How about: (and maybe not in this order)

1) Install a test environment - test patches before implementation
2) Patch half after compatibility and performance, then patch the others
within 48 hrs. (less, if you're feeling comfortable or the patch is of a
very critical and high risk category)
3) Get a complete system state backup of all DCs before applying any
patches.

A couple thoughts - and to expand upon my earlier comment.

Security IS Risk Management - plain and simple.  Don't patch quickly just
for the sake of patching because Microsoft releases a fix.  Look closely at
the details of the patch - specifically the Technical sections.  Determine
what RISK this vulnerability poses to your environment.  If it has to do
with Alerter on your DCs, but you have the Alerter service off and Disabled,
then it poses less of a risk than, say - RPC which will allow remote
execution if exploited.

However, at the same time you need to take into account that there is a real
potential that the application of any un-tested patch WILL cause disruption
of normal operations.  Thereby, you need to approach any patching with the
give and take of applying a patch because it is necessary and critical, with
that of the possibility of disruption.  Analyze the risk of either action,
and act accordingly.

Rick

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Murray Wall
Sent: Tuesday, July 05, 2005 12:31 PM
To: [email protected]
Subject: [ActiveDir] Patching Strategy on DC's

I have a question about a patching strategy for Domain controllers.  We
have a single forest, single domain, 4 DCs.  When patching for security
patches, should we do all the DCs at once, or do half of them, or should
we introduce a test lab, or lastly a latent replicated production site
with a DC in it?  Thoughts and approaches appreciated!
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
