Review: Windows Server 2003 SP1

The chatter is back and louder than ever, it has nothing to do with homeland security or the threat of a dirty bomb, and any operative trying to decipher the caustic lingo might think the Sith are about to attack the Jedi. But all the talk about R2 and SP1 has nothing to do with the latest movie in the Star Wars trilogy or some suicidal maniacs hiding in caves somewhere. It's what technology specialists are worrying about since Microsoft released the first Windows Server 2003 Service Pack to manufacturing a few weeks ago, and then announced the first beta of Windows Server 2003 R2 available for download on May 6.

So why the heartburn? It's not that upgrades and service packs are looked upon with suspicion, fear or loathing by just about every Microsoft Certified Systems Engineer. They are, mostly out of fear, but it has more to do with the negative news of incompatibilities with critical systems that have now appeared, coupled with Microsoft's simultaneous announcement that it is planning to ship Release 2 of the same operating system by this fall. If there was ever a better excuse to put off a service pack, the portent of Release 2 would be it.

In my opinion, as a SP beta tester and keeper of a large Windows server network, you would not be inconvenienced if you waited for a couple of months before installing SP1 on your servers. If you are looking for a target, then shoot for the time Microsoft ships Release 2 (so tentatively named) towards the end of the year. By then, SP1 will be a much easier proposition for you and will have wider support from the independent software and hardware vendors. And by then it will have been stale dog food on the Redmond campus.

So why the notice to proceed with extreme caution,and in some cases not at all? For starters,SP1 went on a cyber-equivalent of the Atkins Diet by the time it was released. Microsoft cut the carbs to get the thing out the door. During the 18 months I was watching SP1 beta, features were peeled off so many times I thought it would release as a blank DVD. Let's examine some of the issues people are having with SP1.SP1 is not difficult to install. Like all service packs, applications and operating systems that are logo compliant, you can install it in a variety of ways -- from network shares, local CD drives, Systems Management Server (SMS), unattended installations, Windows Installer and Group Policy, bare bones RIS images with SP1 added in, and so on. Getting it on the system is easy . . . but hold your breath for what happens after restart.

Your first installation in a lab will likely be to a single standalone server already running the base OS from a CD. In this case, you'll either execute the installation files or run the Update.exe executable, which extracts the SP bits. The rest of the process is straightforward and your server is unlikely to befall any malevolence as a result of the upgrade. However, depending on what you were running on the server before the upgrade, what you experience after the fact may make you break out in a rash or stub your toe against the rack.If you installed to Small Business Server (SBS) as some attention-deficit techies have tried to do, then shame on you, because the current SP is meant for the full release of Windows Server 2003. (Shame on Microsoft, because it dumped SP1 bits into Windows Update and the SP found its way onto more than a couple of SBS servers passing by in the middle of the night. Microsoft corrected that "error" before many noticed.)

If you are installing to a server running an antivirus package, you will run into two problems as soon as the kernel is ready for calls. First, if you don't shut off the AV, it will freak out as it jumps onto the thousand of files pouring out of the service pack extraction process. That will not affect the installation; it will just take an eternity to extract all the files. Second, the antivirus, which scans at the low levels, is unlikely to work with the SP1 overhaul of the registry, file system, and other crucial layers. As of this writing, we are still awaiting news that our antivirus suites will get updates and patches that will allow them to continue to protect the servers under SP1. Until then, our production servers are off-limits for SP1. Also, antivirus is not the only low-level file system scanning software that has issues with SP1: Most backup software also has issues with the service pack. I run CA's Brightstor ARCserve, and the hanging problems I saw with this backup solution on SP1 are enough for me to pencil in a revisit at about the time the leaves start to fall again.

