Some questions:
-------------
* In order to help provide our services, we occasionally provide
information to other companies that work on our behalf. These
companies are required to keep this information confidential and
are prohibited from using it for any other purpose.
Question - We asked in the WGA forum what other info was provided and to
whom this was provided but didn't get a good answer. In secured
networks is this shared info more disclosed to the customer?
http://forums.microsoft.com/Genuine/ShowPost.aspx?PostID=593225&SiteID=25
--------------------
· *Secure zone:* In this scenario, the tool can activate
computers using MAK proxy activation. This assumes that the clients in
the secure zone do not have Internet access. The following two key
issues need to be addressed:
  · The computers must be discoverable (through Active Directory®
    directory service or Workgroups).
  · The tool has to make a call to the WMI services on the
    computer to get status and install MAKs and CIDs.
This requires the firewall to be configured to allow DCOM RPC traffic
through it. For more details on this, see "How to configure RPC dynamic
port allocation to work with firewalls" at the following URL:
http://support.microsoft.com/?kbid=154596
Question - Is this the same sort of connection that is needed to allow
for MBSA 2.0 to scan through firewalls? As at the present time with XP
sp2 and MBSA I cannot get a consistent scan.. the remedy is in the MBSA
FAQ http://www.microsoft.com/technet/security/tools/mbsa2/qa.mspx which
states that I need to use KB 902400...which is a security patch. In
order to install this with the proper flags (per my read) I have to
uninstall 05-051 and then redeploy it with the needed flags. I don't
remove security patches lightly... do you know if the same "Dcom" issue
will affect MAK proxy as I've seen with MBSA 2.0 through XP sp2 firewalls?
*Step 1: Review system requirements*
MBSA cannot scan a remote computer protected by a firewall unless the
firewall is configured to open the ports that MBSA uses to communicate
with the computer. The Windows Update Agent implements a remote scanning
interface based on DCOM. The account being used to scan must possess
local administrator rights. The computer must also be configured to meet
the following conditions:
• The Server service, Remote Registry service, and File and Print Sharing
  service must be running on the remote computer.
• The required ports must be open on the firewall.
• The Windows Update Agent must be installed and the Automatic Updates
  service must not be disabled.
Remote computer scans are performed using TCP port 135, a dynamic or
static DCOM port, and ports 139 and 445. Where a firewall or filtering
router separates two networks, TCP ports 135, 139, and 445 and UDP ports
137 and 138 must be open in order for MBSA to connect and authenticate
to the remote computer being scanned. You must allow these ports to be
open on the remote firewall if a personal firewall is being used.
*Note:* The use of DCOM for remote scanning through Windows Firewall on
all versions of Windows XP may require a post-SP2 hotfix as described in
Microsoft Knowledgebase article 895200, "Availability of the Windows XP
COM+ Hotfix Rollup Package 9". Customers may now obtain this fix by
installing the COM+ update (KB 902400) using these procedures:
1. Download the update from
   http://www.microsoft.com/downloads/details.aspx?FamilyId=20F79CE7-D4DB-42D7-8E57-58656A3FB2F7
   on the Microsoft Download Center.
2. Copy the update to the computer you are updating and open a command
   prompt on that computer.
3. Run the update using the command line options described in KB article
   824994 (specifically, the /B:SP2QFE command line option). Doing this
   will install all of the Windows XP COM+ Hotfix Rollup Package 9 fixes,
   in addition to the fixes released in the security bulletin MS05-051.
Question - Also are there specific ISA rules/configurations that need to
be addressed?
---------------
FYI for those - this caused some concern that they had taken away "full
boot" VL images... you may need to request media if you want to do a
true clean install image with a qualifying XP license around. They are
still there.. you just have to request them:
Volume License Product Use Rights require that you have a previous
qualifying operating system license for each copy of Windows Vista you
deploy. The default 32-bit Volume License media are upgrade-only and are
not bootable[1]. You must first boot a previous version of
Windows and then run the setup to install Windows Vista. Bootable media
is also available on request through your Volume License portal.
------------------------------------------------------------------------
[1] 64-bit Volume License media are not restricted in this
way, since there is no supported upgrade path.
-----------------
From the I did not know that...
The Windows Anytime Upgrade (WAU) program allows a Windows Vista
Business user to purchase an upgrade directly from Microsoft by clicking
the Windows Anytime Upgrade link in *All Programs* and *Extras and
Upgrades*. This link and the program are only provided in Windows Vista
Business editions because both volume-licensed and retail versions of
this product are available (unlike Windows Vista Enterprise, which is
only sold as a Volume License version).
-----------------------------
You need more screen shots :-) That has "build me a wizard written all
over it" for us lazy SBSers :-) Big server land... I'd be setting up a
Vista lab and testing this stuff out.
I know someone said there was a Vista beta activation newsgroup but is
it rolling over to RTM public newsgroup? Given that some of my key
business critical 'parts' for Vista are still not in place (ISA client
and my Cingular connection manager software is flakey) businesses that
do VLs need to look at this and set up labs for this. While it's a good
whitepaper (it would have been better with more screen shots ;-) ) there
is still an administrative cost to Vista VLs that I would argue XP sp2
never had that does need to be considered. WGA/OGA/VGA -- while I
totally and utterly understand the need, it's still a bit of a change
that needs to be communicated well (and us SBSers have had product
activation on our Servers for eons... so it's not new down here to have
product activation... in fact I had gotten so used to SBS's setup that
when I was setting up some "big server land" stuff and they asked "so
how many cals you got?" I think I fell out of my chair, and said "Oh
yeah, that's right, they trust you guys to be honest? Wow! Amazing!")
If you poke around the WGA forum...there's a lot of VL keys that end up
on the streets and shouldn't be out there.
.... oh and have I said it needs more screen shots? :-)
http://www.microsoft.com/downloads/details.aspx?FamilyID=9893f83e-c8a5-4475-b025-66c6b38b46e3&DisplayLang=en
Laura A. Robinson wrote:
You know, there's one thing I may have forgotten to mention- there's a
good whitepaper on this.
:-P
Laura
------------------------------------------------------------------------
*From:* [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] *On Behalf Of *MikeM
*Sent:* Saturday, December 09, 2006 12:10 AM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] OT: Vista Activation and KMS
So Laura, correct me if I'm wrong, but are you suggesting we read
the white paper?
Seriously, thank you for all of the input on this matter.
-MM-
12/8/2006 12:53 PM
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/