WSUS integration plan
capon
Hello friends.
My bosses gave me an assignment to make a plan for how to integrate a WSUS server into our infrastructure.
So please help me with advice on how to do it.
For now I have installed Windows Server 2012 and added the WSUS role to it. I tested the server in a test environment and everything was good.
Now I have to accept WSUS updates on Exchange servers and domain controllers, SQL servers and DMZ servers.
My question is which one should be updated first, and if some update breaks the server, what should I do.
Our infrastructure is:
4 domain controllers - 2 with Windows 2008 and 2 with Windows 2012 R2
Exchange (Windows Server 2012 R2 Datacenter) has 2 DAGs with 3 mailbox servers and 2 client access servers.
We also have 20 child domains
So please, what will be the procedure to update? I suppose I must use GPO, but tell me what the right order is.
Thanks.
Comments
rwmidl
It's been a while since I played with WSUS, but a few suggestions:
- If you can, have test systems you can deploy/test the patches on and production systems.
- Set your GPO to download but not install the patches (from memory I believe you can do that). This will help prevent patches from automatically installing.
- You can also segregate out the systems. Have a WSUS group for your Exchange servers, DCs, etc.
- Remember you can approve the patches to push from WSUS, so until you are ready (and tested) don't push them out.
- Document, document, document! You are doing change/patch management. Document what patches are to be installed. Have a rollback plan.
capon
Yes, I will make different groups for Exchange, domain controllers, etc., but I think that I must update only one DC at a time, not all at the same time. Am I right?
What will be the rollback plan? Restore from backup or what? This is what I don't understand.
And how can I understand what patches to approve? In my case I want only security updates. Should I install all which WSUS finds on MS servers?
10x
Dojiscalper
Test them on a lab first before approving them for update. If you don't have the resources to do that your only other option would be to back up the servers before the update so you can do a true and complete roll back in case of failure.
techfiend
What I'd do is auto-accept only security updates from WSUS and start with a test server (if all physical; otherwise skip, and mention going virtual if you haven't already). If you have virtual servers, snapshot and update non-PDC DCs first. If there's an issue, roll back and troubleshoot, but it'll likely work next time.
capon
All servers are virtual. We have no physical servers.
If something breaks, revert to the last snapshot, right? No need for a full backup?
So the PDC will be updated last, as I understand, right?
techfiend
I just use snapshots and roll back if needed, but I've never had an issue with monthly security updates. I'd do 2 DCs as a test for a week, then do the rest. The PDC is the most important DC but easily transferred. The other servers appear to be more important.
Micronewb
The way I do patches is as follows:
1) Approve to test OU
2) After a week approve to Employee OU
3) Every quarter approve to infrastructure OU
4) GPO controls when patches get downloaded BUT does not install them.
5) Snapshot VM (we use VMware vSphere).
6) Apply patches
7) Rinse and repeat
Can share where the GPO settings are controlled if needed.
capon
Yes please. Share that information.
I decided to make 2 extra OUs. One for critical servers (DHCP, Exchange, DC) and one for others.
Micronewb
This is what I have for the test OU in regards to the updates.
Computer Configuration
  Policies
    Windows Settings
      Security Settings
    Administrative Templates
      Windows Components/Windows Update
- Allow signed updates from an intranet Microsoft update service location: Enabled
- Configure Automatic Updates: Enabled
  Configure automatic updating: 3 - Auto download and notify for install
  (The following settings are only required and applicable if 4 is selected.)
  Install during automatic maintenance
  Scheduled install day: 0 - Every day
  Scheduled install time: 03:00
- Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box: Enabled
- Enable client-side targeting: Enabled
  Target group name for this computer: test
- No auto-restart with logged on users for scheduled automatic updates installations: Enabled
- Specify intranet Microsoft update service location: Enabled
  Set the intranet update service for detecting updates: https://SERVERNAME:PORTNUMBER
  Set the intranet statistics server: https://SERVERNAME:PORTNUMBER
There is also a certification section as well but I imagine you have this setup.
Let us know if this is what you are looking for or something else.
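As an added example (not from this thread or from Micronewb), here is a PowerShell check that reads the registry values these GPO settings write on a domain member and flags deviations, so you can confirm a server in the test OU actually picked up the policy before approving anything to it. The target group name "test", the expected AUOptions value 3, and the expectation that the WSUS URL uses HTTPS are assumptions taken from the settings listed above; run it on the client, not on the WSUS server.

```powershell
# Added example: audit the effective WSUS client policy on a domain member.
# These registry paths are where Group Policy stores the Windows Update settings.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

function Get-WsusClientPolicy {
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer                      = $wu.WUServer                       # intranet update server
        WUStatusServer                = $wu.WUStatusServer                 # intranet statistics server
        TargetGroupEnabled            = $wu.TargetGroupEnabled             # client-side targeting on/off
        TargetGroup                   = $wu.TargetGroup                    # WSUS computer group name
        AcceptTrustedPublisherCerts   = $wu.AcceptTrustedPublisherCerts    # allow signed intranet updates
        UseWUServer                   = $au.UseWUServer                    # 1 = use WUServer instead of MU
        AUOptions                     = $au.AUOptions                      # 3 = download and notify
        NoAutoRebootWithLoggedOnUsers = $au.NoAutoRebootWithLoggedOnUsers  # 1 = no forced reboot
    }
}

function Test-WsusClientPolicy {
    # $ExpectedGroup is an assumption: Micronewb's test OU uses the group "test".
    param([string]$ExpectedGroup = 'test')
    $p = Get-WsusClientPolicy
    $findings = @()
    if (-not $p.WUServer) {
        $findings += 'No intranet update server configured; client will talk to Microsoft Update directly.'
    } elseif ($p.WUServer -notmatch '^https://') {
        $findings += "WUServer '$($p.WUServer)' is not HTTPS; update metadata is exposed to tampering in transit."
    }
    if ($p.WUStatusServer -ne $p.WUServer) { $findings += 'Statistics server differs from update server.' }
    if ($p.UseWUServer -ne 1)              { $findings += 'UseWUServer is not 1; the WUServer value is ignored.' }
    if ($p.AUOptions -ne 3) {
        $findings += "AUOptions is '$($p.AUOptions)', expected 3 (download and notify, no automatic install)."
    }
    if ($p.TargetGroupEnabled -ne 1 -or $p.TargetGroup -ne $ExpectedGroup) {
        $findings += "Client-side targeting missing or wrong group (got '$($p.TargetGroup)', expected '$ExpectedGroup')."
    }
    if ($p.NoAutoRebootWithLoggedOnUsers -ne 1) { $findings += 'Forced reboot with logged-on users is not suppressed.' }
    if ($p.AcceptTrustedPublisherCerts -eq 1) {
        $findings += 'Info: signed third-party updates from the intranet server are accepted; keep the WSUS server itself hardened.'
    }
    return $findings
}

$result = Test-WsusClientPolicy
if ($result.Count -eq 0) { 'WSUS client policy matches the expected test-OU settings.' } else { $result }
```

Compare the output with `gpresult /h report.html` on the same machine if a value is missing: the policy may simply not have applied yet, and `gpupdate /force` followed by `wuauclt /reportnow` re-reads it.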