Service packs (SPs) and updates for both the operating system and applications are vital to maintaining availability, reliability, performance, and security. Microsoft delivers these updates either packaged into SPs or individually. An administrator can update a system with the latest SP or update in several ways: Automatic Windows Updates, CD-ROM, manually entered commands, or Microsoft Windows Server Update Services (WSUS).
Note
Thoroughly test and
evaluate SPs and updates in a lab environment before installing them on
production servers and client machines. Also, install the appropriate
SPs and updates on each production server and client machine to keep all
systems consistent.
Manual Update or CD-ROM Update
Manual updating is typically
done when applying service packs, rather than hotfixes. Service packs
tend to be significantly larger than updates or hotfixes, so many
administrators will download the service pack once and then apply it
manually to their servers, or the service pack can be obtained on
CD-ROM.
When a Service Pack CD-ROM
is inserted into the drive of the server, it will typically launch an
interface to install the service pack.
In the case of downloaded service packs or of CD-ROM-based service packs, the service pack can also be applied manually via a command line. This allows greater control over the install (see Table 1), such as preventing a reboot or skipping the backup of system files to conserve space.
Table 1. Update.exe Command-Line Parameters
Update.exe Parameter | Description |
---|---|
-f | Forces applications to close at shutdown. |
-n | Prevents the system files from being backed up. This keeps SPs from being uninstalled. |
-o | Overwrites OEM files. |
-q | Indicates Quiet mode; no user interaction is required. |
-s | Integrates the SP in a Windows Server 2008 R2 share. |
-u | Installs SP in Unattended mode. |
-z | Keeps the system from rebooting after installation. |
Automatic Updates
Windows Server 2008 R2 can be configured to download and install updates automatically using Automatic Windows Updates. With this option enabled, Windows Server 2008 R2 checks for updates, downloads them, and applies them automatically on a schedule. Alternatively, the administrator can have the updates downloaded but not installed, which gives more control over when they are installed. Windows Update can also download and install recommended updates, which is new for Windows Server 2008 R2.
When the Windows Server 2008 R2 operating system is installed, Windows Update is not configured and, as shown in Figure 1, the Server Manager Security Information section shows Windows Update as Not Configured. This can be an insecure configuration, as security updates will not be applied.
Windows Updates can be configured using the following steps:
1. Launch Server Manager.
2. Click on the Configure Updates link in the Security Information section.
3. Click on the Have Windows Install Updates Automatically option to have the updates downloaded and installed.
4. The Windows Updates status will change to Install Updates Automatically Using Windows Updates.
The configuration of Windows Update can be reviewed by clicking on the Configure Updates link again. The Windows Update console appears (shown in Figure 2). The figure shows that updates will be installed automatically at 3:00 a.m. every day. The console also shows when updates were last checked for. In the console, the administrator can also do the following:
- Manually check for updates.
- Change the Windows Updates settings.
- View the update history.
- See installed updates.
- Get updates for more products.
The link to get updates
for more products allows the administrator to check for updates not just
for the Windows Server 2008 R2 platform, but also for other products,
such as Microsoft Exchange and Microsoft SQL. Clicking the link launches
a web page to authorize the server to check for the broader range of
updates.
Clicking the Change Settings link allows the Windows Update settings to be changed. The Change Settings window, shown in Figure 3, enables the administrator to adjust the time of installs, to choose whether updates are installed or just downloaded, and to choose whether recommended updates are installed.
The
Windows Updates functionality is a great tool for keeping servers
updated with very little administrative overhead, albeit with some loss
of control.
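The settings reviewed in the console above can also be audited from a script, which is useful for finding servers still in the insecure Not Configured state. This is an added example, not from the original text; it reads the Windows Update Agent COM object Microsoft.Update.AutoUpdate on a Windows Server 2008 R2 system, and the function name Get-AutoUpdateAudit is hypothetical.

```powershell
# Added example: audit the local Automatic Updates configuration through the
# Windows Update Agent COM API. Get-AutoUpdateAudit is a hypothetical name.
function Get-AutoUpdateAudit {
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    $s  = $au.Settings

    # NotificationLevel values defined by the Windows Update Agent API
    $levels = @{
        0 = 'Not configured'
        1 = 'Disabled'
        2 = 'Notify before download'
        3 = 'Download, notify before install'
        4 = 'Install automatically on schedule'
    }
    # ScheduledInstallationDay: 0 = every day, 1..7 = Sunday..Saturday
    $days = 'Every day','Sunday','Monday','Tuesday','Wednesday',
            'Thursday','Friday','Saturday'

    $level = [int]$s.NotificationLevel
    $finding = switch ($level) {
        0 { 'FAIL: Windows Update is not configured; security updates are not applied' }
        1 { 'FAIL: automatic updating is disabled' }
        2 { 'WARN: nothing is downloaded or installed until an administrator acts' }
        3 { 'WARN: updates are downloaded but wait for an administrator to install them' }
        4 { 'OK: updates are downloaded and installed on the schedule shown' }
        default { "UNKNOWN: unexpected notification level $level" }
    }

    # Results holds the timestamps the console shows (reported in UTC)
    New-Object PSObject -Property @{
        ComputerName       = $env:COMPUTERNAME
        Mode               = $levels[$level]
        InstallDay         = $days[[int]$s.ScheduledInstallationDay]
        InstallTime        = '{0:00}:00' -f [int]$s.ScheduledInstallationTime
        RecommendedUpdates = $s.IncludeRecommendedUpdates
        LastCheckUtc       = $au.Results.LastSearchSuccessDate
        LastInstallUtc     = $au.Results.LastInstallationSuccessDate
        Finding            = $finding
    }
}

# Print the audit for this server in a fixed column order
Get-AutoUpdateAudit |
    Select-Object ComputerName, Mode, InstallDay, InstallTime,
                  RecommendedUpdates, LastCheckUtc, LastInstallUtc, Finding |
    Format-List
```

A server configured as in Figure 2 reports the mode "Install automatically on schedule" with InstallDay "Every day" and InstallTime 03:00; InstallDay and InstallTime are meaningful only in that mode.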
Windows Server Update Services
Realizing the increased administration and management efforts administrators face when using Windows Update to keep up with SPs and updates for anything other than small environments, Microsoft has created the Windows Server Update Services (WSUS) client and server versions to minimize administration, management, and maintenance for mid- to large-sized organizations. WSUS 3.0 SP1 communicates directly and securely with Microsoft to gather the latest SPs and updates.
Microsoft Windows Server Update Services provides a number of features to support organizations, such as the following:
- Support for a broad range of products such as Windows operating system family, Exchange messaging, SQL Server, Office, System Center family, and Windows Defender.
- Automatic download of updates.
- Administrative control over which updates are approved, removed, or declined; the remove option permits updates to be rolled back.
- Email notification of updates and deployment status reports.
- Targeting of updates to specific groups of computers for testing and for control of the update process.
- Scalability to multiple WSUS servers controlled from a single console.
- Reporting on all aspects of the WSUS operations and status.
- Integration with Automatic Windows Updates.
The SPs and updates
downloaded onto WSUS can then be distributed to either a lab server for
testing (recommended) or to a production server for distribution. After
these updates are tested, WSUS can automatically update systems inside
the network.
The following steps install the Windows Server Update Services role:
1. Open the Server Manager console.
2. Select the Roles folder and click Add Roles.
3. In the Add Roles Wizard, select Windows Server Update Services and follow the instructions onscreen. The wizard will install WSUS 3.0 SP1 and any required components, including Web Server (IIS), if needed.
Unlike other server roles,
the binaries for WSUS 3.0 SP1 are downloaded from Microsoft. This
ensures that any time WSUS is installed, you will always be installing
the most current version.