
Windows Server Update Services 3.0 Improvements for Distributed Networks


Microsoft Corporation
Published: June 2007
Author: Jeff Centimano

Abstract
This white paper highlights new and improved features in WSUS 3.0 that address update management for distributed networks. Distributed networks include businesses with multiple locations, or with a mobile workforce.

Note: For more information about Windows Server Update Services 3.0, including deployment recommendations and a step-by-step installation guide, please visit the WSUS TechCenter on Microsoft TechNet.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

2007 Microsoft Corporation. All rights reserved.

Microsoft, SQL Server, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Distributed Deployment Overview ..... 5
  Replica Servers ..... 5
  Autonomous Servers ..... 5
Improved Deployment Flexibility ..... 6
  Replica Mode Improvements ..... 6
  Automatic Update Client Improvements ..... 8
Scalability and High-Availability Improvements ..... 10
Other Deployment Considerations ..... 11
  Roaming WSUS Clients ..... 11
  Auditing WSUS Changes ..... 13
For More Information ..... 13

Distributed Deployment Overview


Microsoft Windows Server Update Services (WSUS) 3.0 introduces a completely rewritten user interface with rich status information and highly customizable reporting. However, other improvements promise to be just as compelling for WSUS administrators, especially those with distributed environments. This section highlights options for distributed WSUS deployments and is targeted at new WSUS administrators or those looking to expand their WSUS environment. Seasoned WSUS administrators may want to skip to the next section for an overview of what's changed in WSUS 3.0.

Replica Servers
Replica servers offer a simple way to extend the reach of your WSUS deployment without a corresponding increase in administrative overhead. Administrators with multiple physical locations can deploy replica servers to reduce bandwidth consumption, while still maintaining full control over the update experience. This is especially useful in remote locations with many computers, but no IT staff. Replica servers receive update approvals, computer groups, and update content from a parent server on a scheduled basis. Update content can include all, or only a subset of the languages available on the parent server. Computers can then download updates and report their status to a local replica server instead of communicating across the wide-area network (WAN). To facilitate organization-wide status reporting, replica servers upload detailed information about their local computers to a parent server during the normal synchronization process. Aside from initial setup and computer targeting, replica servers require very little ongoing management.

Autonomous Servers
Organizations with skilled IT staff in multiple locations may prefer to deploy autonomous WSUS servers. Aside from the ability to synchronize update content from a parent server (similar to replica server behavior), autonomous servers perform all other management and maintenance tasks locally. This includes approving updates, creating computer groups, and running status reports. Autonomous servers are also useful for test environments that are disconnected from the production network or the Internet. Update content and metadata from a production WSUS server are easily imported into a test environment using removable media.

Note: Autonomous servers only upload status summaries to their parent server. If your environment requires detailed reporting rollup, use replica servers instead.

Improved Deployment Flexibility


Replica Mode Improvements
Even though replica servers were introduced in WSUS 2.0, several key improvements in WSUS 3.0 make them even more desirable for distributed networks.

Built-In Reporting Rollup


Previously available as a separate download for WSUS 2.0, reporting rollup is now included and enabled by default in WSUS 3.0. Administrators can choose to display status information from replica servers globally (Figure 1), or on a one-off basis within the reporting interface (Figure 2). Aside from planning for the additional load created by downstream clients, no additional server configuration is required.

Figure 1: Global Reporting Rollup Setting

Figure 2: Reporting Interface Replica Visibility

Enable/Disable Replica Mode


In WSUS 2.0 the choice to deploy a replica server was only available during setup. If your network or business needs changed, the only way to enable/disable replica mode was to reinstall the product. WSUS 3.0 introduces the ability to toggle replica mode (Figure 3). Using a simple check-box, administrators can change a replica server to operate autonomously, or vice versa.

Figure 3: Configurable Replica Mode Setting

Being able to toggle replica mode also adds another layer to your WSUS 3.0 disaster recovery strategy. For example, if a parent server becomes unavailable due to hardware or software failure, a replica can be promoted on a temporary basis. This allows you to rebuild the failed parent server as a replica, synchronize update approvals and computer groups from the promoted server, and finally reconfigure all servers to their original roles. No disaster recovery plan should depend on this functionality; however, it may be useful when traditional server backups are not available.

Configurable Content Source


Many corporate WANs are characterized by a hub-and-spoke design, where branch offices connect to a headquarters location for all content. However, some WANs are more complex, consisting of multiple hub locations, or branch offices with a private link to headquarters and a separate connection to the Internet. New functionality in WSUS 3.0 allows administrators to split replica server communication and content download across two different connections. For example, a replica server with a slow private WAN link but high-speed Internet connectivity can synchronize update metadata, computer groups, and status information across the private WAN, then download approved update content from Microsoft Update servers using the high-speed Internet connection. This improved flexibility enables administrators to deploy replica servers where they were previously impractical because of limited WAN bandwidth.

Language Download Settings


Additional bandwidth savings can be achieved by only downloading updates in languages needed by clients in a particular location. In WSUS 3.0 replica servers now have the ability to synchronize a subset of the languages supported by the parent server. For global deployments, a best-practice design might include a parent server supporting all languages with geographical replica servers only downloading updates for their local language.

Automatic Update Client Improvements


WSUS 3.0 includes a new version of the Automatic Update (AU) client, which is automatically deployed the first time a computer contacts WSUS 3.0. The new AU client contains improvements for all supported operating systems, including the ability to install non-Microsoft updates and to collect machine inventory data. Some features of the new AU client are only accessible via the WSUS Application Programming Interface (API), or through additional products such as Microsoft System Center Essentials.

Windows Vista Peer Caching

Improvements in the Windows Vista AU client and Background Intelligent Transfer Service (BITS) 3.0 offer additional capabilities not found in other operating systems. Specifically, Windows Vista can take advantage of BITS 3.0 peer caching when connected to a WSUS 3.0 server. Peer caching enables Windows Vista to share approved update content with other Windows Vista computers in the same domain, and on the same IP subnet. Peer caching is configurable through Group Policy (Figure 4).

Figure 4: BITS Peer Caching Group Policy Setting

Peer caching can significantly reduce the load on your WSUS 3.0 servers. In Microsoft's internal WSUS 3.0 environment, up to 80 percent of Windows Vista clients download update content from their peers, and not directly from WSUS 3.0. BITS 3.0 peer caching can also benefit branch office environments that do not have a local WSUS server. If a large percentage of branch office computers run Windows Vista, you may decide to rely on peer caching instead of a WSUS replica server. More information on BITS 3.0 peer caching and other BITS best practices is located in the WSUS 3.0 Operations Guide, Appendix E.

Windows Vista Windows Update Application


Windows Vista also offers a graphical Windows Update application (Figure 5) not found in other operating systems. This application allows users to view Windows Update status and manually run a check for WSUS-hosted updates, all without resorting to command line utilities. The Windows Update application can be customized in a number of different ways. For example, administrators can use Active Directory Group Policy to remove the option to check for updates on the public Microsoft Update site. This is important for organizations that want complete control over approved and installed updates. However, organizations without an Internet-facing WSUS server may prefer to deploy updates this way instead of leaving clients exposed to potential issues. Regardless of how you choose to use this feature, it is a welcome addition to the product.


Figure 5: Windows Update Application

Scalability and High-Availability Improvements


Large and highly distributed networks often require additional capabilities that are not needed in smaller environments. This section addresses scalability and high-availability improvements in WSUS 3.0.

Native 64-Bit Support


WSUS 3.0 now comes in a native 64-bit version (x64) for use on Microsoft Windows Server 2003 x64 Edition. This version is appropriate for anyone running x64-compatible hardware, and offers specific scale-up benefits for large environments. For example, up to 20,000 clients are supported on a single server using the x64 version of WSUS 3.0. See the WSUS 3.0 Deployment Guide for a complete list of hardware recommendations for 32-bit and 64-bit deployments.

Network Load Balancing Support


Support for Network Load Balancing (NLB) is back in WSUS 3.0. Previously available in Software Update Services (SUS) but missing from WSUS 2.0, this high-availability technology is appropriate for large environments with strict service level agreements. By using NLB, two to four front-end WSUS 3.0 servers present themselves as a single server to WSUS clients. If a front-end server goes offline for planned maintenance or an unplanned component failure, clients continue to receive updates from the remaining NLB member(s).

Note: NLB clustering requires that the WSUS 3.0 database be stored on a separate SQL Server 2005 server. Additionally, NLB clustering does not increase the total number of clients supported by a single WSUS server.

Microsoft SQL Server 2005 Cluster Support


WSUS 3.0 now supports Microsoft SQL Server 2005 clustering to provide high availability for environments with a back-end database server. Microsoft SQL Server 2005 clustering can be used with a single front-end WSUS 3.0 server, or as part of a fully redundant design with NLB front-end servers.

Note: Unlike the Windows Internal Database included with WSUS 3.0, Microsoft SQL Server 2005 requires separate server and client access licenses. Contact your Microsoft Account Manager or a Microsoft Certified Partner for more information.

Other Deployment Considerations


Roaming WSUS Clients
Many organizations are concerned about keeping mobile computers updated when they roam between corporate locations and onto the public Internet. The solutions listed below are just a couple of possible ways to address this issue.

DNS Netmask Ordering


The DNS Netmask Ordering function in Windows Server 2003 allows roaming WSUS clients to be directed to the closest WSUS server (based on IP subnet). This type of design implies multiple WSUS servers, preferably a parent server at the network hub and replica servers in other locations. All WSUS servers must have host records in DNS with the same fully qualified domain name, but different IP addresses. Once DNS and WSUS are correctly configured, all name resolution requests for WSUS will return an IP address on the client's subnet. If a local WSUS server does not exist, DNS Round Robin will choose one at random. More information about DNS Netmask Ordering and Round Robin is located in Windows Server 2003 Help and Support.
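The following Python model is an added example, not code from the white paper or from the Windows DNS service. It simulates the resolver behaviour the design above depends on (one FQDN, several A records, the record on the client's subnet handed out first, a random pick otherwise) so an administrator can see in advance which client subnets will reach a local WSUS server and which will silently fall back to a random remote one across the WAN. The /24 comparison width and the sample addresses are assumptions made for the example; on a real DNS server the netmask used for ordering is a configurable setting.

```python
"""Simulate DNS netmask ordering with round-robin fallback for a WSUS FQDN.

Added example (not from the white paper or Windows DNS). The /24 width used to
decide what counts as "local" is an assumption; real servers make it a setting.
"""
import ipaddress
import random
from typing import Dict, List, Optional

# Constructed example: one FQDN (wsus.example.com) with an A record per site:
# hub server, branch A server, branch B server.
WSUS_RECORDS = ["10.0.0.10", "10.10.1.10", "10.20.1.10"]


def order_records(client_ip: str, records: List[str], prefix_len: int = 24,
                  seed: Optional[int] = None) -> List[str]:
    """Return the A records in the order a netmask-ordering DNS server would
    hand them to this client.

    Records on the client's subnet come first. The order inside each group is
    randomised, which models round robin: when nothing is local, the client
    gets an arbitrary remote server.
    """
    rng = random.Random(seed)
    client_net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    local = [r for r in records if ipaddress.ip_address(r) in client_net]
    remote = [r for r in records if ipaddress.ip_address(r) not in client_net]
    rng.shuffle(local)
    rng.shuffle(remote)
    return local + remote


def local_server_for(client_subnet: str, records: List[str]) -> Optional[str]:
    """Return the WSUS record inside client_subnet, or None when clients on
    that subnet will be sent to a random remote server instead."""
    net = ipaddress.ip_network(client_subnet, strict=False)
    matches = [r for r in records if ipaddress.ip_address(r) in net]
    return matches[0] if matches else None


def coverage_report(client_subnets: List[str],
                    records: List[str]) -> Dict[str, Optional[str]]:
    """Map every client subnet to the server netmask ordering will prefer.

    A None value flags a site that has no local record and will pull update
    content across the WAN, which is the gap a replica server is meant to fill.
    """
    return {subnet: local_server_for(subnet, records) for subnet in client_subnets}


if __name__ == "__main__":
    print(order_records("10.10.1.55", WSUS_RECORDS))
    print(coverage_report(["10.0.0.0/24", "10.10.1.0/24", "10.30.1.0/24"],
                          WSUS_RECORDS))
```

Because every server answers under the same FQDN, a certificate used for SSL on any of these servers (as the next section recommends for published servers) has to be issued for that shared name, or clients will reject it; the coverage report is also the quickest way to spot a branch whose clients are unexpectedly crossing the WAN.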

Publishing WSUS 3.0 Using Microsoft ISA Server


Although DNS Netmask Ordering is helpful when roaming between locations on the internal network, another solution is needed to accommodate WSUS clients outside the corporate firewall. One option is to publish WSUS 3.0 on the Internet using Microsoft Internet Security and Acceleration (ISA) Server. If you decide to implement this solution you can simply publish an internal WSUS server, or use a replica server in a demilitarized zone (DMZ) network. Regardless of which server you publish, SSL is recommended so roaming computers can verify the identity of your WSUS server. Step-by-step instructions to publish WSUS using Microsoft ISA Server are available in the Microsoft whitepaper Implementing WSUS with ISA Server 2004 to Manage Remote Clients. Although this whitepaper was written for WSUS 2.0 the concepts are still valid for WSUS 3.0. However, important information in the ISA Server web publishing section is out-of-date. Please refer to Table 1 on the following page for a correct list of WSUS 3.0 virtual directories to publish.

Virtual Directory          Publish HTTP?    Publish HTTPS?
/Content/*
/Selfupdate/*
/ClientWebService/*
/Inventory/*
/SimpleAuthWebService/*
/ReportingWebService/*

Table 1: Correct List of WSUS 3.0 Virtual Directories

Note: The following virtual directories should not be exposed to the Internet:
/ApiRemoting30 - Used for API access, including the WSUS Administration Console
/DssAuthWebService - Allows other WSUS servers to authenticate to the server
/ServerSyncWebService - Allows other WSUS servers to sync with the server
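The publishing rule described by Table 1 and the note above can be expressed as a path policy and then checked against what the proxy actually let through. The Python below is an added example, not code from the white paper or from ISA Server: the publishable and internal-only directory lists come straight from the page, while the fail-closed normalisation rules (rejecting '..' segments, backslashes and double percent-encoding rather than trying to canonicalise them the way IIS would) and the proxy log format are assumptions made for the example.

```python
"""Path policy for publishing a WSUS 3.0 server through a reverse proxy.

Added example, not from the white paper or ISA Server. Directory lists are
from Table 1 and the note after it; the normalisation rules and the log
format are this example's own assumptions.
"""
from typing import List, Optional
from urllib.parse import unquote

# Virtual directories Table 1 lists as publishable, matched as "/Name/*".
PUBLISHED = (
    "/Content/",
    "/Selfupdate/",
    "/ClientWebService/",
    "/Inventory/",
    "/SimpleAuthWebService/",
    "/ReportingWebService/",
)

# Virtual directories the paper says must never be exposed to the Internet.
INTERNAL_ONLY = ("/ApiRemoting30", "/DssAuthWebService", "/ServerSyncWebService")


def normalize_path(raw: str) -> Optional[str]:
    """Return a canonical lower-case path, or None if the request is malformed.

    IIS compares paths case-insensitively, so the policy does too. Instead of
    guessing how the back end would collapse traversal sequences, anything that
    still contains '%' after one decode (double encoding), a backslash, a NUL,
    or a '.'/'..' segment is rejected outright.
    """
    path = raw.split("?", 1)[0].split("#", 1)[0]
    decoded = unquote(path)
    if "%" in decoded or "\\" in decoded or "\x00" in decoded:
        return None  # fail closed rather than normalise further
    if not decoded.startswith("/"):
        return None
    if any(segment in ("..", ".") for segment in decoded.split("/")):
        return None  # dot segments would change what the back end sees
    return decoded.lower()


def publish_decision(raw_path: str) -> str:
    """Classify a request path as 'allow' or a 'deny:<reason>' string."""
    path = normalize_path(raw_path)
    if path is None:
        return "deny:malformed"
    for prefix in INTERNAL_ONLY:
        p = prefix.lower()
        if path == p or path.startswith(p + "/"):
            return "deny:internal-only"
    if any(path.startswith(prefix.lower()) for prefix in PUBLISHED):
        return "allow"
    return "deny:not-listed"  # default deny for anything Table 1 omits


# Constructed proxy log for the example (not a real ISA Server log format):
# date time client method path status
CONSTRUCTED_PROXY_LOG = """\
2007-06-01 08:00:01 203.0.113.5 POST /ClientWebService/client.asmx 200
2007-06-01 08:00:04 203.0.113.5 GET /Content/aa/example.cab 200
2007-06-01 08:00:09 203.0.113.5 GET /Selfupdate/wuident.cab 200
2007-06-01 08:01:10 198.51.100.7 POST /ApiRemoting30/service.asmx 200
2007-06-01 08:02:30 198.51.100.7 GET /content/%2e%2e/ServerSyncWebService/sync.asmx 200
2007-06-01 08:03:00 198.51.100.7 GET /DssAuthWebService/auth.asmx 403
"""


def find_exposed_internal_requests(log_text: str) -> List[str]:
    """Return paths answered with 2xx although the policy says they should not
    have been published. Each hit is a publishing rule gap to close."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        path, status = parts[4], parts[5]
        if status.startswith("2") and publish_decision(path) != "allow":
            hits.append(path)
    return hits


if __name__ == "__main__":
    for p in ("/Content/aa/example.cab", "/ApiRemoting30/service.asmx",
              "/Content/../ApiRemoting30/service.asmx"):
        print(p, "->", publish_decision(p))
    print("exposed:", find_exposed_internal_requests(CONSTRUCTED_PROXY_LOG))
```

The policy is deliberately strict: a legitimately encoded literal percent sign in a file name is rejected along with double-encoded traversal attempts, which is the right trade-off for a public entry point that only needs to serve a known set of update paths. Running the log check after every rule change confirms that nothing outside Table 1 is being answered successfully from the Internet.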

Auditing WSUS Changes


Large organizations often have multiple administrators who are responsible for software update management. These organizations may also be subject to industry regulations on computer security. In such environments it is important to maintain an audit trail of when updates are approved, and by whom. WSUS 3.0 includes a new log file to record this type of information. The file name is Change.log and by default it is located in the %ProgramFiles%\UpdateServices\LogFiles directory. In addition to update approval changes, the file records content synchronization, computer group additions/deletions, and server configuration changes.

For More Information


WSUS 3.0 is a compelling software update management tool for organizations of any size. The following information will help you evaluate and deploy WSUS 3.0 in your environment:

The WSUS TechCenter on Microsoft TechNet (late-breaking information)
WSUS 3.0 Documentation:
  o Release Notes for Microsoft WSUS 3.0
  o Microsoft WSUS 3.0 Overview
  o Step-by-Step Guide to Getting Started with Microsoft WSUS 3.0
  o Deploying Microsoft WSUS 3.0
  o WSUS 3.0 Operations Guide
WSUS 3.0 Download (x86 and x64)
Management Pack Catalog (for organizations running MOM 2005 or SCOM 2007)
