Windows Patch Management, Software Update Services (Part 2) Page 2
For larger environments, consider setting up the SUS servers distributing patches to clients in a Network Load Balancing (NLB) cluster. NLB is a component included in the Windows 2000 Advanced Server and Datacenter Editions as well as all versions of Windows 2003 Server. The basic purpose of NLB clustering is to provide redundancy and load balancing by presenting a group of servers as a single logical unit. This is done by distributing incoming network traffic across all members of NLB cluster and assigning each with parameters that determine which node should process next network packet (for additional information on NLB solutions, refer to this overview of Windows Clustering Technologies found on the Microsoft Web site). An NLB cluster is represented to client computers by a single IP address, and clients requests for patch downloads are transparently load balanced to them across all members.
This provides several benefits. First, since clients are configured with the name of the NLB cluster, rather than with an individual server name, as long as at least one member of the cluster remains operational critical updates are delivered. This means you can shut down any of the cluster members servers for maintenance or emergencies without affecting the overall functionality. It also means you can add another server to the cluster without reconfiguring clients, since the servers always point to a single virtual IP address assigned to the cluster. In the NLB cluster-based SUS scenario, you would typically set up a single source of updates for each cluster member (this can be a parent SUS server pulling patches directly from Microsoft Windows Update Web site or a manually configured distribution point).
The Future of SUS
Instead of releasing the next version of SUS (initially planned as SUS 2.0), Microsoft decided to rebrand its product Windows Update Services (creating a rather tough-to-promote acronym). WUS is scheduled to enter an open evaluation program later this year, and you can participate in it by registering at the WUS web site. The Web site offers some preliminary information on the functionality of the current beta version, as well as an indication of changes to be introduced before final release.
In short, the new incarnation of the product will feature several important improvements, including the following:
- Updates for additional products (besides Windows operating systems) such as MS Office XP and 2003, MSDE 2000, SQL 2000, Exchange 2003 Server, and critical driver updates.
- Extended management capabilities that allow missing identifying patches and the systems to which these patches must be applied. Control over the managed environment will be more granular, providing the ability to create deployment groups to be targeted by specific patches, modify client update frequency, and set the dates by which the update should be completed (this effectively enforces installation by that date, preceded by a notification about the impending reboot to a logged on user). It will also be possible to rollback patches. On the client side, the number of reboots will be minimized by eliminating them altogether (for patches that do not require them) or by linking the installation of multiple patches into one, followed by a single reboot. On Windows XP SP2 systems, Microsoft will offer to defer reboots to the next regular, user-initiated shutdown. Centralized management of the SUS server hierarchy is possible by enabling or disabling inheritance of configuration settings by child servers from their parents.
- More comprehensive and administration-friendly reporting capabilities, including inventorying missing updates across groups of computers, with detailed information about operations involving clients (downloads and installations) or downstream servers (in more complex SUS hierarchies). You then have the option of creating reports for the entire hierarchy of SUS servers, since the statistics will be propagated from child servers to their parents. It will also be possible to load reporting data into SQL Server (or MSDE) for simplified retrieval and more robust storage.
- Optimized utilization of network bandwidth based on Background Intelligent Transfer Service (BITS) and Windows Installer technologies. This makes it possible for interrupted downloads to be continued after connectivity is re-established (rather than starting it from the beginning), use only the available portion of the bandwidth to prevent a negative impact on other network applications, and reduce the size of downloads with delta updates and improved compression. In addition, you will be able to selectively download only those updates that are of interest or even a list of updates only (to select the ones which should be copied by your clients directly from the Microsoft Update Web servers). This was not possible with previous versions of SUS, which required the download of the full collection of patches for the language versions selected, regardless of how many were approved for further deployment.
- Increased security uses encrypted inter-server and client-server communication and offers the ability to validate the identity of the parent SUS server.
This completes our review of the Microsoft Software Update Services. The next article in our series will look at Microsoft's enterprise-class solution for patch management: SUS Feature Pack for Systems Management Server 2.0 and Systems Management Server 2003.