Best Practices: Installing MS Windows Updates on Windows JSS Server

dstranathan
Valued Contributor II

For those out there running your JSS on a Microsoft Windows physical or VM server...

I have 2 JSS servers running Windows Server 2012 R2 - 1 is on the LAN (JSS master) and 1 server is in my DMZ.

1) How often do you run Windows updates? Monthly? Quarterly?

2) Do you have your Windows updates scheduled to run/install automatically in a maintenance window situation, or do you run them manually?

3) Have you ever had a MS Windows update bork your JSS or related components? Any horror stories?

My Windows infrastructure team does monthly maintenance on the last Saturday night of each month. Typically, most Windows servers get all (vetted) patches and updates at this time. We try and keep fairly up-to-date (especially with security patches).

Some of our Windows servers run updates automatically during our IT maintenance window, others are manually installed by the team lead on the server. I'm the "JAMF dude" so I need to document and architect my update planning to my boss.

I'm tempted to just run the Windows updates on my (2) JSS servers manually each month as needed. I'm not sure I trust having the server do it automatically (and rebooting etc).

My main JSS (LAN) gets a WSUS policy from AD (along with most Win servers). However, my DMZ JSS is not on the LAN and thus not in AD - so it would pull from Microsoft with no internal WSUS vetting.

Does MySQL, Tomcat, Java, etc play nice on Windows server in terms of MS patches?

Thoughts?


Aziz
Valued Contributor

We have two JSS servers. One for internal clients (Master JSS), the other one is NATted and allows external clients to communicate. Both have the SCCM client on them and are on the domain.

Public JSS is on Windows Server 2012 R2 and in Production Group C.
Master JSS is on Windows Server 2012 R2 and in Production Group A.

Our patching schedule is monthly and depending on the production group, either restarts on Thursday (A), Friday (B) or Saturday (C) during the maintenance window.

We make our updates available on Monday, so people can manually update using Software Center a couple days before the deadline. If you don't want to update manually, SCCM will automatically install updates on the deadline specified (Wednesday/Friday at 11PM for me) and it will reboot during the maintenance window. I let SCCM take care of everything for me. Our maintenance window is between 1AM to 4 AM.

We haven't had a single issue with Java, MySQL or Tomcat. As for Windows Updates, we have a server pilot group! So far, no problems with our JSS.

andrew_nicholas
Valued Contributor

Same setup as both described here. Only ever had one problem with DMZ server where the Tomcat Directory lost all of its files and so Apache couldn't start. Copied over the same directory from the master and restarted Tomcat with no other issues. Wasn't sure what caused the problem but otherwise haven't had any issues with monthly patching.

powellbc
Contributor II

We patch all Windows (including the JSS and our DB server) servers monthly using Configuration Manager, using maintenance windows. This works well.

As for a horror story:

This is something that occurred yesterday and I certainly am missing something, but I thought I might share it anyway. Last month's patching seemed to not complete in an adequate amount of time for the maintenance window. What happened was that servers installed the patches but did not reboot before the window ended, leaving them in a pending reboot state. The JSS was one of these servers.

Because of this we proactively restarted the JSS manually. After the reboot was complete, I noticed that Tomcat would not start. After some investigation, all of the required .jar files were missing from C:\Program Files\JSS\Tomcat\bin. I ended up having to reinstall the JSS to get it going again. Was this because of a Windows update? Or the time it was in pending reboot status (over a month)? Who knows, but it was very odd.
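As an added illustration (not code from this thread or from JAMF), the kind of pre/post-patch health check a Windows admin could script so that the failure mode described above (a host stuck in "pending reboot" and a Tomcat bin directory emptied of its .jar files) is flagged on the day rather than discovered a month later. The Tomcat install path and the Windows service name are assumptions; set them to match the local JSS install.

```powershell
# Added example: post-patch health check for a Windows JSS host.
# Assumed values (adjust to the local install): Tomcat root path and Tomcat service name.
param(
    [string]$TomcatRoot    = 'C:\Program Files\JSS\Tomcat',   # assumed install path
    [string]$TomcatService = 'Tomcat8'                          # assumed service name
)

function Test-PendingReboot {
    # The usual registry locations where Windows records a reboot still owed to an update.
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wua = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $pfro = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
                -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CBS               = $cbs
        WindowsUpdate     = $wua
        PendingFileRename = ($null -ne $pfro)
        Pending           = ($cbs -or $wua -or ($null -ne $pfro))
    }
}

function Test-TomcatInstall {
    param([string]$Root, [string]$Service)
    $bin = Join-Path $Root 'bin'
    $lib = Join-Path $Root 'lib'
    # Count the jars Tomcat needs to start; an empty bin is exactly the symptom reported above.
    $jarsInBin = @(Get-ChildItem -Path $bin -Filter *.jar -ErrorAction SilentlyContinue).Count
    $jarsInLib = @(Get-ChildItem -Path $lib -Filter *.jar -ErrorAction SilentlyContinue).Count
    $svc = Get-Service -Name $Service -ErrorAction SilentlyContinue
    $status = if ($null -ne $svc) { $svc.Status.ToString() } else { 'missing' }
    [pscustomobject]@{
        BinExists     = (Test-Path $bin)
        JarsInBin     = $jarsInBin
        JarsInLib     = $jarsInLib
        ServiceStatus = $status
    }
}

$reboot = Test-PendingReboot
$tomcat = Test-TomcatInstall -Root $TomcatRoot -Service $TomcatService
$reboot | Format-List
$tomcat | Format-List

# Warn on each condition and exit non-zero so a scheduled task or monitoring hook can flag the host.
if ($reboot.Pending) { Write-Warning 'Reboot pending: finish the patch cycle before relying on this JSS.' }
if (-not $tomcat.BinExists -or $tomcat.JarsInBin -eq 0) { Write-Warning "No .jar files under $TomcatRoot\bin; compare against the master JSS." }
if ($tomcat.ServiceStatus -ne 'Running') { Write-Warning "Tomcat service '$TomcatService' is $($tomcat.ServiceStatus)." }
exit ([int]($reboot.Pending -or $tomcat.JarsInBin -eq 0 -or $tomcat.ServiceStatus -ne 'Running'))
```

Run it once before the maintenance window (to confirm the host is not already carrying a pending reboot) and once after the reboot completes, and keep the first run's jar counts to compare against.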

dstranathan
Valued Contributor II

Thanks everyone. Appreciated.

Sounds like I'm on the right track in terms of best practice and general expectations. I'm not a "Windows guy" per se, so I tend to play MS-centric maintenance & patches fairly conservatively.

Of course it goes without saying: I'll take VM snapshots before I patch my Windows JSSs too (for good measure).