Windows Client OS Life Cycle

End of Support of Windows Client Operating Systems

8

End of Sales of Windows Client Operating Systems

1

Reference: Windows lifecycle fact sheet

How to deploy VDI using Microsoft RDS in Windows Server 2012 R2

Remote Desktop Services is a server role consists of several role services. Remote Desktop Services (RDS) accelerates and securely extends desktop and applications to any device and anyplace for remote and roaming worker. Remote Desktop Services provide both a virtual desktop infrastructure (VDI) and session-based desktops.

In Windows Server 2012 R2, the following roles are available in Remote Desktop Services: 

Role service name Role service description
RD Virtualization Host RD Virtualization Host integrates with Hyper-V to deploy pooled or personal virtual desktop collections
RD Session Host RD Session Host enables a server to host RemoteApp programs or session-based desktops.
RD Connection Broker RD Connection Broker provides the following services

  • Allows users to reconnect to their existing virtual desktops, RemoteApp programs, and session-based desktops.
  • Enables you to evenly distribute the load among RD Session Host servers in a session collection or pooled virtual desktops in a pooled virtual desktop collection.
  • Provides access to virtual desktops in a virtual desktop collection.
RD Web Access RD Web Access enables you the following services

  • RemoteApp and session-based desktops Desktop Connection through the Start menu or through a web browser.
  • RemoteApp programs and virtual desktops in a virtual desktop collection.
RD Licensing RD Licensing manages the licenses for RD Session Host and VDI.
RD Gateway RD Gateway enables you to authorized users to connect to VDI, RemoteApp

For a RDS lab, you will need following servers.

  • RDSVHSRV01- Remote Desktop Virtualization Host server. Hyper-v Server.
  • RDSWEBSRV01- Remote Desktop Web Access server
  • RDSCBSRV01- Remote Desktop Connection Broker server.
  • RDSSHSRV01- Remote Desktop Session Host Server
  • FileSRV01- File Server to Store User Profile

This test lab consist of 192.168.1.1/24 subnets for internal network and a DHCP Client i.e. Client1 machine using Windows 8 operating system. A test domain called testdomain.com. You need a Shared folder hosted in File Server or SAN to Hyper-v Cluster as Virtualization Host server. All RD Virtualization Host computer accounts must have granted Read/Write permission to the shared folder. I assume you have a functional domain controller, DNS, DHCP and a Hyper-v cluster. Now you can follow the steps below.

Step1: Create a Server Group

1. Open Server Manager from Task bar. Click Dashboard, Click View, Click Show Welcome Tile, Click Create a Server Group, Type the name of the Group is RDS Servers

2. Click Active Directory , In the Name (CN): box, type RDS, then click Find Now.

3. Select RDSWEBSRV01, RDSSHSRV01, RDSCDSRV01, RDSVHSRV01 and then click the right arrow.

4. Click OK.

Step2: Deploy the VDI standard deployment

1. Log on to the Windows server by using the testdomain\Administrator account.

2. Open Server Manager from Taskbar, Click Manage, click Add roles and features.

3. On the Before You Begin page of the Add Roles and Features Wizard, click Next.

4. On the Select Installation Type page, click Remote Desktop Services scenario-based Installation, and then click Next.

clip_image002

5. On the Select deployment type page, click Standard deployment, and then click Next. A standard deployment allows you to deploy RDS on multiple servers splitting the roles and features among them. A quick start allows you to deploy RDS on to single servers and publish apps.

clip_image004

6. On the Select deployment scenario page, click Virtual Desktop Infrastructure, and then click Next.

clip_image006

7. On the role services page, review roles then click Next.

clip_image008

8. On the Specify RD Connection Broker server page, click RDSCBSRV01.Testdomain.com, click the right arrow, and then click Next.

clip_image010

9. On the Specify RD Web Access server page, click RDSWEBSRV01.Testdomain.com, click the right arrow, and then click Next.

clip_image012

10. On the Specify RD Virtualization Host server page, click RDSVHSRV01.Testdomain.com, click the right arrow, and then click Next. RDSVHSRV01 is a physical machine configured with Hyper-v. Check Create a New Virtual Switch on the selected server.

clip_image014

11. On the Confirm selections page, Check the Restart the destination server automatically if required check box, and then click Deploy.

clip_image016

12. After the installation is complete, click Close.

clip_image018

 

 

Step3: Test the VDI standard deployment connectivity

You can ensure that VDI standard deployment deployed successfully by using Server Manager to check the Remote Desktop Services deployment overview.

