I've had a strong mail from Jason Leznek, a Product Manager for WSUS at Microsoft, who is "concerned over the inaccuracies" in the article. He also demands that the mistakes get put right as quickly as possible. Since magazine articles are written a long time in advance (the WUS article that appeared mid-March was completed in early December '04), getting the errors corrected in the print edition is going to take some time. In the meantime, I'm happy to post these corrections both here in my blog and in the WSUS newsgroups.
There were three relatively trivial errors contained in the article:
1. The article suggested that SQL support was not included in WSUS. SQL is supported and I've seen two SQL patches already. But since installing one of them (MS03-031) my ISA Server firewall service no longer starts up automatically. Exchange is also meant to be supported in WSUS, but I've seen no Exchange patches yet and the Windows Server 2003 SP1 update has also not been seen yet. I still can't understand why MS won't support ALL mainstream MS products with this first release (aside from sheer inertia), but that's the way it is.
2. The article incorrectly stated that WSUS was not supported on the Windows Server 2003 Web edition. Web Edition is supported, although there are some minor restrictions for its use. See http://www.wsuswiki.com/WSUSRestritionsWith2k3Web for more details on using the Web edition for WSUS.
3. MS are also unhappy at my view that WSUS is not AD integrated. Jason points out that the Automatic Update client can get WSUS configuration from a Group Policy setting, for those computers that are members of an AD domain. So he's right, but up to a point. The WSUS server itself, however, is unaware of the AD. This means WSUS target groups are not obtained from AD, for example - the WSUS administrator has to create them manually. Additionally, the WSUS server does not get its list of machines from the Active Directory - WSUS only knows about those machines that have made a connection. This means that in a larger domain environment it's more difficult to determine which machines have never contacted the WSUS server and are therefore potentially unpatched - and initial client remediation remains a deployment issue for larger organisations. So while the AD client is AD aware, the server isn't - I can't really say that WSUS is AD-integrated the way that, for example, ISA Server or Exchange is.
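Because the WSUS server never sees the directory, finding machines that have never contacted it means comparing two inventories by hand. The sketch below is an added example, not part of the original article or any Microsoft tool: it reconciles a constructed AD computer export against a constructed WSUS client export. The CSV layout, host names and 30-day staleness threshold are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample exports (not real data); the CSV layout is an assumption.
AD_EXPORT = """dNSHostName,enabled
MAIL01.corp.example,True
web01.corp.example,True
FS02.corp.example,True
old-pc7.corp.example,False
hr-lt3.corp.example,True
"""
WSUS_EXPORT = """FullDomainName,LastReportedStatusTime
mail01.corp.example,
WEB01.corp.example.,2005-04-12T09:15:00
fs02,2005-02-01T03:00:00
lab-vm9.corp.example,2005-04-13T01:00:00
"""

def norm(name):
    """Lower-case, drop a trailing dot, keep the short host name.
    Short-name matching can collide across domains in a multi-domain forest."""
    return name.strip().lower().rstrip(".").split(".")[0]

def reconcile(ad_csv, wsus_csv, now, stale_days=30):
    # Only enabled AD accounts are expected to be patched.
    ad = {norm(r["dNSHostName"]) for r in csv.DictReader(io.StringIO(ad_csv))
          if r["enabled"] == "True"}
    wsus = {norm(r["FullDomainName"]): r["LastReportedStatusTime"]
            for r in csv.DictReader(io.StringIO(wsus_csv))}
    known = set(wsus)
    cutoff = now - timedelta(days=stale_days)
    report = {"never_contacted": sorted(ad - known),   # in AD, unknown to WSUS
              "registered_never_reported": [],         # known, no status yet
              "stale": [],                             # last report too old
              "not_in_ad": sorted(known - ad)}         # WSUS client, no AD match
    for host in sorted(ad & known):
        last = wsus[host]
        if not last:
            report["registered_never_reported"].append(host)
        elif datetime.fromisoformat(last) < cutoff:
            report["stale"].append(host)
    return report

if __name__ == "__main__":
    result = reconcile(AD_EXPORT, WSUS_EXPORT, datetime(2005, 4, 14))
    for bucket, hosts in result.items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The `never_contacted` bucket is the one the WSUS console cannot show on its own, since those machines have no record on the server at all.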
Having made these mistakes, the real question is whether I still feel that WSUS is a good product? Basically yes, although my enthusiasm is certainly not quite as high as it was earlier. WSUS is not as easy to use as I'd have liked, and client remediation still seems to be an issue (although the clientdiag.exe shipped with the RC does indeed help to resolve most of the easy issues). One example of usability issues I've seen is an AU client (which happens to be my mail server that is otherwise running just fine) which has registered with the WSUS server but has never picked up updates from WSUS. There are no error messages in WSUS, and the client diagnostic tool fails. I certainly feel some empathy for admins who want this to be a simple, simple, simple product. Maybe that's a point though - patching is not simple. But even so, WSUS is not as simple a product as I'd have liked. Another example of lack of ease of use of WSUS concerns the April updates, released yesterday - which I've just finished installing on my test network. In all the communication material I've seen from MS in the past 24 hours, each update is titled with the MSRC ID, e.g. MS05-19, MS05-20, etc. However the titles of the updates issued to WSUS only use KB numbers, with the MSRC IDs buried in the update's detail pages (which are slow to bring up). While you can open each patch individually, and work out the MSRC number, this is harder than it should be. Some more joined up thinking and communication about these updates sure would be useful, or the ability to add columns to the UI.
So should you go for WSUS? For smaller, all MS environments, it's appropriate, especially since WSUS is a free tool and it's miles better than SUS which it replaces. For larger, either all or mostly-all Microsoft environments, SMS is probably a better bet - it delivers a lot more functionality (albeit at a price) and the remediation approaches are well understood in the community. And for more heterogeneous environments, you may need to either run multiple products (using WSUS for your Windows systems) or look at some of the 3rd party tools on the market, since support for non-MS products and services is not included in WSUS and there are no formal released plans, thus far, for this to happen (at least that I'm aware of!). And if you do decide to take WSUS, be prepared for some up front work to get it up and running.
And finally - an apology for the mistakes made in the article. I'll try to get the next article proofread and edited better.