Solved

WSUS - Deployment strategy help

Posted on 2010-08-24
Last Modified: 2012-05-10
All,

     We have a single 2K3, native, AD domain. We now have about 1100 PCs across the state at 70 facilities. The OU structure is simple; that is, most of the workstations are in a single OU. The rest are child OUs off the main [with various GPOs assigned to them]... here is a crude visual:

- Workstations
              - OU1
              - OU2
              - OU3
              - OU4
              - OU5
              - OU6
              - OU7
              - WSUS Filtered OUT.
              - WSUS Test OU <--- Will be used as a test OU for special applications in OUs 1-7.
              - WSUS Staging OU <--- being used to bring systems up-to-date ... but will be deleted once we are in production.


 Ultimately the PCs are used for CD/DVD RW access or some sort of special application where a TC is simply not suited. We have already identified the applications that cannot accept updates and created an OU that will service filtering out the WSUS GPO. In addition, we have also developed a strategy to deploy the updates following application testing with the PCs in the aforementioned OUs. I will comment on that shortly.

At this time we are, relatively, up to a current update base with the PCs. All are up to XP SP 3 and most are in a WSUS staging OU receiving updates weekly. [Our current staging and planned WSUS GPO will be for Critical and Security updates ONLY. SPs will be deployed only after extensive evaluations]

Okay. Those things said, what I am looking for is guidance/confirmation/any information towards the following strategic requirements:

1) We must have a written test plan in place to test the applications in the OUs that have been created/configured to accommodate said applications.
     * For the most part I can hammer this out. Insight would be appreciated though.

2) We must have a 2 week lag between the Auto-Approvals for the WSUS Test environment/OUs and the Production Environment/OUs.
     * This is where I am having some difficulty. That is, this is going to end up being a manual approval for the latter while approval for the former will remain Automatic... Correct?

3) An additional OU must be created so the WSUS Production Policy can be filtered out.
     * Like it or not...I work for an organization where any updates following XP SP 2 will simply cripple the application hosted on the system.

Any help is appreciated.

If you need further information I am happy to give it. Just let me know.

Thank you,

Naerwen
Question by:Naerwen
8 Comments
 
LVL 2

Expert Comment

by:zsaurabh
ID: 33510699
I agree with your ideas.
You must create the same OU structure in the WSUS console and release the patches OU-wise.
0
 
LVL 1

Author Comment

by:Naerwen
ID: 33511084
zsaurabh,
 
     I figured as much, as you can see. I guess my main concern is that there is no way to automate the approvals for a two week delay. That is, I will have to manually approve the updates for the Production network once we've tested the PCs and their associated applications in our test environment, correct?
 
Thanks,
 
Naerwen
0
 
LVL 12

Accepted Solution

by:
Rant32 earned 250 total points
ID: 33511363
I would like to add that most of the WSUS administration tasks can be automated in .NET, with the library Microsoft.UpdateServices.Administration.dll

The DLL is documented in http://msdn.microsoft.com/en-us/library/microsoft.updateservices.administration%28VS.85%29.aspx

I'm not a very skilled C# programmer, but I imagine that it's fairly trivial to retrieve the updates approved for your Test OU and approve them for the Production OU.

The IUpdate.GetUpdateApprovals method has an overloaded version that allows you to select Update Approvals in a specific time range:
http://msdn.microsoft.com/en-us/library/bb294943%28VS.85%29.aspx

Can't directly help with any code, but maybe this will give you some ideas.
0
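The approach described in the answer above, as an added PowerShell example that is not part of the original thread: it finds Install approvals on the test group that are at least two weeks old and creates matching approvals on the production group. The group names `WSUS Test` and `Production`, the `-Apply` switch, the year-2000 lower date bound, and running locally on the WSUS server are assumptions.

```powershell
# Added example: promote aged test-group approvals to production.
# Group names, the 14-day lag and the -Apply switch are assumptions.
param(
    [string]$TestGroupName = 'WSUS Test',    # assumed WSUS computer group name
    [string]$ProdGroupName = 'Production',   # assumed WSUS computer group name
    [int]$LagDays = 14,
    [switch]$Apply                           # without -Apply the script only reports
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

$groups = $wsus.GetComputerTargetGroups()
$test = $groups | Where-Object { $_.Name -eq $TestGroupName }
$prod = $groups | Where-Object { $_.Name -eq $ProdGroupName }
if (-not $test -or -not $prod) { throw 'Target group not found; check the group names.' }

$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
$cutoff  = (Get-Date).ToUniversalTime().AddDays(-$LagDays)
$epoch   = [DateTime]'2000-01-01'            # assumed lower bound, predates any approval

# Restrict the search to updates that carry an approval for the test group.
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
[void]$scope.ApprovedComputerTargetGroups.Add($test)

foreach ($update in $wsus.GetUpdates($scope)) {
    if ($update.IsDeclined -or $update.IsSuperseded) { continue }

    # Time-range overload: Install approvals on the test group created before the cutoff.
    $aged = $update.GetUpdateApprovals($test, $install, $epoch, $cutoff)
    if ($aged.Count -eq 0) { continue }

    # Skip updates that already have an Install approval on production.
    $existing = $update.GetUpdateApprovals($prod) | Where-Object { $_.Action -eq $install }
    if ($existing) { continue }

    if ($update.RequiresLicenseAgreementAcceptance) {
        Write-Warning "Needs EULA acceptance, left for manual review: $($update.Title)"
        continue
    }
    if ($Apply) {
        [void]$update.Approve($install, $prod)
        Write-Output "Approved for ${ProdGroupName}: $($update.Title)"
    } else {
        Write-Output "Would approve for ${ProdGroupName}: $($update.Title)"
    }
}
```

The script promotes on age alone, so an update that breaks an application during testing has to be declined or have its test-group approval removed before the lag expires.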
 
LVL 12

Expert Comment

by:Rant32
ID: 33511413
Just thought of this:

Do you have the ability to assign computers using GPO (client side targeting)?

The combination of GPO and WMI filters is very powerful. You could detect a piece of installed software using WMI (registry query) and effectuate a different GPO (different computer group) based on the installed software.

Your deployment seems large enough to warrant an investigation into this.
0
 
LVL 5

Assisted Solution

by:Rick Johnson
Rick Johnson earned 250 total points
ID: 33536049
You can approve the patches to the group you want (matching the OU structure) and then right click on the patch and set a deadline for 2 weeks, 1 week, whatever. You would then make sure that Group Policy was set up NOT to automatically patch machines, letting the deadline pass and thereby forcing it to happen.

It's a bit manual but it does work.
0
 
LVL 1

Author Comment

by:Naerwen
ID: 33542746
- Rant32, still looking into those links.
- niwqk, Curious. Setting the deadline simply means "install before this date", correct?
0
 
LVL 5

Expert Comment

by:Rick Johnson
ID: 33545249
That is correct...however, if you have it set up within Group Policy to simply download the patches but not automatically install them, this could work. Of course, it would take some training to NOT install the patches when the machine comes up with the notification.  :-)
0
 
LVL 1

Author Closing Comment

by:Naerwen
ID: 33579792
Both experts gave good advice. Though I should note that Rant32's C#/.NET solution will be our likely course of action... as deadlining an update does not offer the level of control needed for our environment.
0
