Dave asked:
WSUS randomised reboot times - Maintenance Windows doesn't work

I am successfully using WSUS to update our fleet.
I have an issue with the timing of the installation and reboots, particularly of Servers.


At 4am (scheduled install time) all servers download, install and reboot.
Which is what it's meant to do.
The issue I have is that often the reboots happen within minutes of each other, and worse, may have all Active Directory Servers rebooting at exactly the same time, so for a few minutes there are no AD servers on the network.

I want to be able to randomise the reboots by 1 hour so that they don't all occur at exactly the same time.

I looked at the Maintenance Scheduler GPO settings which should allow randomisation, so that the Automatic Maintenance runs at 3am (plus or minus 1 hour), which should install Updates and reboot if needed. But this doesn't seem to work.


My GPO settings are as below:


Computer Configuration (Enabled)
Policies
Administrative Templates

Windows Components/Maintenance Scheduler

Automatic Maintenance Activation Boundary Enabled  
Regular maintenance activation boundary 2000-01-01T03:00:00
 

Automatic Maintenance Random Delay Enabled  
Regular maintenance random delay PT1H
 

Windows Components/Windows Update

Allow Automatic Updates immediate installation Enabled  
Automatic Updates detection frequency Enabled  
Check for updates at the following
interval (hours):  6
 

Configure Automatic Updates Enabled  
Configure automatic updating: 4 - Auto download and schedule the install
The following settings are only required and applicable if 4 is selected.
Install during automatic maintenance Enabled
Scheduled install day:  0 - Every day
Scheduled install time: 04:00
If you have selected “4 – Auto download and schedule the install” for your scheduled install day and specified a schedule, you also have the option to limit updating to a weekly, bi-weekly or monthly occurrence, using the options below:
Every week Disabled
First week of the month Disabled
Second week of the month Disabled
Third week of the month Disabled
Fourth week of the month Disabled
 
Install updates for other Microsoft products Enabled
 

Do not include drivers with Windows Updates Enabled  
Enable client-side targeting Enabled  
Target group name for this computer Windows Servers
 

Specify active hours range for auto-restarts Enabled  
Specify the max active hours range:
Max range:  18
 

Specify intranet Microsoft update service location Enabled  
Set the intranet update service for detecting updates: http://wsus.domain.local 
Set the intranet statistics server: http://wsus.domain.local 
Set the alternate download server:  
(example: http://IntranetUpd01)
Download files with no Url in the metadata if alternate download server is set.  
 

Turn off auto-restart for updates during active hours Enabled  
Active Hours
Start:  6 AM
End: 10 PM
 

Turn on recommended updates via Automatic Updates Enabled  

Windows Components/Windows Update/Windows Update for Business

Manage preview builds Enabled  
Set the behavior for receiving preview builds: Disable preview builds
 
Select when Quality Updates are received Enabled  
After a quality update is released, defer receiving it for this many days: 7


Which I'm hoping will do this:

Set the Maintenance Window to be 3am with a Random Delay of 1 hour (so hopefully the server installs the updates and reboots at a random time within that hour; doesn't seem to work)

Install updates immediately if they don't affect the OS.
Check for updates often, every 6 hours.

Download and Install the updates every day during the Maintenance Window and also at 4am (which it does exactly at 4am, but not during the Maintenance Window at 3am +/- 1 hour)

Set Active hours to be between 6am and 10pm so no reboots occur during working hours.

Don't install Preview Builds and don't install Quality Updates immediately; wait 7 days before installing.

So what am I doing wrong, as the Servers are not installing the Updates during the Maintenance Window, but are waiting until 4am and then they all reboot around the same time?
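Before blaming the policy design it is worth reading back what the two GPO areas actually wrote on one of the servers, and whether the built-in task that drives Automatic Maintenance is present and has ever run. The following is an added example, not part of Dave's question; it reads the documented policy registry locations used by the Windows Update and Task Scheduler ADMX templates and the "Regular Maintenance" task, and assumes it is run elevated on a Server 2012 R2 or later box.

```powershell
# Added example (not from the thread): snapshot of the WSUS / Maintenance Scheduler
# policy values as applied on this server, plus the state of the Regular Maintenance task.
# Run in an elevated PowerShell on the server under investigation.

$AuKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WuKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$MaintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Task Scheduler\Maintenance'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is missing, so an unapplied setting is visible
    # instead of being silently skipped.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-UpdatePolicySnapshot {
    [pscustomobject]([ordered]@{
        'AUOptions (4 = auto download + schedule)' = Get-PolicyValue $AuKey 'AUOptions'
        'ScheduledInstallDay (0 = every day)'      = Get-PolicyValue $AuKey 'ScheduledInstallDay'
        'ScheduledInstallTime (hour, 24h)'         = Get-PolicyValue $AuKey 'ScheduledInstallTime'
        'AutomaticMaintenanceEnabled'              = Get-PolicyValue $AuKey 'AutomaticMaintenanceEnabled'
        'DetectionFrequency (hours)'               = Get-PolicyValue $AuKey 'DetectionFrequency'
        'UseWUServer'                              = Get-PolicyValue $AuKey 'UseWUServer'
        'WUServer'                                 = Get-PolicyValue $WuKey 'WUServer'
        'SetActiveHours'                           = Get-PolicyValue $WuKey 'SetActiveHours'
        'ActiveHoursStart'                         = Get-PolicyValue $WuKey 'ActiveHoursStart'
        'ActiveHoursEnd'                           = Get-PolicyValue $WuKey 'ActiveHoursEnd'
        'Maintenance Activation Boundary'          = Get-PolicyValue $MaintKey 'Activation Boundary'
        'Maintenance Randomized'                   = Get-PolicyValue $MaintKey 'Randomized'
        'Maintenance Random Delay'                 = Get-PolicyValue $MaintKey 'Random Delay'
    })
}

function Get-RegularMaintenanceTaskState {
    # Automatic Maintenance is launched by this built-in task; if it is disabled or
    # has never run, the Maintenance Scheduler policy cannot have any effect.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\TaskScheduler\' `
                              -TaskName 'Regular Maintenance' -ErrorAction SilentlyContinue
    if ($null -eq $task) { return $null }
    $info = $task | Get-ScheduledTaskInfo
    [pscustomobject]@{
        TaskName       = $task.TaskName
        State          = $task.State
        LastRunTime    = $info.LastRunTime
        LastTaskResult = $info.LastTaskResult
        NextRunTime    = $info.NextRunTime
    }
}

Get-UpdatePolicySnapshot | Format-List
$taskState = Get-RegularMaintenanceTaskState
if ($null -eq $taskState) { Write-Warning 'Regular Maintenance task not found' }
else { $taskState | Format-List }
```

If "Maintenance Activation Boundary" and "Maintenance Random Delay" come back empty the Maintenance Scheduler GPO has not reached the machine (check the GPO link and `gpresult /scope computer /r`); if they are populated but "LastRunTime" on the task is old, the problem is on the maintenance side rather than in the WSUS settings.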


McKnife:
Set the DCs up so they do different times or better even days. If an update decides to wreck something on all DCs, what will you do? So it's better to do the first half of DCs on one day and the other on the next day.
Dave (asker):
Thanks.
So you are suggesting to move the DCs into another Sub OU and apply a different GPO to them?
That's a bit clunky as a solution, but would work.
But it doesn't help for the rest of the servers that are Rebooting at the same time. That's a load in the VM Hosts.

Is there a way to randomise the times?
McKnife:
No. I am suggesting to use another policy for them, not to move them into other OUs, which is not recommended for this.
You can use security filtering on policies so that they will only be applied by certain computers/groups of computers (one way) or use WMI filtering (another way).

I did not use randomization for restart times yet and would have to try that out myself, sorry.
Dave (asker):
@McKnife

Yes, ok. So a WMI query that would apply to Odd numbered final octet IPs and another that would apply to Even Numbered last octet IPs would work well.

The AD servers are consecutive IPs, x.x.x.10 and x.x.x.11 so a GPO with a WMI filter for Odd numbers would apply one day (or week) and then another GPO with Even number WMI filter could apply for the next day (or week)

This would also work on the rest of the servers, that would mean only half of the servers would reboot at around 4am, the other half would the next day (or week)

No idea how to write that WMI query though :-)

@Everyone

Still a load on the VM Hosts to have half the server farm rebooting within 10-20 minutes of each other, which randomisation of the WSUS would fix.

I'm surprised that I haven't seen this before elsewhere (or I just haven't noticed) and that this isn't a problem for others as well?

Any other ideas to get a randomised reboot schedule for Windows Updates?
The Maintenance Schedule looks like it's perfect for it, if it worked!
McKnife:
Use security filtering. Create a policy "WSUS for DC1", open properties -> security -> Authenticated users: untick "apply policy" and add the group "DC1" (which holds the 1st half of your DCs) and check "apply policy" for them. Do the same on another policy "WSUS for DC2" which applies only to group DC2. No WMI needed.
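The same two group-filtered policies can be built with the GroupPolicy module instead of clicking through the editor. This is an added example, not McKnife's own code: the group names DC1 and DC2 and the policy names come from his post; the domain name domain.local, the Domain Controllers OU path and the two install days are assumptions for illustration. It only sets the schedule values, so the WSUS server location and the other settings stay in the existing fleet-wide GPO.

```powershell
# Added example (not from the thread): two WSUS schedule policies, each applied only to
# one group of DCs via security filtering, built with the GroupPolicy (RSAT) module.
# Assumed: domain domain.local, groups DC1 / DC2 exist, run as a GPO administrator.
Import-Module GroupPolicy

$DcOu  = 'OU=Domain Controllers,DC=domain,DC=local'   # assumed OU path
$AuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function New-FilteredWsusPolicy {
    param(
        [string]$Name,
        [string]$ApplyGroup,   # only members of this group apply the policy
        [int]$InstallDay,      # 0 = every day, 1 = Sunday ... 7 = Saturday
        [int]$InstallHour      # 0-23
    )
    $gpo = New-GPO -Name $Name -ErrorAction Stop

    # Same values the "Configure Automatic Updates" page writes: option 4 with a schedule.
    Set-GPRegistryValue -Name $Name -Key $AuKey -ValueName 'NoAutoUpdate'         -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $AuKey -ValueName 'AUOptions'            -Type DWord -Value 4 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $AuKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value $InstallDay | Out-Null
    Set-GPRegistryValue -Name $Name -Key $AuKey -ValueName 'ScheduledInstallTime' -Type DWord -Value $InstallHour | Out-Null

    # Security filtering: Authenticated Users keep Read only (the computer account must
    # still be able to read the GPO), and only $ApplyGroup gets Apply.
    Set-GPPermission -Name $Name -TargetName 'Authenticated Users' -TargetType Group `
                     -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $Name -TargetName $ApplyGroup -TargetType Group `
                     -PermissionLevel GpoApply | Out-Null

    New-GPLink -Name $Name -Target $DcOu -LinkEnabled Yes | Out-Null
    return $gpo
}

# First half of the DCs on Tuesday 04:00, second half on Wednesday 04:00 (assumed days).
New-FilteredWsusPolicy -Name 'WSUS for DC1' -ApplyGroup 'DC1' -InstallDay 3 -InstallHour 4 | Out-Null
New-FilteredWsusPolicy -Name 'WSUS for DC2' -ApplyGroup 'DC2' -InstallDay 4 -InstallHour 4 | Out-Null

# Verify the filtering: GpoApply must appear only for the intended group.
foreach ($n in 'WSUS for DC1', 'WSUS for DC2') {
    Get-GPPermission -Name $n -All |
        Select-Object @{n='Policy';e={$n}}, @{n='Trustee';e={$_.Trustee.Name}}, Permission
}
```

Because these policies set the same registry values as the fleet-wide WSUS GPO, they must win on precedence: linked at the Domain Controllers OU they are closer to the computer than a domain-level link and therefore apply last, but check the resulting order with `gpresult` on one DC from each group before relying on it.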
Dave (asker):
Thanks
That's ok for the DCs but not for the rest of the server fleet.
DCs don't change often so a static group will work.
Putting machines into groups is too manual for the everything else.
That's why I was thinking of wmi as it's automatic.
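For the WMI route Dave describes, the filter needs a WQL expression that a GPO WMI filter can evaluate, and it should be validated on a machine before it is attached to a policy, because a filter that silently matches every host (or none) looks exactly like a working one in the console. The block below is an added example, not from the thread: it builds odd/even last-octet queries for an assumed server subnet 10.0.0.0/24 and cross-checks them against the parity computed independently from the local IPv4 address. It queries Win32_IP4RouteTable rather than Win32_NetworkAdapterConfiguration because the route table's Destination is a plain string, whereas the adapter's IPAddress property is an array that WQL LIKE cannot filter reliably.

```powershell
# Added example (not from the thread): WQL for a GPO WMI filter that selects servers by
# the parity of the last IPv4 octet, plus a local check that the query really selects
# (or rejects) the machine it runs on. Subnet prefix 10.0.0 is an assumption.

function New-LastOctetWql {
    param(
        [string]$Prefix,                              # first three octets, e.g. 10.0.0
        [ValidateSet('Odd', 'Even')][string]$Parity
    )
    $digits = if ($Parity -eq 'Odd') { '13579' } else { '02468' }
    # Every local IPv4 address has a host route (Mask 255.255.255.255) in the route table.
    # The subnet broadcast address has one too and would match "odd" on every host, so it
    # is excluded explicitly (adjust for subnets other than /24).
    "SELECT * FROM Win32_IP4RouteTable WHERE Mask = '255.255.255.255' " +
    "AND Destination LIKE '$($Prefix).%[$($digits)]' AND Destination <> '$($Prefix).255'"
}

function Get-LocalLastOctetParity {
    param([string]$Prefix)
    # Independent computation in PowerShell, used only to cross-check the WQL result.
    $addr = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -like "$($Prefix).*" } |
        Select-Object -First 1 -ExpandProperty IPAddress
    if (-not $addr) { return $null }
    $last = [int]($addr.Split('.')[3])
    if ($last % 2 -eq 1) { 'Odd' } else { 'Even' }
}

function Test-WmiFilterLocally {
    param([string]$Prefix)
    $expected = Get-LocalLastOctetParity -Prefix $Prefix
    foreach ($parity in 'Odd', 'Even') {
        $wql = New-LastOctetWql -Prefix $Prefix -Parity $parity
        # A GPO WMI filter applies when the query returns at least one instance.
        $applies = @(Get-CimInstance -Query $wql -ErrorAction Stop).Count -gt 0
        [pscustomobject]@{
            Filter   = $parity
            Query    = $wql
            Applies  = $applies
            Expected = ($expected -eq $parity)
            Agree    = ($applies -eq ($expected -eq $parity))
        }
    }
}

Test-WmiFilterLocally -Prefix '10.0.0' | Format-List
```

Exactly one of the two rows should show `Applies = True`, and `Agree` should be true for both; paste the printed `Query` strings into the two WMI filters in the Group Policy Management Console. Note that this does not solve the problem Dave raises for the DCs: .10 and .11 land in different halves by parity, but any pair of DCs with two consecutive even or odd addresses would still reboot together.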
McKnife (asker certified solution; content not available on this page):
Dave (asker):
@McKnife. Thank you again for your prompt replies and I appreciate it.

I can use an IP address filter, but that's for an IP Address Range.
So I can set the range to be half of the Server Subnet, and the second policy to the other half, so half the servers reboot at one time, and the other half all reboot at another different time. So that's almost there.

But like a lot of people, our AD Servers have consecutive IP addresses, so they will be in the same half.
So we are back to the AD servers rebooting at the same time, so the GPP solution won't work for the Domain Controllers.
I would have to use the initial solution of security filtering of computer names for the DC OU

That will work.
But, boy is that messy.

It's going from one GPO describing WSUS settings for all servers, including DCs, to 4 GPOs:
2 with manual security filtering of Computer names
2 with GPP and Item level targeting IP address ranges.


If only randomisation would work on the single WSUS GPO that would be so much cleaner.
McKnife:
I cannot try and test randomizations before Monday - but I will.
I have no test server to try with at the moment, but let me make sure: is "install during automatic maintenance" in the "configure automatic updates" GPO even checked?
Dave (asker):
Yep.
Install during automatic maintenance Enabled
McKnife:
Let's see if I can use my testlab at home tonight.
Dave (asker):
Hi @McKnife
Did you have any luck with the randomisation?
McKnife:
Tried, but it took more than just turning it on. Not experienced with scheduled maintenance - abandoned the testing for now, sorry. Will return to it for sure, but I cannot say how soon.
Dave (asker):
@McKnife. No worries, thanks for your help so far
McKnife:
I returned to that problem on Sunday, but found that it will only start maintenance if the download has already occurred and that hadn't happened. So again, I need to take a moment of time for tests.
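McKnife's finding, that maintenance only installs what the Windows Update client has already downloaded, is easy to check directly on a server instead of waiting for the next window. The following is an added example, not part of his post: it uses the Windows Update Agent COM API (Microsoft.Update.Session) to list the updates approved for this machine and whether each one is staged locally, and optionally starts the download so the next maintenance run has something to install. It searches whatever service the policy points at, i.e. the WSUS server when UseWUServer is set, and must run elevated on the server being examined.

```powershell
# Added example (not from the thread): show which approved updates are already
# downloaded (the precondition for Automatic Maintenance to install them) and,
# on request, download the rest now. Run elevated on the server in question.

function Get-PendingUpdateState {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    # Not installed, not hidden: what the client would try to install at the next run.
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Title        = $u.Title
            KB           = (@($u.KBArticleIDs) -join ',')
            Downloaded   = $u.IsDownloaded
            # RebootBehavior: 0 = never reboots, 1 = always requires, 2 = can request
            RebootNeeded = ($u.InstallationBehavior.RebootBehavior -ne 0)
            SizeMB       = [math]::Round($u.MaxDownloadSize / 1MB, 1)
        }
    }
}

function Start-PendingUpdateDownload {
    # Downloads every approved update that is not yet staged; returns the result code
    # of the download job (2 = Succeeded in the WUA OperationResultCode enumeration).
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    $toDownload = New-Object -ComObject 'Microsoft.Update.UpdateColl'
    foreach ($u in $result.Updates) {
        if (-not $u.IsDownloaded) { [void]$toDownload.Add($u) }
    }
    if ($toDownload.Count -eq 0) { return $null }
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $toDownload
    return $downloader.Download().ResultCode
}

$pending = @(Get-PendingUpdateState)
$pending | Format-Table -AutoSize
$notStaged = @($pending | Where-Object { -not $_.Downloaded })
if ($notStaged.Count -gt 0) {
    Write-Warning ("{0} approved update(s) not yet downloaded; a maintenance window " +
                   "before the download completes will install nothing" -f $notStaged.Count)
    # Uncomment to stage them immediately:
    # Start-PendingUpdateDownload
}
```

With "Auto download and schedule the install" the client downloads on its own detection cycle (every 6 hours in Dave's GPO), so a window that opens shortly after approval can legitimately find nothing staged; this check tells the two cases apart.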
Dave (asker):
Thanks @McKnife
McKnife:
Sorry for not coming back - Simply didn't find time to sit down within all the daily stuff. I cannot see when this will improve, so maybe it's best to close this question for now.
Dave (asker):

In the end, I couldn't get randomisation working the way I hoped.
I did get partial solutions that were not what I was looking for.
However, thanks to McKnife for his assistance anyway.