1. Log on to the DC1 server by using the testdomain\Administrator account.

2. click Server Manager, Click Remote Desktop Services, and then click Overview.

3. In the DEPLOYMENT OVERVIEW section, ensure that the RD Web Access, RD Connection Broker, and RD Virtualization Host role services are installed. If there is an icon and not a green plus sign (+) next to the role service name, the role service is installed and part of the deployment

clip_image020

 

Step4: Configure FileSRV1

You must create a network share on a computer in the testdomain domain to store the user profile disks. Use the following procedures to connect to the virtual desktop collection:

  • Create the user profile disk network share
  • Adjust permissions on the network share

Create the user profile disk network share

1. Log on to the FileSRV1 computer by using the TESTDOMAIN\Administrator user account.

2. Open Windows Explorer.

3. Click Computer, and then double-click Local Disk (C:).

4. Click Home, click New Folder, type RDSUserProfile and then press ENTER.

5. Right-click the RDSUSERPROFILE folder, and then click Properties.

6. Click Sharing, and then click Advanced Sharing.

7. Select the Share this folder check box.

8. Click Permissions, and then grant Full Control permissions to the Everyone group.

9. Click OK twice, and then click Close.

Setup permissions on the network share

1. Right-click the RDSUSERPROFILE folder, and then click Properties.

2. Click Security, and then click Edit.

3. Click Add.

4. Click Object Types, select the Computers check box, and then click OK.

5. In the Enter the object names to select box, type RDSVHSRV01.Testdomain.com, and then click OK.

6. Click RDSVHSRV01, and then select the Allow check box next to Modify.

7. Click OK two times.

Step5: Configure RDSVHSRV01

You must add the virtual desktop template to Hyper-V so you can assign it to the pooled virtual desktop collection.

Create Virtual Desktop Template in RDSVHSRV01

1. Log on to the RDSVHSRV01 computer as a Testdomain\Administrator user account.

2. Click Start, and then click Hyper-V Manager.

3. Right-click RDSVHSRV01, point to New, and then click Virtual Machine.

4. On the Before You Begin page, click Next.

5. On the Specify Name and Location page, in the Name box, type Virtual Desktop Template, and then click Next.

clip_image022

6. On the Assign Memory page, in the Startup memory box, type 1024, and then click Next.

clip_image024

7. On the Configure Networking page, in the Connection box, click RDS Virtual, and then click Next.

clip_image026

8. On the Connect Virtual Hard Disk page, click the Use an existing virtual hard disk option.

clip_image028

9. Click Browse, navigate to the virtual hard disk that should be used as the virtual desktop template, and then click Open. Click Next.

clip_image030

10. On the Summary page, click Finish.

Step6: Create the managed pooled virtual desktop collection in RDSVHSRV01

Create the managed pooled virtual desktop collection so that users can connect to desktops in the collection.

1. Log on to the RDSCBSRV01 server as a TESTDOMAIN\Administrator user account.

2. Server Manager will start automatically. If it does not automatically start, click Start, type servermanager.exe, and then click Server Manager.

3. In the left pane, click Remote Desktop Services, and then click Collections.

4. Click Tasks, and then click Create Virtual Desktop Collection.

clip_image031

5. On the Before you begin page, click Next.

6. On the Name the collection page, in the Name box, type Testdomain Managed Pool, and then click Next.

clip_image033

7. On the Specify the collection type page, click the Pooled virtual desktop collection option, ensure that the Automatically create and manage virtual desktops check box is selected, and then click Next.

clip_image035

8. On the Specify the virtual desktop template page, click Virtual Desktop Template, and then click Next.

clip_image037

9. On the Specify the virtual desktop settings page, click Provide unattended settings, and then click Next. In this step of the wizard, you can also choose to provide an answer file. A Simple Answer File can be obtained from URL1 and URL2

10. On the Specify the unattended settings page, enter the following information and retain the default settings for the options that are not specified, and then click Next.

§ In the Local Administrator account password and Confirm password boxes, type the same strong password.

§ In the Time zone box, click the time zone that is appropriate for your location.

11. On the Specify users and collection size page, accept the default selections, and then click Next.

12. On the Specify virtual desktop allocation page, accept the default selections, and then click Next.

13. On the Specify virtual desktop storage page, accept the default selections, and then click Next.

14. On the Specify user profile disks page, in the Location user profile disks box, type \\FileSRV01\RDSUserProfile, and then click Next. Make sure that the RD Virtualization Host computer accounts have read and write access to this location.

