up WSUS.

    http://technet2.microsoft.com/WindowsServer/en/Library/c0f1a661-eb48-4156-81a2-267d846f844f1033.mspx

    1.      Back up the WSUS database

    1.)   Stop the services (in cmd.exe, commands are chained with && rather than a semicolon):

    CMD: net stop wsusservice && net stop w3svc

    2.)   Back up the existing SUSDB

    CMD: osql -E -S %computername%\WSUS -Q "BACKUP DATABASE SUSDB TO DISK='C:\SUSDBRTM.BAK' WITH INIT, STATS=10"

    SUSDBRTM.BAK can serve as a restore source if a restore becomes necessary.

    3.)   Copy the database file:

    CMD: net stop MSSQL$WSUS

    Under \WSUS\MSSQL$WSUS\Data, copy SUSDB.mdf and SUSDB_log.LDF to a safe place. These two files can be another restore source if a restore is necessary.

    4.)   Start the services again (the WMSDE instance must be started, not stopped, before WSUS and IIS come back up):

    CMD: net start MSSQL$WSUS && net start wsusservice && net start w3svc

    5.)   Under C:\Program Files\Update Services API Samples and Tools\WsusMigrate\WsusMigrationExport

    CMD: WsusMigrationExport.exe WSUS.XML

    The generated WSUS.XML is useful in some migration/restore scenarios.

    2.      Back up the downloaded update files

    Just keep the WSUS content folder, \WSUS\WsusContent.
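    As an added example (not part of the original tip), the backup steps above collected into one batch file. The drive letters, the data and content folder paths and D:\WSUSBackup are assumptions; adjust them to your server.

```batch
@echo off
setlocal
REM Added example, not from the original page: runs the WSUS backup steps in one go.
REM Assumed locations (adjust to your server): the WMSDE data directory, the WSUS
REM content folder and the migration tool folder; D:\WSUSBackup is a constructed target.
set "BACKUPDIR=D:\WSUSBackup"
set "DATADIR=C:\WSUS\MSSQL$WSUS\Data"
set "CONTENTDIR=C:\WSUS\WsusContent"
set "TOOLDIR=C:\Program Files\Update Services API Samples and Tools\WsusMigrate\WsusMigrationExport"

if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"

REM 1) Stop WSUS and IIS so nothing writes to SUSDB during the backup.
net stop wsusservice
net stop w3svc

REM 2) Online backup of SUSDB (osql -b returns a non-zero errorlevel on SQL errors).
osql -E -b -S %computername%\WSUS -Q "BACKUP DATABASE SUSDB TO DISK='%BACKUPDIR%\SUSDBRTM.BAK' WITH INIT, STATS=10"
if errorlevel 1 goto :fail

REM 3) Stop the WMSDE instance and take a file-level copy of the database files as a second restore source.
net stop MSSQL$WSUS
copy /Y "%DATADIR%\SUSDB.mdf" "%BACKUPDIR%\" || goto :fail
copy /Y "%DATADIR%\SUSDB_log.LDF" "%BACKUPDIR%\" || goto :fail

REM 4) Bring the instance and the WSUS services back up.
net start MSSQL$WSUS
net start wsusservice
net start w3svc

REM 5) Export the WSUS configuration with the migration tool and keep the XML with the backup.
pushd "%TOOLDIR%"
WsusMigrationExport.exe WSUS.XML
move /Y WSUS.XML "%BACKUPDIR%\"
popd

REM Keep a copy of the downloaded update content as well.
xcopy "%CONTENTDIR%" "%BACKUPDIR%\WsusContent\" /E /I /H /Y >nul

echo Backup written to %BACKUPDIR%
exit /b 0

:fail
echo Backup failed; restarting services without completing the backup.
net start MSSQL$WSUS
net start wsusservice
net start w3svc
exit /b 1
```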


    Install WSUS SP1 with WMSDE

    WSUS SP1 can be installed as a fresh installation or applied directly over WSUS RTM. After installation, the version shown on the WSUS admin page changes from 2.0.0.2472 to 2.0.0.2620.

    Run the following query against SUSDB; the returned BuildNumber should be 3790.2620:

    osql -E -S %computername%\WSUS -Q "USE SUSDB select * from dbo.tbSchemaVersion"

    WSUS clients are not affected during the SP1 installation. Afterwards, the client WUA self-updates from 5.8.0.2469 to 5.8.0.2607 (file version of %windir%\system32\wuaueng.dll).

    Run WSUS2-KB919004-x86.exe on the existing WSUS server and go through the steps in the installation wizard. Confirm that SP1 can be installed in this way.

    -End- 

    Author: Alex Lv

  • Configuring a Highly Available Print Server Cluster

    Summary:

    This guide provides step-by-step instructions for creating and configuring a highly available print server on Microsoft Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition operating systems. These print servers use a typical, single quorum device, multi-node server cluster that uses a shared disk.

    A server cluster is a group of independent servers working collectively and running the Microsoft Cluster Service (MSCS). Server clusters provide high availability, failback, scalability, and manageability for resources and applications. Using server clusters allows clients’ access to applications and resources in the event of failures and planned outages. If one of the servers in the cluster is unavailable because of a failure or maintenance requirement, resources and applications move to other available cluster nodes. Using server clusters does not guarantee non-stop operation, but does provide sufficient availability for most mission-critical applications. The cluster service can monitor applications and resources designed to work in a clustered environment and automatically recognizes and recovers from many failure conditions. This provides flexibility in managing the workload within a cluster. It also improves overall system availability.

    Included in This Document

    • Requirements for Server Cluster Configuration

    • Configuring a Print Server on a Cluster

    • Scalability and Consolidation

    • Architecture

    • Troubleshooting

    Download link: http://download.microsoft.com/download/2/a/9/2a9c5a6b-472a-40b0-942f-3ba50240ccd9/ConfiguringAHighlyAvailablePrintServer.doc

    Best practice for configuring a print cluster:

    1. Use Windows built-in print driver.

    2. Use the standard TCP/IP port.

    3. Do not use level-2 (NT 4.0 version, kernel mode driver) printer driver.

    4. Periodically back up the printer drivers with the Print Migrator tool against the virtual server so the drivers can be easily restored in case of a disaster.

    -End- 

    Author: Alan Zhao

  • Desktop lockdown in a domain or non-domain environment

    Locking down desktops is becoming more and more prevalent in today’s corporate environment.  Malware, viruses and malicious users are putting pressure on IT staff to remove users from the local Administrators group and lock down systems.  For this to be successful, administrators need a delivery mechanism to install software and hot fixes on users' machines. Here are some of our experiences with locking down desktops as a very important step in securing your infrastructure. Specifically, we focused on locking down desktops via Group Policy and how to leverage that in an Active Directory environment.

    In many corporate environments, users are required to install their own software and patches.  While this may reduce the load on IT staff, the ability of users to download applications off the ‘net, including viruses, malware and other suspect software, will increase the load.  Certifying software for use, locking down desktops and automating software installation and patch management shifts the role of the IT staff; however, the load should remain the same.  With a proper infrastructure in place you can reduce the workload on the IT department by implementing such a scheme.  Applications such as WSUS and SMS make it easier for IT staff to implement and manage this.

    It sounds like a lot of work. We can use group policy as a starting point. What can we set with group policy? To lock down desktops, we can focus on the following policies or settings:

    • Access control lists (ACLs)

    • Corporate policy

    • User rights

    • Restricted groups

    • Software restrictions

    • Security templates

    • Administrative templates

    For instance, you can restrict what software users can run on the server by using Software Restriction Policies:

    Using Software Restriction Policies to Protect Against Unauthorized Software

    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

    Outlined below is a list of some common policies used to lock down desktops:

    Top policies

    For users

    Obvious / important ones:

    – Folder redirection
    – Screen saver password
    – Removing My Documents properties

    Not so obvious ones:

    – Restrict Windows components
    – Restrict control panel
    – Standardize OS "Look and Feel" settings
    – Locking down the Attachment Manager
    – Force the execution of antivirus programs
    – Internet Explorer
    – Microsoft Office administrative templates

    For computers

    Obvious / important ones:

    – NTLM authentication
    – Disable guest account
    – Last user name

    Not so obvious ones:

    – Disable default shares (careful!)
    – Rename Admin account
    – Restrict access from the network
    – Wait for Network at Startup and Logon
    – Restrict anonymous (removing them from Everyone)
    – Disable anonymous enumeration of SAM accounts and shares
    – Deploy security templates (registry and file ACLs)
    – Use restricted groups
    – Control Windows firewall
    – Control wireless network adapters
    – Disable removable devices


    In a non-domain environment, you can download the beta Shared Computer Toolkit and get powerful new software tools for shared computers in classrooms, school computer labs, libraries, and public places. It’s designed to help you lock down and support computers that are running as shared resources:

    Lock Down Desktops without GP

    http://blogs.technet.com/mitpro/archive/2005/06/29/407058.aspx

    Since Terminal Servers (or Citrix servers) are usually a shared desktop for your users, it makes sense to include Terminal Server in your desktop lockdown plan. For more information on how to lock down Terminal Server sessions, see the following articles:

    278295          How to lock down a Windows Server 2003 or Windows 2000 Terminal Server session

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;278295

    Locking Down Windows Server 2003 Terminal Server Sessions

    http://www.microsoft.com/downloads/details.aspx?FamilyID=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en

    -End- 

    Author: Pearson Peng

  • DFS namespace permissions

    This is a common topic in the DFS_FRS field. Customers often describe how some users are unexpectedly denied access to targets in the namespace while other users can access the targets without problems. Customers also ask whether there are DFS permissions somewhere that must be adjusted. The answer is that DFS clients will respect the combination of NTFS and share permissions set on the particular target the client is trying to access.

    Inconsistent access is often caused by the following configurations:

    • For a given target, the NTFS and share permissions are in conflict, with one prohibiting access and the other allowing access.

    • For a folder with multiple targets, NTFS and share permissions aren’t set identically on all targets, so users have different access experiences depending on which target they access.

    • A combination of the previous two bullets can compound the problem.

    So if your customers have unexpected access problems, check the share and NTFS permissions for all targets as described above. Also, when setting NTFS permissions, always use the path of the physical folder (\\servername\sharename) instead of navigating through the DFS namespace to set permissions. This is especially important when you have multiple folder targets for a given folder. Setting permissions on a folder by using its DFS path can cause the folder to inherit permissions from its parent folder in the namespace.

    In addition, if there are multiple folder targets, only one of them gets its permissions updated when you use the DFS path. KB article 842604 also covers this recommendation.

    And finally, for any admin out there whose users are running Office 2000 against a domain-based namespace, the symptom might look permissions-related because of the inconsistent access problems when, in fact, the cause was something else entirely. See articles 272230 and 294687 for details.

    -End- 

    Author: Jacky Liu

  • Easy ways to query hot fix information

    Summary

    Many customers request information on querying hot fix information. They need a report on which hot fixes have been installed and which hot fixes are missing. This article explains several ways to find this information.

    1.    Go to Windows Update Online.

    If the computer is connected to the Internet, you can go to Windows Update Online at
    http://windowsupdate.microsoft.com. After scanning your system, the website will tell you what hot fixes you do not have.

    2.    In the %windir%, you can find a number of log files with names beginning with “KB” and followed by six digits, e.g. KB870764.log, KBxxxxxxUninst.log.

    KBxxxxxx.log – Contains installation information for the hot fix. If this file exists and there are no errors in the log, then the hot fix named in the file name has been installed.

    KBxxxxxxuninst.log – Contains uninstallation information for this hot fix. If this file exists and there are no errors in the log, then hot fix KBxxxxxx has been uninstalled from your system.

    In addition, you also can find uninstall folders of the hotfix in %windir% (with names like $NtUninstallKBxxxxxx$) and %windir%\$hf_mig$ (with names like KBxxxxxx). Generally you can uninstall the hot fix from that folder by running spuninst.exe.

    3.    Cmd /c wmic QFE LIST > c:\hotfix.txt
    This command uses the WMI interface to list information on all installed hot fixes for the system.

    4.    QFECHECK (Q282784)
    Qfecheck.exe is a command-line tool that allows network administrators to track and verify installed Windows 2000 and Windows XP hot fixes.

    5.    MBSA tool (Recommended).
    MBSA can detect common administrative vulnerabilities and missing security updates on your computer. Any update published on Microsoft Update as a security update, update rollup, or service pack can be scanned for. It also supports offline scanning (as long as you have a local wsusscan.cab) and remote scans, and it generates a report upon completion.

    Note: You can use this tool to check security-related update information.

    Microsoft Baseline Security Analyzer 2.0:
    http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx

    6.    Use the WUA API (Recommended).
    The Windows Update Agent (WUA) API is a set of COM interfaces that enable system administrators and programmers to access Windows Update and Windows Server Update Services (WSUS). Scripts and programs can be written to examine which updates are currently available for a computer, and from there you can install or uninstall updates.

    It also supports offline scans (as long as you have a local wsusscan.cab) and remote scans, and it generates a report upon completion.

    You can find a useful script for detecting which hot fixes are missing in the article below:
    Using WUA to Scan for Updates Offline
    http://msdn.microsoft.com/library/en-us/wua_sdk/wua/using_wua_to_scan_for_updates_offline.asp

    For more information, consult:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wua_sdk/wua/portal_client.asp
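    As an added example (not part of the original tip), a batch file that gathers the evidence from items 2 and 3 above for a list of KB numbers: the installation log, the uninstall log, the uninstall folders and the WMI QFE record. KB870764 is taken from the text; KB999999 is a constructed placeholder that should report no evidence.

```batch
@echo off
setlocal enabledelayedexpansion
REM Added example, not from the original page: reports the install evidence for each KB
REM in KBLIST using the artifacts described in items 2 and 3 (logs, uninstall folders, WMI QFE).
REM KB870764 comes from the text; KB999999 is a constructed placeholder.
set "KBLIST=KB870764 KB999999"

for %%K in (%KBLIST%) do (
    set "EVIDENCE="
    if exist "%windir%\%%K.log" set "EVIDENCE=!EVIDENCE! install-log"
    if exist "%windir%\%%KUninst.log" set "EVIDENCE=!EVIDENCE! uninstall-log"
    if exist "%windir%\$NtUninstall%%K$" set "EVIDENCE=!EVIDENCE! uninstall-folder"
    if exist "%windir%\$hf_mig$\%%K" set "EVIDENCE=!EVIDENCE! hf_mig-folder"
    REM WMI QFE lists a hot fix only while it is currently installed.
    wmic qfe where "HotFixID='%%K'" get HotFixID 2>nul | find /i "%%K" >nul && set "EVIDENCE=!EVIDENCE! wmi-qfe"
    if "!EVIDENCE!"=="" (
        echo %%K: no evidence of installation
    ) else (
        echo %%K:!EVIDENCE!
    )
)
```

    An uninstall-log or uninstall-folder hit without a wmi-qfe hit usually means the hot fix was installed and later removed, so check the log for errors before treating the update as present.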


    -End- 

    Author: Dan Ma