vetting MS Updates
Our standard protocol is to install small groups of MS critical updates at a time so that roll-back can be accomplished easily if a hotfix breaks any server functions or applications. However, we have a few network infrastructure servers that run neither third-party software nor MS installed applications. An example of this would be our Active Directory servers.
My question is this - given a server, like our AD servers, that runs only MS Server Roles, do I need to be so concerned about vetting critical updates?
Thanks in advance for your advice.
August 24th, 2011 4:05pm
Hello,
it is not recommended to run applications on DCs for performance and security reasons.
For updates, it is recommended to install all of them.
What I recommend is performing periodic backups so that if something goes wrong you can restore your system from them.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
August 24th, 2011 4:21pm
Hello,
a DC should NEVER be used for applications and especially not for 3rd party ones or critical ones. Keep in mind that a DC may have to be restored from backup, which lots of applications may not support.
Do yourself a favor and install applications ALWAYS on member servers.
And you should always install any update provided by Microsoft, after testing, as they have a reason for this, security, stability or fixing errors with it.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
August 24th, 2011 4:27pm
I typically recommend splitting all redundant servers into two groups. Patch the first group one night and when those patches are determined to be ok, patch the second group. This ensures that you have at least one of each type of server available to respond to requests while you remedy any bad patches on the other servers.
Example:

Patch Group 1
  DC01
  Cluster01a
  FilePrint01

Patch Group 2
  DC02
  Cluster01b
  FilePrint02

If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer".
Rich Prescott | MCITP, MCTS, MCP
Blog | Twitter: @Arposh | Powershell Client System Administration tool
August 24th, 2011 6:41pm
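
The two-group split described in the reply above, as an added PowerShell example that is not part of the original thread: it assigns each redundant role's servers alternately to two patch groups and sets aside any server with no partner. The Role labels, the WSUS01 server and the function names are assumptions made for illustration; the other server names are the ones from the post.

```powershell
# Constructed inventory: names from the post's example plus one hypothetical
# non-redundant server (WSUS01) to show the edge case.
$inventory = @(
    [pscustomobject]@{ Name = 'DC01';        Role = 'DomainController' }
    [pscustomobject]@{ Name = 'DC02';        Role = 'DomainController' }
    [pscustomobject]@{ Name = 'Cluster01a';  Role = 'Cluster01' }
    [pscustomobject]@{ Name = 'Cluster01b';  Role = 'Cluster01' }
    [pscustomobject]@{ Name = 'FilePrint01'; Role = 'FilePrint' }
    [pscustomobject]@{ Name = 'FilePrint02'; Role = 'FilePrint' }
    [pscustomobject]@{ Name = 'WSUS01';      Role = 'Wsus' }
)

function Get-PatchGroupPlan {
    param([Parameter(Mandatory)][object[]]$Servers)

    foreach ($role in ($Servers | Group-Object -Property Role)) {
        $members = @($role.Group | Sort-Object -Property Name)
        if ($members.Count -lt 2) {
            # No redundant partner: patching this server takes the role offline,
            # so it is scheduled by hand rather than placed in either group.
            [pscustomobject]@{ Name = $members[0].Name; Role = $role.Name; PatchGroup = 'Manual' }
            continue
        }
        # Alternate members so every role keeps a server in the other group.
        for ($i = 0; $i -lt $members.Count; $i++) {
            [pscustomobject]@{
                Name       = $members[$i].Name
                Role       = $role.Name
                PatchGroup = "Group$(($i % 2) + 1)"
            }
        }
    }
}

function Test-PatchGroupPlan {
    param([Parameter(Mandatory)][object[]]$Plan)
    # Every redundant role must have servers in both Group1 and Group2.
    $redundant = $Plan | Where-Object { $_.PatchGroup -ne 'Manual' }
    foreach ($role in ($redundant | Group-Object -Property Role)) {
        $groups = @($role.Group.PatchGroup | Sort-Object -Unique)
        if ($groups.Count -lt 2) { return $false }
    }
    return $true
}

$plan = Get-PatchGroupPlan -Servers $inventory
$plan | Sort-Object PatchGroup, Name | Format-Table -AutoSize
if (-not (Test-PatchGroupPlan -Plan $plan)) { Write-Warning 'A role has all of its servers in one patch group.' }
```

Test-PatchGroupPlan is most useful after the plan has been edited by hand, since a manual move can put both servers of a role into the same night's group.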