Dynamic Collections & Server Patching 

In each environment depending on your size you will use different collection types. I will be addressing here the issue of how to build good dynamic Collections for your monthly deployment of System and Security Patches.

I saw many people using Static collection adding Servers by name to a certain collection and making groups to split their environment.

While this is manageable when servers are in a certain lower number, it still requires a lot of up-time, manual work to always maintain groups in order, balance and make sure no 2 servers from same pool/type (example: DC01 and DC02) reboot at same time causing you to loose your redundancy.

Steps to get full Dynamic Update Collections for your Server Patching Process:

1) Create a base Limiting collection.

Server - Limiting Collection

Server – Limiting Collection

Show Query Language:

SELECTSMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.ClientFROM SMS_R_System WHERE SMS_R_System.OperatingSystemNameandVersion LIKE “%Server%”

http://pastebin.com/i6EfGq6L#

2) Create your Folder Tree for Patching.

It is always good practice to keep track of your new environments, this can be easily done if you make a folder tree structure and organize your collections in there.

Folder Structure

Folder Structure

3) Make Dynamic Patching Groups.

Now this is where you will need to be extra careful. What servers go and where ?

I decided to split everything into 5 Patching Groups with 2 Subgroups each.

Patching Groups:

  • Pilot_Patching
    • This is the first Week, on Patch Tuesday when updates are coming from Microsoft.
    • Group made specially for Testing all new security and system updates that are released each month.
    • For obvious reasons this is the only collection that is Static and uses select customers Servers.
  • Patching_Group_1
    • 2nd Week after Microsoft’s Patch Tuesday release.
    • Dynamic Group with Servers. Target on Limiting Collection that you created at Step 1.
    • Here is how i created the Splitting for this group (Used all even GUID to make sure the servers are most random they can be and we do not have DC01 and DC02 in same group)
    • Name Query Target Show Query Language
      Domain Controllers Ending in 2,4,5,9 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (SMS_R_System.NetbiosName like “%4”) and SMS_R_System.ResourceId in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      DFS Ending in 4 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (SMS_R_System.NetbiosName like “%4”) and SMS_R_System.ResourceId in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      File Servers Ending in 1,2,4,6 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (    SMS_R_System.NetbiosName like “%1” or  SMS_R_System.NetbiosName like “%2” or   SMS_R_System.NetbiosName like “%4” or  SMS_R_System.NetbiosName like “%6”   )and SMS_R_System.ResourceId in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      Windows Terminal Servers Ending in 0,2, 4 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (  SMS_R_System.NetbiosName like “%2” or  SMS_R_System.NetbiosName like “%4”  ) and SMS_R_System.ResourceId in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      GUID Ending in 1,2, A,B select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where   (SMS_R_System.SMSUniqueIdentifier like “%1” or SMS_R_System.SMSUniqueIdentifier like “%2” or SMS_R_System.SMSUniqueIdentifier like “%A” or SMS_R_System.SMSUniqueIdentifier like “%B”) and SMS_R_System.ResourceId not in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      • Where XXX is your Limiting Collection for that specific group (DC/DFS…etc).
      • This collection is split into 2 subgroups Group_1_a and Group_1_b for different deadline on the Maintenance Window. This plus Deadline Randomization makes sure that all servers will reboot at different times so that your DataCenter will not plunge into chaos when 1000 Servers start to reboot at the same time.
  • Patching_Group_2
    • 3rd Week after Microsoft’s Patch Tuesday release.
    • Dynamic Group with Servers. Target on Limiting Collection that you created at Step 1
    • Name Query Target Show Query Language
      Domain Controllers Ending in 1 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (SMS_R_System.NetbiosName like “%1”) and SMS_R_System.ResourceId in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      DFS Ending in 1,3,5 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (  SMS_R_System.NetbiosName like “%1” or   SMS_R_System.NetbiosName like “%3” or SMS_R_System.NetbiosName like “%5”) and SMS_R_System.ResourceId in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      File Servers Ending in 3,5 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (SMS_R_System.NetbiosName like “%3” or SMS_R_System.NetbiosName like “%5”) and SMS_R_System.ResourceId in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      Windows Terminal Servers Ending in 3,5 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (SMS_R_System.NetbiosName like “%3” or SMS_R_System.NetbiosName like “%5”) and SMS_R_System.ResourceId in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      GUID Ending in 3,C, 4,D select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (SMS_R_System.SMSUniqueIdentifier like “%3” or SMS_R_System.SMSUniqueIdentifier like “%4” or SMS_R_System.SMSUniqueIdentifier like “%C” or SMS_R_System.SMSUniqueIdentifier like “%D”) and SMS_R_System.ResourceId not in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      • Where XXX is your Limiting Collection for that specific group (DC/DFS…etc).
