SBS 2011 - VI. Group Policy, Service Packs, Additional Server Information

**Small Business Server 2011 - Build Document VI - Patching Service Packs and Updates, Group Policy, Additional Server Information**

**VI.  PATCHING, SERVICE PACKS AND UPDATES, GROUP POLICY, ADDITIONAL SERVER INFORMATION**

A.  PATCHING: SERVICE PACKS AND UPDATES

1.  General Suggestions for Patching

  1. Do not install any updates during the installation process. Read the rest of this section, then the section below on "Getting Current with Updates".
  2. Immediately after the installation is finished, make a backup. Test that you can restore from it.
  3. Do not apply patches the first day you see them. Let the bravest few have the pleasure of finding any issues on their lab systems before applying them to your production server. Watch the forums or Susan Bradley's blog for information.
  4. In the WSUS application or the SBS Console, be careful what you disallow by unchecking the categories. Review these settings and recommendations: http://blogs.technet.com/b/sbs/archive/2009/06/23/update-services-in-sbs-2008.aspx. To do otherwise can break the integration between WSUS and the Console.
  5. Apply current Service Packs and Rollups first, either the newest or the next to newest, before slogging through all the patches since the product was released. See below.
  6. WSUS does not offer any Exchange Service Packs.  You must seek them out and install them manually.  Some have suggested that Exchange Rollups should also be installed manually, but no verifiable cases are known where such have been problematic on otherwise stable SBS systems.
  7. After ANY patch that includes ANY update to SharePoint Foundation on your SBS Standard, you must run the psconfig command found in the link below. You can do this before or after you reboot the SBS. http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/thread/94c5f178-f020-4d0f-ba7c-11c415d0d862.
  8. Approve and install .NET patches one at a time, and only after a fresh backup between them. (Aside: Whenever possible, avoid installing .NET 4 on SBS 2003 or Windows XP.)
  9. Run this program at least weekly: Start - Administrative Tools - Windows Update Services - Tools - Server Cleanup Wizard. Run the first one, "delete unused updates", independent of the others.
  10. You can schedule the Server Cleanup Wizard with the aid of the tools found here: http://wsus.codeplex.com/releases/view/17612. You should experiment with the command line switches for this tool before implementing to familiarize yourself with its possibilities.
  11. Exchange 2010 SP1 is already preinstalled on the box, thus you'll only need update rollups or later service packs now.
  12. Windows Server 2008 R2 SP1 is final and released. Back up before applying this or any other service pack or updates in general.

2.   Getting Current with Updates 

(note:  we intend to keep this current, but as of April, 2013 the suggested order is as shown below)

a.  If not a migration, getting current is best done before putting the SBS into production, as this can be time consuming and there will be more to do after it becomes the center of your network.  If a migration, most of your post install tasks were done on the prior SBS so there will be time to get current after the migration is finished.

b.  Install SBS from downloaded or DVD media.

c.  Do at least one backup and at least one test restore.

e.  Install Server Readiness Tool - KB 947821

f.  Do Pre SP1 Checks and Updates.  http://technet.microsoft.com/en-us/library/ff817647(v=WS.10).aspx

g.  Run the SBS BPA and fix anything it finds.  http://support.microsoft.com/kb/2673284

h.  Install Server 2008 R2 SP1 – KB 976932 

i.  Then run the psconfig command as follows.  You can create a batch or command file to facilitate.

 cd /d "C:\Program Files\Common Files\Microsoft Shared\Web server extensions\12\BIN"
 **psconfig -cmd upgrade -inplace b2b -wait -force**

 j.  Install SBS Rollup 3 – KB 2729100 then run the psconfig command as above.

 k.  Install Your Choice of:

 Exchange SP2  http://www.microsoft.com/en-us/download/details.aspx?id=28190

 Or if you like to be on the cutting edge,  then:

Exchange SP3 http://www.microsoft.com/en-us/download/details.aspx?id=36768

 l.  Install any additional SharePoint Updates  and run psconfig command  http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/thread/94c5f178-f020-4d0f-ba7c-11c415d0d862.

 m.  Install remaining updates listed in Start - Administrative Tools - Windows Update Services

 n.  Install WSUS Update KB2734608 - Please read the documentation first.  http://support.microsoft.com/kb/2734608?wa=wsignin1.0

 o.  Revert to SBS Console for update maintenance.  If not already syncing, start a manual sync.

3.  Reclaim disk space after patching:

 a.  At least weekly, run the Server Cleanup Wizard tools found at Start – Administrative Tools – Windows Update Services – Tools.  Because this is very intense, run the top one, “delete unused updates”, by itself, then the others as a group.

You can automate this process with the code found here:  http://wsus.codeplex.com/releases/view/17612. Schedule the code as a task, perhaps on a day in the week when users are absent.  We strongly recommend you run the tool from the command line first and test the various switches to see how it works.  You may want to create two tasks to simulate running first the “delete unused updates”, then the other four.

b.  Give some time to make sure you want to keep the patches installed. After you patch the server, you can reclaim disk space taken up by the patches by issuing the following command from an Administrative Command Prompt:  
dism /online /cleanup-image /spsuperseded
 

This tip came from here. If you get an error "You cannot service a running 64-bit operating system with a 32-bit version of DISM." try this command instead: c:\windows\sysnative\DISM /online /cleanup-image /spsuperseded
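
The weekly cleanup described in A.1 (items 9 and 10) and in step 3.a comes down to running the wizard's first option alone and the other four together. The PowerShell script below is an added example, not part of the original page or the CodePlex tool; it calls the WSUS 3.0 administration API directly, and the script name `Wsus-Cleanup.ps1`, the `-Pass` parameter and the log path are assumptions.

```powershell
# Wsus-Cleanup.ps1 (hypothetical name) - added example, not from the original page.
# Two-pass WSUS cleanup; run elevated on the SBS/WSUS server itself.
#   -Pass 1 : "Unused updates and update revisions" by itself (the heavy step)
#   -Pass 2 : the other four Server Cleanup Wizard options as a group
param([ValidateSet(1, 2)][int]$Pass = 1,
      [string]$LogFile = 'C:\Logs\wsus-cleanup.log')   # hypothetical log path

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus    = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$manager = $wsus.GetCleanupManager()

# Set every flag explicitly so each pass does exactly what is listed here.
$scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
$heavy = ($Pass -eq 1)
$scope.CleanupObsoleteUpdates      = $heavy        # unused updates
$scope.CompressUpdates             = $heavy        # unused update revisions
$scope.CleanupObsoleteComputers    = -not $heavy   # computers not contacting the server
$scope.CleanupUnneededContentFiles = -not $heavy   # unneeded update files
$scope.DeclineExpiredUpdates       = -not $heavy   # expired updates
$scope.DeclineSupersededUpdates    = -not $heavy   # superseded updates

$started = Get-Date
try {
    $r   = $manager.PerformCleanup($scope)
    $fmt = '{0:s} pass={1} ok minutes={2:N1} unusedDeleted={3} compressed={4} ' +
           'computers={5} expired={6} superseded={7} freedMB={8:N0}'
    $line = $fmt -f $started, $Pass, ((Get-Date) - $started).TotalMinutes,
            $r.ObsoleteUpdatesDeleted, $r.UpdatesCompressed, $r.ObsoleteComputersDeleted,
            $r.ExpiredUpdatesDeclined, $r.SupersededUpdatesDeclined, ($r.DiskSpaceFreed / 1MB)
    $code = 0
} catch {
    # The heavy pass can fail or time out on a long-neglected server; record it and
    # return non-zero so the scheduled task's "Last Run Result" shows the failure.
    $line = '{0:s} pass={1} FAILED {2}' -f $started, $Pass, $_.Exception.Message
    $code = 1
}

$dir = Split-Path -Parent $LogFile
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
Add-Content -Path $LogFile -Value $line
Write-Output $line
exit $code
```

Run each pass once by hand before scheduling it, then create two weekly tasks, pass 1 first and pass 2 a few hours later, on a day when users are absent.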

**B.  USING GROUP POLICY**

  1. To view the event logs of Win7 or Vista workstations remotely, adjust the firewall rules and enable remote registry service.
  2. If you want to access the administrative shares of Vista/Win7 workstations, you'll need to edit the firewall as well.
  3. Tweak a GPO to allow SBS to talk to multiple subnets.
  4. Lock down a Windows 7 (kiosk) PC with Group Policy.
  5. Want access to redirected users' My Document folders?  Read this and follow the GPO change recommended at the bottom of the post.

**C.  ADDING ADDITIONAL SERVERS TO AN SBS 2011 NETWORK**

  1. Check this blog post for some great information on adding a Terminal Server to your SBS network.
    1. You can add a Second Server to the RWA using this Tool.
    2. This blog post outlines additional information when adding a 2012 RDS Server (Remote Desktop Server /Terminal Server) to an SBS 2011 network.
  2. Tweaking that additional Member server for security.
  3. Adding an additional Member server?  Check this out for a WMI filter you can use.
  4. Guidance to install SQL 2008 on your SBS server.

**D.  ANTIVIRUS HOWTO**

  1. If you use Trend Micro's products on your SBS networks, you need this guide (TM WFBS Advanced current version is 7.0 SP1)

 <in progress>
