One of the biggest challenges that system administrators face in large networks is managing which patches are installed on which machines, how and when. Every large network has many types of machines and many types of users. For instance, a network may be logically divided into server computers and client computers, or divided by management level, such as top management and middle management, or again by job function, such as developers, accounts and marketing. Each such division may require different patching logic for reasons like availability, the amount of testing needed and criticality.
Windows Server Update Services (WSUS), which we covered last month, offers this functionality and can be used to customize the deployment of patches to each such set. WSUS supports two deployment scenarios. The first uses the network's Active Directory setup, if one already exists. The other uses computer groups created manually on the WSUS server itself.
We'll look at how to use each of these on the network, individually or in combination.
We assume that WSUS is already set up as outlined in last month's article. We will first use the Active Directory Services method to deploy patches to a particular group.
On your Windows ADS server, open the Active Directory Users and Computers console. Under the Computers branch, create a new Organizational Unit (OU) called 'Servers' and add all the computers in your ADS domain that are servers into this OU. This will make it easy to deploy patches to them using WSUS later on.
Right-click on this OU and select 'Create and Link a GPO Here'. Enter a name like 'WSUS Policy' and click on Edit. This opens the Group Policy Management Console (GPMC); browse to Computer Configuration > Administrative Templates. Right-click on this node and select 'Add/Remove Templates...', then select the WUAU.ADM file from the list. Now navigate to Windows Components > Windows Update under the same branch. You can set the various Windows Update client settings from here. The important ones are detailed below.
Configure Automatic Updates: Enable this to ensure that the updates are automatically downloaded to clients.
Specify Intranet Microsoft Update Server Location: Enter the HTTP URL for the place where WSUS is installed. The format is: http://
Enable Client-side Targeting: This lets WSUS use the computer group name or OU name to decide which updates to deploy to the machine.
Since this particular policy is linked to the 'Servers' OU, it will deploy to all the different servers in the network automatically.
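As an added example that is not part of the original article, this PowerShell script (the function name Get-WsusClientPolicy is chosen here) reads the registry values that the three policy settings above write on a client and reports the effective update server, installation mode and target group, flagging common misconfigurations. It assumes a domain-joined Windows client that has already applied the GPO.

```powershell
# Added example, not from the article: audit the Windows Update client policy that
# the 'WSUS Policy' GPO writes to the registry (documented WSUS policy value names).
function Get-WsusClientPolicy {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey     = "$policyKey\AU"
    # Read one policy value; $null means the GPO did not set it on this client.
    function Read-Value([string]$Key, [string]$Name) {
        try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }
    $wuServer     = Read-Value $policyKey 'WUServer'           # 'Specify Intranet Microsoft Update Server Location'
    $statusServer = Read-Value $policyKey 'WUStatusServer'     # reporting URL, normally the same as WUServer
    $targetOn     = Read-Value $policyKey 'TargetGroupEnabled' # 'Enable Client-side Targeting' (1 = on)
    $targetGroup  = Read-Value $policyKey 'TargetGroup'        # WSUS computer group this client reports into
    $useWUServer  = Read-Value $auKey 'UseWUServer'            # 1 = use WUServer instead of Microsoft Update
    $noAutoUpdate = Read-Value $auKey 'NoAutoUpdate'           # 1 = 'Configure Automatic Updates' disabled
    $auOptions    = Read-Value $auKey 'AUOptions'              # 2-5 = install behaviour chosen in the GPO
    $mode = switch ($auOptions) {
        2 { 'Notify before download' }
        3 { 'Auto download, notify before install' }
        4 { 'Auto download and schedule install' }
        5 { 'Local admin chooses' }
        default { 'Not set by policy' }
    }
    # Findings an administrator should resolve before trusting this client's patch state.
    $findings = @()
    if (-not $wuServer) { $findings += 'No intranet update server set; client falls back to Microsoft Update.' }
    elseif ($wuServer -notmatch '^https://') { $findings += "Update server '$wuServer' uses plain HTTP; prefer HTTPS so update metadata cannot be altered in transit." }
    if ($wuServer -and $useWUServer -ne 1) { $findings += 'UseWUServer is not 1, so the WUServer setting is ignored.' }
    if ($statusServer -and $statusServer -ne $wuServer) { $findings += 'WUStatusServer differs from WUServer; status reports go to a different server.' }
    if ($noAutoUpdate -eq 1) { $findings += 'Automatic Updates is disabled by policy.' }
    if ($targetOn -eq 1 -and -not $targetGroup) { $findings += 'Client-side targeting is on but no target group is named.' }
    if (-not $findings) { $findings = @('None') }
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        UpdateServer   = $wuServer
        AutoUpdateMode = $mode
        TargetingOn    = ($targetOn -eq 1)
        TargetGroup    = $targetGroup
        Findings       = $findings
    }
}

Get-WsusClientPolicy | Format-List
```

Run it after 'gpupdate /force' on a member of the 'Servers' OU; a client that has not yet picked up the policy shows every value as unset.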
There are a number of other settings that can be used to configure the update client, but we will not look at these here.
Instead, we'll look at how you can create and manage computer groups in WSUS manually.
To set up manual assignment, go to the WSUS console, Options > Computer Options. Select the 'Use the Move computers task in Windows Server Update Services' option to assign computers to groups from within WSUS. The other option, 'Use Group Policy or registry settings on client computers', is used when the computers are managed through Group Policy as in the earlier example. Once this is done, under the same option you will also be able to create, view and manage computer groups. For instance, you can add a new group called 'Managers' here. Then, on the Computers list page, move all the computers that belong to managers into the group you created. You can set different schedules and approval rules for each computer group you create, whether it was created manually or through ADS.
If client computers have been configured and have connected to the WSUS server at least once, they will be listed under the All Computers group. (Note that this is a built-in group and cannot be deleted.) If the computer you want is not listed here, you will need to configure the Windows Update client on that machine to use this WSUS server; last month's article carried detailed instructions on how to do this. After the computer connects and its name shows up in the computers list, you can manage it. For instance, you can now move the computer into the group you created above. When a computer is moved into a particular group, it inherits the update policies set for that group.
Policies for a group are set by managing the group from the console. You can define the type of updates to install on computers in that group: for instance, Critical and Security Updates only, or all updates including optional ones such as Media Player. You can also define the schedule on which updates are checked for and when they are installed on the machines. Finally, you can control options such as whether updates are automatically approved for these computers and whether they are installed automatically or the user is prompted to install them.
Using WSUS, you can easily control the deployment of updates to your organization's computers. It works well both for small to medium organizations, which can use the built-in computer group management of WSUS, and for large enterprises, which can use the Active Directory Service already on the network. Either way, patch management is now just an install away for any administrator.
Vinod Unny, Enterprise Infotech