A Hyper-V cluster – or any cluster for that matter – have are notoriously painful to patch. This pain often results in administrators delaying patching their clusters. Well, Microsoft has heard your cries and simplified cluster patching in server 2012 R2 and Server 2016.
Patching servers in a cluster can be daunting and cause many administrators to delay updates. The time and effort required to move resources from one node to another result in many administrators ignoring those updates all together. Additionally, problems can arise from a lack of node visibility. Even if the machines are patched using a tool like WSUS or SCCM, the patching process is not aware of any virtual machine or service running on those guest systems. The lack of awareness often results in virtual machines being rebooted at inopportune times.
Most system administrators figured if the virtual machine or service was patched then why bother? In reality, the host is just as susceptible to attack as the guest. Even a core install of Hyper-V needs to be patched. Thankfully Microsoft has developed a solution.
Beginning in server 2012 R2 Microsoft has Cluster Aware Updating (CAU). CAU enables the host nodes to be patched while respecting the integrity of the services running on the virtual machines. So how does it work?
Cluster Aware Updating (CAU)
Once your cluster is created you will need to load Cluster Aware Updating. It takes just a few minutes.
- Disable any other updating methods – SCCM, WSUS or direct Microsoft updates
- Open Failover Cluster Manager and connect to your cluster.
- Click on Cluster Aware Updating to set-up the service
- You will need to add the role and a computer account. If you pre-staged this account, you can click that box and enter the account name. The Cluster Aware Updating is treated like any other clustered service role.
- Follow through the wizard and assign the date and time of patching. If you are not entirely sure of your update schedule yet, these setting can be changed later.
- Once you are done, it will run PowerShell in the background to configure all the parameters. If you are curious these are the steps that occur during patching:
- All nodes download updates in parallel
- A node is chosen to be updated Note: Documentation indicates that the node with the fewest roles goes first, then steps through to the next node. Another node is chosen as the coordinator.
- If the node has no patches available, the process on that node stops and jumps to step 10. Otherwise, it proceeds to step 4
- Pre-update scripts are run
- The node is placed into Maintenance Mode (roles are drained)
- Patches are applied
- The system is rebooted, if necessary
- Post-update scripts are run
- Maintenance Mode is ended and roles are retrieved
- If other nodes are available, the process starts over at step 2
Note: Cluster Aware Updating can use Windows Update or WSUS to get their updates. Additionally, you can click to see what updates will be applied to the cluster node before applying them. You can also kick of the patching manually, if you want to see how the process works.
As you can see, this allows you to schedule your cluster patching without worrying about taking down a virtual machine or clustered service and impacting your user base.
If you have any questions on implementing Cluster Aware Updating, we’re standing by to help. Email email@example.com to start the conversation.