Solved

WSUS - Deployment strategy help

Posted on 2010-08-24
8
1,144 Views
Last Modified: 2012-05-10
All,

     We have a single 2K3, native, AD domain. We now have about 1100 PCs across the state at 70 facilities. The OU structure is simple; that is, most of the workstations are in a single OU. The rest are child OUs off the main [with various GPOs assigned to them]... here is a crude visual:

- Workstations
              - OU1
              - OU2
              - OU3
              - OU4
              - OU5
              - OU6
              - OU7
              - WSUS Filtered OUT.
              - WSUS Test OU <--- Will be used as a test OU for special applications in OUs 1-7.
              - WSUS Staging OU <--- being used to bring systems up-to-date ... but will be deleted once we are in production.


 Ultimately the PCs are used for CD/DVD RW access or some sort of special application where a TC is simply not suited. We have already identified the applications that cannot accept updates and created an OU that will serve to filter out the WSUS GPO. In addition, we have also developed a strategy to deploy the updates following application testing with the PCs in the aforementioned OUs. I will comment on that shortly.

At this time we are relatively up to a current update base with the PCs. All are up to XP SP 3 and most are in a WSUS staging OU receiving updates weekly. [Our current staging and planned WSUS GPO will be for Critical and Security updates ONLY. SPs will be deployed only after extensive evaluations]

Okay. Those things said, what I am looking for is guidance/confirmation/any information towards the following strategic requirements:

1) We must have a written test plan in place to test the applications in the OUs that have been created/configured to accommodate said applications.
     * For the most part I can hammer this out. Insight would be appreciated though.

2) We must have a 2 week lag between the Auto-Approvals for the WSUS Test environment/OUs and the Production Environment/OUs.
     * This is where I am having some difficulty. That is, this is going to end up being a manual approval for the latter while approval for the former will remain Automatic... Correct?

3) An additional OU must be created so the WSUS Production Policy can be filtered out.
     * Like it or not...I work for an organization where any updates following XP SP 2 will simply cripple the application hosted on the system.

Any help is appreciated.

If you need further information I am happy to give it. Just let me know.

Thank you,

Naerwen
Question by:Naerwen
8 Comments
 
LVL 2

Expert Comment

by:zsaurabh
ID: 33510699
I agree with your ideas.
You must create the same OU structure in the WSUS console and release the patches OU-wise.
0
 
LVL 1

Author Comment

by:Naerwen
ID: 33511084
zsaurabh,
 
     I figured as much, as you can see. I guess my main concern is that there is no way to automate the approvals for a two week delay. That is, I will have to manually approve the updates for the Production network once we've tested the PCs and their associated applications in our test environment, correct?
 
Thanks,
 
Naerwen
0
 
LVL 12

Accepted Solution

by:
Rant32 earned 250 total points
ID: 33511363
I would like to add that most of the WSUS administration tasks can be automated in .NET, with the library Microsoft.UpdateServices.Administration.dll

The DLL is documented in http://msdn.microsoft.com/en-us/library/microsoft.updateservices.administration%28VS.85%29.aspx

I'm not a very skilled C# programmer, but I imagine that it's fairly trivial to retrieve the updates approved for your Test OU and approve them for the Production OU.

The IUpdate.GetUpdateApprovals method has an overloaded version that allows selecting Update Approvals in a specific time range:
http://msdn.microsoft.com/en-us/library/bb294943%28VS.85%29.aspx

Can't directly help with any code, but maybe this will give you some ideas.
0
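The lagged copy of approvals that Rant32 describes, written out as an added example (this is not Rant32's code, nor Microsoft's sample code). It assumes a WSUS server named wsus01 on the default non-SSL port 8530 and two computer target groups named "WSUS Test" and "WSUS Production" matching the OUs above; all of those are placeholders for your environment. It only copies Install approvals that have been sitting on the Test group for the full 14 days, restricts itself to the Critical and Security classifications the question calls for, and never touches an update that Production already has an approval for.

```csharp
// Added example, not from the original thread: promote Test-group approvals to
// Production after a 14-day lag. Server, port and group names are assumptions.
using System;
using System.Linq;
using Microsoft.UpdateServices.Administration;

class LaggedApproval
{
    const string ServerName = "wsus01";          // assumption: your WSUS host
    const int Port = 8530;                       // assumption: default non-SSL port
    const string TestGroup = "WSUS Test";        // assumption: group names mirror the OUs
    const string ProdGroup = "WSUS Production";
    const int LagDays = 14;                      // the required two-week lag
    static readonly string[] Classes = { "Critical Updates", "Security Updates" };

    static void Main(string[] args)
    {
        bool dryRun = args.Contains("--dry-run");   // report only, approve nothing
        IUpdateServer server = AdminProxy.GetUpdateServer(ServerName, false, Port);
        var groups = server.GetComputerTargetGroups().Cast<IComputerTargetGroup>().ToList();
        IComputerTargetGroup test = groups.First(g => g.Name == TestGroup);
        IComputerTargetGroup prod = groups.First(g => g.Name == ProdGroup);
        DateTime cutoff = DateTime.UtcNow.AddDays(-LagDays);

        foreach (IUpdate update in server.GetUpdates())
        {
            if (update.IsDeclined || !Classes.Contains(update.UpdateClassificationTitle))
                continue;
            // Only an Install approval on Test that is old enough to have served the full lag.
            IUpdateApproval testApproval = update.GetUpdateApprovals(test)
                .Cast<IUpdateApproval>()
                .FirstOrDefault(a => a.Action == UpdateApprovalAction.Install);
            if (testApproval == null || testApproval.CreationDate > cutoff)
                continue;
            // Leave anything alone that already has an approval recorded for Production,
            // so a deliberate "Not Approved" or manual decision is never overridden.
            if (update.GetUpdateApprovals(prod).Count > 0)
                continue;
            Console.WriteLine("{0}: {1} (on Test since {2:d})",
                              dryRun ? "WOULD APPROVE" : "APPROVE",
                              update.Title, testApproval.CreationDate);
            if (dryRun) continue;
            if (update.RequiresLicenseAgreementAcceptance)
                update.AcceptLicenseAgreement();  // Approve() fails without this
            update.Approve(UpdateApprovalAction.Install, prod);
        }
    }
}
```

Run it with --dry-run first and keep that output as the audit record of what the test plan signed off on; scheduled without the flag, it is the automatic two-week promotion the question asks about.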
 
LVL 12

Expert Comment

by:Rant32
ID: 33511413
Just thought of this:

Do you have the ability to assign computers using GPO (client side targeting)?

The combination of GPO and WMI filters is very powerful. You could detect a piece of installed software using WMI (registry query) and effectuate a different GPO (different computer group) based on the installed software.

Your deployment seems large enough to warrant an investigation into this.
0

 
LVL 5

Assisted Solution

by:n1wgk
n1wgk earned 250 total points
ID: 33536049
You can approve the patches to the group you want (matching the OU structure) and then right click on the patch and set a deadline for 2 weeks, 1 week, whatever. You would then make sure that Group Policy was set up NOT to automatically patch machines, letting the deadline pass and thereby forcing it to happen.

It's a bit manual but it does work.
0
 
LVL 1

Author Comment

by:Naerwen
ID: 33542746
- Rant32, still looking into those links.
- n1wgk, Curious. Setting the deadline simply means "install before this date", correct?
0
 
LVL 5

Expert Comment

by:n1wgk
ID: 33545249
That is correct...however, if you have it set up within Group Policy to simply download the patches but not automatically install them, this could work. Of course, it would take some training to NOT install the patches when the machine comes up with the notification.  :-)
0
 
LVL 1

Author Closing Comment

by:Naerwen
ID: 33579792
Both experts gave good advice. Though I should note that Rant32's C#/.NET solution will be our likely course of action... as deadlining an update does not offer the level of control needed for our environment.
0
