01 April 2010

Installing Windows Server Update Services


Centralised Windows updates for a LAN setup.
I have a number of windows machines for development purposes and by far the biggest pain is keeping them all updated. Windows Server Update Services (WSUS) provides a centralised location to manage them.
As usual, the installation requires a few hoop jumps so here are my notes on the process.
Requirements
NB: By default Win2008 Server you’ll need to turn off IE enhanced security to download files: Server Manager/Security/Configure IE ESC
  • Windows server OS e.g. Windows Server 2008 (Although the management client will run on non-server OS the agent itself must be installed on a server.
  • SQL Server, Express or Windows Internal Database. I went for Win Internal so the update server is self contained (i.e. not reliant on my database server). Originally I tried SQL Express but I couldn’t get the configuration to work and also it has a 4GB limit which might create gremlins later on. I get the impression WSUS was designed for Win Internal, see: Choose the Database Used for WSUS 3.0. Windows Internal Database is included in the installation.
  • .Net Framework. As of writing it requires 3.5 SP2 and 4.0, downloadable at: http://www.microsoft.com/net
  • IIS: but not just the basic ‘add role’ IIS, you need to also configure it. See P.30 in the WSUS Deployment Guide for more information but in brief you’ll need:
    • Common HTTP Features (including Static Content)
    • Application Development/ASP.NET, ISAPI Extensions, and ISAPI Features
    • Security/Windows Authentication
    • Management Tools/IIS 6 Management Compatibility/IIS Metabase Compatibility
    • NB: in the WSUS deployment guide there is a bit about changing the config files. I found this was not necessary.
  • Microsoft Report Viewer Redistributable (only required for the Admin interface).
  • Admin Interface:You can’t install the admin console alone using Roles/Add Role but you can download/install it directly: WSUS Download
Installation
I would recommend installing .Net and then IIS independently first and checking for updates/rebooting in between so they are installed and fully updated before you start the WSUS install.
To install the WSUS role go to Server Manager and select Roles/Add Role then select install.

Once installed configure the sync (Update Services/[Server name]/Options) to coincide with the update release approx 10am P.S.T. i.e. 18:00 GMT. Consider how many syncs you want daily, I use between 12 and 24.



DNS Alias
If you creat a DNS alias for your WSUS server you can change your actual WSUS server without having to alter the GPO
e.g. wsus.[intranet domain name] –> IP of WSUS server


Schedule Deployment of Auto Updates via GPO
MS recommends scheduling the updates via a (WSUS specific) Group Policy object (GPO). If your computer is not part of a domain then this isn't relevant.

Update Services
In Start/Administration/Update Services:
  • Expand Update Services/[Server name]/Options
  • Click on Computers and select “Use Group Policy…”
  • Create a group for computers e.g. Assigned, Workstations, or Servers. This will be used to add the computers via the Group Policy.


Group Policy
In Start/Administration/Group Policy Management:
  • Expand GP Management/[Forest name]/Domains/[Domain name]; right click on Domain name; select “Create a GPO in this domain…”
  • A new GPO should appear under Group Policy Objects. Call it WSUS
  • Right click and select Edit.
  • Navigate to Computer Configuration/Policies/Administrative Templates/Windows Components/Windows Updates
  • Edit:
    • Required:
      • Configure Automatic Updates Properties: Select Enabled and Auto download and schedule the install” then set a time to install. Remember to ensure this is after the WSUS server’s update schedule (see above).
      • Specify intranet Microsoft update service location: enter the DNS alias (and port if necessary e.g. 8530). You’ll probably use the same value for the stats server. This is how your clients know to use your server and not MS directly. I liike to use an alias and set that in my DNS server, so I can move WSUS without altering the policy e.g. wsus.[active directory domain]
    • Recommended:
      • Do not display 'Install Updates and Shut Down': Disabled
      • Automatic Updates detection frequency: Enabled every hour/few hours. Remember this is only an internal request now so it's more important to catch the computer turned on than to conserve bandwidth.
      • Allow Automatic Updates immediate installation: Enabled
      • Turn on recommended updates via Automatic Updates: Enabled
      • No auto-restart with logged on users for scheduled..: Disabled (warming: they restart themselves whilst the user is logged in but with a warming).
      • Re-prompt for restart: Enabled and set to 30mins: I find the 10 minute interval too short.
      • Enable client-side-targeting: specify the WSUS group created above eg. Assigned or Workstations.
If the computers show a status of “Not logged in” in WSUS then don’t worry: it can take a couple of hours for the changes to take effect.

References
WSUS Deployment Guide
Windows Server Update Services Tools and Utilities

No comments:

Post a Comment