15. On the Confirm selections page, click Create.

Step8: Test Remote Desktop Services connectivity

You can ensure the managed pooled virtual desktop collection was created successfully by connecting to the RD Web Access server and then connecting to the virtual desktop in the Testdomain Managed Pool collection.

1. Open Internet Explorer.

2. In the Internet Explorer address bar, type https://RDSWEBSRV01.Testdomain.com/RDWeb, and then press ENTER.

3. Click Continue to this website (not recommended).

clip_image039

4. In the Domain\user name box, type TESTDOMAIN\Administrator.

5. In the Password box, type the password for the TESTDOMAIN\Administrator user account, and then click Sign in.

6. Click Testdomain Managed Pool, and then click Connect.

Relevant Configuration

Remote Desktop Services with ADFS SSO

Remote Desktop Services with Windows Authentication

RDS With Windows Authentication

VMware vSphere 6.0 VS Microsoft Hyper-v Server 2012 R2

Since the emergence of vSphere 6.0, I would like to write an article on vSphere 6.0 vs Windows Server 2012 R2. I collected vSphere 6.0 features from few blogs and VMware community forum. Note that vSphere 6.0 is in beta program which means VMware can amend anything before final release. New functionalities of vSphere 6.0 beta are already available in Windows Server 2012 R2. So let’s have a quick look on both virtualization products.

Features vSphere 6.0 Hyper-v Server 2012 R2
Certificates

 

Certificate Authority Active Directory Certificate Services
Certificate Store Certificate Store in Windows OS
Single Sign on VMware retained SSO 2.0 for vSphere 5.5 Active Directory Domain Services
Database vPostgres database for VC Appliance up to 8 vCenter Microsoft SQL Server

No Limitation

Management Tools Web Client & VI

VMware retained VI

SCVMM Console & Hyper-v Manager
Installer Combined single installer with all input upfront Combined single installer with all input upfront
vMotion Long distance Migration up to 100+ms RTTs Multisite Hyper-v Cluster and Live Migration
Storage Migration Storage vMotion with shared and unshared storage Hyper-v Live Storage Migration between local and shared storage
Combined Cloud Products Platform Services Controller (PSC) includes vCenter, vCOPs, vCloud Director, vCoud Automation Microsoft System Center combined App Controller, Configuration Manager, Data Protection Manager, Operations Manager, Orchestrator, Service Manager, Virtual Machine Manager
Service Registration View the services that are running in the system. Windows Services
Licensing Platform Services Controller (PSC) includes Licensing Volume Activation Role in Windows Server 2012 R2
Virtual Datacenters A Virtual Datacenter aggregates CPU, Memory, Storage and Network resources. Provision CPU, Memory, Storage and network using create Cloud wizard

Another key feature to be compared here that those who are planning to procure FC Tape library and maintain a virtual backup server note that vSphere doesn’t support FC Tape even with NPIV and Hyper-v support FC Tape using NPIV.

References:

http://www.wooditwork.com/2014/08/27/whats-new-vsphere-6-0-vcenter-esxi/

https://araihan.wordpress.com/2014/03/25/vmware-vs-hyper-v-can-microsoft-make-history-again/

https://araihan.wordpress.com/2013/01/24/microsofts-hyper-v-server-2012-and-system-center-2012-unleash-ko-punch-to-vmware/

https://araihan.wordpress.com/2015/08/20/hyper-v-server-2016-whats-new/

How to configure SMB 3.0 Multichannel in Windows Server 2012 Step by Step

SMB Multichannel

The SMB protocol follows the client-server model; the protocol level is negotiated by the client request and server response when establishing a new SMB connection. Windows Server 2012 introduces a feature called SMB 3.0 Multichannel. Multichannel provides link aggregation and fault tolerance.

SMB 3.0 introduces multipath I/O (MPIO) where multiple TCP connections can be established with given SMB session. Benefits include increase bandwidth, enable transparent network interface failover and load balancing per session.

SMB Encryption

Open following registry key

HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters

  • If value of EncryptData DWORD is set to 0 then communication between SMB client and server is encrypted
  • If value of RejectUnencryptedAccess DWORD is set to 1 then communication between SMB client and server is rejected.

