I just got an email from Connect saying that the development stage of SP2 for Windows 2003 is nearing its end. I’ve just started documenting the service pack. Already, I’ve got 8 pages on how to install the thing! I’m only getting to what’s in it now, let alone delving into Windows Deployment Services.
Author: AFinn
Vista MCP Exam Beta
Details of the Vista MCP exam are on the Microsoft website. It will be in beta testing from the end of the month until mid-November.
Crikey, I’d just love to get an exam opening this year from either Pearson or Prometric to finally sit 70-296, let alone Vista!
Credit: Bink
Operations Manager 2007 RC1
Microsoft OM 2007 (the successor to MOM 2005) RC1 is now available on the Connect website. Improvements over the beta include:
- Improved install process
- Major usability improvements made to the UI
- Updated Management Packs and new Active Directory MP
- Ability to Gateway
- Certificate manage non-trusted devices
- Support for more deployment topologies including multiple management servers
- Improved stability
You will need to uninstall the beta release to install RC1. As promised, RC1 can be upgraded to RC2 and then to RTM.
SA Expiration and Office 2007
Windows Media Player 11 Released
OK, it’s not really much of an infrastructure story, but things have been slow in the MS world over the last few days. Windows Media Player 11 was released late last night. There’s a 32 and a 64bit edition. For someone like me who just listens to the odd MP3, CD or ESPN broadcast, there’s not much of interest other than a nice new slate grey skin. I’m told that media junkies will appreciate it, especially some new library functions.
I’m preparing to finally sit the 70-296 exam to upgrade my MCSE (about time). I’ve done my brushing up and all I need now is an opening to actually sit the exam … come on Prometric! I’m starting to work on Windows 2003 SP2 beta and Windows Deployment Services. I hope to get a good bit done on that this weekend. It’s looking much bigger than I originally anticipated. Some documentation will appear on here when I’m done. I’ve also started reading Mark Minasi’s (and co) new "Mastering … " book on Windows 2003 SP1 and R2. It’s excellent. The list of contributors is a real who’s-who in the Microsoft Windows world.
Office Genuine Advantage
Betanews is reporting that starting from today, any downloads for Microsoft Office will require you to go through a validation process, regardless of your licensing. Today it appears that only downloading templates is affected. Starting in January, it appears all downloads will be affected.
If your copy is installed with a known stolen license key then you can expect some very bad things to start happening after going through this process.
RIS on VMware: No Boot Filename Received
I’m doing some stuff on VMware at home that requires a Windows 2003 SP1 RIS installation. I set up my test domain with a DC and workstations. I got RIS ready and started up a client in PXE mode only to get this:
PXE-E53: No boot filename received
PXE-M0F: Exiting Intel PXE ROM
Operating System not found
I’ve been working with RIS since 2003 and I thought I’d seen everything. Don’t get me wrong, I think it’s been an excellent but underused part of Windows Server. I used it for 2 years to build PCs on the network that I designed and managed. I googled about for a while and found plenty of people looking for help on this problem without any joy. And then I found a blog entry by a Mark Michaelis that resolved the problem.
I had to add two scope options onto my DHCP server that I’d not seen before:
- 066 Boot Server Host Name: <RIS Server IP Address>
- 067 Bootfile Name: OSchooser\i386\startrom.com
I fired up the client again and everything worked. Thanks Mark!
A quick update:
Note that my RIS server was also my DHCP server. DHCP was previously installed and authorised. This may have caused the above problem. I also had another problem once I had successfully launched the RIS client. The client failed to read configuration data for the RIS service. I unauthorised and reauthorised DHCP and this resolved the problem. RIS worked perfectly after this (and quite quickly too I must add).
Oh, I’ve only had a quick read, but anyone planning on using Windows Deployment Services (the successor to RIS in Windows 2003 SP2 and Longhorn) will need to be familiar with the above two DHCP scope options.
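Added example (not from the original post): a Python check of whether a DHCP reply actually carries a boot server and boot filename, which is what a PXE client looks for before it gives up with "No boot filename received". It reads scope options 066/067, the legacy sname/file header fields and option 52 overload; the sample packets, addresses and function names are constructed for illustration.

```python
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie; options start right after it

def parse_options(buf):
    """Walk a DHCP options area and return {code: raw value bytes}."""
    opts, i = {}, 0
    while i + 1 < len(buf) and buf[i] != 255:   # 255 = End
        if buf[i] == 0:                         # 0 = Pad, no length byte
            i += 1
            continue
        length = buf[i + 1]
        opts[buf[i]] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def text(raw):  # decode a NUL-padded or NUL-terminated ASCII field
    return raw.split(b"\x00")[0].decode("ascii", "replace")

def boot_info(packet):
    """Return (boot_server, boot_file) as a PXE client would read them."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts = parse_options(packet[240:])
    fields = {1: packet[108:236], 2: packet[44:108]}   # legacy file / sname
    overload = (opts.get(52) or b"\x00")[0]     # option 52: those fields hold options
    for bit in (1, 2):
        if overload & bit:
            opts.update(parse_options(fields[bit]))
            fields[bit] = b""
    siaddr = ".".join(str(b) for b in packet[20:24])
    server = text(opts.get(66, b"")) or text(fields[2]) or siaddr
    return server, text(opts.get(67, b"")) or text(fields[1])

def diagnose(packet):
    server, bootfile = boot_info(packet)
    if not bootfile:
        return "No boot filename received"
    return f"client fetches {bootfile} from {server}"

def opt(code, value):
    return bytes([code, len(value)]) + value

def build_offer(options, file_field=b""):  # constructed sample DHCPOFFER, not a capture
    hdr = bytes([2, 1, 6, 0]) + bytes(12) + bytes([192, 168, 1, 50, 192, 168, 1, 10])
    hdr += bytes(20 + 64) + file_field.ljust(128, b"\x00")
    return hdr + MAGIC + options + b"\xff"

BEFORE = build_offer(opt(53, b"\x02"))          # offer without options 066/067
AFTER = build_offer(opt(53, b"\x02") + opt(66, b"192.168.1.10")
                    + opt(67, b"OSchooser\\i386\\startrom.com"))
```

Feeding it the UDP payload of a captured DHCPOFFER shows whether the scope options reached the client, which separates a DHCP configuration gap from a TFTP or RIS service problem.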
Terminal Services, Profiles and ABE
My current client is in the process of deploying a new Windows 2003 Active Directory and a Citrix PS4 environment. Requirements for the Citrix environment are:
- They want to use mandatory profiles (if at all possible).
- They wish to use controlled start menus and desktops.
- They want to install all applications on each server.
- They want to publish the desktop to users via WYSE terminals.
- They want to control access to licensed applications.
- License controls should be done via Domain Global or Domain Local groups.
Hmm.
A well known Citrix expert consultancy firm recommended that they use scripts to build a user’s start menu and desktop based on group membership. Nasty! I like scripts but this would be a pain to own and maintain over time. I first became aware of the Citrix requirements at a progress meeting yesterday. I listened quietly and then I had what was either a brainwave or a brain fart that evolved a bit.
- A single startmenu and desktop would be hosted on a DFS file share (replicated on the LAN).
- Shortcuts for all applications would be installed in the start menu (and desktop as necessary).
- Shortcuts for restricted access programs would be permissioned using a suitably named domain group.
- The program folders for the restricted programs would be secured using the same groups.
- Users logging onto the Citrix servers would get the shared start menu and desktop via redirected folders and loopback group policy processing.
- ABE (Access Based Enumeration) would be installed on the hosting machines and configured for the replica shares.
One of the guys gave this a test and it worked. A user with restricted access only downloaded the shortcuts they should have had access to. I was expecting to see loads of USERENV errors in the application log on the server but there were none. It appears to work really nicely. I’m now wondering if we need ABE in this equation. We’ll see how it goes in future testing.
Internet Explorer 7 Automatic Deployment
Although it’s a great product, many have justification to be worried about the soon (November 1st) automated deployment of IE7. IE7 will be made available via Automatic Updates and the Microsoft updates catalogue (SMS and WSUS). Many are asking how to block this automatic installation.
- If you use automatic updates enabled on your PC then you can block the IE7 installation using a blocker toolkit. Unlike the XP SP2 blocker, there is no timeout or timebomb. You will still be able to manually install IE7 if you wish. There is an ADM file so you can use group policy to control the blocker (reinforce the block setting) and also to remove the block setting if you want.
- Anyone with automatic updates enabled and who does not have local administrative rights will not download nor install the product, regardless of whether the blocker toolkit is installed or not.
- If you maintain control over automatic update approval then you can prevent the installation by choosing to deselect it.
- Anyone using SMS has complete granular control should IE7 appear in the catalogue for the Inventory Tool for Microsoft Updates.
- The WSUS team have revealed that IE7 will download as an Update Rollup. You should choose to maintain manual control over update rollup authorisation (Options – Automatic Approval Options) if you are using WSUS (the current version being V2.0) and do not want to automatically deploy IE7. You can choose to decline the update when it appears.
Microsoft Update: Wireless Fix
Microsoft released a security patch or "security upgrade" for Windows XP SP2 machines with wireless NICs:
- WPA2 can be configured using group policy.
- A wireless computer can be configured not to broadcast the networks it wishes to connect to.
- A vulnerability for "parked" or disconnected wireless clients has been resolved.
- You must now manually choose to join an ad-hoc network instead of being automatically joined.
Make sure you test the update before deploying.
Credit goes to Michael Kassner for the alert.