Small Business Susan

SBSized Windows 2003 sp2 release notes

Okay so you’ve read the REAL Windows 2003 sp2 release notes right? If not, do that and then come back.


If you want to know what’s in Win2k3 sp2, the Windows Server blog points to the highlights – http://blogs.technet.com/windowsserver/archive/2007/03/13/sp2-goes-live.aspx


(edit) Please note that SP2 is fully and utterly supported on SBS 2003 sp1.


Before we begin to install SP2 I want you to do a few steps.


  1. Consider (okay.. how about DO) installing this in VMware, or on any server other than a client’s production box, first.  Get a feel for this process.  In the era of free Virtual PC the argument that we don’t have test boxes won’t fly anymore.  Go build one with Action pack software and leave the 30 day clock running.  Use that to test.
  2. Ensure you have a good backup.. a tested backup.
  3. Disable third party services (not just stop the services, turn them to disabled)
  4. Do an additional … an Oferized backup… of just the SystemState just to be sure.  (To Ofer means to ensure your clients and you are ready for anything.  Ofer has best practices down to a fine art.)
  5. Consider rebooting the box BEFORE the service pack is applied to know that you have a good solid boot.  (Okay so Ofer would say just do it)
  6. Scan the event logs before you start the process to get a feel for the pulse of a “normal” SBS box
  7. Ensure you have enough room to install the SP2 – http://msmvps.com/blogs/bradley/archive/2007/03/15/how-much-space-is-needed-for-win2k3-sp2.aspx

On the ActiveDir listserve (where I suck at lurking), I jokingly call the SBS server the “Kitchen Sink server” because of all the services we have running and because of that we have some errors in the log files that are normal.  I call this tripping on our toes. And this tripping might get a smidge enhanced with the application of a service pack on an underpowered box.


Some of the events that I get in a vmware SBS are like this


Event Type: Warning
Event Source: WinMgmt
Event Category: None
Event ID: 5603
Date:  11/4/2006
Time:  6:01:50 PM
User:  NT AUTHORITY\SYSTEM
Computer: SERVERTEST
Description:
A provider, PerfProv, has been registered in the WMI namespace, ROOT\CIMV2\MicrosoftHealthMonitor\PerfMon, but did not specify the HostingModel property.  This provider will be run using the LocalSystem account.  This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.  Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.  


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


So when I see the SAME error message AFTER the application of the service pack, I know that the service pack is not the thing that caused it; it was working fine before and should be fine afterwards.


Like on this VMware system right after each reboot I’ll always get this:


Event Type: Error
Event Source: Windows SharePoint Services 2.0
Event Category: None
Event ID: 1000
Date:  3/17/2007
Time:  1:42:28 PM
User:  N/A
Computer: SERVERTEST
Description:
#50070: Unable to connect to the database STS_Config on SERVERTEST\SharePoint.  Check the database connection information and make sure that the database server is running.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


But Sharepoint is working just fine.  All this is is a timing issue of the websites loading up and my server is actually running just fine.  Thus rule one.. don’t panic. 
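The before/after comparison described above, as an added example that is not part of the original post: each event is reduced to source, ID and type, so a known event with a new timestamp is not reported as new. The sample logs are constructed from the events quoted on this page, and the function names are illustrative.

```python
import re

# Constructed sample logs in the Event Viewer text layout shown on this page.
BEFORE_SP2 = """\
Event Type: Warning
Event Source: WinMgmt
Event ID: 5603
Date:  11/4/2006
Description:
A provider, PerfProv, has been registered in the WMI namespace ...

Event Type: Error
Event Source: Windows SharePoint Services 2.0
Event ID: 1000
Date:  3/17/2007
Description:
#50070: Unable to connect to the database STS_Config ...
"""
AFTER_SP2 = BEFORE_SP2 + """
Event Type: Error
Event Source: dsrestor
Event ID: 1005
Date:  3/17/2007
Description:
The DSRestore Filter failed to connect to local SAM server.
"""

FIELD = re.compile(r"^(Event Type|Event Source|Event ID):\s*(.*?)\s*$")
KEYS = ("Event Source", "Event ID", "Event Type")

def parse_events(text):
    """Return one dict per record; a record starts at an 'Event Type:' line."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # dates, times and description text vary per occurrence
        if m.group(1) == "Event Type":
            events.append({})
        if events:  # ignore stray fields before the first record header
            events[-1][m.group(1)] = m.group(2)
    return events

def signatures(text):
    """Reduce a log to its set of (source, event ID, type) signatures."""
    return {tuple(e.get(k, "") for k in KEYS) for e in parse_events(text)}

def new_since_baseline(before, after):
    """Signatures seen after the service pack but absent from the baseline."""
    return sorted(signatures(after) - signatures(before))

if __name__ == "__main__":
    for source, event_id, kind in new_since_baseline(BEFORE_SP2, AFTER_SP2):
        print(f"new since baseline: {kind} {event_id} from {source}")
```

Only the signatures it reports need a closer look after the second reboot; everything else was already part of the box's normal noise.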


So without further ado, here are the SBSized Windows 2003 Sp2 release notes:


1.  Reboot a second time after the application of SP2:


We’ve seen a couple of boxes whose web sites got stuck or needed a manual restart after the application of this service pack.  Don’t panic on first reboot.  Reboot a second time.  THEN scan the event logs and start debugging if things don’t look right, but don’t use that first boot process to be your determination of how well the SP install went.


2.  When using the SBS 2003 R2 interface to approve SP2 the .Net will throw off an error.


No biggie.  It’s just a .Net weirdness due to two hyperlinks for the one service pack.  Just click on continue and it doesn’t hurt a thing. 



As Roger is apt to say in such occasions, “Continue on, these are not the droids you were looking for” and keep going.


3.  You may see an event in the log files right after that first reboot like this:


Event Type: Error
Event Source: dsrestor
Event Category: None
Event ID: 1005
Date:  3/17/2007
Time:  1:41:21 PM
User:  N/A
Computer: SERVERTEST
Description:
The DSRestore Filter failed to connect to local SAM server. Error returned is <id:997>.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

If the error persists, follow http://support.microsoft.com/default.aspx?scid=kb;en-us;322672 


4.  Help and support is missing


Several folks in the newsgroup have reported this and we saw it during SP1.  If you find this happening, fix it like this:


Suggestion 1. Reinstall Help and Support service.


 


1. From a command prompt go to the “C:\Windows\pchealth\helpctr\binaries” folder by typing:  CD  \windows\pchealth\helpctr\binaries


2. Run the following commands one by one:


      Start /w helpsvc /svchost netsvcs /regserver /install
      net  start  helpsvc


 


Suggestion 2. Reinstall Help and Support.


1. Open Windows Explorer.
2. Go to C:\Windows\inf folder.
3. Right click pchealth.inf and click Install.
4. If the system prompts for the installation CD, please insert the installation CD.
5. If the system prompts for the SP1 installation CD, you have to manually create a slipstream installation CD. See the Universal Windows Slipstreaming and Bootable CD Guide: http://www.msfn.org/articles.php?action=show&showarticle=49


 


Suggestion 3. Use SFC to check system protected files.


If the problem persists, please use SFC command to check whether there’s any corrupted system protected file.


1. Click Start and click Run.
2. Key in “SFC /scannow”, then click OK.
3. The system will automatically scan the protected files.
4. Wait for the wizard to complete.
You may also need to insert the slipstream installation CD 1.


 


5.  If you have not updated ISA to the 2004 version and 2000 is still installed you will see VPN failing


Resolution – install ISA 2004 or follow the registry edit in http://support.microsoft.com/default.aspx?scid=kb;en-us;897651


Specifically, locate this registry key:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpNat\Parameters


You must set this value as follows:


Value name: DisableBootTimeSecurity
Value type: REG_DWORD
Value data: 1


 6.  If ISA 2004 does not include all the sp2 post hotfixes you may see symptoms of Outlook not connecting but OWA works great. 


The issue is that RPC is being blocked, so ensure you have the post hotfixes such as:


http://support.microsoft.com/default.aspx?scid=kb;en-us;916106 and http://support.microsoft.com/default.aspx?scid=kb;en-us;897716 and http://support.microsoft.com/default.aspx?scid=kb;en-us;930414


 Some have reported that following this has fixed the issue: http://msmvps.com/blogs/bradley/archive/2006/03/11/86066.aspx
I actually did that setting in my network as some of my internal management stuff wasn’t working with RPC being blocked.


 7.  Broadcom and their offloading stuff are biting us in the butt again (have we said that we hate Broadcom nics again?)


 Remember why we hate Broadcom nics?  Did you forget?  If you did, review this: http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-network-cards-are-evil.aspx  (Nick says all TOE enabled nics will prob need these edits)


But because SP2 includes the Scalable Networking Pack, it looks like the checksum offloading stuff and Receive Side Scaling might be causing some issues.  The symptoms you will see are slow file copies, problems accessing web sites, DHCP issues where your workstations won’t pick up an IP address, and Secure NAT and VPN issues, especially with Premium boxes.  To disable these features, do the following:


To disable checksum offloading:


In the registry editor (regedit), locate the following subkey:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters


Click Edit, point to New, and then click DWORD Value.


Type DisableTaskOffload as the entry name, and then press ENTER.


Right-click DisableTaskOffload, and then click Modify.


In the Value data box, type a value of 1 , and then click OK.


 


(edit) Disable RSS (and no, we’re not talking about disabling Newsgator here, but Receive Side Scaling – more of that Scalable Networking stuff – which impacts SecureNAT)


http://support.microsoft.com/kb/912222/en-us

1. Click Start, click Run, type regedit , and then click OK.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. On the Edit menu, point to New, click DWORD Value, and then type EnableRSS .
4. Double-click EnableRSS, type 0 , and then click OK.

 


8.  IE 7 install causing the very first reboot to “hang”


 


(I personally saw this on my test VMware SBS box when I chose to install BOTH IE7 and Win2k3 sp2 at the same time)


 


I am hoping that in June when this patch gets auto installed if you have AU enabled that it will be a slow patch month, as I personally saw in a test situation that installing two big patches at the same time meant that when the box rebooted, it got stuck finishing up the IE 7 install.  I had to hit control-alt-delete and get into the task manager and “kill” the  configure settings task and then force a reboot.  Once I did that the box was fine.


 


Only install SP2 all by itself.  Don’t choose a bunch of patches at the same time.  You want to only see the impact from THIS service pack when you patch.


 


9.  Normal patch day weirdness rules apply


 


Just like in a normal patch Tuesday, the normal catroot corruptions and weirdness may apply.  We’ve gotten a few reports that installs via MU and WSUS failed to complete indicating an error in the install and when the system came back online, this was reported:


 


After the forced reboot, the logon screen gives me a warning about not being able to determine the configuration and having to roll back to last known good.


 


Check your log files (windowsupdate.log and svcpack.log) for hints but also check out this KB http://support.microsoft.com/kb/822798 and consider dumping the catroot folder or the softwaredistribution folder.


 


For the Softwaredistribution folder, stop the Update services, delete the folder, rescan Microsoft Update and try again.


 


For catroot weirdness:
1. Stop crypto services
2. Rename \windows\system32\catroot2
3. Create a blank catroot2 folder
4. Start crypto services
5. Try again…


 


10.  If the install fails check your log files


 


If the install fails, click on Start, then Run, then type windowsupdate.log.  In the Notepad window that loads up, scroll to the bottom and read from the bottom up and review the messages.  Look for the svcpack.log file in the c:\windows folder and review that.  Issues with a service pack are a free call to support but you may find the answer to the issues in those log files.  Remember Microsoft Partners have “Server down” support and Managed newsgroups and SBSC newsgroups.  So you have lots of resources in addition to the public newsgroups.


 


Last but not least, relax.


 


All of the issues listed above were seen with Windows 2003 sp1.  There’s nothing new here.  Nothing unusual, just our typical “crusty boxes” that may need a bit of tender loving care. The Windows server blog indicates that this service pack will come down on Win2k3 sp1 boxes on the June patch day.  So before then, will you promise me that you will evaluate your stance on this patch and be ready for it?  If you don’t want it auto installed, then don’t.  If you do want it auto installed, then be ready.  If you are using R2’s WSUS you’ll know that it’s sitting up there for your approval when YOU want it.


http://blogs.technet.com/windowsserver/archive/2007/03/14/sp2-buzz.aspx


 


But bottom line, don’t panic.  SP2 is not throwing off any unusual weirdness.  So far everything we’re seeing we saw before with SP1.


 


We just have that many more “crusty” boxes is all. (and more with ISA 2004)


 


(edits) 3/19 – Added line to indicate that Win2k3 sp2 is fully supported on SBS 2003 sp1 (unlike the Win2k3 sp1 era you won’t see us yelling to not install it)
          3/19 – Added line to indicate that Receive Side Scaling may need to be disabled



6 comments ↓

  • #   Dag Staale Jensssen on 03.19.07 at 2:13 am     

    Time will tell.


  • #   James B on 03.19.07 at 7:15 am     

    How about instead of having a list of un-official fixes for a MS patch we instead demand MS release a fixed patch for SBS and to get their heads out of their ….. and stop posting crap to WSUS that is not ready for prime time. There is no way MS can state this SP was tested on a fully deployed SBSr2Pre server not to mention the lack of a KB then to change the KB basically once a day for a week.

    MS tells customers to stay patched, customer has ponied up the bucks for SBSr2, followed all the install prompts so has WSUS running, patched their WORKING server and now it’s broke, who is supposed to pay for that down time? Not every SBS customer out there has a full time IT person or even a support shop they call so how are they supposed to know they can’t or shouldn’t install certain patches unless they have the time and expertise to fix what the patch breaks? Even those with support such as some of my customers are sick and tired of “patching” so they can be “broken” so I have to bill them to “fix the patch”.

    As much as I think UAC is useless because it will train users to just click “allow” all the time, see MAC Ads, users are getting tired of having working machines become broken from Windows updates and we might just find them refusing to patch. I’ve run across a number of machines in the past few months that were not just not up to date but rather years out of date. Customer’s answer, everything works so why update. Well MS if you’re going to break things with patches that is exactly what end users will start saying across the board. From patches to a totally broken DST process there needs to be a hard look at what’s coming out of MS “Fixes” Division.


  • #   bradley on 03.19.07 at 8:08 am     

    James, there is no need for a SBSized patch because this is just a recap of unusual items. This isn’t the list of “oh this will get you ” this is a list of what may.

    I did it to help, just in case folks got stuck, not to point out that it would happen.

    Most of the issues here are related to out of date ISA or those broadcom nics.

    Yes, the Server team needs to learn how to post a blog post before something hits the download page, but there is nothing in this service pack we weren’t seeing networking wise in SP1.


  • #   Sylvia Dulaney on 03.19.07 at 9:50 am     

    Since an attempt at installing SP2 on SBS2003(Basic), when I use System Management and click Monitoring and Reporting, I get “No performance data is available at this time. Performance data is collected hourly.” Is this related to your comment 4. Help and Support is missing? (Sorry if this got posted twice).


  • #   Pat D on 03.19.07 at 4:35 pm     

    So remind me what happened with SBS 2003 when server 2003 SP1 came out. Did they not initially say it was fine for SBS? And then a few days later they pulled it and said NOT to install on SBS yet? Then they came out with the additional SBS SP1 patch to be run after the server 2003 sp1 patch.

    What was all that about, and should we be waiting to see if it happens again?


  • #   Lars Nelson on 04.03.07 at 3:50 pm     

    First Susan, thanks for your time posting these notes to make our life easier.

    2nd I’m with James. I’ve just about had it.

    Right now, my mood is terrible, because before I could get down my first bit of coffee this morning, my Symantec AV was telling me that the ASUS website just tried to pass along the currently unpatched .ANI exploit. Yes, it appears as though ASUS has been hacked and is passing along the .ANI exploit that as I understand Microsoft has known about for a few years. See http://www.dynamoo.com/blog/ for details on the ASUS thing.

    And now, SP2 on SBS is shaping up to be a major ordeal — just like SP1 was.

    I don’t know about anyone else, but whenever I have to apply a patch, or especially a service pack on SBS I sweat bullets until the thing is in — because of so many issues, tweaks, workarounds etc.

    IS ANYONE ELSE SICK OF WORKAROUNDS? I AM.

    As the world’s wealthiest company, and as this is software, why can’t we be given a tested pack that works 99% of the time out of the box — on SBS? Or, if there are engineered issues with the SP on SBS, a short/concise document that explains what they are and not the technobabble that typically accompanies a SPack release.

    It’s as if a whole industry has sprung up in direct relation to MS incompetence/indifference/laziness or all three of the above.

    All too often, we seem to look at these MS shortcomings as cute, folksy etc. This may have been fine back in the days of Standalone DOS where VisiCalc, Dbase and WordStar were really toys and not mission critical apps.

    These days if the SBS Server is down, whole businesses stop functioning.

    To my customers, SBS is as important as Ma Bell and the Electric Company to its survival. We would never tolerate such performance from our utilities and we should stop taking this garbage from MS.

    It is not fun to be looking at an error dialog box, or, service failed to start screen at 3:30PM on a Friday while you have had a client network already down for 2 hours of patching with the Small Business Owner looking over your shoulder and asking how everything is going.

    For you, or me to have to place SP2 in a VM and test it and get to know its nuances and to have a full backup and all tested and lastly have the box blessed by the pope before we install a patch or SPack it just isn’t right.

    If the server works before the patch, the patch should not break the server.

    OK. I’m done now and feel much better.