We are a fairly large company with about 1400 servers we are currently patching. Patching is becoming more difficult because of the size and number of patches that are now being pushed out. We are still able to patch by times. During a production cycle, we kick off a baseline every 15 minutes to a group of 50 or fewer servers, with 50 or fewer patches in each baseline.
The “50” in the groups came from a previous admin, back at the 7.x version of the software; it was dictated by a training session he attended, where the instructor suggested no more than 50 servers in a group.
My question is: is this still a “Best Practice,” to have only 50 servers in a group? We are trying to figure out ways to cram more patches into a small window. We currently do Dev the week the patches are released, Prod the next week, then Prod SQL the week after. We have multiple other systems that are being squeezed in between those weeks for .NET and application patching.
It depends what you mean by “groups.” Are these automatic groups, manual groups, or just sets of computers that you are targeting by name?
Generally, we would recommend using maintenance window settings set on each computer, and then targeting a baseline at all computers (or all computers of the same OS). You would set the maintenance window property as a constraint and enable pre-caching. Then each server will kick off the action when its maintenance window is reached, and will have the downloads already available, so it can spend the maintenance window on actually installing.
Our groups are manual. For example, our groups are organized by the time they are patched: the 2AM group (contains 50 servers), the 2:15 group (contains 48 servers), etc. The baseline is applied to each of the groups at its specific time.
So what is the number of servers in manual groups that IBM would recommend? i.e., 200 servers in a group, and we apply a baseline to the group and let it kick off.
We have 15 primary auto groups based on a “Win_Patch_Group” custom property with roughly 400-700 servers in each. One group is actually over 1100 servers. The baselines are tailored to each group, as they are grouped by server roles.
The maintenance window method is interesting. Gonna look into that.
The majority of our servers reside on our Isilon or FalconStor volumes in our data center (about 700 virtual servers). When you push out your patches, I assume you are using the stagger option in the action?
We have 5 hours to patch 900ish servers. Currently we do 50 every 15 minutes to spread the workload out. If I could bump it up to 400 an hour, that would be beneficial.
Check out the Maintenance Window Dashboard to get started with maintenance windows. This is what I would encourage you to use versus trying to manage a lot of manual groups.
There isn’t really a size limit to manual groups, so you could certainly go larger than 50 per group, they just tend to be a lot of work to maintain since it all has to be done manually (thus the name). If you are deploying the same baseline to each manual group, then it is quite inefficient vs using maintenance windows which would allow you to deploy the baseline once to all computers with a start/end time matching your 5 hour window and a ‘Run only when’ constraint for ‘In Maintenance Window’ = True.