RIS on VMware: No Boot Filename Received

I’m doing some stuff on VMware at home that requires a Windows 2003 SP1 RIS installation.  I set up my test domain with a DC and workstations.  I got RIS ready and started up a client in PXE mode only to get this:

PXE-E53:  No boot filename received

PXE-M0F: Exiting Intel PXE ROM
Operating System not found

I’ve been working with RIS since 2003 and I thought I’d seen everything.  Don’t get me wrong, I think it’s been an excellent but underused part of Windows Server.  I used it for 2 years to build PC’s on the network that I designed and managed.  I googled about for a while and found plenty of people looking for help on this problem without any joy.  And then I found a blog entry by a Mark Michaelis that resolved the problem.

I had to add two scope options onto my DHCP server that I’d not seen before:

  • 066 Boot Server Host Name: <RIS Server IP Address>
  • 067 Bootfile Name: OSChooser\i386\startrom.com

I fired up the client again and everything worked.  Thanks Mark!

A quick update:

Note that my RIS server was also my DHCP server.  DHCP was previously installed and authorised.  This may have caused the above problem.  I also had another problem once I had successfully launched the RIS client.  The client failed to read configuration data for the RIS service.  I unauthorised and reauthorised DHCP and this resolved the problem.  RIS worked perfectly after this (and quite quickly too I must add).

Oh, I’ve only had a quick read, but anyone planning on using Windows Deployment Services (the successor to RIS in Windows 2003 SP2 and Longhorn) will need to be familiar with the above two DHCP scope options.
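An added example (not from this post or from Mark Michaelis's blog): a small Python parser that reads a DHCP reply the way a PXE ROM does and shows why a reply carrying neither option 067 nor a BOOTP file field ends in PXE-E53. The packets, addresses and function names are constructed for illustration, and it assumes a single DHCP reply with no separate proxyDHCP answer.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie (RFC 2131)

def parse_options(data):
    """Walk the TLV option area and return {code: value bytes}."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:          # 255 = End
        if data[i] == 0:                             # 0 = Pad, no length byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % data[i])
        code, length = data[i], data[i + 1]
        opts[code] = opts.get(code, b"") + data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def boot_info(packet):
    """Return (boot_server, boot_file) as a PXE client would read them."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts = parse_options(packet[240:])
    text = lambda b: b.split(b"\0", 1)[0].decode("ascii", "replace")
    overload = (opts.get(52) or b"\0")[0]   # option 52: header fields carry options
    sname = "" if overload & 2 else text(packet[44:108])
    bfile = "" if overload & 1 else text(packet[108:236])
    siaddr = ".".join(str(b) for b in packet[20:24])
    server = text(opts.get(66, b"")) or sname or (siaddr if siaddr != "0.0.0.0" else "")
    return server, text(opts.get(67, b"")) or bfile

def diagnose(packet):
    server, bfile = boot_info(packet)
    if not bfile:
        return "PXE-E53: no boot filename in reply"
    return "boot %s from %s" % (bfile, server or "<no server given>")

def build_offer(options):
    """Constructed sample: minimal BOOTREPLY carrying {code: bytes} options."""
    fixed = struct.pack("!4BIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0, bytes(4),
                        bytes([192, 168, 1, 50]), bytes(4), bytes(4), bytes(16), b"", b"")
    body = b"".join(bytes([c, len(v)]) + v for c, v in options.items())
    return fixed + MAGIC + body + b"\xff"

# Constructed packets: scope without, then with, options 066/067 (made-up addresses).
BEFORE = build_offer({53: b"\x02"})
AFTER = build_offer({53: b"\x02", 66: b"192.168.1.10",
                     67: b"OSChooser\\i386\\startrom.com"})
print(diagnose(BEFORE), diagnose(AFTER), sep="\n")
```

Feeding it the UDP payload of a captured DHCP offer shows whether the scope options actually reached the client, which separates a DHCP configuration problem from a TFTP or RIS service problem.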

Terminal Services, Profiles and ABE

My current client is in the process of deploying a new Windows 2003 Active Directory and a Citrix PS4 environment.  Requirements for the Citrix environment are:

  • They want to use mandatory profiles (if at all possible).
  • They wish to use controlled start menus and desktops.
  • They want to install all applications on each server.
  • They want to publish the desktop to users via WYSE terminals.
  • They want to control access to licensed applications.
  • License controls should be done via Domain Global or Domain Local groups.

Hmm. 

A well known Citrix expert consultancy firm recommended that they use scripts to build a user’s start menu and desktop based on group membership.  Nasty!  I like scripts but this would be a pain to own and maintain over time.  I first became aware of the Citrix requirements at a progress meeting yesterday.  I listened quietly and then I had what was either a brainwave or a brain fart that evolved a bit.

  • A single startmenu and desktop would be hosted on a DFS file share (replicated on the LAN).
  • Shortcuts for all applications would be installed in the start menu (and desktop as necessary).
  • Shortcuts for restricted access programs would be permissioned using a suitably named domain group.
  • The program folders for the restricted programs would be secured using the same groups.
  • Users logging onto the Citrix servers would get the shared start menu and desktop via redirected folders and loopback group policy processing.
  • ABE (Access Based Enumeration) would be installed on the hosting machines and configured for the replica shares.

One of the guys gave this a test and it worked.  A user with restricted access only downloaded the shortcuts they should have had access to.  I was expecting to see loads of USERENV errors in the application log on the server but there were none.  It appears to work really nicely.  I’m now wondering if we need ABE in this equation.  We’ll see how it goes in future testing.

Internet Explorer 7 Automatic Deployment

Although it’s a great product, many have justification to be worried about the soon (November 1st) automated deployment of IE7.  IE7 will be made available via Automatic Updates and the Microsoft updates catalogue (SMS and WSUS).  Many are asking how to block this automatic installation.

  • If you use automatic updates enabled on your PC then you can block the IE7 installation using a blocker toolkit.  Unlike the XP SP2 blocker, there is no timeout or timebomb.  You will still be able to manually install IE7 if you wish.  There is an ADM file so you can use group policy to control the blocker (reinforce the block setting) and also to remove the block setting if you want.
  • Anyone with automatic updates enabled and who does not have local administrative rights will not download nor install the product, regardless of whether the blocker toolkit is installed or not.
  • If you maintain control over automatic update approval then you can prevent the installation by choosing to deselect it.
  • Anyone using SMS has complete granular control should IE7 appear in the catalogue for the Inventory Tool for Microsoft Updates.
  • The WSUS team have revealed that IE7 will download as an Update Rollup.  You should choose to maintain manual control over update rollup authorisation (Options – Automatic Approval Options) if you are using WSUS (the current version being V2.0) and do not want to automatically deploy IE7.  You can choose to decline the update when it appears.

Microsoft Update: Wireless Fix

Microsoft released a security patch or "security upgrade" for Windows XP SP2 machines with wireless NIC’s:

  • WPA2 can be configured using group policy.
  • A wireless computer can be configured not to broadcast the networks it wishes to connect to.
  • A vulnerability for "parked" or disconnected wireless clients has been resolved.
  • You must now manually choose to join an ad-hoc network instead of being automatically joined.

Make sure you test the update before deploying.

Credit goes to Michael Kassner for the alert.

Windows Defender Debuts

Windows Defender has gone live!  After a very long public beta program, the anticipated anti-spyware solution has been made available for free download to licensed users of Microsoft Windows.  Features include:
 
  • Enhanced performance through a new scanning engine.
  • Streamlined, simplified user interface and alerts.
  • Improved control over programs on your computer using enhanced Software Explorer.
  • Multiple language support with globalization and localization features.
  • Protection technologies for all users, whether or not they have administrator rights on the computer.
  • Support for assistive technology for individuals who have physical or cognitive difficulties, impairments, and disabilities.
  • Support for Microsoft Windows XP Professional x64 Edition.
  • Automatic cleaning according to your settings during regularly scheduled scans.

You’ll see that the MS blurb says it supports x64.  Well, I ran it in beta on x64 and it brought my machine to its knees.  Mark Russinovich reported a similar experience soon after his laptop joined the Microsoft network.  Maybe this has been fixed. *fingers crossed*

I was very impressed with it on x64, especially the Internet Explorer fixing function.  It compared well with other products, sometimes it caught things they didn’t and vice versa.

If you don’t have an anti spyware solution now then this free option might be for you.  Forefront Client Security will include this engine when it goes live (around April next year).  This corporate solution will likely include management from a central console and possibly via Group Policy.  I’m hoping to get on the beta program which has started on a limited basis.

You can see a comparison of the various anti-malware solutions from Microsoft on their website.

One thing I do like about Defender … it uses Automatic Updates to update its definitions.  This will be a bandwidth saver for those who install it on company networks.  It also simplifies your distribution mechanism.  This will make it a viable solution for those who want to run it alongside a cheap or free AV product.

Microsoft SMS 2003 Desired Configuration Monitoring 2.0

A new version (2.0) of the SMS 2003 Desired Configuration Monitoring feature pack has been released.  DCM 2.0 allows administrators to audit servers and desktops to ensure that they comply with approved configurations.  Reports can be generated to identify non-compliant machines.  This new version sports a new user interface for defining models.

Modelling is a key component of Microsoft’s Dynamic Systems Initiative for design, monitoring and control and we will see more and more of this concept, e.g. Capacity Planner, Operations Manager 2007, etc.

SMS 2003 R2: Inventory Tool for Custom Updates

I’ve just finished a white paper on the Inventory Tool for Custom Updates feature pack that is included with SMS 2003 R2.  I also describe how to use the Custom Updates Publishing Tool.

Although many organisations may not be aware or choose not to utilise them, we have many
solutions available for updating Microsoft operating systems and products. Solutions include the
free WSUS 2.0 or 3.0 (currently in beta) or the Inventory Tool for Microsoft Updates feature pack
for SMS 2003.

However, what do you use to maintain the same level of updates for 3rd party products or even
your own in-house implementations? Microsoft sees SMS as a solution for medium to large
organisations. These organisations often have large implementations of 3rd party products and
in-house applications. 3rd party products sometimes have their own deployment mechanisms and
sometimes have no mechanism at all. But medium to large organisations usually have at least
one home-bred application. These are the most difficult to manage because they are often
tweaked on a frequent basis by developers who have little understanding (or care) for how the
updates should be deployed and managed. They just build them and expect them to magically
appear on PC’s, usually at short notice.

This gap between the developer and the system administrator is something Microsoft has started
to recognise. In fact, it was the subject of their keynote speech at TechEd Europe 2005.
Microsoft has responded by developing the Dynamic Systems Initiative. The aim is to resolve these
problems by changing the way we build, deploy and manage applications starting with design in
Visual Studio to management with Microsoft Operations Manager and SMS.

One of the solutions is the Inventory Tool for Custom Updates (ITCU) feature pack that is
included with SMS 2003. By using ITCU you can deploy non-Microsoft updates to applications
on your SMS clients using the software updates functionality of SMS 2003. Microsoft’s aim with
ITCU is to open up their own catalogue solution that third parties can use with the Inventory Tool
for Microsoft Updates in SMS 2003. By itself, the ITCU is supported by Adobe and by Citrix.
There are also some rumblings that 1E will also adopt the usage of ITCU. But, you can use
another tool that is included with SMS 2003 R2 (and via MSDN) called the Custom Updates
Publishing Tool (CUPT) to create your own updates catalogue and import them into SMS 2003.

The document continues …

New Release: Internet Explorer 7

IE 7 is now available for download.  Early last night, Yahoo quietly sneaked out an OEM/rebadged release of the new browser.  During the night, Microsoft released 3 editions of the browser:
 

You can find out about the features and the system requirements on the Microsoft IE web site.

Personally, I find the phishing filter slows down my browsing experience so I disable it (not just turn it off).  I know when someone is trying to get me to divulge my credit card or banking details.  I really like the addition of tabbed browsing (about time) and RSS (which I use a lot).  You’ll find when you start it up that a number of companies (not just the usual search engines) have produced extensions to make their site the default search engine for your browser and that IE7 presents you with this choice.

I’ve been using IE7 during its beta process and I can recommend it.  Do make sure you test against your applications before widespread deployment.  There’s bound to be junkware out there that doesn’t like it.

Microsoft Desktop Optimization Pack for Software Assurance

Starting in January 2007, Microsoft will start to offer a new package, the Desktop Optimization Pack for Software Assurance, for managing the personal computer environment.  It will be available to customers who have purchased Software Assurance with an Open, Select or Enterprise Agreement.  The cost of the pack will be $10/desktop (US).  Microsoft have published a case study from a deployment of this pack at Expedia.  A new product page with further details is on the Microsoft web site.
 
On the face of it, you’ll think… great more costs.  But hold on.  This one is pretty interesting.  What do you get for your money?
 
  • Microsoft SoftGrid: SoftGrid (from the Softricity acquisition) is a super new way of deploying complex application catalogs to the desktop environment.  Using application virtualisation you can separate the application from the desktop’s OS installation and from other applications.  This reduces complexity, eliminates regression testing, resolves compatibility problems and increases security.  Self service user deployment (with workflow/approval) is possible via a web portal which minimises IT involvement in application deployment.  Also, by using streaming, wasted disk space is eliminated.
  • Microsoft Asset Inventory Services: Every application installed on your desktop network can be identified for auditing purposes.  This goes much further than SMS 2003 on SP2 is going because it can identify applications from a database of 430,000 known applications.  It does not just rely on the contents of add/remove programs because as we know, many vendors do not adhere to well accepted standards.
  • Microsoft Advanced Group Policy Management: To quote Microsoft, it "increases control over Group Policy Objects (GPOs) – the component rules within Windows’ administrative management system – and is intended to allow IT administrators to delegate or assign administrative control of specific tasks based on employees’ titles or roles … provides administrators additional safeguards for GPOs, including detailed logs to track all changes and the ability to quickly undo inappropriate changes. These new tools function as a native extension to Microsoft’s Group Policy Management Console, providing a central management interface for all Group Policy administration".
  • Microsoft Diagnostic and Recovery Toolset: This offers diagnostic tools, the ability to recover data that has been lost and a post crash analysis toolkit.

There is a feature chart available.

Anyone tracking what Microsoft has been doing will have noticed a number of acquisitions of interesting players in this market.  I can see that SoftGrid was purchased from Softricity.  I am wondering if Advanced Group Policy Management is a result of the Desktop Authority acquisition.  The tools in the Diagnostic and Recovery Toolset are a result of the recent Winternals acquisition.

This tool kit will be of great benefit to desktop/laptop administrators.  It will reduce complexity, offer new deployment mechanisms, reduce project times and costs, enhance automation and enable them to spend more time on engineering rather than firefighting or repetitive tasks.  And if things do go wrong, there will be tools to help diagnose those problems.