raytung
asked on
Patch installation via Novell ZENwork to Windows 2000 PCs
I have a Novell 5.1 LAN with ZENwork 2 installed. Recently a security patch has to be installed on all Win2k Pro. PCs. Usual practice is to create a ZENwork application and apply it to the PCs. However, I encountered problems when trying to replace some "protected" Windows system DLLs -- in this particular case, it is the file NTDLL.DLL.
I have set up a test PC (same config. as production one). I log on with the testing account, and checked that the ZENwork application has been distributed, with files pending to be replaced. Here are the registry keys which tell the OS to replace files on next reboot:
Under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager":
"AllowedProtectRenames"=dword:00000001
"PendingFileRenameOperations"=hex(7):5c,00,3f,00 ... 00,00
(when viewed with REGEDT32.EXE, it reveals:
\??\C:\WINNT\System32\NAL9.tmp
!\??\C:\WINNT\System32\NTDLL.DLL)
The file "NAL9.tmp" is located at the right place. After restarting the PC, the replace operation didn't take place; the file "NAL9.tmp" is still there, with "NTDLL.DLL" remaining unchanged. This makes me puzzled!!
Could anyone tell me how to fix this problem? Many thanks!!
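Added example (not part of the original post, nor Novell or Microsoft tooling): a decoder for the PendingFileRenameOperations value quoted in the question, for checking on a test PC exactly which replacements are queued for the next reboot. The sample bytes are constructed from the two paths in the question, and the system32 check is a heuristic assumption, not a list of protected files.

```python
import re

NT_PREFIX = "\\??\\"                  # NT object-namespace prefix seen in the value
SYSTEM_DIR = "c:\\winnt\\system32\\"  # system directory used in the thread

def strip_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path

def parse_reg_hex7(line):
    """Convert a .reg-style 'hex(7):5c,00,...' payload into raw bytes."""
    payload = line.split(":", 1)[1]
    return bytes(int(h, 16) for h in re.findall(r"[0-9a-fA-F]{2}", payload))

def decode_pending_renames(raw):
    """Decode REG_MULTI_SZ bytes into (source, destination, replace_existing)."""
    strings = raw.decode("utf-16-le").split("\x00")
    ops = []
    # Strings come in source/destination pairs; an empty destination means
    # "delete the source", a leading '!' means "replace the existing file".
    for i in range(0, len(strings) - 1, 2):
        src, dst = strings[i], strings[i + 1]
        if not src:                   # final terminator reached
            break
        replace = dst.startswith("!")
        dst = dst[1:] if replace else dst
        ops.append((strip_nt(src), strip_nt(dst) or None, replace))
    return ops

def audit(ops, allowed_protect_renames):
    """Describe each queued operation; flag system32 targets (heuristic)."""
    report = []
    for src, dst, replace in ops:
        if dst is None:
            report.append(f"delete {src}")
            continue
        line = f"{'replace' if replace else 'rename'} {dst} <- {src}"
        if dst.lower().startswith(SYSTEM_DIR) and allowed_protect_renames != 1:
            line += " (system32 target, AllowedProtectRenames not set)"
        report.append(line)
    return report

# Constructed sample mirroring the two strings shown in the question.
SAMPLE_RAW = ("\\??\\C:\\WINNT\\System32\\NAL9.tmp\0"
              "!\\??\\C:\\WINNT\\System32\\NTDLL.DLL\0\0").encode("utf-16-le")
SAMPLE_REG = "hex(7):" + ",".join(f"{b:02x}" for b in SAMPLE_RAW)

if __name__ == "__main__":
    for entry in audit(decode_pending_renames(parse_reg_hex7(SAMPLE_REG)), 1):
        print(entry)
```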
ASKER
Tried the tool suggested. No luck, not even when done locally with local Administrator.
The tool itself copies the source to a temp. name under C:\Temp and creates a key under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations" instructing to replace the files on next reboot. It didn't succeed, however.
Is it something to do with the file "NTDLL.DLL" itself?
Besides, I have 2000+ PCs hooked up in a Novell LAN and it would be impossible to go to every PC, logon as Administrator and apply the patch!!
BTW, is there a way to allow normal users to run the MS patch (ref. MS03-007) with local Admin. rights temporarily?
Thanks!!
Try downloading another copy of this patch, there were some issues with its initial launch. Some workstations would not even come up on reboot. So download the latest patch and try applying it. You may be able to use snapshot to deploy this one.
ASKER
Let me clarify the situation:
1. The patch itself can be installed using local Administrator on a Win2K PC;
2. I then use Novell ZENwork snapshot tools to capture the image of the changes to build a package for deployment;
3. The package itself involves copying files to certain locations and adding registry keys as described originally in my question;
4. After the package was deployed on a Win2K PC, I discovered that the file "NTDLL.DLL" wasn't being replaced at all;
5. I tried the tool "inuse" but it wasn't successful -- even with local Administrator account.
Now here's what puzzles me:
I had done similar things on some other MS patches and they all worked fine. So, is this something to do with the file "NTDLL.DLL" itself? Are there any alternatives to replace this file besides running the MS patch interactively with local Administrator account (this obviously is not practical when you have over 2000+ PCs to work on)?
And I cannot understand why running the patch itself is ok, while I deploy the changes via ZENwork is not. The critical files/keys have been put in the right place, but the file just wouldn't be replaced after reboot... I could have put a command to run the MS patch directly when users login, but then the patch itself cannot be run by non-admin. accounts...
HELP!!!
ZenWorks imaging did not capture all the registry changes. Is this the first time you have had a Snapshot fail? Download the executable patch and without a Snapshot, push it out with ZenWorks.
ASKER
Yes, I have worked on quite a lot of snapshots (you can imagine when MS releases patches from time to time) and all are working fine. Occasionally there will be some files that just couldn't be replaced after deployment (the ZENwork imaging tool did not capture all the registry changes as you said), but then when I added that key "AllowedProtectRenames" in the ZENwork application, it worked flawlessly.
I've also tried to distribute the patch itself and run on the PCs, but the user account has not enough authority to run the batch (no administrative rights), is there any way to bypass that to allow them to execute it?
Forgive me, as Zen 3.2 was the last version I worked with; it has been some time since I worked on Zen 2. Do you have an option to run the script as the system or with elevated rights?
ASKER
No, I don't think it has such an option, it only has edit boxes for Launch scripts (before / after) and Distribution scripts (before / after)
ASKER
I discovered a trick which finally makes it work!! I added a command in the "Run before distribution script":
#cmd /c ren c:\winnt\system32\ntdll.dll _03007_.tmp
which renames the DLL to some other name before the application is deployed; that way, the OS will use the new version of the DLL when it reboots. However, the downside is that the temp. file remains.
Thank you once again for all your help!!
Glad I could be of some help, hope you get to Zen 4 soon! You'll wonder what you have been doing. :)
Chmod... No objections. I am the only expert on this; could this be closed now?
Thanks MSGeek
ASKER
Thanks MSGeek for all your help and advice. Greatly appreciated!!
That's what it's all about. That guy helping you in the Novell section really knows his stuff, I have followed lots of his posts. Listen to him, he'll get you on the right track.
But my gut feeling is this will need to be done locally. You may as well upgrade to Netware 6 and Zen 4 while you're at it.