Windows Server 2003 Enterprise, GPO, Slow question

It works now, logins occur within 10 seconds. I did implement a lot of changes, but after toying with a few different things, and then changing it back, I narrowed it down to the DNS settings.

I assigned the DC as the DNS server on the workstation, then used the outbound DNS server as a Forwarder on the DC itself. Once I did that, BAM, instant logon. Thanks to all for your help!

Now, onto implementing WSUS...
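
The DNS layout described in the post above, written out as commands. This is an added example, not part of the original posts; the interface name, IP addresses and domain name are placeholders, and `dnscmd` and `nltest` are assumed to be installed from the Windows Support Tools. Domain members locate a domain controller through SRV records in the AD DNS zone, so a client that queries only an outside resolver waits for those lookups to fail before logon can proceed.

```batch
rem --- On the workstation ---------------------------------------------
rem Point the client at the DC for DNS (placeholder DC address 192.168.1.10).
netsh interface ip set dns name="Local Area Connection" source=static addr=192.168.1.10

rem Clear cached answers from the old resolver and re-register the client's records.
ipconfig /flushdns
ipconfig /registerdns

rem --- On the DC (DNS server) -----------------------------------------
rem Forward anything outside the AD zone to the outbound resolver
rem (placeholder address 203.0.113.53).
dnscmd /ResetForwarders 203.0.113.53

rem --- Check from the workstation -------------------------------------
rem The DC locator SRV record should resolve through the DC
rem (placeholder domain corp.example.com).
nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.example.com

rem The client should find a domain controller without delay.
nltest /dsgetdc:corp.example.com

rem External names should still resolve, now by way of the forwarder.
nslookup www.example.com
```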
 
OK so I set up WSUS, real neat utility. I configured a separate GPO for it as suggested, my only question would be about approval status. The server holds 984 updates, and as that would be a pain to test/approve each one, I figured I would set them to "detect only". As far as I can tell, that means if the machine needs it, it gets it. Any thoughts on if this is the right way to go or other suggestions?
 
Detect Only will not install the updates. It will only report back to you if a server or workstation needs it.

If a server or workstation needs it you have to set the status to Install.

I configured multiple groups. One for Servers (2000), Servers (2003), Workstations (2000), Workstations (XP), and finally a Test Group.

Then when you go into approve an update you leave the approval for All Computers at Detect Only and choose Install for only the groups that need it (Most 2000 workstations need the same set of updates, etc.).

I'll post screenshots of my WSUS setup.
 
Here are screenshots of my WSUS setup.
 
madmatt said:
Detect Only will not install the updates. It will only report back to you if a server or workstation needs it.

If a server or workstation needs it you have to set the status to Install.

I configured multiple groups. One for Servers (2000), Servers (2003), Workstations (2000), Workstations (XP), and finally a Test Group.

Then when you go into approve an update you leave the approval for All Computers at Detect Only and choose Install for only the groups that need it (Most 2000 workstations need the same set of updates, etc.).

I'll post screenshots of my WSUS setup.

Interesting, what you are saying makes sense, thanks. I would love to see the screenshots....
 
madmatt said:
Here are screenshots of my WSUS setup.

So would I be correct in assuming you tested or made best-judgement on each individual update? That is best practice, was just wondering about your thought process. I currently have 984 updates on my WSUS server, but I think I am going to restrict that a little bit.
 
And I only have my WSUS server download the updates I need. It took some time to get used to. A lot more advanced than previous versions of SUS. The reporting feature alone is money.
 
kcnychief said:
So would I be correct in assuming you tested or made best-judgement on each individual update? That is best practice, was just wondering about your thought process. I currently have 984 updates on my WSUS server, but I think I am going to restrict that a little bit.

The majority of these updates were already installed through SUS. I set up WSUS on a new server and changed over the GPOs to look at the new server. However, I have one Test Server (on Windows 2000 Server) and one Test Workstation (on Windows 2000 Professional) and any new updates that come out will be applied there first.

However, anything that comes out for Windows Server 2003 or XP will be rolled right out. I don't have the resources available to set up a Test Server on 2003 and we only have two XP clients getting updates from our WSUS server (one being mine).
 
Yeah it is great so far. What are your takes, as in which ones do you select on the following for types of updates....

  • Critical Updates (obviously)
  • Drivers (I don't see a point, and from my experience MS usually messes up drivers anyways)
  • Feature Packs - From what I can tell, this isn't needed.
  • Security Updates - This is a good one to go with, but what are the differences between Security Updates and Critical Updates? Scary to think that Security isn't considered critical....
  • Service Packs - obviously - Can I push Service Packs or would I still have to do that as an .MSI through GPO?
  • Tools - I'm sure I can get away with not doing this
  • Update Rollups - From what I understand, these are updates to updates, (haha)
  • Updates - These are updates that are "non-critical" I believe, such as new versions of WMP, etc. correct?

Also, since I had 984 updates the first time because I had like EVERYTHING selected, should I delete all downloaded and re-synchronize? I know the setting is only related to synchronization, but I don't want updates or files I downloaded previously to be pushed out going forward. Also, will cut my updates down that I have to scroll through.

Thanks for all your help, it's much appreciated
 
madmatt said:
The majority of these updates were already installed through SUS. I set up WSUS on a new server and changed over the GPOs to look at the new server. However, I have one Test Server (on Windows 2000 Server) and one Test Workstation (on Windows 2000 Professional) and any new updates that come out will be applied there first.

However, anything that comes out for Windows Server 2003 or XP will be rolled right out. I don't have the resources available to set up a Test Server on 2003 and we only have two XP clients getting updates from our WSUS server (one being mine).

Interesting. For me, I am studying for my MCSE. I know it is best to have the job for 12-18 months (as I have read in the books they assume you have). My environment is a DC, and I have one XP workstation and one XP laptop. So my testing environment is small, but I'm learning so much and I love it.
 
I only selected the "products" that are in my environment so that cut down on the number of updates my WSUS server is looking for and I selected all "classifications" except "Drivers".

My WSUS server holds 464 updates but it has only downloaded 389 of them.

As for starting over. I would have to look into methods for doing so. I know you can't delete the folders within the WSUS store where the updates are stored (the WSUS DB looks to those folders for confirmation and such).
 
madmatt said:
I only selected the "products" that are in my environment so that cut down on the number of updates my WSUS server is looking for and I selected all "classifications" except "Drivers".

My WSUS server holds 464 updates but it has only downloaded 389 of them.

As for starting over. I would have to look into methods for doing so. I know you can't delete the folders within the WSUS store where the updates are stored (the WSUS DB looks to those folders for confirmation and such).

Holds 464 but holds 389, do you mean that your WSUS has synchronized and downloaded 464, but only 389 are approved for deployment?
 
kcnychief said:
Holds 464 but holds 389, do you mean that your WSUS has synchronized and downloaded 464, but only 389 are approved for deployment?

My WSUS server has only sync'd for 464 updates (meaning there are only 464 updates for the products I selected to sync for) but I have approved 389 of those for deployment (so it downloaded 389).
 
madmatt said:
As for starting over. I would have to look into methods for doing so. I know you can't delete the folders within the WSUS store where the updates are stored (the WSUS DB looks to those folders for confirmation and such).

Well, for experimental purposes, here is what I did.

I un-installed WSUS, rebooted and tried to delete the folder that it was installed in, no dice. However I was able to re-install, to a different path, and then re-sync the updates. I have yet to be able to delete that folder *grumble*
 
