• Status: Solved

Servers Updates

Hi all,

The situation is that we have 4 Windows 2000 SP4 servers that I am planning to keep up to date by applying security fixes provided by Microsoft on a week-by-week plan.

I have some concerns though, since I know that sometimes those fixes are not actually fixes, and that they might cause problems. This should never be the case on our production servers.

Right now, we have pending updates since 2005, and I am starting to apply those updates, but I need a clear path on how to do those, keeping in mind that the servers must stay as stable as they are.

If anybody has any ready-made plans or links to articles, and/or advice, it would be appreciated.

Please note that we have 2 web servers (ASP, no dotNET, even though we might migrate soon) and 2 SQL 2000 SP4 servers.

Thanks.
 

right now they have
Inteqam
Asked:

Jay_Jay70 Commented:
Hi Inteqam,

Nothing beats testing. Can you set up a machine with the same spec as you have and then trial the update? Even a virtual machine.

Also look at this:
http://www.microsoft.com/windowsserversystem/updateservices/default.mspx

Inteqam (Author) Commented:
Well, unfortunately no.

Also, sometimes applying the update will not show any problems till maybe after a week :(

An example of a strategy that I am thinking of following is to only apply updates that are at least 2 months old.

What do you think?

Inteqam (Author) Commented:
I can't use this WSUS thing, I don't trust it, it might damage the server.
 
Jay_Jay70 Commented:
It won't damage your server. It is what most network admins will use to administer updates - it's proven time and time again to be the most efficient.

That will allow you to approve and not approve what you don't want.

Inteqam (Author) Commented:
OK, if it allows you to select what to install and what not to, then it doesn't differ from the built-in (custom update) that comes with Windows. That's not what I am searching for.

I am searching for a second line of defense, a procedure, a plan. For example:

1. Take a backup of system state.
2. Apply only updates that are older than one month.
3. etc...

In case of failure or instability:

1. Restore ...
2. etc...

Sorry, I am more a developer than a network admin, so please be patient with me.

r-k Commented:
I would vote for having a spare server for testing also as suggested by Jay_Jay, but if that is not possible, you can consider this approach:

(1) Make sure your system drive is a raid-1 mirror.

(2) Just before applying an update, shut down the server and remove one of the mirror disks (and replace it with another disk). Don't break the mirror before shutdown.

(3) Apply the update.

(4) If all seems well after quick testing then re-build mirror using that "new" disk you inserted in step (2)

(5) If obvious problems (system won't boot etc.) then replace system disk with the disk you removed in step (2)

Of course, as with all such plans, test and make sure it works before trouble strikes, and it is not a solution for everything (such as problems that surface days or weeks later), but it gives you an extra layer of safety for the cost of a disk or two.

Inteqam (Author) Commented:
Nice thoughts ;)

The problem is that I don't have physical access to the servers, I only connect through VPN.

Anyhow, this is also not what I am afraid of.

I mean, I am afraid for example that an MDAC update will need changes to the code to keep the web server going.

I am afraid that updates to IIS prevent running some JavaScripts.

Things like that.

r-k Commented:
"I am afraid that updates to IIS prevent running some JavaScripts."

This would be covered by what I suggested, assuming you tested for this soon after an upgrade, but not having physical access to the server makes it tough.

Monitoring for known problems via a web search for the KB reference might help, but won't guarantee trouble-free updates. At the same time, the updates of late have been less trouble-prone than they used to be, but you are right to be cautious.

Good luck.

gidds99 Commented:
Inteqam -

"I am afraid for example that an MDAC update will need changes to the code to keep the web server going.

I am afraid that updates to IIS prevent running some JavaScripts."

I do not think that you will have any problems of this nature. These updates do not make changes of this type, i.e. they do not generally alter any functionality; rather, they fix bugs/holes/etc.

The main concern is that they may (in a very small number of cases) cause some instability and/or "break" the server (i.e. it won't boot, runs slow or crashes).

To reiterate what has already been said above, you can research each update before applying it to identify any known issues, as you can bet that if there are any major problems someone else will experience them and discuss their issues on the web.

Also, where you are unable to test the patch on a test system, you may delay deployment for a month or so to allow you to check for any issues which may be identified by others. You should also bear in mind that where a serious problem is identified and Microsoft acknowledges a problem, then generally the patch itself would be patched to address the problem.

Hope this helps.

Inteqam (Author) Commented:
Cool,

Now, is there a software way to ensure that I can get back to where I was before doing a hotfix? A system state backup, for example?

gidds99 Commented:
You can do it with a backup.  But there is also this method for removing hotfixes:

http://www.jsifaq.com/SUBF/TIP2700/rh2717.htm

r-k Commented:
Yes, you can uninstall hotfixes, even from the Add/Remove control panel, but it is not a perfect science, and sometimes it fails to undo the damage.

Re. backups, backing up the system state is a good start, but that doesn't back up any application data, web sites, programs etc.

At the same time, for _most_ people there is no problem with updates. If your application is important enough that downtime would be very bad, then you really should be looking at a test server, mirror disks, and along those lines.

Jay_Jay70 Commented:
I think you are taking an over-cautious approach myself - and I don't mean that in an insulting way.

It is very rare that hotfixes and updates do damage..... there have been one or two that I can think of and there were fixes within 24 hours kind of thing...

Software update services are your BEST option for deployment, but I would agree that there is no testing facility with them.

If you want to be this careful, then set up another server, even a cheap box, and mirror your config; it saves you time and stops you risking a screw-up with a system state backup and restore.

Just my opinion.

gidds99 Commented:
I would agree with that. You are being overcautious and the chances of a serious problem are very remote.

Inteqam (Author) Commented:
All this is OK.

I have one concern still: since I am building my solution based on an OLD tech (ASP with VB 6), I am still afraid that I do an update that corrupts the working model.

Can this happen?

Jay_Jay70 Commented:
It "could" happen, but it's a pretty hard thing to predict - just take it slow.

Inteqam (Author) Commented:
One thing that just happened to me now (on my PC): there was an update to the network driver that, when I installed it, I lost my connection - lost the ability to enable it. I had to uninstall the new driver (even signed) and search for the original CD, and re-install the old driver.

:|

r-k Commented:
Yes, that does happen, unfortunately. For that reason I don't update drivers on important systems unless there are problems with the old driver.

Jay_Jay70 Commented:
I never allow Windows to update anything relating to hardware; use the manufacturer's. You are just asking for trouble with Windows hardware drivers.

Inteqam (Author) Commented:
Good, I feel like I am pulling words from you guys. Those are the recommendations that I was looking for; I want to know them, not the HARD WAY.

Any other recommendations?

Jay_Jay70 Commented:
Hmm, Windows updates have been pretty secure for me as long as I hold off on hardware updates and let the base drivers run from the manufacturers.

It's also good to check the MS site regularly for news on potentially hazardous updates; they are pretty on the ball with those bulletins.

Besides that, the only other reccos I have would be a test system, but often this isn't feasible. You can even look at using Virtual Server or VMware and setting up a test system... works well...

Inteqam (Author) Commented:
Thanks all

Jay_Jay70 Commented:
No problem, good luck

r-k Commented:
Thanks. Happy patching!