The Best Damn Windows Server 2003 Book Period- P66
The Best Damn Windows Server 2003 Book Period- P66: The latest incarnation of Microsoft’s server product, Windows Server 2003, brings many new features and improvements that make the network administrator’s job easier. This chapter will briefly summarize what’s new in 2003 and introduce you to the four members of the Windows Server 2003 family: the Web Edition, the Standard Edition, the Enterprise Edition, and the Datacenter Edition.
616 Chapter 18 • Deploying Software via Group Policy

When you select an extension, you also have to consider the order, since several applications can have the same extension for their main file. The Up and Down buttons determine application preference.

The Categories Tab

The Categories tab has the option to create categories so that published applications will be easier to find in the Add/Remove Programs applet from Control Panel. Figure 18.7 shows the Categories tab.

Figure 18.7 Categories Tab

The Add button allows you to specify new categories. Categories help in finding software installations for users. This is especially helpful when software is published so that users do not have to scroll through the entire list of available software.

Upgrading Applications

For most applications, there will occasionally be upgrades released to address issues with the existing version. The software deployment tools available with Group Policy allow you to maintain control over upgrades by linking the upgrade package together with the original application package. Figure 18.8 shows the Upgrades tab in the Properties of an application.

Figure 18.8 Software Upgrades Tab

The Upgrades tab shows you packages that this package will upgrade, while the bottom pane shows other packages that will be affected by this package. Use the Add button to associate this package with the package it is replacing. A good rule of thumb is to use version numbers or exact names with application upgrades to keep things easy to administer.

Generally, when software is deployed as an upgrade, the user is prompted to install the upgrade, or the user can choose to wait until later if he or she is busy and wants to delay the installation.

As we saw earlier, most software installation packages will come from the software manufacturer. These are known as natively authored packages. With natively authored packages, there can be a declared upgrade relationship between a package that is an upgrade and other packages. This is part of the database information that makes up a package. The package will know what previous versions it can upgrade and how to handle issues such as files that need to be deleted or kept.

The one catch is that a declared upgrade relationship only works with natively authored packages. With repackaged applications, you have to manually create the upgrade relationship using the Upgrades tab. This is done by clicking the Add button on the Upgrades tab and selecting the previous versions of those repackaged applications. Active Directory and Group Policy can use this information to upgrade the appropriate users or workstations.

Configuring Required Updates

You can use the Upgrades tab to specify whether an upgrade is required or optional. If you want to force users to use the most recent version of an application, you can put a check in the Required upgrade for existing packages box. This will automatically upgrade the users’ workstations the next time they run the application, or when the computer next reboots if the application is assigned to the computer.

A required upgrade is performed whether or not the user wants to upgrade. This is good for applications such as service packs, virus updates, patches, and so forth, and is desirable for productivity applications such as Office if you want to ensure that all users have the same version to make it easier to support and troubleshoot the application.

Removing Managed Applications

In some situations, you may want to discontinue the use of a particular software application in your organization. This might occur because you want to replace the application with a comparable product from a different vendor, and do not want to have some users working with one vendor’s product and some with the other’s.

Group Policy Software Installation gives you the ability to easily remove software that was deployed with Group Policy. In the GPO Editor, select Software Installation in the left pane, under either Computer Configuration or User Configuration, and locate the existing package in the right pane. Right-click the application name and choose All Tasks | Remove. This will invoke the Remove Software dialog box, as shown in Figure 18.9.

Figure 18.9 Remove Software Dialog Box

There are two removal methods available:

- If you choose Immediately uninstall the software from users and computers, the software will be removed the next time the computer reboots (if the application is assigned to the computer) or the next time the user logs on (if the application is assigned to the user). This is called forced removal, and automatically removes the software regardless of users’ wishes.
- If you want to leave the software on users’ workstations but prevent new installations of it, select the Allow users to continue to use the software, but prevent new installations option. Users who have it installed will still be able to use it, but no one will be able to install it.

You can select to have the application automatically removed if the GPO no longer applies to a user. To do this, you need to edit the Deployment tab of the application’s Properties dialog box. Check the check box labeled Uninstall this application when it falls out of the scope of management.

There is one other thing to remember about software removal. If you have a legacy application that requires the use of a .zap file, you will not be able to take advantage of the removal feature described previously. For the removal feature to work, you must use Windows Installer (.msi) packages to deploy the software.

Managing Application Properties

After packages are configured, you generally will not have to do much with them. However, there might be occasions when you need to edit an application’s properties. To do this, double-click the package in the right details pane of the GPO Editor, with Software Installation selected in the left pane, and select Properties. Figure 18.10 shows the resulting dialog box.

Figure 18.10 Application Properties

You are presented with six tabs that are used to configure various features, as follows:

- General: Allows you to rename the package display name and add a URL for support information if desired. Programmers can put contact and telephone information into the package, which will be displayed in those fields. This tab also provides information about the software, including a version number, the publisher’s name, language, and the platform on which the software is designed to run.
- Deployment: As discussed earlier, this tab indicates whether the software is assigned or published, as shown in Figure 18.11. This is also where you can select whether the application is to be installed by file extension activation (document invocation); this option is selected by default. Other deployment options include the ability to have the system automatically uninstall the application when it falls out of the scope of management, and the ability to prevent the package from being displayed in the Add/Remove Programs applet in Control Panel. You can also select to have the package installed at logon. This tab also allows you to choose the interface that the user will see during installation (basic or maximum). The Advanced button allows you to ignore language when deploying the package, and you can also select to make a 32-bit x86 application available to 64-bit Windows machines. Some advanced diagnostic information, including the product code, deployment count, and script name/path, is also provided in the Advanced Deployment Options dialog box.

  Figure 18.11 Deployment Tab

- Upgrades: As discussed previously, this tab contains upgrade information, including the name(s) of the package(s) that this package will upgrade, whether the package is to be a required upgrade that will be deployed regardless of the user’s wishes, and packages in the GPO that will upgrade this package.
- Categories: This tab allows you to associate the application with a category that is already configured, as shown in Figure 18.12. This is especially useful when you publish applications, as categories make it easier for users to find the applications within the list in the Add/Remove Programs applet. However, both published and assigned applications can be categorized.

  Figure 18.12 Categories Tab

- Modifications: This tab is used to associate transforms with the package, and control the order in which the transforms are applied to the package, as described in the section titled Adding and Removing Modifications for Application Packages later in the chapter.
- Security: This tab is used to control which users and groups are able to see and use the object in Active Directory, and define the level of access each has. Figure 18.13 shows the Security tab.

  Figure 18.13 Security Tab

By default, the permissions shown in Table 18.1 will apply.

Table 18.1 Default Active Directory Permissions When Adding Packages

User or Group                    Default Permissions
Authenticated Users              Read
Creator/Owner                    Read/Write
Domain Admins                    Full Control
Enterprise Admins                Read/Write
Enterprise Domain Controllers    Read
SYSTEM                           Full Control

Categorizing Applications

We mentioned that you can set up categories for your applications to make it easier for users to find the software they need. Categories are set up first. This is done within the Properties of Software Installation. If you right-click on Software Installation and go to Properties, there is a Categories tab.

Administering categories is simple. The Add button allows you to create a new category. You can name it however you want. Many organizations use department names or division names as part of their naming plan. The Modify button allows you to select an existing category and make modifications. The Remove button will remove a category.

Once the categories are created, the Properties of a package that is already set up will have a Categories tab also. This was shown in Figure 18.11 earlier. There is a list on the left of available categories, and the list on the right tells you what categories this application is set up for.

Adding and Removing Modifications for Application Packages

Often you will need more than one version of an application in use on the network, or even on a single machine. You may also need different features enabled for different users. Instead of creating a different package for each unique configuration of an application, you can use modifications, or transforms, to customize the package. To make a transform or modification, you must have the appropriate software. The packaging programs discussed earlier also can be used to create transforms based on a package.

To add and remove modifications, open the application’s Properties dialog box and click the Modifications tab. You can assign multiple modifications to a package. Use the Add and Remove buttons to add the appropriate .mst file to the list or to remove it, and use the Up and Down buttons to organize the various transforms within the package and control the order in which they will be applied.

Apply a Transform to a Software Package

When working with packages, you might have to apply a transform or modification to the original installation in order to customize the package. This can be because of .ini file changes, Registry changes, or other customization required by your organization. To complete this example, you need an existing .msi file and an .mst file. In this example, we will apply a transform to a package that is deployed to users at the domain level.

1. Open Active Directory Users and Computers and right-click the domain name. Click Properties.
2. Select the Group Policy tab, select the Default Domain Policy, and click Edit.
3. In the GPO Editor, navigate to the Software Installation node under User Configuration in the left console pane.
4. Right-click Software Installation, select New, and then select Package.
5. In the Open dialog box, navigate to the package (.msi file) you chose for this lab and select it. Click the Open button.
6. Select Advanced when asked about published or assigned. Click OK.
7. Click the Modifications tab.
8. On the Modifications tab, click the Add button and browse to the .mst file you chose earlier.
9. Click OK to apply the transform to the package.

The tricky part about working with modifications is that you must use the Modifications tab when you are initially setting up the package within the group policy. When you select Advanced when setting up a package, you are presented with the Properties dialog box for your application. If you select the Modifications tab, you will have the opportunity to click the Add button. However, if you select Assigned or Published and are not immediately presented with a configuration dialog box, you will not be able to add modifications. The Apply button will be grayed out.

Troubleshooting Software Deployment

An important part of any administrator’s job is troubleshooting. With software deployment, as with any other aspect of networking, sometimes things go wrong, and when they do, you need to know how to track down the source of the problem and correct it. The Application log in Event Viewer can be a helpful first step in diagnosing some common problems. Various types of Event Log error messages might be observed here:

- If you see a series of MsiInstaller messages in Event Viewer, you are experiencing a problem with the Windows Installer service. These errors can range from a permissions issue on the distribution point to a problem with the version of Windows Installer you have running on the workstation.
- Watch for Application Management messages. These sometimes can indicate the reason why an application didn’t deploy properly.
- Userenv is another source to look for that may give clues to why software installation failed.

Some common problems encountered with Group Policy software installation and possible methods of resolution include:

- Published application doesn’t show up in Add/Remove Programs
  - Check the Group Policy Object link. If there are filters configured or permissions have been changed, the policy may not be getting applied to the user, resulting in the software not showing up in Add/Remove Programs.
  - Use tools such as gpresult.exe and GPOTool.exe to further troubleshoot the group policy settings and their application to the workstation or user.
  - Check to see what categories are displaying. All Categories will show all available software for installation.
  - There is an option that, when marked, does not allow the application to display in the Add/Remove Programs control panel.
  - Directory replication not being synchronized can cause software not to show up until all domain controllers are up to date.
- Software installation not completed when assigned
  - Check the Group Policy Object link. Make sure there aren’t any conflicting Group Policy settings. When planning software installation via Group Policy you need to be careful when you have other policies at higher levels like Domain or OU. This can be especially true if you have the same package configured within multiple GPOs.
  - Check permissions on the GPO. Users or Computers must have Read and Apply Group Policy permissions on the GPO. To check permissions, you must right-click on the site, domain, or OU, select Properties, go to the Group Policy tab, and click Edit. On the Properties window of the group policy, the Security tab has the permission entries.
  - Check permissions on the distribution point (the shared folder where the .msi package is located). Users need Read and Execute permissions to the distribution point hierarchy.
  - Make sure the software is on a Windows 2003 Share. If you are in a mixed environment, putting shares on Windows NT 4.0 servers is not supported.
  - Double check that a group policy set for Computers is associated with the appropriate OU. The same thing applies to the group policy set for Users; if software installation is assigned to a user and linked to an OU with only Computer objects, then of course the result would not be successful.
- Name resolution problems
  - Name resolution is necessary for users to access the shares where packages are located, whether they are stored on a regular share or within a Dfs hierarchy. Ensure that your DNS servers are running properly. One possibility you should always check when it comes to Active Directory is whether the DNS server is overloaded. Ensure that it is responding to client name resolution requests properly. If name resolution ceases to function, many components of Active Directory will not work properly.

Verbose Logging

When you are experiencing serious application deployment problems, you can turn on verbose logging. This will create a special log file that records information about software installation and group policy application. To turn these features on, you must make a Registry change.
For software installation, make sure the following entry exists in the Registry:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
    DWORD Appmgmtdebuglevel = 0000009b

Turning this feature on will create an appmgmt.log located in the %windir%\debug\usermode\ folder. Only turn this feature on as needed, as it can create a large amount of overhead on the network.

You can also turn on logging for Windows Installer services. You also make a change in the Registry to turn this feature on:

    HKLM\Software\Policies\Microsoft\Windows\Installer
    DWORD Debug = 00000003

Setting this value will cause logging to happen for Windows Installer actions. The log created depends on the action itself. Two types of log files can be created: deployment-related or user-related. With a deployment-related action you will see a log created in %windir%\temp\msi*.log. This is because deployment-related actions run in the system context, so the system temp folder is used. A user action would include using Add/Remove Programs to install software. These log files end up in the user’s temp folder. The path would be %temp%\msi*.log.

Software Installation Diagnostics Tool

Another tool that you can use comes from the Resource Kit. This tool is Software Installation Diagnostics and can be used to gain additional insight into problems you may be experiencing. This tool is also a command-line tool; you have to open a command prompt to run it.

The file is called addiag.exe. You can type addiag.exe /? and receive a list of commands to become familiar with the tool. You can use this tool to print out information possibly related to problem deployments. It will also generate Event Log entries related to software installation.
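
For the distribution point permission check in the troubleshooting list above, here is an added PowerShell example (not from the book). It reports access entries that give anyone outside a trusted list more than the Read and Execute access the text calls for, which matters because deployment-related installs run in the system context. The function name, the share path and the trusted-principal list (including the constructed `CONTOSO` domain) are assumptions.

```powershell
# Added example (not from the book): report ACL entries on a software
# distribution point that let non-administrative principals change files.
# Assumptions: the share path in the usage line and the trusted-principal
# list are placeholders; 'CONTOSO\Domain Admins' is a constructed name.
function Get-WritableAce {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,
        [string[]]$Trusted = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'CONTOSO\Domain Admins'
        )
    )

    # Rights that allow altering, replacing or re-permissioning a package:
    # WriteData, AppendData, WriteExtendedAttributes, WriteAttributes,
    # DeleteSubdirectoriesAndFiles, Delete, ChangePermissions and
    # TakeOwnership (0x000D0156), plus the raw GENERIC_WRITE and GENERIC_ALL
    # bits (0x50000000) that Get-Acl can return unmapped on inherit-only entries.
    $changeMask = 0x500D0156

    # Check the root folder and everything beneath it, since users read
    # from the whole distribution point hierarchy.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $changeMask) -eq 0) { continue }

            # Anything reaching this point exceeds Read and Execute.
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (hypothetical share name):
# Get-WritableAce -Path '\\fileserver\packages' | Format-Table -AutoSize
```

This reads NTFS permissions only; share-level permissions on the same folder have to be reviewed separately.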
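
For the Verbose Logging section above, here is an added PowerShell example (not from the book). It sets the two Registry values exactly as the chapter gives them, removes them again once troubleshooting is done, and lists the log files from the three locations the chapter names. The function and variable names are this example's own.

```powershell
# Added example (not from the book): toggle the two diagnostic Registry values
# named in the text and list the log files they produce.
# Function and variable names are this example's own; keys, values and log
# paths are the chapter's.
$DeploymentLogSettings = @(
    @{ Key   = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics'
       Name  = 'Appmgmtdebuglevel'
       Value = 0x9b },
    @{ Key   = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
       Name  = 'Debug'
       Value = 3 }
)

function Set-DeploymentLogging {
    param([switch]$Off)
    foreach ($s in $DeploymentLogSettings) {
        if ($Off) {
            # Remove only the value; leave the key and other settings alone.
            if (Test-Path -Path $s.Key) {
                Remove-ItemProperty -Path $s.Key -Name $s.Name `
                    -ErrorAction SilentlyContinue
            }
        }
        else {
            if (-not (Test-Path -Path $s.Key)) {
                New-Item -Path $s.Key -Force | Out-Null
            }
            New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType DWord `
                -Value $s.Value -Force | Out-Null
        }
    }
}

function Get-DeploymentLog {
    $patterns = @(
        "$env:windir\debug\usermode\appmgmt.log",  # software installation log
        "$env:windir\temp\msi*.log",               # deployment-related, system context
        "$env:TEMP\msi*.log"                       # user-related installs
    )
    # Missing files are skipped silently; newest logs are listed first.
    Get-Item -Path $patterns -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, Length, LastWriteTime
}

# Usage, from an elevated prompt:
# Set-DeploymentLogging          # turn logging on, then reproduce the problem
# Get-DeploymentLog              # locate the resulting logs
# Set-DeploymentLogging -Off     # remove the values when finished
```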