Managing a WSUS 3.0 Deployment
Agenda:
- Take-aways for maintaining a WSUS 3.0 server
- Deployment architectures
- Migration from WSUS 2 to WSUS 3
- Overview of WSUS 3 deployment for Configuration Manager 2007
- Build on the momentum of Windows Server Update Services (WSUS) 2.0; WSUS 2.0 was ranked the #1 patch management product by readers of Windows IT Pro magazine
- Continue to provide a simple, low-cost solution for distributing Microsoft updates to Windows
- Address top customer asks and feedback
- Enhance the infrastructure to support advanced management products: Microsoft System Center Configuration Manager 2007, Microsoft System Center Essentials, third-party products
- Support Windows Vista and Windows Server 2008 (Beta 3)
Simplicity:
- Initial configuration wizard
- MMC-based UI with advanced filtering and sorting
- Notification of new updates (and/or a compliance summary)
- Multiple, more granular auto-approval rules
- Integrated reporting rollup
- Cleanup wizard
- Access to more content: import from the Microsoft Update (MU) catalog site
Operational reliability:
- MOM pack
- Improved logging and audit logging
- NLB and SQL clustering
- Best practices
Deployment:
- Branch office / scale-out optimizations: language subsetting, content from MU, sync more frequently (up to hourly), toggle replica mode
- Integrated reporting rollup
- Read-only administrative role (WSUS Reporters)
- Enhanced targeting
- Upgrade path to SCE or Configuration Manager 2007
Performance:
- Native x64 support
- Vista BITS peer caching
- Scalability improvements
Installing the WSUS server requires:
- Windows Server 2003 SP1 or later (full support); Windows Server 2008 Beta 3 or later (beta support)
- SQL Server 2005 SP1 or later (only if using full SQL Server instead of the Windows Internal Database)
- Internet Information Services 6.0
- .NET Framework 2.0
- MMC 3.0
- Report Viewer
The server can manage:
- Windows 2000 SP4, Windows XP SP1, Windows Vista
- Windows Server 2003, Windows Server 2008 Beta 3
- x86 and x64 support parity
- All supported Windows locales
Administration console: MMC 3.0 based, with local and remote options
Key capabilities:
- Update management
- Computer management
- Administrative tasks (notifications, to-do tasks)
- Reports
- Multi-server management
- Server maintenance
Approvals
- Server default is to auto-approve all updates for detection only: clients report whether they need an update, but nothing is installed until you approve it
Recommendations:
- Configure auto-approval rules for Critical, Security and Definition updates
- Configure desktops for scheduled installation every day (with "immediate installation" enabled for updates that need no reboot or service interruption)
- Configure servers for download and notify, so an administrator controls when the install and reboot happen
- Use the sample scripts to control server install behavior
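The auto-approval recommendation above, as an added example that is not part of the deck: it creates (or reuses) an approval rule for the three recommended classifications through the WSUS 3.0 administration API, scoped to a named target group rather than "All Computers". It assumes it runs elevated on the WSUS server itself (local AdminProxy); the rule name and the "Desktops" group name are placeholders.

```powershell
# Added example (not from the deck): auto-approve Critical, Security and Definition
# updates for one target group via the WSUS 3.0 API. Run elevated on the WSUS server.
# Assumptions: $ruleName and $groupNames are placeholders for your environment.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

$ruleName   = "Auto-approve Critical, Security, Definition"   # assumed name
$wanted     = @("Critical Updates", "Security Updates", "Definition Updates")
$groupNames = @("Desktops")                                    # assumed target group(s)

# Reuse an existing rule of the same name instead of creating duplicates on each run
$rule = $wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $ruleName }
if (-not $rule) { $rule = $wsus.CreateInstallApprovalRule($ruleName) }

# Classifications: match by title against the list the server synchronized from MU
$classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$wsus.GetUpdateClassifications() |
    Where-Object { $wanted -contains $_.Title } |
    ForEach-Object { [void]$classes.Add($_) }
if ($classes.Count -ne $wanted.Count) {
    throw "Only $($classes.Count) of $($wanted.Count) classifications found; has the server synchronized yet?"
}
$rule.SetUpdateClassifications($classes)

# Target groups: approve only for the named groups, so servers keep download-and-notify
$groups = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
$wsus.GetComputerTargetGroups() |
    Where-Object { $groupNames -contains $_.Name } |
    ForEach-Object { [void]$groups.Add($_) }
if ($groups.Count -eq 0) { throw "Target group(s) not found: $groupNames" }
$rule.SetComputerTargetGroups($groups)

$rule.Enabled = $true
$rule.Save()
"Rule '{0}' enabled for {1} classification(s) and {2} group(s)" -f $rule.Name, $classes.Count, $groups.Count
```

The rule fires on the next synchronization; updates already on the server are not approved retroactively unless you run the rule from the console. Keeping servers out of the target group list is what makes the "download and notify" recommendation for servers hold.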
Reporting
- Rich set of deployment status reports: per update, per group of computers or single computer, by approval type
- Centralized reporting: update deployment status across all servers in an organization (roll-up), with drill-down
- Read-only report access through the new WSUS Reporters user role
- Proactive status through configurable notifications
- Export reports to XLS or PDF
WSUS servers require very little ongoing maintenance. Three key areas:
- Client computers: dynamic environments will need to manage computers appearing and disappearing
- Update content: purging of superseded, expired and declined content
- Database: backup, and defragmentation of indexes
Why clean up clients?
- Computers enter and leave the environment due to repurposing or retirement
- Stale computers slow reporting, increase DB size and add unneeded noise
- Simplest approach is the Server Cleanup Wizard, which removes computers that have not contacted the server in 30 days
- API samples are available for finer control: Clean Stale Computers, Populate Computers from AD
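The "finer control" case, as an added example that is not one of the SDK samples the slide refers to: it lists every computer whose last contact with the server is older than a threshold (30 days by default, matching the wizard) and deletes them only when asked. It assumes it runs elevated on the WSUS server; the -Days and -Delete parameters are this script's own, not WSUS options.

```powershell
# Added example (not from the deck): report, and optionally delete, computers that have
# not contacted this WSUS server for $Days days. Run elevated on the WSUS server.
# Assumptions: -Days and -Delete are parameters of this sample, not of the WSUS API.
param(
    [int]$Days = 30,
    [switch]$Delete
)
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$cutoff = (Get-Date).AddDays(-$Days)

# LastSyncTime is the last time the client talked to the server at all;
# LastReportedStatusTime is the last time it sent results. Treat a computer as
# stale only when both are older than the cutoff, so a machine that syncs but
# fails to report is surfaced as a reporting problem rather than silently deleted.
$stale = @($wsus.GetComputerTargets() | Where-Object {
    $_.LastSyncTime -lt $cutoff -and $_.LastReportedStatusTime -lt $cutoff
})

$stale | Select-Object FullDomainName, LastSyncTime, LastReportedStatusTime | Format-Table -AutoSize
"{0} computer(s) have not contacted the server since {1:yyyy-MM-dd}" -f $stale.Count, $cutoff

if ($Delete) {
    foreach ($c in $stale) {
        # Delete() removes the record, its status history and group memberships on this
        # server only. A machine that is still alive simply re-registers on its next
        # detection cycle, so the worst case of a false positive is a gap in history.
        $c.Delete()
        "Deleted $($c.FullDomainName)"
    }
}
```

Run it without -Delete first and reconcile the list against AD or the CMDB; a machine that is present in AD but stale here usually has a client-side problem (see the client troubleshooting slides) rather than being retired.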
Why clean up update content?
- Unapproving or declining updates does not delete update content
- Remove content for superseded updates that you no longer need, to reduce disk space requirements
- From the UI, unapprove superseded updates that are not needed by any computer
- Then run the Server Cleanup Wizard, which will:
  - delete metadata for expired updates that haven't been approved for 90 days
  - delete old revisions of updates
  - delete unneeded files for updates that are not in use on the server and are not needed by a downstream server
  - decline expired updates that are unneeded and have been unapproved for at least 30 days
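Both steps on this slide, as an added example that is not from the deck: step 1 unapproves superseded updates that no computer still reports as needed (the manual UI step), and step 2 runs the wizard's update and content actions through the API's cleanup manager so the job can be scheduled. Computers are deliberately excluded from the scope so that stale-computer removal stays a separate, reviewed task. It assumes it runs elevated on the WSUS server; $DryRun is this script's own switch.

```powershell
# Added example (not from the deck): unapprove unneeded superseded updates, then run the
# Server Cleanup Wizard's update/content steps via ICleanupManager. Run elevated on the server.
# Assumption: $DryRun is this sample's own guard; set it to $false after reviewing the output.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$DryRun = $true

# Step 1: unapprove superseded updates that no computer still needs.
# "Needed" = any computer reporting not-installed, downloaded, failed or pending-reboot.
$superseded = $wsus.GetUpdates() | Where-Object { $_.IsSuperseded -and $_.IsApproved -and -not $_.IsDeclined }
$unapproved = 0
foreach ($u in $superseded) {
    $s = $u.GetSummary()
    $needed = $s.NotInstalledCount + $s.DownloadedCount + $s.FailedCount + $s.InstalledPendingRebootCount
    if ($needed -gt 0) { continue }          # still needed somewhere: leave it approved
    "Unapprove: $($u.Title)"
    if (-not $DryRun) { $u.GetUpdateApprovals() | ForEach-Object { $_.Delete() } }
    $unapproved++
}
"$unapproved superseded update(s) no longer needed by any computer"

# Step 2: the wizard's update and content steps. Obsolete computers are left alone here.
$scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
$scope.DeclineSupersededUpdates    = $true    # superseded and unapproved for 30+ days
$scope.DeclineExpiredUpdates       = $true
$scope.CleanupObsoleteUpdates      = $true    # expired metadata not approved for 90 days
$scope.CompressUpdates             = $true    # drop old update revisions
$scope.CleanupUnneededContentFiles = $true    # files not in use here or on any DSS
$scope.CleanupObsoleteComputers    = $false   # handled as a separate task
if (-not $DryRun) {
    $r = $wsus.GetCleanupManager().PerformCleanup($scope)
    "Superseded declined: {0}; expired declined: {1}; obsolete updates deleted: {2}; revisions compressed: {3}; disk freed: {4:N0} bytes" -f `
        $r.SupersededUpdatesDeclined, $r.ExpiredUpdatesDeclined, $r.ObsoleteUpdatesDeleted, $r.UpdatesCompressed, $r.DiskSpaceFreed
}
```

GetSummary() is one query per update, so step 1 can take a while on a server with a large catalog; run it off-hours. Because content deletion does not replicate, run this on the top of the hierarchy first and then on each downstream server, as the later maintenance slide says.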
Database maintenance
- Periodically defragment (rebuild) the DB indexes
- Have a disaster recovery plan; many customers' plan is simply to reinstall
- The alternative is to back up the server database: for the Windows Internal Database (WID) you will have to run a SQLCMD script to back up the database
- Download SQL Server Management Studio (Express) for easier management of the Windows Internal Database or SQL Express
- Location of the WID backup: %windir%\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig\WSUSSignDb.*
Backup of the Windows Internal Database:
sqlcmd -S np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query -E -Q "BACKUP DATABASE SUSDB TO DISK='C:\susdb.bak'"
(-S names the WID instance's named pipe, -E uses Windows authentication, -Q runs the query and exits; run it elevated on the WSUS server)
Index defrag example: server/susvvb01.mspx?mfr=true
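The two database chores on these slides combined into one scheduled job, as an added example that is not from the deck: a verified full backup of SUSDB over the WID named pipe, followed by a rebuild of every index in the database and a statistics refresh. It assumes it runs elevated on the WSUS server, that sqlcmd.exe from the SQL Server 2005 client tools is on the PATH, and that the backup directory exists on a volume other than the content folder; the instance string is the WID default from the slide.

```powershell
# Added example (not from the deck): back up SUSDB on the Windows Internal Database and
# rebuild its indexes with sqlcmd. Run elevated on the WSUS server with sqlcmd.exe on PATH.
# Assumptions: $backupDir is a placeholder; the named pipe is the WID default from the slide.
$instance  = 'np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query'
$backupDir = 'D:\WsusBackup'                      # assumed; keep it off the WSUS content volume
$stamp     = Get-Date -Format 'yyyyMMdd-HHmm'
$bak       = Join-Path $backupDir "SUSDB-$stamp.bak"
if (-not (Test-Path $backupDir)) { throw "Backup directory $backupDir does not exist" }

# 1. Full backup with page checksums, then verify the file so corruption is caught now
#    rather than on the day you need to restore. -b makes sqlcmd return non-zero on error.
& sqlcmd -S $instance -E -b -Q "BACKUP DATABASE SUSDB TO DISK='$bak' WITH INIT, CHECKSUM; RESTORE VERIFYONLY FROM DISK='$bak' WITH CHECKSUM"
if ($LASTEXITCODE -ne 0) { throw "Backup failed (sqlcmd exit code $LASTEXITCODE)" }

# 2. Rebuild every index in SUSDB. REBUILD is offline on WID/Express editions, so run this
#    outside the synchronization window and only after the backup above succeeded.
$reindex = @'
USE SUSDB;
SET NOCOUNT ON;
DECLARE @t nvarchar(300);
DECLARE tbl CURSOR FOR
    SELECT QUOTENAME(s.name) + '.' + QUOTENAME(t.name)
    FROM sys.tables t JOIN sys.schemas s ON t.schema_id = s.schema_id
    WHERE t.type = 'U';
OPEN tbl;
FETCH NEXT FROM tbl INTO @t;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC ('ALTER INDEX ALL ON ' + @t + ' REBUILD');
    FETCH NEXT FROM tbl INTO @t;
END
CLOSE tbl;
DEALLOCATE tbl;
EXEC sp_updatestats;
'@
$sqlFile = Join-Path $env:TEMP 'susdb-reindex.sql'
Set-Content -Path $sqlFile -Value $reindex -Encoding ASCII
& sqlcmd -S $instance -E -b -i $sqlFile
if ($LASTEXITCODE -ne 0) { throw "Reindex failed (sqlcmd exit code $LASTEXITCODE)" }
Remove-Item $sqlFile
"Backup written to $bak; SUSDB indexes rebuilt"
```

The backup file is written by the WID service account, so the service must have write access to $backupDir; the verification step reads it back with the same account. Rotate old .bak files separately rather than overwriting a single file, so a failed backup never destroys the previous good one.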
Maintenance take-aways
- Run the Cleanup Wizard periodically, especially after rolling out a new service pack and after a WSUS 2.0 -> 3.0 upgrade
- Computers: clean up from the bottom of your hierarchy to the top
- Updates: always start at the top of the hierarchy and work down, because content deletion does not replicate to downstream servers
- Have a disaster recovery plan
Monitoring
- Use the MOM 2005 WSUS Management Pack for advanced monitoring needs; it provides alerts and health information for the server, with limited monitoring of individual client health
Monitors:
- Database health (series events)
- Core server component health (series events): content sync agent, metadata sync agent
Monitors (continued):
- Web service health (12000 series events): Reporting Web Service, API Remoting Web Service, Client Web Service, Server Sync Web Service, SimpleAuth Web Service, DSS Auth Web Service
- Clients (series events): alerts if clients have a >10% failure rate for updates; self-update failures
Troubleshooting sources
Server:
- Reports: sync reports, computers and updates reports
- SoftwareDistribution.log
- Change log
Clients:
- Update and computer reports
- Client WindowsUpdate.log
- Custom reporting from the APIs and client log collections
- Use the Server Diagnostics Tool to check the server
Common client issues
- "Client not yet reported", two main causes:
  - Self-update failing
  - Can't contact the server properly; usually a latency issue. Run wuauclt /detectnow; rare cases require a client reset
- Automatic Updates agent not updating:
  - Permissions on the SelfUpdate directory
  - Wrong port specified in Group Policy
  - A WUA version lower than the WSUS-capable build indicates AU version 1.0 is still installed
Process to check a client:
- Run the Client Diagnostics Tool
- Check the WUAU (Windows Update Agent) version
- Confirm the ports in Group Policy match the server itself
- gpupdate /force
- Run wuauclt.exe /detectnow and wait
- Look in WindowsUpdate.log and check for any errors
- wuauclt.exe /resetauthorization /detectnow, and wait again
If the client has lost the plot:
- Stop the Automatic Updates service
- Delete the SoftwareDistribution directory
- Delete the registry values PingID, AccountDomainSid and SusClientId under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
- Delete the client record in WSUS
- Restart the Automatic Updates service
- wuauclt /detectnow
- Wait 20 minutes, then recheck the logs
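The client reset on this slide as one script, added here as an example that is not from the deck. It keeps the old SoftwareDistribution folder (renamed) so the previous WindowsUpdate.log is still available for comparison, and it cannot perform the "delete the client record in WSUS" step, which has to be done on the server. It assumes it runs elevated on the affected client with PowerShell installed.

```powershell
# Added example (not from the deck): reset a Windows Update Agent that has "lost the plot".
# Run elevated on the affected client. Assumption: the WSUS-side computer record is removed
# separately on the server; a client cannot do that for itself.
$wuKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$sdDir  = Join-Path $env:windir 'SoftwareDistribution'
$values = 'PingID', 'AccountDomainSid', 'SusClientId'

# 1. Stop Automatic Updates, and BITS, which holds handles open under SoftwareDistribution\Download
Stop-Service -Name wuauserv -Force
Stop-Service -Name bits -Force

# 2. Rename rather than delete the folder: the agent rebuilds it, and the old
#    WindowsUpdate.log / datastore stay around for diagnosis.
if (Test-Path $sdDir) {
    $newName = "SoftwareDistribution.old-$(Get-Date -Format yyyyMMddHHmm)"
    Rename-Item -Path $sdDir -NewName $newName
    "Renamed SoftwareDistribution to $newName"
}

# 3. Remove the client identity values; a fresh SusClientId is generated on next contact.
#    This is also the fix when imaged machines share one SusClientId and keep
#    overwriting each other's record on the WSUS server.
foreach ($v in $values) {
    if (Get-ItemProperty -Path $wuKey -Name $v -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $wuKey -Name $v
        "Removed $wuKey\$v"
    }
}

# 4. Restart the services and force a new detection against the configured server.
#    /resetauthorization clears the client-side targeting cookie as well.
Start-Service -Name bits
Start-Service -Name wuauserv
& "$env:windir\system32\wuauclt.exe" /resetauthorization /detectnow

# 5. Detection and reporting are asynchronous: check the log after roughly 20 minutes.
"Detection triggered; review $env:windir\WindowsUpdate.log in about 20 minutes for errors"
```

After the server-side record is deleted and the client has reported, the machine shows up under "Unassigned Computers" (or its client-side target group) with a new ID; group memberships assigned on the server have to be recreated.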
Common network architectures:
- Single server
- Remote SQL
- BITS peer caching
- NLB
- WSUS hierarchies
- Branch office
Single server
- A single server can support up to 25,000 clients
- Console-only install for remote administration (e.g., from XP or Vista clients)
- Read-only WSUS access for non-admin members of the WSUS Reporters group
- Point machines to the server via Group Policy
- No need to deploy clients; the built-in WUA will self-update from the server on its next sync
- A variety of WUA policies is available, including sync rate (recommend twice a day), scheduled install (recommend daily for desktops), and reboot behavior (reboots can't be postponed indefinitely because that is not safe or supported)
- Enable the BITS peer-caching policy for efficient network use; the internal Microsoft deployment saw a 70% cache-hit rate
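The client policies this slide lists (server location, twice-daily sync, daily scheduled install for desktops or download-and-notify for servers, bounded reboot prompting, BITS peer caching), written as an added example that is not from the deck. It writes the same registry values the Windows Update administrative template writes, so one test machine can be validated before the GPO goes out; the server URL, port, group name and install hour are placeholders, and -Role is this script's own parameter.

```powershell
# Added example (not from the deck): apply the WUA policy values from the slide to the local
# policy registry keys for testing. Run elevated. Assumptions: $WsusUrl, $TargetGroup and the
# install hour are placeholders; -Role is this sample's own switch between the two profiles.
param(
    [ValidateSet('Desktop','Server')][string]$Role = 'Desktop',
    [string]$WsusUrl     = 'http://wsus01.corp.example:80',   # assumed server and port
    [string]$TargetGroup = 'Desktops'                          # assumed client-side target group
)
$wu   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au   = "$wu\AU"
$bits = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'
foreach ($k in $wu, $au, $bits) { if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null } }

# Server location: the sync URL and the status (reporting) URL must both point at WSUS,
# and the port here is the one that has to match the server's IIS binding.
Set-ItemProperty $wu -Name WUServer           -Value $WsusUrl
Set-ItemProperty $wu -Name WUStatusServer     -Value $WsusUrl
# Client-side targeting: the machine joins this WSUS group, so approvals can differ by role
Set-ItemProperty $wu -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty $wu -Name TargetGroup        -Value $TargetGroup

# Sync twice a day (DetectionFrequency is in hours)
Set-ItemProperty $au -Name UseWUServer               -Value 1  -Type DWord
Set-ItemProperty $au -Name DetectionFrequencyEnabled -Value 1  -Type DWord
Set-ItemProperty $au -Name DetectionFrequency        -Value 12 -Type DWord

if ($Role -eq 'Desktop') {
    # AUOptions 4 = auto download and scheduled install; day 0 = every day; time = hour 0-23
    Set-ItemProperty $au -Name AUOptions             -Value 4 -Type DWord
    Set-ItemProperty $au -Name ScheduledInstallDay   -Value 0 -Type DWord
    Set-ItemProperty $au -Name ScheduledInstallTime  -Value 3 -Type DWord
    Set-ItemProperty $au -Name AutoInstallMinorUpdates -Value 1 -Type DWord   # "immediate installation"
    # Reboot behaviour: do not suppress the restart for logged-on users, just re-prompt every 60 min
    Set-ItemProperty $au -Name NoAutoRebootWithLoggedOnUsers -Value 0  -Type DWord
    Set-ItemProperty $au -Name RebootRelaunchTimeoutEnabled  -Value 1  -Type DWord
    Set-ItemProperty $au -Name RebootRelaunchTimeout         -Value 60 -Type DWord
} else {
    # AUOptions 3 = download, then notify; an administrator (or the sample scripts) installs
    Set-ItemProperty $au -Name AUOptions -Value 3 -Type DWord
    Remove-ItemProperty $au -Name ScheduledInstallDay, ScheduledInstallTime, AutoInstallMinorUpdates -ErrorAction SilentlyContinue
}

# BITS peer caching (Vista and later only; older agents ignore the value)
Set-ItemProperty $bits -Name EnablePeercaching -Value 1 -Type DWord

& "$env:windir\system32\wuauclt.exe" /detectnow
"Applied $Role profile pointing at $WsusUrl (group '$TargetGroup'); detection triggered"
```

These are policy keys, so the next Group Policy refresh overwrites them with whatever the domain GPO says; that is the point of testing here first, and also why a machine that "ignores" the console settings should be checked with gpresult before anything else.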
Remote SQL (SQL Server 2005 SP1)
- WSUS 3 has a unified front-end/back-end setup
- No performance gain over the built-in/default Windows Internal Database option
- Each WSUS client requires a SQL CAL
- Recommendation: use only if available/convenient
NLB
- Provides redundancy (no single point of failure), not scale-up
- Multiple front-ends all point to the same SQL back-end and shared content folder
- Recommendation: use only if required, since it's easy to just rebuild a failed WSUS server
WSUS hierarchies
- Used for scale-out or branch office support
- Autonomous servers get update binaries and metadata from the parent upstream server (USS)
- Replica children also get approvals from the USS
New WSUS 3 features for hierarchies:
- Reporting roll-up across replicas
- More granular sync schedule, up to hourly
- Toggle replica mode
- A downstream server (DSS) can sync a subset of the USS languages' binaries
- A DSS can get approvals from the USS and binaries from MU; useful if the DSS has a broadband internet connection but only a narrowband link to the USS
Disconnected networks
- Same support as for WSUS 2
- Need one connected server to sync updates from MU
- Transfer updates to the disconnected server:
  - Make sure language and binary file settings match on both servers
  - Export/import the content folder via ntbackup
  - Export/import metadata via WsusUtil.exe (shipped with WSUS): export, import, reset
  - Export/import approvals and target groups via the WsusMigrate SDK sample
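The transfer procedure above as one script with an export side and an import side, added here as an example that is not from the deck. It uses wsusutil.exe for the metadata, as the slide says, and robocopy in place of ntbackup for the content folder (an assumption, chosen because it resumes and verifies file-by-file); the content path, staging volume and package names are placeholders. Approvals and target groups are not in the export package, so the WsusMigrate step from the slide is still required afterwards.

```powershell
# Added example (not from the deck): package a connected WSUS 3.0 server's content and metadata
# for a disconnected server, and import them on the other side. Run elevated on each server.
# Assumptions: robocopy replaces ntbackup; $content, $Stage and the package names are placeholders.
param(
    [ValidateSet('Export','Import')][string]$Mode = 'Export',
    [string]$Stage = 'E:\WsusTransfer'                   # assumed transport volume
)
$wsusUtil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
$content  = 'D:\WSUS\WsusContent'                        # assumed content folder (same on both servers)
$package  = Join-Path $Stage 'export.cab'

switch ($Mode) {
  'Export' {
    if (-not (Test-Path $Stage)) { New-Item -ItemType Directory -Path $Stage | Out-Null }
    # 1. Content: copy the binaries. robocopy exit codes below 8 mean success.
    & robocopy $content (Join-Path $Stage 'WsusContent') /E /COPY:DAT /R:3 /W:10 /NP
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    # 2. Metadata: export the catalog to a .cab with its own log for review
    & $wsusUtil export $package (Join-Path $Stage 'export.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed; see $Stage\export.log" }
    # 3. Leave an inventory so the import side can confirm nothing was dropped in transit
    Get-ChildItem $Stage | Select-Object Name, Length, LastWriteTime
  }
  'Import' {
    if (-not (Test-Path $package)) { throw "Package $package not found" }
    # Content first, then metadata, so every imported update already has its files on disk
    # and the disconnected server never advertises an update it cannot serve.
    & robocopy (Join-Path $Stage 'WsusContent') $content /E /COPY:DAT /R:3 /W:10 /NP
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    & $wsusUtil import $package (Join-Path $Stage 'import.log')
    if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed; see $Stage\import.log" }
    "Import complete; now migrate approvals and target groups with the WsusMigrate sample"
  }
}
```

The export contains the whole catalog, not a delta, so repeat runs grow with the catalog; keeping the language subset small on the connected server (as the hierarchy slide recommends) is what keeps the transfer manageable.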
Upgrade scenarios
- From SUS 1.0: not directly supported
- Upgrading a single server:
  - In-place upgrade: WSUS 2 -> WSUS 3 on a single server
  - Migration upgrade: WSUS 2 -> WSUS 3 on different servers
- Upgrading a server hierarchy: connected servers, disconnected servers
In-place upgrade
- Simply install WSUS 3 on the same server as WSUS 2; the in-place upgrade preserves settings, updates and approvals
- Customized IIS settings must be re-applied after the upgrade (port, SSL, host headers)
- Clients self-update the next time they sync
Watch out:
- Uninstalling WSUS 3 will not bring back WSUS 2
- If using SQL Server 2000, setup will fail; use a migration upgrade instead
- If using remote SQL Server 2005, first uninstall the WSUS 2 back-end (leaving the DB behind), then upgrade, because WSUS 3 has a unified front-end/back-end setup
Migration upgrade
- Install WSUS 3 on a new server
- Migrate updates and approvals:
  - Export/import the content folder via ntbackup
  - Sync the WSUS 3 server to get the latest metadata
  - Export/import approvals and target groups via the WsusMigrate SDK sample
- Point clients to the new server: change the GPO to the new server/port; clients self-update the next time they sync
Upgrading a hierarchy
- The upgrade must be performed top-down: WSUS 2.0 servers can synchronize updates from a 3.0 server (but not vice versa)
- Watch out: a DSS must be WSUS 2 SP1 or have the required KB hotfix installed, else replica sync may fail after the USS upgrade
- Post-upgrade, take advantage of the new WSUS 3 deployment options: reporting roll-up (on by default), a DSS syncing a subset of languages, a DSS syncing from MU but hosting content locally (for narrowband connections to the USS), more frequent sync
Configuration Manager 2007
- Software Update Management (SUM) is built on WSUS 3
- Full Microsoft Update catalog; can also manage non-Microsoft software updates
- Included as a managed server role in the site hierarchy
- Full benefits of site management, binary delta replication, etc.
- No need to configure/manage WSUS directly
Software Update Management End-to-End
WSUS 3.0 requires very little maintenance A little bit of love will help your server run more happily!
Resources
- Technical communities, webcasts, blogs, chats and user groups
- Microsoft Developer Network (MSDN) and TechNet
- Trial software and virtual labs
- Microsoft Learning and Certification
- microsoft.public.windows.server.update_services newsgroup
- My contact information