
Group:  English: Windows Server » microsoft.public.windows.server.update_services
Thread: WSUS 3 "rebooting" servers without ask...


WSUS 3 "rebooting" servers without ask...
"KayZer sOZE" <KS[ at ]THESUSPECTS.COM> 12/12/2008 3:50:29 PM

I have several Win2003 R2 SP2 servers rebooting without warning.

The owners of the applications use the server daily via RDP
(TS, and APP Servers running "home-made" apps)

The user does NOT click to restart, but even clicking in the "restart
later", the computer reboots and the "WindowsUpdate.log" shows

==================================================
948 17b4 CltUI AU client reboot notification: user clicked Restart Later
774 AU WARNING: Initiating reboot since no user logged on
774 AU AU invoking RebootSystem (OnRebootNow)
774 Misc WARNING: SUS Client is rebooting system.
774 AU AU invoking RebootSystem (OnRebootRetry)
==================================================


Why? Can I avoid this? Sometimes a server with pending patch must be online
for months... without interruptions and users need to connect via RDP make
some maintenance and Logoff but without "trigger" a "restart"





Re: WSUS 3 "rebooting" servers without ask...
"Lawrence Garvin (MVP)" <lawrence[ at ]news.postalias> 12/12/2008 9:26:12 PM
"KayZer sOZE" <KS[ at ]THESUSPECTS.COM> wrote in message
news:OQCqeFHXJHA.5084[ at ]TK2MSFTNGP03.phx.gbl...

> I have several Win2003 R2 SP2 servers rebooting without warning.

You've answered your own question in the log entries you cited:

> 774 AU WARNING: Initiating reboot since no user logged on


> Why? Can I avoid this? Sometimes a server with pending patch must be online
> for months... without interruptions and users need to connect via RDP make
> some maintenance and Logoff but without "trigger" a "restart"

Then you need to rethink your patching strategy and procedures.

My suggestion is to not install patches to a machine until it's in a
position to reboot.

Installing patches and not rebooting is the same thing as not installing
patches at all.

Why invest the unnecessary effort in pretending to secure an
insecure/vulnerable server, if it's not really happening anyway?

Furthermore, if you have servers with a requirement to "be online for
months.. without interruptions", then it follows that these servers ought to
be in server FARMS, with clustering or NLB implemented. To wit, it then
becomes a non-issue that one node of such an environment is rebooted once a
month while the other node(s) remain online.

If you don't have clustering or NLB implemented, then the idea that the
servers "...must be online for months .. without interruptions.." is just a
fantasy, and the only reason it's still not been burst is because you've
been Very Lucky.


--
Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
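
Added example (not part of the original thread or of any poster's message): the log reading described in the reply above, as a small Python scan that pairs a "Restart Later" click with the later "no user logged on" reboot. It assumes the tab-separated date, time, PID, TID, component, text layout of WindowsUpdate.log; the timestamps and the thread id 0a10 in the sample are constructed.

```python
import re

# Constructed sample: the five messages quoted in the thread, with date/time
# columns and the thread id 0a10 invented for this example (assumed layout).
SAMPLE_LOG = "\n".join([
    "2008-12-12\t09:14:02:118\t 948\t17b4\tCltUI\tAU client reboot notification: user clicked Restart Later",
    "2008-12-12\t09:31:47:502\t 774\t0a10\tAU\tWARNING: Initiating reboot since no user logged on",
    "2008-12-12\t09:31:47:518\t 774\t0a10\tAU\tAU invoking RebootSystem (OnRebootNow)",
    "2008-12-12\t09:31:47:611\t 774\t0a10\tMisc\tWARNING: SUS Client is rebooting system.",
    "2008-12-12\t09:31:52:640\t 774\t0a10\tAU\tAU invoking RebootSystem (OnRebootRetry)",
])

# Columns: date, time, PID, TID, component, message text
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})\t([\d:]+)\t\s*(\w+)\t(\w+)\t(\w+)\t(.*)$")
CALL = re.compile(r"invoking RebootSystem \((\w+)\)")


def find_au_reboots(log_text):
    """Return one dict per reboot that the Automatic Updates client started."""
    findings, deferred_at, current = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank, wrapped or otherwise unparseable line
        date, time, _pid, _tid, component, text = m.groups()
        stamp = f"{date} {time[:8]}"  # drop the millisecond field
        if component == "CltUI" and "user clicked Restart Later" in text:
            deferred_at = stamp  # a logged-on user postponed the restart
        elif component == "AU" and "Initiating reboot since no user logged on" in text:
            # The postponement only lasts while someone is logged on.
            current = {"reboot_at": stamp, "reason": "no user logged on",
                       "deferred_at": deferred_at, "calls": []}
            findings.append(current)
            deferred_at = None
        elif current is not None:
            call = CALL.search(text)
            if call:
                current["calls"].append(call.group(1))
    return findings


if __name__ == "__main__":
    for f in find_au_reboots(SAMPLE_LOG):
        print(f"{f['reboot_at']}: AU reboot ({f['reason']}); "
              f"Restart Later clicked at {f['deferred_at']}; calls={f['calls']}")
```

A finding with a non-empty `deferred_at` is the case from the original post: the restart was postponed in a session, then carried out by the client once nobody was logged on.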

Re: WSUS 3 "rebooting" servers without ask...
DaveMills <DaveMills[ at ]newsgroup.nospam> 12/13/2008 1:40:38 AM
Please do not post multiple times to different groups. Cross post instead. This
way everyone can see that you have already posted to the other group and not
waste their time forwarding your posts.

On Fri, 12 Dec 2008 13:50:29 -0200, "KayZer sOZE" <KS[ at ]THESUSPECTS.COM> wrote:

>
>I have several Win2003 R2 SP2 servers rebooting without warning.
>
>The owners of the applications use the server daily via RDP
>(TS, and APP Servers running "home-made" apps)
>
>The user does NOT click to restart, but even clicking in the "restart
>later", the computer reboots and the "WindowsUpdate.log" shows
>
>==================================================
>948 17b4 CltUI AU client reboot notification: user clicked Restart Later
>774 AU WARNING: Initiating reboot since no user logged on
>774 AU AU invoking RebootSystem (OnRebootNow)
>774 Misc WARNING: SUS Client is rebooting system.
>774 AU AU invoking RebootSystem (OnRebootRetry)
>==================================================
>
>
>Why? Can I avoid this? Sometimes a server with pending patch must be online
>for months... without interruptions and users need to connect via RDP make
>some maintenance and Logoff but without "trigger" a "restart"
>
>
>
>
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.

Re: WSUS 3 "rebooting" servers without ask...
"Hank Arnold (MVP)" <rasilon[ at ]aol.com> 12/14/2008 12:25:38 PM
Lawrence Garvin (MVP) wrote:
>
> Installing patches and not rebooting is the same thing as not installing
> patches at all.
>

It's worse. By installing a patch and not rebooting, you are leaving the
server in a potentially unstable environment.

I agree, never install an update (one that requires a reboot) without
rebooting the server...

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services

Re: WSUS 3 "rebooting" servers without ask...
"Lawrence Garvin (MVP)" <lawrence[ at ]news.postalias> 12/14/2008 4:26:03 PM
"Hank Arnold (MVP)" <rasilon[ at ]aol.com> wrote in message
news:OQMIVceXJHA.1532[ at ]TK2MSFTNGP03.phx.gbl...

> Lawrence Garvin (MVP) wrote:
>>
>> Installing patches and not rebooting is the same thing as not installing
>> patches at all.

> It's worse. By installing a patch and not rebooting, you are leaving the
> server in a potentially unstable environment.

While I don't disagree, it's a controversial discussion (the keyword being
"potentially"), and lately I've been opting to avoid that particular
discussion unless specifically germane. It's much simpler, and less
controversial, to simply point out the machine still contains the (security)
vulnerabilities, than it is to potentially get into a discussion over
whether the machine is additionally unstable, or not.

In this case, it was just as functional to take the higher road and point
out the machines were simply not being updated at all, because of the "up
for months without a reboot" SLA. :-)

And, even more significantly, the fantasy that such an SLA was sustainable
without NLB or clustering -- and if NLB or clustering existed, then the
"reason" was void on the surface, since rebooting one node of a NLB or
cluster farm would have zero visibility to the service consumers.


--
Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My Websites: http://www.onsitechsolutions.com;
http://wsusinfo.onsitechsolutions.com
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

Re: WSUS 3 "rebooting" servers without ask...
<augusto.alvarez82[ at ]gmail.com> 12/14/2008 11:03:29 PM
I've learned a lot from these guys (Lawrence and Hank, as well as many
others) participating on these forums over the last months, and I have to
agree in several ways with their comments. But the bottom line about updates
is that it is a sensitive issue after all (especially if the actual
vulnerability is hacked, there's no time for regrets at that point) and
doing the right thing is always the best thing to do... meaning in this
case, do not leave an un-restarted server with updates applied.

Microsoft about updates and their release works like this:
Tuesday: Update is released
Wednesday: Installation on test environment
Thursday: Test it
Friday: Install on production servers
Weekend: Restart servers

Cheers everyone


--

augusto alvarez | it professional
MCP - MCTS - MCITP DBA
http://blog.augustoalvarez.com.ar/


"Lawrence Garvin (MVP)" <lawrence[ at ]news.postalias> wrote in message
news:uHsbpigXJHA.760[ at ]TK2MSFTNGP02.phx.gbl...
> "Hank Arnold (MVP)" <rasilon[ at ]aol.com> wrote in message
> news:OQMIVceXJHA.1532[ at ]TK2MSFTNGP03.phx.gbl...
>
>> Lawrence Garvin (MVP) wrote:
>>>
>>> Installing patches and not rebooting is the same thing as not installing
>>> patches at all.
>
>> It's worse. By installing a patch and not rebooting, you are leaving the
>> server in a potentially unstable environment.
>
> While I don't disagree, it's a controversial discussion (the keyword being
> "potentially"), and lately I've been opting to avoid that particular
> discussion unless specifically germane. It's much simpler, and less
> controversial, to simply point out the machine still contains the
> (security) vulnerabilities, than it is to potentially get into a
> discussion over whether the machine is additionally unstable, or not.
>
> In this case, it was just as functional to take the higher road and point
> out the machines were simply not being updated at all, because of the "up
> for months without a reboot" SLA. :-)
>
> And, even more significantly, the fantasy that such an SLA was sustainable
> without NLB or clustering -- and if NLB or clustering existed, then the
> "reason" was void on the surface, since rebooting one node of a NLB or
> cluster farm would have zero visibility to the service consumers.
>
>
> --
> Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
> Principal/CTO, Onsite Technology Solutions, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2009)
>
> MS WSUS Website: http://www.microsoft.com/wsus
> My Websites: http://www.onsitechsolutions.com;
> http://wsusinfo.onsitechsolutions.com
> My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
>

Re: WSUS 3 "rebooting" servers without ask...
"KayZer sOZE" <KS[ at ]THESUSPECTS.COM> 12/17/2008 10:44:55 AM
What I did: Add a second GPO (aimed at servers in this situation) to not
install scheduled "patches".

Install only based on "Human Choice" when logging on


"Lawrence Garvin (MVP)" <lawrence[ at ]news.postalias> wrote in message
news:e5gRDBKXJHA.5064[ at ]TK2MSFTNGP02.phx.gbl...
> "KayZer sOZE" <KS[ at ]THESUSPECTS.COM> wrote in message
> news:OQCqeFHXJHA.5084[ at ]TK2MSFTNGP03.phx.gbl...
>
>> I have several Win2003 R2 SP2 servers rebooting without warning.
>
> You've answered your own question in the log entries you cited:
>
>> 774 AU WARNING: Initiating reboot since no user logged on
>
>
>> Why? Can I avoid this? Sometimes a server with pending patch must be online
>> for months... without interruptions and users need to connect via RDP
>> make some maintenance and Logoff but without "trigger" a "restart"
>
> Then you need to rethink your patching strategy and procedures.
>
> My suggestion is to not install patches to a machine until it's in a
> position to reboot.
>
> Installing patches and not rebooting is the same thing as not installing
> patches at all.
>
> Why invest the unnecessary effort in pretending to secure an
> insecure/vulnerable server, if it's not really happening anyway?
>
> Furthermore, if you have servers with a requirement to "be online for
> months.. without interruptions", then it follows that these servers ought
> to be in server FARMS, with clustering or NLB implemented. To wit, it then
> becomes a non-issue that one node of such an environment is rebooted once
> a month while the other node(s) remain online.
>
> If you don't have clustering or NLB implemented, then the idea that the
> servers "...must be online for months .. without interruptions.." is just
> a fantasy, and the only reason it's still not been burst is because you've
> been Very Lucky.
>
>
> --
> Lawrence Garvin, M.S., MCITP(x2), MCTS(x5), MCP(x7), MCBMSP
> Principal/CTO, Onsite Technology Solutions, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2009)
>
> MS WSUS Website: http://www.microsoft.com/wsus
> My Websites: http://www.onsitechsolutions.com;
> http://wsusinfo.onsitechsolutions.com
> My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
>

