Solved

Cross-Forest WSUS Patch Management

Posted on 2012-04-02
Last Modified: 2012-06-27
Hi,

My current employers are co-hosting a number of clients' Win 2003/2008 AD forests on our own infrastructure, and because the combined infrastructures are relatively small (~80 server hosts), I want to implement a single WSUS server that rolls patches out to all servers.

Has anyone implemented a cross forest WSUS server, and if so, do you have any tips/advice/steps/manuals?
Question by:cpadm
2 Comments
 
LVL 1

Author Comment

by:cpadm
ID: 37796868
I have the following roll-out steps in my head:

1.) Install WSUS server (make sure patches not stored on OS drive...)
2.) Create a WSUS folder for each forest, with subfolders for each server OS/Role.
3.) Create a server WSUS group policy in each forest to point at the single WSUS server.
4.) Set all servers to download patches, but manually install
0
 
LVL 17

Accepted Solution

by:
Tony Massa earned 2000 total points
ID: 37799287
WSUS isn't domain specific, so all you would need to do is configure all of the clients to point to a single WSUS server and then set up different groups for patching.

When I used to patch, I preferred not to use target groups; instead, I managed the reboots on the computers and managed the groups on WSUS.  I then set up patching and reporting groups that all computers were members of.  Because of our weird patching schedules, I did have to manually move servers into (and out of) the patching groups the week they were scheduled to patch, but servers are always a member of their respective reporting groups.

You generally would pick a subset of low-risk servers to patch first (can be from different 'forests'), then release the same patches to servers that are more important, but not business critical.  The last servers will be your 'critical' production group(s).  Some multi-tiered apps need reboots in specific order, but if you are manually pushing the patches and not auto-rebooting, there isn't a lot to worry about.  It will save Internet bandwidth.  :)

You would probably want to use client-side targeting to prevent accidental grouping (mixing) of WSUS clients from the WSUS Admin console.  http://paulslager.com/?p=10
0
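A check for steps 3 and 4 of the plan and for the client-side targeting suggested in the accepted answer, added here as an example and not posted by either participant: it compares the Windows Update policy values a WSUS GPO writes on a server against what that forest's GPO is supposed to deliver. The function names, the server URL and the group names are hypothetical placeholders; the registry value names are the standard Windows Update policy values.

```powershell
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    # Read the policy values the WSUS group policy writes on this machine.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WuKey\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer = $wu.WUServer; WUStatusServer = $wu.WUStatusServer
        TargetGroupEnabled = $wu.TargetGroupEnabled; TargetGroup = $wu.TargetGroup
        UseWUServer = $au.UseWUServer; AUOptions = $au.AUOptions
    }
}

function Test-WsusClientPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [string]   $ExpectedServer,
        [Parameter(Mandatory)] [string[]] $ExpectedGroups
    )
    $findings = @()
    if ($Policy.UseWUServer -ne 1) { $findings += 'UseWUServer is not 1: client is not using WSUS' }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        if ($Policy.$name -ne $ExpectedServer) {
            $findings += "$name is '$($Policy.$name)', expected '$ExpectedServer'"
        }
    }
    if ($Policy.TargetGroupEnabled -ne 1) { $findings += 'Client-side targeting is not enabled' }
    # TargetGroup can list several groups separated by semicolons.
    $actual = @("$($Policy.TargetGroup)" -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    foreach ($g in $ExpectedGroups) {
        if ($g -notin $actual) { $findings += "Missing target group '$g'" }
    }
    foreach ($g in $actual) {
        if ($g -notin $ExpectedGroups) { $findings += "Unexpected target group '$g' (possible cross-forest mix-up)" }
    }
    # AUOptions 3 = download automatically, notify before install (step 4 of the plan).
    if ($Policy.AUOptions -ne 3) { $findings += "AUOptions is '$($Policy.AUOptions)', expected 3" }
    $findings
}

# Constructed sample: a forest A server that picked up forest B's group and auto-install.
$sample = [pscustomobject]@{
    WUServer = 'http://wsus.example.internal:8530'; WUStatusServer = 'http://wsus.example.internal:8530'
    TargetGroupEnabled = 1; TargetGroup = 'ForestB-Reporting'; UseWUServer = 1; AUOptions = 4
}
Test-WsusClientPolicy -Policy $sample -ExpectedServer 'http://wsus.example.internal:8530' `
    -ExpectedGroups 'ForestA-Reporting'
# On a live server, pass (Get-WsusClientPolicy) as -Policy instead of $sample.
```

For the constructed sample the function returns three findings: the missing `ForestA-Reporting` group, the unexpected `ForestB-Reporting` group, and `AUOptions` set to 4 instead of 3.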

Question has a verified solution.