WSUS and sundry other updates

I’ve been playing around with WSUS recently for use in Housing. Primarily, I’m testing it with student site computers as the targets for automated installs, though the reporting we get from the “download and wait to install” mode also works well on our servers.

A few things bother me though:

  • There doesn’t seem to be a way to force the install of a patch as soon as the computer checks in. Our workstations are commonly reinstalled during the year; if I switch to WSUS as my patch management solution, it appears as though I need to keep patching my install point every month. Not a big deal, as long as the /integrate: option always works.
  • WSUS needs the BITS 2.0/WinHTTP 5.1 update and Microsoft Installer 3.1 before it can do anything else. This isn’t a real big deal: either expect to wait 24 hours to install actual patches, or stuff those into cmdlines.txt to run during unattended setup.
  • Superseded update handling seems to be wonky, or something. I’ve seen 1 case where an update for Windows 2000 is shown as “superseded” by an update for Windows 2003. Not likely. And all this update declining business is confusing too.

I guess, when all is said and done, WSUS is a better solution than our current homebuilt Winbatch file version checker feeding into a SQL database. And WSUS is free, so no complaining allowed!

Other updates to, hopefully, come for the labs this summer: Acrobat Reader 7, McAfee VirusScan 8.0i and all the newest versions of all the free stuff we run (GAIM, Firefox, putty, etc). I’m also investigating McAfee’s ePO server, but that may have to wait until fall to get done.

ntconfig.pol + Group Policies = breakage

Apparently, certain settings left over from NT System Policies (ntconfig.pol) conflict so badly with Group Policy settings that the 2 never decide who wins. I just wasted two hours trying to get screen saver settings to not conflict, when the 2 are setting things in different places and something in the OS can’t decide which one takes precedence.

I guess I get to migrate all our NTConfig.pol settings over to group policies tomorrow. I’ve been putting it off until we close, and that’s passed, but we’ve got a giant conference coming in tomorrow and I’d hate to break something. Oh well.

Update: Knowledgebase article 257939 has something to say about this phenomenon.

Mozilla Firefox dropping .zip builds

Chase says Firefox is dropping the .zip builds. The comments on that post alone ought to be enough to get them to bring them back.
I’ve been using them since I discovered that the unattended/silent install didn’t work as advertised. They claimed to have fixed that bug, but I haven’t had time to look at it yet. I’ve gotten addicted to the easy plugin install method of just copying the contents of the previous plugins folder over to the new install and going on.
I’m handling this update using the low tech method mentioned in the forum thread: Install in new directory on one machine, copy directory to server, treat like a zip build.
That works for now.

My brain hurts

More survey greats:

  • possibly renting out portable USB ports. this would help with the transferring of memory from one computer to the next whether it be our own in our room, the ones in the lab, or someone elses.
  • I consider the services offered excellent. No complaints. It would be nice if you had a stapler physically attached to the table so that we do not have to go searching for one after we print.
  • Provide wireless routers to every URH dorm room, so that every URH dorm room could have wireless access to the University network.

3 more days.

Annual Technology Survey

We are running our annual technology survey, and the same issues that always come up are happening, just like clockwork:

  • “You don’t have application X and I need it for class Y (or just because)!”
    • 9 times out of 10, we have the application, or something very similar. SSH is a perfect example: we’ve got 2 different clients and still people are asking for it.
    • AutoCAD is another common request. We have the regular AutoCAD 2005, but we don’t have the Inventor version that requires a high end 3D video card.
  • “NetTechs are slow!” and “The NetTechs are the greatest thing since sliced bread!”
    • Both these comments can’t be true, but if person A only needed help during opening week, when we are slammed with requests, while person B needs help every other week and has a tech on the same floor…Well, you get the picture.
  • “More wireless internet in the dorms!”
    • We are working on this as fast as we can, adding hotspots to many areas this year and this summer. But, wireless will never replace the wired URHNet connection in the rooms, so don’t ask. And if you don’t know why it won’t, either do some research or ask someone who has dealt with large scale wireless deployments.
  • “The computers in the labs are slow and sucky” and “Having fast, reliable computers in an always open lab is great, keep up the good work!”
    • Similar to the nettech comments, these both can’t be true. Apparently replacing computers every 4 years isn’t often enough for all people. It’s still nice getting compliments.

And, of course, there are just the classic responses:

  • To a question about what additional programming would be nice on our in house cable channel: “More porn like girls gone wild and stuff.”
  • “you guys kick ass
    the network here at school is probably the best i’ve ever connected through. i know it kicks other school networks ass. Lastly i’m very satisfied with how fast problems get fixed if there ever are any. i like u guys u make things run”

Active Directory update

The student sites are now NT4 free! I reinstalled the last NT4 BDC with Windows 2003 Server today. I also moved the FSMO roles off the upgraded DC to a clean install server, so next up is to demote the upgraded DC and then reformat and reinstall it.
After that is the upgrade for the admin domain, but that involves an Exchange 5.5 server, so much more testing will be needed before we even start thinking about actually doing that.

New security update from Microsoft

MS04-040
And they were getting so good at keeping things on the second Tuesday of the month. Oh well, at least they are fixing holes with known exploits in the wild.

Home users, time to visit WindowsUpdate. I’m putting off updating all the lab machines for at least 24 hours to make sure there aren’t a string of “this update hosed my computer/network/server farm/enterprise” posts to NTBugTraq.

Active Directory upgrade

The student sites are now running on a Windows 2003 Server Active Directory. I learned a few things along the way:

  • Don’t try to reuse an existing server name if it is statically mapped in your WINS database. The Windows Server 2003 upgrade process will think there is a name collision and use some randomly generated name for the server, UNIVERSI-2345a8 for example.
  • If you have messed around with the User Rights on your NT4 domain, you’d best find the defaults for Windows 2003 and reset them. Updates and other things just don’t install correctly until they are reset. (The Threats and Countermeasures Guide came in pretty handy here too.)
  • Until the workstations’ DNS server and default DNS domain name are changed, they keep working right along as if the domain is still NT4 based. Dynamic DNS doesn’t start working until then either.

I still need to move all the FSMO roles off the temporary DC, but that doesn’t need to happen any time soon. I may put any more changes off until winter break.

MBSA and MS04-025

When MBSA 1.2.1 tells you this about MS04-025, it’s probably safe to ignore.

A required registry key does not exist. It is necessary in order for this patch to be considered installed. [SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3B7C8860-D78F-101B-B9B5-04021C009402}\Compatibility Flags]

Check the file versions listed in the bulletin, but it’s probably wrong.
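The registry side of that MBSA message can be checked directly. The following is an added example, not part of the original post or of MBSA: it reads the "Compatibility Flags" value for the CLSID quoted above and reports whether the ActiveX kill bit (0x400) is set. The function name Get-ActiveXKillBit is hypothetical, and the HKLM hive is an assumption, since the MBSA message omits the hive.

```powershell
# Added example: report whether the ActiveX kill bit is set for a CLSID.
# Assumptions: the path from the MBSA message lives under HKLM, and
# "Compatibility Flags" is a DWORD value in which 0x400 is the kill bit.
$KillBit = 0x400

function Get-ActiveXKillBit {
    param(
        [Parameter(Mandatory)][string]$Clsid
    )
    # Native registry view first, then the 32-bit view present on 64-bit Windows.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $keyPath   = Join-Path $root $Clsid
        $keyExists = Test-Path -LiteralPath $keyPath
        $flags     = $null
        if ($keyExists) {
            # The key can exist without the value; treat that as "not set".
            $item = Get-ItemProperty -LiteralPath $keyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($item) { $flags = [int]$item.'Compatibility Flags' }
        }
        [pscustomobject]@{
            Key        = $keyPath
            KeyExists  = $keyExists
            Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { $null }
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

# CLSID taken from the MBSA message quoted above.
Get-ActiveXKillBit -Clsid '{3B7C8860-D78F-101B-B9B5-04021C009402}' | Format-List
```

KeyExists = False reproduces what MBSA is reporting; whether the patch is actually installed still comes down to the file versions in the bulletin.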

Oh, and this guy deserves a nice pat on the back for wonderful instructions on how to patch an Office 2003 administrative install share. Amazingly enough, patching the install share and then calling setup.exe REINSTALL=ALL /qb /L*v c:\o2k3re.log actually works as advertised.

(And it looks like my stylesheet still needs some adjustments)