May 20, 2002 12:00 AM

Roll Out Secure Servers

Windows IT Pro
InstantDoc ID #24892
Downloads
24892.zip

RIS can automatically install Win2K Server and all hotfixes

Once upon a time, I thought nothing of building a new test server without hotfixes or service packs. After all, it was just a test server; it contained no data that was important to me, so I didn't care whether the server was secure. But those were the days before the Microsoft IIS worms. Nowadays, if I put an unsecured server on the network, it could become infected and become one of the legions of machines that spend all day looking for other computers to infect.

But hotfixes are a pain to install. Microsoft has committed to writing hotfixes that don't require reboots. Until then, however, I need to apply more than a dozen hotfixes to—and reboot more than a dozen times—any post-Service Pack 2 (SP2) Windows 2000 system, if I want the system to be as secure as Microsoft knows how to make it.

I'm a fan of both scripting and Microsoft Remote Installation Services (RIS). This month, I show you how to set up a RIS server that will let you start an automated Win2K installation, walk away for a while, and return to find all the latest hotfixes installed. Although I build my example on RIS, this approach also works on a simpler network-based installation that uses a shared i386.

Assembling Tools
First, assemble the tools that you need to roll out the server. You need a RIS server and, of course, prospective server systems that can boot to RIS by using either built-in clients or RIS's generic boot disk. You also need the latest service pack (SP2 at the time of this writing) and all post-service pack hotfixes. To find the hotfixes, I suggest that you either go to http://www.microsoft.com/security or search Microsoft's site for "security bulletin." Either approach should lead you to a page that summarizes the latest hotfixes.

Hotfixes are usually .exe files with names such as q303984_w2k_sp3_x86_en.exe. The filename alone can tell you a lot: That name tells you that the Microsoft article Q303984 explains what the hotfix fixes, that the fix is for Win2K in that OS's Intel Pentium version, that the patch is destined to be incorporated into SP3, and that the patch is for the English version of the OS.

You also need one more tool. Installing hotfixes has always been a pain for (at least) two reasons. The first reason, mentioned above, is that when you install a hotfix, you must reboot your system. Applying the 16 hotfixes that were current as of mid-October 2001, for example, would require 16 reboots. Fortunately, most hotfixes written since mid-2000 provide two switches, -m and -z, which tell the hotfix to install quietly and not to force a reboot, respectively. The second reason is that when you apply several hotfixes, they can conflict with one another unless you install them in the right order.

That's where Microsoft's qchain.exe tool comes in. After you use the -z switch to install multiple hotfixes and before you reboot, use Qchain: It rearranges all the hotfixes so that they don't conflict. The Microsoft article "Use QChain.exe to Install Multiple Hotfixes with Only One Reboot" (http://support.microsoft.com/directory/article.asp?id=kb;en-us;q296861) explains the tool and provides a link to download it.

Qchain 101
To see how Qchain interacts with hotfixes, let's look at an example. Suppose we wanted to apply all post-SP2 hotfixes to several already-configured systems. We'd download qchain.exe and all the hotfixes to a network share that we'll call Patches, which is on server Srv1. Then, in Patches, we'd create a batch file, which we'll call fixes.cmd, to apply the hotfixes and run Qchain. If we had only three hotfixes, that batch file would look something like the file that Listing 1 shows.

To apply the hotfixes, we'd simply open a command line and type

\\srv1\patches\fixes

then press Enter. The batch file would apply the fixes, run Qchain, and report any problems in a file called logfile.txt in the C drive's root.

To use this batch file, replace \\srv1\patches in the file's first line with your share's Universal Naming Convention (UNC) name. Replace the second through fourth lines with a line for each of your hotfixes. Because I have 16 hotfixes, my batch file has 18 lines.
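The following fixes.cmd is an added example written in the style the article describes; it is not the article's Listing 1 and not Microsoft's code. The share name \\srv1\patches, the log path, and the hotfix filenames (only q303984 comes from the article; the qNNNNNN entry is a placeholder) are assumptions. It goes slightly beyond the article by checking that each hotfix file exists and recording each installer's exit code, so a silent -m -z run that failed on one patch is visible in the log before you reboot. The log-file path passed to qchain.exe relies on Qchain's optional log-file argument; check the KB article if your copy of the tool behaves differently.

```batch
@echo off
rem fixes.cmd: apply post-SP2 hotfixes quietly, then run Qchain, then reboot once.
rem Added example; share, log path and hotfix names are placeholders.
setlocal
set PATCHES=\\srv1\patches
set LOG=C:\logfile.txt

echo Hotfix run started %DATE% %TIME% on %COMPUTERNAME% > %LOG%

rem One call per hotfix. -m = unattended (quiet) install, -z = do not reboot yet.
call :apply q303984_w2k_sp3_x86_en.exe
call :apply qNNNNNN_w2k_sp3_x86_en.exe

rem Run Qchain last, after every hotfix and before the single reboot, so the
rem hotfixes' file replacements do not conflict. Its argument is the log file.
%PATCHES%\qchain.exe %LOG%
echo Hotfix run finished %DATE% %TIME% >> %LOG%
echo Review %LOG%, then reboot to complete the installation.
endlocal
goto :eof

rem Subroutine: install one hotfix and log the outcome.
:apply
if not exist %PATCHES%\%1 (
    echo MISSING %1 >> %LOG%
    goto :eof
)
%PATCHES%\%1 -m -z
rem A non-zero exit code from the installer is treated as a failure here.
if errorlevel 1 (
    echo FAILED %1 exit code %errorlevel% >> %LOG%
) else (
    echo OK %1 >> %LOG%
)
goto :eof
```

Run it exactly as the article describes, by typing the share's UNC path to the batch file at a command prompt; the only change from a three-line hotfix list to sixteen is adding one call :apply line per hotfix between the first and the qchain.exe line.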

Comments
  • David Nicholls
    Jun 11, 2002

    I followed the article and it worked... in a fashion!
    I ended up with Windows 2000 Server but with the branding of Windows 2000 Professional.

    It had lots of the server version services installed and would install Exchange 2000, but would not install ISA Server or Netshield as it was not detecting it as Server.

    I did use the right CD, but could I have missed something else?
