Update Management in Windows Server 2012: Revealing Cluster-Aware Updating and the New Generation of WSUS

Erin ChapplePartner Group Program ManagerMicrosoft Corporation

Mallikarjun ChadalapakaSenior Program ManagerMicrosoft Corporation

WSV322

Session Overview

Updating continues to be an important investment area for Windows Server and our customersWindows Server 2012 contains several enhancements to Windows Server Update Services (WSUS)Increasing demand on server availabilityIntroduction of Cluster-Aware Updating (CAU) extends WSUS functionality to enable Zero Service interruption

Windows Server Update ServicesWhat’s new in Windows Server 2012

Most Deployed Update Solution in the World!

WSUS servers synching against Windows Update

Data based on Opt-in Option to WU/MU reporting

1+ Million

60+ Million

Double

Clients managed by WSUS

Adoption rate of WSUS 3.0 Service Pack 2 over previous release

What have we heard from customers?

Difficult to automate WSUS installation and configuration

Not delivered in-the-boxSeparate WSUS Setup UI (versus integration with Server Manager) Many steps manual, e.g. Running WSUS Cleanup

Desire for increased security between Windows Update and WSUS

What’s New with WSUSServer Manager Integration

WSUS now ships with Windows Server 2012 WSUS setup is fully integrated with the Server Manager UIInstallation options:

local machineremote machineto a VHD

What’s New with WSUSPowerShell Support

12 new cmdlets for common administration tasksSupported scenarios:

Getting the list of Product WSUS supportsSetting the updates for which WSUS should sync updatesRunning WSUS CleanupApproving Updates

Allows much simpler automation of basic WSUS tasks

What’s New with WSUSEnhanced Security

WSUS has been enhanced to verify files were not modified during download from WU using SHA256 hashesWindows 8 Windows Update Agent has been enhanced to use SHA256Windows 8 file signature verification has been enhanced to use SHA256 for Windows ComponentsOverall, system administrators can be more confident that updates are being delivered without tampering

demo

NameTitleMicrosoft Corporation

Installing and Managing WSUS using PowerShell

What is CAU?

Context, Introduction, Install & Update Types

CAU: Motivation & Introduction

#1 customer ask: Continuous Availability of clusters across Patch Tuesdays

Continuous Availability: survive planned moves or unplanned failures without errors, without losing data & while performing well at scale

CAU with Continuously Available workload Zero service impact, e.g.,

Hyper-V (Live Migration)File Server (Transparent Failover)

CAU is end-to-end cluster update orchestrationwithout impacting service availability

Positioning CAUWindows

Update (WU)

Windows

Windows Update Agent (WUA)

Windows Server Update Services (WSUS)

System Center

SCCM 2012

SCVMM 2012

SCO (Orchestrator) 2012

3rd Party

Other Vendor Solutions

Cluster-Aware Updating (CAU)

What is CAU?

Single-click launch of cluster-wide updating operation

Or a single PS cmdlet“Updating Run”Physical or VM clusters

CAU scans, downloads and installs applicable updates on each node

Restarts node as necessary One node at a timeRepeats for all cluster nodesCustomize pre-update & post-update behavior with PS scripts

Updating Run kick-off

Node n

Resuming & Failback

.

.

.

Node 1

Windows Server failover cluster

. . .

Windows Update or

WSUS

Draining the node

CAU

Apply updates on this cluster

CAU ≠ Reinventing Server Patching

Windows Update Agent

(WUA)

Windows Update/Microso

ft Update (WU/MU)

Windows Server Update

Services (WSUS)

Windows Installer

Component based Servicing APIs/CLIs….

Good News: None of these is changing with CAU!

CAU is about update orchestration across the cluster

Update types

Updates (GDRs) from Windows Update or WSUS

Hotfixes (QFEs) from a local File Share

Simple customization that installs almost any software update off a local File Share

**GDR = General Distribution Release**QFE = Quick Fix Engineering (nickname for hotfix)

Installing & Launching

Install clustering, and you are set for CAU!

