Best Practices for Applying Automatic Updates on Exchange Server 2013 Using WSUS or SCCM

We have 4 Exchange 2013 servers in a production environment:
2 CAS servers with NLB
2 Mbox servers with DAG
What are the best practices for updating these servers using WSUS/SCCM?

Since you never want to allow servers to update and reboot automatically, you will want to put those servers in a particular OU and create a policy for it.

In the policy you'll want to specify your WSUS server to control the downloads of all updates and make sure automatic reboot is not enabled.

Now that you have that in place, you'll want to create a schedule in your calendar to apply the updates. I have mine set to send me an email every two weeks to remind me to apply the updates.

There's a tool I like using with WSUS that will automatically update all the servers I pick and keep rebooting the servers until the updates are all applied. You can watch it live as it does it on each server. That program is called BatchPatch:

You can create a timed schedule in conjunction with your updates so that if you time it all out right, BatchPatch will automatically start downloading the updates from your WSUS server to your Exchange servers at the time you specify. That way you don't have to keep going to each server one by one and doing the updates manually.
Simon Butler (Sembee), Consultant, Commented:
Ensure that the CAS role holders are patched before any mailbox roles are patched. If the mailbox role server is higher than the CAS, then you can get problems with OWA access.

Otherwise I use a group policy object for all servers that has Automatic Updates download the updates, but allows me to choose when to install them. I can then do them one at a time, reboot and then do the other one.

Will Szymkowski, Senior Solution Architect, Commented:
Typically you are going to want to have a Test environment for your Exchange servers so that patches can be tested. Personally, I like to use patch management for pushing the patch downloads to the machines themselves. However, I always manually intervene when I am doing patches. Even though you can suppress the reboot after updates are applied, it is never a good idea to allow patches to be in a pending state for an extended period of time.

I also like to ensure that the patches for Exchange have been properly applied and also perform testing after a batch of patches has been applied. Then once I have confirmed everything is working, I start another batch.



Amit, IT Architect, Commented:
Are you asking for Windows OS patches or Exchange related patches? For OS you can use WSUS or SCCM. For Exchange, you need to download and install manually.

In both cases, you need to put the server into maintenance mode and then perform the upgrade.
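The maintenance-mode step mentioned above, sketched for one DAG mailbox member as an added example that is not part of the original thread. The function names, `MBX01` and `mbx02.example.local` are hypothetical; it assumes the Exchange Management Shell, the FailoverClusters module, a session on a DAG member, and that Unified Messaging is not in use.

```powershell
# Added example. Server names are hypothetical placeholders.
function Enter-DagMaintenance {
    param(
        [Parameter(Mandatory)] [string]$Server,        # DAG member to patch, e.g. 'MBX01'
        [Parameter(Mandatory)] [string]$RedirectFqdn   # other member, e.g. 'mbx02.example.local'
    )
    # Drain transport and hand queued mail to the other DAG member.
    Set-ServerComponentState $Server -Component HubTransport -State Draining -Requester Maintenance
    Redirect-Message -Server $Server -Target $RedirectFqdn -Confirm:$false

    # Pause the cluster node, move active database copies off, block re-activation.
    Suspend-ClusterNode -Name $Server
    Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $true
    Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Blocked

    # The move is asynchronous: poll for up to 10 minutes, then refuse to continue
    # if this server still hosts a mounted (active) copy.
    foreach ($try in 1..20) {
        $active = Get-MailboxDatabaseCopyStatus -Server $Server |
                  Where-Object { $_.Status -eq 'Mounted' }
        if (-not $active) { break }
        Start-Sleep -Seconds 30
    }
    if ($active) { throw "$Server still hosts active copies: $($active.Name -join ', ')" }

    Set-ServerComponentState $Server -Component ServerWideOffline -State Inactive -Requester Maintenance
}

function Exit-DagMaintenance {
    param([Parameter(Mandatory)] [string]$Server)
    # Reverse order: bring components back, rejoin the cluster, allow activation.
    Set-ServerComponentState $Server -Component ServerWideOffline -State Active -Requester Maintenance
    Resume-ClusterNode -Name $Server
    Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $false
    Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Unrestricted
    Set-ServerComponentState $Server -Component HubTransport -State Active -Requester Maintenance

    # Anything not 'Active' here means the server is not fully back in service.
    Get-ServerComponentState $Server | Where-Object { $_.State -ne 'Active' }
}
```

`Exit-DagMaintenance` returns the components that are still not Active, so an empty result is the signal to move on to the next server.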
harisaboobaker, Author, Commented:
Both: OS patches and Exchange patches, updating through an automatic updating mechanism like WSUS or SCCM.
Will Szymkowski, Senior Solution Architect, Commented:
I would not be doing this unattended. That is just my opinion. Exchange is a sensitive business application and applying patches (Windows or Exchange specific) unattended is not a good practice. Like I said originally, it is fine to have them download to the Exchange servers ahead of time but I would be monitoring them and testing them after every reboot that is required.

I would also make sure that you are doing these patches in batches and also having a lab environment where they can be tested.

Amit, IT Architect, Commented:
Remove Exchange from WSUS. Use it for OS patches. Exchange you download separately and then apply.
Simon Butler (Sembee), Consultant, Commented:
WSUS doesn't deliver patches for Exchange 2013 except in very rare circumstances.
Updates for Exchange 2013 are usually delivered through the CU system.

My standard method for servers is to manage approval through WSUS, but manually install on to all servers. No automatic installation/reboots.
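A local audit of the policy described in several answers above (updates come from WSUS and are downloaded, but installation and reboots stay manual), as an added example that is not part of the original thread. It reads the standard Windows Update policy registry values on the server it runs on; the expected values are this example's reading of that policy, not settings quoted by the posters.

```powershell
# Added example: audit the Windows Update policy a GPO writes to the registry.
# Run locally on each Exchange server.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Expected values for "download from WSUS, install only when an admin says so".
$expected = @(
    @{ Path = $au; Name = 'UseWUServer';                   Want = 1 }  # use the internal WSUS server
    @{ Path = $au; Name = 'AUOptions';                     Want = 3 }  # 3 = auto download, notify for install
    @{ Path = $au; Name = 'NoAutoRebootWithLoggedOnUsers'; Want = 1 }  # no forced reboot of a logged-on session
)

$report = foreach ($e in $expected) {
    $actual = Get-PolicyValue -Path $e.Path -Name $e.Name
    [pscustomobject]@{
        Setting   = $e.Name
        Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
        Expected  = $e.Want
        Compliant = ($actual -eq $e.Want)
    }
}

# The WSUS URL itself is site-specific, so only check that one is configured.
$wsusUrl = Get-PolicyValue -Path $wu -Name 'WUServer'
$report += [pscustomobject]@{
    Setting   = 'WUServer'
    Actual    = if ($wsusUrl) { $wsusUrl } else { '<not set>' }
    Expected  = '<any WSUS URL>'
    Compliant = [bool]$wsusUrl
}

# Flag updates that were installed but are still waiting on a reboot.
$pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
           (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')

$report | Format-Table -AutoSize
"Reboot pending: $pending"
```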

harisaboobaker, Author, Commented:
Thanks, all. Thanks very much.