Insights Configure Cluster-Aware Updating for Windows Server 2012 Failover Clusters

Configure Cluster-Aware Updating for Windows Server 2012 Failover Clusters

Keeping the members of a failover cluster up-to-date with hotfixes and patches has traditionally been an arduous and daunting task, but Windows Server 2012 introduces a new feature called Cluster-Aware Updating or “CAU” (pronounced “cow”), that will take care of patching your cluster members automatically.  This is a really easy way to keep your Hyper-V hosts or HA file shares or other kinds of failover clusters up to date automatically.

It will determine what updates are available and needed, put the cluster node in maintenance mode and drain the running roles (virtual machines in the case of Hyper-V clusters) to other nodes of the cluster, then apply the updates and reboot the server. When it comes back online it will restore cluster services on the node, make sure things are in working order and then move on to the next node until the entire cluster is up-to-date.

Ryan Doon has a nice pair of articles on more details of what CAU is, including a video demonstration.

Much like the cluster itself, CAU will operate as a Computer Object in Active Directory.  If you just run through the wizard it’ll auto-generate a pseudo random name, so if you’re like me and you want to use a specific name for CAU, then you will need to first pre-stage the account. To do this, open up the AD Users and Computer console and create a new Computer account with the name you want (this is not a User account).

I typically create a computer account that is the same as the Cluster name with “-CAU” appended to it.

Because each node of the cluster will need to be rebooted at some point by CAU, if you have the windows firewall enabled on your cluster nodes (and you should!) then you will need to enable a built-n group of exceptions called “Remote Shutdown”.  You can do this a number of ways, from manually opening the Windows Firewall with Advanced Security console and enabling the rules to using a Group Policy (which is my preference).

Of course you also have the option to use Powershell as demonstrated on Technet.  Simply run this on each host to enable the group of exceptions.

Set-NetFirewallRule -Group “@firewallapi.dll,-36751” -Profile Domain -Enabled true

Now that your hosts are prepared, it’s time to jump in!  Either from a node in the cluster or from a computer with the RSAT for Windows 8 installed with the Failover Clustering Tools feature, launch the Cluster-Aware Updating console.

Enter the name of your cluster and click on Connect, then select the cluster nodes and Analyze cluster updating readiness.  Be sure to remediate any errors that are listed and review the warnings. At the bottom of the window will be a link to give you more information on how to resolve any issues that were discovered.

Once you have all green checks, except perhaps for one warning that states “The machine proxy on each failover cluster node should be set to a local proxy server“. If you are not using an HTTP proxy, then there is nothing to do here, but the warning will remain so you can ignore it.

You also may have a warning that says “The CAU clustered role should be installed on the failover cluster to enable self-updating mode“. That’s ok, we’re going to do that next.

Now click the link for “Configure cluster self-updating options“.

Here you can add the CAU role and select the name of the Computer account you created earlier.

Configure how often to check for and apply updates. Microsoft regularly releases patches on the second Tuesday of every month. The default will apply updates on the third Tuesday. Unless you are particularly adventurous, I tend to change the schedule to the first Tuesday which will give several weeks before applying updates and allows plenty of time for other more adventurous IT folks to discover and announce any problems and workarounds that are discovered so I can be better prepared for the changes.

Leave the Advanced Options at their defaults.

Optionally include the Recommended updates along with the Critical / Severe updates. If you do this you may also end up installing new Hardware Drivers that Microsoft published via Windows Update.  For that reason I tend not to include recommended updates and just click Next.

Apply the settings to finish the wizard.

Back at the main CAU Console click the link for Preview Updates for the cluster.

If there are any available you can also click on “Apply updates to this cluster” and watch the magic happen. Later you can use the Generate Report link to see the history of updates being applied.