I do something very similar but I have it down to 4 sets of server MW
collections and I use AD groups to define the collections. The server admins
are responsible for putting each server in a group. If they fail to do so then
the server is patched using a “default” patching rule that basically patches
and reboots it. ☺
________________________________
John Marcum
MCITP, MCTS, MCSA
Desktop Architect
Bradley Arant Boult Cummings LLP
________________________________
From: [email protected] [mailto:[email protected]] On
Behalf Of Mote, Todd
Sent: Wednesday, January 6, 2016 8:45 AM
To: [email protected]
Subject: RE: [mssms] Patching servers with SCCM
We’ve been patching about 400 servers for a number of years that range from
domain controllers to Exchange, SQL, and everything in between. The TL;DR is
“Maintenance Windows are your friend.”
We have about 100 collections that are nothing more than maintenance window
collections that servers get put in. I don’t admin all of them, so the local
admin lets us know what window they want and the server goes into that
collection. Nothing is deployed to these collections; they only apply MWs.
We have separate collections where things get advertised to, like Software
Updates. Each deployment has its own settings about whether to ignore or
respect maintenance windows. Every deployment is always set to be available as
soon as possible and deadline as soon as possible if it’s set to respect
maintenance windows. Then, at the MW time, it patches and reboots.
Our Exchange 2010 environment is about 30 servers. CASs start patching on
Thursday mornings and the mailboxes patch on Sunday mornings; the rest are
scattered around between them, and their windows don’t overlap. Domain
controllers patch one a night over a week. If servers have clusters or some
failover requirement, we work with the server admin to set up automated
processes to occur 10 minutes before the window begins to move resources from
node to node to facilitate patching. We do this for failover clusters and FSMO
roles on DCs.
If you have services that are resilient, and Microsoft doesn’t break anything
with bad patches, patching servers is pretty easy, not much different than
clients, to be honest. In fact, if you give clients maintenance windows too it
works out great, everybody knows when their computers will reboot, but that’s
another discussion.
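The layout described in the two replies above (collections that carry only a maintenance window, with membership driven by AD groups that the server admins maintain) can be scripted as in the following added example, which is not code from either poster. It assumes the ConfigurationManager PowerShell module is loaded and the session is on the site drive; the `CONTOSO` domain, group names, collection names, days and the 3-hour duration are all hypothetical.

```powershell
# Added example. Assumes: Import-Module ConfigurationManager has been run and
# the current location is the site drive (for example "ABC:").
# Every name, day and time below is a constructed placeholder.
$windows = @(
    @{ Name = 'MW - Thu 04:00'; Group = 'CONTOSO\MW-Thu-0400'; Day = 'Thursday'; Start = '04:00' },
    @{ Name = 'MW - Sun 02:00'; Group = 'CONTOSO\MW-Sun-0200'; Day = 'Sunday';   Start = '02:00' }
)

foreach ($w in $windows) {
    # 1. A collection whose only job is to carry the maintenance window.
    #    Software update deployments target separate collections.
    if (-not (Get-CMDeviceCollection -Name $w.Name)) {
        New-CMDeviceCollection -Name $w.Name -LimitingCollectionName 'All Systems' | Out-Null
    }

    # 2. Membership follows the AD security group the server admin chose.
    #    WQL string literals need the backslash doubled.
    $group = $w.Group.Replace('\', '\\')
    $wql   = 'select SMS_R_System.ResourceId from SMS_R_System ' +
             "where SMS_R_System.SystemGroupName = '$group'"
    if (-not (Get-CMDeviceCollectionQueryMembershipRule -CollectionName $w.Name -RuleName $w.Group)) {
        Add-CMDeviceCollectionQueryMembershipRule -CollectionName $w.Name `
            -RuleName $w.Group -QueryExpression $wql
    }

    # 3. Weekly recurring window, limited to software updates.
    if (-not (Get-CMMaintenanceWindow -CollectionName $w.Name -MaintenanceWindowName $w.Name)) {
        $schedule = New-CMSchedule -DayOfWeek $w.Day -Start (Get-Date $w.Start) `
            -DurationCount 3 -DurationInterval Hours -RecurCount 1
        New-CMMaintenanceWindow -CollectionName $w.Name -Name $w.Name `
            -Schedule $schedule -ApplyTo SoftwareUpdatesOnly | Out-Null
    }
}
```

Group membership only reaches the collection after AD group discovery and a collection evaluation have run, so a newly grouped server is not covered by its window immediately.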
From: [email protected] [mailto:[email protected]] On Behalf Of Duncan McAlynn
Sent: Wednesday, January 6, 2016 3:46 AM
To: [email protected]
Subject: RE: [mssms] Patching servers with SCCM
I have just a little experience in this… ;-)
Honestly, I would strongly recommend taking a look at Infront’s OPAS solution
that can make this almost a no-brainer. It really does help remove all the pain
points you’ve talked about addressing. You can learn more at:
http://www.infrontconsulting.com/opas
Duncan McAlynn, Sr. Solutions Specialist, Americas
HEAT Software
From: [email protected] [mailto:[email protected]] On Behalf Of Russ
Sent: Tuesday, January 05, 2016 5:00 PM
To: mssms
Subject: [mssms] Patching servers with SCCM
We've been patching our servers with WSUS up until this point, but we'd like to
move over to SCCM. I wanted to get an idea on how people are handling their 2
and 3 tier applications? Currently we have a number of different windows to
patch the SQL servers, then app tier, then web tier or whatever. But what I am
hoping is to make things a bit more well defined (and to start building
collections for various applications and that sort of thing.)
Do you suppress reboots on servers, and then send out a script for rebooting?
Do you make maintenance schedules which would cause reboots in certain order?
Do you patch or reboot manually? What sorts of methodologies do you deploy?
It would be nice to put a process and methodology in place so that it's not
reinventing the wheel for every individual group of servers.
We don't currently have SCCM in place for servers, so that's all new as well.
So we sort of have a unique opportunity to start fresh.
Would appreciate any feedback or ideas you can give me.
Thanks, Russ