Sunday, January 14, 2007

Day Three: Reality check

Did I say SMS administration wasn’t a full time job and that ITMU was the end all savior answer to our SMS prayers? Time for that reality check.

So here’s what actually happened on Friday. I set up a meeting with admin 2 and 3. I bring my laptop and a projector so we can all see what’s going on. Combined with the patch update document left by the last admin and a little knowledge based on my readings about ITMU, we figured an hour was plenty of time to set up the patch advertisement. Just to be sure I blocked out an hour and a half for the meeting. On our agenda: update the existing Microsoft Update patch package to include the January patches, and advertise it to a test group. The patches themselves had already been tested and approved for our environment. Our job was to simply integrate them into SMS and start the monthly company patching process.

Here’s Microsoft’s diagram on how this should work: https://www.microsoft.com/smserver/techinfo/administration/20/using/suspackhowto.mspx

So looking at the document left by the old admin and dated July 2006, we think we have a pretty good handle on how to start this process. Step 1: Right click on the correct advertisement and choose the option to distribute software updates. Well, which advertisement is the correct one? Certainly not the one for the entire company. But there doesn’t appear to be a good test advertisement set up. How can this be? Obviously, something is wrong with this document and we’re only on step one. Okay, no problem. We are three very bright admins (there are 30 Systems Administrators at this company), and each of the three of us would definitely rank within the top five category for our company. Surely we can figure this out and move on. We start by exploring the options available for every type of object. Strangely, distribute software updates is available via packages, collections, and advertisements. Well, we know we want to update the package, so let’s proceed from there.

Step two: Pick the correct scanning tool (the screenshot shows MBSA). Well, that doesn’t strike us as correct. The DSUW has Microsoft Updates already listed, and based on what comes up in the rest of the wizard (yes, we poked around), it appears to default to the values chosen the last time it was run. Additionally, Microsoft’s ITMU documents also appear to use Microsoft Updates. Keep in mind, our company has had SMS in place for 4 years now. The list of scanning tools available includes MBSA, Windows Update, Office Update, and Microsoft Update. Our best guess: Microsoft Update supersedes all the other tools since it combines the features of Windows Update and Office Update in order to update both in one shot. This conclusion was reached based on our knowledge of the difference between Windows Update, Office Update, and Microsoft Update’s respective websites.

Moving on to step three: Pick the Q number of the patches to include in your package. Our understanding at this point is that the sync tool has already run and these patches should already be in the package source. Click a couple of corresponding checkboxes and move on. How wrong we were. Since the patch test group had already downloaded the patches and tested them, I know the network share to look at and find the appropriate patches. They are kept in the share and organized by year and then by Microsoft Bulletin number. Example is \\share\2007\MS07-002 . This folder refers to this bulletin: http://www.microsoft.com/technet/security/Bulletin/MS07-002.mspx

As you can see in the bulletin, the Office 2000 version of the patch is KB925524. The network share lists each file that was downloaded and the first file in the list is office2000-kb925524-fullfile-enu.exe. Cool, let’s type that into the filter and check the box! Only problem is, 925524 doesn’t return any results. How can this be? Did the sync tool not run? We need to check things out. So we spend the next hour looking for reports, queries, advertisement status queries, checking package source folders etc. As best as we can tell, the sync tool ran on 01/09/07, aka Patch Tuesday. So where in the world is 925524? Shouldn’t it be in there? Can Microsoft make this any more difficult? Why isn’t this working right? I’m sure some of the SMS veterans and Security folks would get a real kick out of this train of thought. An hour or so later it’s time to admit defeat and move on to the next one. Excel 2002/XP, number KB925523, comes up without an issue. Check a bunch of boxes and we feel pretty damn good. So what happened to 925524? Let’s poke around some more. It’s time to actually read the bulletin. Look at that, MS07-002 has a number next to it: 927198. Maybe that’s the Q number we should be typing in? At this point, I admit we’re lost. I type in every number I can find, check the boxes that come up and ignore the ones that don't. Hopefully the old admin will answer our emails before we deploy to the company.

The rest of the process pretty much proceeds as expected. Updates get downloaded. DPs get updated. We choose not to update the collections and advertisements, because we want to do it ourselves and not screw up the company (yet).

The hour long meeting only took 4 hours! This SMS stuff is easy as pie.
