How I automate windows updates/reboots on my home lab



As my home lab has grown, so has the amount of time that I spend manually patching/rebooting each server, no fun!

So last weekend, I came up with a means to automate the process with Active Directory groups, Group Policy and PowerShell.

The goals
  1. Automate patching / rebooting of all VMware/Hyper-V guest operating systems in my home lab
  2. As I've got about 20 VMs across 4 physical hypervisors, separating the guests into two reboot windows was ideal
  3. Dynamically update the reboot windows as I add/remove servers
Implementation
  1. Created AD group called "Sat AM patching servers"
  2. Created AD group called "Sun AM patching servers"
  3. Created GPO called "Sat AM Patching" at top-level OU that sets the following:

    Computer Configuration > Administrative Templates > Windows Components > Windows Update  > Configure Automatic Updates - Sat @ 5 am
  4. Within the "DELEGATION" tab, I set "Sat AM patching servers" to have read/apply group policy rights on the GPO
  5. To stop the "Sat AM Patching" GPO from applying to servers in the Sun group, I then set the "Sun AM patching servers" group to DENY for read and "apply this GPO"
  6. Created GPO called "Sun AM patching" at top-level OU that sets the following:

    Computer Configuration > Administrative Templates > Windows Components > Windows Update  > Configure Automatic Updates - Sun @ 5 am
  7. Within the "DELEGATION" tab, I set "Sun AM patching servers" to have read/apply group policy rights on the GPO
  8. To stop the "Sun AM Patching" GPO from applying to servers in the SAT group, I then set the "Sat AM patching servers" group to DENY for read and "apply this GPO"

    Note:
     Additional info on the above GPO settings is available here
  9. Steps 1-8 address goals 1 & 2, which left goal 3: automating the process by which servers are added to / removed from the SAT and SUN global groups. PowerShell to the rescue!
  10. Step 10 was the creation of a new PowerShell script; full details are below:

For years, I've been naming any virtual servers created on my ESXi/Hyper-V hosts to include either a "1" or a "2" in their name. The servers are spread out across multiple OUs. For instance, my Citrix OU has VDA1 and VDA2; my SQL servers are in another OU and called SQL1 and SQL2; my AD controllers are in another OU and called ADDC1 and ADDC2; etc. You get the idea.

The actual PowerShell code to achieve this was less than 40 lines; here it is:

### Load the AD cmdlets (RSAT / AD DS role)
Import-Module ActiveDirectory

### Filter out servers that we don't want to regularly patch
$Servers = Get-ADComputer -Filter * | Sort-Object DNSHostName `
| Where-Object {$_.DNSHostName -notlike "*GOL*"} `
| Where-Object {$_.DNSHostName -notlike "*ESX*"}

### Filter $Servers to include servers with the # 1 in their name
### (match on the computer Name; $_ on its own stringifies to the DN,
### which would also match digits in OU names)
$Servers2AddtoGrp1 = $Servers | Where-Object {$_.Name -like "*1*"}

### Filter $Servers to include servers with the # 2 in their name
$Servers2AddtoGrp2 = $Servers | Where-Object {$_.Name -like "*2*"}

### Get the two patching groups created in steps 1 and 2
$ADGrp1 = Get-ADGroup -Filter 'Name -eq "Sat AM patching servers"'
$ADGrp2 = Get-ADGroup -Filter 'Name -eq "Sun AM patching servers"'

### Reset Patching Group 1 members
Get-ADGroupMember $ADGrp1 | ForEach-Object {
    Remove-ADGroupMember $ADGrp1 -Members $_ -Confirm:$False
}

### Reset Patching Group 2 members
Get-ADGroupMember $ADGrp2 | ForEach-Object {
    Remove-ADGroupMember $ADGrp2 -Members $_ -Confirm:$False
}

### Add all entries from $Servers2AddtoGrp1
### (Add-ADGroupMember errors on an empty -Members, so guard it)
if ($Servers2AddtoGrp1) { Add-ADGroupMember $ADGrp1 -Members $Servers2AddtoGrp1 }

### Add all entries from $Servers2AddtoGrp2
if ($Servers2AddtoGrp2) { Add-ADGroupMember $ADGrp2 -Members $Servers2AddtoGrp2 }

The script resides on GitHub, HERE
So, we have a script that reads ALL computer accounts in my home lab domain, filters out those with names I don't want to patch (like ESX*), resets the membership of the two AD groups, then adds the servers back in.
The above covers step 10.
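One check worth running before the scheduled task goes live, as an added example that is not part of the original post or its script: dry-run the "1"/"2" naming rule against the computer names and flag any that would land in both groups (say, a "SQL12") or in neither. Because each GPO carries a Deny for the other group (steps 5 and 8) and Deny wins over Allow, a computer in both groups receives neither patch-window GPO. The computer names in the sample are constructed.

```powershell
# Added example (not from the original post): classify computer names the way
# the script does and report the ones that would end up in both patch groups
# or in neither. Swap in (Get-ADComputer -Filter *).Name to run it against a
# real domain; the $sample list below is constructed.
function Get-PatchGroupAssignment {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($name in $ComputerName) {
        # Same exclusions as the post's script
        if ($name -like "*GOL*" -or $name -like "*ESX*") { continue }

        $groups = @()
        if ($name -like "*1*") { $groups += "Sat AM patching servers" }
        if ($name -like "*2*") { $groups += "Sun AM patching servers" }

        # With a Deny ACE for the other group on each GPO, membership in both
        # groups means both GPOs are denied, so no patch window applies.
        $status = switch ($groups.Count) {
            0       { "NEITHER - no patch-window GPO applies" }
            1       { "OK" }
            default { "BOTH - denied by both GPOs, no patch-window GPO applies" }
        }

        [pscustomobject]@{
            ComputerName = $name
            Groups       = ($groups -join "; ")
            Status       = $status
        }
    }
}

# Constructed sample names, including two deliberately awkward ones
$sample = "VDA1", "VDA2", "SQL1", "SQL2", "SQL12", "ADDC1", "ADDC2", "FILESRV", "ESX1", "GOLDIMAGE"
Get-PatchGroupAssignment -ComputerName $sample | Format-Table -AutoSize
```

Anything reported as BOTH or NEITHER needs either a rename or a manual group assignment before the nightly script runs, since the script rebuilds both groups from the naming rule every time.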

Step 11 was just to create a scheduled task on my ADDC1 and ADDC2 to run the PowerShell script 1 hour before the Sat/Sun patch window kicks in!

Hopefully you found the above useful; it wasn't TOO much work. I was done in the time it took me to consume about 2 servings of Jameson Irish Whiskey / Dr Pepper (2 hours?). Whiskey purists will scoff @ me, but I won't see said scoffs, as this is the internet :p

Owen
