locked
2 Server 2012R2 machines rebooted in the middle of a workday for udpates! RRS feed

  • Question

  • In the past two weeks I've witnessed two Server 2012 R2 machines reboot in the middle of the day to install Windows updates.  This caused a downtime event for the services these servers were running.  As a business we cannot have servers rebooting in the middle of the day for updates.  They belong to a Computer OU that has a Windows update policy configured to get updates from our WSUS server and install them at 3 AM on Sunday mornings and reboot if necessary.  The issue is one rebooted on a Wednesday and one on a Saturday both around 10 am.

    I've since moved the one very critical server into a different Computer OU that has a policy to just download but not install updates.  We will have to manually do that server in a maintenance window like a bunch of other servers in that OU.  But I did not move the second VM to that OU yet because I want to figure out what is going on here.

    The date and time is correct, and they are authenticating to the domain with kerberos, so its within 5 minutes.  Also the event viewer shows that its getting proper NTP from our domain controllers running the NTP service.

    I haven't yet seen this happen on a Server 2008 / 2008 R2 vm yet.  

    What is going on here, the GPO's worked flawlessly for a number of years.  Machines in the one OU updated and rebooted every Sunday, machines in the other OU were a manual process by a Sys Admin, usually off hours.

    Saturday, February 25, 2017 4:58 PM

All replies

  • In the past two weeks I've witnessed two Server 2012 R2 machines reboot in the middle of the day to install Windows updates.  This caused a downtime event for the services these servers were running.  As a business we cannot have servers rebooting in the middle of the day for updates.  They belong to a Computer OU that has a Windows update policy configured to get updates from our WSUS server and install them at 3 AM on Sunday mornings and reboot if necessary.  The issue is one rebooted on a Wednesday and one on a Saturday both around 10 am.

    I've since moved the one very critical server into a different Computer OU that has a policy to just download but not install updates.  We will have to manually do that server in a maintenance window like a bunch of other servers in that OU.  But I did not move the second VM to that OU yet because I want to figure out what is going on here.

    The date and time is correct, and they are authenticating to the domain with kerberos, so its within 5 minutes.  Also the event viewer shows that its getting proper NTP from our domain controllers running the NTP service.

    I haven't yet seen this happen on a Server 2008 / 2008 R2 vm yet.  

    What is going on here, the GPO's worked flawlessly for a number of years.  Machines in the one OU updated and rebooted every Sunday, machines in the other OU were a manual process by a Sys Admin, usually off hours.

    Saturday, February 25, 2017 3:46 PM
  • Since WSUS is involved I'd ask over here.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverwsus

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Saturday, February 25, 2017 3:57 PM
  • Hi, KJSTech.

    Got some tips, I would look for:

    System Log - maybe some one else "clicked" Update button.

    "GPO modelling wizard" for both servers.

    "gpresult /h" -  to compare with "GPO modelling wizard". 

    Saturday, February 25, 2017 7:43 PM
  • Ok GPMC Group Policy modeling on the server that did it Saturday shows the correct GPO applied that handles windows updates.  We call it Auto Update Policy which has the following setup which is under Windows Components/Windows Update

    Configure Automatic Updates: 4 - Auto download and schedule the install, 1 - Every Sunday, 03:00

    Automatic updates detection frequency: 16 hours

    Allow signe dupdates from an intranet Microsoft update service location: enabled

    Enable client-side targeting: Auto Update Servers

    specify intranet Microsoft update service location: both values defined to our wsus server

    gpresult /h on the server shows its attaching the same group policy.

    System log shows the following: 

    Log Name:      System
    Source:        User32
    Date:          2/25/2017 9:53:06 AM
    Event ID:      1074
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          SYSTEM
    Description:
    The process C:\Windows\system32\svchost.exe (servername) has initiated the restart of computer servername on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Recovery (Planned)
     Reason Code: 0x80020002
     Shutdown Type: restart

    The other server, the SQL server also shows the same symptom. 

    Since then I defined this in the GPO:

    Always automatically restart at the scheduled time: Restart timer 15 minutes

    So in theory the updates install every Sunday at 03:00, once done it should automatically restart in 15 minutes... not a half a week or 6 days later.

    And on Saturday I was the only person in the IT department on staff that would have access to the server that rebooted then.  Last time noone was on the SQL server, and we use ObserveIT which records everything anyone does on a particular server for playback, DVR style.

    Monday, February 27, 2017 3:50 PM