Integration with Failover Clustering

FeatureToolsInstallation

Launch CAU GUI from Server Manager-Tools, or from Failover Cluster Manager

CAU Deep-diveAutomation, Modes, Self-updating, Hotfix internals

Cluster Update Automation with CAU

“Run Books” = IT process recipes

E.g. “Cluster Patching”

CAU is automation of your Cluster Updating Run Book

With CAU, clusters are easier to own, update and report on

Designed to leave the cluster with the same workload distribution as at the start

Cluster-Aware Updating GUI Cluster-Aware Updating

Windows PowerShell cmdlets

Cross-workflow coordination

business logic

Cluster workflow

s

Exception

workflows

. .

Node workflo

ws

“Update Coordinator” Failover

Cluster

Run options

Self-Updating Mode

Node 2Node 1

Node 4Node 3

CAU Update Coordinator

Failover Cluster

Requires no real-time user attention

CAU Update Coordinator process runs on a clustered node

Installs updates on a custom schedule

Cluster-in-a-box appliances (hint: branch office scenarios)

Self-Updating Internals

Adds CAU clustered roleJust like any other clustered workloadResilience to planned and unplanned failures

Not mutually exclusive with on-demand updating Analogy: Windows Update scan on your PC with AU auto-installBut possible conflicts with Updating Runs in progress

“Configured, but on hold” functionality

Compatible with VCO Prestaging**VCO= Virtual Computer Object

Remote-Updating Mode

CAU Update Coordinator

Node 2Node 1

Node 4Node 3

CAU Update Coordinator process remotely connects to the cluster

User-initiated Updating Run, allowing real time monitoring

Rich progress updates

Minimal Server Core (no .Net or PS dependency) on nodes

Failover Cluster

Which Mode When?

Self-Updating Remote-Updating

Try CAU & monitor what it does

Cannot afford real-time attention

Resilient Cluster updating

Branch office scenarios

Minimal Server Core without .Net or PS

Richer progress updates as Run happens

“Hotfix” Support Internals

Rich/extensible Hotfix installationMicrosoft QFEs, or third-party driver updates, or even Firmware/BIOS updates…

Select hotfix behavior at start. Two key inputs:1. Root Folder: on an SMB File Share2. Configuration xml file: defines the Rules

Configuration Rules are the key to flexibilityEasy to specify new Rules

hotfix installer name, install options, reboot behavior, return values etc.

Hotfixes & Security

Strict ACL Checking (Optional)

Kerberos Mutual Authentication (Required)

Data integrity checking (Required)

SMB Signing or SMB Encryption

Privacy with SMB Encryption (Optional)

SMB Encryption is new in Windows Server 2012

CAU Hotfix Root Folder

CAUHotfix_All

<Node Name1>

Hotfixes applicable to all nodes

Hotfixes applicable just to <Node Name1>

Extension Rules<MSU><MSI><MSP>

Folder Rules<MySwUpdateType>

Hotfix Config File

MySwUpdateType

Special software updates

demo

Mallikarjun ChadalapakaSenior Program Manager

Continuous Availability with CAU

CAU Demo SetupWindows Server 2012 File Server ClusterNode 1 Node 2

SMB CA Share

Cluster-Aware Updating

Database Server

SQL Databas

e

Demo ObjectiveSQL app should continue to operate on database stored on an SMB CA (Continuously Available) Share……

while we update the File Server cluster with CAU

Using & ExtendingRelating, Building on, and Extending, Deployment

CAU across deployments

Mid-market to Enterprise LOB applications

Hyper-V, File Server, Replication, DFS-N, SQL clusters

Impacts LOB SLAs, business-critical down time

Self-Updating &Remote-Updating

PS cmdlets

Private Clouds and Hosting scenarios

Hyper-V, File Server and SQL clusters

Impacts customer SLAs, significant business impact

Self-Updating &Remote-Updating

PS cmdlets & GUI

Branch-office and Small Business

Cluster-in-a-box (CiB) appliances

Long business disruption , with no local IT experts

Self-Updating

GUI

Failover clusters in a typical deployment

Downtime for updating cluster

CAU usage fit

CAU usage via

Perspectives

With CAU, I can:

•Update multiple clusters in parallel

•“Tap into” a Run in progress •Deliver on my SLAs with Josh!