It's not only 3rd party or ISV software that has issues with SP1; many of Microsoft's own applications and products become insubordinate under SP1. For instance, a number of labs have reported that Exchange 2003 misbehaves on the SP1 platform. If Exchange is running well where it currently lives, then leave it be, especially if it's on a cluster with 3rd party high availability solutions like NSI-Software's Double-Take and GeoCluster. In any event, if you are looking for the added security features of SP1 you should not be eyeing the platform Exchange is running on . . . at least not yet. Your Exchange solution should be tucked away at the back of your network. Keep your front end servers and smart hosts in the frontline and in the DMZ.Talking about the DMZ, that's where my biggest disappointment currently lies. I have a number of ISA Server 2004 gateways and firewalls on my networks, many of them key in the protection of Exchange from all the rubbish floating around in cyberspace.

My favorite add-ins on ISA Server are a bunch of cyber-cop software suites from GFI Software. Thus, besides the native protection built in, the ISA Server installations are critical components in my enterprise information network. However, ever since I installed ISA Server the system locks up on me at least once a week. I have been on the phone with support, scanned the Internet for possible reasons, and replaced the hardware, network interface cards and more. Tests show it's something going on at the network layer, and the problems tend to materialize if the ISA Servers are used for VPN tunnels between the branch offices (which depend on RRAS for connectivity). It could also have something to do with the servers themselves. I was hoping the SP1 on ISA Server 2004 would fix this problem; but it will not work with ISA Server 2004 at all, nor many of the add-ins. To date, there is no news that ISA Server 2004 has any stake in the service pack that will allow it to stay up for longer.

Microsoft has released a flurry of patches since the release to manufacturing in March, so you should continue to check on your applications and 3rd party providers for pending patches to fix SP1 glitches. To its credit, Microsoft has managed to achieve a self-proclaimed 90 percent compatibility with SP1. My only problem is that it's not yet stable on my key servers, so that does not make me feel warm and fuzzy. If it does not yet work with ISA Server and Exchange, which thousands of companies depend on, then why would you care about the apps with which it does work?There are also issues with SP1 and Microsoft Operations Manager. At the beginning of April, Microsoft noted that SP1 was the cause of a failure in the MOM-to-MOM product connector. In other words, after installing SP1 on your MOM server, it would no longer connect to the other MOM management servers. This is a critical issue if you have a large MOM implementation comprising multiple management servers on the WAN. I go to bed at night counting on MOM to wake me up on any sign of trouble. The last thing I need to worry about is MOM taking a dive on some as yet unknown SP1 issue, leaving me to wake up in the morning to find the network and my job gone to hell.

You know you have a SP1-MOM incompatibility error when the MOM server throws an UnauthorizedAccessException. There is a tedious registry workaround for the problems but there is currently no freely available patch. On a large widely distributed network of MOM servers, this makes automatic updating to SP1 something to avoid until the hotfixes come down from the update services pike or from downloads.

All this does not make for a very positive outlook for the immediate application of the service pack. But your needs may be a little different, and you may be running on a new server that can reap the benefits of the SP enhancements. Or you may have a smaller installation that doesn't run into the compatibility problems, and figure you could use the security enhancements. So it may still make sense for you to install SP1. The additional security features, such as the Security Configuration Wizard are useful. The bulk of the security fixes are not readily apparent to the end users, and they are additives you cannot really see (but sure can feel if they don't agree with your applications).

Another word of advice is to not panic about the rumors that abound telling of hackers that are studying SP1 fixes and then writing Trojans and hostile worms to hit servers that have not been updated. The last thing you need to do is allow hacker chatter to dictate how you manage a network. One thing that's important to remember is that many of the critical security problems fixed in SP1 are for the most part already applied to your servers. These are immediately released with Software Update Services (SUS) and the Windows Update website and are provided in SP1 as a cumulative all-encompassing package. You'll see hotfixes even after SP1 is applied.SP1 took a long time to make. The beta programs started in earnest nearly two years ago and if Microsoft had not yanked some of the items it had promised to ship with SP1, it might have taken another six to eight months to release. This is a major disappointment for many administrators that were looking to some nifty features and applets in SP1 that were bound to make life a lot simpler. These "attractions" did not make it into SP1; instead Microsoft pulled them out and lined them up for inclusion in a new SKU of the Server product line, currently known as Windows Server 2003, Release 2 (R2).

