Best Practices in Architecting and Implementing Windows Server Update Services (WSUS)
Agenda
Part I: Architecting and Implementing WSUS
Part II: Troubleshooting WSUS
Part III: Tips and Tricks for Using WSUS
Part 1
WSUS Momentum
Over 500,000 distinct WSUS servers synched with Microsoft Update last month
Used by over 60% of medium/large orgs, and built into SBS
WSUS 3 released April 30 2007
Huge improvements in performance, deployment options, reporting and UI
Easy in-place upgrade from WSUS2
WSUS Lifecycle/Roadmap
Support lifecycle

Version      Support ends     Comment
SUS 1.0      Not supported
WSUS2 RTM    Not supported
WSUS2 SP1    Not supported
WSUS3 RTM    Not supported
WSUS3 SP1    TBD
Demo
Elements of Architecture
Why Architecture?
Simple Architecture
Single, well-connected site
WSUS Updates from MU
Clients update from WSUS
WSUS Chaining
Chaining involves downstream servers getting updates (and sometimes Group data) from upstream servers
Options for chaining:
Distributed vs. Centralized model
Autonomous Mode vs. Replica Mode
Centralized Architecture
Downstream servers are replicas of primary server
Little downstream control over servers
Downstream administrators drop machines into predefined groups
All update approvals and schedule done
Distributed Architecture
Downstream servers obtain updates from primary server, except:
Update approvals do not flow down; assigned at each site individually
Downstream admins have greater control: can create groups and assign approvals
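As an added example (not part of the original deck), the PowerShell function below puts a downstream WSUS 3 server into either chaining model through the WSUS administration API: replica mode for the centralized architecture, autonomous mode for the distributed one. It assumes the WSUS 3 administration console assembly is installed on the machine it runs on; the upstream server name in the usage line is a placeholder.

```powershell
# Added example: choose replica (centralized) or autonomous (distributed) chaining
# for the local WSUS server via the Microsoft.UpdateServices.Administration API.
# Assumes the WSUS 3 administration console is installed on this machine.
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

function Set-WsusChaining {
    param(
        [Parameter(Mandatory=$true)][string]$UpstreamServer,   # placeholder name supplied by caller
        [int]$UpstreamPort = 8530,                             # 8531 when the upstream uses SSL
        [switch]$UpstreamUseSsl,
        [ValidateSet("Replica", "Autonomous")][string]$Mode = "Autonomous"
    )
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $config = $wsus.GetConfiguration()

    # Pull updates from the upstream WSUS server rather than from Microsoft Update.
    $config.SyncFromMicrosoftUpdate      = $false
    $config.UpstreamWsusServerName       = $UpstreamServer
    $config.UpstreamWsusServerPortNumber = $UpstreamPort
    $config.UpstreamWsusServerUseSsl     = [bool]$UpstreamUseSsl

    # Replica: approvals and computer groups are inherited from upstream and
    # cannot be changed here (centralized model).
    # Autonomous: only updates flow down; approvals are made on this server
    # (distributed model).
    $config.IsReplicaServer = ($Mode -eq "Replica")
    $config.Save()

    # Start a synchronization so the new upstream is used immediately.
    $wsus.GetSubscription().StartSynchronization()

    # Return the effective settings so the change can be logged or audited.
    New-Object PSObject -Property @{
        Upstream = "$($config.UpstreamWsusServerName):$($config.UpstreamWsusServerPortNumber)"
        UseSsl   = $config.UpstreamWsusServerUseSsl
        Replica  = $config.IsReplicaServer
    }
}

# Usage (placeholder upstream server name):
# Set-WsusChaining -UpstreamServer "wsus-hub.corp.example" -Mode Replica
```

A server switched from autonomous to replica mode takes the upstream's approvals on its next synchronization, so review what has been approved locally before flipping the mode.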
Disconnected Architecture
Many environments don't have Internet connectivity:
test/dev, government, classified, air gap environments
Disconnected Architecture
Match advanced options between source and target
Express installation files & languages must match
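As an added example (not the deck's own code), the following PowerShell helpers wrap the export/import steps for a disconnected WSUS 3 server and check, before importing, that the advanced options the deck says must match (express installation files and update languages) really are the same on source and target. It assumes the WSUS 3 administration console assembly and wsusutil.exe are installed on both servers; the staging path is a placeholder.

```powershell
# Added example: export/import helper for a disconnected WSUS 3 server, with a
# check that express installation files and update languages match on both sides
# before the metadata package is imported. Assumes the WSUS 3 administration
# console and wsusutil.exe are installed; paths are placeholders.
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$wsusutil = Join-Path $env:ProgramFiles "Update Services\Tools\wsusutil.exe"

function Get-WsusTransferSettings {
    # The options that must agree between source and target, as a hashtable.
    $config = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer().GetConfiguration()
    $languages = @($config.GetEnabledUpdateLanguages()) | Sort-Object
    @{
        DownloadExpressPackages   = $config.DownloadExpressPackages
        AllUpdateLanguagesEnabled = $config.AllUpdateLanguagesEnabled
        EnabledLanguages          = ($languages -join ",")
    }
}

function Export-WsusForTransfer {
    # Run on the connected (source) server. Writes the settings manifest and the
    # metadata package into $StagingDir; copy the WsusContent folder separately
    # (e.g. with robocopy), since wsusutil export carries metadata only.
    param([string]$StagingDir = "D:\wsus-transfer")   # placeholder path
    if (-not (Test-Path $StagingDir)) { New-Item -ItemType Directory -Path $StagingDir | Out-Null }
    $settings = Get-WsusTransferSettings
    $settings.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" } |
        Set-Content -Path (Join-Path $StagingDir "settings.txt")
    & $wsusutil export (Join-Path $StagingDir "export.cab") (Join-Path $StagingDir "export.log")
}

function Import-WsusFromTransfer {
    # Run on the disconnected (target) server after the staging folder and the
    # content files have been copied over. Refuses to import when the advanced
    # options differ, because the target would then expect content (languages or
    # express files) that the transfer did not bring.
    param([Parameter(Mandatory=$true)][string]$StagingDir)
    $expected = @{}
    Get-Content (Join-Path $StagingDir "settings.txt") | ForEach-Object {
        $name, $value = $_ -split "=", 2
        $expected[$name] = $value
    }
    $actual   = Get-WsusTransferSettings
    $mismatch = @($actual.Keys | Where-Object { "$($actual[$_])" -ne $expected[$_] })
    if ($mismatch.Count -gt 0) {
        throw ("Advanced options differ from the source server: " + ($mismatch -join ", "))
    }
    & $wsusutil import (Join-Path $StagingDir "export.cab") (Join-Path $StagingDir "import.log")
}
```

The manifest is deliberately a plain text file so it can be inspected on the disconnected side without any tooling; the throw stops the import rather than warning, since a mismatched import is hard to undo.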
Roaming Architecture
Manages updates for external resources
WSUS servers distribute approval metadata
Clients download updates from Windows Update directly
Extra security for internet-facing WSUS server
Useful separate architecture for mostly off-net clients
Roaming Architecture
Four Steps to Internet-facing WSUS
Build server in DMZ and position behind ISA proxy
Locate database on server not reachable from Internet
Enable SSL for communications
Host content on
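As an added example (not from the deck), here are the server-side and client-side settings for the roaming model in PowerShell: the DMZ server is set to hand out approval metadata only, with clients fetching binaries from Microsoft Update, and SSL is enabled with wsusutil. Building the DMZ host behind the ISA proxy and placing the database on an internal server are infrastructure steps the script cannot perform. It assumes the WSUS 3 administration console assembly; host names and URLs are placeholders.

```powershell
# Added example: roaming WSUS 3 server settings (metadata only, SSL) and the
# matching client policy values. Host names and URLs are placeholders.
function Set-WsusRoamingServer {
    param([Parameter(Mandatory=$true)][string]$PublicFqdn)   # name on the SSL certificate
    [void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $config = $wsus.GetConfiguration()
    # Metadata only: no update binaries are stored on the DMZ server; clients
    # download them from Microsoft Update directly.
    $config.HostBinariesOnMicrosoftUpdate = $true
    $config.Save()
    # SSL for communications: a certificate for $PublicFqdn must already be bound
    # to the WSUS web site in IIS; wsusutil then makes the client-facing
    # virtual directories require it.
    $wsusutil = Join-Path $env:ProgramFiles "Update Services\Tools\wsusutil.exe"
    & $wsusutil configuressl $PublicFqdn
}

function Set-WuClientPolicy {
    # Registry equivalents of the "Specify intranet Microsoft update service
    # location" policy, for laptops that are rarely on the corporate network.
    param([Parameter(Mandatory=$true)][string]$ServerUrl)   # e.g. https://<PublicFqdn>:8531 (placeholder)
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    foreach ($path in @($key, "$key\AU")) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }
    Set-ItemProperty -Path $key -Name WUServer       -Value $ServerUrl
    Set-ItemProperty -Path $key -Name WUStatusServer -Value $ServerUrl
    Set-ItemProperty -Path "$key\AU" -Name UseWUServer -Value 1 -Type DWord
}

# Usage (placeholders):
# Set-WsusRoamingServer -PublicFqdn "wsus.example.com"
# Set-WuClientPolicy -ServerUrl "https://wsus.example.com:8531"
```

With HostBinariesOnMicrosoftUpdate set, the DMZ server exposes nothing but approval metadata, which is what limits the damage if that server is compromised; the SSL step protects the client-to-server channel so clients cannot be redirected to a different server by traffic tampering.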
High Availability Architecture
WSUS 3.0 includes native support for high availability
Upgrade Deployment
WSUS 3 SP1 setup supports in-place upgrade
One-way upgrade (no rollback)
Can't be done from WSUS 2 on Server 2000 or using SQL 2000
Part 2: Troubleshooting WSUS
Part 3: Tips and Tricks for Using WSUS
Potential solutions:
Ensure downloading only the languages you need
Configure patch distribution to occur in the evenings
Stagger patch distributions between tiered sites
Express installation files can exacerbate this: the bandwidth savings from express installation files occur from WSUS server to client, not between WSUS servers
Throttle BITS
Throttling BITS
BITS can be throttled either on the WSUS server or additionally on all the clients
Alleviates network saturation during update distribution and during client installation
Be aware that this does slow down update distributions!
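As an added example (not the deck's own code), this PowerShell function applies the "Limit the maximum network bandwidth for BITS background transfers" policy through its registry values, so update downloads are capped during working hours and unrestricted outside them. Run on clients (startup script or GPO) it throttles client downloads from WSUS; run on the WSUS server it also throttles that server's own downloads from its upstream server or Microsoft Update. The numbers are placeholders chosen for illustration.

```powershell
# Added example: set or remove the BITS bandwidth-limit policy via the registry.
# Applies to every BITS job on the machine, not only Windows Update downloads.
function Set-BitsThrottlePolicy {
    param(
        [int]$KbpsDuringSchedule  = 256,   # cap while the schedule is active (placeholder)
        [int]$ScheduleStartHour   = 8,     # 0-23, local time
        [int]$ScheduleEndHour     = 17,
        [int]$KbpsOutsideSchedule = 0      # 0 = use the system maximum (no cap)
    )
    $key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $values = @{
        EnableBITSMaxBandwidth     = 1
        MaxTransferRateOnSchedule  = $KbpsDuringSchedule
        MaxBandwidthValidFrom      = $ScheduleStartHour
        MaxBandwidthValidTo        = $ScheduleEndHour
        UseSystemMaximum           = [int]($KbpsOutsideSchedule -eq 0)
        MaxTransferRateOffSchedule = $KbpsOutsideSchedule
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $key -Name $name -Value $values[$name] -Type DWord
    }
    Get-ItemProperty -Path $key   # return the applied values for verification
}

function Remove-BitsThrottlePolicy {
    # Undo: remove only the limit values, leaving any other BITS policy alone.
    $key   = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS"
    $names = "EnableBITSMaxBandwidth", "MaxTransferRateOnSchedule", "MaxBandwidthValidFrom",
             "MaxBandwidthValidTo", "UseSystemMaximum", "MaxTransferRateOffSchedule"
    if (Test-Path $key) { Remove-ItemProperty -Path $key -Name $names -ErrorAction SilentlyContinue }
}
```

Because the deck warns that throttling slows distributions, the schedule window is the knob to tune: keep the daytime cap, but let the off-schedule rate fall back to the system maximum so overnight runs finish before the next business day.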
Server Tuning
Run cleanup and DB defrag every few months
Cleanup wizard is a new feature in WSUS 3: removes stale computers and updates
DB index defrag script available on ScriptCenter; keeps the server running fast
Look out:
Take care not to remove computers that are still active (but having trouble contacting the server)
Populate from AD sample tool can help
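As an added example (not from the deck), the PowerShell below addresses the "look out" above: it lists computers that have stopped reporting so they can be checked before anything is deleted, and it runs the same cleanup the wizard does with computer removal left off unless explicitly requested. It assumes the WSUS 3 administration console assembly; the 30-day window mirrors the cleanup wizard's own threshold for computers that have not contacted the server.

```powershell
# Added example: review stale computers first, then run the WSUS cleanup with
# the computer-removal option off by default.
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

function Get-WsusStaleComputers {
    param([int]$Days = 30)
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $cutoff = (Get-Date).AddDays(-$Days)
    # Computers that have not reported status within the window; a machine that is
    # still on but cannot reach the server shows up here too, which is the point.
    $wsus.GetComputerTargets() |
        Where-Object { $_.LastReportedStatusTime -lt $cutoff } |
        Select-Object FullDomainName, IPAddress, LastSyncTime, LastReportedStatusTime |
        Sort-Object LastReportedStatusTime
}

function Invoke-WsusCleanup {
    # Same options as the cleanup wizard. Pass -RemoveObsoleteComputers only
    # after the stale list has been reviewed (e.g. against AD or asset records).
    param([switch]$RemoveObsoleteComputers)
    $wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    $scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
    $scope.DeclineSupersededUpdates    = $true
    $scope.DeclineExpiredUpdates       = $true
    $scope.CleanupObsoleteUpdates      = $true
    $scope.CompressUpdates             = $true
    $scope.CleanupUnneededContentFiles = $true
    $scope.CleanupObsoleteComputers    = [bool]$RemoveObsoleteComputers
    # Returns a CleanupResults object with counts of what was removed or declined.
    $wsus.GetCleanupManager().PerformCleanup($scope)
}

# Typical run: review first, then clean.
# Get-WsusStaleComputers -Days 30 | Export-Csv stale-computers.csv -NoTypeInformation
# Invoke-WsusCleanup
```

Deleting a computer that is merely failing to check in also deletes its history, so a machine that was quietly missing patches disappears from every report; the review step keeps that blind spot visible.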
Limits exposure/risk
People typically aren't surfing on servers
The RAID 1 Undo Trick
Handling Reboots
Three methods:
Client-initiated
WSUS-initiated
Script-initiated
Two methodologies:
Scheduled reboots vs. rebooting for patch installation
' Script-initiated reboot: reboots every computer listed in computers.txt
' (one name per line) via WMI and records each outcome in results.txt.
RebootFile = "computers.txt"
LogFile = "results.txt"
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(RebootFile, 1, True)          ' 1 = ForReading
Set objTextFile = fso.OpenTextFile(LogFile, 2, True)   ' 2 = ForWriting
On Error Resume Next
Do Until f.AtEndOfStream
    strComputer = Trim(f.ReadLine)
    If strComputer <> "" Then
        ' (Shutdown) enables the shutdown privilege the Reboot method requires
        Set objWMIService = GetObject("winmgmts:" & _
            "{impersonationLevel=impersonate,(Shutdown)}!\\" & strComputer & "\root\cimv2")
        If Err.Number <> 0 Then
            objTextFile.WriteLine(strComputer & " is not responding.")
            Err.Clear
        Else
            Set colOperatingSystems = objWMIService.ExecQuery( _
                "Select * from Win32_OperatingSystem")
            objTextFile.WriteLine(strComputer & " is rebooting.")
            For Each objOperatingSystem In colOperatingSystems
                objOperatingSystem.Reboot()
            Next
        End If
    End If
Loop
f.Close
objTextFile.Close
Custom Reports
UI supports basic customization (filters)
Advanced customization can be built on the WSUS (.NET) API
Can use PowerShell scripts to generate reports
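As an added example (not the deck's own code), here is the kind of report the UI filters cannot produce directly: a per-computer compliance summary over approved updates, built on the WSUS administration API from PowerShell. It assumes the WSUS 3 administration console assembly; the group name in the usage line is a placeholder.

```powershell
# Added example: per-computer compliance over approved updates via the WSUS API.
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

function Get-WsusComplianceReport {
    param([string]$GroupName)   # omit to report on every computer
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    if ($GroupName) {
        $group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $GroupName }
        if (-not $group) { throw "No computer group named '$GroupName'" }
        $targets = $group.GetComputerTargets()
    } else {
        $targets = $wsus.GetComputerTargets()
    }
    # Count only updates whose latest revision is approved, so unapproved
    # updates do not inflate the "missing" column.
    $scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
    $scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved
    foreach ($t in $targets) {
        $s = $t.GetUpdateInstallationSummary($scope)
        New-Object PSObject -Property @{
            Computer      = $t.FullDomainName
            Installed     = $s.InstalledCount
            Missing       = $s.NotInstalledCount + $s.DownloadedCount
            Failed        = $s.FailedCount
            PendingReboot = $s.InstalledPendingRebootCount
            Unknown       = $s.UnknownCount
            LastReport    = $t.LastReportedStatusTime
        }
    }
}

# Usage (placeholder group): machines with failures or pending reboots first.
# Get-WsusComplianceReport -GroupName "Servers" |
#     Sort-Object Failed, PendingReboot -Descending |
#     Export-Csv compliance.csv -NoTypeInformation
```

The Unknown column is worth watching separately: a large Unknown count on a machine means the agent has not reported detection results at all, which is a reporting problem to fix before the compliance figures can be trusted.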
Agent Control
Use WUA API to control the agent
Custom install schedules
Updating servers in web farms
Implementing install now functionality
On-Demand Patching (You Patch Now!)
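As an added example (not from the deck), this PowerShell function implements the "install now" behaviour the slide lists, using the Windows Update Agent COM API: it makes the agent detect against the server it is configured for (the WSUS server when the WUServer policy is set), downloads and installs what is approved, and reports whether a reboot is pending instead of rebooting by itself. For a web farm, run it on one node at a time after taking that node out of the load balancer. Everything it calls is the standard WUA COM interface; nothing else is assumed.

```powershell
# Added example: on-demand detect/download/install through the WUA COM API.
# Run elevated. Returns counts and the reboot flag rather than printing them.
function Invoke-WuaInstallNow {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 1    # ssManagedServer: use the configured WSUS server
    $found = $searcher.Search("IsInstalled=0 and IsHidden=0")

    $toInstall = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $found.Updates) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$toInstall.Add($u)
    }
    if ($toInstall.Count -eq 0) {
        return New-Object PSObject -Property @{ Installed = 0; Failed = 0; RebootRequired = $false }
    }

    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $toInstall
    [void]$downloader.Download()

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $toInstall
    $result = $installer.Install()

    # OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed
    $installed = 0; $failed = 0
    for ($i = 0; $i -lt $toInstall.Count; $i++) {
        $code = $result.GetUpdateResult($i).ResultCode
        if ($code -eq 2) { $installed++ } else { $failed++ }
    }
    New-Object PSObject -Property @{
        Installed      = $installed
        Failed         = $failed
        RebootRequired = $result.RebootRequired
    }
}

# Usage: reboot through the scheduled-reboot process when RebootRequired is true.
# Invoke-WuaInstallNow
```

Leaving the reboot to the caller is deliberate: it keeps the "install now" step compatible with both methodologies on the Handling Reboots slide, scheduled reboots or rebooting as part of patch installation.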
Summary
WSUS is simple to use, but scales to enterprise
Flexible server deployment options: single server, scale up, branch office, scale out, disconnected, roaming laptops
Question & Answer
Resources
www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn
Resources for IT Professionals
2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S.
and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must
respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information
provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.