SMB Multichannel Requirement:

  • At least two computers that run on Windows Server 2012 R2, Windows Server 2012, or Windows 8 operating systems. No additional features have to be installed—SMB Multichannel is enabled by default.
  • Multiple network adapters in all hosts
  • One or more network adapters that support Receive Side Scaling (RSS)
  • One of more network adapters that are configured by using NIC Teaming
  • One or more network adapters that support remote direct memory access (RDMA)
  • Both NICs must be in different subnets
  • Enable NICs for client access
  • Dedicated subnets SMB storage
  • Dedicated Storage VLAN depending on if/how you do converged fabrics
  • VNX File OE version 7.1.65 and later or SMB 3.0 compliant storage
  • Port Channel Group configured in Cisco switch

TCP/IP session without Multichannel Session

  • No Automatic failover or Automatic failover if NICs are teamed
  • No Automatic failover if RDMA capability is not used
  • Only one NIC engaged
  • Only one CPU engaged
  • Can not use combined NIC bandwidth

TCP/IP session without Multichannel Session

  • Automatic failover or faster automatic failover if NICs are teamed
  • Automatic failover if RDMA capability is used. Multiple RDMA connection
  • All NICs engaged
  • CPU work load shared across all CPU cores
  • Combine NIC bandwidth

Which one to use, RDMA or RSS?

If you are looking fault tolerance and throughput then obvious choice is NIC teaming with RSS.

Adding a SMB Share in VNX Storage

  1. Create a network. Go to Settings -> Network -> Settings for File, Setup your network information
  2. Go to Storage -> Storage Configuration -> File Systems to create storage. Setup your storage configuration
  3. Go to CIFS Servers tab and create your Server configuration.
  4. Go back to your CIFS Share configuration and assign your CIFS Server as allowed and allow SMB protocol.
  5. Connect your CIFS Share with \\CIFSServer\CIFSShare and your new administrator password.

Adding a port channel group in Switch

Configuration of Cisco Switch with 2 network ports (If you have Cisco)

Switch#conf t
Switch(config)#Int PORT (a.e. Gi3/1)
Switch(config)#switchport mode access
Switch(config)#spanning-tree portfast
Switch(config)#channel-group <40> mode active
Switch(config)#Int port (a.e. Gi3/1)
Switch(config)#switchport mode access
Switch(config)#spanning-tree portfast
Switch(config)#channel-group <40> mode active

Configuration of HP Procurve with 2 network ports (If you have HP)

PROCURVE#conf ter
PROCURVE# trunk PORT1-PORT2 (a.e. C1/C2) Trk<ID> (a.e. Trk99) LACP
PROCURVE# vlan <VLANID>
PROCURVE# untagged Trk<ID> (a.e. Trk99)
PROCURVE# show lacp
PROCURVE# show log lacp

Adding SMB 3.0 Share in Hyper-v

  1. From Server Manager, click Tools and then click Hyper-V Manager
  2. Click Hyper-v Settings, Click Virtual Hard Disk, Type UNC path of SMB 3.0. Click Virtual Machine, Type UNC path of SMB 3.0
  3. Click Ok.
  4. Open PowerShell Prompt, Enable Multichannel using the following cmdlets.
  5. Configure SMB Multichannel using Windows PowerShell

Get-SmbClientConfiguration | Select EnableMultichannel

Get-SmbServerConfiguration | Select EnableMultichannel

    6. Enable Multichannel

Set-SmbServerConfiguration -EnableMultiChannel $true

Set-SmbClientConfiguration -EnableMultiChannel $true

   7. Verify Multichannel

Get-SmbConnection

Get-SmbMultichannelConnection

Data Deduplication in Windows Storage Server 2012 R2

Deduplication in Windows Server: Data deduplication involves finding and removing duplication within data without compromising its fidelity or integrity. The goal is to store more data in less space by segmenting files into small variable-sized chunks (32–128 KB), identifying duplicate chunks, and maintaining a single copy of each chunk. Redundant copies of the chunk are replaced by a reference to the single copy. The chunks are compressed and then organized into special container files in the System Volume Information folder.

Enhanced Dedupe features in Windows Server 2012 R2

  • Data deduplication for remote storage of Virtual Desktop Infrastructure (VDI) workloads
  • Expand an optimized file on its original path.

When using the Data Deduplication feature for the first time or migrating from a previous version of Windows Server, be sure to consider the following related technologies and issues:

  • BranchCache
  • Failover Clusters
  • DFS Replication
  • FSRM quotas
  • Single Instance Storage or NAS Box

Install and Configure Data Deduplication using GUI

1. Open Server Manager, From the Add Roles and Features Wizard, under Server Roles, select File and Storage Services.

2. Select the File Services check box, and then select the Data Deduplication check box.

3. Click Next until the Install button is active, and then click Install.

4. From the Server Manager dashboard, right-click a data volume and choose Configure Data Deduplication. The Deduplication Settings page appears.

