30 January 2008

For SysAds: WSUS Tips

If you're running a Windows network of more than 3 or 4 workstations, you definitely should consider installing and using the free utility that Microsoft has created to automate applying Windows updates across network computers: Windows Server Update Services, or WSUS. Many system administrators drop the first 's' when pronouncing this acronym. But don't be fooled: WSUS is no wuss when it comes to pushing out updates to large networks.

Microsoft released WSUS 3.0 last year, and you may prefer its faster snap-in console format to the previous web-based format. You may, however, wish to stick with WSUS 2.0 if you want to administer WSUS from many different locations, even though 2.0 lacks some of the handy new features 3.0 has.



-=-=-=-=-=-=-

WSUS is easy to install on one of your servers, but it can get a bit tricky when you're trying to get WSUS to "see" and "talk with" all of your workstations. This is the technique I have used to ensure that WSUS finds every workstation on the domain:
  1. In the group policy object (GPO) that you created for WSUS, go to Computer Configuration/Administrative Templates/Windows Components/Windows Update and make sure you have enabled the option "Enable client-side targeting". Then create a "Target Group Name" for that WSUS server.


  2. In the WSUS 2.0 console, under Options / Computers, change to the other option: "Use Group Policy or registry settings on computers" to specify how to assign computers to groups. In WSUS 3.0, go to Options in the left pane, then Computers, and select "Use Group Policy or registry settings on computers".


Now it will pick up all domain computers that receive your WSUS GPO...and have the most updated version of the Windows Update client installed. So if you find that there are still some workstations out there that aren't getting picked up by WSUS, and you know that they're getting the GPO, then you need to update the Windows Update client (wuauclt.exe) on each of them.

The simplest way to do this is:

  1. Log into that machine as an admin, right click on My Computer and select Properties.

  2. Click on the Automatic Updates tab, then click on the text towards the bottom of the window that says Windows Update Web site. (On a Vista workstation, click Windows Update in the bottom left of the window, then click on the text that says Get updates for more products.)

  3. The Windows Update website pops up. The first thing it does is check to see if you have the most current version of Windows Update client installed on your PC. Allow it to run this check and accept all recommendations for updates. If it asks you if it can install something, click Install or Install Now. You may need to allow it to run an ActiveX control first.

  4. When you see "Welcome to Windows Update", you know that you now have the latest version of Windows Update client installed. (On Vista workstations, you will see "Microsoft Update was successfully installed.")

  5. The website may suggest that you upgrade Windows Update to Microsoft Update. You can do this too, as it provides the ability to update other Microsoft software such as Office, but it is an optional step in this process.

Hopefully, after all this, your WSUS server will finally see all of your workstations.

But if not, you've got one last shot. Go to the workstation that your WSUS server can't see and do the following:

  • Open up a DOS window and at the prompt, type in:
        wuauclt.exe /detectnow
    This forces the WSUS server to detect this workstation right away.
  • Or if that doesn't work, try:
        wuauclt.exe /resetauthorization /detectnow
    According to Microsoft, this "expires" the local cookie that it gets from WSUS and then phones home.

-=-=-=-=-=-=-

Speaking of wuauclt.exe, there are apparently a number of undocumented switches that you can use with wuauclt.exe at the command line. If this interests you, you can read more about them here.

-=-=-=-=-=-=-

Finally, a word of advice about how to deal with WSUS to update your servers. Many SysAds are afraid to use WSUS on their servers because it has been known to automatically reboot servers once approved patches are applied. There are plenty of horror stories like this on the web; certainly, you don't want your production servers rebooting in the middle of a business day or during a backup, and obviously you don't want servers rebooting without prior scheduling and notice to your users.

The problem is that even with the "No auto-restart" toggle enabled in the WSUS GPO, servers can still automatically reboot under certain circumstances. This toggle will only prevent auto-restart if a user is logged in. If no user is logged in (typical for servers), then it will still auto-restart.

This is how you can use WSUS to update your servers without fear of auto-restarts:

  1. Make a completely separate WSUS GPO for your servers. (I actually have set up separate WSUS GPOs for "Test Servers" as well, so that Server 2003 patches can be tested on non-essential servers before patching them to production servers.)
  2. Start by configuring this "Servers" WSUS GPO exactly the same as your "Workstations" GPO.
  3. Then, under "Configure Automatic Updates", use Automatic Updating level 3 ("Auto download and notify for install") rather than 4 ("Auto download and schedule the install").
  4. Ensure "Target group name for this computer" is set to a distinct name, such as "Servers".
  5. Then ensure "Allow Automatic Updates immediate installation" is set to Disabled.
  6. Now set "Reschedule Automatic Updates scheduled installations" to Disabled.
  7. Finally, ensure "No auto-restart for scheduled Automatic Updates installations" is set to Enabled...just to be safe, even though we know it's only going to work half the time!

Apply this server-specific WSUS GPO to the OU where your servers are located. You will begin to see servers appear in their own group in WSUS. (The group will be named whatever name you specified in step 4 above.) Once they are in that group, you can begin to see what updates are already installed and what updates need to be installed on each server.
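To confirm that a server really received these settings (and, as with the workstation troubleshooting earlier, that its client-side targeting group was delivered), you can read the policy values the GPO writes to the registry. The PowerShell below is an added example, not part of the original post. It assumes the standard Windows Update policy value names under HKLM\SOFTWARE\Policies and the sample group name "Servers"; the function name Test-WsusPolicy is made up for this illustration.

```powershell
# Added example, not from the original post. Requires PowerShell 3.0 or later.
# Value names are the standard Windows Update policy registry values; the
# expected data mirrors steps 3-7. 'Servers' is the sample group name from step 4.
$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU = "$WU\AU"

$ServerProfile = @(
    @{ Path = $WU; Name = 'TargetGroupEnabled';            Want = 1;         Setting = 'Enable client-side targeting' }
    @{ Path = $WU; Name = 'TargetGroup';                   Want = 'Servers'; Setting = 'Target group name (step 4)' }
    @{ Path = $AU; Name = 'UseWUServer';                   Want = 1;         Setting = 'Use the intranet WSUS server' }
    @{ Path = $AU; Name = 'AUOptions';                     Want = 3;         Setting = 'Download, notify for install (step 3)' }
    @{ Path = $AU; Name = 'AutoInstallMinorUpdates';       Want = 0;         Setting = 'Immediate installation disabled (step 5)' }
    @{ Path = $AU; Name = 'RescheduleWaitTimeEnabled';     Want = 0;         Setting = 'Reschedule disabled (step 6)' }
    @{ Path = $AU; Name = 'NoAutoRebootWithLoggedOnUsers'; Want = 1;         Setting = 'No auto-restart enabled (step 7)' }
)

function Test-WsusPolicy {
    param([hashtable[]]$Checks = $ServerProfile)
    foreach ($check in $Checks) {
        $name   = $check.Name
        $props  = Get-ItemProperty -Path $check.Path -ErrorAction SilentlyContinue
        $actual = if ($props) { $props.$name } else { $null }   # $null when key or value is absent
        if ($null -eq $actual)           { $status = 'NOT SET' }
        elseif ($actual -eq $check.Want) { $status = 'OK' }
        else                             { $status = 'MISMATCH' }
        [pscustomobject]@{
            Setting = $check.Setting; Value = $name
            Expected = $check.Want;   Actual = $actual; Status = $status
        }
    }
}

$results = Test-WsusPolicy
$results | Format-Table -AutoSize
# AUOptions = 4 (schedule the install) is the mismatch that matters most here:
# it is the level that lets an unattended server install and restart by itself.
if ($results | Where-Object { $_.Status -ne 'OK' }) {
    Write-Warning 'Policy does not match the server profile; check GPO links and run gpupdate /force.'
} else {
    & wuauclt.exe /detectnow   # same command as in the post: report in to WSUS now
}
```

Run it in an elevated PowerShell session on the server itself. A "NOT SET" row usually means the GPO is not linked to that server's OU or has not been refreshed yet.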

When you decide to install a particular patch/update, you can simply approve it for your Servers group. WSUS will automatically upload the patch(es) to each server, but it will not install them. You will need to log in to each server and manually install the patches. That may seem like extra work, but it ensures that you control when the server reboots following applied updates.

Even though you have to manually do the actual install, WSUS is still helpful in this scenario for two reasons:

  • It still automates the downloading of update files to each server from microsoft.com or WSUS -- this is still a huge time savings!
  • WSUS gives you clear, comprehensive, up-to-the-minute data on what updates are installed on each server and what updates each server needs

We have operated in this framework in our organization for the past 6 months and have found it to be very successful.

09 January 2008

Some Advice About Inkjet Printers, Part 3

I have doled out a lot of verbal advice over the past few years related to inkjet printers: which ones to buy, when to replace the cartridges, when to replace the printer you've got, and so on.

This is Part 3 of a three-part series of Tech Tips focusing on inkjet printers. If you missed Parts 1 and 2, click here to read from the beginning.


7. When buying an inkjet printer, consider a model that loads paper from the top.

Inkjet printers, like all other types of printers, load paper in different ways. The two predominant ways are from the top, like a typewriter, and from the bottom, like a photocopier. Although bottom-loading printers may be more aesthetically-pleasing, since the paper tray is underneath the printer and out-of-sight, the top-loading style has better long-term reliability.

Top-loading printers work with the force of gravity to pull the paper into the machine. Bottom-loading printers, on the other hand, have to pull sheets of paper against the force of gravity. The pulling is done by a series of rubber rollers. These rollers harden and lose their ability to grip the page over time, and they are usually first to fail on bottom-loading inkjet printers.

While rollers like these are a cost-effective and somewhat routine fix for laser printers, they are neither cost-effective nor routine for inkjet printers. If your bottom-loading inkjet printer begins to have trouble loading paper, its days are probably numbered. By comparison, a top-loading inkjet printer tends to see longer roller life, and even when the rollers wear out, gravity can help them along. You can often coax life out of a top-loading printer with failing rollers simply by "retrying" print jobs until the paper finally feeds, thanks to gravity. Bottom-loading printers do not have the same benefit.

8. When printing photos, brand of paper really does matter!

I mentioned earlier in this 3-part series that you do have a choice of brand when it comes to ink. However, if you plan to print high-quality photos (glossy or matte), you may be better off shelling out the money on the printer-brand ink and paper.

Yes, that's right: the brand of paper actually matters. I can't tell you what the physical differences are between brands of paper. I can't elaborate on the physics or chemistry of Epson ink and Canon paper. But I will offer a brief, marginally-thrilling true story as a word of caution.

Until not long ago, I owned a Canon inkjet printer capable of photo printing. In the early years, I always used Canon ink and Canon paper and found the photo results to be consistently impressive. While the colors on the photo that came out of the printer weren't exactly the same as those on the photo you saw on the screen, they were fairly close. Given that my monitor was never calibrated professionally, what you saw on the screen wasn't necessarily any less accurate than what you got on the page.

After a couple of years using the Canon and loving the photo output, I found a good deal on some generic photo paper at a computer show and brought some home. Guess what the results with the new paper were? Awful. The ink actually failed to sink into the page completely, instead pooling on top of the paper in big droplets. Unacceptable quality. I assumed that what I had was bargain-basement paper, and I got what I paid for.

Then about a year later, I picked up some Staples brand and some Kodak brand inkjet photo paper. Cue the printing problems a second time. Photos that looked great on the screen were coming out completely wrong on the page. Horribly wrong: green skin tones, oversaturation, overly-dark and under-contrasted colors. Even the Kodak paper yielded poor results no matter what printer settings I used. Painstakingly trying every photo paper setting and color processing setting in the Canon printer settings, nothing would work. I probably wasted an entire package of expensive photo paper and tens of dollars worth of ink trying to figure out what the problem was.

I thought for sure my printer was slowly dying, yet when I later tried again using Canon paper, the photos came out clear and accurate. It was then that I realized that I needed to purchase paper made by the same company that made my printer. I'm not sure if the poor results are the natural result when you disturb the delicate, engineered chemical balance between Canon ink and Canon paper, or simply another deliberate boardroom-hatched plot by Canon to force you to buy their expendables. Either way, if photos are what you're trying to make, you'll probably want to just shell out the extra bucks and save yourself a few headaches.

9. The best way to avoid all these inkjet headaches? Buy a laser printer. Seriously.

After reading three weeks of pure vitriol from me on the topic of inkjet printers, it should be no surprise to you that my final piece of advice to you is simple: avoid purchasing an inkjet printer if you can.

In the '80s and early '90s, those of us who had home computers used dot-matrix printers -- those noisy, slow printers that boasted lame features like "Near Letter Quality". They were the inexpensive home alternative to the expensive laser printers that were blossoming in the workplace. Late in the decade, inkjet printers took the baton from dot-matrix printers, offering silent operation, superior resolution, and even the ability to print photo-like images. At the time, inkjet printers were a boon for all of us, as laser printers were still prohibitively expensive for most home use.

In recent years, however, laser printers have come down so far in price that they now must be considered by any home user. The local big box store carries black-and-white laser printers for as little as $80, and color laser printers now can be found for as little as $250.

Think that a laser printer for your home PC is overkill? Think again:

  • Laser printers are far more durable than inkjet printers. In my workplace, I can count several HP LaserJet 4 laser printers still in use today. These printers were manufactured circa 1994.....fourteen years ago.
  • Laser toner cartridges cost more than inkjet ink cartridges, but they last many times longer. So much longer, in fact, that it is actually much cheaper, page for page, to print on a laser printer than on an inkjet printer. Need an example? We had an Epson Action Laser printer in our family that was purchased circa 1993. When I threw it away about 18 months ago, it was still working -- and more importantly, it was still on its original toner cartridge, more than a dozen years later! That one toner cartridge lasted so long that it long outlived its production run at Epson.
  • Ask yourself if you really need color at home. If you don't do photo printing, you probably don't need it, and can find a B&W laser printer for about what you'd pay for an inkjet printer.
  • Don't forget that laser printers reign supreme at printing text. Inkjet text printing has come a long way over the years, but laser text printing still looks as good as a page out of a textbook. Line drawings, sheet music, logos, and other vector-based artwork also look superior when printed out on a laser printer.

When my Canon inkjet printer finally died, I decided I'd had it with inkjet printers and made the leap to a color laser printer. After months of comparison shopping, I settled on the Brother HL-4070CDW. I couldn't be happier with it. Not only does it print the usual laser-sharp text and graphics, plus very good photos, but it is "fully-duplexed", allowing it to print on both sides of the page automatically. (A good idea for those of us trying to save a few trees...and a few dollars while we're at it.) The printer has a built-in network interface like most laser printers, but what really sets this one apart is that it also has a built-in wireless network interface. Now, I can locate this printer anywhere in my home that I want, and any computer in the house can print to it wirelessly. That's nice if you have a good-sized house and want to locate the printer in a central location like the kitchen, but your wireless router is upstairs in the home office.

In conclusion, while we all thought that computers would someday lead us to a paperless society, the proliferation of inkjet printers has only proven the opposite to be true. We like to make hard copies of what we see on the screen, and we like to make lots of them. But we don't often think about how much each page of printing costs us. So it's very important to take the time to buy the right printer for your PC.

Just remember this:

  • Cost of gasoline.......................$3 per gallon
  • Cost of Starbucks coffee........$32 per gallon
  • Cost of inkjet printer ink.......upwards of $8000 per gallon