Patches with SMS 2.0 or 2003 for servers during user defined maintenance slots

Abstract

Allows defining a machine-specific maintenance slot in which patches and other software are installed. This slot lies within an administrator-set time frame in which a given patch or software installation has to take place. Inside this time frame, the server's owner (the person who is the main user of a machine) is free to select a suitable slot in which the operations are performed. This allows for a flexible and user-friendly integration of administrator-driven installations. The project is based on Microsoft Systems Management Server.

Motivation

Distribution of patches is critical to system stability and security. For administrators of a substantial number of servers, an automatic and convenient way to do so is required. Another requirement of the environment I was working in was that a role called "Server Owner" be defined. All servers would be set up and maintained by the central IT organisation, but the users of those machines (DBAs, WebAdmins, LOBAdmins, etc.) were to be given a say in when their servers would be taken down for maintenance. The central organisation defined SLAs regarding patching (a patch had to be installed within two weeks of its release), and Server Owners were free to choose any point within this time frame to conduct maintenance.

Components
Prerequisites
Process overview

MBSA files sync
Synchronization of the MBSA source files (containing all available patches for all supported platforms and applications) is done via an advertisement that runs against the SMS central site server itself. To be able to download these files, a user logged on at the console is necessary, because "Internet Options" are queried for proxy settings and the like.

MBSA scan on all clients
A recurring advertisement runs on all Windows SMS clients and stores the MBSA scan results in local WMI. These values are brought into the SMS database via hardware inventory.

Downloading patches
Download patches into an existing package to maintain the structure. If there is no package for a given language / product, create a new one where the others are located and observe the naming convention. To be able to transfer only those patches to child sites that are really needed, we split by platform / product and language, e.g. "W2k3 Patches English".

Advertising patches via script
A script is attached which can be used to create a new set of advertisements targeting the 22 maintenance slot collections.

Monitoring success
Web Reporting, Admin Console, etc.

How to use the script
Run the script with cscript and
What does a Server Owner have to do?
The first thing to do is to select a server boot slot. If new patches are applicable to the server, it will automatically install them and reboot itself (if necessary) at this time. One may start this process any time sooner, if convenient. Aside from that: nothing! There are 14 days and 22 possible time slots to select from. If you want a server to be patched and rebooted on the morning of the second Monday, you select slot number "20". To make the actual change, you modify your server's registry at:
How does the patch process work
The patch process is based on a two-week rhythm. Microsoft releases new patches on Tuesday, so this process begins on a Tuesday, too. Within 14 days all servers are patched. In case of emergency this time limit needs to be shortened.

Modifications to the system
You can use the script to distribute programs other than security patches without deleting the current patches. To do so, change the comment inserted into each advertisement, which is used to identify the advertisements created via the script. If you plan to include a program that should run alongside a new round of patches, be aware that the patch program reboots the machine after a countdown of 5 minutes. If your program has not finished within that time, your advertisement will fail. In such a case it might be better to use the "run another program first" property of the patch program.
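As an added example (not the attached script and not part of the original post), the following audit check verifies what "Advertising patches via script" and "Modifications to the system" rely on: every one of the 22 slot collections has exactly one script-created advertisement for the current patch package, identified by the comment tag. The collection names ("Slot 01" .. "Slot 22"), the comment tag, the package ID and the advertisement records are constructed assumptions; in practice the records would be read from the SMS provider (the SMS_Advertisement WMI class).

```python
"""Audit patch-advertisement coverage across the 22 maintenance-slot collections.
Sample data is constructed; real records would be queried from the SMS provider
(SMS_Advertisement via WMI), which is an assumption of this example."""
from collections import defaultdict

SLOT_COUNT = 22                      # one collection per maintenance slot (from the post)
SCRIPT_TAG = "created by patchadv"   # hypothetical comment the script writes into each ad


def slot_collections(prefix="Slot"):
    """Collection names the script is expected to target: 'Slot 01' .. 'Slot 22' (assumed naming)."""
    return [f"{prefix} {n:02d}" for n in range(1, SLOT_COUNT + 1)]


def audit_advertisements(ads, package_id, tag=SCRIPT_TAG):
    """Report slots lacking an ad for package_id, slots with more than one,
    and ads that target slot collections but do not carry the script's comment tag."""
    expected = set(slot_collections())
    per_slot = defaultdict(list)
    foreign = []
    for ad in ads:
        if ad["collection"] not in expected:
            continue                         # not a maintenance-slot collection
        if ad["comment"] != tag:
            foreign.append(ad["name"])       # manually created, not managed by the script
            continue
        if ad["package_id"] == package_id:
            per_slot[ad["collection"]].append(ad["name"])
    missing = sorted(expected - per_slot.keys())
    duplicates = sorted(c for c, names in per_slot.items() if len(names) > 1)
    return {"missing": missing, "duplicates": duplicates, "foreign": foreign}


# Constructed sample: package PKG00001 ("W2k3 Patches English") advertised to all
# slots except 07, slot 03 advertised twice, and one hand-made ad on slot 12.
SAMPLE_ADS = [
    {"name": f"W2k3 EN -> Slot {n:02d}", "collection": f"Slot {n:02d}",
     "package_id": "PKG00001", "comment": SCRIPT_TAG}
    for n in range(1, SLOT_COUNT + 1) if n != 7
] + [
    {"name": "W2k3 EN -> Slot 03 (old)", "collection": "Slot 03",
     "package_id": "PKG00001", "comment": SCRIPT_TAG},
    {"name": "Manual test ad", "collection": "Slot 12",
     "package_id": "PKG00001", "comment": "manual"},
]

if __name__ == "__main__":
    print(audit_advertisements(SAMPLE_ADS, "PKG00001"))
```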
By mirko at 11.06.2006 - 14:35 | Systems Management Server