5. In the Data deduplication box, select the workload you want to host on the volume. Select General purpose file server for general data files or Virtual Desktop Infrastructure (VDI) server when configuring storage for running virtual machines.

6. Enter the number of days that should elapse from the date of file creation until files are deduplicated, enter the extensions of any file types that should not be deduplicated, and then click Add to browse to any folders with files that should not be deduplicated.

7. Click Apply to apply these settings and return to the Server Manager dashboard, or click the Set Deduplication Schedule button to continue to set up a schedule for deduplication.

Install and Configure Data Deduplication using Windows PowerShell

Start Windows PowerShell. Right-click the Windows PowerShell icon on the taskbar, and then click Run as Administrator.

Import-Module ServerManager | Add-WindowsFeature -name FS-Data-Deduplication

Import-Module Deduplication

Enable-DedupVolume E: -UsageType HyperV

Enable-DedupVolume E: -UsageType Default

Set-Dedupvolume E: -MinimumFileAgeDays 20

Get-DedupVolume | fl

Start-DedupJob E: –Type Optimization –Wait

References:

Windows Server 2012 R2 NAS Box with Deduplication Capacity

Introduction to Windows Deduplication

Windows PowerShell Cmdlet for Deduplication

Microsoft Virtual Machine Converter: Switching from vSphere to Hyper-v Made Easy

    Are you having difficulty funding a renewal license of expensive VMware vSphere? There is an alternative brand that adds greater value to the business reducing costs, and accelerating your journey to the cloud. Making the shift from VMware to Microsoft could be the wise decision you ever made after years of working as a CIO or IS Manager. By migrating from VMware to Microsoft, you gain a unified infrastructure licensing model and simplified vendor management, off course it gives you less pain in your wallet too.
    Whether you are looking to add value to your organisation, save cost, support grown or you are a fanatical environmentalist reducing carbon foot print, Hyper-V is the correct choice for you. A move to Microsoft’s virtualization and management platform can help you better meet your business needs. Simply buying Windows Server 2012 data center, you get the cloud computing benefits of unlimited virtualization and lower costs consistently and predictably over time.
    System Center 2012 enables physical, virtual, private cloud, and public cloud management using a single platform. It offers support for multi-hypervisor management, third-party integration and process management, and deep application diagnostics and insight. You can see what is happening inside the performance of your applications, remediate issues faster, and achieve increased agility for your organization.
    With the help of free tools like Microsoft Assessment and Planning Toolkit (MAP), and with the Microsoft Virtual Machine Converter (MVMC), you can quickly, easily and safely migrate over to Hyper-V.  For enterprise customers with large numbers of virtual machines to migrate, the Migration Automation Toolkit (MAT) provides the scalability to handle mass migrations in an automated fashion. System Center 2012 and Hyper-v Server 2012 support guest virtual machine of all major Linux and Unix distribution inclusive Microsoft OS off course.
    In a nutshell Microsoft Virtual Machine Converter:
  • Provides a quick, low-risk option for VMware customers to evaluate Hyper-V.
  • Converts VMware virtual machines to Hyper-V virtual machines.
  • Convert virtual hardware and keep same configuration of original virtual machine.
  • Supports a clean migration to Hyper-V with un-installation of VMware tools on the source virtual machine.
  • Provides GUI or scriptable CLI and Windows PowerShell, making it simple to perform virtual machine conversion.
  • Installs integration services for Windows 2003 guests that are converted to Hyper-V virtual machines.
  • Supports conversion of virtual machines from VMware vSphere 4.1 and 5.0 hosts.
  • Support migration of guest machine that is part of a failover cluster.
  • Supports offline conversions of VMware-based virtual hard disks (VMDK) to a Hyper-V-based virtual hard disk file format (.vhd file).
      • Relevant Articles
        Microsoft Virtual Machine Converter Solution Accelerator
        Migration Automation Toolkit (MAT)
        Cost Calculator
        Download Windows Server 2012
        Download System Center 2012
        Hyper-v vs vSphere
        Is VMware’s fate heading towards Novell?

        Windows Server Patching Best Practices

        This article provides actionable advice about how to manage patches to reduce downtime while still maintaining the security of software services through the proactive reduction of dependencies and the use of workaround solutions.

        Patching Requirements

        Windows Server patches, hotfixes and service pack is critical for compliance, service level agreement and security purposes. Keeping an operating systems and application up to date is the key to align your infrastructure with latest software. Patches and hotfixes also enable you to prevent any security breaches and malware infection.

