vetting MS Updates
Our standard protocol is to install small groups of MS critical updates at a time so that roll-back can be accomplished easily if a hotfix breaks any server functions or applications. However, we have a few network infrastructure servers that run neither third-party software nor MS installed applications. An example of this would be our Active Directory servers. My question is this: given a server, like our AD servers, that runs only MS Server Roles, do I need to be so concerned about vetting critical updates? Thanks in advance for your advice.
August 24th, 2011 4:05pm

Hello, it is not recommended to run applications on DCs for performance and security reasons. For updates, it is recommended to install all of them. What I recommend is performing periodic backups so that if something goes wrong you can restore your system from them.

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
August 24th, 2011 4:21pm

Hello, a DC should NEVER be used for applications, and especially not for 3rd party ones or critical ones. Keep in mind that a DC may have to be restored from backup, which lots of applications may not support. Do yourself a favor and ALWAYS install applications on member servers. And you should always install any update provided by Microsoft, after testing, as they have a reason for it: security, stability or fixing errors.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
August 24th, 2011 4:27pm

I typically recommend splitting all redundant servers into two groups. Patch the first group one night and when those patches are determined to be OK, patch the second group. This ensures that you have at least one of each type of server available to respond to requests while you remedy any bad patches on the other servers.

Example:
Patch Group 1: DC01, Cluster01a, FilePrint01
Patch Group 2: DC02, Cluster01b, FilePrint02

If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer".
Rich Prescott | MCITP, MCTS, MCP
Blog | Twitter: @Arposh | Powershell Client System Administration tool
August 24th, 2011 6:41pm
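
The two-group split described in the post above, as an added example that is not part of the original thread: it alternates the members of each role between patch groups and flags any role that has no redundant peer. The function name `Get-PatchGroupPlan`, the `Role` labels and the `DHCP01` server are assumptions made for illustration; the other six server names come from the post.

```powershell
# Constructed sample inventory. The first six names are from the post; the
# Role values and DHCP01 are assumptions added for illustration.
$inventory = @(
    [pscustomobject]@{ Name = 'DC01';        Role = 'DomainController' }
    [pscustomobject]@{ Name = 'DC02';        Role = 'DomainController' }
    [pscustomobject]@{ Name = 'Cluster01a';  Role = 'Cluster01' }
    [pscustomobject]@{ Name = 'Cluster01b';  Role = 'Cluster01' }
    [pscustomobject]@{ Name = 'FilePrint01'; Role = 'FilePrint' }
    [pscustomobject]@{ Name = 'FilePrint02'; Role = 'FilePrint' }
    [pscustomobject]@{ Name = 'DHCP01';      Role = 'DHCP' }
)

# Hypothetical helper: spreads the servers of each role across the patch groups
# so that no group contains every server of a redundant role.
function Get-PatchGroupPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Servers,
        [int] $GroupCount = 2
    )
    foreach ($roleSet in ($Servers | Group-Object -Property Role)) {
        $members = @($roleSet.Group | Sort-Object -Property Name)
        for ($i = 0; $i -lt $members.Count; $i++) {
            [pscustomobject]@{
                PatchGroup = ($i % $GroupCount) + 1
                Role       = $roleSet.Name
                Name       = $members[$i].Name
                # A role with a single member has no peer to answer requests
                # while that server is being patched or rolled back.
                NoPeer     = ($members.Count -lt 2)
            }
        }
    }
}

$plan = Get-PatchGroupPlan -Servers $inventory
$plan | Sort-Object PatchGroup, Role, Name | Format-Table -AutoSize

# Surface the servers whose patch window is also an outage window for the role.
$plan | Where-Object NoPeer | ForEach-Object {
    Write-Warning "$($_.Name) is the only $($_.Role) server; patching it takes that role offline."
}
```

With the sample inventory, DC01, Cluster01a, FilePrint01 and DHCP01 land in group 1 and DC02, Cluster01b and FilePrint02 in group 2, with a warning raised for DHCP01.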

This topic is archived. No further replies will be accepted.
