Active Directory/Service Groups/WSUS/Target Groups

From WolfTech
Revision as of 22:22, 20 March 2009 by Djgreen (talk | contribs)
Jump to navigation Jump to search

Beginning in April 2009, the Central WSUS Service began using a new tagging convention for its WSUS target groups: Early, Normal, Late.

The intention of these naming groups is to allow the WSUS Administrators to approve patches at specific time intervals to select groups of machines that the OU Administrators will subscribe their computers to. The timelines and approval processes are well known to all involved, and will allow for a flexibility not available in previous WSUS servers.

Naming conventions remain in place -- an OU Administrator is still expected to place his computers into a target group starting with the name of his OU, but the addition of the tag is now also required. For example, within the ECE department, it would be expected to find "ECE-Normal" or "ECE-Early" as potential groups. Should a group be created without a timing tag, it is presumed to be "Normal" and will be approved as such. Groups wishing to include additional information in their target group are not barred from doing so ("ECE-Teaching Labs-Early"), but these most still contain both the OU name and the timing tag.

Early

Computers in groups with the "Early" tag will receive patches immediately. Once the WSUS admins see the patch is available, they push it to the “Early” groups.

OU Admins with "Early" groups are expected to join the wolftech-patches@lists.ncsu.edu mailing list. Every patch the WSUS server downloads is sent to this list. Please note that you will likely receive hourly emails from this list -- you'll see not just security patches, but also definition updates which are automatically approved. However, this list will also be the only forewarning you will receive of patches that might cause your computer to reboot at night.

It is recommended that you limit the number of workstations you place in an "Early" group -- perhaps only join those workstations (likely the desktops of your IT folks) which you wish to test patches on ahead of time. Any patches which cause issues should be brought to the attention of the WSUS Administrators, or announced on the Active Directory mailing list.

Normal

Computers within "Normal" target groups will receive patches on the Thursday morning following Patch Tuesday. WSUS Administrators are expected to approve patches for these computers between 8am and 9:30am that morning. They will be required to post to Sysnews once they have done so.

Late

Patches for this group will release the Tuesday following Patch Tuesday (3rd Tues of the Month). Once again, WSUS Administrators are expected to approve patches for these computers between 8am and 9:30am that morning. A notification will be sent to the Active Directory mailing list to remind OU Admins of the patch release. A notification to Sysnews will not be made.