ESXi

  • 1.  Questions regarding Templates and patching templates

    Posted Sep 22, 2015 05:02 PM

    I am having a discussion with a co-worker on when/if we should be patching our templates. We use templates for the OS only, no applications are installed. We simply built the VM, ran MS updates, set a few settings to match our environment and shut the VM down. We converted the VM to a template and then use it to deploy new servers (Windows 2012 R2). We did not join to the domain before converting to a template, it's just a basic server. When we deploy from the template, we do not do a custom deploy. We bring the new VM up, set the IP address info, run patches, then join to the domain. I believe that we should be routinely converting the templates back to VMs and running MS updates every 2 or 3 months. My co-worker claims that doing this is no different than creating a template from a template and we will have issues with SIDs and other items. I'm hoping someone here can help me understand what direction we should be going.

    Thanks in advance.



  • 2.  RE: Questions regarding Templates and patching templates

    Posted Sep 22, 2015 06:10 PM

    Even though it is a template, you can have an IP assigned to it. Once a month, or however often you want, you can convert it to a VM, power it on, patch it manually or via automated process, and then power it back off and convert it back to a template. Only thing I would recommend is taking a snapshot prior to patching. Otherwise, this is what the convert operation is made to do ... convert it back and forth from a template to a VM for maintenance.



  • 3.  RE: Questions regarding Templates and patching templates

    Posted Sep 22, 2015 06:52 PM

    So converting the template back to a VM does nothing to change the SIDs or any other identifiers on the VM, correct? My co-worker is adamant that this should not be done.



  • 4.  RE: Questions regarding Templates and patching templates

    Posted Sep 22, 2015 07:12 PM

    If you apply customization when it is converted back to a VM, you can generate a new SID at that point.

    Take a look at the guide here for some more details: https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.vm_admin.doc%2FGUID-F3E382AB-72F6-498A-BD26-7EC0BFE320A0.html

    A relevant excerpt from the guide for you is: "Duplicate SIDs do not cause problems when the computers are part of a domain and only domain user accounts are used. However, if the computers are part of a Workgroup or local user accounts are used, duplicate SIDs can compromise file access controls".

    Hopefully that helps.



  • 5.  RE: Questions regarding Templates and patching templates

    Posted Sep 22, 2015 07:43 PM

    No, simply going from template to VM does not generate a new SID. Do it a few times and run PsGetSid. You should see the same results over and over unless you specifically run a customization script to generate a new one.
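
The convert, patch, convert-back cycle described in replies 2 and 5, as an added PowerCLI example that is not part of the original thread. The template name is a hypothetical placeholder; the script assumes an existing `Connect-VIServer` session, VMware Tools in the guest and a local administrator credential, and it leaves the patch run itself as a manual pause.

```powershell
# Added example: template maintenance cycle that also checks the machine SID is unchanged.
param(
    [string]$TemplateName = 'W2012R2-Base',   # hypothetical template name
    [pscredential]$GuestCredential = (Get-Credential -Message 'Local admin in the guest')
)
$ErrorActionPreference = 'Stop'   # on any failure, stop and leave the VM and snapshot for rollback

# Machine SID = SID of any local account with the trailing RID removed.
# WMI is used so this runs on the PowerShell version shipped with Windows 2012 R2.
$sidScript = @'
(Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' | Select-Object -First 1).SID -replace '-\d+$',''
'@

function Get-GuestMachineSid($VM) {
    $result = Invoke-VMScript -VM $VM -ScriptText $sidScript -ScriptType Powershell `
                              -GuestCredential $GuestCredential
    $result.ScriptOutput.Trim()
}

# 1. Template -> VM (no customization spec is applied, so nothing regenerates the SID)
$vm = Set-Template -Template (Get-Template -Name $TemplateName) -ToVM

# 2. Snapshot while powered off, as recommended in reply 2
$snap = New-Snapshot -VM $vm -Name "pre-patch-$(Get-Date -Format yyyyMMdd)"

# 3. Power on and record the machine SID before patching
Start-VM -VM $vm | Wait-Tools -TimeoutSeconds 600 | Out-Null
$sidBefore = Get-GuestMachineSid $vm

# 4. Patch manually or with your usual tooling, reboot as needed
Read-Host 'Patch the guest now, wait for the final reboot, then press Enter' | Out-Null

# 5. Confirm the SID did not change across the maintenance cycle
Wait-Tools -VM $vm -TimeoutSeconds 600 | Out-Null
$sidAfter = Get-GuestMachineSid $vm
if ($sidBefore -ne $sidAfter) { throw "Machine SID changed: $sidBefore -> $sidAfter" }
Write-Host "Machine SID unchanged: $sidAfter"

# 6. Clean shutdown, drop the snapshot, VM -> template
Stop-VMGuest -VM $vm -Confirm:$false | Out-Null   # Shutdown-VMGuest in older PowerCLI releases
while ((Get-VM -Id $vm.Id).PowerState -ne 'PoweredOff') { Start-Sleep -Seconds 5 }
Remove-Snapshot -Snapshot $snap -Confirm:$false
Set-VM -VM $vm -ToTemplate -Confirm:$false | Out-Null
```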



  • 6.  RE: Questions regarding Templates and patching templates

    Posted Sep 22, 2015 07:12 PM

    If you want to patch a template, you need to convert it to a VM and patch. If it's a template, patching is not required.