        Windows Patch Classification

        The following are strongly recommended patches:

        1. Critical
        2. Security
        3. Definition Updates for malware
        4. Service packs

        Windows Product Classification

        It is highly recommended that you patch Windows Servers, Windows Clients, Office, Applications (Silverlight, .Net Framework, SQL, Exchange, SharePoint, FF TMG).

        Patching Groups

        Consultants should take time to test the patches in a non-production environment prior to being deployed to production. This will help to gauge the impact of such changes. Ideally you will have the following patching groups:

        1. UAT (UAT1, UAT2, etc)

        2. Test Environment (Test1, Test2, etc)

        3. Development Environment (Dev1, Dev2 etc)

        4. Production (Prod1, Prod2, etc)

        If you have clustered environment like SQL, Exchange and SharePoint then create Prod1, prod2 group and place each node on each group.

        Change Management

        System administrators should maintain a log, written or electronic, of all changes to the operating environment, to include hardware, system security software, operating system, and applications. Prior to any changes being implemented on a system, the system administrator should receive approval of stakeholders.

        Backup

        Why am I discussing backup with patching best practice? In case of emergency you can rollback completely and restore a server to its original state if necessary. It is very important that servers be backed up on a regular basis. Depending on the use of the server, it may be adequate to backup the server once per week. A backup of a more critical environment may be needed daily, and possibly continuously. The backup program provided with Windows is capable of backing up to virtually any writable media, which can include network drives provided by a server in another physical location. This program is also capable of scheduling backups which can ensure backups occur on a regular interval.

        Microsoft strongly recommends that you create the following backups before you install an update rollup, service pack and patch on Exchange and SQL:

        • A full backup of all databases on the server.
        • A full backup of transaction log and log backup
        • A system state backup of the server.
        • A snapshot of virtualized exchange server. Delete snapshot after successful patching and updating.

        Application Compatibility

        Read release notes of each hotfixes you are going to apply so that you are compliant with the application installed on the server. Consult with application vendor before applying service pack to any server if the server is hosting specific business application. Consult with application engineer about the importance of server patching. Inform and educate application engineer as much as possible to avoid conflict of interest.

        Documentation

        Documentation released with the updates is usually in the form of web pages, attached Word documents and README.TXT files. These should be printed off and attached to change control procedures as supporting documentation.

        Back out Plan

        A back-out plan will allow the system and enterprise to return to their original state, prior to the failed implementation. It is important that these procedures are clear, and that contingency management has tested them, because in the worst case a faulty implementation can make it necessary to activate contingency options. Historically, service packs have allowed for uninstalling, so verify there is enough free hard disk space to create the uninstall folder. Create a back out plan electronically and attach with change management software.

        User Notifications

        You need to notify helpdesk staff and support agencies of the pending changes so they may be ready for arising issues or outages.

        Consistency across Servers

        Always install the same service packs or hotfixes to each SQL server node, Exchange DAG member and Domain Controller.

        Routine Maintenance Window

        A scheduled maintenance window must be agreed with business so that application outage and server reboot can maintain a respectable Service Level Agreement (SLA). If you have a large infrastructure with thousands of servers and many regions working round the clock then you must consider application dependencies. A patching schedule can be considered in between every Friday of every month at 6:00 P.M. Friday to 6:00 A.M Monday. Setup maintenance window in system center or deadline for WSUS to make sure patches are applied when you want instead of when patch is available. In this way you will have a complete control over change windows approved by change advisory board (CAB). Do not allow end users to update patches on their client machine according to their wishes and happiness! then user will never install any patch.

        Patching Tools

        I strongly recommend that you spend few $$$ to buy Microsoft System Center 2012 to manage and deploy Windows patches, service pack and hotfixes. However you can use Windows Server Update Services (WSUS) as poor man’s patching solutions.

        Patching DMZ server can be accomplished using WSUS offline patching solutions available for free to download from http://download.wsusoffline.net/.

        Automate, Automate and Automate!

        Automated patch management using System Center could enable a single IT administrator to access a pre-populated patch policy. He then could execute the command and with the press of a single button, download the patches from Microsoft’s website, install them on a test machine and test for compatibility issues. Meanwhile, an automatic inventory check could search for systems with the affected software, wake them up, check their readiness and push the verified patches out to waiting machines. The patches would then be automatically installed on each system, and they’d reboot as necessary. The final step is an automated report on the status of the remediated devices.

