Windows 2000 Service Pack 3 (SP3), the long-awaited upgrade that Microsoft released this summer, is 145MB in its expanded form, containing more than 1000 code fixes in 1670 files. In addition to the usual laundry list of bug and security fixes, SP3 improves Win2K performance and functionality in several areas. The service pack also offers several installation options to fit your environment.

Top Improvements
Primary SP3 enhancements include a more robust Win2K Server Terminal Services and a new model for allocating and managing temporary Terminal Services licenses, enhanced File Replication Service (FRS), better USB device recognition and operation, more reliable Novell NetWare interoperability, and the new Automatic Updates feature. In addition, SP3 provides several worthwhile enhancements to various Win2K components. Microsoft has also released companion updates for Win2K Support Tools and Deployment Tools.

Terminal Services. SP3 includes 41 Terminal Services bug fixes—6 to correct blue screens, 5 to correct problems when Terminal Services clients attempt to print to a network printer, and several to address network, desktop, and logon and logoff problems. Equally important, the service pack provides a new model for assigning temporary Terminal Services Client Access Licenses (TSCALs) and recycling expired TSCALs.

After SP3 installation, Terminal Services assigns a temporary 90-day TSCAL when a machine connects for the first time. If the same client logs on again, Terminal Services assigns a full TSCAL (as long as a valid license is available). The new model prevents Terminal Services from allocating permanent licenses to machines at which Terminal Services users mistakenly log on.

Even better, when a licensed Terminal Services client machine fails, you no longer need to call the Microsoft Clearinghouse to recover the lost TSCAL token. (Versions earlier than SP3 store these tokens on the client, so the tokens are lost if that system's hard disk fails or if you take the machine out of service.) Each TSCAL now has an expiration period of between 52 and 89 days. When a TSCAL is within 7 days of expiring, Terminal Services connects to the license server and renews the license for another 52- to 89-day period. If the license server doesn't respond, Terminal Services attempts to renew the expiring license each time the client logs on. If the license expires, Terminal Services returns it to the available pool. With this model, when a system suffers a hard disk failure or other disaster, Terminal Services assigns a 90-day temporary TSCAL to the replacement system, one day longer than the maximum 89-day full TSCAL period. After 89 days, the original license on the failed machine is available for reuse and can be assigned to the replacement system.

FRS. Robust and reliable file replication is crucial in a large distributed network. SP3 includes an earlier standalone update in which Microsoft addressed several FRS weaknesses and problem areas.

With this update, FRS obtains replica sets serially from partner systems, a process that reduces the time and resources that FRS requires to obtain replica information. The updated version also uses a new algorithm that lets FRS continue to replicate files when the staging area is 90 percent full. The algorithm permits the service to delete staging files until the amount of consumed space drops below 60 percent of the staging area's capacity, which is 660MB by default.

The update also increases the default FRS journal size to 128MB. The larger size reduces the frequency of journal overwrites and the need for nonauthoritative Active Directory (AD) restores. In earlier Win2K versions, you need to use the most recent backup to restore a domain controller (DC)—in other words, perform a nonauthoritative as opposed to an authoritative restore—and to recover from FRS-replication problems. Now, FRS lets you change the staging path without first requiring a nonauthoritative restore. To change the staging path, stop FRS, move the files, and restart FRS. And instead of automatically initiating a restore, FRS writes a message in the FRS event log stating that the restore is required, so you can schedule the restore at your convenience.

The update also eliminates an SP2 bug that cropped up when FRS attempted to replicate compressed files. If you have a large replication infrastructure, these improvements alone justify upgrading to SP3.

USB devices. USB devices have been problematic since Win2K's initial release. Among SP3's USB-related fixes, one eliminates a long delay in recognizing a USB keyboard and USB mouse at startup, a second prevents a deadlock that USB devices cause when a system resumes from standby, and a third eliminates a system hang that occurs when you connect or remove a USB camera. SP3 also corrects two USB-related blue screens: one that crops up when you plug in a serial USB device while the system is running and a second that occurs when you try to install Win2K from a USB CD-ROM. SP3 lets you copy—without errors—more than 4KB of data from a USB device to another device on the system. Be aware, however, that systems with a USB keyboard and a PS/2-style mouse still have a problem: The OS on such a system can take as much as 1 hour after booting to recognize this combination of devices. If you can avoid this hardware combination, do so. If not, you can obtain a bug fix from Microsoft Product Support Services (PSS).

NetWare interoperability. SP3 improves three NetWare-interoperability components: Client Services for NetWare (CSNW), Gateway Services for NetWare (GSNW), and File and Print Services for NetWare (FPNW). The update eliminates tedious delays when clients browse for or open a file on a NetWare server, corrects an erroneous error message that pops up when clients delete a file in a NetWare system­hosted My Documents folder, and ensures that the My Documents directory refreshes correctly. If you manage a mixed Win2K/NetWare environment, you'll appreciate fixes that eliminate a CSNW print-based access violation, let you change the default settings on a GSNW-hosted printer, and let you better administer FPNW clients in AD. SP3 also lets CSNW clients use different accounts to log on to Win2K and NetWare and to successfully change NetWare passwords, regardless of password length.

