It would be nice if MS could settle on a single subnet for updates

Discussion in 'Windows Vista Security' started by Leythos, Jul 26, 2007.

  1. Niiice... so that's one SBS box, WSUS built in!

    Error Messages Are Your Friends
    cquirke (MVP Windows shell/user), Aug 4, 2007

  2. Leythos

    Kerry Brown Guest

    An SBS install is a fairly complicated procedure and takes a few tries to
    get it right the first time. WSUS is not installed by default. You have to
    install it. If you follow the instructions in the readme files it is
    installed. If you stick the first CD in (or the only DVD) and just let the
    install run clicking on "Next" it doesn't get installed. WSUS does need
    quite a bit of resources. The SQL instance it uses will grow to a point
    where it is hogging all the free RAM if you don't throttle it back manually.
    It takes a lot of disk space. You also spend quite a bit of time managing it
    approving updates. Because of this you may not want it on a heavily loaded
    server. A full SBS install is a heavily loaded server - Domain Controller,
    Exchange, SharePoint, Web (for intranet and RWW), SQL, file server, WSUS,
    ISA, and probably more I've forgotten. It needs a lot of hardware to run all
    this. At a minimum you need 2GB of RAM (4 is preferred), at least two fairly
    large drives mirrored (preferably more with RAID 5), and a server class CPU
    (dual core Opteron or Xeon, preferably two). Given this hardware yes, all on
    one box :)

    Of course Microsoft says it will run on a 750 MHz CPU with 512 MB of RAM and
    16 GB of hard drive space. I have actually seen an IBM server configured
    like this. It was delivered from IBM setup this way. It was unbelievably
    unstable and slow. Even their minimum recommended system of a 1 GHz CPU
    with 1 GB of RAM is woefully inadequate.
    Kerry Brown, Aug 4, 2007

  3. OK... a bit like USBSupp.exe in Win95 SR2, or NetBEUI in XP ;-)
    Hmmm... not just a "fat bump in the power cord" then...
    This is interesting, as I thought SBS was a "leaner" option compared
    to formal Windows Server, but maybe not, if it has so much work to do?
    Hmm... 1 x S-ATA 320G, 1G RAM, 2GHz Core 2 Duo any good? Will
    boosting RAM to 2G help? Won't 4G need 64-bit?
    Interesting the RAM requirements are so high, but I guess that's a
    "server thing", after all - especially as ad-hoc requests from client
    PCs will be hard to predict and optimise.

    Heh - just as off-the-peg hardware grows up to cope fairly easily with
    all this, there will be a new (Longhorn) version of the OS ;-)

    "We have captured lightning and used
    it to teach sand how to think."
    cquirke (MVP Windows shell/user), Aug 5, 2007
  4. Leythos

    Kerry Brown Guest

    SBS is anything but lean. Until SBS was released it was the "best practice"
    to have at least four or five servers to run all this.
    SBS will run but if you have more than a couple of users it may be slow. My
    server at home with only two users has a P4 1.6 GHz and 1 GB RAM. I am using
    SBS 2003 SP1 with no SQL other than the two default MSDE instances and no
    ISA. It is fine for two users. I wouldn't install it for a customer. A
    server in a business can be a single point of failure. Because of this you
    want as much redundancy as possible. I'd add a second drive as a mirror. I'd
    also stay away from desktop motherboards and cases/PSUs. With most
    motherboards I've used with SBS 2003 R2 and a 64 bit CPU, 4 GB of RAM shows
    up as 4 GB despite the 32 bit limit. Server motherboards usually support
    relocating the address space for the hardware. Even a desktop board I tested
    recently showed 3.99 GB. It would be interesting to find out the technical
    details but I've never bothered.
    It's all the "servers" that are running on one computer. Four SQL instances,
    Domain Controller, Exchange, ISA, WSUS, file server, print server, etc..
    The Longhorn version of SBS will be 64 bit only so it will require new
    hardware. I don't think the minimums have been decided on yet or at least
    not announced publicly but I expect they are much higher :)

    Don't get me wrong. I really like SBS and recommend it for businesses as
    small as four or five users. It is however a real server and needs real
    server equipment to work properly. Note this needn't be drastically
    expensive. I can build a decent server for less than $1,500 CDN for the
    hardware. I can build a server that will run SBS right up to the max number
    of users for less than $2,500 CDN.
    Kerry Brown, Aug 6, 2007
  5. Leythos

    Leythos Guest

    LOL - and when used by 70-75 users, that $2500 server, with users that
    hit the SQL database hard, have tons of email, etc... will crawl and
    they will complain non-stop - at least if they've ever used anything
    fast :)

    I've got customers, about 40 with SBS 2003 Prem, and Dual CPU, 5xSATA,
    4GB RAM, LTO-2 or DAT-72 tape min, and Dual 550W PSU units is going to
    run a little more than $2500 in most all cases :)


    - Igitur qui desiderat pacem, praeparet bellum.
    - Calling an illegal alien an "undocumented worker" is like calling a
    drug dealer an "unlicensed pharmacist"
    (remove 999 for proper email address)
    Leythos, Aug 8, 2007
  6. Leythos

    Kerry Brown Guest

    Here's one I just built for under $2,500 CDN

    Chassis - Intel SC5299BRPNA
    Motherboard - Intel SC5000SASATA
    CPU - 2 x Intel Xeon 5130A Dual Core
    RAM - 4 GB total, 4 x Kingston KVR667D2D8F5 ECC DDR2 667 MHz
    Hard Drives - 2 x Seagate ST3320620S Sata-II configured as RAID 1
    LG 18X DVDRW drive
    Logitech keyboard and mouse
    AOC LM760 17" LCD monitor
    Belkin 1500 VA UPS
    2 x 320 GB USB drives for backup

    Originally they had 4 drives configured as RAID 10 but decided to use two of
    the drives for USB backup drives. They don't have 75 users but if they grow
    to that size it would just be a matter of adding more drives.
    Kerry Brown, Aug 9, 2007
  7. Ah, OK; now I get it... almost more like the server equivalent of
    Windows + Office rather than a Windows "Lite".
    Can you de-select what is installed? It's crazy to have to ask, but
    with the trend from Win9x to WinME through XP to Vista, one has to.
    Every new Windows gives us less control over such things.
    A single PC at home IS a single point of failure, which is why I
    insist on these being treated with more respect than the cavalier way
    most sysadmins treat their desktop systems.
    I can see the logic of that, though RAID1 only pays off the narrow
    case of a HD failure. Anything else will trash or lose both HDs
    equally, and if you have that risk properly hedged (which is easier
    said than done) you could drop the RAID1 factor unless you are after
    the ability to hot-swap a sick HD to maintain uptime.
    Hmm... I've been using Intel motherboards (and am fussy about the
    chipsets) since the bad capacitors thing, before which I used
    fussily-chosen Intel chipsets on decent 3rd-party boards.

    But IKWYM; you're referring to designated server-grade hardware.
    That's interesting....
    Hmm, OK. It still seems to me that going server-centric is one hell
    of a capital outlay for a 3-5 seat business, creating a nasty
    dependency on admin expertise to run the thing.
    I can't remember the Canadian $ rate, but if I assume US rates, that
    looks OK-ish (I assume you're excluding OS cost there), similar to
    what a video-editing PC (without the special video editing hardware
    and software) might cost. I usually do those starting with matched
    system and data HDs that are destined to become a data RAID0 pair with
    a future larger HD for system (where system is on a small C: and the
    rest of the physical HD is "parking space").

    Error Messages Are Your Friends
    cquirke (MVP Windows shell/user), Aug 12, 2007
  8. Catching up while in Auckland for TechEd New Zealand.

    Chris, certainly you understand that, short of using IPsec, there's no way
    to trust the IP addresses of *anyone's* update distribution servers? And
    certainly you understand that the updates we supply are digitally signed?
    And that the update mechanism will discard any download whose signature
    fails validation? This is the only way to ensure the integrity of an update.
    We have indeed changed the update servers' IP addresses in the past
    specifically because attackers *were* trying to "hijack the pipe," and
    someday we might have to do that again.

    Also (and if I'm reading correctly, this is more in reply to what a previous
    poster wrote), what's wrong with letting clients get their updates from us?
    After all, how do you think we Microsoft employees receive updates? Through
    Microsoft Update, of course! We have no scaling problems. We do, however,
    also use SMS as a backup, to force updates on clients that don't get updated
    from MU/WU.

    Patch management makes sense for servers--you don't want them rebooting in
    the middle of the night. But for clients? Well, a lot of folks (not
    everyone, I realize this) run pretty standard desktop/notebook setups that
    probably don't require any special patch testing beyond what we do. So if
    this describes you, then why not outsource your client patch management to
    Microsoft. Go ahead and turn on Microsoft Update. We'd love to take that
    work off your hands. :)

    Steve Riley
    Steve Riley [MSFT], Aug 15, 2007
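
The check described in the post above, trusting an update's digital signature rather than the IP address it was downloaded from, can be reproduced by hand on any downloaded package. This is an added example, not part of the original thread and not Microsoft's update client code; the function name, the staging folder path and the signer pattern are assumptions chosen for illustration.

```powershell
# Added example: accept a downloaded update package only if its Authenticode
# signature validates AND the signer is the expected publisher. Where the file
# came from (which server, which IP) plays no part in the decision.
function Test-UpdatePackageSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $Path,

        # Assumption: expected publisher string in the signer certificate subject.
        [string] $ExpectedSignerPattern = 'O=Microsoft Corporation'
    )
    process {
        foreach ($item in $Path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $item

            # Unsigned files have no signer certificate at all.
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

            # 'Valid' means the hash matches and the chain builds to a trusted root.
            # A tampered file reports HashMismatch; an unsigned one reports NotSigned.
            $signatureOk = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid
            $signerOk    = $subject -like "*$ExpectedSignerPattern*"

            [pscustomobject]@{
                Path   = $item
                Status = $sig.Status
                Signer = $subject
                Accept = ($signatureOk -and $signerOk)
            }
        }
    }
}

# Usage: list every package in a staging folder (placeholder path) that must be
# discarded, regardless of which distribution server supplied it.
Get-ChildItem -LiteralPath 'C:\Staging\Updates' -File |
    ForEach-Object { Test-UpdatePackageSignature -Path $_.FullName } |
    Where-Object { -not $_.Accept }
```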