Deploying and Managing Microsoft Windows Server Update Services 3.0 Server
Michael Kleef, Technology Advisor
Blogs.technet.com/mkleef
3/31/2017 5:38 PM
Presentation transcript:
Slide 3: WSUS 3.0 Goals
- Build on the momentum of Windows Server Update Services (WSUS) 2.0
  - WSUS 2.0 Ranked as #1 Patch Management Product by readers of Windows IT Pro magazine
- Continue to provide a simple, low cost, solution for distributing Microsoft Updates to Windows
- Address top customer asks and feedback
- Enhance the infrastructure to support advanced management products
  - Microsoft System Center Configuration Manager 2007
  - Microsoft System Center Essentials
  - Third-party products
- Support Windows Vista and Windows Server 2008 (Beta 3)
Slide 5: Supported Platforms
- Installing the WSUS Server requires:
  - Windows 2003 SP1+ (full support), Windows Server beta3+ (beta support)
  - SQL Server 2005 SP1+ (only if using full SQL)
  - Internet Information Services 6.0
  - .NET Framework 2.0
  - MMC 3.0
  - Report Viewer
- The server can manage:
  - Windows 2000 SP4, Windows XP SP1, Vista
  - Windows Server 2003, Windows Server 2008 beta3
- x86 and x64 support parity
- All supported Windows locales
X64 support is native, not mixed mode. Even though the server uses .NET 2.0, WSUS 3.0 will ship with the WSUS 2.0 API set that works against .NET 1.1 for backward compatibility with custom applications that were written for WSUS 2.0. wYukon is the replacement for the wMSDE database.
Slide 6: The Administration Console
- MMC 3.0 based
- Local and remote options
- Key Capabilities
  - Update Management
  - Computer Management
  - Administrative tasks (Notifications, To do tasks)
  - Reports
  - Multi-server management
  - Server Maintenance
Slide 7: Update Management - Basics
- Server Default is to auto-approve all updates for detection
- Recommendation
  - Configure auto-approvals for Critical, security and definition updates
  - Configure desktops to be scheduled installation every day (with “immediate installation” enabled)
  - Configure servers for download and notify
  - Use sample scripts to control server install behaviors
Slide 11: Server Maintenance
- WSUS servers require very little ongoing maintenance
- Three key areas:
  - Client computers
    - Dynamic environments will need to manage computers appearing and disappearing
  - Update content
    - Purging of superseded/expired/declined content
  - Database
    - Backup
    - Defragmentation of indexes
Slide 12: Server Maintenance - Computers
- Why clean up clients?
  - Computers enter and leave the environment due to repurposing or retirement
  - Stale computers will slow reporting, increase DB size, and add unneeded “noise”
- Simplest approach is to use the Server Cleanup Wizard
  - Will remove computers that have not contacted the server in 30 days
- API samples available for finer control
  - Clean Stale Computers
  - Populate computers from AD
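An added example (not one of the API samples the slide refers to, and not from the presentation) of the "finer control" the WSUS administration API gives over stale computers: it lists every computer target that has not synchronized within a cutoff and deletes them only when asked. The `-StaleDays` and `-Delete` parameters are names chosen for this sketch; it assumes it is run elevated on the WSUS server or on a machine with the administration console installed.

```powershell
# Added example: report, and optionally delete, stale WSUS computer targets.
param(
    [int]$StaleDays = 30,   # same threshold the Server Cleanup Wizard uses per the slide
    [switch]$Delete         # hypothetical switch: without it the script only reports
)

# Load the WSUS administration API and connect to the local server.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# WSUS stores timestamps in UTC, so compare against a UTC cutoff.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleDays)

# Targets that registered but never synchronized carry a minimum-value
# LastSyncTime and are therefore reported as stale too.
$stale = @($wsus.GetComputerTargets() |
    Where-Object { $_.LastSyncTime -lt $cutoff } |
    Sort-Object LastSyncTime)

Write-Output "Computers with no sync since $cutoff (UTC): $($stale.Count)"
foreach ($c in $stale) {
    Write-Output ("{0}`t{1}`tlast sync {2}" -f $c.FullDomainName, $c.IPAddress, $c.LastSyncTime)
}

if ($Delete) {
    foreach ($c in $stale) {
        Write-Output "Deleting $($c.FullDomainName)"
        $c.Delete()   # removes the target and its reporting data from this server
    }
}
```

Review the report before using `-Delete`; in a hierarchy, run it from the bottom up, as the best-practices slide advises for computer cleanup.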
Slide 13: Server Maintenance - Updates
- Why?
  - Unapproving or Declining updates does not delete update content
  - Remove content for superseded updates that you no longer need
  - Reduce disk space requirements
- From the UI, unapprove superseded updates that are not needed by any computers
- Run the Server Cleanup Wizard, which will delete:
  - Metadata for expired updates that haven’t been approved for 90 days
  - Old revisions of updates
  - Unneeded files for updates that are not in use on the server and are not needed by a Downstream Server
  - Decline expired updates that are unneeded and have been unapproved for at least 30 days
Slide 14: Server Maintenance - Database
- Periodically defrag the DB
- Have a disaster recovery plan
  - Many customers' plan is to reinstall
  - Alternative is to back up the server database:
    - For the Windows Internal Database you will have to run a SQLCMD script to back up the database
    - Download the SQL Management Studio for easier management of the Windows Internal Database or SQL Express.
    - Location of the WID backup: %windir%\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig\WSUSSignDb.*
Slide 15: Backup and Defragmenting
- Backup Windows Internal Database:
    SQLCMD -S np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query -E -Q "backup database SUSDB to disk='c:\susdb.bak'"
- Index Defrag example: server/susvvb01.mspx?mfr=true
Slide 16: Server Maintenance – Best Practices
- Run the Cleanup wizard:
  - Periodically, especially after rolling out a new SP
  - After 2.0 -> Upgrade
- Computers:
  - Clean up from the bottom of your hierarchy to the top
- Updates:
  - Always start at the top of the hierarchy and work down
  - Content deletion does not replicate!
- Have a Disaster Recovery plan
Slide 18: Server Monitoring
- Use the MOM 2005 WSUS Management pack for advanced monitoring needs
  - Provides alerts and health information for the server
  - Limited monitoring of individual client health
- Monitors
  - Database health – Series events
  - Core server component health – series events
    - Content sync agent
    - Meta data sync agent
Slide 19: Server Monitoring
- Monitors cont.
  - Web service health – 12000 series events
    - Reporting Web Service – 12000
    - API remoting Web Service – 12010
    - Client Web Service – 12020
    - Server Sync Web Service – 12030
    - SimpleAuth Web Service – 12040
    - DSS Auth Web Service
  - Clients – series events
    - Alerts if clients have a >10% failure rate for updates
    - Self update failures
Slide 20: Server Troubleshooting
- Server
  - Reports
  - Sync Reports
  - Computers and Updates reports
  - SoftwareDistribution.log
  - Change log
- Clients
  - Update and Computer reports
  - Client WindowsUpdate.log
- Custom Reporting from APIs and client log collections
- Use Server Diagnostics Tool to check the server
Slide 21: Lessons learned - Common Client Issues
- Client “Not Yet Reported”
  - Two main issues
    - Self Update failing
    - Can't contact the server properly
  - Usually latency issue
  - Wuauclt /detectnow
  - Rare cases require client reset
- Automatic Update Agent not updating
  - Permissions on directory
  - Wrong port specified in GP
  - Versions less than indicates AU version 1.0 is installed
Slide 22: Lessons learned - Process to check client
- Run Client Diagnostics Tool
- Check WUAU version
- Confirm ports in GP match the server itself
- Gpupdate /force
- Run a wuauclt.exe /detectnow and wait….
- Look in the windowsupdate.log
  - Check for any errors
- wuauclt.exe /resetauthorization /detectnow
- Wait….
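The client check above as one script, added here as an example and not taken from the presentation. `$ExpectedServer` is a placeholder URL, the five-minute wait is an arbitrary choice, and the script assumes a client of the era the slides cover, where `%windir%\WindowsUpdate.log` is a plain-text file. It does not run the Client Diagnostics Tool, which is a separate download.

```powershell
# Added example: WSUS client health check. Run elevated on the client.
param([string]$ExpectedServer = 'http://wsus.example.local:8530')  # placeholder URL and port

# Check the agent version via the Windows Update Agent engine DLL.
$wua = (Get-Item "$env:windir\System32\wuaueng.dll").VersionInfo.FileVersion
Write-Output "Windows Update Agent version: $wua"

# Refresh Group Policy, then confirm the applied server URLs (including the
# port) match the WSUS server itself.
gpupdate /force | Out-Null
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$mismatch = $false
foreach ($name in 'WUServer', 'WUStatusServer') {
    $value = $policy.$name
    if ($value -ne $ExpectedServer) {
        Write-Warning "$name is '$value', expected '$ExpectedServer'"
        $mismatch = $true
    } else {
        Write-Output "$name OK: $value"
    }
}
if ($mismatch) { return }   # fix the GPO first; detection would hit the wrong endpoint

# Trigger detection and give the agent time to contact the server.
wuauclt.exe /detectnow
Start-Sleep -Seconds 300

# Look in WindowsUpdate.log for warnings and fatal errors from this run.
$hits = @(Select-String -Path "$env:windir\WindowsUpdate.log" -Pattern 'WARNING:|FATAL:' |
    Select-Object -Last 20)
if ($hits.Count -gt 0) {
    $hits | ForEach-Object { Write-Output $_.Line }
    # Errors found: discard the cached server cookie and detect again.
    wuauclt.exe /resetauthorization /detectnow
} else {
    Write-Output 'No recent warnings or fatal errors in WindowsUpdate.log'
}
```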
Slide 23: Lessons learned - If the client has lost the plot…
- Stop the Automatic Updates Service
- Delete the SoftwareDistribution Directory
- Delete the reg keys
  - Go to: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
  - PingID
  - AccountDomainSid
  - SusClientId
- Delete the client record in WSUS
- Restart the Automatic Updates Services
- Wuauclt /detectnow
- Wait 20mins…
- Recheck logs
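The client reset above as a script, added here as an example and not part of the presentation. It prints the old SusClientId before removing it so the matching record can be found and deleted in the WSUS console, which remains a manual server-side step. It assumes an elevated session on the affected client.

```powershell
# Added example: full WSUS client reset, following the slide's steps in order.
$wuKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$sdDir = Join-Path $env:windir 'SoftwareDistribution'

# Stop the Automatic Updates service so its files and keys are not in use.
Stop-Service -Name wuauserv -Force

# Record the current client ID; it identifies this machine's record in WSUS.
$oldId = (Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue).SusClientId
Write-Output "Old SusClientId: $oldId"

# Delete the SoftwareDistribution directory (download cache and local
# datastore). The service recreates it on start.
if (Test-Path $sdDir) {
    Remove-Item -Path $sdDir -Recurse -Force
}

# Delete the three identity values listed on the slide, if present.
foreach ($name in 'PingID', 'AccountDomainSid', 'SusClientId') {
    if (Get-ItemProperty -Path $wuKey -Name $name -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $wuKey -Name $name
        Write-Output "Removed $name"
    }
}

# Server-side step, done by hand: delete this client's record in the WSUS
# console before the client reports in again.
Read-Host 'Delete the client record in WSUS, then press Enter'

# Restart the service and trigger detection; the agent generates a new ID.
Start-Service -Name wuauserv
wuauclt.exe /detectnow
Write-Output 'Detection requested. Wait about 20 minutes, then recheck the logs.'
```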
Slide 24: Deployment Architectures
- Common network architectures
  - Single server
  - Remote SQL
  - BITS Peer Caching
  - NLB
  - WSUS Hierarchies
  - Branch Office
Slide 25: Single Server
- A single server can support up to 25k clients
  - Console-only install for remote administration (e.g., from XP or Vista clients)
  - Read-only WSUS access to non-admin members of the “WSUS Reporters” group
- Point machines to the server via Group Policy
  - No need to deploy clients; the built-in WUA will “self-update” from the server on next sync
  - Variety of WUA policies available, including sync rate (recommend twice/day), scheduled install (recommend daily for desktops), and reboot behavior (can’t postpone reboots indefinitely because it’s not safe/supported)
  - Enable BITS peer-caching policy for efficient network use. Internal MSFT deployment had 70% cache-hit rate.
Slide 26: Advanced Deployment Options
- SQL 2005 SP1
  - WSUS3 has a unified front-end/back-end setup
  - No performance gain over built-in/default “Windows Internal Database” option
  - Each WSUS client requires a SQL CAL
  - Recommendation: Use only if available/convenient
- NLB
  - Provides redundancy/no single-point of failure – not scale up.
  - Multiple front-ends all point to the same SQL backend and shared content folder
  - Recommendation: Use only if required since it’s easy to just rebuild a failed WSUS server
Slide 27: WSUS Hierarchies
- Used for scale-out or branch office support
  - Autonomous servers get update binaries and metadata from parent “upstream” server (USS)
  - Replica children also get approvals from USS
- New WSUS3 features for hierarchies
  - Reporting roll-up across replicas
  - More granular sync schedule; up to hourly
  - Toggle replica mode
  - Downstream Server (DSS) can sync a subset of USS language binaries
  - DSS can get approvals from USS and binaries from MU; useful if DSS has broadband internet connection but only narrowband to USS
Slide 28: Disconnected servers/DMZ
- Same support as for WSUS2
- Need one server to sync updates from MU
- Transfer updates to disconnected server:
  - Make sure language and binary file settings match
  - Export/import content folder via ntbackup
  - Export/import metadata via WsusUtil.exe (shipped with WSUS); export, import, reset
  - Export/import approvals and target groups via WsusMigrate SDK sample
Slide 29: Upgrade Scenarios
- From SUS1
  - Not directly supported
- Upgrading a single server
  - In-place upgrade: WSUS2->WSUS3 on a single server
  - Migration upgrade: WSUS2->WSUS3 on different servers
- Upgrading a server hierarchy
  - Connected servers
  - Disconnected servers
Slide 30: In-place Upgrade
- Simply install WSUS3 on same server as WSUS2
  - In-place upgrade preserves settings, updates, and approvals
  - Customized IIS settings must be re-applied after the upgrade (port, SSL, host headers).
  - Clients “self-update” next time they sync
- Watch out:
  - Uninstalling WSUS3 will not bring back WSUS2
  - If using SQL 2000, setup will fail; use migration upgrade
  - If using remote SQL 2005, need to first uninstall the backend (leave DB behind), then upgrade
    - Because WSUS3 has unified frontend/backend setup.
Slide 31: Migration Upgrade
- Install WSUS3 on a new server
- Migrate updates and approvals:
  - Export/import content folder via ntbackup
  - Sync the WSUS3 server to get the latest metadata
  - Export/import approvals and target groups via WsusMigrate SDK sample
- Point clients to the new server
  - Change GPO to point clients to the new server/port
  - Clients will “self-update” next time they sync
Slide 32: Upgrading a Hierarchy
- Upgrade must be performed top-down
  - Watch-out: WSUS 2.0 Servers can synchronize updates from a 3.0 Server (but not vice versa)
  - Watch-out: DSS must be WSUS2 SP1 or have KB installed (else replica sync may fail after USS upgrade)
- Post-upgrade, take advantage of new WSUS3 deployment options
  - Reporting rollup (on by default)
  - DSS can sync a subset of language
  - DSS sync from MU but host locally (for narrowband connections to USS)
  - Can synch more frequently
Slide 33: Configuration Manager 2007
- Software Update Management (SUM) built on WSUS 3
  - Full Microsoft update catalog
  - Can also manage non-Microsoft software updates
- Included as Managed Server role in site hierarchy
  - Full benefits of site management, Binary Delta Replication etc.
- No need to configure/manage WSUS directly