• Status: Solved

Patch installation via Novell ZENworks to Windows 2000 PCs

I have a Novell 5.1 LAN with ZENworks 2 installed. Recently a security patch has to be installed on all Win2k Pro. PCs. The usual practice is to create a ZENworks application and apply it to the PCs. However, I encountered problems when trying to replace some "protected" Windows system DLLs -- in this particular case, the file is NTDLL.DLL.

I have set up a test PC (same config. as production one). I log on with the testing account, and checked that the ZENworks application has been distributed, with files pending to be replaced. Here are the registry keys which tell the OS to replace files on next reboot:

Under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" :
"AllowedProtectRenames"=dword:00000001
"PendingFileRenameOperations"=hex(7):5c,00,3f,00 ... 00,00
(when viewed with REGEDT32.EXE, it reveals:
\??\C:\WINNT\System32\NAL9.tmp
!\??\C:\WINNT\System32\NTDLL.DLL)

The file "NAL9.tmp" is located at the right place. After restarting the PC, the replace operation didn't take place; the file "NAL9.tmp" is still there, with "NTDLL.DLL" remaining unchanged. This makes me puzzled!!

Could anyone tell me how to fix this problem? Many thanks!!
Asked:
raytung
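
For reference, an added example (not part of the original post) that decodes a PendingFileRenameOperations value like the one quoted in the question into the file operations it requests at the next boot. The sample data is constructed from the two paths shown above plus a made-up delete entry, and all function names are hypothetical.

```python
# Added example: decode a PendingFileRenameOperations value (REG_MULTI_SZ),
# given in .reg "hex(7):" form, into the operations queued for the next boot.

def strip_nt_prefix(path: str) -> str:
    """Drop the NT object-manager prefix \\??\\ for readability."""
    return path[4:] if path.startswith("\\??\\") else path

def decode_pending_renames(hex7: str) -> list[dict]:
    """Parse comma-separated hex bytes (UTF-16LE) into source/target pairs."""
    body = "".join(hex7.split(":", 1)[-1].split()).replace("\\", "")
    raw = bytes(int(b, 16) for b in body.split(",") if b)
    parts = raw.decode("utf-16-le").split("\x00")
    # The last string's NUL plus the list terminator leave two empty tail items.
    for _ in range(2):
        if parts and parts[-1] == "":
            parts.pop()
    if len(parts) % 2:              # source without a destination: a delete
        parts.append("")
    ops = []
    for src, dst in zip(parts[0::2], parts[1::2]):
        if dst == "":
            action = "delete"       # empty destination: remove the source
        elif dst.startswith("!"):
            action = "replace"      # "!" prefix: overwrite an existing target
        else:
            action = "rename"       # plain move, fails if the target exists
        target = dst[1:] if dst.startswith("!") else dst
        ops.append({
            "action": action,
            "source": strip_nt_prefix(src),
            "target": strip_nt_prefix(target) or None,
            # Flag operations touching system32 so they stand out in an audit.
            "system_file": "\\system32\\" in (target or src).lower(),
        })
    return ops

def to_hex7(strings: list[str]) -> str:
    """Build constructed sample data in the same hex(7) notation."""
    raw = "".join(s + "\x00" for s in strings).encode("utf-16-le") + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)

# Constructed sample: the pair from the question plus an invented delete entry.
SAMPLE = to_hex7([r"\??\C:\WINNT\System32\NAL9.tmp",
                  r"!\??\C:\WINNT\System32\NTDLL.DLL",
                  r"\??\C:\Temp\old.tmp", ""])

if __name__ == "__main__":
    for op in decode_pending_renames(SAMPLE):
        print(op)
```
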
 
MSGeek Commented:
Problem is those files are in use when you are trying to replace them.  You may be able to use something like http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/inuse-o.asp

But my gut feeling is this will need to be done locally.  You may as well upgrade to Netware 6 and Zen 4 while you're at it.
 
raytung (Author) Commented:
Tried the tool suggested. No luck, not even when done locally with local Administrator.

The tool itself copies the source to a temp. name under C:\Temp and creates a key under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations" instructing to replace the files on next reboot. It didn't succeed, however.

Is it something to do with the file "NTDLL.DLL" itself?
Besides, I have 2000+ PCs hooked up in a Novell LAN and it would be impossible to go to every PC, logon as Administrator and apply the patch!!

BTW, is there a way to allow normal users to run the MS patch (ref. MS03-007) with local Admin. rights temporarily?

Thanks!!
 
MSGeek Commented:
Try downloading another copy of this patch; there were some issues with its initial launch.  Some workstations would not even come up on reboot. So download the latest patch and try applying it.  You may be able to use snapshot to deploy this one.
 
raytung (Author) Commented:
Let me clarify the situation:
1. The patch itself can be installed using local Administrator on a Win2K PC;

2. I then use Novell ZENworks snapshot tools to capture the image of the changes to build a package for deployment;

3. The package itself involves copying files to certain locations and adding registry keys as described originally in my question;

4. After the package was deployed on a Win2K PC, I discovered that the file "NTDLL.DLL" wasn't being replaced at all;

5. I tried the tool "inuse" but it wasn't successful -- even with local Administrator account.


Now here's what puzzles me:

I had done similar things on some other MS patches and they all worked fine. So, is this something to do with the file "NTDLL.DLL" itself? Are there any alternatives to  replace this file besides running the MS patch interactively with local Administrator account (this obviously is not practical when you have over 2000+ PCs to work on) ?

And I cannot understand why running the patch itself is ok, while deploying the changes via ZENworks is not. The critical files/keys have been put in the right place, but the file just wouldn't be replaced after reboot... I could have put a command to run the MS patch directly when users log in, but then the patch itself cannot be run by non-admin. accounts...

HELP!!!
 
MSGeek Commented:
ZenWorks imaging did not capture all the registry changes.  Is this the first time you have had a Snapshot fail?  Download the executable patch and without a Snapshot, push it out with ZenWorks.
 
raytung (Author) Commented:
Yes, I have worked on quite a lot of snapshots (you can imagine when MS releases patches from time to time) and all are working fine. Occasionally there will be some files that just couldn't be replaced after deployment (the ZENworks imaging tool did not capture all the registry changes as you said), but then when I added that key "AllowedProtectRenames" in the ZENworks application, it worked flawlessly.

I've also tried to distribute the patch itself and run on the PCs, but the user account has not enough authority to run the batch (no administrative rights), is there any way to bypass that to allow them to execute it?

 
MSGeek Commented:
Forgive me as Zen 3.2 was the last version I worked with; it has been some time since I worked on Zen 2.  Do you have an option to run the script as the system or with elevated rights?
 
raytung (Author) Commented:
No, I don't think it has such an option, it only has edit boxes for Launch scripts (before / after) and Distribution scripts (before / after)
 
raytung (Author) Commented:
I discovered a trick which finally makes it work!! I added a command in the "Run before distribution script":

#cmd /c ren c:\winnt\system32\ntdll.dll _03007_.tmp

which renames the DLL to some other name before the application is deployed; that way, the OS will use the new version of the DLL when it reboots. However, the downside is that the temp. file remains.

Thank you once again for all your help!!
 
MSGeek Commented:
Glad I could be of some help, hope you get to Zen 4 soon!  You'll wonder what you have been doing.  :)
 
Chmod Commented:
Dear Expert(s),

A request has been made in Community Support to close this question:
http://www.experts-exchange.com/Community_Support/Q_20567057.html

If there are no objections, after 72 hrs, a moderator will finalise this question by:

- Saving this Q as a PAQ and refunding the points

Please leave any recommendations here.

Chmod
Community Support Moderator @Experts Exchange
 
MSGeek Commented:
Chmod... No objections. I am the only expert on this, could you close now?
 
Chmod Commented:
Thanks MSGeek
 
raytung (Author) Commented:
Thanks MSGeek for all your help and advice. Greatly appreciated!!
 
MSGeek Commented:
That's what it's all about.  That guy helping you in the Novell section really knows his stuff, I have followed lots of his posts.  Listen to him, he'll get you on the right track.