Solved

Patching and Updates for a Domain Controller (2008 R2) that has not been patched since 2010. HELP!

Posted on 2016-11-28
Last Modified: 2016-11-30
Need some insights before I attempt this, as it is a little nerve-racking. We have two physical domain controllers (I built one of them) in an AD environment (total servers - physical and virtual - about 27) and have the FSMO roles distributed across them. The two DCs are backed up successfully and right now everything (DCDIAG) is running smoothly between them. The 2nd DC also hasn't been patched for a while, mainly to not let it get too far ahead in terms of updates, and for other out-of-scope reasons. Suffice to say these two DCs need to be patched as best practice.

DC1 is 2008 R2 ENT, DC2 is 2008 R2 STD with SP1. I noticed that the updates (MS Baseline Security Analyzer report) do not show SP1 for DC1 yet, so I suspect that it needs more updates than are reported and that these will show up after the missing ones are installed, including SP1. Most of the missing updates are security related, as well as updates for Server 2008 x64 edition. However, I am also seeing some .NET 3.5.1 security updates and rules update for AD best practice analyzer, kernel and user mode framework 1.11 drivers, IE9 (eventually IE10/11), malicious removal tool, etc.

I was going to back up the server (including system state) and then patch it (security first - reboot, server updates - reboot, other items). After doing so (and assuming I don't blow it up) I was going to run DCDIAG etc. to make sure that the two DCs and AD still talk. I was then going to do the same with DC2 the next day so as to avoid the two being out of sync too long, followed by another round of verification and system health checks.

Greatly appreciate any/all insights at this point on how to handle this without losing a DC, messing up AD and having a stroke. LOL! I can list the KBs if needed. MANY, many thanks in advance to all you server gurus out there.
Question by:Laszlo Denes
9 Comments
 
LVL 18

Expert Comment

by:awawada
ID: 41904778
So you do not have WSUS?

1) Install all needed security updates.
2) Afterwards, check the other needed updates or list them here.
 

Author Comment

by:Laszlo Denes
ID: 41905873
Sorry, no WSUS as we are a very small environment. I scan using MS update and Microsoft Baseline Security Analyzer.
The issue is that there are many updates (over 100) and I cannot be sure if any of them will have an impact on AD.
Normally I would patch servers every month or two (and member servers are now updated), but these two (DC1 especially) worry me because of AD.

Here is what is missing (and there are likely more) and installed:


            Security Updates                  
            
                  | MS12-001 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2644615) | Important |
                  | MS13-004 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2742598) | Important |
                  | MS12-083 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2765809) | Important |
                  | MS11-070 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2571621) | Important |
                  | MS12-006 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2585542) | Important |
                  | MS11-017 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2483614) | Important |
                  | MS11-085 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2620704) | Low |
                  | MS10-083 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB979688) | Important |
                  | MS11-075 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2564958) | Important |
                  | MS10-059 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB982799) | Important |
                  | MS12-034 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2676562) | Critical |
                  | MS10-065 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2124261) | Important |
                  | MS11-024 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2506212) | Important |
                  | MS11-043 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2536276) | Critical |
                  | MS12-004 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2631813) | Important |
                  | MS11-100 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2656355) | Critical |
                  | MS11-030 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2509553) | Critical |
                  | MS12-078 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2753842) | Critical |
                  | MS12-054 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2712808) | Moderate |
                  | MS13-004 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2756920) | Important |
                  | MS11-037 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2544893) | Low |
                  | MS10-076 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB982132) | Critical |
                  | MS10-096 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2423089) | Important |
                  | MS12-020 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2621440) | Critical |
                  | MS13-006 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2785220) | Important |
                  | MS12-048 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2691442) | Important |
                  | MS13-032 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2772930) | Important |
                  | MS10-092 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2305420) | Important |
                  | MS13-007 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2736418) | Important |
                  | MS12-034 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2659262) | Important |
                  | MS11-011 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2393802) | Important |
                  | MS12-024 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2653956) | Critical |
                  | MS10-083 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB979687) | Important |
                  | MS10-100 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2442962) | Important |
                  | MS12-054 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2705219) | Moderate |
                  | MS11-059 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2560656) | Important |
                  | MS10-074 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2387149) | Moderate |
                  | MS11-051 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2518295) | Important |
                  | MS12-081 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2758857) | Critical |
                  | MS12-009 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2645640) | Important |
                  | MS12-082 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2770660) | Important |
                  | MS12-017 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2647170) | Important |
                  | MS10-043 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2032276) | Important |
                  | MS12-073 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2719033) | Moderate |
                  | MS11-090 | Missing | Cumulative Security Update for ActiveX Killbits for Windows Server 2008 R2 x64 Edition (KB2618451) | Critical |
                  | MS13-036 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2840149) | Moderate |
                  | MS13-019 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2790113) | Important |
                  | MS12-012 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2643719) | Important |
                  | MS11-048 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2536275) | Important |
                  | MS10-101 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2207559) | Important |
                  | MS11-002 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2419640) | Important |
                  | MS12-049 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2655992) | Important |
                  | MS11-042 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2535512) | Important |
                  | MS12-013 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2654428) | Critical |
                  | MS12-056 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2706045) | Low |
                  | MS12-073 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2716513) | Moderate |
                  | MS12-074 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2729451) | Critical |
                  | MS10-081 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2296011) | Important |
                  | MS11-019 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2511455) | Critical |
                  | MS13-015 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2789644) | Important |
                  | MS13-001 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2769369) | Critical |
                  | MS12-069 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2743555) | Important |
                  | MS11-013 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2425227) | Important |
                  | MS13-002 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2757638) | Moderate |
                  | MS10-040 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB982666) | Important |
                  | MS12-035 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2604114) | Critical |
                  | MS13-029 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2813347) | Moderate |
                  | MS13-018 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2790655) | Important |
                  | MS12-045 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2698365) | Moderate |
                  | MS12-020 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2667402) | Critical |
                  | MS12-036 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2685939) | Critical |
                  | MS13-027 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2807986) | Important |
                  | MS12-034 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2656410) | Low |
                  | MS13-031 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2813170) | Important |
                  | MS12-034 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2658846) | Important |
                  | MS11-071 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2570947) | Important |
                  | MS12-005 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2584146) | Important |
                  | MS10-061 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2347290) | Important |
                  | MS12-033 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2690533) | Important |

            Update Rollups and Service Packs
            
                  | 2779562 | Missing | Update for Windows Server 2008 R2 x64 Edition (KB2779562) |  |
                  | 982861 | Missing | Windows Internet Explorer 9 for Windows Server 2008 R2 for x64-based Systems |  |
                  | 890830 | Missing | Windows Malicious Software Removal Tool x64 - November 2016 (KB890830) |  |

            Current Update Compliance
            
                  | MS09-059 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB975467) | Important |
                  | 980408 | Installed | Update for Windows Server 2008 R2 x64 Edition (KB980408) |  |
                  | MS10-022 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB981332) | Low |
                  | MS10-019 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB978601) | Critical |
                  | MS10-030 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB978542) | Important |
                  | 974431 | Installed | Update for Windows Server 2008 R2 x64 Edition (KB974431) |  |
                  | MS10-037 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB980218) | Important |
                  | 981793 | Installed | Update for Windows Server 2008 R2 x64 Edition (KB981793) |  |
                  | MS10-012 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB971468) | Important |
                  | MS10-041 | Installed | Microsoft .NET Framework 3.5 SP1 Security Update for Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB979916) | Important |
                  | MS10-013 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB975560) | Critical |
                  | MS10-033 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB979482) | Critical |
                  | MS09-056 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB974571) | Important |
                  | MS10-021 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB979683) | Moderate |
                  | MS10-020 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB980232) | Critical |
                  | MS10-001 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB972270) | Low |
                  | MS10-019 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB979309) | Critical |
                  | 977074 | Installed | Update for Windows Server 2008 R2 x64 Edition (KB977074) |  |
                  | MS10-034 | Installed | Cumulative Security Update for ActiveX Killbits for Windows Server 2008 R2 x64 Edition (KB980195) | Critical |
 
LVL 20

Expert Comment

by:masnrock
ID: 41906201
You will find yourself having to skip a number of older updates because of potential compatibility issues, especially after 6 years. I know a test environment is not going to be an available option at this point. How did it get this far behind to begin with?
 

Author Comment

by:Laszlo Denes
ID: 41906306
Why it got this far behind is a long story and not really part of the solution so I will skip it. :-)
Any tips as to which ones to look out for?
Since it does not have SP1 yet, should I just download it (MS update does not list it yet so likely it needs others first) and deploy it and then rescan? Hoping for some feedback that will help me, please and kindly. Thanks!
 
LVL 18

Expert Comment

by:awawada
ID: 41907030
Any tips as to which ones to look out for?
No. Microsoft Baseline Security Analyzer shows only security updates so install them all. :)
 
LVL 20

Expert Comment

by:masnrock
ID: 41907249
SP1 is at least a major rollup of updates, so I'd probably start there as long as all of the prerequisite patches are there. So install any required updates to be ready for SP1, then install SP1. And after that, rerun the baseline, and you should get an improved list. The baseline analyzer, as awawada has pointed out, just tells you what you should install. Windows itself figures out what order the updates need to be installed in, but Service Packs always get priority.
 

Author Comment

by:Laszlo Denes
ID: 41907302
Okay, thanks, that helps. Obviously some of the patches are missing to install SP1, as it is not offering it yet in the base analyzer and Windows Update... Will work on identifying the ones I am missing first! Any idea where I can find such a list of required updates for SP1 (2008 R2)?
 
LVL 20

Accepted Solution

by:
masnrock earned 500 total points
ID: 41907321
This is very skimpy and vague, but at least it gives 3 of the updates you need: https://support.microsoft.com/en-us/kb/2505743

Depending on what's running on the servers, you may want to look at upgrading the servers as soon as you can. Right now, we're a year past the end of mainstream support.
 

Author Closing Comment

by:Laszlo Denes
ID: 41907337
Thanks... appreciate your help and insights... all points to you :-)
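
The plan discussed in this thread (system state backup, service pack check, DCDIAG before and after patching) written as a PowerShell 2.0 script; this is an added example and not part of any post above. The log folder, backup volume, script name and parameter names are assumptions, and the three KBs in the spot check are Critical entries taken from the MBSA list posted in the thread.

```powershell
# Added example: before/after snapshot for patching a 2008 R2 domain controller.
# PowerShell 2.0 compatible. Run elevated on the DC:
#   .\dc-patch-check.ps1 -Phase before -SystemStateBackup   (script name is hypothetical)
#   .\dc-patch-check.ps1 -Phase after
param(
    [ValidateSet('before','after')][string]$Phase = 'before',
    [string]$OutRoot = 'C:\PatchLogs',   # assumption: local folder for snapshots
    [switch]$SystemStateBackup,
    [string]$BackupTarget = 'E:'         # assumption: volume that holds backups
)

$dir = Join-Path $OutRoot ('{0}-{1:yyyyMMdd-HHmm}' -f $Phase, (Get-Date))
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1. Service pack level: 0 means RTM, 1 means SP1 is installed.
$os = Get-WmiObject Win32_OperatingSystem
'{0} build {1} SP{2}' -f $os.Caption, $os.BuildNumber, $os.ServicePackMajorVersion |
    Tee-Object -FilePath (Join-Path $dir 'os.txt')

# 2. Installed updates, plus a spot check of three Critical KBs from the MBSA list.
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID | Sort-Object)
$installed | Set-Content (Join-Path $dir 'hotfixes.txt')
foreach ($kb in 'KB2676562', 'KB2621440', 'KB2753842') {
    $state = if ($installed -contains $kb) { 'Installed' } else { 'Missing' }
    '{0}: {1}' -f $kb, $state
}

# 3. AD health. With /q dcdiag prints only errors, so any output needs review.
$dcdiag = dcdiag /q
$dcdiag | Set-Content (Join-Path $dir 'dcdiag.txt')
if ($dcdiag) { Write-Warning "dcdiag reported problems, see $dir\dcdiag.txt" }

repadmin /replsummary | Set-Content (Join-Path $dir 'replsummary.txt')
netdom query fsmo     | Set-Content (Join-Path $dir 'fsmo.txt')

# Replication links with a non-zero failure count, across all DCs.
$failed = @(repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 })
if ($failed.Count -gt 0) {
    Write-Warning ('{0} replication link(s) failing' -f $failed.Count)
    $failed | Format-Table 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status' -AutoSize
}

# 4. After patching: list the updates added since the last "before" snapshot.
if ($Phase -eq 'after') {
    $prev = Get-ChildItem $OutRoot | Where-Object { $_.PSIsContainer -and $_.Name -like 'before-*' } |
        Sort-Object Name | Select-Object -Last 1
    if ($prev) {
        $old = @(Get-Content (Join-Path $prev.FullName 'hotfixes.txt'))
        $installed | Where-Object { $old -notcontains $_ }
    }
}

# 5. Optional system state backup (needs the Windows Server Backup feature).
if ($SystemStateBackup) {
    wbadmin start systemstatebackup "-backupTarget:$BackupTarget" -quiet
}
```

Get-HotFix reads Win32_QuickFixEngineering, which does not list every kind of update, so treat the spot check as a quick indicator and the MBSA rescan as the authoritative list.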