VMware Cloud Community
RCorgiat
Contributor

Questions regarding Templates and patching templates

I am having a discussion with a co-worker on when/if we should be patching our templates. We use templates for the OS only, no applications are installed. We simply built the VM, ran MS updates, set a few settings to match our environment and shut the VM down. We converted the VM to template and then use it to deploy new servers (Windows 2012 R2). We did not join to the domain before converting to template, it's just a basic server. When we deploy from the template, we do not do a custom deploy. We bring the new VM up, set the IP address info, run patches then join to the domain. I believe that we should be routinely converting the templates back to VMs and running MS updates every 2 or 3 months. My co-worker claims that doing this is no different than creating a template from a template and we will have issues with SIDs and other items. I'm hoping someone here can help me understand what direction we should be going.

Thanks in advance.

0 Kudos
5 Replies
greco827
Expert

Even though it is a template, you can have an IP assigned to it.  Once a month, or however often you want, you can convert it to a VM, power it on, patch it manually or via automated process, and then power it back off and convert it back to a template.  Only thing I would recommend is taking a snapshot prior to patching.  Otherwise, this is what the convert operation is made to do .... convert it back and forth from a template to a VM for maintenance.

If you find this or any other answer useful please mark the answer as correct or helpful https://communities.vmware.com/people/greco827/blog
0 Kudos
RCorgiat
Contributor

So converting the template back to a VM does nothing to change the SIDs or any other identifiers on the VM, correct? My co-worker is adamant that this should not be done.

0 Kudos
SARAVANAN_O
Enthusiast

If you want to patch a template, you need to convert it to a VM and patch it. If it's a template, patching is not required.

0 Kudos
mcrape
Enthusiast

If you apply customization when it is converted back to a VM, you can generate a new SID at that point.

Take a look at the guide here for some more details: https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.vm_admin.doc%2FGUID-F3E382A...

A relevant excerpt from the guide for you is: "Duplicate SIDs do not cause problems when the computers are part of a domain and only domain user accounts are used. However, if the computers are part of a Workgroup or local user accounts are used, duplicate SIDs can compromise file access controls".

Hopefully that helps.

0 Kudos
greco827
Expert

No, simply going from template to VM does not generate a new SID. Do it a few times and run PsGetSid. You should see the same results over and over unless you specifically run a customization script to generate a new one.

0 Kudos
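
The maintenance cycle described in the replies above (convert to VM, snapshot, patch, convert back), with a before/after machine SID comparison, as an added PowerCLI example that is not code from any participant in this thread. It assumes VMware PowerCLI with an existing `Connect-VIServer` session and VMware Tools in the guest; the template name, the snapshot name and the choice to delete the snapshot before converting back are assumptions.

```powershell
# Added example: template patch cycle with a machine-SID check before and after.
# Assumptions: PowerCLI is installed, Connect-VIServer has already been run,
# VMware Tools is installed in the guest. Names below are placeholders.
$templateName = 'W2012R2-Template'   # hypothetical template name
$snapshotName = 'pre-patch'          # hypothetical snapshot name
$guestCred    = Get-Credential -Message 'Local administrator inside the template'

# Guest-side script: the machine SID is any local account SID minus its final RID
# (the value PsGetSid reports for the computer). No double quotes are used because
# Invoke-VMScript wraps the text in its own quoting.
$sidScript = @'
$s = (Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' | Select-Object -First 1).SID; $s.Substring(0, $s.LastIndexOf('-'))
'@

function Get-GuestMachineSid($vm) {
    $result = Invoke-VMScript -VM $vm -ScriptText $sidScript `
        -ScriptType Powershell -GuestCredential $guestCred
    $result.ScriptOutput.Trim()
}

# 1. Template -> VM, then snapshot before anything changes.
$vm = Set-Template -Template (Get-Template -Name $templateName) -ToVM
New-Snapshot -VM $vm -Name $snapshotName -Description 'Before updates' | Out-Null

# 2. Power on, wait for VMware Tools, record the SID.
Start-VM -VM $vm | Out-Null
$vm = Wait-Tools -VM $vm -TimeoutSeconds 600
$sidBefore = Get-GuestMachineSid $vm

# 3. Patch manually (or call your own patch automation here instead of pausing).
Read-Host 'Apply Windows updates in the guest, reboot as needed, then press Enter'
$vm = Wait-Tools -VM (Get-VM -Name $templateName) -TimeoutSeconds 600
$sidAfter = Get-GuestMachineSid $vm

# 4. Stop and leave the VM and snapshot in place if the identity changed.
if ($sidBefore -ne $sidAfter) { throw "Machine SID changed: $sidBefore -> $sidAfter" }
Write-Host "Machine SID unchanged: $sidAfter"

# 5. Clean guest shutdown, drop the snapshot, convert back to a template.
Stop-VMGuest -VM $vm -Confirm:$false | Out-Null
while ((Get-VM -Name $templateName).PowerState -ne 'PoweredOff') { Start-Sleep -Seconds 5 }
Get-Snapshot -VM (Get-VM -Name $templateName) -Name $snapshotName |
    Remove-Snapshot -Confirm:$false
Set-VM -VM (Get-VM -Name $templateName) -ToTemplate -Confirm:$false | Out-Null
```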