Windows Server Patching Procedure
I have a few questions about installing Windows security updates on Windows servers (we call it patching here).
Before asking my questions, I would like to give brief details about our Windows infrastructure and the procedure we follow for patching.
- We have about 550 Windows servers (a few of them are Windows 2003 and the rest are 2008) in our domain
- We patch these servers twice a year (July and December)
- We use LANDesk Patch Manager for the patch deployment
- LANDesk Provisioning Templates are useful in case of server reboots in the middle. Details are at http://community.landesk.com/support/docs/DOC-9485
- We follow the below patching schedule (in phases):
  - All QA/DEV/TEST servers in one phase (over a weekend)
  - All PROD servers in two weeks (over two weekends) with a gap of a week
- Once the patching is complete in each phase, we verify a few critical applications/services to make sure they are up. We take the end users' help in testing their applications if required.
So, my questions are below:
- Though we verify a few critical services, on the next business day after patching we get a few user calls about their applications not working. We will identify the services and bring them up.
- I am wondering how this patching activity is taken care of in the rest of the world, so that we can improve our process.
- What procedure is followed by companies with a few thousand Windows servers? Is there a better way we can ensure that the Windows server health is not changed after the patching activity (as part of which the server might be restarted a couple of times)?
I am really sorry for such a lengthy post and thanks a lot for reading it. If anyone has any suggestions/inputs on this, they would be greatly appreciated.