Tip

Handling patch emergencies

By James Michael Stewart, Contributor

Managing an Active Directory environment means systems administrators must successfully juggle the horde of patches from Microsoft. Even if I avoid discussions of non-OS patches and client-OS patches, there is still too much to say about patch management for Windows 2000 Server and Windows Server 2003 systems. The issue of patch management is even more precarious and essential for domain controllers (DC).

In this tip, I've provided a handful of suggestions to follow when managing patches for your AD domain controllers.

  1. Always deploy the same patches on all DCs. DCs should be kept as close to mirror images of each other as possible, at least in terms of the OS configuration. This will help eliminate incompatibilities, lost or corrupted data and replication errors.

  2. Don't patch just because Microsoft offers a patch. Every patch needs to be tested in your environment for relevance and reliability. If you don't need it, don't install it. Patches can damage your environment if the install fails to perform perfectly. You don't want to place your DCs at risk if you can avoid it.

  3. Test, test, test. You need a lab environment that mimics your production environment as closely as possible. Every patch should be thoroughly tested before deployment on production systems. Make it a rule: If you don't test, don't deploy.

  4. Avoid patch emergency response. Establish a time once a week or once a month when you evaluate new patches and queue them for deployment. You could schedule them to coincide with Microsoft's "Patch Tuesday" -- the second Tuesday of every month when new patches are to be rolled out. Even with critical patches, you need to stick to a schedule. Always download, verify, test, test, test, and then deploy. Never skip or skimp on your patch procedures, processes or protocols.

  5. Seriously consider using the newly updated Windows Update Services (WUS). It enables you to master your own privately controlled Windows Update site within your own private network. Many of the weaknesses of Software Update Services (SUS) -- the original product -- have been resolved.

  6. Document, document, document. Every patch deployed should be researched, so you fully understand it. Then retain that documentation for future reference. Don't assume you'll be able to access it again or even be able to find it again, especially if it is an Internet source. Make your own local copy. Keep records of every patch ever deployed to any system.

  7. Never assume a patch rollout was successful -- always test and verify. Every patch deployed onto a DC should be verified immediately. Member servers can be fully checked weekly or bi-monthly; and clients can be checked using a random sample.

  8. Keep in mind that your domains are only as reliable and available as you make them. Take advantage of the improvements offered by Microsoft, but don't be ruled by them. Make informed decisions based on your environment and infrastructure. Don't just follow the leader, since the leader is not always in the know about everything!


James Michael Stewart has co-authored numerous books on Microsoft, security certification and administration and is a regular speaker at NetWorld+Interop. Stewart holds the following certifications: MCSE, MCT, CTT+, CISSP, TICSA, CIW SA, CCNA, MCSE NT & W2K and iNet+. He can be reached at michael@impactonline.com.

This was first published in August 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.