Active Directory patch update best practice

What is the best way to deploy Microsoft server patches, and what is the best client update deployment method?

To try and answer that without background info is not very clever.
To start with: what do you think are the factors that make you feel the default settings are not the best settings for your network?
Use WSUS if you don't want to pay for additional software.
WSUS + GPO policy is simply the way to do this :)
I use WSUS which is a great way to manage patches, as it can be scheduled to suit your requirements.

Mohammed Khawaja, Manager - Infrastructure: Information Technology, commented:
Having any tool is better than no tool where everything needs to be done manually on individual servers. There are many options, and features/functionality differ with price. Below are some solutions:

- WSUS (free), with limited capabilities for pushing third-party applications
- PDQ Deploy (free and paid versions) is a very powerful tool and supports third-party applications
- GFI LanGuard can do automated patching and also has capabilities for performing vulnerability scans, hardware/software audit/inventory, and compliance reports
- Shavlik is a very powerful tool with the ability to have multiple consoles in various subnets/locations to ensure patches are pushed out locally and not over the wide area network
- Microsoft System Center is the best in my opinion, but it is also very complicated and expensive
Author commented:
Thank you for your information. I am adding one AD-related issue that is ongoing. Most of the time, PCs that are removed from the network due to an OS or hardware issue are not disconnected from AD. How can I get the PCs that are not in the network for that reason; how can I get them recognized?

And also, my AD objects moved from one place to another take a longer time to become visible at the AD level.

Some of the PCs are already indicating domain membership from the client end, but there is no record at the AD level.
Mohammed Khawaja, Manager - Infrastructure: Information Technology, commented:
Thanks for the information. What you need to do is get a list of computer objects that have not logged on to the domain for x weeks; after y weeks, disable the computer account, and after z weeks, delete them.

Below is the query to identify computers that have not logged on for 8 weeks:
dsquery computer -inactive 8

Below is the query to disable computers that have not logged on for 12 weeks:
dsquery computer -inactive 12 | dsmod computer -disabled yes

Below is the query to delete computers that have not logged on for 16 weeks:
dsquery computer -inactive 16 | dsrm

When moving AD objects, the time it takes to show on different DCs is caused by replication settings. Lower it from the default 90 minutes.

For PCs that are configured to be part of the domain but have no account in AD, the cause is someone deleting the computer account in AD without removing the computer from the domain. This needs to be fixed manually, and it is caused by a breakdown in your process.
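The staged report/disable/delete procedure above, written as an added PowerShell example with the ActiveDirectory module rather than dsquery/dsmod/dsrm (this is not code from the thread). It assumes RSAT is installed, that the running account has rights on the target OU, and that $TargetOU is a placeholder DN you replace; it runs as a dry run by default and records the disable date in the computer's description so the later delete stage is auditable.

```powershell
# Added example (not from the thread): staged cleanup of stale computer accounts.
# LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which
# can lag the real last logon by up to 14 days, so keep the thresholds generous.
Import-Module ActiveDirectory

$TargetOU     = 'OU=Workstations,DC=example,DC=com'   # placeholder DN, replace it
$ReportWeeks  = 8
$DisableWeeks = 12
$DeleteWeeks  = 16
$DryRun       = $true   # set to $false to actually disable/delete

$now = Get-Date
$computers = Get-ADComputer -SearchBase $TargetOU -Filter * `
    -Properties LastLogonDate, Enabled, OperatingSystem

foreach ($c in $computers) {
    # Accounts that have never logged on have no LastLogonDate; review those by hand
    if (-not $c.LastLogonDate) { continue }
    $ageWeeks = [math]::Floor(($now - $c.LastLogonDate).TotalDays / 7)

    if ($ageWeeks -ge $DeleteWeeks) {
        Write-Output "DELETE  $($c.Name) (last logon $($c.LastLogonDate.ToShortDateString()))"
        if (-not $DryRun) {
            # -Recursive handles computers with child objects (e.g. BitLocker recovery info)
            Remove-ADObject -Identity $c.DistinguishedName -Recursive -Confirm:$false
        }
    }
    elseif ($ageWeeks -ge $DisableWeeks -and $c.Enabled) {
        Write-Output "DISABLE $($c.Name) (last logon $($c.LastLogonDate.ToShortDateString()))"
        if (-not $DryRun) {
            Disable-ADAccount -Identity $c.DistinguishedName
            # Record when and why it was disabled so the delete stage is traceable
            Set-ADComputer -Identity $c.DistinguishedName `
                -Description "Disabled $($now.ToString('yyyy-MM-dd')) - inactive $ageWeeks weeks"
        }
    }
    elseif ($ageWeeks -ge $ReportWeeks) {
        Write-Output "REPORT  $($c.Name) inactive $ageWeeks weeks"
    }
}
```

Run it with $DryRun left at $true first and review the REPORT/DISABLE/DELETE lines before flipping the switch.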
Author commented:
Do you know any method to check the required licenses in the network? Any script-based utility to manage the right numbers?
Mohammed Khawaja, Manager - Infrastructure: Information Technology, commented:
AD does not keep license information in its database, and the license system with Microsoft is based on the honor system. Better get a system or at least a spreadsheet set up.
Author commented:
Can I refresh the AD changes manually, the same as with GPO policy? There is a considerable delay at the AD level.
Mohammed Khawaja, Manager - Infrastructure: Information Technology, commented:
You could replicate changes faster by going to AD Sites and Services and then replicating the connector for each DC, or you could run "repadmin /syncall" if you have the support tools installed. Alternatively, you could go to AD Sites and Services and change the replication interval between your sites. The minimum interval for Win2K3 is 15 minutes, and I am not sure what it is for Win2K8 or higher. Below is a screen capture showing the option:

Also note that replication between DCs in the same site is almost instantaneous and the replication interval only applies to servers in different sites.
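The manual replication push and the site-link interval change described above, as an added PowerShell example (not code from the thread). It assumes an elevated prompt on a DC or an RSAT machine, the ActiveDirectory module's replication cmdlets (Windows Server 2012 or later), and that $SiteLink matches your site link name; after forcing the sync it checks every DC's partner metadata so you can confirm the change actually landed rather than assuming it did.

```powershell
# Added example (not from the thread): force replication, then verify it.
Import-Module ActiveDirectory
$Domain = (Get-ADDomain).DNSRoot

# 1. Push all naming contexts to all DCs, across sites.
#    /A = all partitions, /d = show DNs not GUIDs, /e = enterprise (cross-site),
#    /P = push changes outward, /q = quiet unless there is an error.
repadmin /syncall /AdePq

# 2. Last successful inbound replication per partner, for every DC in the domain.
Get-ADReplicationPartnerMetadata -Target $Domain -Scope Domain |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult |
    Sort-Object Server, Partner |
    Format-Table -AutoSize

# 3. Surface any partner that is failing, with the error and how long it has been failing.
$failures = Get-ADReplicationFailure -Target $Domain -Scope Domain
if ($failures) {
    $failures |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
        Format-Table -AutoSize
} else {
    Write-Output 'No replication failures reported by any DC.'
}

# 4. Optional: shorten the inter-site interval on the site link (15 minutes is the
#    floor the thread mentions). Only affects DCs in different sites; intra-site
#    replication is near-immediate, as noted above.
$SiteLink = 'DEFAULTIPSITELINK'   # assumed default name; change if yours differs
Get-ADReplicationSiteLink -Filter "Name -eq '$SiteLink'" |
    Set-ADReplicationSiteLink -ReplicationFrequencyInMinutes 15
```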

Author commented:
All our servers are in the same site. Any recommended practice for physical and virtual? For example, is at least one physical server running AD recommended?
Mohammed Khawaja, Manager - Infrastructure: Information Technology, commented:
It is a good idea to have one physical DC if everything else will be virtualized. In the virtualization world (Hyper-V, vCenter, etc.), all tend to rely on LDAP authentication, which in most cases is AD. If you are using VMware, you could get away with logging on to each server directly instead of vCenter and starting your DC in an event where the VMs didn't start correctly.
Author commented:
This is Microsoft. How can I go with the time setting? 2 ADs, one is the GC server.
Seth Simmons, Sr. Systems Administrator, commented:
I've requested that this question be closed as follows:

Accepted answer: 500 points for kola12's comment #a40796101

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.