Best practice when updating Windows security patches for Active Directory

    Question

  • Hello

    Can you help me with updating Windows for Active Directory?

      - Which patches should be applied to Windows?

      - Should I update to a new version of .NET?

      - Should I choose the option to update all patches when running Windows Update?

    My current Active Directory:

      - Windows Server 2012 R2

      - All functional levels are 2008 R2

    What about the order when updating Windows?

    I plan the update order as below; could anyone please check it for me?

    As we have 4 root servers and 5 child servers, we will:

      - Update one root server first (one that does not hold FSMO), then wait for user access and check the logs for two days; if there are no errors in the logs, continue updating another root domain server.

      - When updating the server that holds FSMO, transfer all roles to another server that has already updated Windows and monitor for one day; if all is OK, then proceed to update this server.

      - After that, update all child servers following the same steps as the root domain.

    Thanks


    Friday, February 24, 2017 1:08 AM

Answers

  • Hello

    Can you help me with updating Windows for Active Directory?

    AFAIK Microsoft has changed its update mechanism and it is no longer possible to have selective updates. You either have to update all or not. This is what I know based on our patch management team.

    However, the scope to which updates are applied is another story. Normally we apply updates and approve them for our servers two days ahead of our real production environment. We do have a pilot environment, and we apply the updates on our DCs and servers, and if everything went well after two days, we apply them to the real environment. So we can say our production environment will receive the updates with a 2-day delay.


    Mahdi Tehrani | www.mahditehrani.ir
    Please click on Propose As Answer or to mark this post as and helpful for other people.
    This posting is provided AS-IS with no warranties, and confers no rights.

    Friday, February 24, 2017 3:39 AM
    Moderator
  • No need to transfer FSMO roles to another domain controller. I would first update the domain controllers of a child domain which has the least impact on your environment. If you are running a single domain, you can select the domain controller with the least impact in your forest, e.g. a remote-site DC with a low number of users.

    Then follow the procedure for the rest of your domain controllers.


    Mahdi Tehrani | www.mahditehrani.ir

    Monday, February 27, 2017 1:46 PM
    Moderator
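
Added example, not part of any reply in this thread: the rollout described in the answers above, written as PowerShell. It orders domain controllers so that child-domain DCs come first and FSMO role holders are patched last within each domain (no role transfer), and it holds the next DC when replication shows failures after the soak period. The function names, host names, inventory and CSV sample are constructed for illustration; on a live forest the inventory would come from Get-ADDomainController and the CSV from repadmin /showrepl * /csv.

```powershell
# Added example, not code from the thread; both function names are hypothetical.
# Constructed inventory. On a live forest the same properties come from:
#   (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
$inventory = @(
    [pscustomobject]@{ HostName = 'rdc1.corp.example'; Domain = 'corp.example'
                       OperationMasterRoles = @('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator') }
    [pscustomobject]@{ HostName = 'rdc2.corp.example'; Domain = 'corp.example'
                       OperationMasterRoles = @() }
    [pscustomobject]@{ HostName = 'cdc1.child.corp.example'; Domain = 'child.corp.example'
                       OperationMasterRoles = @('PDCEmulator', 'RIDMaster') }
    [pscustomobject]@{ HostName = 'cdc2.child.corp.example'; Domain = 'child.corp.example'
                       OperationMasterRoles = @() }
)

function Get-DcPatchOrder {
    param([Parameter(Mandatory)] [object[]] $DomainControllers,
          [Parameter(Mandatory)] [string]   $RootDomain)
    # $false sorts before $true: child domains first, then DCs without FSMO roles.
    $sorted = $DomainControllers | Sort-Object -Property @(
        @{ Expression = { $_.Domain -eq $RootDomain } }
        @{ Expression = { @($_.OperationMasterRoles).Count -gt 0 } }
        'HostName')
    $order = 0
    foreach ($dc in $sorted) {
        $order++
        [pscustomobject]@{ Order = $order; HostName = $dc.HostName; Domain = $dc.Domain
                           FsmoRoles = @($dc.OperationMasterRoles) -join ',' }
    }
}

function Get-ReplicationFailure {
    param([Parameter(Mandatory)] [string[]] $ShowReplCsv)
    # Any replication link with a non-zero failure count blocks the next DC.
    $ShowReplCsv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures'
}

# Constructed sample of `repadmin /showrepl * /csv` output, trimmed to the columns used.
$sample = @(
    'Destination DSA,Naming Context,Source DSA,Number of Failures'
    'CDC2,"DC=child,DC=corp,DC=example",CDC1,0'
    'CDC1,"DC=child,DC=corp,DC=example",CDC2,3'
)

Get-DcPatchOrder -DomainControllers $inventory -RootDomain 'corp.example' | Format-Table
$blocked = @(Get-ReplicationFailure -ShowReplCsv $sample)
if ($blocked.Count) { 'HOLD: replication failures, do not patch the next DC'; $blocked | Format-Table }
```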

All replies

  • Best to apply the monthly rollups as they are offered via Windows Update.

    https://support.microsoft.com/en-us/help/22801/windows-7-sp1-and-windows-server-2008-r2-sp1-update-history

    https://support.microsoft.com/en-us/help/24717/windows-8-1-and-windows-server-2012-r2-update-history

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Friday, February 24, 2017 1:56 AM
  • Hello

    Thanks for your support

    What about the order when updating Windows?

    I plan the update order as below; could anyone please check it for me?

    As we have 4 root servers and 5 child servers, we will:

      - Update one root server first (one that does not hold FSMO), then wait for user access and check the logs for two days; if there are no errors in the logs, continue updating another root domain server.

      - When updating the server that holds FSMO, transfer all roles to another server that has already updated Windows and monitor for one day; if all is OK, then proceed to update this server.

      - After that, update all child servers following the same steps as the root domain.

    Thanks

    Monday, February 27, 2017 2:37 AM
  • Hi,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, March 7, 2017 6:38 AM
    Moderator
  • Hello

        Thanks for all your support

    Wednesday, March 8, 2017 12:55 PM
  • Hi,

    Glad to hear that the information is helpful to you. Please remember to mark the replies as answers and it should be helpful to other forum members.

    Best Regards,

    Alvin Wang



    Thursday, March 9, 2017 1:42 AM
    Moderator