  1. #1


    windows update

    I'm the new techie and this is my first time working at a school. Unfortunately I have inherited an unstable network with extremely precarious servers - no documentation and no handover, security is noticeable by its complete and utter absence - no patch management - antivirus 13 months out of date and only installed on a small handful of clients, etc etc. phewwww.
    Running hfnetchk on the servers revealed that many patches are missing. My query is - what is the best policy on patching servers? We can't test anything - and servers typically are multirole machines (SQL, Exchange and whatnot). I'd like to deploy WSUS across the network but as far as the servers are concerned it's not unheard of for patches to break Exchange or SQL. The last place I worked everything was tested, but this really isn't viable in a school is it?

  2. #2
    tosca925

    Re: windows update

    I use WSUS all across our domain and that includes the servers. I configure WSUS to install automatically all Critical Updates and all Security Updates at the time I specify.

    As for the stuff like Service Packs and major updates to, say, SQL and Exchange, I manually configure these. I wait till I have had a chance to test these updates and then install them as and when I am ready. In your case, if you have nowhere to do any testing, I suggest you keep your eye on newsgroups and forums to see the sort of feedback other users give and then deploy when you feel confident, maybe eventually come to bite the bullet and see.

  3. #3


    Re: windows update

    How on earth do you get the time to test updates LOL.

    Actually, it sounds like it's just a case of common sense. Anyway - cheers for that.

  4. #4

    Geoff

    Re: windows update

    If you can't afford the physical hardware to test you might want to consider using VMWare or VirtualPC to create some emulated computer systems to test patches on.

  5. #5

    GrumbleDook

    Re: windows update

    Or you could operate the 3 day rule.
    Subscribe to a number of microsoft.public newsgroups, mainly those central to roles you have on servers (windows.general, windows.server.*, etc) and then watch for potential issues for three days.

    I tend to look at applying patches on a Friday after school ... that way if anything goes wrong there is the weekend to either fix it or search for one.

  6. #6


    Re: windows update

    I agree with Tony. When I started at our school the patch management went something like this: "a patch is out. Install it." I changed that. First, I installed SUS on our 2000 Server and started getting updates out that way (never had a problem there). But what I do is wait to authorise the patches for download to client machines until one week after the update is released. I also subscribe to the MS email lists for security and watch various forums on the internet for signs of trouble, and it works.

    Early this year I installed a new Dell PowerEdge server (2003) for our admin network. It handles other things like internal email, intranet, and is a GC. After installing it though I momentarily forgot myself and nearly installed SP1. That would have been very bad, since an issue with SP1 on PE servers would have meant that my BIOS would have gone south and the server would have been unbootable. Luckily I checked myself and looked at the Dell support forums - voila! News of an issue with SP1. Don't install yet. So I didn't, and I therefore didn't encounter a CLM (Career Limiting Move).

    Moral- check those sites out and don't be too hasty to install those patches if you can't test them first. On the other hand, don't wait so long as to be too paranoid and then leave your systems unpatched!

    Paul
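
The hold period described in the post above (approve a week after release, leave service packs for manual handling), as an added example that is not part of the original thread. It assumes the `UpdateServices` PowerShell module that ships with the WSUS role on Windows Server 2012 and later, run on the WSUS server itself; the target group names `Workstations` and `Servers` are hypothetical.

```powershell
# Added example: hold-period approval for WSUS (not code from the thread).
# Assumption: UpdateServices module present, script run on the WSUS server.
Import-Module UpdateServices

$HoldDays = 7                                        # one-week wait from the post
$Cutoff   = (Get-Date).ToUniversalTime().AddDays(-$HoldDays)
$Groups   = 'Workstations', 'Servers'                # hypothetical target groups

$wsus = Get-WsusServer                               # local WSUS instance

# Only Critical and Security classifications are touched. Service packs and
# product-level updates (SQL, Exchange) are never returned by these queries,
# so they stay unapproved until someone approves them by hand.
foreach ($class in 'Critical', 'Security') {
    $pending = Get-WsusUpdate -UpdateServer $wsus -Classification $class `
                              -Approval Unapproved -Status Needed |
               Where-Object { -not $_.Update.IsSuperseded }

    # Still inside the hold period: list them so they can be checked against
    # vendor forums and mailing lists before the next run.
    $pending | Where-Object { $_.Update.CreationDate -gt $Cutoff } |
        ForEach-Object {
            '{0:yyyy-MM-dd}  HOLD     {1}' -f $_.Update.CreationDate, $_.Update.Title
        }

    # Past the hold period: approve for each target group.
    $ready = $pending | Where-Object { $_.Update.CreationDate -le $Cutoff }
    foreach ($u in $ready) {
        '{0:yyyy-MM-dd}  APPROVE  {1}' -f $u.Update.CreationDate, $u.Update.Title
        foreach ($g in $Groups) {
            # -WhatIf only reports the action; remove it to approve for real.
            Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $g -WhatIf
        }
    }
}
```

Scheduling the client-side install window separately (for example after school on a Friday, as suggested earlier in the thread) keeps approval and installation as two independent controls.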

  7. #7


    Re: windows update

    I'm the cautious type, only too aware how those CLMs can leap out at one.
    However, I've actually found an old server that I may be able to press into use and set up as a lab. Now I think I may be straying into another topic and there might be a thread somewhere hereabouts, but when you guys test do you DCPROMO a test DC into the production environment and then disconnect it? I'd really like to replicate as much as I can so that I can test anti-virus, patches etc but I understand I'd probably have to run ntdsutil to clean up the metadata on the production AD. Is this hazardous - it looks pretty straightforward - but these, as we are only too well aware, are the quintessential famous last words.


    If you are interested in a snapshot of your current AD, you can:
    - dcpromo a new DC in production
    - make the new DC a GC
    - install DNS on the new DC
    - disconnect the new DC from production network
    - clean up the DC's metadata in production environment

    - put the disconnected DC in a separate VLAN
    - seize the FSMO roles
    - in the test environment perform metadata cleanup to remove the production DCs from test environment.
    - update the sites&subnets info to reflect the new test subnet layout

  8. #8
    DMcCoy

    Re: windows update

    I've not put it into practice yet, but I'm hoping my new ESX servers are going to do well here, at least to test patching and checking for error free boot. I can take a copy of the machine while it's running (crash consistent state) and test the patch on a separate VLAN and then do the real one all going well.
