AutoDiscover

WSUS – Auto Patching Servers

Posted by robd on June 02, 2016
WSUS / 1 Comment

So recently we took the plunge to auto patch and reboot all our servers based on the following schedules:

Schedule_1 WSUS Auto Approve – 7 days Deadline – When new updates are downloaded by WSUS they are held for 7 days then rolled out to the servers. The server will then auto install and reboot (if necessary) the Monday after the 7 day deadline expires at 03:00. Please note all previous updates that are needed will be installed on any Monday at 03:00.

Schedule_2 WSUS Auto Approve – 12 days Deadline – When new updates are downloaded by WSUS they are held for 21 days then rolled out to the servers. The server will then auto install and reboot (if necessary) the Tuesday after the 21 day deadline expires at 02:00. Please note all previous updates that are needed will be installed on any Tuesday at 02:00.

Schedule_3 WSUS Auto Approve – 31 days Deadline – When new updates are downloaded by WSUS they are held for 31 days then rolled out to the servers. The server will then auto install and reboot (if necessary) the Wednesday after the 31 day deadline expires at 03:00. Please note all previous updates that are needed will be installed on any Wednesday at 03:00.

 

So in other words, patch schedule 1 first and see if the servers break, then 5 days later install the patches on the servers in schedule 2, and then 24 days later do the rest. I.e. test, test and finish.

So here’s how we did it:

  • On WSUS, set up some Computer Groups, i.e. Schedule 1, Schedule 2 and Schedule 3:


  • Put your servers in these groups (or if you auto place servers in groups via GPO then I cover that later).
  • Create some Auto Approval Rules under Options in WSUS manager:
    • The following example only applies Critical and Security updates to Computer Folder Schedule 1 and the deadline to install (i.e. install after) is 7 days at 03:00.
    • IMPORTANT – Once you’ve created the rules click RUN RULE or the rule won’t run against the existing updates.
  • Finally, set up the Group Policies for the servers (example for schedule 1). I applied a security group to the GPO so only the servers in schedule 1 received these updates:
    • Administrative Templates/Windows Components/Windows Update
      Allow Automatic Updates immediate installation: Enabled
      Always automatically restart at the scheduled time: Enabled
        The restart timer will give users this much time to save their work (minutes): 15
      Configure Automatic Updates: Enabled
        Configure automatic updating: 4 – Auto download and schedule the install
        The following settings are only required and applicable if 4 is selected.
        Install during automatic maintenance: Disabled
        Scheduled install day: 3 – Every Monday
        Scheduled install time: 03:00
      Enable client-side targeting: Enabled
        Target group name for this computer: Schedule_1 (Note – if you use GPOs to place servers in computer groups in WSUS then this is the setting)
      No auto-restart with logged on users for scheduled automatic updates installations: Disabled
      Specify intranet Microsoft update service location: Enabled
        Set the intranet update service for detecting updates: http://WSUS01:8530
        Set the intranet statistics server: http://WSUS01:8530

That should be it!!!!
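To confirm that a server has actually picked up the Schedule_1 policy (run `gpupdate /force` first), the applied values can be read back from the registry. This script is an added example, not part of the original post; it assumes the standard Windows Update policy registry keys and the Schedule_1 settings above (Monday 03:00 install, 15 minute restart timer, WSUS01 on port 8530).

```powershell
# Added example: audit the Windows Update policy values a server actually received.
# Registry paths are the standard Windows Update policy keys; the expected values
# mirror the Schedule_1 settings in this post. Adjust them for the other schedules.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

# ScheduledInstallDay registry encoding: 0 = every day, 1 = Sunday ... 7 = Saturday.
$installDay = [int][DayOfWeek]::Monday + 1

$expected = @(
    @{ Key = $wu; Name = 'WUServer';                               Value = 'http://WSUS01:8530' }
    @{ Key = $wu; Name = 'WUStatusServer';                         Value = 'http://WSUS01:8530' }
    @{ Key = $wu; Name = 'TargetGroupEnabled';                     Value = 1 }
    @{ Key = $wu; Name = 'TargetGroup';                            Value = 'Schedule_1' }
    @{ Key = $au; Name = 'UseWUServer';                            Value = 1 }
    @{ Key = $au; Name = 'NoAutoUpdate';                           Value = 0 }
    @{ Key = $au; Name = 'AUOptions';                              Value = 4 }
    @{ Key = $au; Name = 'ScheduledInstallDay';                    Value = $installDay }
    @{ Key = $au; Name = 'ScheduledInstallTime';                   Value = 3 }
    @{ Key = $au; Name = 'AutoInstallMinorUpdates';                Value = 1 }
    @{ Key = $au; Name = 'AlwaysAutoRebootAtScheduledTime';        Value = 1 }
    @{ Key = $au; Name = 'AlwaysAutoRebootAtScheduledTimeMinutes'; Value = 15 }
    @{ Key = $au; Name = 'NoAutoRebootWithLoggedOnUsers';          Value = 0 }
)

# Compare each expected value with what is present under the policy keys.
$results = foreach ($e in $expected) {
    $actual = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    [pscustomobject]@{
        Setting  = $e.Name
        Expected = $e.Value
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Match    = ($null -ne $actual) -and ("$actual" -eq "$($e.Value)")
    }
}
$results | Format-Table -AutoSize

# Flag an update source that is reached over plain HTTP.
$server = (Get-ItemProperty -Path $wu -Name WUServer -ErrorAction SilentlyContinue).WUServer
if ($server -and ([uri]$server).Scheme -ne 'https') {
    Write-Warning "WUServer '$server' uses plain HTTP; Microsoft recommends SSL for WSUS (default HTTPS port 8531)."
}

# Non-zero exit code lets a scheduled task or monitoring job pick up policy drift.
if ($results.Match -contains $false) { exit 1 }
```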


Outlook with Windows 7 prompts for username and password

Posted by robd on May 23, 2012
AutoDiscover, exchange 2010, Office 2010 / No Comments
We’re in the very slow process of consolidating domains at work. We’re going from three domains across three sites to one gigantic domain…. Fun fun fun.

As we used to use some awful hosted Exchange 2003 platform we decided the first thing to be moved was Exchange…. So as all the users were on a separate domain we created a lavish Exchange 2010 platform and used linked mailboxes for everyone and migrated the mail!! Think I posted on how we did this earlier… basically created the linked mailboxes via PowerShell and a CSV file, then ExMerged the mail out of Exchange 2003 and used a PowerShell import command to pull the mail in (although you could use the new PST Capture tool now to import, which provides a pretty GUI).

So here we are, linked mailboxes as far as the eye can see, full of crappy mail!

Next we set up Auto Discover on all our domains to point to Exchange and Bob’s your uncle.

So, everyone is working away… and suddenly people start complaining they keep getting prompted for their username and password credentials in Outlook 2010 running on Windows 7!

Ok I think, you’d expect it once or twice due to going cross domain but not 20 or 30 times!!

The fix: after trying everything, we discovered it was down to AutoDiscover and it not being routed internally!

Added it (it being AutoDiscover.Domain.com) to the proxy exclusion list in IE and wham! No more prompts!

 
