WSUS: Best practice guide lines for WSUS installation, configuration and management

Windows Server Update Services (WSUS) is highly important services in a Microsoft infrastructure. WSUS provides automated delivery of service packs, hot fixes and update rollups to desktops and servers and keep them up to date. When you configure WSUS in an enterprise you have to consider maximum benefits you can get it from using minimum bandwidth and resources. However, you must provide WSUS server enough resources to run in optimum conditions and deliver up to the expectation over the years.

Capacity Planning

Capacity planning is the step 1 before deploying WSUS in an enterprise. There are number of factors you have to consider before deploying WSUS. The following hardware and database requirements are driven by the need of an organization.

1. Number of clients and servers
2. Frequency of update delivery
3. Single server or multiple server deployment

Minimum requirements:

1. CPU – Minimum 1 GHz, 1.5 GHz or faster is recommended
2. RAM – Minimum 1 GB, 2 GB or more is recommended
3. Both the system partition and the partition on which you install WSUS 3.0 SP2 must be formatted with the NTFS file system
4. Minimum 1 GB of free space on the system partition
5. Minimum 2 GB of free space on the volume on which database files will be stored
6. Minimum 20 GB of free space on the volume on which content is stored, 30 GB is recommended
7. Notice that WSUS 3.0 SP2 cannot be installed on compressed drives.
8. Database – internal or SQL Express

But with this minimum hardware, WSUS server will not perform well when content and Data base log start growing. Recommended Systems that supports up to 25k clients:

1. CPU- Intel Core 2 or Quad or Xeon
2. RAM – 4GB
3. Disk – at least 50 GB or more free space in Systems partition and 150GB or more disk space for WSUS content in separate partitions or DFS.
4. Database – SQL Remote database or local SQL Express 2005 or later
5. Windows Server 2003 (x64 or X86) or Windows Server 2008
6. un-compressed NTFS Partitions

Bandwidth Management

WSUS is a bandwidth hungry systems in whole infrastructure. The decisions you make about how to synchronize with Microsoft Update have a dramatic effect on the efficient use of bandwidth. Set Synchronization schedule and download option when update is approve. To do this log on to WSUS front end Server as an administrator.

Start menu>Administrative Tools>WSUS>Update Services>Options>Synchronization Schedule

►Set Synchronisation schedule on later at night when nobody is at work.

Start menu>Administrative Tools>WSUS>Update Services>Options>Update Files and Languages

►Set download files to this server only when update is approved

►Download update only in these languages (check preferred language)

In a chain of WSUS servers (head office and branch office deployment) , WSUS automatically sets all downstream servers to use the deferred download option that is selected on the highest upstream server—in other words, the server that is directly connected to Microsoft Update. I would recommend not to use express installation option because this will download larger files then preferred download.

 Update Delivery: To manage bandwidth of internal networks, it’s better to deliver update based on internal network uses i.e. set update time when there will be no bottle neck in internal infrastructure.

Firewall Management

You have to configure the firewall (ISA or Forfront) that is positioned between Front End WSUS and the Internet to allow WSUS traffic pass through. Because WSUS initiates and synchronize with Microsoft update using port 80 and 443. there is no need to configure Windows Firewall on the WSUS server or Windows client. Only you have to allow WSUS server connect the following websites .

http://windowsupdate.microsoft.com

http://*.windowsupdate.microsoft.com

https://*.windowsupdate.microsoft.com

http://*.update.microsoft.com

https://*.update.microsoft.com

http://*.windowsupdate.com

http://download.windowsupdate.com

http://download.microsoft.com

http://*.download.windowsupdate.com

http://wustat.windows.com

http://ntservicepack.microsoft.com

Group Policy Management

Managing GPO for WSUS client is easy. But you must not modify Default Domain Controller GPOs to add WSUS settings. After you set up a client computer, it will take a few minutes before it appears on the Computers page in the WSUS console. For client computers configured with an Active Directory-based GPO, it will take about 20 minutes after Group Policy refreshes (that is, applies any new settings to the client computer). By default, Group Policy refreshes in the background every 90 minutes, with a random offset of 0–30 minutes. For Windows XP SP2 and Windows Server SP2, you don’t need load administrative template of windows update in GPO.