Ted, Cluster administrator

Josh, LOB app owner

With CAU and CA workloads:

•No negotiation on planned downtime

•No updating-forced downtime•No complex contingency planning

Building on CAU cmdlets

Multi-cluster “Patch Tuesday” workflows

E2E data center provisioning workflows

Service Desk and other ITIL automation workflows

Cluster-Aware Updating (CAU) PS

cmdlets

Cmdlet Name What it does

Add-CauClusterRole

Adds the the self-updating functionality to a cluster (supports prestaging)

Invoke-CauRun

Set-CauClusterRole -UpdateNow

Installs the applicable updates on each cluster node (remote-updating only)

Installation (self-updating only)

Get-CauReportRetrieve the report for one or more updating runs

Export-CauReport

Export the report in html or csv formats, for one or more Updating Runs

Check out the PS cmdlet help reference for all other CAU cmdlets.

Extending CAU to work with your patch Solution “Plug-in” is functionality that can be added on

to shipping featureGet-CauPluginRegister-CauPluginUnregister-CauPlugin

Plug-in: looks for, downloads and installs a specific type of update (e.g. hotfix MSU)

Typically needs an installation tool (e.g. WUA)

CAU ships with two plug-insWindows Update: Installs GDRsHotfix: Installs QFEs and 3rd party updates

It is easy to add new Plug-ins to extend CAUPlug-in API: http://msdn.microsoft.com/en-us/library/hh418084(VS.85).aspx Plugin Sample: http://code.msdn.microsoft.com/windowsdesktop/Cluster-Aware-Updating-6a8854c9 How CAU Plug-ins work: http://technet.microsoft.com/en-us/library/jj134213

Windows Server 2012 computer

“Update Coordinat

or”Cluster-Aware Updating

(CAU) core

Cluster Node

WUA

Clustering

SMB CA File Server

CAU WMIv2 Provider

Cluster Node

WUA

Clustering

SMB CA File Server

CAU WMIv2 Provider

Cluster Node

WUA

Clustering

Clustered Role

CAU WMIv2 Provider

Windows Server 2012 Failover Cluster

Custom 3rd Party

tool

Windows Update Plug-in

Custom 3rd Party

Plug-inHotfix Plug-

in

CAU Plug-in API

Mix and match Plug-ins

One CAU plug-in one update “type” (GDR, Hotfix,…)

Why?Installing multiple types in one Run faster; fewer rebootsNew “RC” feature based on customer feedback

Examples:Invoke-CauScan -ClusterName CONTOSO-FC1 -CauPluginName Microsoft.WindowsUpdatePlugin, Microsoft.HotfixPlugin -CauPluginArguments @{}, @{ 'HotfixRootFolderPath' = '\\CauHotfixSrv\shareName'; 'HotfixConfigFilePath' = '\\CauHotfixSrv\shareName\DefaultHotfixConfig.xml' } -RunPluginsSerially -VerboseInvoke-CauRun -ClusterName CONTOSO-FC1 -CauPluginName Microsoft.WindowsUpdatePlugin, Microsoft.HotfixPlugin -CauPluginArguments @{ 'IncludeRecommendedUpdates' = 'True' }, @{ 'HotfixRootFolderPath' = '\\CauHotfixSrv\shareName'; 'HotfixConfigFilePath' = '\\CauHotfixSrv\shareName\DefaultHotfixConfig.xml' } -MaxRetriesPerNode 2 -StopOnPluginFailure –Force

