PATCHING WINDOWS SERVER 2012 DOMAIN CONTROLLERS. Prepared By: Sainath K.E.V MVP Directory Services




TABLE OF CONTENTS
1 Introduction
2 Patch management process
3 Patching active directory domain controllers
3.1 Permission Requirement

1 INTRODUCTION

Patch management is one of the critical, risk-associated activities in the day-to-day work of System Engineers / System Administrators who manage hundreds to thousands of servers. It is a challenge that involves risk, complexity, outages and escalations. Over the years, proven methodologies for patching Windows Servers have emerged, and every organization follows its own testing strategy before applying patches to its servers. Microsoft divides Windows updates into categories, each of which affects Windows components when installed, so organizations have to test their applications carefully against the updates.

Microsoft releases the following types of Windows updates:

Security Updates: These are important updates and must be installed on Windows Servers.
Recommended Updates: These are sometimes optional updates, but they require a careful understanding of the update.
Service Packs: A combination of hotfixes bundled together, which helps Administrators / Developers test or build their apps against a Service Pack level.
Language Packs: Low-impact optional updates that may be required by application developers who build multi-language applications to run on the operating system.

This article describes the patch management process, highlighting the phases involved before a patch is installed, and lists the recommended permissions required to install Windows updates on Domain Controllers.

2 PATCH MANAGEMENT PROCESS

I have written the framework based on a proven methodology implemented by enterprise organizations to install patches on Windows Servers. The critical phases of the patch management process are:

Phase 1: Receive Patch Notifications
Phase 2: Patch Management Plan
Phase 3: Release the Patch
Phase 4: Evaluate the Patch
Phase 5: Systems to be Patched
Phase 6: Acquire the Patch
Phase 7: User Acceptance Test
Phase 8: Schedule Patch Deployment
Phase 9: Deploy the Patch
Phase 10: Confirm Patch Deployment
Phase 11: Document Changes
Phase 12: Roll back procedures

[Fig: Patch Management Framework. Flowchart of the stages Receive Patch Notifications, Patch Mitigation Plan, Release The Patch, Evaluate The Patch, Systems To Be Patched, Acquire The Patch, User Acceptance Test, Schedule Patch Deployment, Deploy The Patch, Confirm Deployment and Document The Changes.]

3 PATCHING ACTIVE DIRECTORY DOMAIN CONTROLLERS

Whatever patch management process an organization follows, certain requirements and checks need to be in place before patching Domain Controllers. When a Windows Server is promoted to an Active Directory Domain Controller, its local groups are migrated to groups owned by Active Directory, and the conventional way of adding users / groups to the local Administrators group is no longer valid.

This matters where organizations employ vendors to perform patch management and have to make the vendors members of the Builtin Administrators group on the Domain Controllers.

Before listing the permissions required, I would like to list the Domain Administrators vs Builtin Administrators privileges, which gives a good understanding of the groups on Domain Controllers.

Group: Administrators
User Rights: Access this computer from the network; Adjust memory quotas for a process; Allow log on locally; Allow log on through Terminal Services; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Force shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Manage auditing and security log; Modify firmware environment variables; Perform volume maintenance tasks; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects

Group: Domain Admins
User Rights: Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects

3.1 PERMISSION REQUIREMENT

The Administrators group has full access to AD objects, which is close to / equivalent to the Domain Administrators group, along with full system-level permissions on the Domain Controllers. Active Directory Administrators / Architects should evaluate this before adding vendors to the Builtin Administrators group.

The one notable difference between Domain Administrators and Builtin \ domain local Administrators is that Domain Administrators are members of the local Administrators group on non-domain-controller computers (both domain-joined client and server operating systems), whereas the Builtin \ domain local Administrators group does not have that permission on non-Domain Controllers.

One of the requirements for installing patches is Administrator access on the Windows Server / client operating system, so vendor accounts have to be added to the Builtin\Administrators group on the Domain Controller.

Is it safe to allow vendors to patch?

It is never safe to allow vendors to perform patch management on production Domain Controllers, because they get complete access to Active Directory objects. With strict monitoring in place, however, a vendor account can be allowed to patch the Domain Controllers for the scheduled update window and then be disabled. The alternative, and possibly safe, approach is to have Domain Administrators patch the Domain Controllers.

Note: The above procedure is for environments where there is no automated patch management process in place.
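The time-boxed vendor access and monitoring described in section 3.1, sketched in PowerShell as an added example that is not part of the original document. The account name svc-vendor-patch and the 4-hour window are hypothetical; removing the group membership and setting an account expiry go one step beyond the "disable the account" step in the text.

```powershell
# Added example (not from the original document). Run on a domain controller
# with the ActiveDirectory module. Account name and window length are hypothetical.
Import-Module ActiveDirectory
$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Open-VendorPatchWindow {
    param([string]$Sam = 'svc-vendor-patch', [int]$Hours = 4)
    $end = (Get-Date).AddHours($Hours)
    # Safety net: the account expires with the window even if cleanup is missed.
    Set-ADAccountExpiration -Identity $Sam -DateTime $end
    Enable-ADAccount -Identity $Sam
    Add-ADGroupMember -Identity $AdminsSid -Members $Sam
    $end
}

function Close-VendorPatchWindow {
    param([string]$Sam = 'svc-vendor-patch')
    Remove-ADGroupMember -Identity $AdminsSid -Members $Sam -Confirm:$false
    Disable-ADAccount -Identity $Sam
    # Fail loudly if the account is still an administrator (directly or nested).
    $left = Get-ADGroupMember -Identity $AdminsSid -Recursive |
        Where-Object { $_.SamAccountName -eq $Sam }
    if ($left) { throw "$Sam is still a member of BUILTIN\Administrators" }
}

function Get-AdminGroupChange {
    # Monitoring: 4732 = member added to, 4733 = member removed from a
    # security-enabled local group. Needs 'Audit Security Group Management'.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetSid'] -eq $AdminsSid) {
                [pscustomobject]@{
                    Time      = $evt.TimeCreated
                    Action    = if ($evt.Id -eq 4732) { 'Added' } else { 'Removed' }
                    Member    = $data['MemberSid']
                    ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                }
            }
        }
}

# Usage: $end = Open-VendorPatchWindow; ...patch...; Close-VendorPatchWindow
#        Get-AdminGroupChange -Since (Get-Date).AddHours(-6) | Format-Table
```

Security events are written only on the Domain Controller that processed the change, so Get-AdminGroupChange has to be run on, or pointed at, each Domain Controller to get the full picture.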