none
Installing Windows Updates on Domain Controller

    Question

  • Hi All,

    We have one domain controller 2008 and Exchange server 2010 connected with DC. everything is working fine so still do i need to download and install latest Windows updates on both servers OR can i leave my servers as it is without updates, is it recommended? if it is not recommended then what are recommendations, do i need to install updates manually or Automatically on servers?

    Thanks

    Ali

    Saturday, June 25, 2011 12:30 PM

Answers

  • You should most definately develop a procedure for installing updates on your servers are well as workstations.  Updates for mitigating critical vulnerabilities are very important.  Aside from that, you'll also have to keep up with the latest service packs and hotfixes to ensure your systems remain stable.

    for production systems, it is recommended that you apply pathes on test first, then apply to production.  If you apply patches without testing, you run the risk of impacting services provided by the system.  While the chance is low, you'll never know what negative impact you may encounter when applying patches.  The same really goes for any change to the system.  Applying proper change management is important.

    With regard to 64 bit OS installed on a 32 bit system.  No, you cannot install Windows 64 bit on a computer that has a 32 bit processor.


    Visit: anITKB.com, an IT Knowledge Base.
    Saturday, June 25, 2011 3:10 PM

All replies

  • Hi Ali

    Standard recomendations / Best practices are to have 2 DC's so if 1 is down the other will be able to continue servicing the login requests.

    And yes it is definitly recomended to have the latest Windows Patches installed or you may have a huge security risk, just running windows update will find all of the ones you need.

    Saturday, June 25, 2011 1:44 PM
  • Thanks a lot,

    i will download and install them. i have a question that our Domain controller 2008 64bit edition is installed on 64bit CPU, can i install additional domain controller 2008 64 bit Windows on 32bit CPU? is it possible and will it work fine if first DC down. everything will work fine like our client PCs, Apps and exchange 2010?

    Thanks,

    Ali

     

    Saturday, June 25, 2011 2:01 PM
  • You should most definately develop a procedure for installing updates on your servers are well as workstations.  Updates for mitigating critical vulnerabilities are very important.  Aside from that, you'll also have to keep up with the latest service packs and hotfixes to ensure your systems remain stable.

    for production systems, it is recommended that you apply pathes on test first, then apply to production.  If you apply patches without testing, you run the risk of impacting services provided by the system.  While the chance is low, you'll never know what negative impact you may encounter when applying patches.  The same really goes for any change to the system.  Applying proper change management is important.

    With regard to 64 bit OS installed on a 32 bit system.  No, you cannot install Windows 64 bit on a computer that has a 32 bit processor.


    Visit: anITKB.com, an IT Knowledge Base.
    Saturday, June 25, 2011 3:10 PM
  • It is always recommended by Microsoft to install latest updates. You schedule these updates like you want.

    Now, some advice about your AD / Exchange environment:

    • It is recommended to have at least two DC / DNS /GC servers per domain
    • It is recommended to run Exchange on a member server 

     


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified IT Professional: Enterprise Administrator

     

    Saturday, June 25, 2011 3:22 PM
  • The basic rules are:

    "The risk of implementing the service pack, hotfix and security patch should ALWAYS be LESS than the risk of not implementing it."

    And,

    "You should never be worse off by implementing a service pack, hotfix and security patch. If you are unsure, then take steps to ensure that there is no doubt when moving them to production systems."

     

    For more information check this article.

     

    Thanks

    Saturday, June 25, 2011 7:27 PM
  • Thanks All,

    How can i know which update is suitable or not suitable to install for our servers becuase we are downloading from Microsoft website it is trusted site for us, it should be download and install those updates automatically which are suitable for our servers and without any problem. i dont have any test DC server can i first install updates on additional DC then on Primary DC?

    which types of updates need to install on vital servers : Critical updates, Security Updates, normal Updates or service pack?

    Thanks,

    Ali

    Sunday, June 26, 2011 6:48 AM
  • First of all you should know how these updates are classified based on that you can do it urself

     

    Critical Update

    Definition: A critical update is a broadly released fix for a specific problem that addresses a critical, non-security-related bug.

    Cumulative update (CU)

    Definition: A CU is a roll-up update that contains all previous critical on-demand hotfixes to date. Additionally, a CU contains fixes for issues that meet the hotfix acceptance criteria. These criteria may include the availability of a workaround, the effect on the customer, the reproducibility of the problem, the complexity of the code that must be changed, or other reasons.

     

    Service Pack

    Definition: A service pack is a tested, cumulative set of all hotfixes, security updates, critical updates, and updates. Service packs may also contain additional fixes for problems that are found internally since the release of the product and a limited number of customer-requested design changes or features.

     

    Security Update

    Definition: A security update is a widely released fix for a product-specific, security-related vulnerability. Security vulnerabilities are rated based on their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low.

    Update

    Definition: An update is a widely released fix for a specific problem. An update addresses a noncritical, non-security-related bug.

     

    for classification of updates please see here

     

    http://support.microsoft.com/?kbid=824684

     

     


    http://www.virmansec.com/blogs/skhairuddin
    Sunday, June 26, 2011 9:39 AM