Update Management in Windows Server 2012: Revealing Cluster-Aware Updating and the New Generation of WSUS
Erin Chapple, Partner Group Program Manager, Microsoft Corporation
Mallikarjun Chadalapaka, Senior Program Manager, Microsoft Corporation
WSV322
Session Overview
Updating continues to be an important investment area for Windows Server and our customers
Windows Server 2012 contains several enhancements to Windows Server Update Services (WSUS)
Increasing demand on server availability
Introduction of Cluster-Aware Updating (CAU) extends WSUS functionality to enable Zero Service interruption
Windows Server Update Services
What’s new in Windows Server 2012
Most Deployed Update Solution in the World!
1+ Million: WSUS servers synching against Windows Update
60+ Million: Clients managed by WSUS
Double: Adoption rate of WSUS 3.0 Service Pack 2 over previous release
Data based on Opt-in Option to WU/MU reporting
What have we heard from customers?
Difficult to automate WSUS installation and configuration
Not delivered in-the-box
Separate WSUS Setup UI (versus integration with Server Manager)
Many steps manual, e.g. Running WSUS Cleanup
Desire for increased security between Windows Update and WSUS
What’s New with WSUS
Server Manager Integration
WSUS now ships with Windows Server 2012
WSUS setup is fully integrated with the Server Manager UI
Installation options:
local machine
remote machine
to a VHD
What’s New with WSUS
PowerShell Support
12 new cmdlets for common administration tasks
Supported scenarios:
Getting the list of products WSUS supports
Setting the updates for which WSUS should sync updates
Running WSUS Cleanup
Approving Updates
Allows much simpler automation of basic WSUS tasks
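The scenarios listed above, sketched with the UpdateServices cmdlets as an added example (not code from the session or its demo). The content directory D:\WSUS and the computer target group 'Pilot Servers' are assumed names.

```powershell
# Added example: install WSUS and run the four listed scenarios from PowerShell.
# Assumed names: content directory D:\WSUS, target group 'Pilot Servers'.

# Install the role in-the-box, then run the post-install step.
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=D:\WSUS

Import-Module UpdateServices
$wsus = Get-WsusServer    # the local WSUS server

# 1. List the products WSUS supports.
Get-WsusProduct -UpdateServer $wsus |
    Select-Object -ExpandProperty Product |
    Sort-Object Title |
    Select-Object Title, Id

# 2. Enable synchronization for one product and two classifications.
Get-WsusProduct -UpdateServer $wsus |
    Where-Object { $_.Product.Title -eq 'Windows Server 2012' } |
    Set-WsusProduct
Get-WsusClassification -UpdateServer $wsus |
    Where-Object { $_.Classification.Title -in 'Critical Updates', 'Security Updates' } |
    Set-WsusClassification

# 3. Approve security updates that clients still need, for the pilot group only.
Get-WsusUpdate -UpdateServer $wsus -Classification Security `
        -Approval Unapproved -Status FailedOrNeeded |
    Approve-WsusUpdate -Action Install -TargetGroupName 'Pilot Servers'

# 4. Run WSUS Cleanup without opening the console.
Invoke-WsusServerCleanup -UpdateServer $wsus `
    -DeclineExpiredUpdates -DeclineSupersededUpdates `
    -CleanupObsoleteUpdates -CleanupUnneededContentFiles
```

Approving to a pilot group first keeps step 3 from pushing untested updates to every managed client in one pass.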
What’s New with WSUS
Enhanced Security
WSUS has been enhanced to verify files were not modified during download from WU using SHA256 hashes
Windows 8 Windows Update Agent has been enhanced to use SHA256
Windows 8 file signature verification has been enhanced to use SHA256 for Windows Components
Overall, system administrators can be more confident that updates are being delivered without tampering
demo
Installing and Managing WSUS using PowerShell
What is CAU?
Context, Introduction, Install & Update Types
CAU: Motivation & Introduction
#1 customer ask: Continuous Availability of clusters across Patch Tuesdays
Continuous Availability: survive planned moves or unplanned failures without errors, without losing data & while performing well at scale
CAU with Continuously Available workload: Zero service impact, e.g.,
Hyper-V (Live Migration)
File Server (Transparent Failover)
CAU is end-to-end cluster update orchestration without impacting service availability
Positioning CAU
Windows: Windows Update (WU), Windows Update Agent (WUA), Windows Server Update Services (WSUS)
System Center: SCCM 2012, SCVMM 2012, SCO (Orchestrator) 2012
3rd Party: Other Vendor Solutions
Cluster-Aware Updating (CAU)
What is CAU?
Single-click launch of cluster-wide updating operation
Or a single PS cmdlet
“Updating Run”
Physical or VM clusters
CAU scans, downloads and installs applicable updates on each node
Restarts node as necessary
One node at a time
Repeats for all cluster nodes
Customize pre-update & post-update behavior with PS scripts
[Diagram: Updating Run kick-off. CAU ("Apply updates on this cluster"); Windows Server failover cluster (Node 1 ... Node n); Windows Update or WSUS; Draining the node; Resuming & Failback]
CAU ≠ Reinventing Server Patching
Windows Update Agent (WUA)
Windows Update/Microsoft Update (WU/MU)
Windows Server Update Services (WSUS)
Windows Installer
Component based Servicing APIs/CLIs….
Good News: None of these is changing with CAU!
CAU is about update orchestration across the cluster
Update types
Updates (GDRs) from Windows Update or WSUS
Hotfixes (QFEs) from a local File Share
Simple customization that installs almost any software update off a local File Share
GDR = General Distribution Release
QFE = Quick Fix Engineering (nickname for hotfix)
Installing & Launching
Install clustering, and you are set for CAU!
Integration with Failover Clustering
Feature, Tools, Installation
Launch CAU GUI from Server Manager-Tools, or from Failover Cluster Manager
CAU Deep-dive
Automation, Modes, Self-updating, Hotfix internals
Cluster Update Automation with CAU
“Run Books” = IT process recipes
E.g. “Cluster Patching”
CAU is automation of your Cluster Updating Run Book
With CAU, clusters are easier to own, update and report on
Designed to leave the cluster with the same workload distribution as at the start
[Diagram: the “Update Coordinator”, driven by the Cluster-Aware Updating GUI or the Cluster-Aware Updating Windows PowerShell cmdlets with Run options; it contains cross-workflow coordination business logic, cluster workflows, node workflows and exception workflows, and acts on the Failover Cluster]
Self-Updating Mode
[Diagram: Failover Cluster (Node 1, Node 2, Node 3, Node 4) and the CAU Update Coordinator]
Requires no real-time user attention
CAU Update Coordinator process runs on a clustered node
Installs updates on a custom schedule
Cluster-in-a-box appliances (hint: branch office scenarios)
Self-Updating Internals
Adds CAU clustered role
Just like any other clustered workload
Resilience to planned and unplanned failures
Not mutually exclusive with on-demand updating
Analogy: Windows Update scan on your PC with AU auto-install
But possible conflicts with Updating Runs in progress
“Configured, but on hold” functionality
Compatible with VCO Prestaging
VCO = Virtual Computer Object
Remote-Updating Mode
[Diagram: CAU Update Coordinator and a Failover Cluster (Node 1, Node 2, Node 3, Node 4)]
CAU Update Coordinator process remotely connects to the cluster
User-initiated Updating Run, allowing real time monitoring
Rich progress updates
Minimal Server Core (no .Net or PS dependency) on nodes
Which Mode When?
Self-Updating:
Cannot afford real-time attention
Resilient Cluster updating
Branch office scenarios
Remote-Updating:
Try CAU & monitor what it does
Minimal Server Core without .Net or PS
Richer progress updates as Run happens
“Hotfix” Support Internals
Rich/extensible Hotfix installation
Microsoft QFEs, or third-party driver updates, or even Firmware/BIOS updates…
Select hotfix behavior at start. Two key inputs:
1. Root Folder: on an SMB File Share
2. Configuration xml file: defines the Rules
Configuration Rules are the key to flexibility
Easy to specify new Rules
hotfix installer name, install options, reboot behavior, return values etc.
Hotfixes & Security
Strict ACL Checking (Optional)
Kerberos Mutual Authentication (Required)
Data integrity checking (Required)
SMB Signing or SMB Encryption
Privacy with SMB Encryption (Optional)
SMB Encryption is new in Windows Server 2012
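A server-side audit of the hotfix share against the controls listed above, as an added example (not code from the session). The share name 'CauHotfixes' is hypothetical, and the list of principals allowed to write (local Administrators, SYSTEM, CREATOR OWNER, TrustedInstaller) is an assumption taken from Microsoft's CAU hotfix plug-in documentation, not from these slides.

```powershell
# Added example: run on the file server that hosts the CAU hotfix root folder.
function Test-CauHotfixShare {
    param([Parameter(Mandatory)][string]$ShareName)

    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop
    $smb   = Get-SmbServerConfiguration

    # Assumed allow-list: Administrators, SYSTEM, CREATOR OWNER, TrustedInstaller.
    $allowedSids = @(
        'S-1-5-32-544', 'S-1-5-18', 'S-1-3-0',
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    )

    # Rights that let a principal change or replace files under the root,
    # plus GENERIC_WRITE / GENERIC_ALL as they appear in inherit-only ACEs.
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = [int]$rights -bor 0x40000000 -bor 0x10000000

    # Resolve every ACE to a SID so the comparison is locale-independent.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules   = (Get-Acl -Path $share.Path).GetAccessRules($true, $true, $sidType)

    $unexpected = foreach ($rule in $rules) {
        $canWrite = ([int]$rule.FileSystemRights -band $writeMask) -ne 0
        if ($rule.AccessControlType -eq 'Allow' -and $canWrite -and
            $allowedSids -notcontains $rule.IdentityReference.Value) {
            [pscustomobject]@{
                Sid    = $rule.IdentityReference.Value
                Rights = $rule.FileSystemRights
            }
        }
    }

    [pscustomobject]@{
        Share             = $share.Name
        Path              = $share.Path
        ShareEncrypted    = [bool]$share.EncryptData
        ServerEncrypted   = [bool]$smb.EncryptData
        SigningRequired   = [bool]$smb.RequireSecuritySignature
        UnexpectedWriters = @($unexpected)
    }
}

Test-CauHotfixShare -ShareName 'CauHotfixes' | Format-List
```

Any entry under UnexpectedWriters is a principal that could swap an installer in the root folder before an Updating Run; if all three SMB flags are False, the server is not enforcing signing or encryption for this share.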
CAU Hotfix Root Folder
CAUHotfix_All: Hotfixes applicable to all nodes
<Node Name1>: Hotfixes applicable just to <Node Name1>
MySwUpdateType: Special software updates
Hotfix Config File
Extension Rules: <MSU> <MSI> <MSP>
Folder Rules: <MySwUpdateType>
demo
Mallikarjun Chadalapaka, Senior Program Manager
Continuous Availability with CAU
CAU Demo Setup
[Diagram: Windows Server 2012 File Server Cluster (Node 1, Node 2) with an SMB CA Share; Cluster-Aware Updating; Database Server; SQL Database]
Demo Objective
SQL app should continue to operate on database stored on an SMB CA (Continuously Available) Share while we update the File Server cluster with CAU
Using & Extending
Relating, Building on, and Extending, Deployment
CAU across deployments
Mid-market to Enterprise LOB applications
Failover clusters in a typical deployment: Hyper-V, File Server, Replication, DFS-N, SQL clusters
Downtime for updating cluster: Impacts LOB SLAs, business-critical down time
CAU usage fit: Self-Updating & Remote-Updating
CAU usage via: PS cmdlets
Private Clouds and Hosting scenarios
Failover clusters in a typical deployment: Hyper-V, File Server and SQL clusters
Downtime for updating cluster: Impacts customer SLAs, significant business impact
CAU usage fit: Self-Updating & Remote-Updating
CAU usage via: PS cmdlets & GUI
Branch-office and Small Business
Failover clusters in a typical deployment: Cluster-in-a-box (CiB) appliances
Downtime for updating cluster: Long business disruption, with no local IT experts
CAU usage fit: Self-Updating
CAU usage via: GUI
Perspectives
Ted, Cluster administrator
With CAU, I can:
• Update multiple clusters in parallel
• “Tap into” a Run in progress
• Deliver on my SLAs with Josh!
Josh, LOB app owner
With CAU and CA workloads:
• No negotiation on planned downtime
• No updating-forced downtime
• No complex contingency planning
Building on CAU cmdlets
Multi-cluster “Patch Tuesday” workflows
E2E data center provisioning workflows
Service Desk and other ITIL automation workflows
Cluster-Aware Updating (CAU) PS cmdlets
Cmdlet Name: What it does
Add-CauClusterRole: Adds the self-updating functionality to a cluster (supports prestaging)
Invoke-CauRun: Installs the applicable updates on each cluster node (remote-updating only)
Set-CauClusterRole -UpdateNow: Installation (self-updating only)
Get-CauReport: Retrieve the report for one or more updating runs
Export-CauReport: Export the report in html or csv formats, for one or more Updating Runs
Check out the PS cmdlet help reference for all other CAU cmdlets.
Extending CAU to work with your patch Solution
“Plug-in” is functionality that can be added on to shipping feature
Get-CauPlugin, Register-CauPlugin, Unregister-CauPlugin
Plug-in: looks for, downloads and installs a specific type of update (e.g. hotfix MSU)
Typically needs an installation tool (e.g. WUA)
CAU ships with two plug-ins
Windows Update: Installs GDRs
Hotfix: Installs QFEs and 3rd party updates
It is easy to add new Plug-ins to extend CAU
Plug-in API: http://msdn.microsoft.com/en-us/library/hh418084(VS.85).aspx
Plugin Sample: http://code.msdn.microsoft.com/windowsdesktop/Cluster-Aware-Updating-6a8854c9
How CAU Plug-ins work: http://technet.microsoft.com/en-us/library/jj134213
[Diagram: a Windows Server 2012 computer acting as “Update Coordinator” runs the Cluster-Aware Updating (CAU) core and the CAU Plug-in API, with the Windows Update Plug-in, the Hotfix Plug-in and a Custom 3rd Party Plug-in (using a Custom 3rd Party tool). In the Windows Server 2012 Failover Cluster, each Cluster Node runs WUA, Clustering and the CAU WMIv2 Provider, and hosts an SMB CA File Server or a Clustered Role]
Mix and match Plug-ins
One CAU plug-in, one update “type” (GDR, Hotfix,…)
Why?
Installing multiple types in one Run: faster; fewer reboots
New “RC” feature based on customer feedback
Examples:
Invoke-CauScan -ClusterName CONTOSO-FC1 `
    -CauPluginName Microsoft.WindowsUpdatePlugin, Microsoft.HotfixPlugin `
    -CauPluginArguments @{}, @{ 'HotfixRootFolderPath' = '\\CauHotfixSrv\shareName'; 'HotfixConfigFilePath' = '\\CauHotfixSrv\shareName\DefaultHotfixConfig.xml' } `
    -RunPluginsSerially -Verbose

Invoke-CauRun -ClusterName CONTOSO-FC1 `
    -CauPluginName Microsoft.WindowsUpdatePlugin, Microsoft.HotfixPlugin `
    -CauPluginArguments @{ 'IncludeRecommendedUpdates' = 'True' }, @{ 'HotfixRootFolderPath' = '\\CauHotfixSrv\shareName'; 'HotfixConfigFilePath' = '\\CauHotfixSrv\shareName\DefaultHotfixConfig.xml' } `
    -MaxRetriesPerNode 2 -StopOnPluginFailure -Force
Options: RunPluginsSerially, StopOnPluginFailure, SeparateReboots
Deployment Considerations - 1
CAU supports only Windows Server 2012 clusters
Can be installed on a Windows 8 client via the RSAT package
Make CAU the only tool updating the cluster
Concurrent updates by other tools (e.g., WSUS, WUA, SCCM) might cause downtime
For a WSUS-based deployment:
WSUS 4.0: needs a workaround with Beta builds (only) http://social.technet.microsoft.com/wiki/contents/articles/7891.how-wsus-and-cluster-aware-updating-are-affected-by-windows-server-8-beta-updates.aspx
WSUS 3.0 SP2 (on W2K8R2): not yet compatible with Windows Server 2012
Deployment Considerations - 2
System (not admin user) http proxy must be set up
CAU WMIv2 provider needs system http proxy for patch downloads
Netsh winhttp set proxy <proxy-IP>:<port> "<local>"
Nodes configured for remote management: "WINRM QUICKCONFIG -q"
Default for servers
Think about firewalls on nodes!
Windows Firewall Beta (or non-Windows firewall): create a firewall rule and enable it for domain-scope, wininit.exe program, dynamic RPC endpoints, TCP protocol
Windows Firewall RC: Enable the "Remote Shutdown" firewall rule group for the Domain profile, or pass the “-EnableFirewallRules” parameter to Invoke-CauRun, Add-CauClusterRole or Set-CauClusterRole cmdlets
Make sure GPOs agree
Cluster-Aware Updating: Summary
CAU ships in Windows Server 2012 – CAU previews, applies, and reports on updates for a cluster, through cluster-wide orchestration
Ships with a rich set of PS cmdlets and a powerful GUI.
Two modes of operation: Self-updating & Remote-updating
Self-updating: offloading administrators comfortable with increased automation, and to enable branch-office scenarios; updating itself is resilient
Remote-updating: targeted for traditional scenarios where closer administrator attention is preferred or warranted
Extensible
Integrate with your patching tools with new plug-ins
Use for new scenarios with hotfix plug-in
Per-node pre-update and post-update scripts
For More Information
CAU: Understand and Troubleshoot Guide: http://www.microsoft.com/download/en/details.aspx?id=29015
CAU Scenario Overview: http://technet.microsoft.com/en-us/library/hh831694.aspx
CAU Windows PowerShell cmdlets
‘Update-Help’ downloads the full cmdlet help for CAU cmdlets
Online: http://go.microsoft.com/fwlink/p/?LinkId=237675
Starting with Cluster-Aware Updating: Self-Updating: http://blogs.technet.com/b/filecab/archive/2012/05/17/starting-with-cluster-aware-updating-self-updating.aspx
Related Content
Breakout Sessions (session codes and titles)
WSV328, The Path to Continuous Availability with Windows Server 2012
WSV303 Windows Server 2012 High-Performance, Highly-Available Storage Using SMB
WSV324 Building a Highly Available Failover Cluster Solution with Windows Server 2012 from the Ground Up
How to Increase SQL Availability and Performance Using Windows Server 2012 SMB 3.0 Solutions
WSV310 Windows Server 2012: Cluster-in-a-Box, RDMA, and More
WSV410 Continuously Available File Server: Under the Hood
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to
be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS
PRESENTATION.