Friday, 11 February 2011

How to Setup a Simple WSUS Server on Server 2008 R2

In its most basic form, a WSUS deployment consists of a single server on the local intranet, inside the DMZ and inside the Internet firewall. This server connects to Microsoft Update and downloads the available updates in a process called synchronization. You synchronize the WSUS server with the Windows Update servers on a regular basis, and on each run the WSUS server checks which available updates it does not yet have and fetches them. The initial synchronization takes an extended period of time even if your Internet connection is fast, and longer if it is not. Subsequent synchronizations are faster because the WSUS server only synchronizes the updates that have been made available since the last run.

WSUS uses ports 80 and 443 to obtain updates from the Microsoft Update servers. You can change them (which I have needed to do). Automatic Updates is the client-side part of a WSUS deployment, and it has to use the port assigned to the WSUS web site in IIS. If no other web sites are running on the server where you install WSUS, you can choose to use the default web site (port 80) or a custom web site and port.

WSUS on Server 2008 R2 uses Computer Groups to target the client machines that require updates. There are two default groups: All Computers and Unassigned Computers. You can create additional groups and assign specific computers to them so that WSUS can target specific client needs.

WSUS servers can be chained together in larger networks, in one of two modes:
  1. In autonomous mode, the upstream server, or the server connected to Microsoft Update, shares synchronization information with its downstream partner but does not share its computer group information. This way, the available updates are passed from WSUS server to WSUS server while maintaining the integrity of the individual computer groups.
  2. In replica mode, the upstream server shares its synchronization information and its computer group information with its downstream partners. The downstream partners hold the same information and are thus functional replicas of the upstream WSUS server.
Servers/Clients Not Connected to the Network
If you have machines that live in isolation, you can export the updates to external media (flash drive, CD, etc.) and sneakernet them to the isolated network. You then import the updates into an isolated WSUS server and deploy the updates from there.

Space Requirements - Keep it Local
Microsoft recommends at least 20GB of local storage as a minimum and actually recommends 30GB. Keep in mind that these numbers are only estimates and could go higher than 30GB depending on your network needs and particular situation. A minimum of 1GB free space on the system partition is recommended, and a minimum of 2GB free space on the volume on which the database files will be stored.

WSUS uses the Background Intelligent Transfer Service 2.0 (BITS 2.0) protocol for all of its file transfers. Each time files are downloaded from servers to clients, they are moved using “spare” bandwidth. This technology also makes it possible to resume a download after the computer is restarted, even if the computer was shut down in the middle of the download.

Software Requirements
Before installing WSUS in your environment, you must ensure that both the WSUS server(s) and clients meet the minimum software requirements.

The WSUS servers must have at least the following installed:
  • Windows Server 2003 with Service Pack 1, Windows Server 2008, or Windows Server 2008 R2.
  • Internet Information Services (IIS).
  • Windows Installer 3.1 or newer.
  • .NET Framework 2.0 or newer.
  • If you are using a separate database server, you must have a computer installed that is running SQL Server 2005 with Service Pack 2 or newer. We will use an Internal Database.
To run the WSUS Administration Console, you must have the following installed:
  • Windows XP with Service Pack 2, Windows Vista, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows 7
  • Microsoft Management Console 3.0
  • Microsoft Report Viewer Redistributable 2005
WSUS clients must be running one of the following operating systems:
  • Windows 7
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003
  • Windows Vista
  • Windows XP
  • Windows 2000 with Service Pack 4
The Windows Internal Database does not support remote connections, so you will not be able to install the WSUS Administration Console on another computer if you are using the Windows Internal Database.

Configuring Prerequisites for WSUS 3.0
You will need to install IIS and the Report Viewer 2008 SP1 Redistributable (at time of writing).
  1. Log on to the computer as a member of the local Administrators group
  2. Select Start > Administrative Tools > Server Manager.
  3. In the Roles Summary section, click Add Roles.
  4. On the Before You Begin page, click Next.
  5. Select the Web Server (IIS) check box, click Add Required Features, and then click Next.
  6. Read the Web Server (IIS) page. On the Select Role Services page, ensure that only the following check boxes are selected:
  • Static Content
  • Default Document
  • .NET Extensibility
  • ISAPI Extensions
  • ISAPI Filters
  • Windows Authentication
  • Request Filtering
  • Dynamic Content Compression
  • IIS 6 Metabase Compatibility
  7. Click Install. This may take a few minutes to complete.
  8. When the installation is complete, click Close.
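The same role services can be installed and, more usefully, checked from an elevated PowerShell prompt. The script below is an added example and is not part of the original post; it assumes the ServerManager module that ships with Server 2008 R2 (where the cmdlet is Add-WindowsFeature, not Install-WindowsFeature). The point of Test-WsusIisPrereqs is the "only the following check boxes" instruction above: it reports any IIS role service that is installed but not on that list, so the WSUS web site does not end up carrying extra IIS functionality it does not need.

```powershell
# Added example, not from the original post. Installs exactly the IIS role
# services listed above on Server 2008 R2 and reports anything extra.
Import-Module ServerManager

# Feature names that correspond to the check boxes in the Add Roles wizard.
# Listing the role services (not 'Web-Server') avoids pulling in the role's
# default set, such as Directory Browsing and HTTP Errors, which the post
# says to leave unselected. The parent role is added as a dependency.
$Required = @(
    'Web-Static-Content',  # Static Content
    'Web-Default-Doc',     # Default Document
    'Web-Net-Ext',         # .NET Extensibility
    'Web-ISAPI-Ext',       # ISAPI Extensions
    'Web-ISAPI-Filter',    # ISAPI Filters
    'Web-Windows-Auth',    # Windows Authentication
    'Web-Filtering',       # Request Filtering
    'Web-Dyn-Compression', # Dynamic Content Compression
    'Web-Metabase'         # IIS 6 Metabase Compatibility
)

function Install-WsusIisPrereqs {
    $result = Add-WindowsFeature -Name $Required
    if (-not $result.Success) {
        throw "Role service installation failed (exit code $($result.ExitCode))"
    }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'A restart is required before installing the WSUS role.'
    }
    $result
}

function Test-WsusIisPrereqs {
    # Every IIS feature, installed or not
    $web = Get-WindowsFeature | Where-Object { $_.Name -like 'Web-*' }

    # Required role services that are not installed
    $missing = $Required | Where-Object {
        $name = $_
        -not ($web | Where-Object { $_.Name -eq $name -and $_.Installed })
    }

    # Installed leaf role services (no sub-features, so not a container node)
    # that the list above does not ask for
    $extra = $web | Where-Object {
        $_.Installed -and -not $_.SubFeatures -and ($Required -notcontains $_.Name)
    } | ForEach-Object { $_.Name }

    New-Object PSObject -Property @{ Missing = @($missing); Extra = @($extra) }
}

Install-WsusIisPrereqs | Out-Null
$check = Test-WsusIisPrereqs
if ($check.Missing.Count -gt 0) {
    Write-Warning "Missing role services: $($check.Missing -join ', ')"
}
if ($check.Extra.Count -gt 0) {
    Write-Warning "Installed but not on the list: $($check.Extra -join ', ')"
}
if ($check.Missing.Count -eq 0 -and $check.Extra.Count -eq 0) {
    'IIS role services match the WSUS prerequisite list.'
}
```

Run Test-WsusIisPrereqs on its own on an existing server before adding WSUS to it; the Extra list is only a warning, since a server that already hosts other sites may legitimately need more than the minimum set.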

Finally, you can install the Report Viewer 2008 SP1 Redistributable
  1. Download the Microsoft Report Viewer Redistributable from
  2. Double-click ReportViewer.exe, and then click Next to start the installation.
  3. Select the “I have read and accept the license terms” check box, and then click Install.
  4. When the installation is complete, click Finish
Installing and Configuring WSUS 3.0
WSUS 3.0 is packaged as a stand-alone installer available from the Microsoft Download Center. On Server 2008 R2 (that's what we're using here) it is included as a role:
  1. Log on to the computer as a member of the local Administrators group
  2. Select Start > Administrative Tools > Server Manager.
  3. In the Roles Summary section, click Add Roles.
  4. Select the WSUS role and click Next (this might take a while).
  5. Click Install
  6. On the Welcome to the Windows Server Update Services 3.0 SP2 Setup Wizard page, click Next.
  7. Select the I Agree radio button and click Next.
  8. Select the appropriate Update Source (Store Updates Locally).
  9. Select Install Windows Internal Database on this Computer and leave the default path.
  10. Select Create a Windows Server Update Services 3.0 SP2 Web Site (NB: this site listens on port 8530).
  11. Click Next and Finish.
  12. On the Windows Server Update Services Configuration Wizard, consider your firewall settings and Internet connectivity and click Next.
  13. On the Join the Microsoft Update Improvement Program page, deselect the check box and click Next.
  14. On Choose Upstream Server, choose to synchronize from Microsoft Update.
  15. On Specify Proxy Server, do not configure a proxy and click Next.
  16. On Connect to Upstream Server, click Start Connecting.
  17. On Choose Languages, select Download updates only in these languages and select English.
  18. On Choose Products, choose your update types. By default, WSUS chooses all Windows and Microsoft Office updates.
  19. Choose the classification of updates. By default, WSUS chooses only critical updates, definition updates, and security updates. Click Next.
  20. On the Set Sync Schedule page, choose the “Synchronize manually” option, and then click Next. If you would rather choose automatic synchronization, you can do it from this step in the configuration wizard.
  21. On the Finished page, click Finish to launch the WSUS Administration Console and begin initial synchronization.

Pointing Your Clients to the WSUS Server
Client computers use the Windows automatic updating client to receive WSUS updates and can be configured by using a Group Policy object.
  1. In the Group Policy Object Editor, navigate to Computer Configuration\Administrative Templates\Windows Components\Windows Update.
  2. Double-click Configure Automatic Updates, and then select the Enabled option.
    > For the “Configure automatic updating” box, select the appropriate setting. The choices are “Notify for download and notify for install,” “Auto download and notify for install,” “Auto download and schedule the install,” and “Allow local admin to choose setting.”
      > If you choose “Auto download and schedule the install,” you must enter the day and time for which the updates are scheduled.

The other GPO configuration needed is "Specify Intranet Microsoft Update Location". Supply the server FQDN in both fields as shown below.
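The two policies above land on each client as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, which is the easiest place to check whether a client is actually pointed at the WSUS server. The script below is an added example and not part of the original post. It writes the same values locally (handy for a lab box that is not domain-joined; on a domain member the GPO overwrites them at the next refresh, so run only Test-WsusClientConfig there) and then verifies them. The server name wsus01.example.local is a placeholder; the port is the 8530 web site created during setup, so the URL must carry the port or the client will talk to the default site instead.

```powershell
# Added example, not from the original post. Mirrors the two Windows Update
# GPO settings as local policy on one client and verifies the result.
$WsusUrl   = 'http://wsus01.example.local:8530'   # placeholder FQDN + WSUS site port
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

# AUOptions values, in the order the "Configure Automatic Updates" policy lists them
$AuOptions = @{
    NotifyDownloadNotifyInstall = 2
    AutoDownloadNotifyInstall   = 3
    AutoDownloadScheduleInstall = 4
    LocalAdminChooses           = 5
}

function Set-WsusClientConfig {
    param(
        [string]$Url = $WsusUrl,
        [int]$Option = $AuOptions.AutoDownloadScheduleInstall,
        [int]$InstallDay  = 0,   # 0 = every day, 1 = Sunday ... 7 = Saturday
        [int]$InstallHour = 3    # 0-23, local time
    )
    foreach ($k in $PolicyKey, $AuKey) {
        if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    }
    # "Specify intranet Microsoft update service location": both fields
    Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $Url -Type String
    Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $Url -Type String
    # "Configure Automatic Updates": Enabled, with the chosen option
    Set-ItemProperty -Path $AuKey -Name UseWUServer  -Value 1       -Type DWord
    Set-ItemProperty -Path $AuKey -Name NoAutoUpdate -Value 0       -Type DWord
    Set-ItemProperty -Path $AuKey -Name AUOptions    -Value $Option -Type DWord
    if ($Option -eq $AuOptions.AutoDownloadScheduleInstall) {
        # Only option 4 needs a day and time
        Set-ItemProperty -Path $AuKey -Name ScheduledInstallDay  -Value $InstallDay  -Type DWord
        Set-ItemProperty -Path $AuKey -Name ScheduledInstallTime -Value $InstallHour -Type DWord
    }
}

function Test-WsusClientConfig {
    param([string]$ExpectedUrl = $WsusUrl)
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    $problems = @()
    if (-not $wu -or $wu.WUServer -ne $ExpectedUrl) {
        $problems += "WUServer is '$($wu.WUServer)', expected '$ExpectedUrl'"
    }
    if (-not $wu -or $wu.WUStatusServer -ne $ExpectedUrl) {
        $problems += "WUStatusServer is '$($wu.WUStatusServer)', expected '$ExpectedUrl'"
    }
    if (-not $au -or $au.UseWUServer -ne 1) {
        $problems += 'UseWUServer is not 1: the client will still use Microsoft Update directly'
    }
    if (-not $au -or (2..5) -notcontains $au.AUOptions) {
        $problems += "AUOptions is '$($au.AUOptions)', expected 2, 3, 4 or 5"
    }
    if ($au -and $au.NoAutoUpdate -eq 1) {
        $problems += 'NoAutoUpdate is 1: Automatic Updates is disabled on this client'
    }
    if ($problems.Count -eq 0) {
        "OK: client points at $ExpectedUrl (AUOptions=$($au.AUOptions))"
    } else {
        $problems | ForEach-Object { "PROBLEM: $_" }
    }
}

Set-WsusClientConfig
Test-WsusClientConfig

# Re-read policy and check in with the WSUS server now rather than waiting for
# the next detection cycle, so the machine shows up under Unassigned Computers
gpupdate /target:computer /force | Out-Null
wuauclt /resetauthorization /detectnow
```

The NoAutoUpdate check is there because a stale local setting that disables Automatic Updates would leave the client pointed at the right server but never checking in, which looks identical in the console to a client that never got the GPO.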

Once the clients have restarted and picked up the above configuration, they will appear in the Unassigned Computers group. You can create additional groups and move these computers into those groups. You can then approve updates to the various groups.
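The computer-group and approval steps just described, and the Computer Groups overview earlier in the post, can also be driven through the WSUS 3.0 administration API from PowerShell. The script below is an added example, not part of the original post or of WSUS itself. It assumes it is run on the WSUS server (the Windows Internal Database chosen during setup does not accept remote console connections), that the server listens on the custom web site port 8530 created during setup, and that the group name and computer name pattern are placeholders to adjust. It moves matching clients out of Unassigned Computers into a named group and approves not-yet-approved security and critical updates (the classifications synchronized by default) for that group, with a -WhatIf switch to list what would be approved first.

```powershell
# Added example, not from the original post. Uses the WSUS 3.0 SP2
# administration API on the WSUS server itself.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

# Connect through the WSUS web site port; $false = plain HTTP, as set up above
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('localhost', $false, 8530)

# Sanity check before touching approvals: did the last synchronization succeed?
$sync = $wsus.GetSubscription().GetLastSynchronizationInfo()
'Last synchronization ended {0} with result {1}' -f $sync.EndTime, $sync.Result

function Get-OrCreateTargetGroup {
    param([string]$Name)
    $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $Name }
    if (-not $group) { $group = $wsus.CreateComputerTargetGroup($Name) }
    $group
}

function Move-UnassignedComputers {
    # Moves clients still in "Unassigned Computers" whose FQDN matches $Pattern
    param([string]$Pattern, [string]$GroupName)
    $unassigned = $wsus.GetComputerTargetGroups() |
        Where-Object { $_.Name -eq 'Unassigned Computers' }
    $target = Get-OrCreateTargetGroup -Name $GroupName
    $moved = @()
    foreach ($c in $unassigned.GetComputerTargets()) {
        if ($c.FullDomainName -like $Pattern) {
            # A computer leaves Unassigned Computers as soon as it has an explicit group
            $target.AddComputerTarget($c)
            $moved += $c.FullDomainName
        }
    }
    $moved
}

function Approve-SecurityUpdates {
    # Approves unapproved Security and Critical updates for install to one group,
    # skipping declined or superseded ones
    param([string]$GroupName, [switch]$WhatIf)
    $group = Get-OrCreateTargetGroup -Name $GroupName
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
    $wanted = 'Security Updates', 'Critical Updates'
    $wsus.GetUpdateClassifications() |
        Where-Object { $wanted -contains $_.Title } |
        ForEach-Object { $scope.Classifications.Add($_) | Out-Null }
    $approved = @()
    foreach ($u in $wsus.GetUpdates($scope)) {
        if ($u.IsDeclined -or $u.IsSuperseded) { continue }
        if (-not $WhatIf) {
            if ($u.RequiresLicenseAgreement) { $u.AcceptLicenseAgreement() }
            [void]$u.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group)
        }
        $approved += $u.Title
    }
    $approved
}

# Placeholder pattern and group name; adjust to your naming scheme
Move-UnassignedComputers -Pattern 'ws-*.example.local' -GroupName 'Workstations'
# Dry run first: list what would be approved, then rerun without -WhatIf
Approve-SecurityUpdates -GroupName 'Workstations' -WhatIf
```

Approving to a pilot group such as the one created here, and only to All Computers after those machines report back cleanly, is the reason the post recommends creating groups rather than approving everything at once.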

1 comment:

1. Andrew, is there a way to configure both Windows Updates and Forefront Client Security Updates from the same WSUS server and GPOs?