
Best Practice Windows Update in Production Environment



Guest Charles Law
Posted

I'm just wondering what people's views/experiences are here.

When configuring a production system, is there a recommended approach to Windows Update? What I mean is, we have a production system, and support system that is identical. When setting the two systems up originally, we have avoided using Windows Update to download and apply SPs and hotfixes.

At some point, before deploying, we want to apply SPs and patches, but in exactly the same way to each system. We also want to keep track of subsequent updates so that the two systems stay in sync.

I see there is something called Windows Server Update Services (WSUS), but I don't know whether this is widely used for this purpose.

I would be grateful for any recommendations, and/or links to documented preferred approaches.

We are using Windows Server 2003 RC2 x64 Enterprise and Standard Editions.

TIA

Charles

Guest Danny Sanders
Posted

Re: Best Practice Windows Update in Production Environment

 

> I see there is something called Windows Server Update Services (WSUS), but
> I don't know whether this is widely used for this purpose.

This is what you want. Put the servers/workstations in groups, approve specific updates for specific groups. I would suggest working out a process where the servers download the updates and set a deadline to install the updates when they can safely be rebooted and someone is there to monitor the reboots to ensure the servers come back up. Especially since this is production.

If you have "development" servers that mimic the production servers this will give you the chance to patch the development servers one weekend and check to see if the patches "break" anything before applying them to production.

WSUS is the way to go.

hth

DDS

 

 


Guest Charles Law
Posted

Re: Best Practice Windows Update in Production Environment

 

Hi Danny

Thanks for the quick reply. I will download WSUS to a test server and get started.

I see on the WSUS home page that there is also something called System Center Essentials 2007, which is a paid for option (the basic WSUS is free, if I have read correctly). Is this System Center Essentials 2007 thing worth a look, or should I just concern myself with the basic WSUS?

Cheers

Charles

 

 


Guest Danny Sanders
Posted

Re: Best Practice Windows Update in Production Environment

 

> if I have read correctly). Is this System Center Essentials 2007 thing
> worth a look, or should I just concern myself with the basic WSUS?

I have not seen/used System Center Essentials 2007. A quick look and it's recommended for 30 servers and up to 500 PCs. Would not use it here because we have over 200 servers and 6,000 desktops. I would say it is worth taking a look if you fit the target audience.

hth

DDS

 


Guest Hank Arnold (MVP)
Posted

Re: Best Practice Windows Update in Production Environment

 


 

Start with WSUS (be sure to get 3.0). It fills the bill for many of us. If you want to patch programs other than MS ones or you need more control (including "pushing") over patches, you can take a look at one of several alternatives (Shavlik, Patchlink, etc.).

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services

Guest Charles Law
Posted

Re: Best Practice Windows Update in Production Environment

 

Hi Hank

Thanks for the extra info. Minor hiccough at the moment as the WSUS 3.0 installer keeps asking for IIS, even though Windows insists that it is installed. Oh well, if it were easy then everyone would be doing it ...

Cheers

Charles

 

 


Guest Gwen Zierdt
Posted

Re: Best Practice Windows Update in Production Environment

 

 

in reply to:

> I have not seen/used System Center Essentials 2007. A quick look and it's
> recommended for 30 servers and up to 500 PCs. Would not use it here because
> we have over 200 servers and 6,000 desktops. I would say it is worth taking
> a look if you fit the target audience.

WSUS is free, and it manages pushing out of Microsoft patches.

Essentials 2007 is targeted at the mid-size business that wants to do more than manage Microsoft patches. There is a 30 day evaluation environment that you can add to your existing network to try Essentials 2007 on up to 10 Servers and 50 Clients.

For larger organizations, Operations Manager and Configuration Manager would be the right tools to consider.

Read more details at
http://myitforum.com/cs2/blogs/gzierdt/archive/2007/12/07/new-evaluation-version-of-system-center-essentials-2007-available.aspx

Gwen
http://myitforum.com/cs2/blogs/gzierdt/default.aspx

Guest Hank Arnold (MVP)
Posted

Re: Best Practice Windows Update in Production Environment

 

Gwen Zierdt wrote:

> WSUS is free, and it manages pushing out of Microsoft patches.

To be absolutely correct, WSUS does not "push" anything. Each client checks in with the server and "pulls" down what it needs.

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services
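
For the original question of keeping the production and support servers at the same patch level, one way to check for drift after each round of approved updates has installed. This is an added example, not code from any poster in this thread; it assumes PowerShell 2.0 or later, and the server names and KB numbers are constructed placeholders.

```powershell
# Added example. Server names and KB numbers below are constructed placeholders.

function Get-HotfixIds {
    param([string]$ComputerName)
    # Win32_QuickFixEngineering is the WMI inventory of installed hotfixes.
    # Rows whose HotFixID is not a KB/Q number (e.g. "File 1") are skipped.
    Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $ComputerName |
        Where-Object { $_.HotFixID -match '^(KB|Q)\d+' } |
        ForEach-Object { $_.HotFixID.ToUpper() } |
        Sort-Object -Unique
}

function Compare-HotfixSets {
    param(
        [string[]]$Reference = @(),
        [string[]]$Difference = @(),
        [string]$ReferenceName = 'reference',
        [string]$DifferenceName = 'difference'
    )
    # Report each hotfix present on one server but absent from the other.
    foreach ($id in $Reference) {
        if ($id -and ($Difference -notcontains $id)) {
            New-Object PSObject -Property @{ HotFixID = $id; MissingOn = $DifferenceName }
        }
    }
    foreach ($id in $Difference) {
        if ($id -and ($Reference -notcontains $id)) {
            New-Object PSObject -Property @{ HotFixID = $id; MissingOn = $ReferenceName }
        }
    }
}

# Constructed sample inventories so the comparison runs without network access.
$prod    = @('KB900001', 'KB900002', 'KB900004')
$support = @('KB900001', 'KB900003', 'KB900004')

$drift = @(Compare-HotfixSets -Reference $prod -Difference $support `
    -ReferenceName 'PROD01' -DifferenceName 'SUPPORT01')
$drift | Sort-Object HotFixID | Format-Table HotFixID, MissingOn -AutoSize
if ($drift.Count -gt 0) { Write-Warning "$($drift.Count) hotfix(es) differ between servers" }

# Against live servers (requires remote WMI access and admin rights):
# Compare-HotfixSets -Reference (Get-HotfixIds PROD01) -Difference (Get-HotfixIds SUPPORT01) `
#     -ReferenceName 'PROD01' -DifferenceName 'SUPPORT01'
```

An empty result means both servers report the same hotfix set; any row names the update and the server that lacks it.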

