Installing Service Packs


Nik

Morning
Can someone guide me on how to install a service pack to a user workstation
through active directory.

Thanks
Nik
 
Nik,

This is just like any other deployment of software via Group Policy. You
would simply have to assign it to the computer configuration ( NOTE: You can
not publish this.....it must be assigned ). Make sure that this GPO is
linked to the OU ( assuming that you would be doing this to the OU level ).
Make sure that the computer account objects that you want to receive this
GPO reside directly in the OU to which you linked the GPO. Once you have
configured the GPO you have to reboot the computers to be affected.

Does this help you?

Cary
 
Hi Nik, not too sure are you referring to the recent Win XP SP2? Anyway,
download Win XP SP2 from
http://download.microsoft.com/downl...0-73cf11fdcdf8/WindowsXP-KB835935-SP2-ENU.exe

SP2 contains an Update.MSI in i386\update. Use this MSI file to
assign to your PCs in Active Directory.

If you are referring to other patches / service packs, you will need a 3rd
party tool like WinInstall LE 2003 from
http://downloads1.ondemandsoftware.com/download/installs/wininstallle.exe

This tool uses the before/after changes to produce a MSI file. Then use the
same method above to deploy patches/ service packs to your PCs in AD.

Hope this helps.
 
I would like to think one of these will help. I have just a few users who do
not have the Win2000 SP4 service pack on their computer so I wanted to
install it on just those users without having to go to their desk.

I'll try this.
Thanks for both responses.
 
Nik,

I hope that I did not ass/u/me that you have deployed applications via GPO
before. If you have not and need / want some assistance with the set up I
would gladly help you. Once you have done it a couple of times it is as
easy as brushing your teeth. But, there are several things that must be
in order for it to work!

Also, since you mention that there are only a few computers that need SP4 I
can show you a way to know exactly which computers have which Service Pack
installed. You would use something called ldifde ( that is LDIFDE ). It is
really a nice tool. In WIN2003 environments you would probably use the
newer ds* tools, though.

HTH,

Cary
 
Hey Cary, Sorry if I made u ass/u/me. :-). However, I really have never
done the distribution of software via Group Policy. So I would definitely
appreciate all the help you are willing to give me. Thanks a million.
Nik
 
Nik,

No problem.

Okay - the big picture is that we need to put the Service Pack on a
networked Server, create the package and deploy it to the necessary
computers. That sounds easy enough, right?

Well, let's look at the details for doing this.

I do not know in what format you have the Service Pack - whether it is the
single file .exe or the CD-ROM. If you have the single file executable you
will need to extract it. That should be easy enough. WinZip will do it for
you. You could also use some switches from the command prompt to do this.
I would suggest that you create a shared folder first, though. For things
like this I like to hide the shares so that when people are browsing the
network these types of folders are not directly visible. So, share it as
W2KSP4$. The "$" makes it a hidden share. You will need to include the "$"
later when you are telling AD the path to update.msi.......I like to give
either Domain Admins or Administrators Full Control on both the Share and
NTFS permissions and - in this particular case - Domain Computers Read on
the Share permissions and then Read and Execute, List Folder Content and
Read on the NTFS permissions.

You would then copy the directory structure into this shared folder.

This is the end of Part 1.

Now, you need to create an Organizational Unit ( OU ) and move the computer
account objects that need to have SP4 installed into this OU. Please keep
in mind that it is a really bad idea to move a computer account object into
an OU to which a GPO that installs software is linked, let the software be
installed and then move the computer account object out of that OU ( like
back to the default COMPUTERS container ). So, once the computer account
objects are in an OU they should generally stay there. Generally.

This is the end of Part 2.

Now, we need to create the Group Policy Object and link it to the OU in
which the computer account objects directly reside. Sidenote: please do
not be fooled by the name. Groups really have very little to do with Group
Policy Objects. You can not place a group inside this OU that you have
created and create and link the GPO to this OU and think that because the
computers are members of this group that the GPO will apply. It will not.
This is a common mistake that a lot of people make. The computer account
objects must directly reside inside the OU.....Period!

So, right click the OU, select Properties and go to the Group Policy tab.
Simply click on the New... button. Sidenote: Why is there an Add...
button? Because you can use this button to link an existing GPO to this OU.
So, forget about SP4 for a moment. Say that you have created a GPO and
linked it to the OU in which the Marketing user account objects reside. Say
that the Finance people see what happens when the Marketing people log on
and want/need this to happen for them. Instead of having to recreate this
GP you simply use the existing one and link it to the OU in which the
Finance user account objects reside. You see, it is an object ( thus the
GPO - for Group Policy Object ) and can be linked to many different levels
if necessary. Now, back to SP4. You need to give this a 'friendly name'.
I would call it something original - like WIN2000 SP4 or whatever. Now, you
have actually created the Group Policy. Granted, it is pretty much blank.
But the Group Policy object has been created and linked. You have given it
the 'Friendly name', you have a Group Policy Container, or GPC, in the Domain
partition for this policy and you have created the Group Policy Template, or
GPT, in the SYSVOL folder. This is all happening, by default, on the Domain
Controller in this domain that holds the FSMO role of PDC Emulator. So, how
do you change this ( remember, it is pretty much blank at the moment )?
Well, you click on the Edit... button. You would open up the Computer
Configuration and click on Software Installations and then right click on
Software Settings and select NEW. And sorry if the terms are a bit off. I
am going from memory. You now need to tell AD where the .msi file is. So,
you enter the following:
\\servername\W2KSP4$\update\update.msi. You then need to tell it to Assign
this package ( and ***NOT**** publish ).

You are pretty much finished.

Give it a moment and then go to the computers in question and reboot them.
SP4 should be installed upon booting up. It will take a bit of time.

What if things do not work? Make sure that the clients are pointing ONLY to
your internal DNS Servers ( and not to the DNS Servers of your ISP ). That
is the first thing. You can also use GPOTool and GPResults. I would even
navigate to the update.msi file and manually double click it to see if it
runs. Sometimes things do not extract so well. But I would do the other
things first.

HTH,

Cary
 
Cary,
I have a GPO at my site level so I put the package in that GPO. Hope that is
OK. Also you had mentioned that you would show me a way to determine which
computers need the service pack before it installs it, or does this take care
of it?
Nik
 
Nik,

A couple of things: Site-level GPOs are valid but a bit more difficult to
troubleshoot and maintain. *Usually* you want to stay away from a Site GPO
for deploying software. Now, do not get me wrong, you can do that. I would
not. But it is possible.

What I would do is a bit more advanced and a bit more involved. If you have
implemented this GPO already then there is no need for me to go into the
details. However, I will give the 'Big Picture' information.

You create the GPO and link it to the Domain-level or OU-level. You put the
'application to be deployed' on one of the local Servers ( so, if you have
three Sites and in Site01 you have DC01 and DC02 and in Site02 you have DC03
and DC04 and in Site03 you have DC05 and DC06 and we are interested in
Site03 then you put the application on one of the two DCs in Site03 or - and
this is even better - on a File Server, if available ) and you create a
security group that contains the user account objects ( or, in your case,
the computer account objects ) and simply remove the 'Authenticated Users'
group from the security tab of that GPO and replace it with the security
group that contains the objects in need of this application and make sure to
give that security group both the READ and APPLY GROUP POLICY rights.

This is a bit more involved but it gives you better control over things.

Now, to figure out which computer account objects have which Service
Pack, you can use a built-in tool called ldifde ( and there are others but
let's go with this one....it is free and requires no scripting skills ).

Here is what you would enter:

c:\>ldifde -f servicepack3.ldf -s servername.domain.com -t 389 -d "DC=domain,DC=com" -r "(&(objectClass=computer)(operatingSystemServicePack=Service Pack 3))" -l "DN,sAMAccountName,operatingSystem,operatingSystemVersion,operatingSystemServicePack"

This would determine all of the computers with Service Pack 3 installed.
You could also do the same for Service Pack 2 and Service Pack 1 if needed.
You would simply call the .ldf file for the Service Pack 2 query
servicepack2.ldf and the .ldf file for the Service Pack 1 query
servicepack1.ldf.

HTH,

Cary
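
Added example, not part of the original thread: a small Python parser for an .ldf file like the one the ldifde command above writes, listing the computers that report less than a required service pack (the "who still lacks SP4" question). It assumes the export was run with the filter reduced to (objectClass=computer) so every computer is included; the function names and the sample records are constructed for illustration.

```python
import base64

# Constructed sample in the shape of an ldifde export, trimmed to the
# requested attributes (not real data). WS02 has a folded line; WS03 has
# a base64 value ("::") and reports no service pack at all.
SAMPLE_LDF = """\
dn: CN=WS01,OU=Workstations,DC=domain,DC=com
sAMAccountName: WS01$
operatingSystemServicePack: Service Pack 4

dn: CN=WS02,OU=Workstations,DC=domain,DC=com
sAMAccountName: WS02$
operatingSystemServicePack: Service Pa
 ck 3

dn: CN=WS03,OU=Workstations,DC=domain,DC=com
sAMAccountName: WS03$
operatingSystem:: V2luZG93cyAyMDAwIFByb2Zlc3Npb25hbA==
"""

def parse_ldif(text):
    """Return one {attribute: value} dict per LDIF record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: append to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:               # trailing "" flushes last record
        if not line.strip():
            if current:
                records.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            current[name.lower()] = value.strip()
    return records

def below_service_pack(records, required=4):
    """Map sAMAccountName -> reported service pack for computers below `required`."""
    found = {}
    for rec in records:
        sp = rec.get("operatingsystemservicepack", "")
        digits = "".join(ch for ch in sp if ch.isdigit())
        if (int(digits) if digits else 0) < required:
            found[rec.get("samaccountname", "?")] = sp or "none reported"
    return found
```

operatingSystemServicePack holds what each computer last reported to the directory, so accounts for machines that have been offline for a long time can show an out-of-date value.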
 