To configure the behaviour of Automatic Updates

1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update. 2. In the details pane, click Configure Automatic Updates. 3. Click Enabled and select one of the following options: Set Auto download and schedule the install. If Automatic Updates is configured to perform a scheduled installation, you must also set the day and time for the recurring scheduled installation. 4. Click OK.

To redirect Automatic Updates to a WSUS server

1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update. 2. In the details pane, click Specify Intranet Microsoft update service location. 3. Click Enabled and type the HTTP URL of the same WSUS server in the Set the intranet update service for detecting updates box and in the Set the intranet statistics server box. For example, type http//WSUS:8530 in both WSUS server stat server. 4. Click OK.

To reschedule Automatic Update scheduled installation

1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update. 2. In the details pane, click Reschedule Automatic Update scheduled installations, click Enabled, and type the number of minutes to wait. 3. Click OK.

Database Management

I would prefer to install SQL Express version with Management studio Express because it free and serve my purpose. So no to Windows Internal Database (WID). SQL Express will deliver optimum performance. For large scale deployment you can create separate SQL database server and use remote database in all front end servers.  The WSUS database i.e. Server\SUSDB stores the following types of information:

1. WSUS server configuration information
2. Metadata that describes each update
3. Information about client computers, updates, and client interaction with updates

Set Proper security in SUSDB as shown below

Backup SUSDB regularly to save all config and client info as shown below.

Cleanup WSUS Server

You have to clean up WSUS server on and off to remove expired updates, downloads and computers. you can freed up storage by running clean up wizard. To run clean up wizard, Log on the WSUS server. Go to Start menu>Administrative Tools>WSUS SP2>Update Services>Options>Server Clean Up Wizard>Check Specific Options you want>Next>Finish. 

Management of WSUS server

WSUS supports deployments in both central and distributed management models. Centre Management means Front End WSUS server placed in head office will manage everything including update approval, database and also facing proxy and windows update. Rest of WSUS servers are place in branches and replicating main WSUS server. Distributed WSUS means every WSUS server placed in branch and head office works independently.

The WSUS 3.0 SP2 administration console installed in Admin PC can be used to manage any WSUS server or Front End WSUS server placed in head office. WSUS can be managed from one of the following supported operating systems: Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 SP2 or later, Windows Small Business Server 2008 or 2003, Windows Vista, or Windows XP SP3. Also prerequisite must be installed.

1. Microsoft .NET Framework 2.0 or later
2. Microsoft Management Console 3.0
3. Microsoft Report Viewer Redistributable 2008

To open the WSUS administration console

1. Click Start, point to Control Panel, point to Administrative Tools, and then click Windows Server Update Services 3.0 Sp2. 2. If you are bringing up the remote console for the first time, you will see only Update Services in the left pane of the console. 3. To connect to a WSUS server, in the Actions pane click Connect to Server. 4. In the Connect To Server dialog box, type the name of the WSUS server and the port 8530 on which you would like to connect to it. 5. If you wish to use SSL to communicate with the WSUS server, select the Use Secure Sockets Layer (SSL) to connect to this server check box. In this case use port 8531. 6. Click Connect to connect to the WSUS server. 7. You may connect to as many servers as you need to manage through the console.

Related References:

Minimum Systems Requirement Guide 

Prerequisite software

Install and configure WSUS SP2— Step by Step

IIS Planning

How to set computer naming policy in Windows Deployment Services (WDS)

In old remote installation services, you have the options to customize computer name or select automatic installation while running RIS on a client. similarly, new Windows deployment services has the option for you to set naming policy in Windows Deployment Services server. In WDS server, by default naming policy set to %Username%# that means WDS will create computer name using username who logged on when running remote installation process and # is the number 1,2,3..up to 999 will be added after username. To Set naming policy and  default organisational unit in Active Directory. Log on to WDS server using domain admin credentials.

Start menu>Administrative Tools>Windows Deployment Services>Expand Servers>Right click on WDS server>Property>Directory Services Tab

Set Automated name add the string you want and browse and point the OU in Active Directory you want to place computers.

 

   

To set custom name and approval process for WDS client. Click PXE Response settings Tab. Check For unknown clients, notify administrator and respond after approval then apply and ok.

Warning! Apply this may result all unknown computers and manually added computers (computer didn’t use WDS for windows installation) in Active Directory will auto boot up to WDS services without pressing F12.