      • This collection is split into 2 subgroups Group_2_a and Group_2_b for different deadline on the Maintenance Window. This plus Deadline Randomization makes sure that all servers will reboot at different times so that your DataCenter will not plunge into chaos when 1000 Servers start to reboot at the same time.
  • Patching_Group_3
    • 4th Week after Microsoft’s Patch Tuesday release.
    • Dynamic Group with Servers. Target on Limiting Collection that you created at Step 1
    • Name Query Target Show Query Language
      Domain Controllers Ending in 4,6,8 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (  SMS_R_System.NetbiosName like “%6” or  SMS_R_System.NetbiosName like “%8″or  SMS_R_System.NetbiosName like “%4”) and SMS_R_System.ResourceId in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      DFS Ending in 0,2,6,8 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (    SMS_R_System.NetbiosName like “%0” or  SMS_R_System.NetbiosName like “%2” or  SMS_R_System.NetbiosName like “%6” or  SMS_R_System.NetbiosName like “%8”) and SMS_R_System.ResourceId in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      File Servers Ending in 0,8 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (  SMS_R_System.NetbiosName like “%0” or  SMS_R_System.NetbiosName like “%8”  ) and SMS_R_System.ResourceId in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      Windows Terminal Servers Ending in 1,6,8 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (  SMS_R_System.NetbiosName like “%1” or  SMS_R_System.NetbiosName like “%6” or  SMS_R_System.NetbiosName like “%8”  ) and SMS_R_System.ResourceId in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      GUID Ending in 5,E,6,F select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (  SMS_R_System.SMSUniqueIdentifier like “%5” or SMS_R_System.SMSUniqueIdentifier like “%6” or SMS_R_System.SMSUniqueIdentifier like “%E” or SMS_R_System.SMSUniqueIdentifier like “%F”) and SMS_R_System.ResourceId not in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘xxx’)
      • Where XXX is your Limiting Collection for that specific group (DC/DFS…etc).
      • This collection is split into 2 subgroups Group_3_a and Group_3_b for different deadline on the Maintenance Window. This plus Deadline Randomization makes sure that all servers will reboot at different times so that your DataCenter will not plunge into chaos when 1000 Servers start to reboot at the same time.
  • Patching_Group_4
    • 1st Week after Microsoft’s Patch Tuesday release.
    • Dynamic Group with Servers. Target on Limiting Collection that you created at Step 1
    • Name Query Target Show Query Language
      Domain Controllers Ending in 0,3,7 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (  SMS_R_System.NetbiosName like “%0” or   SMS_R_System.NetbiosName like “%3” or  SMS_R_System.NetbiosName like “%7” or  SMS_R_System.NetbiosName like “%9”) and SMS_R_System.ResourceId in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      DFS Ending in 7, 9 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (SMS_R_System.NetbiosName like “%7” or  SMS_R_System.NetbiosName like “%9”) and SMS_R_System.ResourceId in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      File Servers Ending in 7, 9 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (SMS_R_System.NetbiosName like “%7” or  SMS_R_System.NetbiosName like “%9”) and SMS_R_System.ResourceId in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      Windows Terminal Servers Ending in 0,7, 9 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (  SMS_R_System.NetbiosName like “%0” or  SMS_R_System.NetbiosName like “%7” or  SMS_R_System.NetbiosName like “%9”) and SMS_R_System.ResourceId in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      GUID Ending in 0,7,8,9 select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where (  SMS_R_System.SMSUniqueIdentifier like “%0” or SMS_R_System.SMSUniqueIdentifier like “%7” or SMS_R_System.SMSUniqueIdentifier like “%8” or SMS_R_System.SMSUniqueIdentifier like “%9”) and SMS_R_System.ResourceId not in (select ResourceID from SMS_FullCollectionMembership where collectionid = ‘XXX’)
      • Where XXX is your Limiting Collection for that specific group (DC/DFS…etc).
      • This collection is split into 2 subgroups Group_4_a and Group_4_b for different deadline on the Maintenance Window. This plus Deadline Randomization makes sure that all servers will reboot at different times so that your DataCenter will not plunge into chaos when 1000 Servers start to reboot at the same time.

NOTE:

  • There will be increased numbers of Servers with 1 and 2 at the end then with 8 or 9. That is why these groups have been split as much as possible to have a certain balance.
  • Target on Limiting Collection that you created at Step; this will make your groups auto-complete with each new server added to the infrastructure, making your work a lot easier and also being sure that all servers receive patching.
  • Pilot and Patching_Group_4 will be same week sometimes but take into account that Pilot will get the new months updates, while Patching_Group_4 will get the last month updates.

Additional Collections for Patching.

It is absolutely necessary to have additional collections for Servers that should be Excluded from Patching and also Servers that want a Available regime (meaning they want to install patches manually, but still have the updates in Software Center).

These collection are static and should be filled according to your needs and requests.

Follow on Feedly