How should I deploy UpdateEXPERT in a large environment?

What is Large?

A large environment is typically 1000+ machines in one or more domains. A large environment often requires more than one "patch administrator," i.e., delegated responsibility. If different administrators will manage different domains, they can each have their own instance (Master-Agent) of UpdateEXPERT, or they can share a central instance of UpdateEXPERT (one Master-Agent) and each have their own "Console" (GUI). See the following articles:

In addition to a large machine count and dispersed networks, large environments often need Leaf-Agents for secured environments, well-placed secondary Master-Agents for machines accessed over a slow link, and packaged-updates for isolated networks. Because isolated networks have no internet access, you need another way to keep UpdateEXPERT up-to-date with new database information. See the following articles:

Scope Control

If you are new to UpdateEXPERT, it may be best to focus on a specific machine set, i.e., a domain, while you get familiar with the product, and then expand your use.

Initial deployment in a large environment is the most challenging stage of UpdateEXPERT usage in many ways. This is when you discover the "actual" service-pack and patch status of the machines in your network, discover machines that are off, discover admin account issues, and discover machines with disabled "Services". The good news is you end up learning a lot about your network as you resolve the issues and get machines up to current service-pack and patch levels. You end up feeling in control of your network, not the other way around!

Using Subnets

Using MLF files, it is possible to identify subnet address ranges and import them into UpdateEXPERT as a "domain". Note that currently, UpdateEXPERT does not validate the subnet address. Querying will run a little slower because of slow TCP/IP timeouts on non-existent machines. If you have a utility that will scan your network for valid addresses, you can improve the accuracy of your MLF file.

Initial Querying

After installing an instance of UpdateEXPERT, establishing internet connectivity, and updating to the most current UpdateEXPERT database from St. Bernard Software, you'll want to enumerate and query some or all of your network. If you have a large network, you may want to limit your querying to a specific domain or domains at first. You WILL have querying issues for a variety of reasons. A red icon for a machine typically means it is down or rebooting. Yellow usually indicates a remote access problem to the target machine. For specifics on why target machines won't query, see:

Profiling

Following initial querying, it is valuable to "profile" your network machines. Typically, profiles are set up to group NT, Win2K, and XP targets by OS and Service-Pack level. This allows easy identification of machines that are not up to the current service-pack level for their respective OS. For example, less than SP6 for NT machines is "not current," less than SP4 for Win2K is "not current," and less than SP1 for XP is "not current."

Visually grouping machines by OS/SP-level is extremely helpful. You can rapidly make decisions about which machines to target for service-pack deployment. Deploying service-packs puts a heavy load on your network and typically requires hundreds of megabytes of "free space" on the target for file transfer and temporary workspace while the service-pack runs.

To fully understand what will happen when you select many machines and deploy a service-pack or individual patches, see the following articles:

Using Groups

It may be useful to identify and group Servers running IIS, Exchange, SQL, or ISA. Also, patch deployment to clustered servers should be handled with care. See this article if you have clustered servers in your network.

Patch Deployment Errors

When querying, there can be issues with the target that are not readily apparent from the generic "access is denied" message typically shown. That is why we have the "Why does my Query Fail?" article. On the other hand, when deploying patches, specific error messages will be shown in the deployment status window, often with an error number. See "TroubleShooting Quick Reference" for these messages.

Once you get large numbers of machines up to the current service-pack level, you'll find it easy to deploy smaller patches to larger numbers of machines on an ongoing basis.

When the OSes are done

Also, once the OS is "current" you can turn your attention to other products that are server or client oriented, or both. Most people concentrate on patching server-side software first.

Server-Oriented

Client-Oriented

For a complete up-to-date listing of supported platforms and applications, see "UpdateEXPERT Supported Patches" on our web site.