You should have a test lab. When you have a production environment that you can't afford to have go down, you should always have a test lab to verify patches and upgrades, etc. Outside of that it is usually good to designate a dog food server or two. These are the first production servers that get upgrades. You select them based on your ability to recover them and, hopefully, the lack of dependence on them being 110% available.
I would never allow DCs to be autoupdated. It is always a case of me pushing the change and watching for the results, because unexpected/unplanned changes on DCs have a tendency to end up on a trail of tears. Note that thinking there will probably be some patch that gets applied on the second Tuesday of the month is not a planned change. If you have a case where all DCs just start autoupdating, you could find yourself in a position where all DCs aren't working.

I watched a Global 5 DataCenter have large numbers of Windows Servers hit the ground with BSDs after an AV update that was pushed out by the AV Team. My and several other paranoid admins' servers didn't go down because we didn't allow automatic AV updates (as well as automatic OS updates). Had we done so, 400 domain controllers across the world would have BSD'ed and no one could have logged on with domain creds.

When I was an ops guy, I actually used all of my empty Root DCs as dog food servers. They were always the first to get patches and things done to them. Impact was limited if those machines took it in the shorts because users didn't specifically need those machines.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Murray Wall
Sent: Tuesday, July 05, 2005 1:31 PM
To: [email protected]
Subject: [ActiveDir] Patching Strategy on DC's

I have a question about a patching strategy for Domain controllers. We have a single forest, single domain, 4 DCs. When patching for security patches, should we do all the DCs at once, or do half of them, or should we introduce a test lab, or lastly a latent replicated production site with a DC in it? Thoughts and approaches appreciated!
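As an added example that is not part of this thread, the check below audits every DC in the domain for the Windows Update policy state, so a DC that has quietly been left on unattended install shows up before Patch Tuesday rather than after. It assumes the ActiveDirectory PowerShell module, PowerShell remoting to each DC, and the standard Windows Update policy key and value names (NoAutoUpdate, AUOptions).

```powershell
# Added example (not from the original thread): report which DCs are still allowed
# to download and install updates on their own.
# Assumptions: ActiveDirectory module present, WinRM reachable on every DC, and the
# Windows Update policy stored under the standard policy key below.
Import-Module ActiveDirectory

$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Every DC in the domain, by DNS host name.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Read the policy values on each DC in parallel.
$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($key)
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC           = $env:COMPUTERNAME
        NoAutoUpdate = $p.NoAutoUpdate   # 1 = automatic updates disabled by policy
        AUOptions    = $p.AUOptions      # 2 = notify only, 3 = download then notify,
                                         # 4 = download and install on a schedule
    }
} -ArgumentList $auKey

# A DC is flagged when policy does not disable automatic updates AND either no
# policy is set at all (it falls back to the local setting) or AUOptions is 4.
foreach ($r in $report) {
    $unattended = ($r.NoAutoUpdate -ne 1) -and
                  ($null -eq $r.AUOptions -or $r.AUOptions -eq 4)
    $state = if ($unattended) { 'RISK: may auto-install' } else { 'OK: admin-driven' }
    '{0,-30} NoAutoUpdate={1} AUOptions={2} {3}' -f $r.DC, $r.NoAutoUpdate, $r.AUOptions, $state
}
```

Run it from a workstation with domain admin rights before each patch cycle; any DC reported as RISK should be moved back to admin-driven patching, with the dog food DCs patched first by hand as described above.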
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/