It would be nice if MS could settle on a single subnet for updates

  • Thread starter: Leythos
Re: It would be nice if MS could settle on a single subnet for updates

On Thu, 2 Aug 2007 20:50:42 -0700, "Kerry Brown"
>"cquirke (MVP Windows shell/user)" wrote in


>> Sounds good - by "one server", do you mean a server dedicated to this
>> task alone, or can that be the only server you have? Will it run on
>> SBS, or is there a different solution for that?


>SBS 2003 R2 comes with WSUS out of the box.


Niiice... so that's one SBS box, WSUS built in!


>--------------- ----- ---- --- -- - - -

Error Messages Are Your Friends
>--------------- ----- ---- --- -- - - -
 
Re: It would be nice if MS could settle on a single subnet for updates

"cquirke (MVP Windows shell/user)" <cquirkenews@nospam.mvps.org> wrote in
message news:v369b31gdcq1569ifmdndl1n09hjp1jgn4@4ax.com...
> On Thu, 2 Aug 2007 20:50:42 -0700, "Kerry Brown"
>>"cquirke (MVP Windows shell/user)" wrote in

>
>>> Sounds good - by "one server", do you mean a server dedicated to this
>>> task alone, or can that be the only server you have? Will it run on
>>> SBS, or is there a different solution for that?

>
>>SBS 2003 R2 comes with WSUS out of the box.

>
> Niiice... so that's one SBS box, WSUS built in!
>
>



An SBS install is a fairly complicated procedure and takes a few tries to
get it right the first time. WSUS is not installed by default. You have to
install it. If you follow the instructions in the readme files it is
installed. If you stick the first CD in (or the only DVD) and just let the
install run clicking on "Next" it doesn't get installed. WSUS does need
quite a bit of resources. The SQL instance it uses will grow to a point
where it is hogging all the free RAM if you don't throttle it back manually.
It takes a lot of disk space. You also spend quite a bit of time managing it
approving updates. Because of this you may not want it on a heavily loaded
server. A full SBS install is a heavily loaded server - Domain Controller,
Exchange, SharePoint, Web (for intranet and RWW), SQL, file server, WSUS,
ISA, and probably more I've forgotten. It needs a lot of hardware to run all
this. At a minimum you need 2GB of RAM (4 is preferred), at least two fairly
large drives mirrored (preferably more with RAID 5), and a server class CPU
(dual core Opteron or Xeon, preferably two). Given this hardware yes, all on
one box :-)

Of course Microsoft says it will run on a 750 MHz CPU with 512 MB of RAM and
16 GB of hard drive space. I have actually seen an IBM server configured
like this. It was delivered from IBM setup this way. It was unbelievably
unstable and slow. Even their minimum recommended system of a 1 GHz CPU
with 1 GB of RAM is woefully inadequate.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca
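Kerry's advice to throttle the WSUS SQL instance back manually can be scripted rather than done by hand each time. The block below is an added example, not code from the thread or from Microsoft. The instance name .\WSUS, the 512 MB cap and the presence of sqlcmd.exe on the path are assumptions; the T-SQL itself (sp_configure with 'max server memory (MB)') is the standard way to cap any SQL Server 2000/2005 instance, including the WMSDE/MSDE instances SBS ships.

```powershell
# Added example (not from the thread): cap the memory of the SQL Server
# instance that backs WSUS so it stops competing with Exchange, AD and the
# rest of an SBS box. Assumptions: the instance name, the 512 MB cap and
# that sqlcmd.exe (SQL Server 2005 client tools) is on PATH. On a box that
# only has osql.exe, the same T-SQL works with: osql -E -S <instance> -Q "...".

param(
    [string]$Instance = '.\WSUS',   # assumed; list instances with: Get-Service MSSQL*
    [int]$MaxMemoryMB = 512          # assumed cap; leave headroom for Exchange and AD
)

# 'max server memory' is an advanced option, so it has to be exposed first.
# It is a dynamic setting: RECONFIGURE applies it without a service restart.
$show = "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;"
$read = "EXEC sp_configure 'max server memory (MB)';"
$set  = "EXEC sp_configure 'max server memory (MB)', $MaxMemoryMB; RECONFIGURE;"

Write-Host "Current setting on ${Instance}:"
& sqlcmd -E -S $Instance -Q "$show $read"
if ($LASTEXITCODE -ne 0) { throw "sqlcmd could not reach $Instance (exit $LASTEXITCODE)" }

Write-Host "Capping $Instance at $MaxMemoryMB MB..."
& sqlcmd -E -S $Instance -Q "$show $set"
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed to apply the cap (exit $LASTEXITCODE)" }

# Read it back so the change is confirmed rather than assumed.
Write-Host "New setting on ${Instance}:"
& sqlcmd -E -S $Instance -Q $read
```

Run it once as a domain admin on the SBS box and check Task Manager afterwards: the sqlservr.exe process for that instance will trim its working set down towards the cap. If WSUS 3.0 is installed on the Windows Internal Database instead of a named SQL instance, the instance is reached through the named pipe np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query rather than an instance name; the T-SQL is unchanged.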
 
Re: It would be nice if MS could settle on a single subnet for updates

On Sat, 4 Aug 2007 10:14:17 -0700, "Kerry Brown"
>"cquirke (MVP Windows shell/user)" wrote in
>> On Thu, 2 Aug 2007 20:50:42 -0700, "Kerry Brown"
>>>"cquirke (MVP Windows shell/user)" wrote in


>>>> Sounds good - by "one server", do you mean a server dedicated to this
>>>> task alone, or can that be the only server you have? Will it run on
>>>> SBS, or is there a different solution for that?


>>>SBS 2003 R2 comes with WSUS out of the box.


>> Niiice... so that's one SBS box, WSUS built in!


>An SBS install is a fairly complicated procedure and takes a few tries to
>get it right the first time. WSUS is not installed by default. You have to
>install it. If you follow the instructions in the readme files it is installed.


OK... a bit like USBSupp.exe in Win95 SR2, or NetBEUI in XP ;-)

>WSUS does need quite a bit of resources. The SQL instance it
>uses will grow to a point where it is hogging all the free RAM if
>you don't throttle it back manually.


Hmmm... not just a "fat bump in the power cord" then...

>It takes a lot of disk space. You also spend quite a bit of time managing it
>approving updates. Because of this you may not want it on a heavily loaded
>server. A full SBS install is a heavily loaded server - Domain Controller,
>Exchange, SharePoint, Web (for intranet and RWW), SQL, file server, WSUS,
>ISA, and probably more. It needs a lot of hardware to run all this.


This is interesting, as I thought SBS was a "leaner" option compared
to formal Windows Server, but maybe not, if it has so much work to do?

>At a minimum you need 2GB of RAM (4 is preferred), at least two fairly
>large drives mirrored (preferably more with RAID 5), and a server class CPU
>(dual core Opteron or Xeon, preferably two). Given this hardware yes, all on
>one box :-)


Hmm... 1 x S-ATA 320G, 1G RAM, 2GHz Core 2 Duo any good? Will
boosting RAM to 2G help? Won't 4G need 64-bit?

>Of course Microsoft says it will run on a 750 MHz CPU with 512 MB of RAM and
>16 GB of hard drive space.


:-)

>I have actually seen an IBM server configured like this. It was delivered
>from IBM setup this way. It was unbelievably unstable and slow. Even
>their minimum recommended system of a 1 GHz CPU with 1 GB of
>RAM is woefully inadequate.


Interesting the RAM requirements are so high, but I guess that's a
"server thing", after all - especially as ad-hoc requests from client
PCs will be hard to predict and optimise.

Heh - just as off-the-peg hardware grows up to cope fairly easily with
all this, there will be a new (Longhorn) version of the OS ;-)



>--------------- ---- --- -- - - - -

"We have captured lightning and used
it to teach sand how to think."
>--------------- ---- --- -- - - - -
 
Re: It would be nice if MS could settle on a single subnet for updates

"cquirke (MVP Windows shell/user)" <cquirkenews@nospam.mvps.org> wrote in
message news:mggcb3t6jjtq2kfkagnh7gmh98sm2r81c9@4ax.com...
> On Sat, 4 Aug 2007 10:14:17 -0700, "Kerry Brown"
>>"cquirke (MVP Windows shell/user)" wrote in
>>> On Thu, 2 Aug 2007 20:50:42 -0700, "Kerry Brown"
>>>>"cquirke (MVP Windows shell/user)" wrote in

>
>>>>> Sounds good - by "one server", do you mean a server dedicated to this
>>>>> task alone, or can that be the only server you have? Will it run on
>>>>> SBS, or is there a different solution for that?

>
>>>>SBS 2003 R2 comes with WSUS out of the box.

>
>>> Niiice... so that's one SBS box, WSUS built in!

>
>>An SBS install is a fairly complicated procedure and takes a few tries to
>>get it right the first time. WSUS is not installed by default. You have to
>>install it. If you follow the instructions in the readme files it is
>>installed.

>
> OK... a bit like USBSupp.exe in Win95 SR2, or NetBEUI in XP ;-)
>
>>WSUS does need quite a bit of resources. The SQL instance it
>>uses will grow to a point where it is hogging all the free RAM if
>>you don't throttle it back manually.

>
> Hmmm... not just a "fat bump in the power cord" then...
>
>>It takes a lot of disk space. You also spend quite a bit of time managing
>>it
>>approving updates. Because of this you may not want it on a heavily loaded
>>server. A full SBS install is a heavily loaded server - Domain Controller,
>>Exchange, SharePoint, Web (for intranet and RWW), SQL, file server, WSUS,
>>ISA, and probably more. It needs a lot of hardware to run all this.

>
> This is interesting, as I thought SBS was a "leaner" option compared
> to formal Windows Server, but maybe not, if it has so much work to do?
>


SBS is anything but lean. Until SBS was released it was the "best practice"
to have at least four or five servers to run all this.

>>At a minimum you need 2GB of RAM (4 is preferred), at least two fairly
>>large drives mirrored (preferably more with RAID 5), and a server class
>>CPU
>>(dual core Opteron or Xeon, preferably two). Given this hardware yes, all
>>on
>>one box :-)

>
> Hmm... 1 x S-ATA 320G, 1G RAM, 2GHz Core 2 Duo any good? Will
> boosting RAM to 2G help? Won't 4G need 64-bit?
>


SBS will run but if you have more than a couple of users it may be slow. My
server at home with only two users has a P4 1.6 GHz and 1 GB RAM. I am using
SBS 2003 SP1 with no SQL other than the two default MSDE instances and no
ISA. It is fine for two users. I wouldn't install it for a customer. A
server in a business can be a single point of failure. Because of this you
want as much redundancy as possible. I'd add a second drive as a mirror. I'd
also stay away from desktop motherboards and cases/PSUs. With most
motherboards I've used with SBS 2003 R2 and a 64 bit CPU, 4 GB of RAM shows
up as 4 GB despite the 32 bit limit. Server motherboards usually support
relocating the address space for the hardware. Even a desktop board I tested
recently showed 3.99 GB. It would be interesting to find out the technical
details but I've never bothered.

>>Of course Microsoft says it will run on a 750 MHz CPU with 512 MB of RAM
>>and
>>16 GB of hard drive space.

>
> :-)
>
>>I have actually seen an IBM server configured like this. It was delivered
>>from IBM setup this way. It was unbelievably unstable and slow. Even
>>their minimum recommended system of a 1 GHz CPU with 1 GB of
>>RAM is woefully inadequate.

>
> Interesting the RAM requirements are so high, but I guess that's a
> "server thing", after all - especially as ad-hoc requests from client
> PCs will be hard to predict and optimise.


It's all the "servers" that are running on one computer. Four SQL instances,
Domain Controller, Exchange, ISA, WSUS, file server, print server, etc.

>
> Heh - just as off-the-peg hardware grows up to cope fairly easily with
> all this, there will be a new (Longhorn) version of the OS ;-)


The Longhorn version of SBS will be 64 bit only so it will require new
hardware. I don't think the minimums have been decided on yet or at least
not announced publicly but I expect they are much higher :-)

Don't get me wrong. I really like SBS and recommend it for businesses as
small as four or five users. It is however a real server and needs real
server equipment to work properly. Note this needn't be drastically
expensive. I can build a decent server for less than $1,500 CDN for the
hardware. I can build a server that will run SBS right up to the max number
of users for less than $2,500 CDN.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca
 
Re: It would be nice if MS could settle on a single subnet for updates

In article <#CHW67E2HHA.5164@TK2MSFTNGP05.phx.gbl>, kerry@kdbNOSPAMsys-
tems.c*a*m says...
> I can build a server that will run SBS right up to the max number
> of users for less than $2,500 CDN.


LOL - and when used by 70-75 users, that $2500 server, with users that
hit the SQL database hard, have tons of email, etc... will crawl and
they will complain non-stop - at least if they've ever used anything
fast :)

I've got customers, about 40 with SBS 2003 Prem, and Dual CPU, 5xSATA,
4GB RAM, LTO-2 or DAT-72 tape min, and Dual 550W PSU units is going to
run a little more than $2500 in most all cases :)

--

Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
 
Re: It would be nice if MS could settle on a single subnet for updates

"Leythos" <void@nowhere.lan> wrote in message
news:MPG.2123b4f7e1e8fc9e9898c8@adfree.Usenet.com...
> In article <#CHW67E2HHA.5164@TK2MSFTNGP05.phx.gbl>, kerry@kdbNOSPAMsys-
> tems.c*a*m says...
>> I can build a server that will run SBS right up to the max number
>> of users for less than $2,500 CDN.

>
> LOL - and when used by 70-75 users, that $2500 server, with users that
> hit the SQL database hard, have tons of email, etc... will crawl and
> they will complain non-stop - at least if they've ever used anything
> fast :)
>
> I've got customers, about 40 with SBS 2003 Prem, and Dual CPU, 5xSATA,
> 4GB RAM, LTO-2 or DAT-72 tape min, and Dual 550W PSU units is going to
> run a little more than $2500 in most all cases :)
>


Here's one I just built for under $2,500 CDN

Chassis - Intel SC5299BRPNA
Motherboard - Intel SC5000SASATA
CPU - 2 x Intel Xeon 5130A Dual Core
RAM - 4 GB total, 4 x Kingston KVR667D2D8F5 ECC DDR2 667 MHz
Hard Drives - 2 x Seagate ST3320620S Sata-II configured as RAID 1
LG 18X DVDRW drive
Logitech keyboard and mouse
AOC LM760 17" LCD monitor
Belkin 1500 VA UPS
2 x 320 GB USB drives for backup

Originally they had 4 drives configured as RAID 10 but decided to use two of
the drives for USB backup drives. They don't have 75 users but if they grow
to that size it would just be a matter of adding more drives.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca
 
Re: It would be nice if MS could settle on a single subnet for updates

On Mon, 6 Aug 2007 10:26:50 -0700, "Kerry Brown"
>"cquirke (MVP Windows shell/user)" wrote
>> (ping-pong attributions as above)


>> This is interesting, as I thought SBS was a "leaner" option compared
>> to formal Windows Server, but maybe not, if it has so much work to do?


>SBS is anything but lean. Until SBS was released it was the "best practice"
>to have at least four or five servers to run all this.


Ah, OK; now I get it... almost more like the server equivalent of
Windows + Office rather than a Windows "Lite".

>> Hmm... 1 x S-ATA 320G, 1G RAM, 2GHz Core 2 Duo any good? Will
>> boosting RAM to 2G help? Won't 4G need 64-bit?

>
>SBS will run but if you have more than a couple of users it may be slow. My
>server at home with only two users has a P4 1.6 GHz and 1 GB RAM. I am using
>SBS 2003 SP1 with no SQL other than the two default MSDE instances and no
>ISA. It is fine for two users. I wouldn't install it for a customer.


Can you de-select what is installed? It's crazy to have to ask, but
with the trend from Win9x to WinME through XP to Vista, one has to.
Every new Windows gives us less control over such things.

>A server in a business can be a single point of failure.


A single PC at home IS a single point of failure, which is why I
insist on these being treated with more respect than the cavalier way
most sysadmins treat their desktop systems.

>Because of this you want as much redundancy as possible. I'd add
>a second drive as a mirror.


I can see the logic of that, though RAID1 only pays off the narrow
case of a HD failure. Anything else will trash or lose both HDs
equally, and if you have that risk properly hedged (which is easier
said than done) you could drop the RAID1 factor unless you are after
the ability to hot-swap a sick HD to maintain uptime.

>I'd also stay away from desktop motherboards and cases/PSUs.


Hmm... I've been using Intel motherboards (and am fussy about the
chipsets) since the bad capacitors thing, before which I used
fussily-chosen Intel chipsets on decent 3rd-party boards.

But IKWYM; you're referring to designated server-grade hardware.

>With most motherboards I've used with SBS 2003 R2 and a
>64 bit CPU, 4 GB of RAM shows up as 4 GB despite the 32 bit limit.


That's interesting....

>> Interesting the RAM requirements are so high, but I guess that's a
>> "server thing", after all - especially as ad-hoc requests from client
>> PCs will be hard to predict and optimise.

>
>It's all the "servers" that are running on one computer. Four SQL instances,
>Domain Controller, Exchange, ISA, WSUS, file server, print server, etc.


Hmm, OK. It still seems to me that going server-centric is one hell
of a capital outlay for a 3-5 seat business, creating a nasty
dependency on admin expertise to run the thing.

>Don't get me wrong. I really like SBS and recommend it for businesses as
>small as four or five users. It is however a real server and needs real
>server equipment to work properly. Note this needn't be drastically
>expensive. I can build a decent server for less than $1,500 CDN for the
>hardware. I can build a server that will run SBS right up to the max number
>of users for less than $2,500 CDN.


I can't remember the Canadian $ rate, but if I assume US rates, that
looks OK-ish (I assume you're excluding OS cost there), similar to
what a video-editing PC (without the special video editing hardware
and software) might cost. I usually do those starting with matched
system and data HDs that are destined to become a data RAID0 pair with
a future larger HD for system (where system is on a small C: and the
rest of the physical HD is "parking space").



>--------------- ----- ---- --- -- - - -

Error Messages Are Your Friends
>--------------- ----- ---- --- -- - - -
 
Re: It would be nice if MS could settle on a single subnet for updates

Catching up while in Auckland for TechEd New Zealand.

Chris, certainly you understand that, short of using IPsec, there's no way
to trust the IP addresses of *anyone's* update distribution servers? And
certainly you understand that the updates we supply are digitally signed?
And that the update mechanism will discard any download whose signature
fails validation? This is the only way to ensure the integrity of an update.
We have indeed changed the update servers' IP addresses in the past
specifically because attackers *were* trying to "hijack the pipe," and
someday we might have to do that again.

Also (and if I'm reading correctly, this is more in reply to what a previous
poster wrote), what's wrong with letting clients get their updates from us?
After all, how do you think we Microsoft employees receive updates? Through
Microsoft Update, of course! We have no scaling problems. We do, however,
also use SMS as a backup, to force updates on clients that don't get updated
from MU/WU.

Patch management makes sense for servers--you don't want them rebooting in
the middle of the night. But for clients? Well, a lot of folks (not
everyone, I realize this) run pretty standard desktop/notebook setups that
probably don't require any special patch testing beyond what we do. So if
this describes you, then why not outsource your client patch management to
Microsoft? Go ahead and turn on Microsoft Update. We'd love to take that
work off your hands. :)

Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley


"cquirke (MVP Windows shell/user)" <cquirkenews@nospam.mvps.org> wrote in
message news:oas0b3pgjqdp3cb1vrrr6mb405jq3nen3r@4ax.com...
> On Fri, 27 Jul 2007 15:13:52 +0100, "Mike Brannigan"
>>"Leythos" <void@nowhere.lan> wrote in message
>>> Mike.Brannigan@localhost says...

>
> This thread is about the collision between...
>
> No automatic code base changes allowed
>
> ...and...
>
> Vendors need to push "code of the day"
>
> Given the only reason we allow vendors to push "code of the day" is
> because their existing code fails too often for us to manage manually,
> one wonders if our trust in these vendors is well-placed.
>
> A big part of this is knowing that only the vendor is pushing the
> code, and that's hard to be sure of. If malware were to hijack a
> vendor's update pipe, it could blow black code into the core of
> systems, right past all those systems' defenses.
>
> With that in mind, I've switched from wishing MS would use open
> standards for patch transmission to being grateful for whatever they
> can do to harden the process. I'd still rather not have to leave
> myself open to injections of "code of the day", though.
>
>>NO never ever ever in a production corporate environment do you allow ANY
>>of
>>your workstations and servers to directly access anyone for patches
>>I have never allowed this or even seen it in real large or enterprise
>>customers. (the only place it may crop up is in mom and pop
>>10 PCs and a Server shops).

>
> And there's the problem. MS concentrates on scaling up to enterprise
> needs, where the enterprise should consolidate patches in one location
> and then drive these into systems under their own in-house control.
>
> So scaling up is well catered for.
>
> But what about scaling down?
>
> Do "mom and pop" folks not deserve safety? How about single-PC users
> which have everything they own tied up in that one vulnerable box?
> What's best-practice for them - "trust me, I'm a software vendor"?
>
> How about scaling outwards?
>
> When every single vendor wants to be able to push "updates" into your
> PC, even for things as trivial as printers and mouse drivers, how do
> you manage these? How do you manage 50 different ad-hoc update
> delivery systems, some from vendors who are not much beyond "Mom and
> Pop" status themselves? Do we let Zango etc. "update" themselves?
>
> The bottom line: "Ship now, patch later" is an unworkable model.
>
>>As you said your only problem is with Microsoft then the solution I have
>>outlined above is the fix - only one server needs access through your
>>draconian firewall policies. And you get a real secure enterprise patch
>>management solution that significantly lowers the risk to your
>>environment.

>
> That's prolly the best solution, for those with the resources to
> manage it. It does create a lock-in advantage for MS, but at least it
> is one that is value-based (i.e. the positive value of a
> well-developed enterprise-ready management system).
>
> However, I have to wonder how effective in-house patch evaluation
> really is, especially if it is to keep up with tight time-to-exploit
> cycles. It may be the closed-source equivalent of the open source
> boast that "our code is validated by a thousand reviewers"; looks good
> on paper, but is it really effective in practice?
>
>
>
>>--------------- ----- ---- --- -- - - -

> To one who has never seen a hammer,
> nothing looks like a nail
>>--------------- ----- ---- --- -- - - -
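Steve's point is that the server's IP address is not what the client trusts; the signature on the package is, and anything whose signature fails validation is discarded. The block below shows that check done explicitly on a downloaded package, as an added example that is not part of the thread and is not Microsoft's own update-client code. The file path, the quarantine folder and the expected signer subject are assumptions; Get-AuthenticodeSignature is the standard cmdlet and its Status values (Valid, NotSigned, HashMismatch, and so on) are real.

```powershell
# Added example (not from the thread or from Microsoft): verify the Authenticode
# signature of a downloaded update package and discard it when the signature
# does not validate, which is the check Steve describes the update client
# doing. Assumptions: the paths and the expected publisher are illustrative.

function Test-UpdateSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedPublisher = 'O=Microsoft Corporation'   # assumed pin
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Anything other than Valid means: not signed at all, tampered in transit
    # (HashMismatch), a chain that does not reach a trusted root, or a cert
    # that fails policy. None of those depend on which IP served the file.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path rejected: signature status $($sig.Status)"
        return $false
    }

    # A valid signature from the wrong publisher is still a hijacked pipe,
    # so pin the signer's subject as well as requiring a valid chain.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch [regex]::Escape($ExpectedPublisher)) {
        Write-Warning "$Path rejected: signed by $subject"
        return $false
    }
    return $true
}

function Receive-Update {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Quarantine = 'C:\Updates\Quarantine'   # assumed location
    )
    if (Test-UpdateSignature -Path $Path) {
        Write-Host "$Path verified; safe to hand to the installer"
        return $true
    }
    # Discard rather than install. Moving it aside instead of deleting keeps
    # the evidence: a HashMismatch on a file fetched from an unexpected
    # address is exactly the "hijack the pipe" case worth looking at.
    New-Item -ItemType Directory -Force -Path $Quarantine | Out-Null
    Move-Item -Path $Path -Destination $Quarantine -Force
    return $false
}

# Usage (path is assumed): run against a freshly downloaded .msu/.cab/.exe.
# Receive-Update -Path 'C:\Updates\Download\update.exe'
```

The subject pin narrows who may sign but does not help if an attacker has already planted a root CA in the machine's trust store; pinning the signer certificate's thumbprint, or the thumbprint of the issuing CA, is the stricter check when the signer is known in advance.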
 