Mark Minasi's Tech Forum
Jon_AK

New Friend (or an Old Friend who Built a New Account)
Posts: 74
Reply with quote  #1 
Hi again,
I'm looking for a substitute for WSUS, just cannot afford to license another copy of Server 2016 and so was looking to see if going the Linux route is feasible.  There seem to be a few Linux packages that claim the capability of rolling out updates the same way that WSUS does but I have absolutely no experience with any of them.  I also do not think they integrate directly with Active Directory.

Recommendations??
0
cj_berlin

Senior Member
Posts: 300
Reply with quote  #2 
Quote:
Originally Posted by Jon_AK
Hi again,
I'm looking for a substitute for WSUS, just cannot afford to license another copy of Server 2016 and so was looking to see if going the Linux route is feasible.  There seem to be a few Linux packages that claim the capability of rolling out updates the same way that WSUS does but I have absolutely no experience with any of them.  I also do not think they integrate directly with Active Directory.
Recommendations??


Hi,

First, WSUS doesn't "integrate" with Active Directory either, as there is nothing in WSUS that requires authentication.

Second, the biggest advantage of WSUS, right along with having to only download patches once, is the ability to selectively approve them and have them shipped out based on what the clients actually request. This you won't get with any other package.

I would just colocate WSUS with some existing server role. It does need some compute resources and disk space but then you would have to allocate those anyway.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
0
wobble_wobble

Associate Troublemaker Apprentice
Posts: 896
Reply with quote  #3 
+1 on what Evgenij says.
WSUS will patch Windows irrespective of Domain or workgroup.
Spacewalk, one of the Linux versions, is good for Linux but too hard to get working for Windows.

__________________
Have you tried turning it off and walking away? The next person can fix it!

0
Jon_AK

New Friend (or an Old Friend who Built a New Account)
Posts: 74
Reply with quote  #4 
Active Directory was the first thing that came to mind in my post.  I understand that control of WSUS - call it integration if you will - can be accomplished via Group Policy and my end goal is to ensure that all clients have any updates applied during the work day and if a reboot is necessary, it occurs right afterward.  Inconvenient yes but is better than having to spend 2 - 4 hours the next day performing repairs.  Each client has a scheduled shutdown task to occur 30 minutes after their respective backup is completed - Upper management required workstations to turn off at night to conserve power.  What seems to have happened on a couple instances during the shutdown is a system update was in the middle of installing when the shutdown event occurred and am assuming this is what caused the particular system to become corrupted.  That's the 2 - 4 hours of time the following day that occurs since it has resulted in a system restore operation to run.  I'm not a code master and so I do not know how to check that an update is being performed and thereby postpone the shutdown.

We have just 1 server which already serves as the DC, file server & Azure Active Directory sync and am skeptical of placing an additional load of IIS running to function as a WSUS server.  Of course, it may be that I am left with no other option.
0
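
Added example, not part of any post in this thread: one way the scheduled shutdown task described in post #4 could check for update activity and postpone itself, written as a PowerShell wrapper to run in place of a bare shutdown command. The poll interval, the three-hour cap, the log path and the function names are assumptions chosen for illustration; the TiWorker check is a heuristic and may also fire during update scans.

```powershell
# Added example (not from the thread): shutdown wrapper for the nightly task.
# Assumed values: 5-minute poll, 3-hour cap, hypothetical log path.
$PollSeconds = 300
$MaxWaitMin  = 180
$LogFile     = 'C:\ProgramData\SafeShutdown.log'

function Write-Log([string]$Message) {
    "{0:u} {1}" -f (Get-Date), $Message | Add-Content -Path $LogFile
}

function Test-UpdateBusy {
    # Windows Update Agent: true while an install or uninstall is running.
    $installer = New-Object -ComObject Microsoft.Update.Installer
    if ($installer.IsBusy) { return $true }
    # Windows Modules Installer Worker: running while the component
    # store is being serviced (heuristic, errs on the side of waiting).
    if (Get-Process -Name TiWorker -ErrorAction SilentlyContinue) { return $true }
    return $false
}

function Test-RebootPending {
    # True when an installed update still needs a restart to complete.
    (New-Object -ComObject Microsoft.Update.SystemInfo).RebootRequired
}

$deadline = (Get-Date).AddMinutes($MaxWaitMin)
while ((Test-UpdateBusy) -and ((Get-Date) -lt $deadline)) {
    Write-Log 'Update activity detected; postponing shutdown.'
    Start-Sleep -Seconds $PollSeconds
}

if (Test-UpdateBusy) {
    # Leaving the machine on is cheaper than a system restore.
    Write-Log 'Still busy at deadline; shutdown skipped.'
    exit 1
}

if (Test-RebootPending) {
    Write-Log 'Restart pending from an installed update; logged for follow-up.'
}
Write-Log 'No update activity; shutting down.'
shutdown.exe /s /t 60 /c "Nightly shutdown (update check passed)"
```

The non-zero exit code on the skipped path shows up as the task's last run result, so machines that stayed on overnight can be found from Task Scheduler as well as from the log.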
wobble_wobble

Associate Troublemaker Apprentice
Posts: 896
Reply with quote  #5 
Any and all patching is something that needs some work. Your power off task trumps all others so you'll need to update before that kicks in, maybe an hour before.
I saw this but not followed up fully yet.
https://docs.microsoft.com/en-us/azure/automation/automation-update-management
Might help a little more.

__________________
Have you tried turning it off and walking away? The next person can fix it!

0
Pieter

Senior Member
Posts: 245
Reply with quote  #6 
Also consider the MS online updates site as your source.

The advantage of using WSUS is:
1.  you can approve patches.
2.  a local copy (only one server does the download, so you don't waste bandwidth or data volume).
3.  the firewall only has to allow one device (the WSUS server) to download the patches. 

If none of these are important to you, you could stick with updating from the Microsoft online update sites.  And regarding the advantages of WSUS:
1.  I often see automatic approval for every hotfix.
2.  Maybe your firewall has a caching mechanism, so this isn't an issue anymore.
3.  In many companies all internal clients have access for HTTP(S) to every site.

__________________
Pieter Demeulemeester
0
jsclmedave

Administrator
Posts: 468
Reply with quote  #7 
We "had" a multi-million dollar Linux based product for patching all Windows and Linux devices.  After multiple updates and millions on failed support it is now going out the door.

Keep it simple - for the Windows side especially - and use WSUS.

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

0
Jon_AK

New Friend (or an Old Friend who Built a New Account)
Posts: 74
Reply with quote  #8 
Have decided to bite the bullet and utilize the server we have and have it perform as the WSUS server.  Memory is plentiful so the only issue would be the resources that IIS imposes.  Thanks for all the feedback.
0
Jon_AK

New Friend (or an Old Friend who Built a New Account)
Posts: 74
Reply with quote  #9 
Quote:
Any and all patching is something that needs some work. Your power off task trumps all others so you'll need to update before that kicks in, maybe an hour before.
I saw this but not followed up fully yet.
https://docs.microsoft.com/en-us/azure/automation/automation-update-management
Might help a little more.


Started reading up on this to see how it would apply to our AAD.  Not really well versed with AAD and its intricacies but what I understand from the MS documents on WSUS, I can control the updating as well as forcing a restart to complete any updates.  That in itself will hopefully save me hours of repair work on top of an already busy schedule.
0
msandlie

New Friend (or an Old Friend who Built a New Account)
Posts: 19
Reply with quote  #10 
We use WSUS but we substitute it with Ivanti patch for Windows servers.  Ivanti is more of a manual patch push but allows you to enter in a pre patch message, and it does not require a client on each machine.  It offers a ton of customization, you can even set an option allowing your end users to add additional time to the count down before it forces a restart.  I only have 2 issues with it, not completely Ivanti's fault.

1. Patching with Ivanti can trigger the message built into Windows patch service stating your machine has been patched, restart your machine.  The end user will restart their machine before all patches have been installed causing them to have to restart again.  For this we send out a warning stating to not restart until you see Ivanti's message.

2.  Windows 10 still needs to somehow automatically check for updates by reaching out to Microsoft servers, or your WSUS server.  So either you use WSUS by pointing your domain PCs to it via policy, maintain patches, and also use something like Ivanti, OR, you use WSUS by pointing your domain PCs to it via policy and not maintain patches, and only use something like Ivanti.. or you have all PCs simply update directly from Microsoft risking a good chance Microsoft is going to provide you with a business busting bug.
0
Jon_AK

New Friend (or an Old Friend who Built a New Account)
Posts: 74
Reply with quote  #11 
Thanks for the suggestion.  Went and looked but not sure about getting involved with that one yet, at least not until I can get a handle on WSUS.
0
donoli

Senior Member
Posts: 598
Reply with quote  #12 
Quote:
Upper management required workstations to turn off at night to conserve power.


I don't want to hijack the thread but you have to be kidding. I could see requiring the monitors to be shut but not the towers. A cost estimate of leaving a PC on 24/7 in 2005 was $167 per year. It has to be far less now with newer technology. Interrupting updates cost far more.
0
Jon_AK

New Friend (or an Old Friend who Built a New Account)
Posts: 74
Reply with quote  #13 
Nah, you're not hijacking at all and nope, not kidding.  In actuality if you think about it, the average Windows PC draws on the average 150 - 200 watts plus the monitor which I know these days isn't like the old CRTs of DOS days.  A power supply in a PC is a power supply, these haven't changed much over the past forever and with 10 client workstations running 24/7 that is like burning a 2,000 watt electric heater non-stop.  Here in Honolulu, electricity is much more expensive than most places in the mainland so I can empathize with management when trying to rein in costs.  For me, I'm just trying to find a method to make my job a bit easier to deal with each day......
0
donoli

Senior Member
Posts: 598
Reply with quote  #14 
Suggest solar power. If there isn't enough sun in Honolulu, there isn't enough sun anywhere.
0
Jon_AK

New Friend (or an Old Friend who Built a New Account)
Posts: 74
Reply with quote  #15 
Quote:
Suggest solar power. If there isn't enough sun in Honolulu, there isn't enough sun anywhere.

You would think so but the electric utility here decides whether or not they will allow you to install solar panels....
0