Nathan Mercer Microsoft NZ blogs.technet.com/nmercer microsoft.com SVR317.


2
Nathan Mercer, Microsoft NZ
blogs.technet.com/nmercer
nathan.mercer@microsoft.com
SVR317

3
- Overview of new WSUS3 features
- Deployment architectures
- Migration from WSUS2 to WSUS3
- Overview of WSUS3 deployment for Configuration Manager 2007
- Managing/operating a WSUS 3.0 deployment
- Take-aways for maintaining a WSUS 3.0 server

4
- Provide a simple, low-cost solution for distributing Microsoft Updates within a corporation
  - A "free" RTW add-on for Windows Server; covered by the Windows Server CAL
  - Solution only distributes Microsoft Updates
  - Distributing 3rd-party patches requires purchasing advanced management tools such as SCE (for MORGs) and Configuration Manager 2007 (for LORGs)
- Provide a foundation infrastructure for update management across Microsoft products: SCE, Configuration Manager 2007, MBSA, WU, SBS, Forefront, ...
  - Consistent scan results
  - Upgrade path to advanced management products: SCE or Configuration Manager 2007

5
- An integrated management solution for the mid market
  - Fewer than 500 computers or 30 servers, no scale-out
  - Upgrade from WSUS 2.0 or 3.0
  - Access to all content in WSUS
- Key features
  - Update management
    - Basic: Microsoft Updates via WSUS
    - Advanced: 3rd-party updates, push-install
  - Application deployment (e.g. LOB applications)
  - Inventory
  - Operations monitoring

6
- A complete enterprise management solution (aka SMS)
- Key features for Software Update Management
  - Basic: WSUS 3.0 integration; upgrade from WSUS 2.0 or 3.0
  - Advanced: built on the Desired Configuration Management infrastructure; 3rd-party updates, push-install, maintenance windows, delegated admin, wake-on-LAN, NAP integration
- Other Configuration Manager features
  - OS deployment
  - Desired Configuration Management
  - Application deployment (e.g. LOB applications)
  - Inventory, metering, discovery
  - Asset management
  - and many more...

7
- Microsoft Update
  - Many small businesses point their Windows machines directly to Microsoft Update
  - Microsoft Update catalog site ("alpha")
  - Can import updates "à la carte" into our management tools
- SBS
  - SBS 2003 R2 has WSUS integrated, with an additional simplified UI
  - SBS "Cougar" will have SCE integrated
- MBSA
  - Analyse security compliance on a Windows machine
  - Uses the Windows Update (WSUS) agent to determine update compliance

8
- WSUS2 ranked as the #1 patch management product by readers of Windows IT Pro Magazine
- Used by approximately 70% of MORGs/LORGs
- Over 350,000 distinct WSUS servers synched with Microsoft Update last month
- WSUS3 released April 30, 2007
  - Huge improvements in performance, deployment options, reporting and UI
  - Easy in-place upgrade from WSUS2

9
Simplicity
- Initial configuration wizard
- MMC-based UI, with advanced filtering and sorting
- Email notification of new updates (and/or compliance summary)
- Multiple, more granular auto-approval rules
- Integrated reporting rollup
- Cleanup wizard
Operational reliability
- Access to more content: import from the MU catalog site
- MOM pack
- Improved logging and audit logging
- NLB and SQL clustering
- Best practices
Deployment
- Branch office / scale-out optimisations
  - Language subsetting
  - Content from MU
  - Sync more frequently (up to hourly)
  - Toggle replica mode
  - Integrated reporting rollup
- Read-only administrative role (WSUS Reporters)
- Enhanced targeting
- Upgrade to SCE or Configuration Manager 2007
Performance
- Native x64 support
- Vista BITS peer-caching
- Scalability improvements

10
- Installing the WSUS server requires:
  - Windows Server 2003 SP1+ (full support), Windows Server 2008 Beta 3+ (beta support)
  - SQL Server 2005 SP1+ (only if using full SQL)
  - Internet Information Services 6.0
  - .NET Framework 2.0
  - MMC 3.0
  - Report Viewer
- The server can manage:
  - Windows 2000 SP4, Windows XP SP1, Vista
  - Windows Server 2003, Windows Server 2008 Beta 3
  - x86 and x64 support parity
  - All supported Windows locales

11
We'll next discuss common network architectures:
- Single server
- Remote SQL
- BITS peer caching
- NLB
- WSUS hierarchies
- Branch office
- Disconnected networks (DMZ)
- Roaming laptops

12
- A single server can support up to 25k clients
- Console-only install for remote administration (e.g. from XP or Vista clients)
- Read-only WSUS access for non-admin members of the "WSUS Reporters" group
- Point machines to the server via Group Policy
  - No need to deploy clients; the built-in WUA will "self-update" from the server on the next sync
  - Variety of WUA policies available, including sync rate (recommend twice/day), scheduled install (recommend daily for desktops), and reboot behaviour (can't postpone reboots indefinitely because it's not safe/supported)
- Enable the BITS peer-caching policy for efficient network use. Internal MSFT deployment had a 70% cache-hit rate.


14
- SQL 2005 SP1
  - WSUS3 has a unified front-end/back-end setup
  - No performance gain over the built-in/default "Windows Internal Database" option
  - Each WSUS client requires a SQL CAL
  - Recommendation: use only if available/convenient
- NLB
  - Provides redundancy / no single point of failure, not scale-up
  - Multiple front-ends all point to the same SQL backend and shared content folder
  - Recommendation: use only if required, since it's easy to just rebuild a failed WSUS server

15
- Used for scale-out or branch office support
- Autonomous servers get update binaries and metadata from the parent "upstream" server (USS)
- Replica children also get approvals from the USS
- New WSUS3 features for hierarchies
  - Reporting roll-up across replicas
  - More granular sync schedule; up to hourly
  - Toggle replica mode
  - DSS can sync a subset of USS language binaries
  - DSS can get approvals from the USS and binaries from MU; useful if the DSS has a broadband internet connection but only narrowband to the USS


17
- Same support as for WSUS2
- Need one server to sync updates from MU
- Transfer updates to the disconnected server:
  - Make sure language and binary file settings match
  - Export/import the content folder via ntbackup
  - Export/import metadata via WsusUtil.exe (shipped with WSUS): export, import, reset
  - Export/import approvals and target groups via the WsusMigrate SDK sample

18
- Deploy an internet-facing WSUS server
  - Configure the server to host content on MU
  - SSL strongly recommended
  - Further hardening via ISA proxy or remote SQL backend
- Roaming laptops configured to point to this server
  - Can be a replica of the intranet-facing WSUS server; WSUS3 supports distinct content hosting settings
- Can configure laptops to get updates from the best available server:
  - Client policy points to a server alias
  - Alias resolved to the appropriate server name depending on location, using DNS netmask ordering

19
- On web farms or critical servers, patch installation may need to be orchestrated with other processes
  - Configure the WUA on the server for download only (no scheduled install)
  - Use the WUA API to install applicable updates at the appropriate time
  - Start with the "Search, Download, Install" VB script on MSDN
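As an added example (not the MSDN VB script the slide refers to, and not part of the presentation), the same search/download/install flow against the Windows Update Agent COM API in PowerShell, for a server whose policy is download-only so that installation can be timed around other processes. It assumes it runs elevated on a server already pointed at a WSUS server by policy, so the search only returns approved updates; the `-ListOnly` switch is a name chosen here.

```powershell
# Added example: orchestrated install via the WUA API on a download-only server.
# Assumptions: run elevated; client is pointed at WSUS by policy; -ListOnly is a
# switch defined here to preview what would be installed without installing.
param([switch]$ListOnly)

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# Applicable updates that are not yet installed and not hidden by an administrator
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
if ($result.Updates.Count -eq 0) { Write-Host 'No applicable updates.'; return }

$toInstall = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $result.Updates) {
    # RebootBehavior: 0 = never reboots, 1 = always requires reboot, 2 = can request reboot
    Write-Host ("{0}  [reboot behaviour: {1}]" -f $u.Title, $u.InstallationBehavior.RebootBehavior)
    if (-not $u.EulaAccepted) { $u.AcceptEula() }
    [void]$toInstall.Add($u)
}
if ($ListOnly) { return }

# Download whatever the download-only policy has not already fetched
$pending = New-Object -ComObject 'Microsoft.Update.UpdateColl'
foreach ($u in $toInstall) { if (-not $u.IsDownloaded) { [void]$pending.Add($u) } }
if ($pending.Count -gt 0) {
    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $pending
    $dl = $downloader.Download()
    if ($dl.ResultCode -ne 2) { throw "Download failed, ResultCode=$($dl.ResultCode)" }  # 2 = orcSucceeded
}

# Install now, i.e. at the time the operator has chosen for this server
$installer = $session.CreateUpdateInstaller()
$installer.Updates = $toInstall
$inst = $installer.Install()
for ($i = 0; $i -lt $toInstall.Count; $i++) {
    Write-Host ("{0} -> HRESULT 0x{1:X8}" -f $toInstall.Item($i).Title, $inst.GetUpdateResult($i).HResult)
}
# Per the presentation's guidance, do not postpone a required reboot: surface it so the operator acts on it
if ($inst.RebootRequired) { Write-Warning 'Reboot required to complete installation.' }
```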

20
- From SUS1: not directly supported
- Upgrading a single server
  - In-place upgrade: WSUS2 -> WSUS3 on a single server
  - Migration upgrade: WSUS2 -> WSUS3 on different servers
- Upgrading a server hierarchy
  - Connected servers
  - Disconnected servers

21
- Setup supports in-place upgrade
  - Preserves updates, settings, and approvals
  - No need to deploy agents; clients automatically update to the new version when they contact the server
- WsusMigrate SDK sample migrates target groups and approvals from one server to another
  - Can also be used for syncing disconnected servers
- Server hierarchy is upgraded top-down
  - WSUS 2.0 servers can synchronise updates from a 3.0 server
- Setup supports unattended installs

22
- Simply install WSUS3 on the same server as WSUS2
  - In-place upgrade preserves settings, updates, and approvals
  - Customised IIS settings must be re-applied after the upgrade (port, SSL, host headers)
  - Clients "self-update" the next time they sync
- Watch out:
  - Uninstalling WSUS3 will not bring back WSUS2
  - If using SQL 2000, setup will fail; use a migration upgrade
  - If using remote SQL 2005, you need to first uninstall the backend (leaving the DB behind), then upgrade, because WSUS3 has a unified frontend/backend setup

23
- Install WSUS3 on a new server
- Migrate updates and approvals:
  - Export/import the content folder via ntbackup
  - Sync the WSUS3 server to get the latest metadata
  - Export/import approvals and target groups via the WsusMigrate SDK sample
- Point clients to the new server
  - Change the GPO to point clients to the new server/port
  - Clients will "self-update" the next time they sync

24
- Upgrade must be performed top-down
  - WSUS 2.0 servers can synchronize updates from a 3.0 server (but not vice versa)
  - Watch out: the DSS must be WSUS2 SP1 or have KB910847 installed (else replica sync may fail after the USS upgrade)
- Post-upgrade, take advantage of new WSUS3 deployment options
  - Reporting rollup (on by default)
  - DSS can sync a subset of languages
  - DSS can sync from MU but host locally (for narrowband connections to the USS)
  - Can sync more frequently

25
- Software Update Management (SUM) built on WSUS 3
  - Full Microsoft Update catalog
  - Can also manage non-Microsoft software updates
- Included as a managed server role in the site hierarchy
  - Full benefits of site management, Binary Delta Replication, etc.
  - No need to configure/manage WSUS directly

26
- Windows Update Agent needs updating to the version required by WSUS 3.0*
  - * Client Deployment does this, except for Vista clients in Beta 2, where WUA self-update via Automatic Updates is required
- Site Server Role Wizard used to configure WSUS as a Software Update Point
- WSUS 3.0 admin console required for all remote Site Servers
- WSUS 3.0 server installation is a prerequisite for all Software Update Points

27
Software Update Point (SUP) role
- SUP = WSUS + installed Configuration Manager component
- Can use existing WSUS servers
- Uppermost SUP will sync with Microsoft Update
- SUP co-located with the Site Server on the same machine
- SUP on a remote machine from the Site Server
- Advanced: internet-facing, native mode
Supported configurations
- WSUS can be configured across NLB; NLB supports failover for up to 100,000 clients
- SQL clusters are supported
- Each WSUS server supports 25,000 clients
- Regional roaming only (secondary site); no global roaming between sites
- Offset scan times to avoid clients hitting WSUS at the same time
- Clients will always use the assigned site SUP

28
- Server default is to auto-approve all updates for detection
- Recommendation
  - Configure auto-approvals for critical, security and definition updates
  - Configure desktops for scheduled installation every day (with "immediate installation" enabled)
  - Configure servers for download and notify
  - Use sample scripts to control server install behaviour
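As an added example (not from the presentation), a PowerShell check that audits a client's Group Policy-delivered Windows Update settings against the recommendations on slides 12 and 28: twice-daily sync, daily scheduled install with immediate installation on desktops, download-and-notify on servers, and no indefinite reboot deferral. The registry value names are the documented WindowsUpdate policy values; `-Role` is a parameter chosen here.

```powershell
# Added example: audit WU client policy against the presentation's recommendations.
# Assumption: $Role is supplied by the operator; exit code 1 signals a deviation.
param([ValidateSet('Desktop','Server')][string]$Role = 'Desktop')

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
function Get-Pol($Path, $Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$findings = @()
# Clients must be pointed at the intranet WSUS server rather than Microsoft Update
if (-not (Get-Pol $wu 'WUServer'))     { $findings += 'WUServer not set (client talks to MU directly)' }
if ((Get-Pol $au 'UseWUServer') -ne 1) { $findings += 'UseWUServer != 1 (WUServer is ignored)' }
if ((Get-Pol $au 'NoAutoUpdate') -eq 1) { $findings += 'Automatic Updates disabled by policy' }

# Sync rate: recommended twice a day (DetectionFrequency is expressed in hours)
$freq = Get-Pol $au 'DetectionFrequency'
if ((Get-Pol $au 'DetectionFrequencyEnabled') -ne 1 -or $freq -gt 12) {
    $findings += "Detection frequency is '$freq' h; recommended 12 or less"
}

# AUOptions: 3 = download and notify, 4 = scheduled install
$opt = Get-Pol $au 'AUOptions'
switch ($Role) {
    'Desktop' {
        if ($opt -ne 4) { $findings += "AUOptions=$opt; desktops should use 4 (scheduled install)" }
        if ((Get-Pol $au 'ScheduledInstallDay') -ne 0) { $findings += 'ScheduledInstallDay != 0 (not every day)' }
        if ((Get-Pol $au 'AutoInstallMinorUpdates') -ne 1) { $findings += 'Immediate installation not enabled' }
    }
    'Server' {
        if ($opt -ne 3) { $findings += "AUOptions=$opt; servers should use 3 (download and notify)" }
    }
}
# With this set, a logged-on user can defer the post-install reboot indefinitely
if ((Get-Pol $au 'NoAutoRebootWithLoggedOnUsers') -eq 1) { $findings += 'NoAutoRebootWithLoggedOnUsers=1' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "Windows Update policy for the $Role role matches the recommendations."
```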

29
- Ensuring update deployment by a specific time
  - Use deadlines
  - Deadlines override all other policy and client configuration settings
  - Use with caution on servers!
- Ensuring updates are applied
  - Do not delay reboots; always reboot as soon as possible after applying an update that requires a reboot
  - Use the client schedule options to schedule installing updates at the least impactful time, to avoid the need to delay reboots
  - For servers and other reboot-sensitive computers, use Option #3
- Emergency update deployment
  - Use a deadline set in the past
  - Use scripts to start a detection cycle
- Deploying drivers or other updates
  - Use the "Import from ..." Microsoft Update Catalog capability

30
- WSUS servers require very little ongoing maintenance
- Three key areas:
  - Client computers: dynamic environments will need to manage computers appearing and disappearing
  - Update content: purging of superseded/expired/declined content
  - Database: backup; defragmentation of indexes

31
- Why clean up clients?
  - Computers enter and leave the environment due to repurposing or retirement
  - Stale computers will slow reporting, increase DB size, and add unneeded "noise"
- Simplest approach is to use the Server Cleanup Wizard
  - Will remove computers that have not contacted the server in 30 days
- API samples available for finer control
  - Clean Stale Computers
  - Populate computers from AD
  - http://www.microsoft.com/technet/windowsserver/wsus/default.mspx

32
- Why?
  - Unapproving or declining updates does not delete update content
  - Remove content for superseded updates that you no longer need
  - Reduce disk space requirements
- From the UI, unapprove superseded updates that are not needed by any computers
- Run the Server Cleanup Wizard, which will delete:
  - Metadata for expired updates that haven't been approved for 90 days
  - Old revisions of updates
  - Unneeded files for updates that are not in use on the server and are not needed by a downstream server
- The wizard will also decline expired updates that are unneeded and have been unapproved for at least 30 days

33
- Periodically defrag the DB
- Have a disaster recovery plan
  - Many customers' plan is to reinstall
  - Alternative is to back up the server database:
    - For the Windows Internal Database you will have to run a SQLCMD script to back up the database
    - Download SQL Management Studio for easier management of the Windows Internal Database or SQL Express
    - Location of the WID backup: %windir%\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig\WSUSSignDb.*

34
Backup Windows Internal Database:
  SQLCMD -S np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query -E -Q "backup database SUSDB to disk='c:\susdb.bak'"
Index defrag example:
  http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true
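As an added example for the backup step on slides 33 and 34 (not part of the presentation), a PowerShell wrapper around the SQLCMD command above that also verifies the backup is restorable and prunes old copies, which is what a disaster recovery plan needs before it can rely on the file. It assumes sqlcmd.exe is on the PATH, the script runs elevated as a local administrator (WID only accepts Windows authentication over its local named pipe), and `C:\WSUSBackup` is a destination folder chosen here.

```powershell
# Added example: back up SUSDB from the Windows Internal Database and verify it.
# Assumptions: sqlcmd.exe on PATH, elevated local admin, $BackupDir exists.
$Server    = 'np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query'   # WID named pipe, as on the slide
$BackupDir = 'C:\WSUSBackup'                                  # destination chosen for this example
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmm'
$BakFile   = Join-Path $BackupDir "SUSDB-$Stamp.bak"

function Invoke-WidSql {
    param([string]$Query)
    # -E = Windows authentication; -b = non-zero exit code when the T-SQL batch errors
    $out = & sqlcmd.exe -S $Server -E -b -Q $Query 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed: $out" }
    $out
}

# 1. Full backup. WITH INIT overwrites a same-named file; CHECKSUM records page checksums
#    so that the verification step below can detect a corrupt backup set.
Invoke-WidSql "BACKUP DATABASE SUSDB TO DISK = N'$BakFile' WITH INIT, CHECKSUM"

# 2. Prove the file is usable before the DR plan depends on it (no restore is performed)
Invoke-WidSql "RESTORE VERIFYONLY FROM DISK = N'$BakFile' WITH CHECKSUM"
Write-Host "Verified backup written to $BakFile"

# 3. Retention: keep the seven most recent backups produced by this script
Get-ChildItem $BackupDir -Filter 'SUSDB-*.bak' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -Skip 7 |
    Remove-Item
```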

35
- Run the Cleanup Wizard periodically, especially:
  - after rolling out a new SP
  - after a 2.0 -> 3.0 upgrade
- Computers: clean up from the bottom of your hierarchy to the top
- Updates: always start at the top of the hierarchy and work down; content deletion does not replicate!
- Have a disaster recovery plan


37
- WSUS 3 is a huge improvement over WSUS 2
- Simple in-place upgrade from WSUS2 to WSUS3
- Can later upgrade to System Center Essentials or Configuration Manager 2007

38
Technical communities, webcasts, blogs, chats and user groups
- Newsgroup: Microsoft.Public.Windows.Server.Update_Services
- http://blogs.technet.com/wsus/
- http://www.wsuswiki.com/
- http://blogs.technet.com/mu/
Microsoft Developer Network (MSDN) and TechNet
- http://microsoft.com/msdn
- http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true
- http://www.microsoft.com/technet/windowsserver/wsus/default.mspx
Trial software and virtual labs
- http://www.microsoft.com/technet/downloads/trials/default.mspx
Starting point for all WSUS information: http://www.microsoft.com/updateservices
- Product overview
- Links to our great documentation, including:
  - Step-by-step guide (for simple deployment)
  - Deployment guide (many details on advanced deployments)
  - Many other docs: ops guide, API, SDK, ...
- Links to community pages


41 © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

