[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 230
  • Last Modified:

Patching and Updates for a Domain Controller (2008 R2) that has not been patched since 2010. HELP!

Need some insights before I attempt this as it is a little nerve racking. We have two physical domain controllers (I built one of them) in an AD environment (total servers - physical and virtual - about 27) and have the FSMO roles distributed across them. The two DC's are backed up successfully and right now everything (DCDIAG) is running smoothly between them. The 2nd DC also hasn't been patched for a while, mainly to not let it get ahead too far in terms of updates and other out-of-scope reasons. Suffice to say these two DC's need to be patched as best practice. DC1 is 2008 R2 ENT, DC2 is 2008 R2 STD with SP1. I noticed that the updates (MS Baseline Security Analyzer Report) does not show SP1 for DC1 yet so I suspect that it needs more updates than are reported and that these will show up after the missing one's are installed including SP1. Most of the missing updates are security related, as well as updates for Server 2008 x64 edition. However, I am also seeing some .net 3.5.1 security updates and rules update for AD best practice analyzer, kernel and user mode framework 1.11 drivers, ie9 (eventually ie10/11) malicious removal tool, etc. I was going to backup the server (including system state) and then patch it (security first -  reboot, server updates - reboot, other items). After doing so (and assuming I don't blow it up) I was going to run DCDIAG etc. to make sure that the two DC's and AD still talk. I was then going to do the same with DC2 the next day so as to avoid the two being out of sync too long, followed by another round of verification and system health checks. Greatly appreciate any/all insights at this point on how to handle this without losing a DC, messing up AD and having a stroke. LOL! I can list the KB's if needed. MANY, many thanks in advance to all you server guru's out there.
0
Laszlo Denes
Asked:
Laszlo Denes
  • 4
  • 3
  • 2
1 Solution
 
awawadaCommented:
So you do not have WSUS?

1)  Install all needed security updates
2) After check other needed updates or list it here.
0
 
Laszlo DenesAuthor Commented:
Sorry, no WSUS as we are a very small environment. I scan using MS update and Microsoft Baseline Security Analyzer.
The issue is that there are many updates (over 100) and I cannot be sure if any of them will have an impact on AD.
Normally I would patch servers every month or two (and member servers are now updated), but these two (DC1 especially) worry me because of AD.

Here is what is missing (and there are likely more) and installed:


            Security Updates                  
            
                  | MS12-001 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2644615) | Important |
                  | MS13-004 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2742598) | Important |
                  | MS12-083 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2765809) | Important |
                  | MS11-070 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2571621) | Important |
                  | MS12-006 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2585542) | Important |
                  | MS11-017 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2483614) | Important |
                  | MS11-085 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2620704) | Low |
                  | MS10-083 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB979688) | Important |
                  | MS11-075 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2564958) | Important |
                  | MS10-059 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB982799) | Important |
                  | MS12-034 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2676562) | Critical |
                  | MS10-065 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2124261) | Important |
                  | MS11-024 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2506212) | Important |
                  | MS11-043 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2536276) | Critical |
                  | MS12-004 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2631813) | Important |
                  | MS11-100 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2656355) | Critical |
                  | MS11-030 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2509553) | Critical |
                  | MS12-078 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2753842) | Critical |
                  | MS12-054 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2712808) | Moderate |
                  | MS13-004 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2756920) | Important |
                  | MS11-037 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2544893) | Low |
                  | MS10-076 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB982132) | Critical |
                  | MS10-096 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2423089) | Important |
                  | MS12-020 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2621440) | Critical |
                  | MS13-006 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2785220) | Important |
                  | MS12-048 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2691442) | Important |
                  | MS13-032 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2772930) | Important |
                  | MS10-092 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2305420) | Important |
                  | MS13-007 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2736418) | Important |
                  | MS12-034 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2659262) | Important |
                  | MS11-011 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2393802) | Important |
                  | MS12-024 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2653956) | Critical |
                  | MS10-083 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB979687) | Important |
                  | MS10-100 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2442962) | Important |
                  | MS12-054 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2705219) | Moderate |
                  | MS11-059 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2560656) | Important |
                  | MS10-074 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2387149) | Moderate |
                  | MS11-051 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2518295) | Important |
                  | MS12-081 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2758857) | Critical |
                  | MS12-009 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2645640) | Important |
                  | MS12-082 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2770660) | Important |
                  | MS12-017 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2647170) | Important |
                  | MS10-043 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2032276) | Important |
                  | MS12-073 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2719033) | Moderate |
                  | MS11-090 | Missing | Cumulative Security Update for ActiveX Killbits for Windows Server 2008 R2 x64 Edition (KB2618451) | Critical |
                  | MS13-036 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2840149) | Moderate |
                  | MS13-019 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2790113) | Important |
                  | MS12-012 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2643719) | Important |
                  | MS11-048 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2536275) | Important |
                  | MS10-101 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2207559) | Important |
                  | MS11-002 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2419640) | Important |
                  | MS12-049 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2655992) | Important |
                  | MS11-042 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2535512) | Important |
                  | MS12-013 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2654428) | Critical |
                  | MS12-056 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2706045) | Low |
                  | MS12-073 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2716513) | Moderate |
                  | MS12-074 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2729451) | Critical |
                  | MS10-081 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2296011) | Important |
                  | MS11-019 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2511455) | Critical |
                  | MS13-015 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2789644) | Important |
                  | MS13-001 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2769369) | Critical |
                  | MS12-069 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2743555) | Important |
                  | MS11-013 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2425227) | Important |
                  | MS13-002 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2757638) | Moderate |
                  | MS10-040 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB982666) | Important |
                  | MS12-035 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2604114) | Critical |
                  | MS13-029 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2813347) | Moderate |
                  | MS13-018 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2790655) | Important |
                  | MS12-045 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2698365) | Moderate |
                  | MS12-020 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2667402) | Critical |
                  | MS12-036 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2685939) | Critical |
                  | MS13-027 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2807986) | Important |
                  | MS12-034 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2656410) | Low |
                  | MS13-031 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2813170) | Important |
                  | MS12-034 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2658846) | Important |
                  | MS11-071 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2570947) | Important |
                  | MS12-005 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2584146) | Important |
                  | MS10-061 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2347290) | Important |
                  | MS12-033 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2690533) | Important |

