2 Replies Latest reply on Feb 14, 2013 8:35 PM by pigeon

    Our Hands Free Setup

    SolarWinds Community Team

      We have been using EminentWare for over a year now and have been very happy with the product.  David and John have been great and super quick to respond to issues and have taken our feature requests to heart and have done everything they can to continue to make the product more and more usable.  With that said, I would like to share our setup really quick.  We currently only push Windows updates to all of our machines.  We run Citrix for all of our applications so third party updates are not really essential right now, however getting critical MS patches out in a timely manner is. We have a little over 100 servers and approx 200 thick and laptop clients that we patch, and another 300ish thin clients that are currently managed via WDM (however we plan to add them to the EminentWare loop very soon).

       

      First, we have a single WSUS server.  We have created the following groups:

       

       

      Pilot Servers
      Regular Servers
      Specialty Servers
      Workstation Testing
      AutoApprove (do not put machines here)

       

       

       

      We then assign machines to the appropriate groups.  We put our Priority 3 servers in our "Pilot Server" group and make sure we have at least one of each role in there (IIS, File, DC...).

       

      We then put the rest of our servers in the "Regular Server" group.

       

      The last server group, "Specialty Servers", is reserved for servers that need a little more finesse to patch, i.e. clusters, servers with certain maintenance windows or boot orders.

       

      Workstation testing consists of a selection of workstations with users from various departments that are willing to let us know if they see any issues.

       

      The last group "AutoApprove" has no machines assigned in it.  This group is created so we can have an auto approve rule in WSUS that automatically approves critical and security patches.  Once the patches are "approved" WSUS automatically downloads them to the box so they are ready for the next step.

       

       

       

      Now that WSUS is configured it is pretty hands off except for adding new machines to the appropriate groups and verifying occasionally that some of the patches for the "AutoApprove" group that require user intervention get accepted. 

       

      Now we open up EminentWare and expand each group in WSUS.  We started with the "Pilot Servers" group.  Right click and select "Update Management Wizard".  We use the option "Download and install all needed security and critical updates".  Since we have configured the "auto approve" option in WSUS, all the patches have already been downloaded and are ready for deployment.  We then go to the next page, make sure we reboot if required, and select planning mode.  We then schedule this to run at 9:00AM the first Monday morning of every month and send out an email with the results attached to the server owners.  This gives them a heads up and basically says your server is getting these patches tonight and may be rebooted.  This gives them all day to come and say hey, I don’t want that or there may be an issue.  If nothing is heard, the exact same job, with the exception of running in planning mode, is run the first Tue morning at 3:00AM.

       

      We then run a similar schedule on the second week for our regular server groups.  This gives us one full week to verify there were no issues with patches the prior week. 

       

      Finally, our "specialty servers" have their own individual schedules with a similar setup, 1 in planning mode the morning before the patch and the actual patch the next morning.  These you will need to configure according to your environment, but for example, we have a cluster setup.  In order to patch the cluster, we patch the primary server at night, which forces a reboot.  During the reboot the cluster fails over.  One hour later, we have a scheduled job to reboot the secondary server (I know, this is risky without logic to test whether the primary is up, but it works for us).  This forces the cluster to fail back to the primary by itself.  We then push the same patches to the secondary a few days later when we know there are no issues with the patch on the primary.

       

      Our workstations are patched a little differently but also very hands off with our setup.  We have our patches automatically configured for our test group of workstations on the first Tue of every month.  We then have a job scheduled that patches our entire "workstations" OU in AD Tue and Thru the remaining weeks.  This covers all of the rest of our workstations.

       

       

       

      I hope this helps someone else out.  I know this may not work for everyone, but it has been working excellently for us.  The only time I ever go to EminentWare lately is to run a report and verify that a patch was pushed to our machines for management.  I'd also like to mention that every time I have run these reports, the patch was already pushed, or had at least been pushed to the pilots and was ready to be deployed on our current deployment schedule to the rest of our workstations or servers.
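
An added example (not part of the original post): the monthly cadence described above, computed in Python to show a calendar edge case. In a month that starts on a Tuesday, the "first Tuesday" install falls before the "first Monday" planning-mode notice; all function names are hypothetical, and `anchored_schedule` is an assumed variant that ties the install to the morning after the notice.

```python
import calendar
from datetime import date, datetime, time, timedelta


def nth_weekday(year, month, weekday, n):
    """Date of the n-th given weekday (calendar.MONDAY == 0) in a month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def pilot_schedule(year, month):
    """Literal reading of the post: notice on the first Monday at 09:00,
    install on the first Tuesday at 03:00, each computed independently."""
    notice = datetime.combine(
        nth_weekday(year, month, calendar.MONDAY, 1), time(9, 0))
    install = datetime.combine(
        nth_weekday(year, month, calendar.TUESDAY, 1), time(3, 0))
    return notice, install


def months_with_inverted_order(year):
    """Months in which the install would run before the owners get the notice."""
    bad = []
    for month in range(1, 13):
        notice, install = pilot_schedule(year, month)
        if install < notice:
            bad.append(month)
    return bad


def anchored_schedule(year, month, week=1):
    """Assumed variant: install is always 03:00 the morning after the notice.
    week=1 models the pilot servers, week=2 the regular servers."""
    monday = nth_weekday(year, month, calendar.MONDAY, week)
    notice = datetime.combine(monday, time(9, 0))
    install = datetime.combine(monday + timedelta(days=1), time(3, 0))
    return notice, install


if __name__ == "__main__":
    for year in (2013, 2014):
        print(year, "months where install precedes notice:",
              months_with_inverted_order(year))
    for label, week in (("pilot", 1), ("regular", 2)):
        notice, install = anchored_schedule(2013, 10, week)
        print(f"{label:8s} notice {notice:%a %Y-%m-%d %H:%M}"
              f" -> install {install:%a %Y-%m-%d %H:%M}")
```
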