 

Now boot an unknown client i.e. new client in the network. Client will  automatically boot using WDS. Log on to WDS server and go to pending devices as shown here. Select and right click the computer that’s waiting for approval, click name and approve. Type Name and Approve this pending device. If you want to place this computer in a specific OU in Active Directory then click location and place in that OU.

Pre-staging an approval of a client:

1. To open Active Directory Users and Computers

2. In the console tree, right-click the organizational unit that will contain the new client computer.

3. Click New, and then click Computer.

4. Type the client computer name, click Next, and then click This is a managed computer.

5. In the text entry field, type the client computer’s globally unique identifier (GUID/UUID) and then click Next.

6. Click one of the following options to specify which server or servers will support this client computer. Check The following remote installation server and Type WDS server’s FQDN

7. Click Next, and then click Finish.

Important! The term GUID usually refers to Microsoft‘s implementation of the Universally Unique Identifier (UUID) standard. A UUID is a 16-byte (128-bit) number. The number of theoretically possible UUIDs is therefore about 3 × 10³⁸. In its canonical form, a UUID consists of 32 hexadecimal digits, displayed in 5 groups separated by hyphens, in the form 8-4-4-4-12 for a total of 36 characters (32 digits and 4 hyphens). For example:

24bdba81-4a3f-11cb-8abf-bed9eae25fcf

Screen Shots for further help:

 

Note: Typed without ‘-‘ (hyphen)

 

Now this re-image this computer by pressing F12 while booting.

To find UUID:

1. Log on to Windows XP Machine. Open Command Prompt>Change directory to  C:\Windows\system32\wbem  Type wbemtest.exe hit enter.
2. Click Connect. Change root\default to root\cimv2 >hit connect.
3. Click Enum Classes button>choose Recursive>Click ok.
4. A Query Result will appear, scroll down, select Win32_ComputerSystemProduct then Double click it then Object editor for win32 will appear
5. In the Properties box scroll down, choose UUID and click Instances button. In the Query Result, Select Win32_ComputerSystemsProduct double click on it and another Object Editor will appear and  it contains desired UUID for the computer.

It’s painful process but you may find UUID in some computer and laptop’s bios. For example, on IBM R61 laptop I got UUID in bois. 

Relevant Article on Windows Deployment Services 

Share this on 

How to configure Windows Server Update Services (WSUS) to use BranchCache

What is branchCache? BranchCache™ is a new feature in Windows® 7 and Windows Server® 2008 R2 that can reduce wide area network (WAN) or bandwidth utilization and enhance network application responsiveness when users access content in a central office from branch office locations. When you enable BranchCache, a copy of the content that is retrieved from the Web server or file server is cached within the branch office. If another client in the branch requests the same content, the client can download it directly from the local branch network without needing to retrieve the content by using the Wide Area Network (WAN).

How Branchcache works? When a Windows 7 Client from a branch office request data such as WSUS content to a head office Server then server check authentication and authorise data to pass on to the client. This is an ordinary communication happens without branchcache also.

But with branchcache, The client uses the hashes in the metadata to search for the file in the Hosted Cache server. Because this is the first time any client has retrieved the file, it is not already cached on the local network. Therefore, the client retrieves the file directly from the content server. The Hosted Cache server connects to the client and retrieves the set of blocks that it does not have cached.

When a second Windows 7 client from the same branch requests the same WSUS content from the content server or WSUS server. The content server authorizes the user/client and returns content identifiers. The second client uses these identifiers to request the data from the Hosted Cache server residing in branch. This time, it does not retrieve data from the DFS share residing in head office.

To configure a Web server or an application server that uses the Background Intelligent Transfer Service (BITS) protocol, you must install the BranchCache feature using server manager. To configure a file server to use BranchCache, you must install the BranchCache for Network Files feature and configure the server using Group Policy. This article discuss and show how to configure WSUS to use  branchcache. The followings are the steps involve in head office and Branch Offices.