        Standardize Patch Management Processes

        Standardized patch management processes could allow for daily assessment and remediation of client devices and weekly assessment and remediation for servers. Reports can then be generated to validate system status on a weekly or bi-weekly schedule. A systems monitoring task that used to take days now takes minutes, and patches are deployed more completely and consistently across the entire IT environment. A single IT administrator can proactively manage thousands of systems tasks in the same amount of time it took an entire team to do the tasks manually.

        Reboot Windows Computer

        Some application may require reboot of server before patching such as RSA Secure Console. However most of the server must be rebooted after patching. Do not suppress reboot after patching in any circumstances or you will have a messy environment and broken clusters.

        X86 and X64 Windows Systems

        The most prominent 32-bit application you’re likely to see on a 64-bit Windows system is Office. In this sort of situation System Center benefits most because you can adjust and make decision based on architecture and compliance as well. You can approve patches based on “Needed and Not Installed”. If a server or client need update it will install if not then it will not installed. It’s safe to do so.

        Antivirus and Antispyware

        Servers are vulnerable to many forms of attack. Implementation and standardization of security methods should be developed to allow early and rapid deployment on servers. It’s important that a Windows server be equipped with a latest centrally managed Antivirus program. Antivirus update must be scheduled with the same maintenance window to update antivirus with latest definition.

        Audit Practices

        Servers have a powerful auditing feature built in. Typically, server managers would want the auditing system to capture logins, attempted logins, logouts, administrative activities, and perhaps attempts to access or delete critical system files. Auditing should be limited to gathering just the information that is needed, as it does require CPU and disk time for auditing to gather information. Log Management software should be used, if possible, for ease of managing and analysing information. Report can be generated from Systems Center and WSUS as proof of patching cycle.

        Log Retention

        Servers keep multiple logs and, by default, may not be set to reuse log file entries. It is a good practice to expand the size of the allowed log file and to set it to reuse space as needed. This allows logging to continue uninterrupted. How far back your log entries go will depend on the size of the log file and how quickly you are accumulating log data. If your server environment is critical, you may wish to ensure that the log file size is sufficient to store about 30 days of logging information, and then rotate log files once per month.

        Installing Updates on a single Exchange Server

        Download Exchange Update from Microsoft Download Center. Record Current Exchange Version information

        Check for publisher’s certificate revocation

        1. Start Internet Explorer.

        2. On the Tools menu, click Internet Options.

        3. Click the Advanced tab, and then locate the Security section.

        4. Clear the Check for publisher’s certificate revocation check box, and then click OK.

        5. After the update rollup installation is complete, select the Check for publisher’s certificate revocation option.

        Pre-check before installing

        1. Determine which update rollup packages are installed on your Exchange server roles

        2. Determine whether any interim updates are installed

        3. Review interim updates

        4. Obtain the latest update rollup package

        5. Apply on a Test Exchange Server

        Install Exchange Update

        1. Ensure that you have downloaded the appropriate rollup to a local drive on your Exchange servers, or on a remote network share.

        2. Run the Windows Installer *.msp Setup file that you downloaded in step 1.

        Install Exchange Update on DAG Member

        To update all DAG members, perform the following procedures on each DAG member, one at a time. Set the member server in maintenance mode using this PowerShell Command.

        .StartDagServerMaintenance.ps1 <ServerName>

        Install the update rollup

        1. Close all Exchange management tools.

        2. Right-click the Exchange update rollup file (.msp file) you downloaded, and then select Apply.

        3. On the Welcome page, click Next.

        4. On the License Terms page, review the license terms, select I accept the License Terms, and then click Next.

        5. On the Completion page, click Finish.

        Once installed exit from maintenance mode run the StopDagServerMaintenance.ps1 script. Run the following command to re-balance the DAG, as needed

        .RedistributeActiveDatabases.ps1 -DagName <DAGName> -BalanceDbsByActivationPreference -ShowFinalDatabaseDistribution

        When the installation is finished, complete the following tasks:

        • Start the Services MMC snap-in, and then verify that all the Exchange-related services are started successfully.
        • Log on to Outlook Web App to verify that it’s running correctly.
        • Restore Outlook Web App customizations, and then check Outlook Web App for correct functionality.
        • After the update rollup installation is complete, select the Check for publisher’s certificate revocation option in Internet Explorer. See “Certificate Revocation List” earlier in this topic.
        • Check Exchange 2010 version information
        • View Update rollup in Control Panel>Programs and Features

        Patching Microsoft Failover Cluster

        You can install Windows service packs on Windows Server Failover Cluster nodes using the following procedure. Administrative privilege is required to perform the following tasks.

