willay
Moderator Organiser: South East, National Events Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
|
Those of you who work in a Windows environment, do you have a patching plan?
I'd like to hear what others are doing. I'm currently in an environment which has to be up and running 24/7 for the factory to operate but half of Sunday it's completely closed so no problems bouncing network/servers. AFAIK MS release patches every Tuesday, do you guys just smash the patches on and reboot when you feel like? I've come from a background when a server reboot wasn't the done thing as it must ALWAYS be up.
|
Neo
Member
Registered: 20th Feb 07
Location: Essex
|
Exactly that Will, I put them on, schedule downtime (in your case half of Sunday) reboot then.
Only problems occur when archaic hardware doesn't come back up
|
John
Member
Registered: 30th Jun 03
|
All the SBS ones just apply as per default SBS policy.
24/7 environments don't get done unless it needs it, still the odd windows update that causes major hassle.
|
Neo
Member
Registered: 20th Feb 07
Location: Essex
|
Oh, and I try and only reboot once a month tops. Simply because otherwise I'd be constantly chasing updates.
|
John
Member
Registered: 30th Jun 03
|
Servers don't get rebooted unless I'm rebooting for something else or it needs to be done right then.
|
Aaron
Member
Registered: 9th Aug 04
Location: Cottingham, East Riding
|
WSUS for clients, with a scheduled re-boot when needed.
Servers re-booted once change requests are done and approved (ITIL shite)
|
Dom
Member
Registered: 13th Sep 03
|
Not a 24/7 environment but clients are WSUS and sort themselves out (weekly scheduled reboots) and the servers get taken down one at a time and updated when needed during the evenings/nights. If there's any issue with one then the other doesn't get touched until the first is fixed, just in case there is an issue with the updates.
|
VrsTurbo
Premium Member
Registered: 8th Jun 10
|
You have a virtual environment. So take a copy run the updates to test if the servers still work once they have been updated. Then schedule the production installs
|
Kyle T
Premium Member
Registered: 11th Sep 04
Location: Selby, North Yorkshire
|
Ugh we're just starting to tackle this now.
Previously we had a WSUS server but only used it to apply bug fixes for things which were causing us problems, we were too scared to be proactive about it.
We're deploying SCCM2012 as I type so we're going to use that going forward, and we've decided to operate a suck it and see mentality with critical updates and security updates. Patch away, reboot when convenient and then address any problems as they arise, we don't really have the manpower to test each update in detail.
Our biggest issue isn't arranging server downtime, it's an irrational fear of rebooting client PCs or asking them to reboot. It's ridiculous, we seem to be terrified of our users so I've proposed a transparent approach of notifying the user of a required install - allowing them to choose a time/date for the install and then again for the reboot if required. If they keep ignoring notifications they'll trigger a deadline and get installed/rebooted anyway.
Lotus Elise 111R
Impreza WRX STi
|
willay
Moderator Organiser: South East, National Events Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
|
quote: Originally posted by VrsTurbo
You have a virtual environment. So take a copy run the updates to test if the servers still work once they have been updated. Then schedule the production installs
I'm not too bothered about the servers failing, but it is in the back of my mind at all times that a new patch that's been introduced would fuck everything.
With the once a month idea (my boss wants it once every 2 months) I guess I could do the testbed idea, what would be the best way to approach this? Run the testbed VM on my PC? Or copy it on the cluster then run it? I'm guessing I'd have to kill off all the network interfaces on the clone so it doesn't come up and absolutely fuck everything with IP conflicts and what not.
Thanks for everyone's input
|
Ian
Site Administrator
Registered: 28th Aug 99
Location: Liverpool
|
Interfaces on the VM won't go external to the VM unless you specify it.
|
M2RTY
Member
Registered: 25th May 01
|
4 wsus servers, test/dev, live, 2x DMZs
400ish servers in total. vms and physical
patches come out every 2nd tuesday of month (usually)
patch every Sunday 8am-4am the Monday morn, roughly 10 every 2 hours, all automated
week 2 - test/dev
week 3 and 4 - live and dmz
week 5 - live
clusters need a bit of thought, few issues with servers not rebooting as people forget to log off
set up the system myself, was 0 patching prior, had w2000 servers with 200 missing patches still, security auditors went nuts!
|
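Added example (not from any poster in the thread): the staggered Sunday schedule described in the post above, computed from Patch Tuesday, with the number of days each ring stays unpatched after release. The ring order, function names and host names are assumptions made for illustration.

```python
from datetime import date, datetime, time, timedelta

# Ring order is an assumption read from the post: first Sunday after release
# goes to test/dev, the next two to live + DMZ, the last to remaining live.
RINGS = ["test/dev", "live+dmz", "live+dmz", "live"]

def patch_tuesday(year, month):
    """Second Tuesday of the month (the usual release day)."""
    first = date(year, month, 1)
    to_tuesday = (1 - first.weekday()) % 7      # Monday=0, Tuesday=1
    return first + timedelta(days=to_tuesday + 7)

def sunday_waves(year, month):
    """(sunday, ring, days_exposed) for each wave after the month's release."""
    released = patch_tuesday(year, month)
    first_sunday = released + timedelta(days=5)  # Tuesday + 5 days = Sunday
    waves = []
    for i, ring in enumerate(RINGS):
        day = first_sunday + timedelta(weeks=i)
        waves.append((day, ring, (day - released).days))
    return waves

def batch_slots(sunday, servers, batch_size=10, slot_hours=2,
                start=time(8, 0), window_hours=20):
    """Split servers into batches across the 08:00 Sunday to 04:00 Monday window."""
    capacity = (window_hours // slot_hours) * batch_size
    if len(servers) > capacity:
        raise ValueError(f"{len(servers)} servers exceed window capacity {capacity}")
    begin = datetime.combine(sunday, start)
    slots = []
    for i in range(0, len(servers), batch_size):
        when = begin + timedelta(hours=slot_hours * (i // batch_size))
        slots.append((when, servers[i:i + batch_size]))
    return slots

if __name__ == "__main__":
    for day, ring, exposed in sunday_waves(2024, 10):
        print(f"{day} {ring:9} patched {exposed} days after release")
    demo = [f"srv{n:03d}" for n in range(25)]   # constructed host names
    for when, hosts in batch_slots(date(2024, 10, 13), demo):
        print(when, len(hosts), "servers")
```

With these numbers the window holds 100 servers per Sunday, and the last ring runs 26 days after release, which is the exposure figure to weigh against the risk of a bad patch.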
willay
Moderator Organiser: South East, National Events Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
|
quote: Originally posted by Ian
Interfaces on the VM won't go external to the VM unless you specify it.
yes mate.
|
willay
Moderator Organiser: South East, National Events Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
|
tttttttttt
|
Dom
Member
Registered: 13th Sep 03
|
Not gone with the 'Suck it and see' approach?
|
willay
Moderator Organiser: South East, National Events Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
|
What you on about bro
|
pow
Premium Member
Registered: 11th Sep 06
Location: Hazlemere, Buckinghamshire
|
Clients on WSUS, servers are rebooted remotely over weekends/evenings when they aren't required (Hyper-V machines so take snapshots if anything big is happening)
|