Laszlo Denes (Canada) asked:
Patching and Updates for a Domain Controller (2008 R2) that has not been patched since 2010. HELP!

Need some insights before I attempt this as it is a little nerve-racking. We have two physical domain controllers (I built one of them) in an AD environment (total servers, physical and virtual, about 27) and have the FSMO roles distributed across them. The two DCs are backed up successfully and right now everything (DCDIAG) is running smoothly between them. The 2nd DC also hasn't been patched for a while, mainly so as not to let it get too far ahead in terms of updates, and for other out-of-scope reasons. Suffice to say these two DCs need to be patched as best practice. DC1 is 2008 R2 ENT, DC2 is 2008 R2 STD with SP1.

I noticed that the updates (MS Baseline Security Analyzer report) do not show SP1 for DC1 yet, so I suspect that it needs more updates than are reported and that these will show up after the missing ones are installed, including SP1. Most of the missing updates are security related, as well as updates for Server 2008 x64 edition. However, I am also seeing some .NET 3.5.1 security updates, a rules update for the AD Best Practice Analyzer, kernel and user mode framework 1.11 drivers, IE9 (eventually IE10/11), the Malicious Software Removal Tool, etc.

I was going to back up the server (including system state) and then patch it (security first, reboot; server updates, reboot; other items). After doing so (and assuming I don't blow it up) I was going to run DCDIAG etc. to make sure that the two DCs and AD still talk. I was then going to do the same with DC2 the next day so as to avoid the two being out of sync too long, followed by another round of verification and system health checks. Greatly appreciate any/all insights at this point on how to handle this without losing a DC, messing up AD and having a stroke. LOL! I can list the KBs if needed. MANY, many thanks in advance to all you server gurus out there.
awawada:

So you do not have WSUS?

1) Install all needed security updates.
2) Afterwards, check the other needed updates or list them here.
Laszlo Denes (asker):

Sorry, no WSUS as we are a very small environment. I scan using MS Update and Microsoft Baseline Security Analyzer.
The issue is that there are many updates (over 100) and I cannot be sure if any of them will have an impact on AD.
Normally I would patch servers every month or two (and member servers are now updated), but these two (DC1 especially) worry me because of AD.

Here is what is missing (and there are likely more) and installed:

Security Updates

                  | MS12-001 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2644615) | Important |
                  | MS13-004 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2742598) | Important |
                  | MS12-083 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2765809) | Important |
                  | MS11-070 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2571621) | Important |
                  | MS12-006 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2585542) | Important |
                  | MS11-017 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2483614) | Important |
                  | MS11-085 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2620704) | Low |
                  | MS10-083 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB979688) | Important |
                  | MS11-075 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2564958) | Important |
                  | MS10-059 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB982799) | Important |
                  | MS12-034 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2676562) | Critical |
                  | MS10-065 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2124261) | Important |
                  | MS11-024 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2506212) | Important |
                  | MS11-043 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2536276) | Critical |
                  | MS12-004 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2631813) | Important |
                  | MS11-100 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2656355) | Critical |
                  | MS11-030 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2509553) | Critical |
                  | MS12-078 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2753842) | Critical |
                  | MS12-054 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2712808) | Moderate |
                  | MS13-004 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2756920) | Important |
                  | MS11-037 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2544893) | Low |
                  | MS10-076 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB982132) | Critical |
                  | MS10-096 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2423089) | Important |
                  | MS12-020 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2621440) | Critical |
                  | MS13-006 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2785220) | Important |
                  | MS12-048 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2691442) | Important |
                  | MS13-032 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2772930) | Important |
                  | MS10-092 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2305420) | Important |
                  | MS13-007 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2736418) | Important |
                  | MS12-034 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2659262) | Important |
                  | MS11-011 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2393802) | Important |
                  | MS12-024 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2653956) | Critical |
                  | MS10-083 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB979687) | Important |
                  | MS10-100 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2442962) | Important |
                  | MS12-054 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2705219) | Moderate |
                  | MS11-059 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2560656) | Important |
                  | MS10-074 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2387149) | Moderate |
                  | MS11-051 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2518295) | Important |
                  | MS12-081 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2758857) | Critical |
                  | MS12-009 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2645640) | Important |
                  | MS12-082 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2770660) | Important |
                  | MS12-017 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2647170) | Important |
                  | MS10-043 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2032276) | Important |
                  | MS12-073 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2719033) | Moderate |
                  | MS11-090 | Missing | Cumulative Security Update for ActiveX Killbits for Windows Server 2008 R2 x64 Edition (KB2618451) | Critical |
                  | MS13-036 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2840149) | Moderate |
                  | MS13-019 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2790113) | Important |
                  | MS12-012 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2643719) | Important |
                  | MS11-048 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2536275) | Important |
                  | MS10-101 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2207559) | Important |
                  | MS11-002 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2419640) | Important |
                  | MS12-049 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2655992) | Important |
                  | MS11-042 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2535512) | Important |
                  | MS12-013 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2654428) | Critical |
                  | MS12-056 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2706045) | Low |
                  | MS12-073 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2716513) | Moderate |
                  | MS12-074 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2729451) | Critical |
                  | MS10-081 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2296011) | Important |
                  | MS11-019 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2511455) | Critical |
                  | MS13-015 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2789644) | Important |
                  | MS13-001 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2769369) | Critical |
                  | MS12-069 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2743555) | Important |
                  | MS11-013 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2425227) | Important |
                  | MS13-002 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2757638) | Moderate |
                  | MS10-040 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB982666) | Important |
                  | MS12-035 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2604114) | Critical |
                  | MS13-029 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2813347) | Moderate |
                  | MS13-018 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2790655) | Important |
                  | MS12-045 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2698365) | Moderate |
                  | MS12-020 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2667402) | Critical |
                  | MS12-036 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2685939) | Critical |
                  | MS13-027 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2807986) | Important |
                  | MS12-034 | Missing | Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB2656410) | Low |
                  | MS13-031 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2813170) | Important |
                  | MS12-034 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2658846) | Important |
                  | MS11-071 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2570947) | Important |
                  | MS12-005 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2584146) | Important |
                  | MS10-061 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2347290) | Important |
                  | MS12-033 | Missing | Security Update for Windows Server 2008 R2 x64 Edition (KB2690533) | Important |

Update Rollups and Service Packs

                  | 2779562 | Missing | Update for Windows Server 2008 R2 x64 Edition (KB2779562) |  |
                  | 982861 | Missing | Windows Internet Explorer 9 for Windows Server 2008 R2 for x64-based Systems |  |
                  | 890830 | Missing | Windows Malicious Software Removal Tool x64 - November 2016 (KB890830) |  |

Current Update Compliance

                  | MS09-059 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB975467) | Important |
                  | 980408 | Installed | Update for Windows Server 2008 R2 x64 Edition (KB980408) |  |
                  | MS10-022 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB981332) | Low |
                  | MS10-019 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB978601) | Critical |
                  | MS10-030 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB978542) | Important |
                  | 974431 | Installed | Update for Windows Server 2008 R2 x64 Edition (KB974431) |  |
                  | MS10-037 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB980218) | Important |
                  | 981793 | Installed | Update for Windows Server 2008 R2 x64 Edition (KB981793) |  |
                  | MS10-012 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB971468) | Important |
                  | MS10-041 | Installed | Microsoft .NET Framework 3.5 SP1 Security Update for Windows 7 and Windows Server 2008 R2 for x64-based Systems (KB979916) | Important |
                  | MS10-013 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB975560) | Critical |
                  | MS10-033 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB979482) | Critical |
                  | MS09-056 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB974571) | Important |
                  | MS10-021 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB979683) | Moderate |
                  | MS10-020 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB980232) | Critical |
                  | MS10-001 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB972270) | Low |
                  | MS10-019 | Installed | Security Update for Windows Server 2008 R2 x64 Edition (KB979309) | Critical |
                  | 977074 | Installed | Update for Windows Server 2008 R2 x64 Edition (KB977074) |  |
                  | MS10-034 | Installed | Cumulative Security Update for ActiveX Killbits for Windows Server 2008 R2 x64 Edition (KB980195) | Critical |
masnrock:
You will find yourself having to skip a number of older updates because of potential compatibility issues, especially after 6 years. I know a test environment is not going to be an available option at this point. How did it get this far behind to begin with?
Laszlo Denes (asker):
Why it got this far behind is a long story and not really part of the solution, so I will skip it. :-)
Any tips as to which ones to look out for?
Since it does not have SP1 yet, should I just download it (MS Update does not list it yet, so likely it needs others first), deploy it and then rescan? Hoping for some feedback that will help me, please and kindly. Thanks!
awawada:
"Any tips as to which ones to look out for?"
No. Microsoft Baseline Security Analyzer shows only security updates, so install them all. :)
masnrock:
SP1 is at least a major rollup of updates, so I'd probably start there as long as all of the prerequisite patches are there. So install any required updates to be ready for SP1, then install SP1. After that, rerun the baseline, and you should get an improved list. The baseline analyzer, as awawada has pointed out, just tells you what you should install. Windows itself figures out what order the updates need to be installed in, but Service Packs always get priority.
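To make the "verify before and after" part of this plan repeatable (system-state backup present, FSMO placement recorded, DCDIAG and replication clean, service pack level and KB status known before the baseline is rerun), here is a PowerShell snapshot script. It is an added example, not code from anyone in this thread; the C:\PatchLogs folder and the two KBs in the default list are assumptions, and it sticks to PowerShell 2.0 cmdlets because that is what 2008 R2 ships with.

```powershell
# Pre/post-patch health snapshot for a 2008 R2 domain controller.
# Added example, not code from the thread. Assumes PowerShell 2.0 (as shipped
# with 2008 R2), local admin rights, and the built-in dcdiag, repadmin, netdom
# and wbadmin tools. Run once before patching and once after each reboot, then
# diff the two reports to spot anything the patch round broke.
param(
    [string]$OutDir = "C:\PatchLogs",                       # assumption: snapshot folder
    [string[]]$ExpectedKBs = @("KB2644615", "KB2676562")    # KBs from the MBSA report to re-check
)

$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$report = Join-Path $OutDir "dc-health-$stamp.txt"

function Log([string]$Text) {
    Write-Host $Text
    $Text | Out-File -FilePath $script:report -Append -Encoding ASCII
}

# Run a native tool, capturing stderr as well, and log it under a heading.
function LogTool([string]$Heading, [scriptblock]$Tool) {
    Log "`n--- $Heading ---"
    $out = & $Tool 2>&1 | ForEach-Object { $_.ToString() }
    Log ($out -join "`n")
}

# 1. Service pack level. MBSA and Windows Update only offer post-SP1 fixes once
#    ServicePackMajorVersion reads 1, which is why the list grows after SP1.
$os = Get-WmiObject Win32_OperatingSystem
Log "OS: $($os.Caption) build $($os.BuildNumber), SP$($os.ServicePackMajorVersion)"

# 2. Prove a system-state backup exists before changing anything on a DC.
LogTool "wbadmin get versions" { wbadmin get versions }

# 3. Record FSMO placement so a DC that fails to come back shows up as a
#    role outage, not just a missing host.
LogTool "netdom query fsmo" { netdom query fsmo }

# 4. Directory health. dcdiag /q prints only failures, so an empty section
#    means every test passed; replsummary shows per-partner replication errors.
LogTool "dcdiag /q" { dcdiag /q }
LogTool "repadmin /replsummary" { repadmin /replsummary }

# 5. Which of the expected KBs are installed now (Get-HotFix reads the same
#    package data Windows Update reports).
Log "`n--- expected KB status ---"
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }
foreach ($kb in $ExpectedKBs) {
    if ($installed -contains $kb) { Log "$kb : installed" } else { Log "$kb : MISSING" }
}

Log "`nSnapshot written to $report"
```

Compare the pre-patch and post-patch files with fc.exe or Compare-Object; any new line in the dcdiag or replsummary sections is the thing to investigate before moving on to DC2.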
Laszlo Denes (asker):
Okay, thanks, that helps. Obviously some of the patches needed to install SP1 are missing, as it is not offering it yet in the baseline analyzer and Windows Update... Will work on identifying the ones I am missing first! Any idea where I can find such a list of required updates for SP1 (2008 R2)?
ASKER CERTIFIED SOLUTION: masnrock (United States of America)
Laszlo Denes (asker):
Thanks... appreciate your help and insights... all points to you :-)