On Wed, Jul 12, 2017 at 11:33 AM, Michael B. Smith <[email protected]> wrote:
> In my opinion, you are not being over-cautious. You certainly (ABSOLUTELY)
> do not want all your DCs patching at the same time, much less rebooting at
> the same time.
>

Yes, that's what I do manually. Patch one, reboot, make sure I can log in, log out, move on to next DC. And to emulate that, I would need multiple GPOs, all set to trigger at different times. And I can't see how to set an automatic install time except in hourly increments.

So I think I may just stay with doing it manually. (I have 10 DCs, spread across the root and child domain, although there really isn't anything in the root domain except those DCs). It just takes close to an hour manually that way, between waiting for patches to install, and the reboot to finish, and check.

> *From:* [email protected] [mailto:listsadmin@lists.myitforum.com] *On Behalf Of* Michael Leone
> *Sent:* Wednesday, July 12, 2017 11:23 AM
> *To:* [email protected]; Patch Management Mailing List
> *Subject:* Re: [NTSysADM] Advice on patching Domain Controllers via WSUS
>
> On Wed, Jul 12, 2017 at 11:05 AM, Kennedy, Jim <[email protected]> wrote:
>
> Separate group in WSUS, download but don’t install. I manually install
> them during downtime I schedule shortly after patch Tuesday. That is how I
> handle member servers and DC’s.
>
> But, I only have 40 or so servers to do.
>
> Yeah, we have close to 4x that. When it was only 40-50, manually
> installing patches is manageable. With our number, we have 3 staff come in
> and have to do 50+ servers once a month. That's like 12 hours or so
> overtime (total for all 3) every month. So auto-installing patches would
> also be a cost saving maneuver for us, as well.
>
> I have groups in WSUS, and approve current month patches for just our
> testing servers, and everything up until this month for all other servers.
> So I would just add the DCs to that second group. And then use a GPO to
> either download or install, and tie it to a specific AD group.
>
> I'm just a bit leery about having DCs auto-patch. I don't know if I am
> being over-cautious, is all ...
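
The one-DC-at-a-time reboot and check described in this thread, as an added example that is not part of the original messages: it restarts each domain controller with a pending update reboot in turn and stops at the first one that does not come back healthy. It assumes the script runs from an admin workstation (not a DC) with the RSAT ActiveDirectory module and `dcdiag`, PowerShell remoting to every DC, and updates already installed by whatever WSUS policy is in use; the function name `Test-DcHealthy` and the timeouts are illustrative.

```powershell
#Requires -Modules ActiveDirectory
# Added example: serialize DC reboots and gate each one on a health check.
# Assumption: updates are already installed, only the reboot is outstanding.

# Windows Update creates this key while a reboot is pending.
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

function Test-DcHealthy {
    param([string]$Name)
    # Core DC services must be running again after the restart.
    $svc = Invoke-Command -ComputerName $Name -ErrorAction SilentlyContinue -ScriptBlock {
        Get-Service -Name NTDS, Netlogon, Kdc
    }
    if (-not $svc -or ($svc | Where-Object Status -ne 'Running')) { return $false }
    # dcdiag prints "failed test <name>" for every test that does not pass.
    $diag = dcdiag /s:$Name /test:Advertising /test:Replications
    return -not ($diag -match 'failed test')
}

# Every DC in the forest, so root and child domains are handled in one pass.
$dcs = (Get-ADForest).Domains | ForEach-Object {
    Get-ADDomainController -Filter * -Server $_
} | Sort-Object HostName

foreach ($dc in $dcs) {
    $name = $dc.HostName
    $pending = Invoke-Command -ComputerName $name -ScriptBlock { Test-Path -Path $using:rebootKey }
    if (-not $pending) { Write-Host "$name : no reboot pending, skipping"; continue }

    Write-Host "$name : restarting"
    Restart-Computer -ComputerName $name -Force -Wait -For PowerShell -Timeout 1800 -ErrorAction Stop

    # Give AD DS up to 10 minutes to start advertising before judging health.
    $healthy = $false
    foreach ($try in 1..10) {
        if (Test-DcHealthy -Name $name) { $healthy = $true; break }
        Start-Sleep -Seconds 60
    }
    # Halting here leaves every remaining DC untouched and still serving logons.
    if (-not $healthy) { throw "$name did not come back healthy; stopping before the next DC" }
    Write-Host "$name : healthy"
}
```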