        Procedure to install Windows service pack or hotfixes in Windows Server 2003:

        1. Check the System event log for errors and ensure proper system operation.
        2. Make sure you have a current backup and updated emergency repair disk for each system. In the event of corrupt files, power outage, or incompatibility, it may be necessary to revert back to the state of the system prior to attempting to install the service pack/hotfixes.
        3. Expand Node A, and then click Active Groups. In the left pane, right-click the groups, and then click Move Group to move all groups to Node B.
        4. Open Cluster Administrator, right-click Node A, and then click Pause Node.
        5. Install the service pack on Node A, and then restart the computer.
        6. Check the System event log for errors. If you find any errors, troubleshoot them before continuing this process.
        7. In Cluster Administrator, right-click Node A, and then click Resume Node.
        8. Right-click Node B, and then click Move Group for all groups owned by Node B to move all groups to Node A.
        9. In Cluster Administrator, right-click Node B, and then click Pause Node.
        10. Install the service pack on Node B, and then restart the computer.
        11. Check the system event log for errors. If you find any errors, troubleshoot them before continuing this process.
        12. In Cluster Administrator, right-click Node B, and then click Resume Node.
        13. Right-click each group, click Move Group, and then move the groups back to their preferred owner.

        Procedure to install Windows service pack or hotfixes in Windows Server 2008 and Windows Server 2012:

        1. Check the event log for errors and ensure proper system operation.
        2. Make sure you have a current backup and updated emergency repair disk for each system. In the event of corrupt files, power outage, or incompatibility, it may be necessary to revert back to the state of the system prior to attempting to install the service pack/hotfixes.
        3. On Node A, Expand Services and Applications, and then click the service or application
        4. Under Actions (on the right), click Move this service or application to another node, then choose the node or select Best possible.
        5. In the Failover Cluster Manager snap-in, right-click Node A, and then click Pause.
        6. Install the service pack/hotfixes on Node A, and then restart the computer.
        7. Check the event log for errors. If you find any errors, troubleshoot them before continuing this process.
        8. In Failover Cluster Manager snap-in, right-click Node A, and then click Resume.
        9. Under Actions (on the right), click Move this service or application to another node, then choose the node.
          Note: As the service or application moves, the status is displayed in the results pane (in the center pane). Follow the Step 9 and 10 for each service and application configured on the cluster.
        10. Install the service pack/hotfixes on Node B, and then restart the computer.
        11. Check the event log for errors. If you find any errors, troubleshoot them before continuing this process.
        12. From the Failover Cluster Manager snap-in, right-click Node B, and then click Pause.
        13. In Failover Cluster Manager, right-click Node B, and then click Resume.
        14. Right-click each group, click Move Group, and then move the groups back to their preferred owner.

        You can use the following PowerShell Cmdlet to accomplish the same.

        1. Load the module with the command: Import-Module FailoverClusters

        2. Suspend (Pause) activity on a failover cluster nodeA: Suspend-ClusterNode nodeA

        3. Move a clustered service or application (a resource group) from one node to another: Get-ClusterNode NodeA | Get-ClusterGroup | Move-Cluster Group

        4. Resume activity on nodeA that was suspended in step 5: Resume-ClusterNode nodeA

        5. Move a clustered service or application (a resource group) from one node to another: Get-ClusterNode NodeB | Get-ClusterGroup | Move-Cluster Group

        6. Suspend (Pause) activity on other failover cluster node: Suspend-ClusterNode nodeB

        7. Resume activity on nodeB that was suspended in step 10 above: Resume-ClusterNode nodeB

        Conclusion

        It is critical that when service packs, hotfixes, and security patches are required to be installed, that these best practices be followed.

        Bottom line

        1. Read all related documents.

        2. Use a change control process.

        3. Apply updates that are needed.

        4. Test patches and hotfixes on test environment.

        5. Don’t get more than 2 service packs behind.

        6. Target non-critical servers first.

        7. Service Pack (SP) level consistency.

        8. Latest SP instead of multiple hotfixes.

        9. Apply only on exact match.

        10. Subscribe to Microsoft email notification.

        11. Always have a back-out plan.

        12. Have a working Backup and schedule production downtime.

        13. Consistency across Domain Controllers and application servers.

        Additional Readings:

        SQL Server failover cluster rolling patch and service pack process

        Patch Management on Business-Critical Servers