Automatic Updates. Automatic Updates is the only completely new feature in SP3. You can't easily exclude this feature during an upgrade, so unless you get creative, this component will be part of every Win2K SP3 system. If you keep your systems current by regularly visiting the Microsoft Windows Update Web site, you'll appreciate the automatic performance of this task.

SP3 installs two new services that support update activity—the Automatic Updates service and the Background Intelligent Transfer Service (BITS)—and adds the Control Panel Automatic Updates applet. When enabled, the Automatic Updates service scans for new crucial hotfixes every 22 hours plus a random offset; the BITS service downloads crucial updates from the preferred update server. You can configure Automatic Updates' behavior locally, through the Automatic Updates applet, or through Win2K Group Policy. You must log on with an Administrator account to use either method. When you use Group Policy to configure update behavior (as the Web-exclusive sidebar "Configuring Automatic Updates Through Group Policy," http://www.winnetmag.com, InstantDoc ID 27114, explains), you can choose to redirect the client from the Microsoft Windows Update Web site to an internal Software Update Services (SUS) server. Using a SUS server gives you the option of selecting, testing, and verifying that updates function correctly before you distribute them throughout your organization. You can download the SUS server software and related white papers at http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp. Be aware that the SP3 documentation incorrectly states that Automatic Updates is disabled by default. This feature isn't enabled in the Group Policy Windows Update template but is enabled locally in the Automatic Updates applet.

Additional highlights and tools. SP3 also includes useful updates to several Win2K components. Notable changes include the following:

  • License Manager no longer assigns a permanent license to a computer account (i.e., machinename$) when a system connects to SYSVOL for a policy download or to a server to obtain a software update. Eliminating bogus licenses should make the database more accurately reflect the actual number of users. You might consider cleaning out the database before you upgrade so that you start fresh with SP3. To do so, you can manually delete old computer and user accounts or you can delete License Manager's three database files on all DCs. See the Microsoft article "How to Reset License Manager Information" (Q153140, http://support.microsoft.com) for instructions about purging the database on all systems on your network.
  • NT Backup no longer fragments a disk when you restore a whole volume.
  • Crashdump works on systems with more than 4GB of memory.
  • A VPN user must authenticate before the user can change his or her password.
  • Hewlett-Packard (HP) multifunction printers no longer use 100 percent of the CPU when spooling to a print file.
  • AD uses an urgent replication technique to push account-unlock events and password changes immediately to the PDC and other DCs within a site. In SP3, AD doesn't trigger an urgent replication when you disable an account. To propagate a disabled account immediately to other DCs within a site, you must also change the disabled account's password.
  • A DC on which you restore AD replicates correctly with its partners.
  • Numerous failures in the Local Security Authority Server service (LSASS), several of which occur when you use Dcpromo to promote or demote a DC, are corrected.

Support Tools and Deployment Tools. Microsoft has also released two SP3 companion updates: Win2K SP3 Support Tools and Win2K SP3 Deployment Tools. You can access these updates on the SP3 CD-ROM or through downloads (see the Web box "SP3 Resources," http://www.winnetmag.com, InstantDoc ID 27086, for the appropriate download sites). The Support Tools update contains 19MB of changes to the utilities in the Win2K CD-ROM's \support\tools directory. To install the Support Tools updates from the SP3 CD-ROM, double-click \support\tools\setup.exe. To install the changes from the Support Tools download, double-click the download file to start the installation. The companion documentation includes the sreadme.doc file, which contains instructions for distributing Support Tools updates to multiple systems by using the Windows Installer 2000rkst.msi package, and a new Error and Event Messages Help file, which includes the most current reference of Win2K error and event messages, indexed by event ID.

The Deployment Tools update contains an improved version of the Microsoft Windows 2000 Server Resource Kit's Sysprep utility (sysprep.exe). Sysprep now works correctly with the Microsoft Server Appliance Kit, no longer generates duplicate computer names, and writes OEM device information to the correct registry path.

Making the Upgrade
Before you upgrade a system to SP3, be sure to back up the system disk, System State, and Emergency Repair Disk (ERD). When you update the ERD, remember that NT Backup overwrites files in \winnt\repair. If you want to archive a copy of the system before the ERD update, simply copy the files in \winnt\repair to an alternate location.

Keep in mind four steps that are important to a successful upgrade: identifying and replacing installed post-SP3 hotfixes that conflict with the official SP3 catalog, identifying necessary security hotfixes, updating Microsoft Internet Explorer (IE), and planning for Automatic Updates behavior. The sidebar "4 Steps to a Successful Upgrade" explains these steps.

