Discussion:
Running Windows Update on a Domain Controller
j***@gmail.com
2009-02-18 14:15:08 UTC
Gentlemen, I thank you for reading.

I have two pairs of Domain Controllers running Windows Server 2003 in
a parent-child forest configuration. My DCs have not had Windows
Updates in some time, and I need to write a procedure for doing so.
Currently, the DCs are virtual machines, and the intent is to keep
them in a snapshotted state until the updates are complete and the DCs
are confirmed functional.

Are there any best practices regarding a procedure for actually
performing the updates? I have some persons in one camp telling me
that I need to shut the other three DCs down while one of them is
updating. This seems counterintuitive, as a workstation on the network
could request an update or change from the DC that's being updated,
and then the structure becomes inconsistent.

Most of my 'best practices' research on the net has led me to
articles about implementing WSUS or GPOs restricting Windows Updates
on workstations.

There is another option, of course, which is to not run the updates at
all.

Any suggestions, comments, or thoughts are greatly appreciated.
Isaac Oben [MCITP,MCSE]
2009-02-18 17:02:54 UTC
1 - I will have a test environment to properly test any new updates before
deploying to the production environment.
2 - Then I will run updates on each domain controller, or on a set group
depending on how large your enterprise is, but will not shut down other domain
controllers while updates are going on, except when doing schema updates, etc.
--
Isaac Oben [MCITP, MCSE]
Meinolf Weber [MVP-DS]
2009-02-18 20:04:30 UTC
Hello Jeremy,

Do NOT use snapshots of Domain Controllers; this is an UNSUPPORTED way
to back up AD.

We use WSUS in our environments and it works like a charm.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Paul Bergson [MVP-DS]
2009-02-19 13:38:57 UTC
Don't use snapshots, they don't work since they don't clear out all
transactions before the snap occurs. I can absolutely guarantee you will
have problems if you continue this practice.

Read through the link below and verify you are following the practices as
defined.
http://support.microsoft.com/kb/888794

Also, patch your DCs monthly!
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
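An added example, not posted by anyone in this thread: the reason the two MVPs above are so firm about snapshots is that a DC reverted to an earlier disk image keeps the same invocation ID while its USNs go backwards, and its replication partners silently stop taking changes from it. KB875495 (linked later in the thread) names the signs a Server 2003 SP1 or later DC leaves when it detects this: NTDS Replication event 2095 (and 2103 for an unsupported restore) in the Directory Service log, the registry value 'DSA Not Writable' set to 4 under the NTDS Parameters key, and Net Logon left paused so the DC stops advertising. The script below checks a DC for exactly those three signs. It assumes PowerShell 2.0 or later, remote registry and event log access to the DC, and the DC name 'DC1', which is a placeholder.

```powershell
# Added example (not from the original thread). Checks one DC for the USN
# rollback indicators described in KB875495. Assumes PowerShell 2.0+ and
# remote registry/event log access to the DC; 'DC1' below is an assumed name.

function Test-UsnRollback {
    param([string]$Dc = $env:COMPUTERNAME)

    $indicators = @()

    # Indicator 1: when NTDS detects that its USNs have gone backwards it sets
    # 'DSA Not Writable' = 4 under the NTDS Parameters key on that DC.
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Dc)
    $key  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
    if ($key -ne $null) {
        if ($key.GetValue('DSA Not Writable') -eq 4) {
            $indicators += "'DSA Not Writable' = 4 in NTDS\Parameters on $Dc"
        }
        $key.Close()
    }
    $base.Close()

    # Indicator 2: event 2095 (partner saw already-acknowledged USNs from us)
    # or 2103 (database restored by an unsupported procedure) in the
    # Directory Service log. Only the newest 200 entries are inspected.
    $events = Get-EventLog -ComputerName $Dc -LogName 'Directory Service' `
                  -Newest 200 -ErrorAction SilentlyContinue |
              Where-Object { $_.EventID -eq 2095 -or $_.EventID -eq 2103 }
    foreach ($e in $events) {
        $indicators += ("event {0} at {1}" -f $e.EventID, $e.TimeGenerated)
    }

    # Supporting sign: NTDS pauses Net Logon so the DC stops advertising itself.
    $netlogon = Get-Service -ComputerName $Dc -Name Netlogon -ErrorAction SilentlyContinue
    if ($netlogon -and $netlogon.Status -eq 'Paused') {
        $indicators += "Netlogon is paused on $Dc"
    }

    New-Object PSObject -Property @{
        DC         = $Dc
        Detected   = ($indicators.Count -gt 0)
        Indicators = $indicators
    }
}

# Usage: run after any DC has been reverted to an earlier image, or as part of
# the post-patch check. 'DC1' is an assumed name.
$result = Test-UsnRollback -Dc 'DC1'
if ($result.Detected) {
    Write-Host "USN rollback indicators found on $($result.DC):"
    $result.Indicators | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "No USN rollback indicators on $($result.DC)"
}
```

If any indicator is present, do not try to force replication going again; follow the recovery steps in KB875495, which come down to restoring the DC from a supported backup or demoting and re-promoting it. A DC reverted while the other three were still running is the case the KB is written for; four DCs shut down and imaged together, then all reverted together, is a different situation, but the check above costs nothing to run afterwards.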
Jeremy
2009-02-19 14:35:38 UTC
Since it appears to be a point of some contention within this topic, I
felt the need to clarify my statement about snapshots of our Domain
Controllers.

In this current plan, we are shutting down all four DCs (in that they
will be cold from a machine state), and creating a snapshot of all
four, at the same time in that state. I appreciate the issue with
snapshotting a Domain Controller in a live-and-running state due to
the transitional nature of an Active Directory - a transaction having
been applied on one, but not federated to the others will cause a very
deep level of havoc. In this case, snapshotting is only used as a last-
ditch 'Hey, we broke the AD' fallback. I appreciate the input.

There have only been three actual suggestions as to the Windows Update
question (the entire reason for my posting). None of them have
actually addressed my concern.

Yes, we have a dev environment - the patches have been ratified as
safe.
No, we're not using WSUS. There was an implementation plan Once Upon a
Time, but it was never pushed forward. All things in time.
Patch our DCs monthly! Verily! However:

Should I need to do anything to the Domain Controllers (e.g. stop
services, restart them immediately before, wave a magic wand, shut the
others down while one is updating) while patching? Many different
people telling me many different things - it started when one admin
(not on our team, this was during a discussion about practice) noticed
we didn't stop the DNS Server service to patch the DC while in our dev
environment. I told him he was crazy. The patch went fine, but it got
me to thinking: is there some voodoo to follow when patching a Domain
Controller? Is it really as simple as just running Windows Update like
Any Other Server(tm) ?
Paul Bergson [MVP-DS]
2009-02-19 18:03:17 UTC
There is nothing special about patching a DC. We use a third-party product
and they are patched in the evening w/o any special issues other than
testing prior to production. If you have multiple DCs in your site, you
should be able to do it during the day, as long as there is also a GC available
and Exchange is at least 2003. I believe Exchange needs this to more easily
manage if a GC within the site goes away. I have dropped DCs during the
day w/o a single call.
--
Paul Bergson
Meinolf Weber [MVP-DS]
2009-02-19 21:20:35 UTC
Hello Jeremy,

You can patch a DC like any other computer. When you have more than one, also
during business hours.

Also have a look here about use of snapshots:
http://support.microsoft.com/kb/875495

Best regards

Meinolf Weber
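An added example, not posted by anyone in this thread: both MVPs say a DC is patched like any other server, and the original question was whether the other three DCs need to be touched while one is updating. They do not; what replaces the "shut the others down" ritual is a gate between DCs, so the next one is only rebooted once the previous one is back, advertising, and replicating. The script below is that gate. It assumes PowerShell 2.0 or later and the Windows Support Tools (repadmin.exe and dcdiag.exe) on the machine it runs from; the four DC names in $DomainControllers are placeholders. The services checked are the Server 2003 set (KDC, Net Logon, DNS Server, and NtFrs for SYSVOL); on a DFSR-replicated SYSVOL the last one would be DFSR instead.

```powershell
# Added example (not from the original thread). Health gate to run before
# patching each DC and again after it comes back from the reboot. Assumes
# PowerShell 2.0+ and the Support Tools repadmin.exe/dcdiag.exe in the path.
# The DC names below are assumed; substitute your own.

$DomainControllers = @('DC1', 'DC2', 'DC3', 'DC4')

function Test-DcHealth {
    param([Parameter(Mandatory = $true)][string]$Dc)

    $problems = @()

    # 1. Services a Server 2003 DC must have running. NtFrs carries SYSVOL
    #    on 2003; use 'DFSR' instead on a DFSR-migrated SYSVOL.
    foreach ($svc in 'kdc', 'Netlogon', 'DNS', 'NtFrs') {
        $s = Get-Service -ComputerName $Dc -Name $svc -ErrorAction SilentlyContinue
        if ($null -eq $s -or $s.Status -ne 'Running') {
            $problems += "service $svc not running on $Dc"
        }
    }

    # 2. Inbound replication. repadmin prints one line per partner and
    #    partition: 'Last attempt @ <time> was successful.' or
    #    'Last attempt @ <time> failed, result <n> (<hex>):'.
    $repl = & repadmin /showrepl $Dc 2>&1
    foreach ($line in ($repl | Where-Object { $_ -match 'Last attempt .* failed' })) {
        $problems += "replication: $line"
    }

    # 3. dcdiag /q prints only failures, so any non-blank output is a problem.
    $diag = & dcdiag /s:$Dc /q 2>&1 | Where-Object { $_ -and $_.ToString().Trim() }
    foreach ($line in $diag) {
        $problems += "dcdiag: $line"
    }

    New-Object PSObject -Property @{
        DC       = $Dc
        Healthy  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Walk the DCs in order and stop at the first unhealthy one. Run this before
# starting, and run it again after each DC reboots before touching the next.
foreach ($dc in $DomainControllers) {
    $result = Test-DcHealth -Dc $dc
    if ($result.Healthy) {
        Write-Host "$dc healthy - safe to patch (or to move on to the next DC)"
    } else {
        Write-Host "$dc NOT healthy - fix before patching anything else:"
        $result.Problems | ForEach-Object { Write-Host "  $_" }
        break
    }
}
```

Nothing here stops the DNS Server service or any other service ahead of Windows Update; the installer handles that and the reboot. The point of the gate is the one the original poster raised: while one DC is rebooting the other three keep serving clients and accepting writes, which is the normal, consistent state, and replication catches the patched DC up when it returns. Run the check once more after the last DC to confirm no partner shows a failed attempt before calling the procedure done.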