Deploying and Managing Microsoft Windows Server Update Services 3.0 Server Michael Kleef Blogs.technet.com/mkleef Technology Advisor Microsoft Australia

Managing a WSUS 3.0 Deployment Take-aways for maintaining a WSUS 3.0 Server Deployment Architectures Migration from WSUS2 to WSUS3 Overview of WSUS3 deployment


Deploying and Managing Microsoft Windows Server Update Services 3.0 Server

Michael Kleef
Blogs.technet.com/mkleef
Technology Advisor
Microsoft Australia

Session Objectives and Agenda
• Managing a WSUS 3.0 Deployment
• Take-aways for maintaining a WSUS 3.0 Server
• Deployment Architectures
• Migration from WSUS2 to WSUS3
• Overview of WSUS3 deployment for Config Manager 2007

WSUS 3.0 Goals
• Build on the momentum of Windows Server Update Services (WSUS) 2.0
  • WSUS 2.0 ranked as #1 Patch Management Product by readers of Windows IT Pro magazine
  • Continue to provide a simple, low-cost solution for distributing Microsoft Updates to Windows
• Address top customer asks and feedback
• Enhance the infrastructure to support advanced management products
  • Microsoft System Center Configuration Manager 2007
  • Microsoft System Center Essentials
  • Third-party products
• Support Windows Vista and Windows Server 2008 (Beta 3)

New WSUS 3.0 Features

Simplicity
• Initial configuration wizard
• MMC-based UI with advanced filtering and sorting
• Email notification of new updates (and/or compliance summary)
• Multiple, more granular auto-approval rules
• Integrated reporting rollup
• Cleanup wizard

Operational Reliability
• Access to more content – import from the MU catalog site
• MOM pack
• Improved logging and audit logging
• NLB and SQL clustering
• Best practices

Deployment
• Branch office scale-out optimizations
  • language subsetting
  • content from MU
  • sync more frequently (up to hourly)
  • toggle replica mode
• Integrated reporting rollup
• Read-only administrative role (WSUS reporters)
• Enhanced targeting
• Upgrade to SCE or Configuration Manager 2007

Performance
• Native x64 support
• Vista BITS peer-caching
• Scalability improvements

Supported Platforms
• Installing the WSUS Server requires
  • Windows 2003 SP1+ (full support), Windows Server 2008 beta3+ (beta support)
  • SQL Server 2005 SP1+ (only if using full SQL)
  • Internet Information Services 6.0
  • .NET Framework 2.0
  • MMC 3.0
  • Report Viewer
• The server can manage
  • Windows 2000 SP4, Windows XP SP1, Vista
  • Windows Server 2003, Windows Server 2008 beta3
• x86 and x64 support parity
• All supported Windows locales

Update Management - Basics
• Server default is to auto-approve all updates for detection
• Recommendation
  • Configure auto-approvals for Critical, security and definition updates
  • Configure desktops to be scheduled installation every day (with "immediate installation" enabled)
  • Configure servers for download and notify
  • Use sample scripts to control server install behaviors

DEMO: WSUS 3.0 Console

Update Compliance - Basics
• Rich set of deployment status reports
  • Per update
  • Group of computers/single computer
  • By approval type
• Centralized reporting
  • Update deployment status across all servers in an organization (roll-up)
  • Drilldown capabilities
• Read-only report access through new "Reporters" user role
• Proactive status through configurable e-mail notifications
• Export reports to XLS or PDF

DEMO: WSUS 3.0 Reporting

Server Maintenance
• WSUS servers require very little ongoing maintenance
• Three key areas
  • Client computers
    • Dynamic environments will need to manage computers appearing and disappearing
  • Update content
    • Purging of superseded/expired/declined content
  • Database
    • Backup
    • Defragmentation of indexes

Server Maintenance - Computers
• Why clean up clients?
  • Computers enter and leave the environment due to repurposing or retirement
  • Stale computers will slow reporting, increase DB size and add unneeded "noise"
• Simplest approach is to use the Server Cleanup Wizard
  • Will remove computers that have not contacted the server in 30 days
• API samples available for finer control
  • Clean Stale Computers
  • Populate computers from AD
  • http://www.microsoft.com/technet/windowsserver/wsus/default.mspx

Server Maintenance - Updates

WhyUnapproving or Declining updates does not delete update content

Remove content for superseded updates that you no longer need

Reduce disk space requirements

From the UI unapprove superseded updates that are not needed by any computers

Run the Server Cleanup Wizard which will deleteMetadata for expired updates that havenrsquot been approved for 90 days

Old revisions of updates

Unneeded files for updates that are not in use on the server and are not needed by a Downstream Server

Decline expired updates that are unneeded and have been unapproved for at least 30 days

Server Maintenance - Database
• Periodically defrag the DB
• Have a disaster recovery plan
  • Many customers' plan is to reinstall
  • Alternative is to back up the server database
    • For the Windows Internal Database you will have to run a SQLCMD script to back up the database
    • Download the SQL Management Studio for easier management of the Windows Internal Database or SQL Express
    • Location of the WID backup: %windir%\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig\WSUSSignDb

Backup and Defragmenting
• Backup Windows Internal Database

    SQLCMD -S np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query -E -Q "backup database SUSDB to disk='c:\susdb.bak'"

• Index Defrag example
  • http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true

Server Maintenance – Best Practices
• Run the Cleanup wizard
  • Periodically, especially after rolling out a new SP
  • After 2.0 -> Upgrade
• Computers
  • Clean up from the bottom of your hierarchy to the top
• Updates
  • Always start at the top of the hierarchy and work down
  • Content deletion does not replicate
• Have a Disaster Recovery plan

DEMO: Cleanup Wizard

Server Monitoring
• Use the MOM 2005 WSUS Management pack for advanced monitoring needs
  • Provides alerts and health information for the server
  • Limited monitoring of individual client health
• Monitors
  • Database health – 11000 series events
  • Core server component health – 10000 series events
    • Content sync agent -- 10030
    • Meta data sync agent -- 10020
    • E-mail -- 10050

Server Monitoring
• Monitors (cont.)
  • Web service health – 12000 series events
    • Reporting Web Service – 12000
    • API remoting Web Service – 12010
    • Client Web Service – 12020
    • Server Sync Web Service – 12030
    • SimpleAuth Web Service – 12040
    • DSS Auth Web Service -- 12050
  • Clients – 13000 series events
    • Alerts if clients have a >10% failure rate for updates -- 13001
    • Self update failures -- 13040

Server Troubleshooting
• Server reports
  • E-mail reports
  • Sync reports
  • Computers and Updates reports
• SoftwareDistribution.log
• Change log
• Clients
  • Update and Computer reports
  • Client WindowsUpdate.log
• Custom reporting from APIs and client log collections
• Use Server Diagnostics Tool to check the server

Lessons learned: Common Client Issues
• Client "Not Yet Reported"
  • Two main issues
    • Self Update failing
    • Can't contact the server properly
  • Usually latency issue
    • wuauclt /detectnow
  • Rare cases require client reset
• Automatic Update Agent not updating
  • Permissions on directory
  • Wrong port specified in GP
  • Versions less than 5.4.3790.1000 indicate AU version 1.0 is installed

Lessons learned: Process to check client
• Run Client Diagnostics Tool
  • http://technet.microsoft.com/en-us/wsus/bb466192.aspx
• Check WUAU version
• Confirm ports in GP match the server itself
  • http://wsusserver:8530
• gpupdate /force
• Run a wuauclt.exe /detectnow and wait...
  • Look in the windowsupdate.log
  • Check for any errors
• wuauclt.exe /resetauthorization /detectnow
  • Wait...
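The read-only parts of this checklist (agent version, the server and port delivered by Group Policy, recent log errors) can be collected in one pass. The script below is an added example, not part of the presentation. It assumes PowerShell 3.0 or later, that the agent version can be read from wuaueng.dll, that the policy value WUServer sits under the standard Windows Update policy key, and that the client still writes the legacy plain-text WindowsUpdate.log; the function names are hypothetical.

```powershell
# Added example (not from the presentation): read-only WSUS client check.
# Assumptions: PowerShell 3.0+, legacy plain-text %windir%\WindowsUpdate.log.

$MinAgentVersion = [version]'5.4.3790.1000'   # below this = AU 1.0, per the slide
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-TcpPort {
    # Returns $true if a TCP connection to host:port succeeds within the timeout.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-WsusClientHealth {
    # 1. Agent version, read from the Windows Update engine DLL.
    $fv = (Get-Item (Join-Path $env:windir 'System32\wuaueng.dll')).VersionInfo
    $parts = $fv.FileMajorPart, $fv.FileMinorPart, $fv.FileBuildPart, $fv.FilePrivatePart
    $agent = New-Object System.Version -ArgumentList $parts

    # 2. Server URL and port that Group Policy actually delivered to this client.
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $wuServer = $null
    $port = $null
    $reachable = $false
    if ($policy -and $policy.WUServer) {
        $wuServer = $policy.WUServer
        $parsed = $null
        $ok = [uri]::TryCreate($wuServer, [System.UriKind]::Absolute, [ref]$parsed)
        if ($ok -and $parsed.Scheme -match '^https?$') {
            $port = $parsed.Port   # compare with the port the WSUS site listens on
            $reachable = Test-TcpPort -HostName $parsed.Host -Port $port
        }
    }

    # 3. Warnings and fatal errors in the tail of the client log.
    $log = Join-Path $env:windir 'WindowsUpdate.log'
    $problems = @()
    if (Test-Path $log) {
        $problems = @(Get-Content $log -Tail 200 |
            Select-String -Pattern 'WARNING:|FATAL:' |
            ForEach-Object { $_.Line })
    }

    [pscustomobject]@{
        AgentVersion      = $agent
        LegacyAU1Client   = ($agent -lt $MinAgentVersion)
        PolicyWUServer    = $wuServer
        PolicyPort        = $port
        ServerReachable   = $reachable
        RecentLogProblems = $problems
    }
}

Get-WsusClientHealth | Format-List
```

A client with no WUServer policy value reports an empty PolicyWUServer, which means the Group Policy setting never reached it.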

Lessons learned: If the client has lost the plot...
• Stop the Automatic Updates Service
• Delete the SoftwareDistribution directory
• Delete the reg keys
  • Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
  • PingID
  • AccountDomainSid
  • SusClientId
• Delete the client record in WSUS
• Restart the Automatic Updates Service
• wuauclt /detectnow
• Wait 20 mins...
• Recheck logs
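The client-side steps of this reset, scripted so they run in the order listed and can be previewed with -WhatIf. This is an added example, not part of the presentation. It assumes the Automatic Updates service is named wuauserv and that the script runs elevated on the affected client; the function names are hypothetical, and deleting the client record on the WSUS server stays a manual step between the two calls.

```powershell
# Added example (not from the presentation): the client reset as two functions.
# Run elevated on the affected client. Both functions support -WhatIf.

$WuRegKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$WuRegValues = 'PingID', 'AccountDomainSid', 'SusClientId'   # values named on the slide
$WuService   = 'wuauserv'                                    # assumed service name

function Clear-WsusClientState {
    # Stops the service, deletes the SoftwareDistribution directory and the
    # three identity values. Returns the list of items actually removed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$DataDir = (Join-Path $env:windir 'SoftwareDistribution'))

    $removed = @()
    if ($PSCmdlet.ShouldProcess($WuService, 'Stop service')) {
        Stop-Service -Name $WuService -Force -ErrorAction Stop
    }
    if ((Test-Path $DataDir) -and $PSCmdlet.ShouldProcess($DataDir, 'Delete directory')) {
        Remove-Item -Path $DataDir -Recurse -Force -ErrorAction Stop
        $removed += $DataDir
    }
    foreach ($name in $WuRegValues) {
        $exists = Get-ItemProperty -Path $WuRegKey -Name $name -ErrorAction SilentlyContinue
        if ($exists -and $PSCmdlet.ShouldProcess("$WuRegKey\$name", 'Delete registry value')) {
            Remove-ItemProperty -Path $WuRegKey -Name $name -ErrorAction Stop
            $removed += "$WuRegKey\$name"
        }
    }
    return $removed
}

function Start-WsusClientDetection {
    # Restarts the service and asks the agent to contact the server again.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($WuService, 'Start service and trigger detection')) {
        Start-Service -Name $WuService -ErrorAction Stop
        & (Join-Path $env:windir 'System32\wuauclt.exe') /detectnow
    }
}

# Order from the slide:
#   Clear-WsusClientState
#   (delete the client's record in the WSUS console)
#   Start-WsusClientDetection
#   wait about 20 minutes, then recheck WindowsUpdate.log
```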

Deployment Architectures
Common network architectures
• Single server
• Remote SQL
• BITS Peer Caching
• NLB
• WSUS Hierarchies
• Branch Office

Single Server
• A single server can support up to 25k clients
• Console-only install for remote administration (e.g. from XP or Vista clients)
• Read-only WSUS access to non-admin members of the "WSUS Reporters" group
• Point machines to the server via Group Policy
• No need to deploy clients: the built-in WUA will "self-update" from the server on next sync
• Variety of WUA policies available, including sync rate (recommend twice/day), scheduled install (recommend daily for desktops) and reboot behavior (can't postpone reboots indefinitely because it's not safe/supported)
• Enable BITS peer-caching policy for efficient network use
  • Internal MSFT deployment had 70% cache-hit rate

Advanced Deployment Options
• SQL 2005 SP1
  • WSUS3 has a unified front-end/back-end setup
  • No performance gain over built-in/default "Windows Internal Database" option
  • Each WSUS client requires a SQL CAL
  • Recommendation: Use only if available/convenient
• NLB
  • Provides redundancy/no single point of failure – not scale up
  • Multiple front-ends all point to the same SQL backend and shared content folder
  • Recommendation: Use only if required, since it's easy to just rebuild a failed WSUS server

WSUS Hierarchies
• Used for scale-out or branch office support
  • Autonomous servers get update binaries and metadata from parent "upstream" server (USS)
  • Replica children also get approvals from USS
• New WSUS3 features for hierarchies
  • Reporting roll-up across replicas
  • More granular sync schedule, up to hourly
  • Toggle replica mode
  • Downstream Server (DSS) can sync a subset of USS language binaries
  • DSS can get approvals from USS and binaries from MU: useful if DSS has broadband internet connection but only narrowband to USS

Upgrade Scenarios
• From SUS1
  • Not directly supported
• Upgrading a single server
  • In-place upgrade: WSUS2->WSUS3 on a single server
  • Migration upgrade: WSUS2->WSUS3 on different servers
• Upgrading a server hierarchy
  • Connected servers
  • Disconnected servers

In-place Upgrade
• Simply install WSUS3 on same server as WSUS2
• In-place upgrade preserves settings, updates and approvals
• Customized IIS settings must be re-applied after the upgrade (port, SSL, host headers)
• Clients "self-update" next time they sync
• Watch out
  • Uninstalling WSUS3 will not bring back WSUS2
  • If using SQL 2000, setup will fail: use migration upgrade
  • If using remote SQL 2005, need to first uninstall the backend (leave DB behind), then upgrade
    • Because WSUS3 has unified frontend/backend setup

Migration Upgrade
• Install WSUS3 on a new server
• Migrate updates and approvals
  • Export/import content folder via ntbackup
  • Sync the WSUS3 server to get the latest metadata
  • Export/import approvals and target groups via WsusMigrate SDK sample
• Point clients to the new server
  • Change GPO to point clients to the new server/port
  • Clients will "self-update" next time they sync

Upgrading a Hierarchy
• Upgrade must be performed top-down
  • WSUS 2.0 servers can synchronize updates from a 3.0 server (but not vice versa)
• Watch-out
  • DSS must be WSUS2 SP1 or have KB910847 installed (else replica sync may fail after USS upgrade)
• Post-upgrade, take advantage of new WSUS3 deployment options
  • Reporting rollup (on by default)
  • DSS can sync a subset of languages
  • DSS sync from MU but host locally (for narrowband connections to USS)
  • Can sync more frequently

Configuration Manager 2007
• Software Update Management (SUM) built on WSUS 3
  • Full Microsoft update catalog
  • Can also manage non-Microsoft software updates
• Included as Managed Server role in site hierarchy
  • Full benefits of site management, Binary Delta Replication, etc.
  • No need to configure/manage WSUS directly

Software Update Management End-to-End
[Diagram: numbered flow between MU, WSUS, Site Server, MP, DB, Distribution Point, SUM Admin UI and Client UI]
1. WSUS gets Update Metadata Catalog from MU
2. WSUS syncs Metadata Catalog with Site Server
3. WUA scans client for missing updates against WSUS server
4. Scan results are stored in WMI
5. Compliance State messages are sent to MP
6. Compliance State messages are sent to DB
7. Compliance reports show aggregated scan results
8. Admin UI is used to deploy updates
9. Binaries are downloaded from MU
10. Updates are placed in a Deployment Package on Distribution Point
11. Client gets policy for deployment
12. Client gets update binaries from deployment package and stores them in cache on client
13. Updates are automatically installed on schedule or directly by end user
14. Enforcement State messages are sent to MP
15. Enforcement State messages are sent to DB
16. Deployment reports show aggregated enforcement results

Summary
• WSUS 3.0 requires very little maintenance
• A little bit of love will help your server run more happily

Resources
• Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx
• Microsoft Developer Network (MSDN) & TechNet: http://microsoft.com/msdn, http://microsoft.com/technet, http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true
• Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx
• Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
• Microsoft.Public.Windows.Server.Update_Services, http://blogs.technet.com/wsus
• My contact information: http://blogs.technet.com/mkleef

Q&A

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 3: Managing a WSUS 3.0 Deployment Take-aways for maintaining a WSUS 3.0 Server Deployment Architectures Migration from WSUS2 to WSUS3 Overview of WSUS3 deployment

WSUS 30 Goals

Build on the momentum of Windows Server Update Services (WSUS) 20

WSUS 20 Ranked as 1 Patch Management Product by readers of Windows IT Pro magazine

Continue to provide a simple low cost solution for distributing Microsoft Updates to Windows

Address top customer asks and feedback

Enhance the infrastructure to support advanced management products

Microsoft System Center Configuration Manager 2007

Microsoft System Center Essentials

Third-party products

Support Windows Vista and Windows Server 2008 (Beta 3)

Initial configuration wizard

MMC-based UI with advanced filtering and sorting

Email notification of new updates (andor compliance summary)

Multiple more granular auto-approval rules

Integrated reporting rollup

Cleanup wizardSimplicity

New WSUS 30 Features

Access to more content ndash import from the MU catalog siteMOM packImproved logging and audit logging

NLB and SQL clustering

Best practicesOperational Reliability

Branch office scale-out optimizations

language subsetting

content from MU

sync more frequently (up to hourly)

toggle replica mode

Integrated reporting rollup

Read-only administrative role (WSUS reporters)

Enhanced targeting

Upgrade to SCE or Configuration Manager 2007

Deployment

Performance

Native x64 supportVista BITS peer-cachingScalability improvements

Supported Platforms

bull Installing the WSUS Server requiresbull Windows 2003 SP1+ (full support) Windows Server

2008 beta3+ (beta support)bull SQL Server 2005 SP1+ (only if using full SQL)bull Internet Information Services 60bull NET Framework 20bull MMC 30bull Report Viewer

bull The server can managebull Windows 2000 SP4 Windows XP SP1 Vistabull Windows Server 2003 Windows Server 2008 beta3

bull x86 and x64 support paritybull All supported Windows locales

Update Management - Basics

• Server default is to auto-approve all updates for detection
• Recommendation
  • Configure auto-approvals for Critical, security and definition updates
  • Configure desktops to be scheduled installation every day (with "immediate installation" enabled)
  • Configure servers for download and notify
  • Use sample scripts to control server install behaviors

DEMO: WSUS 3.0 Console

Update Compliance - Basics

• Rich Set of Deployment Status Reports
  • Per update
  • Group of computers / single computer
  • By approval type
• Centralized Reporting
  • Update deployment status across all servers in an organization (roll-up)
  • Drilldown capabilities
• Read-only report access through new "Reporters" user role
• Proactive status through configurable E-Mail Notifications
• Export reports to XLS or PDF

DEMO: WSUS 3.0 Reporting

Server Maintenance

• WSUS servers require very little ongoing maintenance
• Three key areas
  • Client computers
    • Dynamic environments will need to manage computers appearing and disappearing
  • Update content
    • Purging of superseded/expired/declined content
  • Database
    • Backup
    • Defragmentation of indexes

Server Maintenance - Computers

• Why clean up clients
  • Computers enter and leave the environment due to repurposing or retirement
  • Stale computers will slow reporting, increase DB size and add unneeded "noise"
• Simplest approach is to use the Server Cleanup Wizard
  • Will remove computers that have not contacted the server in 30 days
• API samples available for finer control
  • Clean Stale Computers
  • Populate computers from AD
  • http://www.microsoft.com/technet/windowsserver/wsus/default.mspx

Server Maintenance - Updates

• Why
  • Unapproving or Declining updates does not delete update content
  • Remove content for superseded updates that you no longer need
  • Reduce disk space requirements
• From the UI, unapprove superseded updates that are not needed by any computers
• Run the Server Cleanup Wizard, which will delete
  • Metadata for expired updates that haven't been approved for 90 days
  • Old revisions of updates
  • Unneeded files for updates that are not in use on the server and are not needed by a Downstream Server
• Decline expired updates that are unneeded and have been unapproved for at least 30 days

Server Maintenance - Database

• Periodically defrag the DB
• Have a disaster recovery plan
  • Many customers' plan is to reinstall
  • Alternative is to back up the server database
    • For the Windows Internal Database you will have to run a SQLCMD script to back up the database
    • Download the SQL Management Studio for easier management of the Windows Internal Database or SQL Express
    • Location of the WID backup: %windir%\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig\WSUSSignDb

Backup and Defragmenting

• Backup Windows Internal Database

    SQLCMD -S np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query -E -Q "backup database SUSDB to disk='c:\susdb.bak'"

• Index Defrag example
  • http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true

Server Maintenance – Best Practices

• Run the Cleanup wizard
  • Periodically, especially after rolling out a new SP
  • After 2.0 -> Upgrade
• Computers
  • Clean up from the bottom of your hierarchy to the top
• Updates
  • Always start at the top of the hierarchy and work down
  • Content deletion does not replicate
• Have a Disaster Recovery plan

DEMO: Cleanup Wizard

Server Monitoring

• Use the MOM 2005 WSUS Management pack for advanced monitoring needs
  • Provides alerts and health information for the server
  • Limited monitoring of individual client health
• Monitors
  • Database health – 11000 series events
  • Core server component health – 10000 series events
    • Content sync agent -- 10030
    • Meta data sync agent -- 10020
    • E-mail -- 10050

Server Monitoring

• Monitors (cont.)
  • Web service health – 12000 series events
    • Reporting Web Service – 12000
    • API remoting Web Service – 12010
    • Client Web Service – 12020
    • Server Sync Web Service – 12030
    • SimpleAuth Web Service – 12040
    • DSS Auth Web Service -- 12050
  • Clients – 13000 series events
    • Alerts if clients have a >10% failure rate for updates -- 13001
    • Self update failures -- 13040

Server Troubleshooting

• Server reports
  • E-mail reports
  • Sync Reports
  • Computers and Updates reports
  • SoftwareDistribution.log
  • Change log
• Clients
  • Update and Computer reports
  • Client WindowsUpdate.log
• Custom Reporting from APIs and client log collections
• Use Server Diagnostics Tool to check the server

Lessons learned: Common Client Issues

• Client "Not Yet Reported"
  • Two main issues
    • Self Update failing
    • Can't contact the server properly
  • Usually latency issue
    • wuauclt /detectnow
  • Rare cases require client reset
• Automatic Update Agent not updating
  • Permissions on directory
  • Wrong port specified in GP
  • Versions less than 5.4.3790.1000 indicate AU version 1.0 is installed

Lessons learned: Process to check client

• Run Client Diagnostics Tool
  • http://technet.microsoft.com/en-us/wsus/bb466192.aspx
• Check WUAU version
• Confirm ports in GP match the server itself
  • http://wsusserver:8530
• gpupdate /force
• Run a wuauclt.exe /detectnow and wait…
  • Look in the WindowsUpdate.log
  • Check for any errors
• wuauclt.exe /resetauthorization /detectnow
  • Wait…
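The two configuration checks in this process (agent version against 5.4.3790.1000, and the Group Policy server and port against the real server) can be scripted. The PowerShell below is an added example, not part of the presentation; the function names, wuaueng.dll as the version source and the Windows Update policy registry key are assumptions, and the sample values are constructed.

```powershell
# Added example, not from the presentation. Assumed names: Test-WsusClientConfig,
# Get-WsusClientState. Assumed sources: wuaueng.dll for the agent version and the
# Windows Update policy key for the Group Policy server setting.

$MinAgentVersion = [version]'5.4.3790.1000'   # threshold quoted on the slide
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-WsusClientConfig {
    param(
        [Parameter(Mandatory = $true)][version]$AgentVersion,
        [string]$PolicyServerUrl,
        [Parameter(Mandatory = $true)][string]$ExpectedServerUrl
    )
    $findings = @()

    # Below the threshold means the old AU 1.0 agent is still installed.
    if ($AgentVersion -lt $MinAgentVersion) {
        $findings += "Agent version $AgentVersion is below $MinAgentVersion (AU 1.0 still installed)"
    }

    $expected = $null
    if (-not [uri]::TryCreate($ExpectedServerUrl, [UriKind]::Absolute, [ref]$expected)) {
        throw "ExpectedServerUrl is not an absolute URL: $ExpectedServerUrl"
    }

    $policy = $null
    if ([string]::IsNullOrEmpty($PolicyServerUrl)) {
        $findings += 'No WUServer value in Group Policy; client is not pointed at WSUS'
    }
    elseif (-not [uri]::TryCreate($PolicyServerUrl, [UriKind]::Absolute, [ref]$policy) -or
            $policy.Scheme -notmatch '^https?$') {
        $findings += "WUServer is not an http(s) URL: $PolicyServerUrl"
    }
    else {
        if ($policy.Host -ne $expected.Host) {
            $findings += "GP host '$($policy.Host)' does not match server '$($expected.Host)'"
        }
        # Uri.Port resolves the scheme default, so http://host and http://host:80 compare equal.
        if ($policy.Port -ne $expected.Port) {
            $findings += "GP port $($policy.Port) does not match server port $($expected.Port)"
        }
    }

    [pscustomobject]@{
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Gathers the live values on a client and runs the same checks.
function Get-WsusClientState {
    param([Parameter(Mandatory = $true)][string]$ExpectedServerUrl)
    $info = (Get-Item (Join-Path $env:windir 'System32\wuaueng.dll')).VersionInfo
    $agent = New-Object System.Version -ArgumentList $info.FileMajorPart,
        $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart
    $gp = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    Test-WsusClientConfig -AgentVersion $agent -PolicyServerUrl $gp.WUServer -ExpectedServerUrl $ExpectedServerUrl
}

# Constructed inputs: an old agent whose policy omits the port while the server uses 8530.
$sample = Test-WsusClientConfig -AgentVersion '5.4.3000.0' -PolicyServerUrl 'http://wsusserver' -ExpectedServerUrl 'http://wsusserver:8530'
$sample | Format-List
```

On a real client, call `Get-WsusClientState -ExpectedServerUrl 'http://wsusserver:8530'` with your own server URL before moving on to the detection and reset-authorization steps.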

Lessons learned: If the client has lost the plot…

• Stop the Automatic Updates Service
• Delete the SoftwareDistribution Directory
• Delete the reg keys
  • Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
    • PingID
    • AccountDomainSid
    • SusClientId
• Delete the client record in WSUS
• Restart the Automatic Updates Service
• wuauclt /detectnow
• Wait 20 mins…
• Recheck logs
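The client-side steps of this reset, written as one PowerShell function with -WhatIf support so the changes can be previewed first. This is an added example, not part of the presentation; the function name, the service name wuauserv and %windir%\SoftwareDistribution as the directory meant by the slide are assumptions. Deleting the client record in WSUS happens on the server and is not scripted here.

```powershell
# Added example, not from the presentation. Run elevated on the affected client.
# Assumed: function name, service name wuauserv, %windir%\SoftwareDistribution.
function Reset-WsusClientIdentity {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$RegPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate',
        [string]$DataDir = (Join-Path $env:windir 'SoftwareDistribution')
    )
    # Registry values named on the slide.
    $idValues = 'PingID', 'AccountDomainSid', 'SusClientId'

    # 1. Stop the Automatic Updates service so its files and values are not in use.
    if ($PSCmdlet.ShouldProcess('wuauserv', 'Stop Automatic Updates service')) {
        Stop-Service -Name wuauserv -Force -ErrorAction Stop
    }

    # 2. Delete the SoftwareDistribution directory (it is recreated on service start).
    if ((Test-Path $DataDir) -and $PSCmdlet.ShouldProcess($DataDir, 'Delete directory')) {
        Remove-Item -Path $DataDir -Recurse -Force -ErrorAction Stop
    }

    # 3. Delete the identity values; skip any that are already absent.
    foreach ($name in $idValues) {
        $present = Get-ItemProperty -Path $RegPath -Name $name -ErrorAction SilentlyContinue
        if ($present -and $PSCmdlet.ShouldProcess("$RegPath\$name", 'Delete registry value')) {
            Remove-ItemProperty -Path $RegPath -Name $name -ErrorAction Stop
        }
    }

    # 4. The client record is deleted on the WSUS server before the client
    #    reports in again; that step is manual and outside this function.

    # 5. Restart the service and trigger detection.
    if ($PSCmdlet.ShouldProcess('wuauserv', 'Start Automatic Updates service and detect')) {
        Start-Service -Name wuauserv -ErrorAction Stop
        & (Join-Path $env:windir 'System32\wuauclt.exe') /detectnow
    }
    # Then wait about 20 minutes and recheck WindowsUpdate.log, as the slide says.
}

# Preview without changing anything:
#   Reset-WsusClientIdentity -WhatIf
```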

Deployment Architectures

• Common network architectures
  • Single server
  • Remote SQL
  • BITS Peer Caching
  • NLB
  • WSUS Hierarchies
  • Branch Office

Single Server

• A single server can support up to 25k clients
  • Console-only install for remote administration (e.g. from XP or Vista clients)
  • Read-only WSUS access to non-admin members of the "WSUS Reporters" group
• Point machines to the server via Group Policy
  • No need to deploy clients; the built-in WUA will "self-update" from the server on next sync
  • Variety of WUA policies available, including sync rate (recommend twice/day), scheduled install (recommend daily for desktops) and reboot behavior (can't postpone reboots indefinitely because it's not safe/supported)
• Enable BITS peer-caching policy for efficient network use
  • Internal MSFT deployment had 70% cache-hit rate

Advanced Deployment Options

• SQL 2005 SP1
  • WSUS3 has a unified front-end/back-end setup
  • No performance gain over built-in/default "Windows Internal Database" option
  • Each WSUS client requires a SQL CAL
  • Recommendation: Use only if available/convenient
• NLB
  • Provides redundancy/no single-point of failure – not scale up
  • Multiple front-ends all point to the same SQL backend and shared content folder
  • Recommendation: Use only if required, since it's easy to just rebuild a failed WSUS server

WSUS Hierarchies

• Used for scale-out or branch office support
  • Autonomous servers get update binaries and metadata from parent "upstream" server (USS)
  • Replica children also get approvals from USS
• New WSUS3 features for hierarchies
  • Reporting roll-up across replicas
  • More granular sync schedule, up to hourly
  • Toggle replica mode
  • Downstream Server (DSS) can sync a subset of USS language binaries
  • DSS can get approvals from USS and binaries from MU; useful if DSS has broadband internet connection but only narrowband to USS

Upgrade Scenarios

• From SUS1
  • Not directly supported
• Upgrading a single server
  • In-place upgrade: WSUS2->WSUS3 on a single server
  • Migration upgrade: WSUS2->WSUS3 on different servers
• Upgrading a server hierarchy
  • Connected servers
  • Disconnected servers

In-place Upgrade

• Simply install WSUS3 on same server as WSUS2
  • In-place upgrade preserves settings, updates and approvals
  • Customized IIS settings must be re-applied after the upgrade (port, SSL, host headers)
  • Clients "self-update" next time they sync
• Watch out
  • Uninstalling WSUS3 will not bring back WSUS2
  • If using SQL 2000, setup will fail; use migration upgrade
  • If using remote SQL 2005, need to first uninstall the backend (leave DB behind), then upgrade
    • Because WSUS3 has unified frontend/backend setup

Migration Upgrade

• Install WSUS3 on a new server
• Migrate updates and approvals
  • Export/import content folder via ntbackup
  • Sync the WSUS3 server to get the latest metadata
  • Export/import approvals and target groups via WsusMigrate SDK sample
• Point clients to the new server
  • Change GPO to point clients to the new server/port
  • Clients will "self-update" next time they sync

Upgrading a Hierarchy

• Upgrade must be performed top-down
  • WSUS 2.0 Servers can synchronize updates from a 3.0 Server (but not vice versa)
• Watch-out
  • DSS must be WSUS2 SP1 or have KB910847 installed (else replica sync may fail after USS upgrade)
• Post-upgrade, take advantage of new WSUS3 deployment options
  • Reporting rollup (on by default)
  • DSS can sync a subset of languages
  • DSS sync from MU but host locally (for narrowband connections to USS)
  • Can sync more frequently

Configuration Manager 2007

• Software Update Management (SUM) built on WSUS 3
  • Full Microsoft update catalog
  • Can also manage non-Microsoft software updates
• Included as Managed Server role in site hierarchy
  • Full benefits of site management: Binary Delta Replication, etc.
  • No need to configure/manage WSUS directly

Software Update Management End-to-End

(Diagram labels: SUM Admin UI, Client UI)

1. WSUS gets Update Metadata Catalog from MU
2. WSUS syncs Metadata Catalog with Site Server
3. WUA scans client for missing updates against WSUS server
4. Scan results are stored in WMI
5. Compliance State messages are sent to MP
6. Compliance State messages are sent to DB
7. Compliance reports show aggregated scan results
8. Admin UI is used to deploy updates
9. Binaries are downloaded from MU
10. Updates are placed in a Deployment Package on Distribution Point
11. Client gets policy for deployment
12. Client gets update binaries from deployment package and stores them in cache on client
13. Updates are automatically installed on schedule or directly by end user
14. Enforcement State messages are sent to MP
15. Enforcement State messages are sent to DB
16. Deployment reports show aggregated enforcement results

Summary

• WSUS 3.0 requires very little maintenance
• A little bit of love will help your server run more happily

Resources

• Technical Communities, Webcasts, Blogs, Chats & User Groups
  http://www.microsoft.com/communities/default.mspx
• Microsoft Developer Network (MSDN) & TechNet
  http://microsoft.com/msdn
  http://microsoft.com/technet
  http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true
• Trial Software and Virtual Labs
  http://www.microsoft.com/technet/downloads/trials/default.mspx
• Microsoft Learning and Certification
  http://www.microsoft.com/learning/default.mspx
• Microsoft.Public.Windows.Server.Update_Services
  http://blogs.technet.com/wsus
• My contact information
  http://blogs.technet.com/mkleef

Q&A

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Supported Platforms

bull Installing the WSUS Server requiresbull Windows 2003 SP1+ (full support) Windows Server

2008 beta3+ (beta support)bull SQL Server 2005 SP1+ (only if using full SQL)bull Internet Information Services 60bull NET Framework 20bull MMC 30bull Report Viewer

bull The server can managebull Windows 2000 SP4 Windows XP SP1 Vistabull Windows Server 2003 Windows Server 2008 beta3

bull x86 and x64 support paritybull All supported Windows locales

Update Management - Basics

Server Default is to auto-approve all updates for detectionRecommendation

Configure auto-approvals for Critical security and definition updatesConfigure desktops to be scheduled installation every day (with ldquoimmediate installationrdquo enabled)Configure servers for download and notifyUse sample scripts to control server install behaviors

DEMOWSUS 30 Console

Update Compliance - Basics

Rich Set of Deployment Status ReportsPer updateGroup of computerssingle computerBy approval type

Centralized ReportingUpdate deployment status across all servers in an organization (roll-up)Drilldown capabilities

Read-only report access through new ldquoReportersrdquo user roleProactive status through configurable E-Mail NotificationsExport reports to XLS or PDF

DEMOWSUS 30 Reporting

Server Maintenance

WSUS servers require very little ongoing maintenanceThree key areas

Client computersDynamic environments will need to manage computers appearing and disappearing

Update contentPurging of supersededexpireddeclined content

DatabaseBackup

Defragmentation of indexes

Server Maintenance - Computers

Why clean up clientsComputers enter and leave the environment due to repurposing or retirement

Stale computers will slow reporting increase DB size and add unneeded ldquonoiserdquo

Simplest approach is to use the Server Cleanup WizardWill remove computers that have not contacted the server in 30 days

API samples available for finer controlClean Stale Computers

Populate computers from AD

httpwwwmicrosoftcomtechnetwindowsserverwsusdefaultmspx

Server Maintenance - Updates

WhyUnapproving or Declining updates does not delete update content

Remove content for superseded updates that you no longer need

Reduce disk space requirements

From the UI unapprove superseded updates that are not needed by any computers

Run the Server Cleanup Wizard which will deleteMetadata for expired updates that havenrsquot been approved for 90 days

Old revisions of updates

Unneeded files for updates that are not in use on the server and are not needed by a Downstream Server

Decline expired updates that are unneeded and have been unapproved for at least 30 days

Server Maintenance - Database

Periodically defrag the DBHave a disaster recover plan

Many customers plan is to reinstallAlternative is to backup the server database

For the Windows Internal Database you will have to run a SQLCMD script to backup the database

Download the SQL Management Studio for easier management of the Windows Internal Database or SQL Express

Location of the WID backup windirSYSMSISSEEMSSQL2005MSSQLSchemaSigWSUSSignDb

Backup and Defragmenting

Backup Windows Internal Database

SQLCMD -S nppipeMSSQL$MICROSOFTSSEEsqlquery -E -Q ldquobackup database SUSDB to disk=rsquocsusdbbakrsquordquo

Index Defrag example

httpwwwmicrosoftcomtechnetscriptcenterscriptssusserversusvvb01mspxmfr=true

Server Maintenance ndash Best Practices

Run the Cleanup wizardPeriodically especially after rolling out a new SPAfter 20 -gt UpgradeComputers

Clean up from the bottom of your hierarchy to the top

UpdatesAlways start at the top of the hierarchy and work down

Content deletion does not replicate

Have a Disaster Recovery plan

DEMOCleanup Wizard

Server Monitoring

Use the MOM 2005 WSUS Management pack for advanced monitoring needs

Provides alerts and health information for the server Limited monitoring of individual client health

MonitorsDatabase health ndash 11000 Series eventsCore server component health ndash 10000 series events

Content sync agent -- 10030

Meta data sync agent -- 10020

E-mail -- 10050

Server Monitoring

Monitors contWeb service health ndash12000 series events

Reporting Web Service ndash 12000

API remoting Web Service ndash 12010

Client Web Service ndash 12020

Server Sync Web Service ndash 12030

SimpleAuth Web Service ndash 12040

DSS Auth Web Service -- 12050

Clients ndash 13000 series eventsAlerts if clients have a gt10 failure rate for updates --13001

Self update failures --13040

Server TroubleshootingServer reports

E-mail reports

Sync Reports

Computers and Updates reports

SoftwareDistributionlog

Change log

ClientsUpdate and Computer reports

Client WindowsUpdatelog

Custom Reporting from APIrsquos and client log collections

Use Server Diagnostics Tool to check the server

Lessons learnedCommon Client Issues

Client ldquoNot Yet ReportedrdquoTwo main issues

Self Update failing

Cant contact the server properly

Usually latency issue

Wuauclt detectnow

Rare cases require client reset

Automatic Update Agent not updatingPermissions on directory

Wrong port specified in GP

Versions less than 5437901000 indicates AU version 10 is installed

Lessons learned: Process to check client

  • Run Client Diagnostics Tool: http://technet.microsoft.com/en-us/wsus/bb466192.aspx
  • Check WUAU version
  • Confirm ports in GP match the server itself: http://wsusserver:8530
  • gpupdate /force
  • Run wuauclt.exe /detectnow and wait...
      • Look in the WindowsUpdate.log
      • Check for any errors
  • wuauclt.exe /resetauthorization /detectnow
      • Wait...
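
The version, port and log checks from the process above, written as a read-only PowerShell function (an added example, not part of the original deck or any Microsoft tool). The function and parameter names, wuaueng.dll as the agent binary, the WindowsUpdate policy key and the WARNING:/FATAL: log markers are assumptions of this example; the sample input is constructed.

```powershell
# Added example: read-only evaluation of the "process to check client" steps.
function Test-WsusClient {
    param(
        [Parameter(Mandatory = $true)][version]$AgentVersion,     # version of wuaueng.dll (assumed binary)
        [Parameter(Mandatory = $true)][string]$ExpectedServerUrl, # what the server really listens on
        [string]$PolicyServerUrl,                                  # WUServer policy value
        [string]$PolicyStatusUrl,                                  # WUStatusServer policy value
        [string[]]$LogLines = @()                                  # tail of WindowsUpdate.log
    )
    $findings = @()

    # Slides: anything below 5.4.3790.1000 means AU version 1.0 is still installed.
    if ($AgentVersion -lt [version]'5.4.3790.1000') {
        $findings += "Agent version $AgentVersion is below 5.4.3790.1000: AU 1.0 is installed, self-update has not run"
    }

    # Slides: the port configured in Group Policy must match the server itself.
    $expected = [uri]$ExpectedServerUrl
    $policy = [ordered]@{ WUServer = $PolicyServerUrl; WUStatusServer = $PolicyStatusUrl }
    foreach ($name in $policy.Keys) {
        $value  = $policy[$name]
        $actual = $null
        if ([string]::IsNullOrEmpty($value)) {
            $findings += "$name is not set: the WSUS Group Policy has not applied"
        }
        elseif (-not [uri]::TryCreate($value, [System.UriKind]::Absolute, [ref]$actual)) {
            $findings += "$name is not a valid URL: $value"
        }
        elseif ($actual.Scheme -ne $expected.Scheme -or
                $actual.Host   -ne $expected.Host   -or
                $actual.Port   -ne $expected.Port) {
            $findings += "$name is $value but the server is $ExpectedServerUrl"
        }
    }

    # Slides: look in WindowsUpdate.log and check for any errors.
    foreach ($line in $LogLines) {
        if ($line -cmatch 'WARNING:|FATAL:') { $findings += "Log: $($line.Trim())" }
    }
    $findings
}

# Constructed sample input (not taken from a real client).
$sampleLog = @(
    "2007-06-01`t10:15:02:123`t 912`t4a0`tAU`tTriggering AU detection through DetectNow API",
    "2007-06-01`t10:15:04:456`t 912`t5b8`tPT`tWARNING: SyncUpdates failure, error = 0x80072EFD"
)
$result = @(Test-WsusClient -AgentVersion '5.4.0.0' `
        -ExpectedServerUrl 'http://wsusserver:8530' `
        -PolicyServerUrl   'http://wsusserver' `
        -PolicyStatusUrl   'http://wsusserver:8530' `
        -LogLines $sampleLog)
$result

# On a live client the inputs can be collected like this:
#   $v   = (Get-Item "$env:windir\system32\wuaueng.dll").VersionInfo
#   $ver = '{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart
#   $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
#   $log = Get-Content "$env:windir\WindowsUpdate.log" | Select-Object -Last 200
#   Test-WsusClient -AgentVersion $ver -ExpectedServerUrl 'http://wsusserver:8530' `
#       -PolicyServerUrl $pol.WUServer -PolicyStatusUrl $pol.WUStatusServer -LogLines $log
```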

Lessons learned: If the client has lost the plot...

  • Stop the Automatic Updates service
  • Delete the SoftwareDistribution directory
  • Delete the reg keys
      • Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
      • PingID
      • AccountDomainSid
      • SusClientId
  • Delete the client record in WSUS
  • Restart the Automatic Updates service
  • wuauclt /detectnow
  • Wait 20 mins...
  • Recheck logs

Deployment Architectures

Common network architectures
  • Single server
  • Remote SQL
  • BITS Peer Caching
  • NLB
  • WSUS Hierarchies
  • Branch Office

Single Server

  • A single server can support up to 25k clients
  • Console-only install for remote administration (e.g. from XP or Vista clients)
  • Read-only WSUS access to non-admin members of the "WSUS Reporters" group
  • Point machines to the server via Group Policy
  • No need to deploy clients; the built-in WUA will "self-update" from the server on next sync
  • Variety of WUA policies available, including sync rate (recommend twice/day), scheduled install (recommend daily for desktops) and reboot behavior (can't postpone reboots indefinitely because it's not safe/supported)
  • Enable BITS peer-caching policy for efficient network use. Internal MSFT deployment had 70% cache-hit rate

Advanced Deployment Options

  • SQL 2005 SP1
      • WSUS3 has a unified front-end/back-end setup
      • No performance gain over built-in/default "Windows Internal Database" option
      • Each WSUS client requires a SQL CAL
      • Recommendation: Use only if available/convenient
  • NLB
      • Provides redundancy/no single-point of failure – not scale up
      • Multiple front-ends all point to the same SQL backend and shared content folder
      • Recommendation: Use only if required, since it's easy to just rebuild a failed WSUS server

WSUS Hierarchies

  • Used for scale-out or branch office support
      • Autonomous servers get update binaries and metadata from parent "upstream" server (USS)
      • Replica children also get approvals from USS
  • New WSUS3 features for hierarchies
      • Reporting roll-up across replicas
      • More granular sync schedule, up to hourly
      • Toggle replica mode
      • Downstream Server (DSS) can sync a subset of USS language binaries
      • DSS can get approvals from USS and binaries from MU; useful if DSS has broadband internet connection but only narrowband to USS

Upgrade Scenarios

From SUS1
  • Not directly supported

Upgrading a single server
  • In-place upgrade: WSUS2 -> WSUS3 on a single server
  • Migration upgrade: WSUS2 -> WSUS3 on different servers

Upgrading a server hierarchy
  • Connected servers
  • Disconnected servers

In-place Upgrade

  • Simply install WSUS3 on same server as WSUS2
  • In-place upgrade preserves settings, updates and approvals
  • Customized IIS settings must be re-applied after the upgrade (port, SSL, host headers)
  • Clients "self-update" next time they sync

Watch out
  • Uninstalling WSUS3 will not bring back WSUS2
  • If using SQL 2000, setup will fail; use migration upgrade
  • If using remote SQL 2005, need to first uninstall the backend (leave DB behind), then upgrade
      • Because WSUS3 has unified frontend/backend setup

Migration Upgrade

Install WSUS3 on a new server

Migrate updates and approvals
  • Export/import content folder via ntbackup
  • Sync the WSUS3 server to get the latest metadata
  • Export/import approvals and target groups via WsusMigrate SDK sample

Point clients to the new server
  • Change GPO to point clients to the new server/port
  • Clients will "self-update" next time they sync

Upgrading a Hierarchy

  • Upgrade must be performed top-down
  • WSUS 2.0 servers can synchronize updates from a 3.0 server (but not vice versa)

Watch-out
  • DSS must be WSUS2 SP1 or have KB910847 installed (else replica sync may fail after USS upgrade)

Post-upgrade, take advantage of new WSUS3 deployment options
  • Reporting rollup (on by default)
  • DSS can sync a subset of languages
  • DSS sync from MU but host locally (for narrowband connections to USS)
  • Can sync more frequently

Configuration Manager 2007

Software Update Management (SUM) built on WSUS 3
  • Full Microsoft update catalog
  • Can also manage non-Microsoft software updates

Included as Managed Server role in site hierarchy
  • Full benefits of site management: Binary Delta Replication, etc.
  • No need to configure/manage WSUS directly

Software Update Management End-to-End

[Diagram; labels: SUM Admin UI, Client UI. Numbered steps:]

  1. WSUS gets Update Metadata Catalog from MU
  2. WSUS syncs Metadata Catalog with Site Server
  3. WUA scans client for missing updates against WSUS server
  4. Scan results are stored in WMI
  5. Compliance State messages are sent to MP
  6. Compliance State messages are sent to DB
  7. Compliance reports show aggregated scan results
  8. Admin UI is used to deploy updates
  9. Binaries are downloaded from MU
  10. Updates are placed in a Deployment Package on Distribution Point
  11. Client gets policy for deployment
  12. Client gets update binaries from deployment package and stores them in cache on client
  13. Updates are automatically installed on schedule or directly by end user
  14. Enforcement State messages are sent to MP
  15. Enforcement State messages are sent to DB
  16. Deployment reports show aggregated enforcement results

Summary

  • WSUS 3.0 requires very little maintenance
  • A little bit of love will help your server run more happily

Resources

  • Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx
  • Microsoft Developer Network (MSDN) & TechNet: http://microsoft.com/msdn, http://microsoft.com/technet, http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true
  • Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx
  • Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
  • Microsoft.Public.Windows.Server.Update_Services, http://blogs.technet.com/wsus
  • My contact information: http://blogs.technet.com/mkleef

Q&A

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

  • Deploying and Managing Microsoft Windows Server Update Services
  • Session Objectives and Agenda
  • WSUS 3.0 Goals
  • New WSUS 3.0 Features
  • Supported Platforms
  • Update Management - Basics
  • WSUS 3.0 Console
  • Update Compliance - Basics
  • WSUS 3.0 Reporting
  • Server Maintenance
  • Server Maintenance - Computers
  • Server Maintenance - Updates
  • Server Maintenance - Database
  • Backup and Defragmenting
  • Server Maintenance – Best Practices
  • Cleanup Wizard
  • Server Monitoring
  • Server Monitoring (2)
  • Server Troubleshooting
  • Lessons learned
  • Lessons learned (2)
  • Lessons learned (3)
  • Deployment Architectures
  • Single Server
  • Advanced Deployment Options
  • WSUS Hierarchies
  • Upgrade Scenarios
  • In-place Upgrade
  • Migration Upgrade
  • Upgrading a Hierarchy
  • Configuration Manager 2007
  • Software Update Management End-to-End
  • Summary
  • Resources
  • Slide 37
  • Slide 38

Update Management - Basics

Server Default is to auto-approve all updates for detection

Recommendation
  • Configure auto-approvals for Critical, security and definition updates
  • Configure desktops for scheduled installation every day (with "immediate installation" enabled)
  • Configure servers for download and notify
  • Use sample scripts to control server install behaviors

DEMO: WSUS 3.0 Console

Update Compliance - Basics

Rich Set of Deployment Status Reports
  • Per update
  • Group of computers/single computer
  • By approval type

Centralized Reporting
  • Update deployment status across all servers in an organization (roll-up)
  • Drilldown capabilities

Read-only report access through new "Reporters" user role

Proactive status through configurable E-Mail Notifications

Export reports to XLS or PDF

DEMO: WSUS 3.0 Reporting

Server Maintenance

WSUS servers require very little ongoing maintenance

Three key areas
  • Client computers
      • Dynamic environments will need to manage computers appearing and disappearing
  • Update content
      • Purging of superseded/expired/declined content
  • Database
      • Backup
      • Defragmentation of indexes

Server Maintenance - Computers

Why clean up clients?
  • Computers enter and leave the environment due to repurposing or retirement
  • Stale computers will slow reporting, increase DB size, and add unneeded "noise"

Simplest approach is to use the Server Cleanup Wizard
  • Will remove computers that have not contacted the server in 30 days

API samples available for finer control
  • Clean Stale Computers
  • Populate computers from AD
  • http://www.microsoft.com/technet/windowsserver/wsus/default.mspx

Server Maintenance - Updates

Why?
  • Unapproving or Declining updates does not delete update content
  • Remove content for superseded updates that you no longer need
  • Reduce disk space requirements

From the UI, unapprove superseded updates that are not needed by any computers

Run the Server Cleanup Wizard, which will delete
  • Metadata for expired updates that haven't been approved for 90 days
  • Old revisions of updates
  • Unneeded files for updates that are not in use on the server and are not needed by a Downstream Server

Decline expired updates that are unneeded and have been unapproved for at least 30 days

Server Maintenance - Database

Periodically defrag the DB

Have a disaster recovery plan
  • Many customers' plan is to reinstall
  • Alternative is to back up the server database
  • For the Windows Internal Database you will have to run a SQLCMD script to back up the database
  • Download the SQL Management Studio for easier management of the Windows Internal Database or SQL Express
  • Location of the WID backup: %windir%\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSigWSUSSignDb

Backup and Defragmenting

Backup Windows Internal Database

SQLCMD -S np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query -E -Q "backup database SUSDB to disk='c:\susdb.bak'"

Index Defrag example

http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true

Server Maintenance ndash Best Practices

Run the Cleanup wizardPeriodically especially after rolling out a new SPAfter 20 -gt UpgradeComputers

Clean up from the bottom of your hierarchy to the top

UpdatesAlways start at the top of the hierarchy and work down

Content deletion does not replicate

Have a Disaster Recovery plan

DEMOCleanup Wizard

Server Monitoring

Use the MOM 2005 WSUS Management pack for advanced monitoring needs

Provides alerts and health information for the server Limited monitoring of individual client health

MonitorsDatabase health ndash 11000 Series eventsCore server component health ndash 10000 series events

Content sync agent -- 10030

Meta data sync agent -- 10020

E-mail -- 10050

Server Monitoring

Monitors contWeb service health ndash12000 series events

Reporting Web Service ndash 12000

API remoting Web Service ndash 12010

Client Web Service ndash 12020

Server Sync Web Service ndash 12030

SimpleAuth Web Service ndash 12040

DSS Auth Web Service -- 12050

Clients ndash 13000 series eventsAlerts if clients have a gt10 failure rate for updates --13001

Self update failures --13040

Server TroubleshootingServer reports

E-mail reports

Sync Reports

Computers and Updates reports

SoftwareDistributionlog

Change log

ClientsUpdate and Computer reports

Client WindowsUpdatelog

Custom Reporting from APIrsquos and client log collections

Use Server Diagnostics Tool to check the server

Lessons learnedCommon Client Issues

Client ldquoNot Yet ReportedrdquoTwo main issues

Self Update failing

Cant contact the server properly

Usually latency issue

Wuauclt detectnow

Rare cases require client reset

Automatic Update Agent not updatingPermissions on directory

Wrong port specified in GP

Versions less than 5437901000 indicates AU version 10 is installed

Lessons learnedProcess to check client

Run Client Diagnostics Toolhttptechnetmicrosoftcomen-uswsusbb466192aspx

Check WUAU version

Confirm ports in GP match the server itselfhttpwsusserver8530

Gpupdate force

Run a wuaucltexe detectnow and waithellipLook in the windowsupdatelog

Check for any errors

wuaucltexe resetauthorization detectnowWaithellip

Lessons learnedIf the client has lost the plothellip

Stop the Automatic Updates ServiceDelete the SoftwareDistribution DirectoryDelete the reg keys

Go to HKLMSOFTWAREMicrosoftWindowsCurrentVersionWin dowsUpdate

PingID

AccountDomainSid

SusClientId

Delete the client record in WSUSRestart the Automatic Updates ServicesWuauclt detectnowWait 20minshellipRecheck logs

Deployment Architectures

Common network architecturesbull Single serverbull Remote SQLbull BITS Peer Cachingbull NLBbull WSUS Hierarchiesbull Branch Office

Single Server

bull A single server can support up to 25k clientsbull Console-only install for remote administration (eg from

XP or Vista clients)bull Read-only WSUS access to non-admin members of the

ldquoWSUS Reportersrdquo group

bull Point machines to the server via Group Policybull No need to deploy clients the built-in WUA will ldquoself-

updaterdquo from the server on next syncbull Variety of WUA policies available including sync rate

(recommend twiceday) scheduled install (recommend daily for desktops) and reboot behavior (canrsquot postpone reboots indefinitely because itrsquos not safesupported)

bull Enable BITS peer-caching policy for efficient network use Internal MSFT deployment had 70 cache-hit rate

Advanced Deployment Options

bull SQL 2005 SP1bull WSUS3 has a unified front-endback-end setupbull No performance gain over built-indefault ldquoWindows

Internal Databaserdquo optionbull Each WSUS client requires a SQL CALbull Recommendation Use only if availableconvenient

bull NLBbull Provides redundancyno single-point of failure ndash not

scale upbull Multiple front-ends all point to the same SQL backend

and shared content folderbull Recommendation Use only if required since itrsquos easy to

just rebuild a failed WSUS server

WSUS Hierarchies

bull Used for scale-out or branch office supportbull Autonomous servers get update binaries and metadata

from parent ldquoupstreamrdquo server (USS)bull Replica children also get approvals from USS

bull New WSUS3 features for hierarchiesbull Reporting roll-up across replicasbull More granular sync schedule up to hourlybull Toggle replica modebull Downstream Server (DSS) can sync a subset of USS

language binariesbull DSS can get approvals from USS and binaries from MU

useful if DSS has broadband internet connection but only narrowband to USS

Upgrade Scenarios

From SUS1Not directly supported

Upgrading a single serverIn-place upgrade WSUS2-gtWSUS3 on a single serverMigration upgrade WSUS2-gtWSUS3 on different servers

Upgrading a server hierarchyConnected serversDisconnected servers

In-place Upgrade

Simply install WSUS3 on same server as WSUS2In-place upgrade preserves settings updates and approvalsCustomized IIS settings must be re-applied after the upgrade (port SSL host headers)Clients ldquoself-updaterdquo next time they sync

Watch outUninstalling WSUS3 will not bring back WSUS2If using SQL 2000 setup will fail use migration upgradeIf using remote SQL 2005 need to first uninstall the backend (leave DB behind) then upgrade

Because WSUS3 has unified frontendbackend setup

Migration Upgrade

Install WSUS3 on a new serverMigrate updates and approvalsbull Exportimport content folder via ntbackupbull Sync the WSUS3 server to get the latest metadatabull Exportimport approvals and target groups via

WsusMigrate SDK sample

Point clients to the new serverChange GPO to point clients to the new serverportClients will ldquoself-updaterdquo next time they sync

Upgrading a Hierarchy

Upgrade must be performed top-downWSUS 20 Servers can synchronize updates from a 30 Server (but not vice versa)

Watch-outDSS must be WSUS2 SP1 or have KB910847 installed (else replica sync may fail after USS upgrade)

Post-upgrade take advantage of new WSUS3 deployment options

Reporting rollup (on by default)DSS can sync a subset of languageDSS sync from MU but host locally (for narrowband connections to USS)Can synch more frequently

Configuration Manager 2007Software Update Management (SUM) built on WSUS 3

Full Microsoft update catalog

Can also manage non-Microsoft software updatesIncluded as Managed Server role in site hierarchy

Full benefits of site management Binary Delta Replication etc

No need to configuremanage WSUS directly

Software Update Management End-to-End

SUM Admin UI

4 Scan results are stored in

WMI

8 Admin UI is used to deploy

updates

13 Updates are automatically installed on schedule or directly

by end user

Client UI

1 WSUS gets Update

Metadata Catalog from MU

2 WSUS syncs Metadata

Catalog with Site Server

3 WUA scans client for missing updates against WSUS server

7 Compliance reports show aggregated scan results

16 Deployment reports show aggregated enforcement

results

9 Binaries are downloaded

from MU

10 Updates are placed in a Deployment Package on Distribution

Point

11 Client gets policy for

deployment

14 Enforcement State messages are sent to MP

5 Compliance State messages are sent to MP

12 Client gets update binaries

from deployment package and

stores them in cache on client

15 Enforcement State messages are sent to DB

6 Compliance State messages are sent to DB

Summary

WSUS 30 requires very little maintenanceA little bit of love will help your server run more happily

Resources

Technical Communities Webcasts Blogs Chats amp User Groupshttpwwwmicrosoftcomcommunitiesdefaultmspx

Microsoft Developer Network (MSDN) amp TechNet httpmicrosoftcommsdn httpmicrosoftcomtechnet httpwwwmicrosoftcomtechnetscriptcenterscriptssusserversusvvb01mspxmfr=true

Trial Software and Virtual Labshttpwwwmicrosoftcomtechnetdownloadstrialsdefaultmspx

Microsoft Learning and Certificationhttpwwwmicrosoftcomlearningdefaultmspx

MicrosoftPublicWindowsServerUpdate_Services httpblogstechnetcomwsus

My contact informationhttpblogstechnetcommkleef

QampA

copy 2007 Microsoft Corporation All rights reserved Microsoft Windows Windows Vista and other product names are or may be registered trademarks andor trademarks in the US andor other countriesThe information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation Because Microsoft must respond to changing market

conditions it should not be interpreted to be a commitment on the part of Microsoft and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation MICROSOFT MAKES NO WARRANTIES EXPRESS IMPLIED OR STATUTORY AS TO THE INFORMATION IN THIS PRESENTATION

  • Deploying and Managing Microsoft Windows Server Update Services
  • Session Objectives and Agenda
  • WSUS 30 Goals
  • New WSUS 30 Features
  • Supported Platforms
  • Update Management - Basics
  • WSUS 30 Console
  • Update Compliance - Basics
  • WSUS 30 Reporting
  • Server Maintenance
  • Server Maintenance - Computers
  • Server Maintenance - Updates
  • Server Maintenance - Database
  • Backup and Defragmenting
  • Server Maintenance ndash Best Practices
  • Cleanup Wizard
  • Server Monitoring
  • Server Monitoring (2)
  • Server Troubleshooting
  • Lessons learned
  • Lessons learned (2)
  • Lessons learned (3)
  • Deployment Architectures
  • Single Server
  • Advanced Deployment Options
  • WSUS Hierarchies
  • Upgrade Scenarios
  • In-place Upgrade
  • Migration Upgrade
  • Upgrading a Hierarchy
  • Configuration Manager 2007
  • Software Update Management End-to-End
  • Summary
  • Resources
  • Slide 37
  • Slide 38
Page 7: Managing a WSUS 3.0 Deployment Take-aways for maintaining a WSUS 3.0 Server Deployment Architectures Migration from WSUS2 to WSUS3 Overview of WSUS3 deployment

DEMOWSUS 30 Console

Update Compliance - Basics

Rich Set of Deployment Status ReportsPer updateGroup of computerssingle computerBy approval type

Centralized ReportingUpdate deployment status across all servers in an organization (roll-up)Drilldown capabilities

Read-only report access through new ldquoReportersrdquo user roleProactive status through configurable E-Mail NotificationsExport reports to XLS or PDF

DEMOWSUS 30 Reporting

Server Maintenance

WSUS servers require very little ongoing maintenanceThree key areas

Client computersDynamic environments will need to manage computers appearing and disappearing

Update contentPurging of supersededexpireddeclined content

DatabaseBackup

Defragmentation of indexes

Server Maintenance - Computers

Why clean up clientsComputers enter and leave the environment due to repurposing or retirement

Stale computers will slow reporting increase DB size and add unneeded ldquonoiserdquo

Simplest approach is to use the Server Cleanup WizardWill remove computers that have not contacted the server in 30 days

API samples available for finer controlClean Stale Computers

Populate computers from AD

httpwwwmicrosoftcomtechnetwindowsserverwsusdefaultmspx

Server Maintenance - Updates

WhyUnapproving or Declining updates does not delete update content

Remove content for superseded updates that you no longer need

Reduce disk space requirements

From the UI unapprove superseded updates that are not needed by any computers

Run the Server Cleanup Wizard which will deleteMetadata for expired updates that havenrsquot been approved for 90 days

Old revisions of updates

Unneeded files for updates that are not in use on the server and are not needed by a Downstream Server

Decline expired updates that are unneeded and have been unapproved for at least 30 days

Server Maintenance - Database

Periodically defrag the DBHave a disaster recover plan

Many customers plan is to reinstallAlternative is to backup the server database

For the Windows Internal Database you will have to run a SQLCMD script to backup the database

Download the SQL Management Studio for easier management of the Windows Internal Database or SQL Express

Location of the WID backup windirSYSMSISSEEMSSQL2005MSSQLSchemaSigWSUSSignDb

Backup and Defragmenting

Backup Windows Internal Database

SQLCMD -S nppipeMSSQL$MICROSOFTSSEEsqlquery -E -Q ldquobackup database SUSDB to disk=rsquocsusdbbakrsquordquo

Index Defrag example

httpwwwmicrosoftcomtechnetscriptcenterscriptssusserversusvvb01mspxmfr=true

Server Maintenance ndash Best Practices

Run the Cleanup wizardPeriodically especially after rolling out a new SPAfter 20 -gt UpgradeComputers

Clean up from the bottom of your hierarchy to the top

UpdatesAlways start at the top of the hierarchy and work down

Content deletion does not replicate

Have a Disaster Recovery plan

DEMOCleanup Wizard

Server Monitoring

Use the MOM 2005 WSUS Management pack for advanced monitoring needs

Provides alerts and health information for the server Limited monitoring of individual client health

MonitorsDatabase health ndash 11000 Series eventsCore server component health ndash 10000 series events

Content sync agent -- 10030

Meta data sync agent -- 10020

E-mail -- 10050

Server Monitoring

Monitors contWeb service health ndash12000 series events

Reporting Web Service ndash 12000

API remoting Web Service ndash 12010

Client Web Service ndash 12020

Server Sync Web Service ndash 12030

SimpleAuth Web Service ndash 12040

DSS Auth Web Service -- 12050

Clients ndash 13000 series eventsAlerts if clients have a gt10 failure rate for updates --13001

Self update failures --13040

Server TroubleshootingServer reports

E-mail reports

Sync Reports

Computers and Updates reports

SoftwareDistributionlog

Change log

ClientsUpdate and Computer reports

Client WindowsUpdatelog

Custom Reporting from APIrsquos and client log collections

Use Server Diagnostics Tool to check the server

Lessons learnedCommon Client Issues

Client ldquoNot Yet ReportedrdquoTwo main issues

Self Update failing

Cant contact the server properly

Usually latency issue

Wuauclt detectnow

Rare cases require client reset

Automatic Update Agent not updatingPermissions on directory

Wrong port specified in GP

Versions less than 5437901000 indicates AU version 10 is installed

Lessons learnedProcess to check client

Run Client Diagnostics Toolhttptechnetmicrosoftcomen-uswsusbb466192aspx

Check WUAU version

Confirm ports in GP match the server itselfhttpwsusserver8530

Gpupdate force

Run a wuaucltexe detectnow and waithellipLook in the windowsupdatelog

Check for any errors

wuaucltexe resetauthorization detectnowWaithellip

Lessons learnedIf the client has lost the plothellip

Stop the Automatic Updates ServiceDelete the SoftwareDistribution DirectoryDelete the reg keys

Go to HKLMSOFTWAREMicrosoftWindowsCurrentVersionWin dowsUpdate

PingID

AccountDomainSid

SusClientId

Delete the client record in WSUSRestart the Automatic Updates ServicesWuauclt detectnowWait 20minshellipRecheck logs

Deployment Architectures

Common network architecturesbull Single serverbull Remote SQLbull BITS Peer Cachingbull NLBbull WSUS Hierarchiesbull Branch Office

Single Server

bull A single server can support up to 25k clientsbull Console-only install for remote administration (eg from

XP or Vista clients)bull Read-only WSUS access to non-admin members of the

ldquoWSUS Reportersrdquo group

bull Point machines to the server via Group Policybull No need to deploy clients the built-in WUA will ldquoself-

updaterdquo from the server on next syncbull Variety of WUA policies available including sync rate

(recommend twiceday) scheduled install (recommend daily for desktops) and reboot behavior (canrsquot postpone reboots indefinitely because itrsquos not safesupported)

bull Enable BITS peer-caching policy for efficient network use Internal MSFT deployment had 70 cache-hit rate

Advanced Deployment Options

bull SQL 2005 SP1bull WSUS3 has a unified front-endback-end setupbull No performance gain over built-indefault ldquoWindows

Internal Databaserdquo optionbull Each WSUS client requires a SQL CALbull Recommendation Use only if availableconvenient

bull NLBbull Provides redundancyno single-point of failure ndash not

scale upbull Multiple front-ends all point to the same SQL backend

and shared content folderbull Recommendation Use only if required since itrsquos easy to

just rebuild a failed WSUS server

WSUS Hierarchies

bull Used for scale-out or branch office supportbull Autonomous servers get update binaries and metadata

from parent ldquoupstreamrdquo server (USS)bull Replica children also get approvals from USS

bull New WSUS3 features for hierarchiesbull Reporting roll-up across replicasbull More granular sync schedule up to hourlybull Toggle replica modebull Downstream Server (DSS) can sync a subset of USS

language binariesbull DSS can get approvals from USS and binaries from MU

useful if DSS has broadband internet connection but only narrowband to USS

Upgrade Scenarios

From SUS1Not directly supported

Upgrading a single serverIn-place upgrade WSUS2-gtWSUS3 on a single serverMigration upgrade WSUS2-gtWSUS3 on different servers

Upgrading a server hierarchyConnected serversDisconnected servers

In-place Upgrade

Simply install WSUS3 on same server as WSUS2In-place upgrade preserves settings updates and approvalsCustomized IIS settings must be re-applied after the upgrade (port SSL host headers)Clients ldquoself-updaterdquo next time they sync

Watch outUninstalling WSUS3 will not bring back WSUS2If using SQL 2000 setup will fail use migration upgradeIf using remote SQL 2005 need to first uninstall the backend (leave DB behind) then upgrade

Because WSUS3 has unified frontendbackend setup

Migration Upgrade

Install WSUS3 on a new serverMigrate updates and approvalsbull Exportimport content folder via ntbackupbull Sync the WSUS3 server to get the latest metadatabull Exportimport approvals and target groups via

WsusMigrate SDK sample

Point clients to the new serverChange GPO to point clients to the new serverportClients will ldquoself-updaterdquo next time they sync

Upgrading a Hierarchy

Upgrade must be performed top-downWSUS 20 Servers can synchronize updates from a 30 Server (but not vice versa)

Watch-outDSS must be WSUS2 SP1 or have KB910847 installed (else replica sync may fail after USS upgrade)

Post-upgrade take advantage of new WSUS3 deployment options

Reporting rollup (on by default)DSS can sync a subset of languageDSS sync from MU but host locally (for narrowband connections to USS)Can synch more frequently

Configuration Manager 2007Software Update Management (SUM) built on WSUS 3

Full Microsoft update catalog

Can also manage non-Microsoft software updatesIncluded as Managed Server role in site hierarchy

Full benefits of site management Binary Delta Replication etc

No need to configuremanage WSUS directly

Software Update Management End-to-End

SUM Admin UI

4 Scan results are stored in

WMI

8 Admin UI is used to deploy

updates

13 Updates are automatically installed on schedule or directly

by end user

Client UI

1 WSUS gets Update

Metadata Catalog from MU

2 WSUS syncs Metadata

Catalog with Site Server

3 WUA scans client for missing updates against WSUS server


Update Compliance - Basics

• Rich set of deployment status reports
    • Per update
    • Group of computers/single computer
    • By approval type
• Centralized reporting
    • Update deployment status across all servers in an organization (roll-up)
    • Drilldown capabilities
• Read-only report access through new "Reporters" user role
• Proactive status through configurable e-mail notifications
• Export reports to XLS or PDF

DEMO: WSUS 3.0 Reporting

Server Maintenance

• WSUS servers require very little ongoing maintenance
• Three key areas
    • Client computers
        • Dynamic environments will need to manage computers appearing and disappearing
    • Update content
        • Purging of superseded/expired/declined content
    • Database
        • Backup
        • Defragmentation of indexes

Server Maintenance - Computers

• Why clean up clients?
    • Computers enter and leave the environment due to repurposing or retirement
    • Stale computers will slow reporting, increase DB size and add unneeded "noise"
• Simplest approach is to use the Server Cleanup Wizard
    • Will remove computers that have not contacted the server in 30 days
• API samples available for finer control
    • Clean Stale Computers
    • Populate computers from AD
    • http://www.microsoft.com/technet/windowsserver/wsus/default.mspx
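A sketch of the "finer control" the slide refers to, written for this page as an added example and not taken from the Microsoft API samples: it reports WSUS computer records whose last sync is older than a cutoff and deletes them only when asked. The function name and parameters are hypothetical; it assumes it runs on the WSUS 3.0 server under an account in WSUS Administrators.

```powershell
# Added example, not part of the original presentation.
# Assumption: a computer that has never synced reports LastSyncTime = DateTime.MinValue.
function Get-StaleWsusComputer {
    param(
        [int]$Days = 30,                 # same threshold the Server Cleanup Wizard uses
        [switch]$IncludeNeverSynced,     # also list records that have never contacted the server
        [switch]$Delete                  # without this switch the function only reports
    )

    # Load the WSUS administration API that ships with the server and console
    [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

    # WSUS stores timestamps in UTC, so compare against a UTC cutoff
    $cutoff = [DateTime]::UtcNow.AddDays(-$Days)

    foreach ($computer in $wsus.GetComputerTargets()) {
        $never = ($computer.LastSyncTime -eq [DateTime]::MinValue)

        # Records pre-created but never seen (for example populated from AD) are
        # skipped by default so that new machines are not removed before first contact.
        if ($never -and -not $IncludeNeverSynced) { continue }
        if (-not $never -and $computer.LastSyncTime -ge $cutoff) { continue }

        # Emit one row per stale record so the result can be reviewed or exported
        $computer | Select-Object FullDomainName, LastSyncTime, LastReportedStatusTime,
            @{ Name = 'NeverSynced'; Expression = { $never } },
            @{ Name = 'Deleted';     Expression = { $Delete.IsPresent } }

        if ($Delete) { $computer.Delete() }
    }
}

# Review first; rerun with -Delete once the list looks right.
Get-StaleWsusComputer -Days 30 | Format-Table -AutoSize
```

In a hierarchy, run it on the downstream servers before the upstream server, matching the bottom-to-top order the Best Practices slide gives for computer cleanup.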

Server Maintenance - Updates

• Why?
    • Unapproving or declining updates does not delete update content
    • Remove content for superseded updates that you no longer need
    • Reduce disk space requirements
• From the UI, unapprove superseded updates that are not needed by any computers
• Run the Server Cleanup Wizard, which will
    • Delete
        • Metadata for expired updates that haven't been approved for 90 days
        • Old revisions of updates
        • Unneeded files for updates that are not in use on the server and are not needed by a Downstream Server
    • Decline expired updates that are unneeded and have been unapproved for at least 30 days

Server Maintenance - Database

• Periodically defrag the DB
• Have a disaster recovery plan
    • Many customers' plan is to reinstall
    • Alternative is to back up the server database
        • For the Windows Internal Database you will have to run a SQLCMD script to back up the database
        • Download the SQL Management Studio for easier management of the Windows Internal Database or SQL Express
        • Location of the WID backup: %windir%\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig\WSUSSignDb

Backup and Defragmenting

Backup Windows Internal Database

SQLCMD -S np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query -E -Q "backup database SUSDB to disk='c:\susdb.bak'"

Index Defrag example

http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true

Server Maintenance – Best Practices

• Run the Cleanup Wizard
    • Periodically, especially after rolling out a new SP
    • After 2.0 -> Upgrade
• Computers
    • Clean up from the bottom of your hierarchy to the top
• Updates
    • Always start at the top of the hierarchy and work down
    • Content deletion does not replicate
• Have a Disaster Recovery plan

DEMO: Cleanup Wizard

Server Monitoring

• Use the MOM 2005 WSUS Management Pack for advanced monitoring needs
    • Provides alerts and health information for the server
    • Limited monitoring of individual client health
• Monitors
    • Database health – 11000 series events
    • Core server component health – 10000 series events
        • Content sync agent – 10030
        • Metadata sync agent – 10020
        • E-mail – 10050

Server Monitoring

• Monitors (cont.)
    • Web service health – 12000 series events
        • Reporting Web Service – 12000
        • API Remoting Web Service – 12010
        • Client Web Service – 12020
        • Server Sync Web Service – 12030
        • SimpleAuth Web Service – 12040
        • DSS Auth Web Service – 12050
    • Clients – 13000 series events
        • Alerts if clients have a >10% failure rate for updates – 13001
        • Self-update failures – 13040

Server Troubleshooting

• Server reports
    • E-mail reports
    • Sync reports
    • Computers and Updates reports
    • SoftwareDistribution.log
    • Change log
• Clients
    • Update and Computer reports
    • Client WindowsUpdate.log
• Custom reporting from APIs and client log collections
• Use Server Diagnostics Tool to check the server

Lessons learned: Common Client Issues

• Client "Not Yet Reported"
    • Two main issues
        • Self-update failing
        • Can't contact the server properly
    • Usually latency issue
        • wuauclt /detectnow
    • Rare cases require client reset
• Automatic Update Agent not updating
    • Permissions on directory
    • Wrong port specified in GP
    • Versions less than 5.4.3790.1000 indicate AU version 1.0 is installed

Lessons learned: Process to check client

• Run Client Diagnostics Tool
    • http://technet.microsoft.com/en-us/wsus/bb466192.aspx
• Check WUAU version
• Confirm ports in GP match the server itself
    • http://wsusserver:8530
• gpupdate /force
• Run wuauclt.exe /detectnow and wait…
    • Look in the WindowsUpdate.log
    • Check for any errors
• wuauclt.exe /resetauthorization /detectnow
    • Wait…

Lessons learned: If the client has lost the plot…

• Stop the Automatic Updates service
• Delete the SoftwareDistribution directory
• Delete the reg keys
    • Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
        • PingID
        • AccountDomainSid
        • SusClientId
• Delete the client record in WSUS
• Restart the Automatic Updates service
• wuauclt /detectnow
• Wait 20 mins…
• Recheck logs
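The client-side part of the reset steps above as one script, added here as an example and not part of the original presentation. It assumes an elevated prompt on the affected client, the standard service name wuauserv and the standard %windir%\SoftwareDistribution location; the function names are hypothetical. It archives the SoftwareDistribution directory by renaming it where the slide says delete, so the old logs stay available for troubleshooting.

```powershell
# Added example, not part of the original presentation.
function Reset-WsusClient {
    param([switch]$Confirmed)   # nothing is changed unless -Confirmed is passed

    $regPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
    $idValues = 'PingID', 'AccountDomainSid', 'SusClientId'
    $sdDir    = Join-Path $env:windir 'SoftwareDistribution'

    # Capture the current identity first: it identifies the record to delete in WSUS
    $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    $oldId = $null
    if ($props) { $oldId = $props.SusClientId }

    if (-not $Confirmed) {
        Write-Output "Dry run: would stop wuauserv, archive $sdDir and remove $($idValues -join ', ')."
        Write-Output "Current SusClientId: $oldId"
        return
    }

    # 1. Stop the Automatic Updates service so its files and datastore are released
    Stop-Service -Name wuauserv -Force

    # 2. Slide: delete the SoftwareDistribution directory. Renamed here instead
    #    (a deliberate departure) so the previous download history and logs survive.
    if (Test-Path $sdDir) {
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        Rename-Item -Path $sdDir -NewName "SoftwareDistribution.old-$stamp"
    }

    # 3. Remove the three identity values named on the slide; absent values are ignored
    foreach ($name in $idValues) {
        Remove-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue
    }

    # 4. The client record is deleted on the WSUS server, not from this script
    Write-Output "Delete the WSUS computer record for SusClientId $oldId on the server."

    # 5. Restart the service and trigger detection, as on the slide
    Start-Service -Name wuauserv
    & (Join-Path $env:windir 'system32\wuauclt.exe') /detectnow
    Write-Output 'Detection requested. Wait about 20 minutes, then run Get-WuLogProblem.'
}

# "Recheck logs": return the most recent warning and fatal lines from the client log
function Get-WuLogProblem {
    param([int]$Last = 20)

    $log = Join-Path $env:windir 'WindowsUpdate.log'
    Select-String -Path $log -Pattern 'WARNING:|FATAL:' |
        Select-Object -Last $Last |
        ForEach-Object { $_.Line }
}

# Review what would happen, then rerun with -Confirmed.
Reset-WsusClient
```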

Deployment Architectures

Common network architectures
• Single server
• Remote SQL
• BITS Peer Caching
• NLB
• WSUS Hierarchies
• Branch Office

Single Server

• A single server can support up to 25k clients
    • Console-only install for remote administration (e.g. from XP or Vista clients)
    • Read-only WSUS access to non-admin members of the "WSUS Reporters" group
• Point machines to the server via Group Policy
    • No need to deploy clients; the built-in WUA will "self-update" from the server on next sync
    • Variety of WUA policies available, including sync rate (recommend twice/day), scheduled install (recommend daily for desktops) and reboot behavior (can't postpone reboots indefinitely because it's not safe/supported)
• Enable BITS peer-caching policy for efficient network use. Internal MSFT deployment had 70% cache-hit rate

Advanced Deployment Options

• SQL 2005 SP1
    • WSUS3 has a unified front-end/back-end setup
    • No performance gain over built-in/default "Windows Internal Database" option
    • Each WSUS client requires a SQL CAL
    • Recommendation: Use only if available/convenient
• NLB
    • Provides redundancy/no single point of failure – not scale up
    • Multiple front-ends all point to the same SQL backend and shared content folder
    • Recommendation: Use only if required, since it's easy to just rebuild a failed WSUS server

WSUS Hierarchies

• Used for scale-out or branch office support
    • Autonomous servers get update binaries and metadata from parent "upstream" server (USS)
    • Replica children also get approvals from USS
• New WSUS3 features for hierarchies
    • Reporting roll-up across replicas
    • More granular sync schedule, up to hourly
    • Toggle replica mode
    • Downstream Server (DSS) can sync a subset of USS language binaries
    • DSS can get approvals from USS and binaries from MU; useful if DSS has broadband internet connection but only narrowband to USS

Upgrade Scenarios

• From SUS1
    • Not directly supported
• Upgrading a single server
    • In-place upgrade: WSUS2->WSUS3 on a single server
    • Migration upgrade: WSUS2->WSUS3 on different servers
• Upgrading a server hierarchy
    • Connected servers
    • Disconnected servers

In-place Upgrade

• Simply install WSUS3 on same server as WSUS2
• In-place upgrade preserves settings, updates and approvals
• Customized IIS settings must be re-applied after the upgrade (port, SSL, host headers)
• Clients "self-update" next time they sync
• Watch out
    • Uninstalling WSUS3 will not bring back WSUS2
    • If using SQL 2000, setup will fail; use migration upgrade
    • If using remote SQL 2005, need to first uninstall the backend (leave DB behind), then upgrade
        • Because WSUS3 has unified frontend/backend setup

Migration Upgrade

• Install WSUS3 on a new server
• Migrate updates and approvals
    • Export/import content folder via ntbackup
    • Sync the WSUS3 server to get the latest metadata
    • Export/import approvals and target groups via WsusMigrate SDK sample
• Point clients to the new server
    • Change GPO to point clients to the new server/port
    • Clients will "self-update" next time they sync

Upgrading a Hierarchy

• Upgrade must be performed top-down
    • WSUS 2.0 servers can synchronize updates from a 3.0 server (but not vice versa)
• Watch out
    • DSS must be WSUS2 SP1 or have KB910847 installed (else replica sync may fail after USS upgrade)
• Post-upgrade, take advantage of new WSUS3 deployment options
    • Reporting rollup (on by default)
    • DSS can sync a subset of languages
    • DSS sync from MU but host locally (for narrowband connections to USS)
    • Can sync more frequently

Configuration Manager 2007

• Software Update Management (SUM) built on WSUS 3
    • Full Microsoft update catalog
    • Can also manage non-Microsoft software updates
• Included as Managed Server role in site hierarchy
    • Full benefits of site management, Binary Delta Replication, etc.
    • No need to configure/manage WSUS directly

Software Update Management End-to-End

[Diagram labels: SUM Admin UI, Client UI. Numbered steps of the flow:]

1. WSUS gets Update Metadata Catalog from MU
2. WSUS syncs Metadata Catalog with Site Server
3. WUA scans client for missing updates against WSUS server
4. Scan results are stored in WMI
5. Compliance State messages are sent to MP
6. Compliance State messages are sent to DB
7. Compliance reports show aggregated scan results
8. Admin UI is used to deploy updates
9. Binaries are downloaded from MU
10. Updates are placed in a Deployment Package on Distribution Point
11. Client gets policy for deployment
12. Client gets update binaries from deployment package and stores them in cache on client
13. Updates are automatically installed on schedule or directly by end user
14. Enforcement State messages are sent to MP
15. Enforcement State messages are sent to DB
16. Deployment reports show aggregated enforcement results

Summary

• WSUS 3.0 requires very little maintenance
• A little bit of love will help your server run more happily

Resources

• Technical Communities, Webcasts, Blogs, Chats & User Groups
  http://www.microsoft.com/communities/default.mspx
• Microsoft Developer Network (MSDN) & TechNet
  http://microsoft.com/msdn
  http://microsoft.com/technet
  http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true
• Trial Software and Virtual Labs
  http://www.microsoft.com/technet/downloads/trials/default.mspx
• Microsoft Learning and Certification
  http://www.microsoft.com/learning/default.mspx
• Microsoft.Public.Windows.Server.Update_Services
  http://blogs.technet.com/wsus
• My contact information
  http://blogs.technet.com/mkleef

Q&A

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


Server Maintenance

WSUS servers require very little ongoing maintenanceThree key areas

Client computersDynamic environments will need to manage computers appearing and disappearing

Update contentPurging of supersededexpireddeclined content

DatabaseBackup

Defragmentation of indexes

Server Maintenance - Computers

Why clean up clientsComputers enter and leave the environment due to repurposing or retirement

Stale computers will slow reporting increase DB size and add unneeded ldquonoiserdquo

Simplest approach is to use the Server Cleanup WizardWill remove computers that have not contacted the server in 30 days

API samples available for finer controlClean Stale Computers

Populate computers from AD

httpwwwmicrosoftcomtechnetwindowsserverwsusdefaultmspx

Server Maintenance - Updates

WhyUnapproving or Declining updates does not delete update content

Remove content for superseded updates that you no longer need

Reduce disk space requirements

From the UI unapprove superseded updates that are not needed by any computers

Run the Server Cleanup Wizard which will deleteMetadata for expired updates that havenrsquot been approved for 90 days

Old revisions of updates

Unneeded files for updates that are not in use on the server and are not needed by a Downstream Server

Decline expired updates that are unneeded and have been unapproved for at least 30 days

Server Maintenance - Database

Periodically defrag the DBHave a disaster recover plan

Many customers plan is to reinstallAlternative is to backup the server database

For the Windows Internal Database you will have to run a SQLCMD script to backup the database

Download the SQL Management Studio for easier management of the Windows Internal Database or SQL Express

Location of the WID backup windirSYSMSISSEEMSSQL2005MSSQLSchemaSigWSUSSignDb

Backup and Defragmenting

Backup Windows Internal Database

SQLCMD -S nppipeMSSQL$MICROSOFTSSEEsqlquery -E -Q ldquobackup database SUSDB to disk=rsquocsusdbbakrsquordquo

Index Defrag example

httpwwwmicrosoftcomtechnetscriptcenterscriptssusserversusvvb01mspxmfr=true

Server Maintenance ndash Best Practices

Run the Cleanup wizardPeriodically especially after rolling out a new SPAfter 20 -gt UpgradeComputers

Clean up from the bottom of your hierarchy to the top

UpdatesAlways start at the top of the hierarchy and work down

Content deletion does not replicate

Have a Disaster Recovery plan

DEMOCleanup Wizard

Server Monitoring

Use the MOM 2005 WSUS Management pack for advanced monitoring needs

Provides alerts and health information for the server Limited monitoring of individual client health

MonitorsDatabase health ndash 11000 Series eventsCore server component health ndash 10000 series events

Content sync agent -- 10030

Meta data sync agent -- 10020

E-mail -- 10050

Server Monitoring

Monitors contWeb service health ndash12000 series events

Reporting Web Service ndash 12000

API remoting Web Service ndash 12010

Client Web Service ndash 12020

Server Sync Web Service ndash 12030

SimpleAuth Web Service ndash 12040

DSS Auth Web Service -- 12050

Clients ndash 13000 series eventsAlerts if clients have a gt10 failure rate for updates --13001

Self update failures --13040

Server TroubleshootingServer reports

E-mail reports

Sync Reports

Computers and Updates reports

SoftwareDistributionlog

Change log

ClientsUpdate and Computer reports

Client WindowsUpdatelog

Custom Reporting from APIrsquos and client log collections

Use Server Diagnostics Tool to check the server

Lessons learnedCommon Client Issues

Client ldquoNot Yet ReportedrdquoTwo main issues

Self Update failing

Cant contact the server properly

Usually latency issue

Wuauclt detectnow

Rare cases require client reset

Automatic Update Agent not updatingPermissions on directory

Wrong port specified in GP

Versions less than 5437901000 indicates AU version 10 is installed

Lessons learnedProcess to check client

Run Client Diagnostics Toolhttptechnetmicrosoftcomen-uswsusbb466192aspx

Check WUAU version

Confirm ports in GP match the server itselfhttpwsusserver8530

Gpupdate force

Run a wuaucltexe detectnow and waithellipLook in the windowsupdatelog

Check for any errors

wuaucltexe resetauthorization detectnowWaithellip

Lessons learnedIf the client has lost the plothellip

Stop the Automatic Updates ServiceDelete the SoftwareDistribution DirectoryDelete the reg keys

Go to HKLMSOFTWAREMicrosoftWindowsCurrentVersionWin dowsUpdate

PingID

AccountDomainSid

SusClientId

Delete the client record in WSUSRestart the Automatic Updates ServicesWuauclt detectnowWait 20minshellipRecheck logs

Deployment Architectures

Common network architecturesbull Single serverbull Remote SQLbull BITS Peer Cachingbull NLBbull WSUS Hierarchiesbull Branch Office

Single Server

bull A single server can support up to 25k clientsbull Console-only install for remote administration (eg from

XP or Vista clients)bull Read-only WSUS access to non-admin members of the

ldquoWSUS Reportersrdquo group

bull Point machines to the server via Group Policybull No need to deploy clients the built-in WUA will ldquoself-

updaterdquo from the server on next syncbull Variety of WUA policies available including sync rate

(recommend twiceday) scheduled install (recommend daily for desktops) and reboot behavior (canrsquot postpone reboots indefinitely because itrsquos not safesupported)

bull Enable BITS peer-caching policy for efficient network use Internal MSFT deployment had 70 cache-hit rate

Advanced Deployment Options

bull SQL 2005 SP1bull WSUS3 has a unified front-endback-end setupbull No performance gain over built-indefault ldquoWindows

Internal Databaserdquo optionbull Each WSUS client requires a SQL CALbull Recommendation Use only if availableconvenient

bull NLBbull Provides redundancyno single-point of failure ndash not

scale upbull Multiple front-ends all point to the same SQL backend

and shared content folderbull Recommendation Use only if required since itrsquos easy to

just rebuild a failed WSUS server

WSUS Hierarchies

bull Used for scale-out or branch office supportbull Autonomous servers get update binaries and metadata

from parent ldquoupstreamrdquo server (USS)bull Replica children also get approvals from USS

bull New WSUS3 features for hierarchiesbull Reporting roll-up across replicasbull More granular sync schedule up to hourlybull Toggle replica modebull Downstream Server (DSS) can sync a subset of USS

language binariesbull DSS can get approvals from USS and binaries from MU

useful if DSS has broadband internet connection but only narrowband to USS

Upgrade Scenarios

• From SUS1
  • Not directly supported
• Upgrading a single server
  • In-place upgrade: WSUS2 -> WSUS3 on a single server
  • Migration upgrade: WSUS2 -> WSUS3 on different servers
• Upgrading a server hierarchy
  • Connected servers
  • Disconnected servers

In-place Upgrade

• Simply install WSUS3 on same server as WSUS2
  • In-place upgrade preserves settings, updates and approvals
  • Customized IIS settings must be re-applied after the upgrade (port, SSL, host headers)
  • Clients "self-update" next time they sync
• Watch out
  • Uninstalling WSUS3 will not bring back WSUS2
  • If using SQL 2000, setup will fail; use migration upgrade
  • If using remote SQL 2005, need to first uninstall the backend (leave DB behind), then upgrade, because WSUS3 has unified frontend/backend setup

Migration Upgrade

• Install WSUS3 on a new server
• Migrate updates and approvals
  • Export/import content folder via ntbackup
  • Sync the WSUS3 server to get the latest metadata
  • Export/import approvals and target groups via WsusMigrate SDK sample
• Point clients to the new server
  • Change GPO to point clients to the new server/port
  • Clients will "self-update" next time they sync

Upgrading a Hierarchy

• Upgrade must be performed top-down
  • WSUS 2.0 Servers can synchronize updates from a 3.0 Server (but not vice versa)
• Watch-out
  • DSS must be WSUS2 SP1 or have KB910847 installed (else replica sync may fail after USS upgrade)
• Post-upgrade, take advantage of new WSUS3 deployment options
  • Reporting rollup (on by default)
  • DSS can sync a subset of language
  • DSS sync from MU but host locally (for narrowband connections to USS)
  • Can synch more frequently

Configuration Manager 2007

• Software Update Management (SUM) built on WSUS 3
  • Full Microsoft update catalog
  • Can also manage non-Microsoft software updates
• Included as Managed Server role in site hierarchy
  • Full benefits of site management, Binary Delta Replication etc.
  • No need to configure/manage WSUS directly

Software Update Management End-to-End

Diagram components: SUM Admin UI, Client UI

1. WSUS gets Update Metadata Catalog from MU
2. WSUS syncs Metadata Catalog with Site Server
3. WUA scans client for missing updates against WSUS server
4. Scan results are stored in WMI
5. Compliance State messages are sent to MP
6. Compliance State messages are sent to DB
7. Compliance reports show aggregated scan results
8. Admin UI is used to deploy updates
9. Binaries are downloaded from MU
10. Updates are placed in a Deployment Package on Distribution Point
11. Client gets policy for deployment
12. Client gets update binaries from deployment package and stores them in cache on client
13. Updates are automatically installed on schedule or directly by end user
14. Enforcement State messages are sent to MP
15. Enforcement State messages are sent to DB
16. Deployment reports show aggregated enforcement results

Summary

• WSUS 3.0 requires very little maintenance
• A little bit of love will help your server run more happily

Resources

• Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx
• Microsoft Developer Network (MSDN) & TechNet: http://microsoft.com/msdn, http://microsoft.com/technet, http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true
• Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx
• Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
• Microsoft.Public.Windows.Server.Update_Services, http://blogs.technet.com/wsus
• My contact information: http://blogs.technet.com/mkleef

Q&A

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


Server Maintenance - Computers

• Why clean up clients
  • Computers enter and leave the environment due to repurposing or retirement
  • Stale computers will slow reporting, increase DB size and add unneeded "noise"
• Simplest approach is to use the Server Cleanup Wizard
  • Will remove computers that have not contacted the server in 30 days
• API samples available for finer control
  • Clean Stale Computers
  • Populate computers from AD
  • http://www.microsoft.com/technet/windowsserver/wsus/default.mspx

Server Maintenance - Updates

• Why
  • Unapproving or Declining updates does not delete update content
  • Remove content for superseded updates that you no longer need
  • Reduce disk space requirements
• From the UI, unapprove superseded updates that are not needed by any computers
• Run the Server Cleanup Wizard, which will delete
  • Metadata for expired updates that haven't been approved for 90 days
  • Old revisions of updates
  • Unneeded files for updates that are not in use on the server and are not needed by a Downstream Server
• Decline expired updates that are unneeded and have been unapproved for at least 30 days

Server Maintenance - Database

• Periodically defrag the DB
• Have a disaster recovery plan
  • Many customers' plan is to reinstall
  • Alternative is to back up the server database
  • For the Windows Internal Database you will have to run a SQLCMD script to back up the database
  • Download the SQL Management Studio for easier management of the Windows Internal Database or SQL Express
  • Location of the WID backup: %windir%\SYSMSI\SSEE\MSSQL.2005\MSSQL\SchemaSig\WSUSSignDb

Backup and Defragmenting

• Backup Windows Internal Database
  SQLCMD -S np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query -E -Q "backup database SUSDB to disk='c:\susdb.bak'"
• Index Defrag example
  http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true

Server Maintenance – Best Practices

• Run the Cleanup wizard
  • Periodically, especially after rolling out a new SP
  • After 2.0 -> Upgrade
• Computers
  • Clean up from the bottom of your hierarchy to the top
• Updates
  • Always start at the top of the hierarchy and work down
  • Content deletion does not replicate
• Have a Disaster Recovery plan

DEMO: Cleanup Wizard

Server Monitoring

• Use the MOM 2005 WSUS Management pack for advanced monitoring needs
  • Provides alerts and health information for the server
  • Limited monitoring of individual client health
• Monitors
  • Database health – 11000 series events
  • Core server component health – 10000 series events
    • Content sync agent -- 10030
    • Meta data sync agent -- 10020
    • E-mail -- 10050

Server Monitoring

• Monitors (cont.)
  • Web service health – 12000 series events
    • Reporting Web Service – 12000
    • API remoting Web Service – 12010
    • Client Web Service – 12020
    • Server Sync Web Service – 12030
    • SimpleAuth Web Service – 12040
    • DSS Auth Web Service -- 12050
  • Clients – 13000 series events
    • Alerts if clients have a >10% failure rate for updates -- 13001
    • Self update failures -- 13040

Server Troubleshooting

• Server reports
  • E-mail reports
  • Sync Reports
  • Computers and Updates reports
  • SoftwareDistribution.log
  • Change log
• Clients
  • Update and Computer reports
  • Client WindowsUpdate.log
• Custom Reporting from APIs and client log collections
• Use Server Diagnostics Tool to check the server

Lessons learned

Common Client Issues

• Client "Not Yet Reported"
  • Two main issues
    • Self Update failing
    • Can't contact the server properly
  • Usually latency issue
    • Wuauclt /detectnow
  • Rare cases require client reset
• Automatic Update Agent not updating
  • Permissions on directory
  • Wrong port specified in GP
  • Versions less than 5.4.3790.1000 indicates AU version 1.0 is installed

Lessons learned

Process to check client

• Run Client Diagnostics Tool
  • http://technet.microsoft.com/en-us/wsus/bb466192.aspx
• Check WUAU version
• Confirm ports in GP match the server itself
  • http://wsusserver:8530
• Gpupdate /force
• Run a wuauclt.exe /detectnow and wait…
  • Look in the windowsupdate.log
  • Check for any errors
• wuauclt.exe /resetauthorization /detectnow
  • Wait…
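The version, Group Policy port and log checks from this slide, written out in PowerShell as an added example (it is not code from the presentation). The policy key path, the `WUServer`/`WUStatusServer` value names, `wuaueng.dll` as the file to version-check, the `%windir%\WindowsUpdate.log` location, the log search pattern and the function name `Test-WsusClientConfig` are assumptions that do not appear on the slides.

```powershell
# Added example (not from the presentation): client checks from the slide.
param(
    [string]$ExpectedServer = 'http://wsusserver:8530'   # placeholder URL shown on the slide
)

# Threshold from the slide: anything lower means AU version 1.0 is installed.
$MinAgentVersion = [version]'5.4.3790.1000'
# Assumption: Group Policy writes the WSUS URLs under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-WsusClientConfig {
    # Compares the agent version and the policy URLs with the expected server.
    # Returns an array of findings; an empty array means every check passed.
    param(
        [version]$AgentVersion,
        [string]$WUServer,
        [string]$WUStatusServer,
        [string]$ExpectedServer
    )
    $findings = @()
    if ($AgentVersion -lt $MinAgentVersion) {
        $findings += "Agent $AgentVersion is below $MinAgentVersion, so self-update has not happened"
    }
    $expected = [uri]$ExpectedServer
    $policy = @{ WUServer = $WUServer; WUStatusServer = $WUStatusServer }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = $policy[$name]
        $actual = $null
        if ([string]::IsNullOrEmpty($value)) {
            $findings += "$name is not set by Group Policy"
        }
        elseif (-not [uri]::TryCreate($value, [System.UriKind]::Absolute, [ref]$actual)) {
            $findings += "$name '$value' is not a valid URL"
        }
        elseif ($actual.Host -ne $expected.Host -or $actual.Port -ne $expected.Port -or
                $actual.Scheme -ne $expected.Scheme) {
            # A URL without an explicit port resolves to 80/443, the usual "wrong port" case.
            $findings += "$name '$value' does not match $ExpectedServer (check scheme, host, port)"
        }
    }
    return ,$findings
}

# Constructed case: policy omits the port (so 80) while the server listens on 8530.
$demo = Test-WsusClientConfig -AgentVersion '5.8.0.2469' -WUServer 'http://wsusserver' `
    -WUStatusServer 'http://wsusserver' -ExpectedServer 'http://wsusserver:8530'
$demo | ForEach-Object { Write-Output "[constructed sample] $_" }

# Live checks, run only where a Windows directory exists.
if ($env:windir) {
    $vi = (Get-Item (Join-Path $env:windir 'System32\wuaueng.dll')).VersionInfo
    $agent = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                       $vi.FileBuildPart, $vi.FilePrivatePart)
    $gp = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    Test-WsusClientConfig -AgentVersion $agent -WUServer $gp.WUServer `
        -WUStatusServer $gp.WUStatusServer -ExpectedServer $ExpectedServer

    # Is the port named in the expected URL reachable from this client?
    $u = [uri]$ExpectedServer
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($u.Host, $u.Port); "Reached $($u.Host) on port $($u.Port)" }
    catch { "Cannot reach $($u.Host) on port $($u.Port)" }
    finally { $tcp.Close() }

    # "Look in the windowsupdate.log, check for any errors" (pattern is an assumption).
    $log = Join-Path $env:windir 'WindowsUpdate.log'
    if (Test-Path $log) {
        Select-String -Path $log -Pattern 'WARNING|FATAL' | Select-Object -Last 20
    }
}
```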

Lessons learned

If the client has lost the plot…

• Stop the Automatic Updates Service
• Delete the SoftwareDistribution Directory
• Delete the reg keys
  • Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
    • PingID
    • AccountDomainSid
    • SusClientId
• Delete the client record in WSUS
• Restart the Automatic Updates Services
• Wuauclt /detectnow
• Wait 20mins…
• Recheck logs
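The reset sequence above as a PowerShell script that supports `-WhatIf` for a dry run; this is an added example, not code from the presentation. The service name `wuauserv` and the `%windir%\SoftwareDistribution` location are assumptions not stated on the slide; the registry key and value names are the ones the slide lists.

```powershell
# Added example (not from the presentation): client reset in slide order.
# Run elevated. Use -WhatIf first to see what would be changed.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$ErrorActionPreference = 'Stop'
$service = 'wuauserv'                                    # assumption: Automatic Updates service name
$sdPath  = Join-Path $env:windir 'SoftwareDistribution'  # assumption: default location
$wuKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$idNames = 'PingID', 'AccountDomainSid', 'SusClientId'   # values named on the slide

# 1. Stop the Automatic Updates service and wait until it has really stopped,
#    otherwise files in SoftwareDistribution stay locked.
if ($PSCmdlet.ShouldProcess($service, 'Stop service')) {
    Stop-Service -Name $service -Force
    (Get-Service -Name $service).WaitForStatus('Stopped', [timespan]::FromSeconds(60))
}

# 2. Delete the SoftwareDistribution directory (the service recreates it on start).
if ((Test-Path $sdPath) -and $PSCmdlet.ShouldProcess($sdPath, 'Delete directory')) {
    Remove-Item -Path $sdPath -Recurse -Force
}

# 3. Delete the client identity values, touching only those that exist.
if (Test-Path $wuKey) {
    $present = (Get-Item -Path $wuKey).Property
    foreach ($name in $idNames) {
        if (($present -contains $name) -and
            $PSCmdlet.ShouldProcess("$wuKey\$name", 'Delete registry value')) {
            Remove-ItemProperty -Path $wuKey -Name $name
        }
    }
}

# 4. Server side, done by hand: delete the client record in the WSUS console
#    before the client reports in again.

# 5. Restart the service and trigger detection.
if ($PSCmdlet.ShouldProcess($service, 'Start service and run wuauclt /detectnow')) {
    Start-Service -Name $service
    & (Join-Path $env:windir 'System32\wuauclt.exe') /detectnow
    Write-Output 'Detection triggered. Wait about 20 minutes, then recheck WindowsUpdate.log.'
}
```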

Deployment Architectures

Common network architectures
• Single server
• Remote SQL
• BITS Peer Caching
• NLB
• WSUS Hierarchies
• Branch Office




Migration Upgrade

Install WSUS3 on a new serverMigrate updates and approvalsbull Exportimport content folder via ntbackupbull Sync the WSUS3 server to get the latest metadatabull Exportimport approvals and target groups via

WsusMigrate SDK sample

Point clients to the new serverChange GPO to point clients to the new serverportClients will ldquoself-updaterdquo next time they sync

Upgrading a Hierarchy

Upgrade must be performed top-downWSUS 20 Servers can synchronize updates from a 30 Server (but not vice versa)

Watch-outDSS must be WSUS2 SP1 or have KB910847 installed (else replica sync may fail after USS upgrade)

Post-upgrade take advantage of new WSUS3 deployment options

Reporting rollup (on by default)DSS can sync a subset of languageDSS sync from MU but host locally (for narrowband connections to USS)Can synch more frequently

Configuration Manager 2007Software Update Management (SUM) built on WSUS 3

Full Microsoft update catalog

Can also manage non-Microsoft software updatesIncluded as Managed Server role in site hierarchy

Full benefits of site management Binary Delta Replication etc

No need to configuremanage WSUS directly

Software Update Management End-to-End

SUM Admin UI

4 Scan results are stored in

WMI

8 Admin UI is used to deploy

updates

13 Updates are automatically installed on schedule or directly

by end user

Client UI

1 WSUS gets Update

Metadata Catalog from MU

2 WSUS syncs Metadata

Catalog with Site Server

3 WUA scans client for missing updates against WSUS server

7 Compliance reports show aggregated scan results

16 Deployment reports show aggregated enforcement

results

9 Binaries are downloaded

from MU

10 Updates are placed in a Deployment Package on Distribution

Point

11 Client gets policy for

deployment

14 Enforcement State messages are sent to MP

5 Compliance State messages are sent to MP

12 Client gets update binaries

from deployment package and

stores them in cache on client

15 Enforcement State messages are sent to DB

6 Compliance State messages are sent to DB

Summary

WSUS 30 requires very little maintenanceA little bit of love will help your server run more happily

Resources

Technical Communities Webcasts Blogs Chats amp User Groupshttpwwwmicrosoftcomcommunitiesdefaultmspx

Microsoft Developer Network (MSDN) amp TechNet httpmicrosoftcommsdn httpmicrosoftcomtechnet httpwwwmicrosoftcomtechnetscriptcenterscriptssusserversusvvb01mspxmfr=true

Trial Software and Virtual Labshttpwwwmicrosoftcomtechnetdownloadstrialsdefaultmspx

Microsoft Learning and Certificationhttpwwwmicrosoftcomlearningdefaultmspx

MicrosoftPublicWindowsServerUpdate_Services httpblogstechnetcomwsus

My contact informationhttpblogstechnetcommkleef

QampA

copy 2007 Microsoft Corporation All rights reserved Microsoft Windows Windows Vista and other product names are or may be registered trademarks andor trademarks in the US andor other countriesThe information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation Because Microsoft must respond to changing market

conditions it should not be interpreted to be a commitment on the part of Microsoft and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation MICROSOFT MAKES NO WARRANTIES EXPRESS IMPLIED OR STATUTORY AS TO THE INFORMATION IN THIS PRESENTATION

  • Deploying and Managing Microsoft Windows Server Update Services
  • Session Objectives and Agenda
  • WSUS 30 Goals
  • New WSUS 30 Features
  • Supported Platforms
  • Update Management - Basics
  • WSUS 30 Console
  • Update Compliance - Basics
  • WSUS 30 Reporting
  • Server Maintenance
  • Server Maintenance - Computers
  • Server Maintenance - Updates
  • Server Maintenance - Database
  • Backup and Defragmenting
  • Server Maintenance ndash Best Practices
  • Cleanup Wizard
  • Server Monitoring
  • Server Monitoring (2)
  • Server Troubleshooting
  • Lessons learned
  • Lessons learned (2)
  • Lessons learned (3)
  • Deployment Architectures
  • Single Server
  • Advanced Deployment Options
  • WSUS Hierarchies
  • Upgrade Scenarios
  • In-place Upgrade
  • Migration Upgrade
  • Upgrading a Hierarchy
  • Configuration Manager 2007
  • Software Update Management End-to-End
  • Summary
  • Resources
  • Slide 37
  • Slide 38
Page 14: Managing a WSUS 3.0 Deployment Take-aways for maintaining a WSUS 3.0 Server Deployment Architectures Migration from WSUS2 to WSUS3 Overview of WSUS3 deployment

Backup and Defragmenting

• Backup Windows Internal Database
  sqlcmd -S np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query -E -Q "backup database SUSDB to disk='c:\susdb.bak'"
• Index Defrag example
  http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true

Server Maintenance – Best Practices

• Run the Cleanup wizard
  • Periodically, especially after rolling out a new SP
  • After 2.0 -> Upgrade
• Computers
  • Clean up from the bottom of your hierarchy to the top
• Updates
  • Always start at the top of the hierarchy and work down
  • Content deletion does not replicate
• Have a Disaster Recovery plan

DEMO: Cleanup Wizard

Server Monitoring

• Use the MOM 2005 WSUS Management pack for advanced monitoring needs
  • Provides alerts and health information for the server
  • Limited monitoring of individual client health
• Monitors
  • Database health – 11000 series events
  • Core server component health – 10000 series events
    • Content sync agent – 10030
    • Meta data sync agent – 10020
    • E-mail – 10050

Server Monitoring

• Monitors (cont.)
  • Web service health – 12000 series events
    • Reporting Web Service – 12000
    • API remoting Web Service – 12010
    • Client Web Service – 12020
    • Server Sync Web Service – 12030
    • SimpleAuth Web Service – 12040
    • DSS Auth Web Service – 12050
  • Clients – 13000 series events
    • Alerts if clients have a >10% failure rate for updates – 13001
    • Self update failures – 13040

Server Troubleshooting

• Server reports
  • E-mail reports
  • Sync Reports
  • Computers and Updates reports
  • SoftwareDistribution.log
  • Change log
• Clients
  • Update and Computer reports
  • Client WindowsUpdate.log
• Custom Reporting from APIs and client log collections
• Use Server Diagnostics Tool to check the server

Lessons learned: Common Client Issues

• Client "Not Yet Reported"
  • Two main issues
    • Self Update failing
    • Can't contact the server properly
  • Usually latency issue
    • wuauclt /detectnow
  • Rare cases require client reset
• Automatic Update Agent not updating
  • Permissions on directory
  • Wrong port specified in GP
  • Versions less than 5.4.3790.1000 indicate AU version 1.0 is installed

Lessons learned: Process to check client

• Run Client Diagnostics Tool: http://technet.microsoft.com/en-us/wsus/bb466192.aspx
• Check WUAU version
• Confirm ports in GP match the server itself: http://wsusserver:8530
• gpupdate /force
• Run wuauclt.exe /detectnow and wait…
  • Look in WindowsUpdate.log
  • Check for any errors
• wuauclt.exe /resetauthorization /detectnow
  • Wait…
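
The client checks listed above, collected into one read-only script. This is an added example, not part of the presentation; the policy registry paths, the wuaueng.dll location and a text-format WindowsUpdate.log under %SystemRoot% are assumptions about the client, and the default server URL is the slide's sample value.

```powershell
# Added example: read-only WSUS client check following the slide's steps.
# Run it after "gpupdate /force" and "wuauclt.exe /detectnow" have had time to finish.
param(
    [string]$ExpectedServer = 'http://wsusserver:8530'  # slide's sample URL; use your own
)

$minAgent = [version]'5.4.3790.1000'   # threshold quoted on the slide
$findings = @()

# 1. Agent version, read from the Automatic Updates engine DLL (assumed location).
$dll   = Join-Path $env:SystemRoot 'System32\wuaueng.dll'
$vi    = (Get-Item $dll).VersionInfo
$agent = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                   $vi.FileBuildPart, $vi.FilePrivatePart)
if ($agent -lt $minAgent) {
    $findings += "Agent $agent is older than $minAgent, so the client has not self-updated"
}

# 2. Group Policy settings as they landed in the registry (assumed policy paths).
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$pol = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
$au  = Get-ItemProperty -Path "$wuPolicy\AU" -ErrorAction SilentlyContinue
if (-not $pol -or -not $pol.WUServer) {
    $findings += 'No WUServer policy value: the client is not pointed at a WSUS server'
} else {
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = [string]$pol.$name
        # String comparison is case-insensitive; a trailing slash is ignored.
        if ($value.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
            $findings += "$name is '$value', expected '$ExpectedServer' (check scheme and port)"
        }
    }
    if (-not $au -or $au.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1, so the WUServer setting is ignored'
    }
}

# 3. Most recent warnings and fatal errors in the client log.
$log = Join-Path $env:SystemRoot 'WindowsUpdate.log'
if (Test-Path $log) {
    $hits = Select-String -Path $log -Pattern 'WARNING:|FATAL:' | Select-Object -Last 10
    foreach ($hit in $hits) {
        $findings += "log: $($hit.Line.Trim())"
    }
} else {
    $findings += "No log at $log"
}

if ($findings.Count -eq 0) {
    'No problems found'
} else {
    $findings
}
```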

Lessons learned: If the client has lost the plot…

• Stop the Automatic Updates service
• Delete the SoftwareDistribution directory
• Delete the reg keys
  • Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
    • PingID
    • AccountDomainSid
    • SusClientId
• Delete the client record in WSUS
• Restart the Automatic Updates service
• wuauclt /detectnow
• Wait 20 mins…
• Recheck logs
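
The reset procedure above as a single PowerShell function. This is an added example, not part of the presentation; the service name wuauserv, the SoftwareDistribution folder under %SystemRoot% and an elevated session are assumptions, and the function name is hypothetical.

```powershell
# Added example: the client reset steps from the slide as one function.
# Assumptions (not from the presentation): service name 'wuauserv', the
# SoftwareDistribution folder under %SystemRoot%, and an elevated session.
function Reset-WsusClient {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    $ErrorActionPreference = 'Stop'
    $service  = 'wuauserv'
    $cacheDir = Join-Path $env:SystemRoot 'SoftwareDistribution'
    $wuKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
    $idValues = 'PingID', 'AccountDomainSid', 'SusClientId'

    # One gate for the whole procedure; with -WhatIf nothing below runs.
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Reset Automatic Updates client state')) {
        return
    }

    # Stop the service and wait, so no file in the cache is still locked.
    Stop-Service -Name $service -Force
    (Get-Service -Name $service).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

    # Delete the download cache and data store; the service recreates them.
    if (Test-Path $cacheDir) {
        Remove-Item -Path $cacheDir -Recurse -Force
    }

    # Delete only the three identity values named on the slide, if present.
    foreach ($name in $idValues) {
        if (Get-ItemProperty -Path $wuKey -Name $name -ErrorAction SilentlyContinue) {
            Remove-ItemProperty -Path $wuKey -Name $name
        }
    }

    # Server-side step, done by hand in the WSUS console before the restart.
    Read-Host 'Delete the client record in WSUS, then press Enter' | Out-Null

    Start-Service -Name $service
    & (Join-Path $env:SystemRoot 'System32\wuauclt.exe') /detectnow
}
```

After the function returns, allow the 20 minutes the slide mentions before rechecking WindowsUpdate.log and the WSUS console.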

Deployment Architectures

Common network architectures
• Single server
• Remote SQL
• BITS Peer Caching
• NLB
• WSUS Hierarchies
• Branch Office

Single Server

• A single server can support up to 25k clients
  • Console-only install for remote administration (e.g. from XP or Vista clients)
  • Read-only WSUS access to non-admin members of the "WSUS Reporters" group
• Point machines to the server via Group Policy
  • No need to deploy clients; the built-in WUA will "self-update" from the server on next sync
  • Variety of WUA policies available, including sync rate (recommend twice/day), scheduled install (recommend daily for desktops) and reboot behavior (can't postpone reboots indefinitely because it's not safe/supported)
• Enable BITS peer-caching policy for efficient network use
  • Internal MSFT deployment had 70% cache-hit rate

Advanced Deployment Options

• SQL 2005 SP1
  • WSUS3 has a unified front-end/back-end setup
  • No performance gain over built-in/default "Windows Internal Database" option
  • Each WSUS client requires a SQL CAL
  • Recommendation: Use only if available/convenient
• NLB
  • Provides redundancy/no single point of failure – not scale up
  • Multiple front-ends all point to the same SQL backend and shared content folder
  • Recommendation: Use only if required, since it's easy to just rebuild a failed WSUS server

WSUS Hierarchies

• Used for scale-out or branch office support
  • Autonomous servers get update binaries and metadata from parent "upstream" server (USS)
  • Replica children also get approvals from USS
• New WSUS3 features for hierarchies
  • Reporting roll-up across replicas
  • More granular sync schedule, up to hourly
  • Toggle replica mode
  • Downstream Server (DSS) can sync a subset of USS language binaries
  • DSS can get approvals from USS and binaries from MU; useful if DSS has broadband internet connection but only narrowband to USS

Upgrade Scenarios

• From SUS1
  • Not directly supported
• Upgrading a single server
  • In-place upgrade: WSUS2 -> WSUS3 on a single server
  • Migration upgrade: WSUS2 -> WSUS3 on different servers
• Upgrading a server hierarchy
  • Connected servers
  • Disconnected servers

In-place Upgrade

• Simply install WSUS3 on same server as WSUS2
• In-place upgrade preserves settings, updates and approvals
• Customized IIS settings must be re-applied after the upgrade (port, SSL, host headers)
• Clients "self-update" next time they sync
• Watch out
  • Uninstalling WSUS3 will not bring back WSUS2
  • If using SQL 2000, setup will fail; use migration upgrade
  • If using remote SQL 2005, need to first uninstall the backend (leave DB behind), then upgrade
    • Because WSUS3 has unified frontend/backend setup

Migration Upgrade

• Install WSUS3 on a new server
• Migrate updates and approvals
  • Export/import content folder via ntbackup
  • Sync the WSUS3 server to get the latest metadata
  • Export/import approvals and target groups via WsusMigrate SDK sample
• Point clients to the new server
  • Change GPO to point clients to the new server/port
  • Clients will "self-update" next time they sync

Upgrading a Hierarchy

• Upgrade must be performed top-down
  • WSUS 2.0 servers can synchronize updates from a 3.0 server (but not vice versa)
• Watch-out
  • DSS must be WSUS2 SP1 or have KB910847 installed (else replica sync may fail after USS upgrade)
• Post-upgrade, take advantage of new WSUS3 deployment options
  • Reporting rollup (on by default)
  • DSS can sync a subset of language
  • DSS sync from MU but host locally (for narrowband connections to USS)
  • Can synch more frequently

Configuration Manager 2007

• Software Update Management (SUM) built on WSUS 3
  • Full Microsoft update catalog
  • Can also manage non-Microsoft software updates
• Included as Managed Server role in site hierarchy
  • Full benefits of site management, Binary Delta Replication, etc.
  • No need to configure/manage WSUS directly

Software Update Management End-to-End

[Diagram; labels: SUM Admin UI, Client UI. Numbered steps from the diagram, in order:]

1. WSUS gets Update Metadata Catalog from MU
2. WSUS syncs Metadata Catalog with Site Server
3. WUA scans client for missing updates against WSUS server
4. Scan results are stored in WMI
5. Compliance State messages are sent to MP
6. Compliance State messages are sent to DB
7. Compliance reports show aggregated scan results
8. Admin UI is used to deploy updates
9. Binaries are downloaded from MU
10. Updates are placed in a Deployment Package on Distribution Point
11. Client gets policy for deployment
12. Client gets update binaries from deployment package and stores them in cache on client
13. Updates are automatically installed on schedule or directly by end user
14. Enforcement State messages are sent to MP
15. Enforcement State messages are sent to DB
16. Deployment reports show aggregated enforcement results

Summary

• WSUS 3.0 requires very little maintenance
• A little bit of love will help your server run more happily

Resources

• Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx
• Microsoft Developer Network (MSDN) & TechNet: http://microsoft.com/msdn, http://microsoft.com/technet, http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true
• Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx
• Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
• Microsoft.Public.Windows.Server.Update_Services, http://blogs.technet.com/wsus
• My contact information: http://blogs.technet.com/mkleef

Q&A

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

  • Deploying and Managing Microsoft Windows Server Update Services
  • Session Objectives and Agenda
  • WSUS 3.0 Goals
  • New WSUS 3.0 Features
  • Supported Platforms
  • Update Management - Basics
  • WSUS 3.0 Console
  • Update Compliance - Basics
  • WSUS 3.0 Reporting
  • Server Maintenance
  • Server Maintenance - Computers
  • Server Maintenance - Updates
  • Server Maintenance - Database
  • Backup and Defragmenting
  • Server Maintenance – Best Practices
  • Cleanup Wizard
  • Server Monitoring
  • Server Monitoring (2)
  • Server Troubleshooting
  • Lessons learned
  • Lessons learned (2)
  • Lessons learned (3)
  • Deployment Architectures
  • Single Server
  • Advanced Deployment Options
  • WSUS Hierarchies
  • Upgrade Scenarios
  • In-place Upgrade
  • Migration Upgrade
  • Upgrading a Hierarchy
  • Configuration Manager 2007
  • Software Update Management End-to-End
  • Summary
  • Resources
  • Slide 37
  • Slide 38
Page 16: Managing a WSUS 3.0 Deployment Take-aways for maintaining a WSUS 3.0 Server Deployment Architectures Migration from WSUS2 to WSUS3 Overview of WSUS3 deployment

DEMOCleanup Wizard

Server Monitoring

Use the MOM 2005 WSUS Management pack for advanced monitoring needs

Provides alerts and health information for the server Limited monitoring of individual client health

MonitorsDatabase health ndash 11000 Series eventsCore server component health ndash 10000 series events

Content sync agent -- 10030

Meta data sync agent -- 10020

E-mail -- 10050

Server Monitoring

Monitors contWeb service health ndash12000 series events

Reporting Web Service ndash 12000

API remoting Web Service ndash 12010

Client Web Service ndash 12020

Server Sync Web Service ndash 12030

SimpleAuth Web Service ndash 12040

DSS Auth Web Service -- 12050

Clients ndash 13000 series eventsAlerts if clients have a gt10 failure rate for updates --13001

Self update failures --13040

Server TroubleshootingServer reports

E-mail reports

Sync Reports

Computers and Updates reports

SoftwareDistributionlog

Change log

ClientsUpdate and Computer reports

Client WindowsUpdatelog

Custom Reporting from APIrsquos and client log collections

Use Server Diagnostics Tool to check the server

Lessons learnedCommon Client Issues

Client ldquoNot Yet ReportedrdquoTwo main issues

Self Update failing

Cant contact the server properly

Usually latency issue

Wuauclt detectnow

Rare cases require client reset

Automatic Update Agent not updatingPermissions on directory

Wrong port specified in GP

Versions less than 5437901000 indicates AU version 10 is installed

Lessons learnedProcess to check client

Run Client Diagnostics Toolhttptechnetmicrosoftcomen-uswsusbb466192aspx

Check WUAU version

Confirm ports in GP match the server itselfhttpwsusserver8530

Gpupdate force

Run a wuaucltexe detectnow and waithellipLook in the windowsupdatelog

Check for any errors

wuaucltexe resetauthorization detectnowWaithellip

Lessons learnedIf the client has lost the plothellip

Stop the Automatic Updates ServiceDelete the SoftwareDistribution DirectoryDelete the reg keys

Go to HKLMSOFTWAREMicrosoftWindowsCurrentVersionWin dowsUpdate

PingID

AccountDomainSid

SusClientId

Delete the client record in WSUSRestart the Automatic Updates ServicesWuauclt detectnowWait 20minshellipRecheck logs

Deployment Architectures

Common network architecturesbull Single serverbull Remote SQLbull BITS Peer Cachingbull NLBbull WSUS Hierarchiesbull Branch Office

Single Server

bull A single server can support up to 25k clientsbull Console-only install for remote administration (eg from

XP or Vista clients)bull Read-only WSUS access to non-admin members of the

ldquoWSUS Reportersrdquo group

bull Point machines to the server via Group Policybull No need to deploy clients the built-in WUA will ldquoself-

updaterdquo from the server on next syncbull Variety of WUA policies available including sync rate

(recommend twiceday) scheduled install (recommend daily for desktops) and reboot behavior (canrsquot postpone reboots indefinitely because itrsquos not safesupported)

bull Enable BITS peer-caching policy for efficient network use Internal MSFT deployment had 70 cache-hit rate

Advanced Deployment Options

bull SQL 2005 SP1bull WSUS3 has a unified front-endback-end setupbull No performance gain over built-indefault ldquoWindows

Internal Databaserdquo optionbull Each WSUS client requires a SQL CALbull Recommendation Use only if availableconvenient

bull NLBbull Provides redundancyno single-point of failure ndash not

scale upbull Multiple front-ends all point to the same SQL backend

and shared content folderbull Recommendation Use only if required since itrsquos easy to

just rebuild a failed WSUS server

WSUS Hierarchies

bull Used for scale-out or branch office supportbull Autonomous servers get update binaries and metadata

from parent ldquoupstreamrdquo server (USS)bull Replica children also get approvals from USS

bull New WSUS3 features for hierarchiesbull Reporting roll-up across replicasbull More granular sync schedule up to hourlybull Toggle replica modebull Downstream Server (DSS) can sync a subset of USS

language binariesbull DSS can get approvals from USS and binaries from MU

useful if DSS has broadband internet connection but only narrowband to USS

Upgrade Scenarios

From SUS1Not directly supported

Upgrading a single serverIn-place upgrade WSUS2-gtWSUS3 on a single serverMigration upgrade WSUS2-gtWSUS3 on different servers

Upgrading a server hierarchyConnected serversDisconnected servers

In-place Upgrade

Simply install WSUS3 on same server as WSUS2In-place upgrade preserves settings updates and approvalsCustomized IIS settings must be re-applied after the upgrade (port SSL host headers)Clients ldquoself-updaterdquo next time they sync

Watch outUninstalling WSUS3 will not bring back WSUS2If using SQL 2000 setup will fail use migration upgradeIf using remote SQL 2005 need to first uninstall the backend (leave DB behind) then upgrade

Because WSUS3 has unified frontendbackend setup

Migration Upgrade

Install WSUS3 on a new serverMigrate updates and approvalsbull Exportimport content folder via ntbackupbull Sync the WSUS3 server to get the latest metadatabull Exportimport approvals and target groups via

WsusMigrate SDK sample

Point clients to the new serverChange GPO to point clients to the new serverportClients will ldquoself-updaterdquo next time they sync

Upgrading a Hierarchy

Upgrade must be performed top-downWSUS 20 Servers can synchronize updates from a 30 Server (but not vice versa)

Watch-outDSS must be WSUS2 SP1 or have KB910847 installed (else replica sync may fail after USS upgrade)

Post-upgrade take advantage of new WSUS3 deployment options

Reporting rollup (on by default)DSS can sync a subset of languageDSS sync from MU but host locally (for narrowband connections to USS)Can synch more frequently

Configuration Manager 2007

Software Update Management (SUM) built on WSUS 3
• Full Microsoft update catalog
• Can also manage non-Microsoft software updates

Included as Managed Server role in site hierarchy
• Full benefits of site management, Binary Delta Replication, etc.
• No need to configure/manage WSUS directly

Software Update Management End-to-End

[Diagram with numbered steps; labels: SUM Admin UI, Client UI]

1. WSUS gets Update Metadata Catalog from MU
2. WSUS syncs Metadata Catalog with Site Server
3. WUA scans client for missing updates against WSUS server
4. Scan results are stored in WMI
5. Compliance State messages are sent to MP
6. Compliance State messages are sent to DB
7. Compliance reports show aggregated scan results
8. Admin UI is used to deploy updates
9. Binaries are downloaded from MU
10. Updates are placed in a Deployment Package on Distribution Point
11. Client gets policy for deployment
12. Client gets update binaries from deployment package and stores them in cache on client
13. Updates are automatically installed on schedule or directly by end user
14. Enforcement State messages are sent to MP
15. Enforcement State messages are sent to DB
16. Deployment reports show aggregated enforcement results

Summary

• WSUS 3.0 requires very little maintenance
• A little bit of love will help your server run more happily

Resources

Technical Communities, Webcasts, Blogs, Chats & User Groups
http://www.microsoft.com/communities/default.mspx

Microsoft Developer Network (MSDN) & TechNet
http://microsoft.com/msdn
http://microsoft.com/technet
http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true

Trial Software and Virtual Labs
http://www.microsoft.com/technet/downloads/trials/default.mspx

Microsoft Learning and Certification
http://www.microsoft.com/learning/default.mspx

Microsoft.Public.Windows.Server.Update_Services
http://blogs.technet.com/wsus

My contact information
http://blogs.technet.com/mkleef

Q&A

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


Server Monitoring

Use the MOM 2005 WSUS Management Pack for advanced monitoring needs
• Provides alerts and health information for the server
• Limited monitoring of individual client health

Monitors
• Database health - 11000 series events
• Core server component health - 10000 series events
  • Content sync agent - 10030
  • Metadata sync agent - 10020
  • E-mail - 10050

Server Monitoring

Monitors (cont.)
• Web service health - 12000 series events
  • Reporting Web Service - 12000
  • API remoting Web Service - 12010
  • Client Web Service - 12020
  • Server Sync Web Service - 12030
  • SimpleAuth Web Service - 12040
  • DSS Auth Web Service - 12050
• Clients - 13000 series events
  • Alerts if clients have a >10% failure rate for updates - 13001
  • Self-update failures - 13040

Server Troubleshooting

Server reports
• E-mail reports
• Sync reports
• Computers and Updates reports
• SoftwareDistribution.log
• Change log

Clients
• Update and Computer reports
• Client WindowsUpdate.log

Custom reporting from APIs and client log collections

Use Server Diagnostics Tool to check the server

Lessons learned
Common Client Issues

Client "Not Yet Reported"
• Two main issues
  • Self-update failing
  • Can't contact the server properly
• Usually latency issue
  • wuauclt /detectnow
• Rare cases require client reset

Automatic Update Agent not updating
• Permissions on directory
• Wrong port specified in GP
• Versions less than 5.4.3790.1000 indicate AU version 1.0 is installed

Lessons learned
Process to check client

• Run Client Diagnostics Tool: http://technet.microsoft.com/en-us/wsus/bb466192.aspx
• Check WUAU version
• Confirm ports in GP match the server itself: http://wsusserver:8530
• gpupdate /force
• Run wuauclt.exe /detectnow and wait...
  • Look in the WindowsUpdate.log
  • Check for any errors
• wuauclt.exe /resetauthorization /detectnow
  • Wait...

Lessons learned
If the client has lost the plot...

• Stop the Automatic Updates service
• Delete the SoftwareDistribution directory
• Delete the reg keys
  • Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate
  • PingID
  • AccountDomainSid
  • SusClientId
• Delete the client record in WSUS
• Restart the Automatic Updates service
• wuauclt /detectnow
• Wait 20 mins...
• Recheck logs
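
The client check and reset steps from the "Lessons learned" slides, as an added PowerShell example that is not part of the original deck. It assumes a client of that era with the text-format WindowsUpdate.log, reads the agent version from wuaueng.dll and the server URL from the WUServer policy value; the function names are hypothetical.

```powershell
# Added example (not from the slides): check and, if needed, reset a WSUS client.
# Run elevated on the client. 'http://wsusserver:8530' is the slides' sample URL.

$AuKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$MinAgent  = [version]'5.4.3790.1000'   # anything lower means the AU 1.0 agent

function Test-WsusClient {
    # Read-only checks from "Process to check client".
    param([Parameter(Mandatory = $true)][uri]$ExpectedServer)

    # Agent version is taken from the Windows Update engine DLL.
    $fv    = (Get-Item (Join-Path $env:SystemRoot 'System32\wuaueng.dll')).VersionInfo
    $agent = [version]('{0}.{1}.{2}.{3}' -f $fv.FileMajorPart, $fv.FileMinorPart,
                                            $fv.FileBuildPart, $fv.FilePrivatePart)

    # Server URL delivered by Group Policy; empty if the GPO never applied.
    $policy   = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $wuServer = if ($policy -and $policy.WUServer) { [uri]$policy.WUServer } else { $null }

    # Recent warnings and fatal errors from the client log.
    $log    = Join-Path $env:SystemRoot 'WindowsUpdate.log'
    $issues = @()
    if (Test-Path $log) {
        $issues = @(Get-Content $log -Tail 500 | Select-String -Pattern 'WARNING|FATAL')
    }

    [pscustomobject]@{
        AgentVersion  = $agent
        AgentTooOld   = $agent -lt $MinAgent
        PolicyServer  = $wuServer
        ServerMatches = ($null -ne $wuServer) -and
                        ($wuServer.Host -eq $ExpectedServer.Host) -and
                        ($wuServer.Port -eq $ExpectedServer.Port)
        LogIssues     = $issues.Count
        LastLogIssue  = if ($issues.Count) { $issues[-1].Line } else { $null }
    }
}

function Reset-WsusClient {
    # The "client has lost the plot" procedure. Supports -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    $store = Join-Path $env:SystemRoot 'SoftwareDistribution'
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Reset Automatic Updates client state')) {
        return
    }

    Stop-Service -Name wuauserv -Force
    if (Test-Path $store) {
        Remove-Item -Path $store -Recurse -Force
    }
    # Removing these values makes the client register with WSUS under a new identity.
    foreach ($name in 'PingID', 'AccountDomainSid', 'SusClientId') {
        Remove-ItemProperty -Path $AuKey -Name $name -ErrorAction SilentlyContinue
    }
    # Server-side step, done by hand: delete this client's record in the WSUS console.
    Start-Service -Name wuauserv
    & wuauclt.exe /resetauthorization /detectnow
}

# Typical sequence:
#   gpupdate /force
#   Test-WsusClient -ExpectedServer 'http://wsusserver:8530'
#   Reset-WsusClient -WhatIf      # preview, then run without -WhatIf
#   (wait about 20 minutes, then run Test-WsusClient again and recheck the log)
```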

Deployment Architectures

Common network architectures
• Single server
• Remote SQL
• BITS Peer Caching
• NLB
• WSUS Hierarchies
• Branch Office

Single Server

• A single server can support up to 25k clients
• Console-only install for remote administration (e.g. from XP or Vista clients)
• Read-only WSUS access to non-admin members of the "WSUS Reporters" group

• Point machines to the server via Group Policy
• No need to deploy clients; the built-in WUA will "self-update" from the server on next sync
• Variety of WUA policies available, including sync rate (recommend twice/day), scheduled install (recommend daily for desktops) and reboot behavior (can't postpone reboots indefinitely because it's not safe/supported)

• Enable BITS peer-caching policy for efficient network use. Internal MSFT deployment had 70% cache-hit rate

Advanced Deployment Options

• SQL 2005 SP1
  • WSUS3 has a unified front-end/back-end setup
  • No performance gain over built-in/default "Windows Internal Database" option
  • Each WSUS client requires a SQL CAL
  • Recommendation: Use only if available/convenient

• NLB
  • Provides redundancy/no single point of failure - not scale up
  • Multiple front-ends all point to the same SQL backend and shared content folder
  • Recommendation: Use only if required, since it's easy to just rebuild a failed WSUS server

WSUS Hierarchies

• Used for scale-out or branch office support
• Autonomous servers get update binaries and metadata from parent "upstream" server (USS)
• Replica children also get approvals from USS

• New WSUS3 features for hierarchies
  • Reporting roll-up across replicas
  • More granular sync schedule, up to hourly
  • Toggle replica mode
  • Downstream Server (DSS) can sync a subset of USS language binaries
  • DSS can get approvals from USS and binaries from MU (useful if DSS has broadband internet connection but only narrowband to USS)

Page 20: Managing a WSUS 3.0 Deployment Take-aways for maintaining a WSUS 3.0 Server Deployment Architectures Migration from WSUS2 to WSUS3 Overview of WSUS3 deployment

Lessons learnedCommon Client Issues

Client ldquoNot Yet ReportedrdquoTwo main issues

Self Update failing

Cant contact the server properly

Usually latency issue

Wuauclt detectnow

Rare cases require client reset

Automatic Update Agent not updatingPermissions on directory

Wrong port specified in GP

Versions less than 5437901000 indicates AU version 10 is installed

Lessons learnedProcess to check client

Run Client Diagnostics Toolhttptechnetmicrosoftcomen-uswsusbb466192aspx

Check WUAU version

Confirm ports in GP match the server itselfhttpwsusserver8530

Gpupdate force

Run a wuaucltexe detectnow and waithellipLook in the windowsupdatelog

Check for any errors

wuaucltexe resetauthorization detectnowWaithellip

Lessons learnedIf the client has lost the plothellip

Stop the Automatic Updates ServiceDelete the SoftwareDistribution DirectoryDelete the reg keys

Go to HKLMSOFTWAREMicrosoftWindowsCurrentVersionWin dowsUpdate

PingID

AccountDomainSid

SusClientId

Delete the client record in WSUSRestart the Automatic Updates ServicesWuauclt detectnowWait 20minshellipRecheck logs

Deployment Architectures

Common network architectures
  • Single server
  • Remote SQL
  • BITS Peer Caching
  • NLB
  • WSUS Hierarchies
  • Branch Office

Single Server

  • A single server can support up to 25k clients
  • Console-only install for remote administration (e.g. from XP or Vista clients)
  • Read-only WSUS access to non-admin members of the "WSUS Reporters" group
  • Point machines to the server via Group Policy
  • No need to deploy clients; the built-in WUA will "self-update" from the server on next sync
  • Variety of WUA policies available, including sync rate (recommend twice/day), scheduled install (recommend daily for desktops) and reboot behavior (can't postpone reboots indefinitely because it's not safe/supported)
  • Enable BITS peer-caching policy for efficient network use
    • Internal MSFT deployment had 70% cache-hit rate

Advanced Deployment Options

  • SQL 2005 SP1
    • WSUS3 has a unified front-end/back-end setup
    • No performance gain over built-in/default "Windows Internal Database" option
    • Each WSUS client requires a SQL CAL
    • Recommendation: Use only if available/convenient
  • NLB
    • Provides redundancy/no single point of failure – not scale up
    • Multiple front-ends all point to the same SQL backend and shared content folder
    • Recommendation: Use only if required, since it's easy to just rebuild a failed WSUS server

WSUS Hierarchies

  • Used for scale-out or branch office support
    • Autonomous servers get update binaries and metadata from parent "upstream" server (USS)
    • Replica children also get approvals from USS
  • New WSUS3 features for hierarchies
    • Reporting roll-up across replicas
    • More granular sync schedule, up to hourly
    • Toggle replica mode
    • Downstream Server (DSS) can sync a subset of USS language binaries
    • DSS can get approvals from USS and binaries from MU; useful if DSS has broadband internet connection but only narrowband to USS

Upgrade Scenarios

  • From SUS1
    • Not directly supported
  • Upgrading a single server
    • In-place upgrade: WSUS2 -> WSUS3 on a single server
    • Migration upgrade: WSUS2 -> WSUS3 on different servers
  • Upgrading a server hierarchy
    • Connected servers
    • Disconnected servers

In-place Upgrade

  • Simply install WSUS3 on same server as WSUS2
  • In-place upgrade preserves settings, updates and approvals
  • Customized IIS settings must be re-applied after the upgrade (port, SSL, host headers)
  • Clients "self-update" next time they sync

Watch out
  • Uninstalling WSUS3 will not bring back WSUS2
  • If using SQL 2000, setup will fail; use migration upgrade
  • If using remote SQL 2005, need to first uninstall the backend (leave DB behind), then upgrade
    • Because WSUS3 has unified frontend/backend setup

Migration Upgrade

  • Install WSUS3 on a new server
  • Migrate updates and approvals
    • Export/import content folder via ntbackup
    • Sync the WSUS3 server to get the latest metadata
    • Export/import approvals and target groups via WsusMigrate SDK sample
  • Point clients to the new server
    • Change GPO to point clients to the new server/port
    • Clients will "self-update" next time they sync

Upgrading a Hierarchy

  • Upgrade must be performed top-down
    • WSUS 2.0 servers can synchronize updates from a 3.0 server (but not vice versa)
  • Watch out
    • DSS must be WSUS2 SP1 or have KB910847 installed (else replica sync may fail after USS upgrade)
  • Post-upgrade, take advantage of new WSUS3 deployment options
    • Reporting rollup (on by default)
    • DSS can sync a subset of languages
    • DSS sync from MU but host locally (for narrowband connections to USS)
    • Can sync more frequently

Configuration Manager 2007

  • Software Update Management (SUM) built on WSUS 3
    • Full Microsoft update catalog
    • Can also manage non-Microsoft software updates
  • Included as Managed Server role in site hierarchy
    • Full benefits of site management: Binary Delta Replication, etc.
    • No need to configure/manage WSUS directly

Software Update Management End-to-End

(Diagram labels: SUM Admin UI, Client UI)

  1. WSUS gets Update Metadata Catalog from MU
  2. WSUS syncs Metadata Catalog with Site Server
  3. WUA scans client for missing updates against WSUS server
  4. Scan results are stored in WMI
  5. Compliance State messages are sent to MP
  6. Compliance State messages are sent to DB
  7. Compliance reports show aggregated scan results
  8. Admin UI is used to deploy updates
  9. Binaries are downloaded from MU
  10. Updates are placed in a Deployment Package on Distribution Point
  11. Client gets policy for deployment
  12. Client gets update binaries from deployment package and stores them in cache on client
  13. Updates are automatically installed on schedule or directly by end user
  14. Enforcement State messages are sent to MP
  15. Enforcement State messages are sent to DB
  16. Deployment reports show aggregated enforcement results

Summary

  • WSUS 3.0 requires very little maintenance
  • A little bit of love will help your server run more happily

Resources

  • Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx
  • Microsoft Developer Network (MSDN) & TechNet: http://microsoft.com/msdn, http://microsoft.com/technet, http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true
  • Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx
  • Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
  • Microsoft.Public.Windows.Server.Update_Services, http://blogs.technet.com/wsus
  • My contact information: http://blogs.technet.com/mkleef

Q&A

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.




  • Deploying and Managing Microsoft Windows Server Update Services
  • Session Objectives and Agenda
  • WSUS 30 Goals
  • New WSUS 30 Features
  • Supported Platforms
  • Update Management - Basics
  • WSUS 30 Console
  • Update Compliance - Basics
  • WSUS 30 Reporting
  • Server Maintenance
  • Server Maintenance - Computers
  • Server Maintenance - Updates
  • Server Maintenance - Database
  • Backup and Defragmenting
  • Server Maintenance ndash Best Practices
  • Cleanup Wizard
  • Server Monitoring
  • Server Monitoring (2)
  • Server Troubleshooting
  • Lessons learned
  • Lessons learned (2)
  • Lessons learned (3)
  • Deployment Architectures
  • Single Server
  • Advanced Deployment Options
  • WSUS Hierarchies
  • Upgrade Scenarios
  • In-place Upgrade
  • Migration Upgrade
  • Upgrading a Hierarchy
  • Configuration Manager 2007
  • Software Update Management End-to-End
  • Summary
  • Resources
  • Slide 37
  • Slide 38
Page 24: Managing a WSUS 3.0 Deployment Take-aways for maintaining a WSUS 3.0 Server Deployment Architectures Migration from WSUS2 to WSUS3 Overview of WSUS3 deployment

Single Server

bull A single server can support up to 25k clientsbull Console-only install for remote administration (eg from

XP or Vista clients)bull Read-only WSUS access to non-admin members of the

ldquoWSUS Reportersrdquo group

bull Point machines to the server via Group Policybull No need to deploy clients the built-in WUA will ldquoself-

updaterdquo from the server on next syncbull Variety of WUA policies available including sync rate

(recommend twiceday) scheduled install (recommend daily for desktops) and reboot behavior (canrsquot postpone reboots indefinitely because itrsquos not safesupported)

bull Enable BITS peer-caching policy for efficient network use Internal MSFT deployment had 70 cache-hit rate

Advanced Deployment Options

bull SQL 2005 SP1bull WSUS3 has a unified front-endback-end setupbull No performance gain over built-indefault ldquoWindows

Internal Databaserdquo optionbull Each WSUS client requires a SQL CALbull Recommendation Use only if availableconvenient

bull NLBbull Provides redundancyno single-point of failure ndash not

scale upbull Multiple front-ends all point to the same SQL backend

and shared content folderbull Recommendation Use only if required since itrsquos easy to

just rebuild a failed WSUS server

WSUS Hierarchies

• Used for scale-out or branch office support
  • Autonomous servers get update binaries and metadata from parent "upstream" server (USS)
  • Replica children also get approvals from USS
• New WSUS3 features for hierarchies
  • Reporting roll-up across replicas
  • More granular sync schedule, up to hourly
  • Toggle replica mode
  • Downstream Server (DSS) can sync a subset of USS language binaries
  • DSS can get approvals from USS and binaries from MU; useful if DSS has broadband internet connection but only narrowband to USS

Upgrade Scenarios

• From SUS1
  • Not directly supported
• Upgrading a single server
  • In-place upgrade: WSUS2 -> WSUS3 on a single server
  • Migration upgrade: WSUS2 -> WSUS3 on different servers
• Upgrading a server hierarchy
  • Connected servers
  • Disconnected servers

In-place Upgrade

• Simply install WSUS3 on same server as WSUS2
  • In-place upgrade preserves settings, updates and approvals
  • Customized IIS settings must be re-applied after the upgrade (port, SSL, host headers)
  • Clients "self-update" next time they sync
• Watch out
  • Uninstalling WSUS3 will not bring back WSUS2
  • If using SQL 2000, setup will fail; use migration upgrade
  • If using remote SQL 2005, need to first uninstall the backend (leave DB behind), then upgrade, because WSUS3 has unified frontend/backend setup

Migration Upgrade

• Install WSUS3 on a new server
• Migrate updates and approvals
  • Export/import content folder via ntbackup
  • Sync the WSUS3 server to get the latest metadata
  • Export/import approvals and target groups via WsusMigrate SDK sample
• Point clients to the new server
  • Change GPO to point clients to the new server/port
  • Clients will "self-update" next time they sync
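
A client-side check for the GPO repointing step above, and for the port and SSL settings the In-place Upgrade slide says must be re-applied, as an added example that is not part of the original deck. The server URL is a constructed placeholder; the registry values read are the Windows Update policy values written by the "Specify intranet Microsoft update service location" Group Policy setting.

```powershell
# Added example, not from the original deck. Run on a client after gpupdate.
# $ExpectedUrl is a constructed placeholder; pass your own WSUS server URL.
param(
    [string]$ExpectedUrl = 'https://wsus3.example.internal:8531'
)

# Policy locations written by the "Specify intranet Microsoft update service
# location" Group Policy setting.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy has not applied.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Compare-WsusUrl {
    param([string]$Actual, [string]$Expected)
    # Emits one string per mismatch; emits nothing when the URLs agree.
    if ([string]::IsNullOrEmpty($Actual)) { 'value not set by policy'; return }
    $actualUri = $null
    if (-not [System.Uri]::TryCreate($Actual, [System.UriKind]::Absolute, [ref]$actualUri)) {
        "not an absolute URL: $Actual"; return
    }
    $expectedUri = [System.Uri]$Expected
    # Compare the parts separately so a stale port or an http/https mismatch
    # is reported by name instead of as a generic "URL differs".
    if ($actualUri.Scheme -ne $expectedUri.Scheme) {
        "scheme is $($actualUri.Scheme), expected $($expectedUri.Scheme)"
    }
    if ($actualUri.Host -ne $expectedUri.Host) {
        "host is $($actualUri.Host), expected $($expectedUri.Host)"
    }
    if ($actualUri.Port -ne $expectedUri.Port) {
        "port is $($actualUri.Port), expected $($expectedUri.Port)"
    }
}

$problems = @()

# Without UseWUServer = 1 the agent ignores WUServer and keeps using its default source.
if ((Get-PolicyValue -Path $AuKey -Name 'UseWUServer') -ne 1) {
    $problems += 'UseWUServer is not 1, so the WUServer setting is ignored'
}

# Both the update source and the reporting target must point at the new server.
foreach ($name in 'WUServer', 'WUStatusServer') {
    $value = Get-PolicyValue -Path $WuKey -Name $name
    foreach ($finding in @(Compare-WsusUrl -Actual $value -Expected $ExpectedUrl)) {
        $problems += "${name}: $finding"
    }
}

if ($problems.Count -eq 0) {
    Write-Output "OK: client is pointed at $ExpectedUrl"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```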

Upgrading a Hierarchy

• Upgrade must be performed top-down
  • WSUS 2.0 Servers can synchronize updates from a 3.0 Server (but not vice versa)
• Watch-out
  • DSS must be WSUS2 SP1 or have KB910847 installed (else replica sync may fail after USS upgrade)
• Post-upgrade, take advantage of new WSUS3 deployment options
  • Reporting rollup (on by default)
  • DSS can sync a subset of languages
  • DSS sync from MU but host locally (for narrowband connections to USS)
  • Can sync more frequently

Configuration Manager 2007

• Software Update Management (SUM) built on WSUS 3
  • Full Microsoft update catalog
  • Can also manage non-Microsoft software updates
• Included as Managed Server role in site hierarchy
  • Full benefits of site management: Binary Delta Replication, etc.
  • No need to configure/manage WSUS directly

Software Update Management End-to-End

[Diagram: numbered flow between the SUM Admin UI and the Client UI]

1. WSUS gets Update Metadata Catalog from MU
2. WSUS syncs Metadata Catalog with Site Server
3. WUA scans client for missing updates against WSUS server
4. Scan results are stored in WMI
5. Compliance State messages are sent to MP
6. Compliance State messages are sent to DB
7. Compliance reports show aggregated scan results
8. Admin UI is used to deploy updates
9. Binaries are downloaded from MU
10. Updates are placed in a Deployment Package on Distribution Point
11. Client gets policy for deployment
12. Client gets update binaries from deployment package and stores them in cache on client
13. Updates are automatically installed on schedule or directly by end user
14. Enforcement State messages are sent to MP
15. Enforcement State messages are sent to DB
16. Deployment reports show aggregated enforcement results

Summary

• WSUS 3.0 requires very little maintenance
• A little bit of love will help your server run more happily

Resources

• Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx
• Microsoft Developer Network (MSDN) & TechNet: http://microsoft.com/msdn, http://microsoft.com/technet, http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true
• Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx
• Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
• Microsoft.Public.Windows.Server.Update_Services, http://blogs.technet.com/wsus
• My contact information: http://blogs.technet.com/mkleef

Q&A

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Page 30: Managing a WSUS 3.0 Deployment Take-aways for maintaining a WSUS 3.0 Server Deployment Architectures Migration from WSUS2 to WSUS3 Overview of WSUS3 deployment

Upgrading a Hierarchy

Upgrade must be performed top-down

  • WSUS 2.0 servers can synchronize updates from a 3.0 server (but not vice versa)

Watch-out: DSS must be WSUS2 SP1 or have KB910847 installed (else replica sync may fail after USS upgrade)

Post-upgrade, take advantage of new WSUS3 deployment options

  • Reporting rollup (on by default)
  • DSS can sync a subset of languages
  • DSS sync from MU but host locally (for narrowband connections to USS)
  • Can sync more frequently
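The ordering rule and watch-out from this slide, as an added example that is not part of the original presentation: a planner that walks a WSUS hierarchy top-down and flags any downstream server (DSS) that fails the WSUS2 SP1 / KB910847 prerequisite before its upstream server (USS) is upgraded. The server names and inventory fields are constructed for illustration.

```python
from collections import deque

# Constructed inventory (assumption, not from the talk):
# name -> upstream server, WSUS version, SP1 flag, installed KBs.
INVENTORY = {
    "hq-uss":    {"upstream": None,       "version": "2.0", "sp1": True,  "kbs": set()},
    "region-a":  {"upstream": "hq-uss",   "version": "2.0", "sp1": False, "kbs": {"KB910847"}},
    "region-b":  {"upstream": "hq-uss",   "version": "2.0", "sp1": False, "kbs": set()},
    "branch-a1": {"upstream": "region-a", "version": "2.0", "sp1": True,  "kbs": set()},
}

def downstream_of(inventory, name):
    """Direct downstream servers of `name`, sorted for a stable plan."""
    return sorted(n for n, s in inventory.items() if s["upstream"] == name)

def replica_sync_ready(server):
    """The slide's watch-out: a DSS must be WSUS2 SP1 or have KB910847 installed."""
    return server["version"] != "2.0" or server["sp1"] or "KB910847" in server["kbs"]

def plan_upgrade(inventory):
    """Return (order, blockers): a top-down upgrade order and, for each server,
    the direct DSSs that must be patched before that server is upgraded."""
    roots = sorted(n for n, s in inventory.items() if s["upstream"] is None)
    order, blockers, queue = [], {}, deque(roots)
    while queue:
        name = queue.popleft()
        order.append(name)
        children = downstream_of(inventory, name)
        not_ready = [c for c in children if not replica_sync_ready(inventory[c])]
        if not_ready:
            blockers[name] = not_ready
        queue.extend(children)
    return order, blockers

def order_violations(inventory, proposed):
    """Servers that a proposed order upgrades before their 2.0 upstream:
    a 3.0 server cannot synchronize from a 2.0 server."""
    position = {name: i for i, name in enumerate(proposed)}
    bad = []
    for name in proposed:
        up = inventory[name]["upstream"]
        if up is None or inventory[up]["version"] != "2.0":
            continue  # root server, or upstream already on 3.0
        if position.get(up, len(proposed)) > position[name]:
            bad.append(name)
    return bad

if __name__ == "__main__":
    order, blockers = plan_upgrade(INVENTORY)
    print("Upgrade order:", " -> ".join(order))
    for uss, dss_list in blockers.items():
        print(f"Before upgrading {uss}, fix: {', '.join(dss_list)}")
```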

Configuration Manager 2007

Software Update Management (SUM) built on WSUS 3

  • Full Microsoft update catalog
  • Can also manage non-Microsoft software updates

Included as Managed Server role in site hierarchy

  • Full benefits of site management: Binary Delta Replication, etc.
  • No need to configure/manage WSUS directly

Software Update Management End-to-End

(Diagram; labelled components: SUM Admin UI, Client UI)

1. WSUS gets Update Metadata Catalog from MU
2. WSUS syncs Metadata Catalog with Site Server
3. WUA scans client for missing updates against WSUS server
4. Scan results are stored in WMI
5. Compliance State messages are sent to MP
6. Compliance State messages are sent to DB
7. Compliance reports show aggregated scan results
8. Admin UI is used to deploy updates
9. Binaries are downloaded from MU
10. Updates are placed in a Deployment Package on Distribution Point
11. Client gets policy for deployment
12. Client gets update binaries from deployment package and stores them in cache on client
13. Updates are automatically installed on schedule or directly by end user
14. Enforcement State messages are sent to MP
15. Enforcement State messages are sent to DB
16. Deployment reports show aggregated enforcement results

Summary

WSUS 3.0 requires very little maintenance

A little bit of love will help your server run more happily

Resources

Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx

Microsoft Developer Network (MSDN) & TechNet: http://microsoft.com/msdn http://microsoft.com/technet http://www.microsoft.com/technet/scriptcenter/scripts/sus/server/susvvb01.mspx?mfr=true

Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx

Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx

Microsoft.Public.Windows.Server.Update_Services http://blogs.technet.com/wsus

My contact information: http://blogs.technet.com/mkleef

Q&A

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

  • Deploying and Managing Microsoft Windows Server Update Services
  • Session Objectives and Agenda
  • WSUS 3.0 Goals
  • New WSUS 3.0 Features
  • Supported Platforms
  • Update Management - Basics
  • WSUS 3.0 Console
  • Update Compliance - Basics
  • WSUS 3.0 Reporting
  • Server Maintenance
  • Server Maintenance - Computers
  • Server Maintenance - Updates
  • Server Maintenance - Database
  • Backup and Defragmenting
  • Server Maintenance – Best Practices
  • Cleanup Wizard
  • Server Monitoring
  • Server Monitoring (2)
  • Server Troubleshooting
  • Lessons learned
  • Lessons learned (2)
  • Lessons learned (3)
  • Deployment Architectures
  • Single Server
  • Advanced Deployment Options
  • WSUS Hierarchies
  • Upgrade Scenarios
  • In-place Upgrade
  • Migration Upgrade
  • Upgrading a Hierarchy
  • Configuration Manager 2007
  • Software Update Management End-to-End
  • Summary
  • Resources
  • Slide 37
  • Slide 38