
Monthly Windows Patching: Who?

tj_wilkinson2
Participant
0 Kudos

Hello,

I'm curious how you all manage the monthly Windows patching. Do you all, as the basis team, perform the patching? Or do you have Windows systems engineers do the patching?

If the Windows systems engineers do the patching, are there scripts in place to end the SAP systems before the patching, or do the Windows engineers do that as well?

We're starting our journey into the world of SAP on Windows and are trying to determine how / who should handle the monthly patching. Thank you.

~TJ

Accepted Solutions (0)

Answers (4)


Former Member
0 Kudos

I have a few Windows systems which have monthly patch schedules.

In fact, we have a 4-hour downtime for this patching activity every month. My team (BASIS) will stop the application and database before patching and restart them after patching.

And every patch doesn't need downtime (they don't reboot every time), but it's a periodic and scheduled patching activity.

So we follow the process.

Regards,

Nick Loy

xymanuel
Active Participant
0 Kudos

Hello,

We have an official maintenance time on one weekend every month.

For us it is the same kind as for Brian Walker (except the MSCS; we have to stop SAP during DB server patching).

The Windows team chooses the needed patches and releases them via WSUS.

The Basis team is responsible for shutting down SAP, applying the Windows patches and restarting SAP.

Nevertheless, we are planning to use a global job scheduler (like APX) to do all the work.

Kind regards

Manuel

Former Member
0 Kudos

Hi TJ!

I could see that you had some good answers! Just for completeness, let me refer you to my Knowledge Base Article 1525654. That is to say, whoever finally applies the patches, it is a good idea to have the basis admin take a glance at the SAP notes on the patches that are going to be applied, to avoid applying a patch whose adverse effects are already known. The risk is low, but it has sometimes happened in the past (as explained in the KBA).

Cheers!

--Jesú

brian_walker
Active Participant
0 Kudos

Hello! First, we patch quarterly and not monthly unless a really bad security vulnerability is in one of the patch cycles. Our Windows Infrastructure team is responsible for deciding which patches get applied during the quarterly update and the Basis team is responsible for shutting down SAP, running the Windows patches and rebooting, and starting SAP on all of the SAP servers.

We run MSCS for our production systems, so we don't take downtime to do the patching. For production we move all the workload to 1 of the MSCS members, patch the other, move the workload to the patched member and then patch the remaining MSCS member. We use SAP login groups and remove half of the app servers from the group, wait for the connections to drain (half a day to a day), shut down SAP on them, patch and reboot, restart SAP, add the app servers back to the login group and then repeat for the other half of the app servers.

For non-production we just shut down SAP before the start of the automatic patching window, let the systems patch and reboot themselves and then start SAP back after the patching window has ended.

Brian

tj_wilkinson2
Participant
0 Kudos

Thank you Brian. Do you use any scripts to manage the stop / start of the SAP applications? Or do you manage that manually? How many Windows servers do you have to patch and how big is your basis team?

brian_walker
Active Participant
0 Kudos

We don't use any scripts to shut down SAP on the systems. We manage ~30 total SAP SIDs, ~8 of which are production. There are probably just shy of 100 total servers for our SAP landscape, but many of the non-production servers are virtual.

We've found it is pretty easy to use the SAP Management Console (SAP MC) to shut down and start SAP systems from our desktops. As mentioned previously, we handle the production systems manually using cluster failover and login groups (usually the week before the weekend patching) and for non-production we just shut down SAP before the automatic patch window and start SAP an hour or two later when the patch window is complete. Using the SAP MC it takes less than 10 minutes to stop or start all of the non-production systems.

Our company is quite "lean", so our Basis team has 3 full-time people (including me).

Brian

former_member204746
Active Contributor
0 Kudos

Hi,

Our Windows team takes care of patching. They do it monthly using WSUS.

The Basis team provided them with scripts to stop SAP and Oracle.

The process was quite easy to set up.

tj_wilkinson2
Participant
0 Kudos

Thanks guys; I appreciate the responses. Right now it looks like we're headed down the path of us (basis) performing the patching, but I didn't know if that was the normal approach, and didn't want to set that precedent if it wasn't. It sounds like it could go either way.

brian_walker
Active Participant
0 Kudos

It could easily go either way, especially if you scripted the shutdown and startup of SAP, but... When it comes down to it (for us at least), the Basis team owns whether or not SAP is working. Since that is the case, we prefer to shut things down, apply the patches and reboot, and then start SAP back. If there is a chance we'll get called anyway because one of the SAP systems won't come back up or is acting strangely after it restarts, we'd rather just own the process and know who is "on call" to perform the patching. If there are issues with the patches themselves, our Windows team also has someone available during the patch window that we can work with.

Just my 2c.

Brian

former_member204746
Active Contributor
0 Kudos

We reboot at 2am... so, we prefer to let scripts handle everything... if at 3am the system is still down, we let the monitoring tool "page" the Basis guy that is on-call.