Will highly recommend BatchPatch. We use it to manage patching of our servers. For DCs, we will download, install, and reboot one DC at a time, confirming that each is up before starting on the next.

We found it affordable and it saves us a ton of time to get patches installed.

On Wed, Jul 12, 2017 at 11:23 AM, Michael Leone <[email protected]> wrote:
> On Wed, Jul 12, 2017 at 11:05 AM, Kennedy, Jim <[email protected]> wrote:
>
>> Separate group in WSUS, download but don't install. I manually install
>> them during downtime I schedule shortly after Patch Tuesday. That is how I
>> handle member servers and DCs.
>>
>> But, I only have 40 or so servers to do.
>
> Yeah, we have close to 4x that. When it was only 40-50, manually
> installing patches is manageable. With our number, we have 3 staff come in
> and have to do 50+ servers once a month. That's like 12 hours or so
> overtime (total for all 3) every month. So auto-installing patches would
> also be a cost-saving maneuver for us, as well.
>
> I have groups in WSUS, and approve current month patches for just our
> testing servers, and everything up until this month for all other servers.
> So I would just add the DCs to that second group. And then use a GPO to
> either download or install, and tie it to a specific AD group.
>
> I'm just a bit leery about having DCs auto-patch. I don't know if I am
> being over-cautious, is all ...
>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Michael Leone
>> Sent: Wednesday, July 12, 2017 10:56 AM
>> To: [email protected]
>> Subject: [NTSysADM] Advice on patching Domain Controllers via WSUS
>>
>> Our policy has been that our DCs are not patched via WSUS, like other
>> member servers, but instead that we manually install the current patches
>> from Microsoft Update. But now, I would like to change this, and use WSUS
>> to patch all the DCs to our production levels (meaning: one month behind on
>> released patches).
>>
>> I don't see any downsides to this. I would create a new GPO (rather than
>> modify the Default Domain Controllers Policy). I think I might still set
>> them to download only, not automatically install.
>>
>> Thoughts?
>>
>> Should I let them auto-install, like most of my other member servers?
>>
>> Is that what you others do?
>>
>> Do you let your DCs get their patches via WSUS?
>>
>> (the more servers I don't have to manually install patches on, the
>> happier I am. We have some servers that we must do manually, for reasons I
>> won't go into)
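The "one DC at a time, confirm it is up before starting the next" procedure described at the top of the thread, written out as an added PowerShell example. This is not code from the original posts and has nothing to do with BatchPatch's own implementation; it uses the Windows Update Agent COM API plus a scheduled task, because WUA rejects download/install calls that arrive over a remote session. It assumes WinRM access to every DC, Domain Admin rights, RSAT (dcdiag) on the management host, and that the DCs already point at WSUS via a GPO set to "download but don't install" (AUOptions=3), so the install step only applies what WSUS has already approved for that group. The DC names, task name and result-file path are placeholders.

```powershell
<#
  Added example (not from the thread): patch DCs strictly one at a time.
  Assumptions: WinRM to each DC, Domain Admin rights, WSUS GPO applied with
  AUOptions=3 (download only), dcdiag available locally. Names are placeholders.
#>
[CmdletBinding()]
param(
    [string[]] $DomainControllers = @('DC01.corp.example', 'DC02.corp.example'),  # assumed names
    [int] $HealthTimeoutSec = 900
)

# Runs locally on the DC as SYSTEM via a scheduled task: WUA refuses Download()/Install()
# made from a remote (WinRM) session, so Invoke-Command alone is not enough.
$localInstall = @'
$out = 'C:\Windows\Temp\PatchDC.result'   # placeholder result path
try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 1           # ssManagedServer: WSUS only, never Microsoft Update
    $found = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
    if ($found.Count -eq 0) { 'OK' | Set-Content $out; exit }
    $coll = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $found) { if (-not $u.EulaAccepted) { $u.AcceptEula() }; [void]$coll.Add($u) }
    $dl = $session.CreateUpdateDownloader(); $dl.Updates = $coll; [void]$dl.Download()  # no-op if cached
    $inst = $session.CreateUpdateInstaller(); $inst.Updates = $coll
    $r = $inst.Install()
    # OperationResultCode: 2 = succeeded, 3 = succeeded with errors; anything else is a failure
    if ($r.ResultCode -notin 2, 3) { "ERROR $($r.ResultCode)" | Set-Content $out; exit }
    $(if ($r.RebootRequired) { 'REBOOT' } else { 'OK' }) | Set-Content $out
} catch { "ERROR $_" | Set-Content $out }
'@
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($localInstall))

# Registers the task on the DC, waits for it, and hands back OK / REBOOT / ERROR.
$runViaTask = {
    param([string] $Encoded)
    $name = 'PatchDC-OneAtATime'           # placeholder task name
    Remove-Item 'C:\Windows\Temp\PatchDC.result' -ErrorAction SilentlyContinue
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -EncodedCommand $Encoded"
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $name -Action $action -Principal $principal -Force | Out-Null
    Start-ScheduledTask -TaskName $name
    do { Start-Sleep -Seconds 20 } while ((Get-ScheduledTask -TaskName $name).State -eq 'Running')
    Unregister-ScheduledTask -TaskName $name -Confirm:$false
    Get-Content 'C:\Windows\Temp\PatchDC.result' -ErrorAction SilentlyContinue
}

function Test-DcHealthy {
    param([string] $Dc)
    # Independent signals: LDAP and Kerberos answering, NTDS running, DC advertising itself.
    foreach ($port in 389, 88) {
        if (-not (Test-NetConnection -ComputerName $Dc -Port $port -InformationLevel Quiet)) { return $false }
    }
    $ntds = Invoke-Command -ComputerName $Dc -ScriptBlock { (Get-Service NTDS).Status } -ErrorAction SilentlyContinue
    if ("$ntds" -ne 'Running') { return $false }
    $adv = dcdiag /s:$Dc /test:Advertising
    return [bool]($adv -match 'passed test Advertising')
}

foreach ($dc in $DomainControllers) {
    Write-Host "== $dc =="
    # Never start on a DC while one is already down: a failed pre-check stops the run.
    if (-not (Test-DcHealthy $dc)) { throw "$dc is not healthy before patching; stopping." }

    $result = Invoke-Command -ComputerName $dc -ScriptBlock $runViaTask -ArgumentList $encoded
    if ("$result" -like 'ERROR*') { throw "Install failed on ${dc}: $result" }

    if ("$result" -eq 'REBOOT') {
        # Blocks until WinRM is back; AD health is still verified separately below.
        Restart-Computer -ComputerName $dc -Wait -For PowerShell -Timeout $HealthTimeoutSec -Force
    }

    $deadline = (Get-Date).AddSeconds($HealthTimeoutSec)
    while (-not (Test-DcHealthy $dc)) {
        if ((Get-Date) -gt $deadline) { throw "$dc did not return to service in $HealthTimeoutSec s; not touching the next DC." }
        Start-Sleep -Seconds 30
    }
    Write-Host "$dc patched and healthy; moving on."
}
```

Run it from a management host, not from a DC, and order the list so the PDC emulator and any other FSMO holder come last. The pre-check at the top of the loop is what enforces the thread's rule: if a previous DC never came back, the script refuses to take the next one down rather than leaving two DCs out at once. A replication check (repadmin /replsummary) after the whole run is a sensible addition but is intentionally not automated here, since its output needs a human to read.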