            Update Rollups and Service Packs
            
                  | 2779562 | Missing | Update for Windows Server 2008 R2 x64 Edition (KB2779562) |  |
                  | 982861 | Missing | Windows Internet Explorer 9 for Windows Server 2008 R2 for x64-based Systems |  |
                  | 890830 | Missing | Windows Malicious Software Removal Tool x64 - November 2016 (KB890830) |  |

            Current Update Compliance
            
                  | MS09-059 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB975467) | Important |
                  | 980408 | Installed | Update for Windows Server 2008 R2 x64 Edition (KB980408) |  |
                  | MS10-022 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB981332) | Low |
                  | MS10-019 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB978601) | Critical |
                  | MS10-030 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB978542) | Important |
                  | 974431 | Installed | Update for Windows Server 2008 R2 x64 Edition (KB974431) |  |
                  | MS10-037 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB980218) | Important |
                  | 981793 | Installed | Update for Windows Server 2008 R2 x64 Edition (KB981793) |  |
                  | MS10-012 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB971468) | Important |
                  | MS10-041 | Installed | Microsoft .NET Framework 3.5 SP1 Security Update for Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB979916) | Important |
                  | MS10-013 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB975560) | Critical |
                  | MS10-033 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB979482) | Critical |
                  | MS09-056 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB974571) | Important |
                  | MS10-021 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB979683) | Moderate |
                  | MS10-020 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB980232) | Critical |
                  | MS10-001 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB972270) | Low |
                  | MS10-019 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB979309) | Critical |
                  | 977074 | Installed | Update for Windows Server 2008 R2 x64 Edition (KB977074) |  |
                  | MS10-034 | Installed | Cumulative Security Update for ActiveX Killbits for Windows Server 2008 R2 x64 Edition (KB980195) | Critical |
0
 
masnrockCommented:
You will find yourself having to skip a number of older updates because of potential compatibility issues, especially after 6 years. I know a test environment is not going to be an available option at this point. How did it get this far behind to begin with?
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
Laszlo DenesAuthor Commented:
Why it got this far behind is a long story and not really part of the solution so I will skip it. :-)
Any tips as to which one's to look out for?
Since it does not have SP1 yet should I just download it (MS update does not list it yet so likely it needs others first) and deploy it and then rescan. Hoping for some feedback that will help me please and kindly.. Thanks!
0
 
awawadaCommented:
Any tips as to which one's to look out for?
No. Microsoft Baseline Security Analyzer shows only security updates so install them all. :)
0
 
masnrockCommented:
SP1 is at least a major rollup of updates, so I'd probably start there as long as all of the prerequisite patches are there. So install any required updates to be ready for SP1, then install SP1. And after that, rerun the baseline, and you should get an improved list. The baseline analyzer, as awawada has pointed out, just tell you what you should install. Windows itself figures out what order the updates need to be installed in, but Service Packs always get priority.
0
 
Laszlo DenesAuthor Commented:
Okay thanks that helps. Obviously some of the patches are missing to install SP1 as it is not offering it yet in the base analyzer and windows update... Will work on identifying the one's I am missing first! Any idea where I can find such a list of required updates for SP1 (2008 R2)
0
 
masnrockCommented:
This is very skimpy and vague, but at least it gives 3 of the updates you need: https://support.microsoft.com/en-us/kb/2505743

Depending on what's running on the servers, you may want to look at upgrading the servers as soon as you can. Right now, we're a year past the end of mainstream support.
0
 
Laszlo DenesAuthor Commented:
Thanks... appreciate your help and insights... all points to you :-)
0

Featured Post

Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

  • 4
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now