
I've got a small infrastructure of about 20 servers that are all on a domain and receiving updates from a local WSUS server. The group policy at the moment is that automatic updates are configured to auto download and schedule in the install for 3am on Sunday mornings.

This has worked well, but the problem I've noticed is that this takes the entire infrastructure down at around 3:05am on Sunday mornings as they go through a Windows Update reboot.

I appreciate that many updates require a reboot, but having all the servers schedule the install for 3am results in some outages as both domain controllers will go down at the same time, both sides of the MSSQL cluster go down etc.

Is there a good way to specify for servers to schedule their install at a random time during a set maintenance window? This should then avoid having the servers reboot simultaneously and spread it out across a longer time, hopefully resulting in no service outage.

growse

2 Answers


AFAIK the only option is to set a specific time.

That being said, I think you're not fully aware of the implications of having ALL the servers doing automated installs/reboots.

What if there is a faulty patch which breaks the kernel or similar? Do you really want to come to work in the morning and find all your servers in a boot loop?

I suggest you turn on auto-install only for the servers that are critical to keep updated (internet-facing servers, terminal servers) and do the rest in a manual maintenance schedule.

If that doesn't work out for you, then at least set up WSUS, test updates, and then deploy them when you are 100% sure that they don't break your OS or your applications (the latter is more common).

You can also create separate group policies with different timeslots, and use either OUs or security filtering to choose which server gets what.

pauska
    I think it's a good point - I'm happy with the dev kit rebooting whenever, but the more critical stuff I might set to a 'Download and notify for install' rather than 'download and schedule for install' setting. – growse Jul 14 '11 at 10:16
  • +1 - Servers rebooting themselves make me uncomfortable, generally. Scheduled maintenance windows FTW. – Evan Anderson Jul 14 '11 at 11:32
  • @Evan Anderson: Indeed, but I can also understand that this is very hard for small shops. – pauska Jul 14 '11 at 11:35
  • Haha. I also just noticed pauska had said the same thing I did. I could have sworn it wasn't in his answer when I typed mine, but it was late. – surfasb Jul 15 '11 at 02:58

You could just split the servers up into three or four update groups through WSUS. Then just approve updates for one group each week.

surfasb
  • +1, we used a similar method and it worked well. Really handy for keeping certain must-be-patched-but-can't-reboot-all-at-once clustered services updated. 1am, 2am, 3am for those. Or Tues/Thurs/Sat for others. – sysadmin1138 Jul 14 '11 at 11:42
  • It's a valid approach, my concern is that I target WSUS groups through GPO, so I'd effectively have to create an 'A Side' GPO and a 'B Side' GPO and give them different WSUS install times. – growse Jul 14 '11 at 15:21
  • I must be missing something. WSUS is essentially 4 or 5 GPO settings x 2 . . . – surfasb Jul 15 '11 at 02:55
  • An easier way to manage that would be to create a base OU, then make Child OU A and Child OU B. Your base OU will get the Update settings, while the Child OUs will just be different times. Makes it easier to manage. – surfasb Aug 08 '11 at 02:23
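The layout surfasb describes in the last comment (a base OU carrying the shared WSUS settings, child OUs A and B that differ only in their install hour), combined with pauska's separate-GPO suggestion and the per-group approval from surfasb's answer, as an added PowerShell example. This is not code from the thread; the domain DN, OU names, WSUS URL, the two install hours and the `Get-WsusInstallWindow` helper are assumptions. It uses the ActiveDirectory and GroupPolicy RSAT modules and writes the same registry-backed values that the "Configure Automatic Updates" and "Specify intranet Microsoft update service location" GPO settings write.

```powershell
# Added example, not from the original thread. Run as a domain admin on a box
# with RSAT (ActiveDirectory + GroupPolicy modules). All names below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain  = 'DC=corp,DC=example'              # assumption: your domain DN
$WsusUrl = 'http://wsus.corp.example:8530'   # assumption: your local WSUS

# Policy registry keys behind the Windows Update GPO settings.
$WuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

# 1. Base OU + GPO: every server points at the local WSUS and uses client-side
#    targeting. No install time is set here; the child OUs decide that.
$BaseOu  = New-ADOrganizationalUnit -Name 'Patched Servers' -Path $Domain -PassThru
$BaseGpo = New-GPO -Name 'WSUS - Base settings'
Set-GPRegistryValue -Name $BaseGpo.DisplayName -Key $WuKey -ValueName 'WUServer'       -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $BaseGpo.DisplayName -Key $WuKey -ValueName 'WUStatusServer' -Type String -Value $WsusUrl | Out-Null
Set-GPRegistryValue -Name $BaseGpo.DisplayName -Key $AuKey -ValueName 'UseWUServer'    -Type DWord  -Value 1        | Out-Null
New-GPLink -Name $BaseGpo.DisplayName -Target $BaseOu.DistinguishedName | Out-Null

# 2. Child OUs: same download behaviour, different install hour and WSUS group.
#    AUOptions 4 = auto download and schedule install, 3 = download and notify
#    (the setting growse mentions for the more critical boxes).
#    ScheduledInstallDay 1 = Sunday; ScheduledInstallTime is the hour, 0-23.
$Sides = @(
    @{ Name = 'A Side'; Hour = 1; AuOption = 4 }   # e.g. DC1 and SQL node 1
    @{ Name = 'B Side'; Hour = 3; AuOption = 4 }   # e.g. DC2 and SQL node 2
)
foreach ($s in $Sides) {
    $ou  = New-ADOrganizationalUnit -Name $s.Name -Path $BaseOu.DistinguishedName -PassThru
    $gpo = New-GPO -Name "WSUS - $($s.Name) install window"
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $AuKey -ValueName 'AUOptions'            -Type DWord -Value $s.AuOption | Out-Null
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $AuKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value 1           | Out-Null
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $AuKey -ValueName 'ScheduledInstallTime' -Type DWord -Value $s.Hour     | Out-Null
    # Client-side targeting: the WSUS console needs a computer group with the same
    # name, so updates can be approved for one side at a time (surfasb's answer).
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $WuKey -ValueName 'TargetGroupEnabled' -Type DWord  -Value 1       | Out-Null
    Set-GPRegistryValue -Name $gpo.DisplayName -Key $WuKey -ValueName 'TargetGroup'        -Type String -Value $s.Name | Out-Null
    New-GPLink -Name $gpo.DisplayName -Target $ou.DistinguishedName | Out-Null
}

# 3. Split each redundant pair across the sides (computer names are assumptions).
$Placement = @{ 'DC1' = 'A Side'; 'SQL1' = 'A Side'; 'DC2' = 'B Side'; 'SQL2' = 'B Side' }
foreach ($name in $Placement.Keys) {
    $target = "OU=$($Placement[$name]),$($BaseOu.DistinguishedName)"
    Move-ADObject -Identity (Get-ADComputer -Identity $name).DistinguishedName -TargetPath $target
}

# 4. Check on a member server (after gpupdate /force) which window it ended up in.
function Get-WsusInstallWindow {
    $wu = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    [pscustomobject]@{
        WsusServer  = $wu.WUServer
        TargetGroup = $wu.TargetGroup
        AUOptions   = $au.AUOptions
        InstallDay  = $au.ScheduledInstallDay
        InstallHour = $au.ScheduledInstallTime
    }
}
```

The point of the placement step is that one domain controller and one cluster node sit on each side, so a Sunday reboot of the A side at 01:00 never coincides with the B side's 03:00 window. Running `Get-WsusInstallWindow` on each server before the first weekend confirms that the child OU policy, not the old single-time policy, is what actually applied.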