If you were looking for promises like an integrated Group Policy Management Console -- which replaces the standard Group Policy Editor on domain controllers -- or the full VPN Quarantine feature called Network Access Quarantine Control (NAQC), then you will have to wait for R2. It's a pity because most of us in the Windows server community were hoping these tools would have been here more than a year ago already. So let's now have a look at Release 2 and why it might make sense for you to at least wait until R2 ships before installing SP1.One item to get out upfront is that R2 is not free software, unless you have recently purchased Windows Server 2003 with Software Assurance. R2 is a complete server product on its own: It comprises all the bits of the original 2003 operating system and then some. Many of the promises originally slated for SP1 are now only going into R2 (which -- you got it -- means that you may have to pay for what you thought was coming for free). Most importantly, out of the box, R2 with all its add-ons will incorporate SP1 and a lot more, because it is built directly on top of SP1 code. In other words, anything that SP1 chews up during the R2 beta cycle will make SP1 much more stable in six months time when a full suite of patches will be available for your old warriors. R2, for example, includes the next major release (Version 2.0) of the .NET Framework and ASP.NET (which we thought for sure we would get in SP1). Thus, R2 will be the platform of choice for new server installations ready and willing to run SQL Server 2005 and the new development technologies on the horizon, such as Team Foundation Server, for software development projects.

Now if you were sitting on the edge of your seat waiting for Network Access Protection (NAP), it's also been dropped from R2 and the NAP team has been taken off the Maalox. NAP will now debut with Longhorn, which means a wait until late 2006. However, the good news is that Microsoft is going to release Network Acces Quarantine Control (NAQC) in R2 this year. What is NAQC? Consider the current VPN nightmare scenario. When Windows clients connect to the corporate network from the road, the farmhouse, or the Internet Caf in downtown Kabul, the most you really know about the connection is the type of operating system talking to you. What you don't know is how the client has been configured, what service packs have been installed on it, what hot-fixes were applied and what antivirus and security software it is running. This is an open backdoor anyone can connect to. Under the protection of NAQC, if the client does not meet the policies published in a quarantine manifest, the client is rejected from full access to the network or kicked off. You can think of NAQC as the precursor to NAP, which will provide full-blown network access protection architecture for the next major release of Windows Server.

Release 2 also bundles an exciting upgrade to the immensely popular Windows SharePoint Services (WSS), now named Windows SharePoint version 2.0; the already released rights management bits (RMS); Identity Management Services; Active Directory Federation Services (ADFS, known before as TrustBridge); new scripting engine technology; the Common Logging File Systems (CLFS); File Server Migration Toolkit (FSMT); Interix and Network File System (NFS) support. Of course, Unix gets to stay connected to Windows a few more years, but NetWare has long since been kicked off the island. In the storage and file system areas, you'll be seeing more SAN support, the Storage Resource Management subsystem currently code-named "Corral." There are also improvements coming in replication (and about time too) as part of the so-called Branch Office File Replication services (FRS). There are some file and print management enhancements in line as well.

In sum, SP1 has released. It comes with some much lauded security fixes (many of them already on your servers from hotfixes), and it's a stable "patch" for your current operating system. But it may cause you to lose disaster recovery,anti-virus, ISA Server, Exchange 2003, and some operations management stuff. To upgrade to SP1 you also need to upgrade or patch a bunch of other products as well, such as AV and DR bits. That's no trivial pursuit.

The juicy bits you were hoping to get in SP1 did not make it. Instead they now go to R2, and if you don't have Software Assurance, you may have to pay for the additional CD that Microsoft is planning to ship with the new SKU. Still, if you're in any danger of running into SP1's known incompatibilities, you're probably better off waiting, no matter what R2 costs. It's no wonder much of the MSCE tooth grinding this past week is sounding like the chatter of suicidal maniacs lurking in some Afghan cavern somewhere.Jeffrey R. Shapiro is the co-author of Windows Server 2003 Bible (Wiley) and is an infrastructure architect who manages a large Windows Server network for an insurance firm.