Options: RunPluginsSerially, StopOnPluginFailure, SeparateReboots

Deployment Considerations - 1

CAU supports only Windows Server 2012 clustersCan be installed on Windows 8 Client RSAT package

Make CAU the only tool updating the cluster Concurrent updates by other tools: e.g., WSUS, WUA, SCCM might cause downtime

For a WSUS-based deployment:WSUS 4.0: needs a workaround with Beta builds (only) http://social.technet.microsoft.com/wiki/contents/articles/7891.how-wsus-and-cluster-aware-updating-are-affected-by-windows-server-8-beta-updates.aspx WSUS 3.0SP2 (on W2K8R2): not yet compatible with Windows Server 2012

Deployment Considerations - 2

System (not admin user) http proxy must be set-upCAU WMIv2 provider needs system http proxy for patch downloadsNetsh winhttp set proxy <proxy-IP>:<port> "<local>"

Nodes configured for remote management: "WINRM QUICKCONFIG -q" Default for servers

Think about firewalls on nodes!Windows Firewall Beta (or non-Windows firewall): create a firewall rule and enable it for domain-scope, wininit.exe program, dynamic RPC endpoints, TCP protocolWindows Firewall RC: Enable the "Remote Shutdown" firewall rule group for the Domain profile, or pass the “-EnableFirewallRules” parameter to Invoke-CauRun, Add-CauClusterRole or Set-CauClusterRole cmdletsMake sure GPOs agree

Cluster-Aware Updating: Summary

CAU ships in Windows Server 2012 – CAU previews, applies, and reports on updates for a cluster, through cluster-wide orchestration

Ships with a rich set of PS cmdlets and a powerful GUI.

Two modes of operation: Self-updating & Remote-updatingSelf-updating: offloading administrators comfortable with increased automation, and to enable branch-office scenarios; updating itself is resilientRemote-updating: targeted for traditional scenarios where closer administrator attention is preferred or warranted

Extensible Integrate with your patching tools with new plug-insUse for new scenarios with hotfix plug-inPer-node pre-update and post-update scripts

For More Information

CAU: Understand and Troubleshoot Guide: http://www.microsoft.com/download/en/details.aspx?id=29015

CAU Scenario Overview: http://technet.microsoft.com/en-us/library/hh831694.aspx

CAU Windows PowerShell cmdlets‘Update-Help’ downloads the full cmdlet help for CAU cmdletsOnline: http://go.microsoft.com/fwlink/p/?LinkId=237675

Starting with Cluster-Aware Updating: Self-Updating: http://blogs.technet.com/b/filecab/archive/2012/05/17/starting-with-cluster-aware-updating-self-updating.aspx

Related Content

Breakout Sessions (session codes and titles)

WSV328, The Path to Continuous Availability with Windows Server 2012WSV303 Windows Server 2012 High-Performance, Highly-Available Storage Using SMBWSV324 Building a Highly Available Failover Cluster Solution with Windows Server 2012 from the Ground UPHow to Increase SQL Availability and Performance Using Window Server 2012 SMB 3.0 SolutionsWSV310 Windows Server 2012: Cluster-in-a-Box, RDMA, and More WSV410 Continuously Available File Server: Under the Hood

SIA, WSV, and VIR Track Resources

Talk to our Experts at the TLC

#TE(sessioncode)

DOWNLOAD Windows Server 2012 Release Candidate

microsoft.com/windowsserverHands-On Labs

DOWNLOAD Windows Azure

Windowsazure.com/teched

Resources

Connect. Share. Discuss.

http://northamerica.msteched.com

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Resources for Developers

http://microsoft.com/msdn

Complete an evaluation on CommNet and enter to win!

MS Tag

Scan the Tagto evaluate thissession now onmyTechEd Mobile

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to

be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS

PRESENTATION.