advise: howto config WSUS on production servers

I thought I had it figured out, but at 9am this morning, both servers in by
Lotus cluster restarted! wonderful failover setup- reboot both boxes at the
same time? I thought everything would be OK b/c yesterday, I manually
(/detectnow) on the passive server, restarted, then WSUS'd the active server,
when it shutdown, the failover worked and then I had a second round of
patches on that serverand I left the office after the 2nd restart.

question: how do I completely disable autorestart but still get to use
WSUS?

I know a "patch isn't complete until restart" but who needs an outsider
causing a DOS attack when you can rely on MS to do it for you? 3am
unattended restarts of critical servers are also undesireable. I'd rather be
here on a Sunday afternoon to monitor a restart, then to come in to crisis on
a weekday AM (or get a page at 3am any day!)

thanks
--
system engineer

Hi Craig -

In the future, the proper NG for this type of post would be the
microsoft.public.windows.server.update_services group...

But, since you asked...!

I would set your servers up with option '3' under the 'configure automatic
updates' gpo setting. This way, you would need to perform a manual
installation on your servers, rather than relying upon the WSUS server to
install the updates for you.

Usually the practice of installing and rebooting later is not recommended
because of the 'not quite patched' state until restart, and the mere fact
that lots of admins just like to be there when anything gets installed.
Also, if at all possible, they will restart their servers prior to
installing the updates, just so they can eliminate the possibility that the
update caused any 'at-boot' issues. Obviously, the more servers you have,
the harder this becomes...but you get the idea.

Also, see this (beginner's Admin FAQ for WSUS):
http://uphold2001.brinkster.net/vbshf/wsus/wsus_faq.htm

Hope this helps,
Rob


"craig" <craig@discussions.microsoft.com> wrote in message
news:146FF652-FD52-45F8-977B-02D6F3259ED4@microsoft.com...
>I thought I had it figured out, but at 9am this morning, both servers in by
> Lotus cluster restarted! wonderful failover setup- reboot both boxes at
> the
> same time? I thought everything would be OK b/c yesterday, I manually
> (/detectnow) on the passive server, restarted, then WSUS'd the active
> server,
> when it shutdown, the failover worked and then I had a second round of
> patches on that serverand I left the office after the 2nd restart.
>
> question: how do I completely disable autorestart but still get to use
> WSUS?
>
> I know a "patch isn't complete until restart" but who needs an outsider
> causing a DOS attack when you can rely on MS to do it for you? 3am
> unattended restarts of critical servers are also undesireable. I'd rather
> be
> here on a Sunday afternoon to monitor a restart, then to come in to crisis
> on
> a weekday AM (or get a page at 3am any day!)
>
> thanks
> --
> system engineer

Max,
I didn't realize I was in the wrong group- a seach for "no restart" took me
out of the right group, then I just posted.... oops.

thanks for the tip- I will try that for Dec. I thought that by doing my
own detectnow and the subsequent restart, I was in the clear. Thanks for the
tip on a pre reboot. it is windows and one can never get enough reboots.

always feel like I am neglecting my Netware servers. looks like it has been
144 days since I replaced the UPS and had to down the NW5.1 server for a
couple of minutes. about 256 days prior to that...
--
system engineer


"maximillianx" wrote:

> Hi Craig -
>
> In the future, the proper NG for this type of post would be the
> microsoft.public.windows.server.update_services group...
>
> But, since you asked...!
>
> I would set your servers up with option '3' under the 'configure automatic
> updates' gpo setting. This way, you would need to perform a manual
> installation on your servers, rather than relying upon the WSUS server to
> install the updates for you.
>
> Usually the practice of installing and rebooting later is not recommended
> because of the 'not quite patched' state until restart, and the mere fact
> that lots of admins just like to be there when anything gets installed.
> Also, if at all possible, they will restart their servers prior to
> installing the updates, just so they can eliminate the possibility that the
> update caused any 'at-boot' issues. Obviously, the more servers you have,
> the harder this becomes...but you get the idea.
>
> Also, see this (beginner's Admin FAQ for WSUS):
> http://uphold2001.brinkster.net/vbshf/wsus/wsus_faq.htm
>
> Hope this helps,
> Rob
>
>
> "craig" <craig@discussions.microsoft.com> wrote in message
> news:146FF652-FD52-45F8-977B-02D6F3259ED4@microsoft.com...
> >I thought I had it figured out, but at 9am this morning, both servers in by
> > Lotus cluster restarted! wonderful failover setup- reboot both boxes at
> > the
> > same time? I thought everything would be OK b/c yesterday, I manually
> > (/detectnow) on the passive server, restarted, then WSUS'd the active
> > server,
> > when it shutdown, the failover worked and then I had a second round of
> > patches on that serverand I left the office after the 2nd restart.
> >
> > question: how do I completely disable autorestart but still get to use
> > WSUS?
> >
> > I know a "patch isn't complete until restart" but who needs an outsider
> > causing a DOS attack when you can rely on MS to do it for you? 3am
> > unattended restarts of critical servers are also undesireable. I'd rather
> > be
> > here on a Sunday afternoon to monitor a restart, then to come in to crisis
> > on
> > a weekday AM (or get a page at 3am any day!)
> >
> > thanks
> > --
> > system engineer
>
>
>