
SUS Software Update Services


James Johnson

Jan 15, 2003, 12:10:22 PM
Hi all.

Is it possible to have SUS installed on a server and have
it force updates out to another server without having
windows updater installed on the target server..

My situation is as follows.

I am regularly building servers (WIN2K o/s) with a tight
timescale. When it comes to running windows update it can
take some time to download the update depending on whether
or not the proxy server has cached the updates being
downloaded.

It would be nice to have a dedicated server on our network
download these updates overnight and to be able to connect
a new server to the network and download any updates from
there..

I need to be able to do this without having to download
any software onto the new server nor to have to enter any
proxy information/passwords as these servers go out to a
customer site.

Please can anyone help.

kind regards
James

james....@wcigroup.com

Torgeir Bakken (MVP)

Jan 15, 2003, 9:13:00 PM
James Johnson wrote:

> Is it possible to have SUS installed on a server and have
> it force updates out to another server without having
> windows updater installed on the target server..

No. But if you install SP3 on the server, the SUS/WU client will also be
installed.


> My situation is as follows.
>
> I am regularly building servers (WIN2K o/s) with a tight
> timescale. When it comes to running windows update it can
> take some time to download the update depending on whether
> or not the proxy server has cached the updates being
> downloaded.
>
> It would be nice to have a dedicated server on our network
> download these updates overnight and to be able to connect
> a new server to the network and download any updates from
> there..
>
> I need to be able to do this without having to download
> any software onto the new server nor to have to enter any
> proxy information/passwords as these servers go out to a
> customer site.

This is how I would have done it:

Prepare a CD or network share with all the relevant updates. You can download
those updates from Windows Update Catalog yourself (without installing them on
the computer). See my previous post at
http://groups.google.com/groups?selm=3E1B8D2D.5B4624%40hydro.com for more
information about this.


Then create a vbscript or a batch file that installs them unattended (suppress
reboots and reboot prompts with command line switches). After the installs, add
running qchain.exe to the updater script.

Before you run this updater script, install the relevant Service Pack (can be
done unattended) if you haven't slipstreamed the service pack into your server
OS CD (so the SP is installed together with the OS).

After the boot from the SP install, run the updater script and then reboot.


More information and tips for this:

From: Torgeir Bakken (MVP) (Torgeir.B...@hydro.com)
Subject: Re: best way do install catalog updates after downloading?
Newsgroups: microsoft.public.win2000.windows_update
Date: 2002-12-14 17:41:16 PST

<quote>
dt wrote:

> I have the same problem many other people have - how to perform
> windows update on many machines, or on machines that don't have a
> broadband connection. I have successfully downloaded all 88 "Critical
> Updates and Service Packs", and all 27 "Recommended Updates for
> Windows 2000". I have found lots of help regarding how to download
> the updates to store on a machine - but now what? What is the best
> way to go about updating one or more machines using these downloaded
> files? Manually executing all 115 updates on every machine doesn't
> seem very efficient! And what about prerequisites - does the order in
> which the updates are installed matter? I could write a Perl script
> to traverse the Update Catalog tree searching for the executables, and
> have it generate a batch file that executes all of them, but is this
> the best answer?

Hi

I don't think all those you have downloaded (88 + 27) are relevant if you
install SP3 first.

This is how I would have done it:

Install SP3 for Win2k if not already installed. Reboot in the case you
installed SP3.

Command-Line Options for W2ksp3.exe and Update.exe
http://www.microsoft.com/windows2000/downloads/servicepacks/sp3/spdeploy.htm#command_line_switches_for_update_exe_and_w2ksp3_exe_nthj


Then (after the reboot if needed because of SP3 install) install only
*relevant* pre-SP4 (a.k.a. post-SP3) updates. This should not be very many. Be
sure to read all the documentation for the different updates before you choose
to put them in the upgrade "batch"! This documentation includes e.g. the
security bulletins found here
http://www.microsoft.com/technet/security/current.asp (read the Knowledge Base
articles they are referring to as well, often e.g. command line install
switches are only documented there!)

Going to http://www.microsoft.com/technet/security/current.asp, it looks like
MS02-057 is the latest one listed in the TOC on the left side. This is not
correct, as you will see in the main "body" of the Web page, the latest one is
now MS02-071 (clickable).

Start at MS02-024, I think this is the first pre-SP4 fix that was released, and
work yourself up to the last bulletin released:

Microsoft Security Bulletin MS02-024
Authentication Flaw in Windows Debugger can Lead to Elevated Privileges
(Q320206)
http://www.microsoft.com/technet/security/bulletin/ms02-024.asp


The order the updates are installed (AFTER SP3 is installed) does not matter
(but I would have installed them in the sequence they were released just to be
on the safe side). You could use Qchain.exe after the installs before the
reboot, but it should not be necessary (but it would not hurt either, we do it)

From "Use QChain.exe to Install Multiple Hotfixes with Only One Reboot"
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q296861

<quote>
NOTE: QChain.exe functionality is included in all Windows 2000 hotfixes released
since May 18, 2001.

NOTE: The QChain.exe tool is not required on Microsoft Windows XP or Windows
2000 post-Service Pack 3 (SP3) updates. The hotfix installer in Windows XP and
Windows 2000 post-SP3 updates includes functionality to support multiple hotfix
installations.
</quote>


One problem with updates and hotfixes: they have at least three different ways
in which the setup switches need to be set to make the installation unattended
and suppress reboot.

/u /q /z
/q /r:n (alt. /q:a /r:n)
/q /c:"dahotfix.exe /q /n" (alt. /q:a /c:"dahotfix.exe /q /n")


Example of the first one:

q329115_wxp_sp2_x86_enu /u /q /z
See http://support.microsoft.com/?kbid=329115


Internet Explorer security updates are cumulative, so you will only need the
latest one when it comes to IE.

MS02-068: December, 2002, Cumulative Patch for Internet Explorer
http://support.microsoft.com/?kbid=324929

Unattended install of Q324929.exe with the reboot dialog (and the reboot)
suppressed:

Q324929.EXE /q /r:n

If you want to suppress install errors as well:

Q324929.EXE /q:a /r:n


Some other types of hotfixes will need another command line to install, e.g.
this one:

Q318202_MSXML20_x86.exe /q:a /c:"dahotfix.exe /q /n"

More about this here: http://support.microsoft.com/?kbid=318202

and this one:

q329414_mdacall_x86.exe /q /c:"dahotfix.exe /q /n"

See near the bottom here:

MS02-065: Buffer Overrun in Microsoft Data Access Components Can Lead to Code
Execution
http://support.microsoft.com/?kbid=329414


All setup programs that supply the message box below when run with the /?
switch are built with IExpress, and will usually support "/q /r:n" or "/q
/c:"dahotfix.exe /q /n""

---------------------------
Some title
---------------------------
Command line options:

/Q -- Quiet modes for package,

/T:<full path> -- Specifies temporary working folder,

/C -- Extract files only to the folder when used also with /T.

/C:<Cmd> -- Override Install Command defined by author.

---------------------------
OK
---------------------------


Almost all setups of this type can be fully controlled with command line
switches when it comes to e.g. suppressing any dialog boxes to the user and
also controlling the reboot.

Using the /Q /R:N switches, you will suppress any messages, also reboots/reboot
messages as well.

/Q alone will be a silent install, but give the user the option to reboot if
necessary.

If you want to suppress some error messages as well, use /Q:A /R:N


You can also control or force restart with /R (you might have to change /q:a to
/q for some of the options below?):

a.. R = /R:A (Default)
b.. /R:= /R:A (Default)
c.. /R:N -- Never reboot, overrides INF settings in package
d.. /R:A -- Always reboot, prompt user with reboot choice
e.. /R:I -- Reboot if needed, prompt user with reboot choice
f.. /R:AS -- Always reboot, silent and don't prompt user
g.. /R:IS -- Silent reboot if needed, silent and don't prompt user


More information on available switches here:

Common Command-Line Switches for Self-Installing Update Files (Q197147)
http://support.microsoft.com/support/kb/articles/Q197/1/47.ASP


- and here -

Message-ID: <#DxIcwcQ$GA....@cppssbbsa02.microsoft.com>
From: Mike Whalen (MS) (mwh...@microsoft.com)
Subject: Re: redistribution of Microsoft Scripting Engines 5.1
Newsgroups: microsoft.public.scripting.wsh
Date: 1999/12/08
http://groups.google.com/groups?hl=en&selm=%23DxIcwcQ%24GA.236%40cppssbbsa02.microsoft.com

</quote>

--
torgeir
Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page
Scripting Guide: http://www.microsoft.com/technet/scriptcenter
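
The updater script described in the reply above, written out as a batch file. This is an added example, not Torgeir Bakken's own script: the share path, the log path and the `Qnnnnnn_W2K_SP4_X86_EN.exe` placeholder name are assumptions, while the other package names and their switches are the ones quoted in the post. It logs every package's exit code so a build can be checked for missing or failed hotfixes before the server ships.

```batch
@echo off
rem Added example: unattended post-SP3 hotfix run for a freshly built
rem Windows 2000 server. Run it after the SP3 install and its reboot.
setlocal

rem Assumed locations: point FIXDIR at your CD or network share.
set FIXDIR=\\buildsrv\hotfixes
set LOG=%SystemRoot%\hotfix-install.log

>>"%LOG%" echo ==== hotfix run started %DATE% %TIME% ====

rem One line per package, oldest bulletin first. The switches differ per
rem package family, so take them from each package's KB article.

rem IExpress package that accepts /q /r:n (IE cumulative patch, MS02-068)
call :install Q324929.EXE /q:a /r:n

rem IExpress packages that wrap dahotfix.exe
call :install Q318202_MSXML20_x86.exe /q:a /c:"dahotfix.exe /q /n"
call :install q329414_mdacall_x86.exe /q /c:"dahotfix.exe /q /n"

rem Package of the /u /q /z family. The file name is a placeholder.
call :install Qnnnnnn_W2K_SP4_X86_EN.exe /u /q /z

rem Run qchain.exe once, after all installs and before the single reboot.
rem It is assumed to have been copied into FIXDIR.
"%FIXDIR%\qchain.exe"
>>"%LOG%" echo qchain.exe exit code %ERRORLEVEL%

>>"%LOG%" echo ==== hotfix run finished %DATE% %TIME% ====
echo Done. Review %LOG%, then reboot the server.
goto :eof

:install
rem %1 = package file name, %2 to %4 = its unattended/no-reboot switches
if not exist "%FIXDIR%\%1" (
    >>"%LOG%" echo MISSING: %1 was not found in %FIXDIR%
    goto :eof
)
>>"%LOG%" echo installing %1 %2 %3 %4
rem start /wait blocks until the installer exits, so installs never overlap
start /wait "" "%FIXDIR%\%1" %2 %3 %4
>>"%LOG%" echo %1 exit code %ERRORLEVEL%
goto :eof
```

Exit codes are logged as-is rather than interpreted; check each package's KB article for what a non-zero value means.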