You can choose from four methods to upgrade a system running any earlier version of Win2K: a local installation, a network installation, a Microsoft Systems Management Server (SMS) package, or a computer-specific installation package using the Windows Installer update.msi package and Group Policy. The Microsoft Windows 2000 Service Pack 3 Installation and Deployment Guide contains excellent instructions for using each of these four methods. To install Win2K SP3 on a new system or to upgrade a Windows NT system, you can perform a slipstream or combination installation, as the Web-exclusive sidebar "Slipstream and Combination Installations" (http://www.winnetmag.com, InstantDoc ID 27115) explains. SP3 doesn't support upgrading legacy Windows 9x systems—you must first upgrade these systems to Win2K, then install SP3.

A local upgrade always requires more disk space than a network upgrade because the Setup utility expands and copies 1670 service pack files into a local temporary directory. When you use the SP3 CD-ROM or the w2ksp3.exe download file to perform a local upgrade, the local system needs at least 410MB of free space for Win2K Professional or 550MB for Win2K Server. By comparison, a network-based installation requires 240MB of free space for Win2K Pro and 335MB for Win2K Server. The installer returns 45MB of this amount on all platforms when it removes the temporary files after the upgrade.

You can double-click w2ksp3.exe (locally or on a mapped network share) in Windows Explorer or run w2ksp3.exe from a command prompt. When you run the file from Windows Explorer, you must close Windows Explorer before the upgrade finishes to avoid an error that occurs when the Installer attempts to replace the Windows Explorer mshtml.dll file.

To reduce the local free-space requirements during an installation, you can expand the download file, share the top level of the expanded directory, and initiate an installation through SP3's Update utility (update.exe). To expand the service pack from the command line, type

w2ksp3.exe /x

When prompted, enter the path to the appropriate local or network installation directory. If you enter the path C:\sp3, the extraction process creates the C:\sp3\i386 directory and copies all standard OS files and directories to or below C:\sp3\i386. To display update.exe's command-line options after you extract the files, type

i386\update\update /?

Use the /l option to list hotfixes, the /u option for an unattended install, the /z option to prevent a reboot so that you can apply additional fixes before you restart, and the /s:installation directory option to create a slipstream installation.

When you start an upgrade by double-clicking or running w2ksp3.exe (as opposed to first expanding the service pack), the Installer extracts the service pack files to a temporary folder and runs update.exe from the temporary folder. Next, the Installer inventories system files and identifies files that must be updated. While the inventory is in progress, the Installer displays the End User License Agreement (EULA) and prompts you to create an uninstall directory. This point in the installation is your last opportunity to safely cancel the upgrade.

Next, the Installer creates the $NTServicePackUninstall$ directory and copies into it all files that are marked for update. The Installer then replaces system files with files from the service pack. If the files are locked (i.e., in use), the Installer gives the replacement file a temporary name and adds it to the rename pending log file. The system replaces these files during the next reboot. The Installer parses applicable .inf files to update registry hive information and executes several programs through rundll32.exe (a technique used to run programs while the OS is being modified). These programs register Java applets, apply the upgrade's security template, remove Performance Monitor counters, and perform other cleanup tasks. After the programs run, the Installer deletes all temporary files and initiates a system restart. The file-rename process finishes after the computer reboots.

SP3 Setup logs all these activities in the %systemroot%\svcpack.log file. After a successful upgrade, the first portion of the log contains references to old information in the registry and new information in the registry. If you used the default option to create an uninstall directory, the log file next shows the Installer creating the uninstall directory, followed by several lines that estimate the time necessary to create and populate OS directories (including the uninstall directory). The log then documents the registration of the uninstallation program and the copying of files to various locations in the system root. Log lines that begin with Starting Process: document the final stages, during which Setup marks some .dll files to replace at the next reboot and runs several housekeeping programs.

If SP3 installation and setup fails on a machine, you can compare that system's log file (%systemroot%svcpack.log) with a log file from a successful upgrade to try and identify the problem. The Web-exclusive sidebar "Known Setup Problems" (http://www.winnetmag.com, InstantDoc ID 27116) describes several factors that might interfere with upgrades.

Timely Reminders
You don't need to reinstall SP3 after you change a system's configuration. Assuming the SP3 catalog is valid, Windows File Protection (WFP) won't let applications that use Windows Installer replace current files with earlier versions. However, if you remove and then reinstall Windows components, you should reinstall any hotfixes that affect those components.

When I wrote this article, I found more than 100 post-SP3 bug reports. To get a random sampling of known post-SP3 problems, go to http://support.microsoft.com/default.aspx?scid=fh;en-us;kbhowto, choose Windows 2000 from the Select a Microsoft Product drop-down list, then enter kbwin2000presp4fix in the Search for text box. I use the word random because Microsoft hadn't yet published a comprehensive list that consists solely of post-SP3 bugs; I hope that one will be available by the time you read this article.

A month after its release, the jury was still out on how well SP3 performs. When you add IE updates, post-SP3 bug fixes, and security hotfixes to the mix, the final upgrade can apply as many as 1100 code changes. Many compelling reasons to upgrade exist, but only after you've methodically prepared for and tested the effects that these massive changes might have in your production environment.