Head Office:

1. Install and configure back end SQL Server
2. Create DFS share
3. Install and configure front end WSUS Server
4. Configure GPO for WSUS client

Branch Office:

1. Install and configure Branchcache File Server
2. Configure GPO for Branchcache
3. Install and configure front end WSUS server
4. Configure GPO for WSUS client

Installing BranchCache File Server

1. Click Start, point to Administrative Tools, and then click Server Manager.

2. Right-click Roles and then click Add Roles.

3. In the Add Features Wizard, select File Server and BranchCache for network files and then click Next.

4. In the Confirm Installation Selections dialog box, click Install.

5. In the Installation Results dialog box, confirm that BranchCache installed successfully, and then click Close.

Using Group Policy to configure BranchCache

1. Open the Group Policy Management Console. Click Start, point to Administrative Tools, and then click Group Policy Management Console.

2. Select the domain in which you will apply the Group Policy object, or select Local Computer Policy.

3. Select New from the Action menu to create a new Group Policy object (GPO).

4. Choose a name for the new GPO and click OK.

5. Right-click the GPO just created and choose Edit.

6. Click Computer Configuration, point to Policies, Administrative Templates, Network, and then click Lanman Server.

7. Double-click Hash Publication for BranchCache.

8. Click Enabled.

9. Under Options, choose one of the following Hash publication actions:

a. Allow hash publication for all file shares.

b. Allow hash publication for file shares tagged with “BranchCache support.”

c. Disallow hash publication on all file shares.

10. Click OK.

Using the Registry Editor to configure disk use for stored identifiers

1. Open an elevated command prompt (click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator).

2. At the command prompt, type Regedit.exe, and then press Enter.

3. Navigate to HKLM\CurrentControlSet\Service\LanmanServer\Parameters.

4. Right-click the HashStorageLimitPercent value, and then click Modify.

5. In the Value box, type the percentage of disk space that you would like BranchCache to use. Click OK.

6. Close the Registry Editor.

Setting the BranchCache support tag on a file share

1. Click Start, point to Administrative Tools, and then click Share and Storage Management.

2. Right-click a share and then click Properties.

3. Click Advanced.

4. On the Caching tab, select Only the files and programs that users specify are available offline.

5. Select Enable BranchCache, and then click OK.

6. Click OK, and then close the Share and Storage Management Console.

To replicate cryptographic data

1. Open an elevated command prompt (click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator). 2. At the command prompt, type netsh branchcache set key passphrase=“MY_PASSPHRASE”, and then press Enter. Choose a phrase known only to you. Repeat this process using the same phrase on all computers that are participating in the cluster.

Client configuration using Group Policy

1. Click Start, point to Administrative Tools, and click Group Policy Management Console.

2. In the console tree, select the domain in which you will apply the GPO.

3. Create a new GPO by selecting New from the Action menu.

4. Choose a name for the new GPO, and then click OK.

5. Right click the GPO you created and choose Edit.

6. Click Computer Configuration, point to Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, Network, and then click BranchCache.

7. Double-click Turn on BranchCache.

8. Click Enabled, and then click OK.

9. To use Distributed Cache mode, double-click Turn on BranchCache – Distributed Caching mode, click Enabled, and then click OK.  or

To use Hosted Cache mode, double-click Turn on BranchCache – Hosted cache mode, click Enabled, and then click OK.

10. To enable BranchCache for SMB traffic, double-click BranchCache for network files, click Enabled, select a latency value under Options, and then click OK.

Configuring a Branch WSUS server to use BranchCache

In addition to enabling BranchCache in your environment, the WSUS server must be configured to store update files locally (both the update metadata and the update files are downloaded and stored locally on the WSUS server). This ensures that the clients get the update files from the WSUS server rather than directly from Microsoft Update.

Install SQL Server 2005/2008 with Management Studio Express on the back-end computer

1. Click Start, point at All Programs, point at SQL Server 2005, point at Configuration Tools, and select SQL Server Surface Area Configuration.

2. Choose Surface Configuration for Services and Connections.

3. In the left window, click the Remote Connections node.

4. Select Local and remote connections and then select Using TCP/IP only.

5. Click OK to save the settings.

To ensure administrative permissions on SQL Server

1. Start SQL Server Management Studio (click Start, click Run, and then type sqlwb).

2. Connect to the SQL Engine on the server where SQL Server 2005 was installed in Step 1.

3. Select the Security node and then select Logins.

4. The right pane will show a list of the accounts that have database access. Check that the person who is going to install WSUS 3.0 on the front-end computer has an account in this list.

5. If the account does not exist, then right-click the Logins node, select New Login, and add the account.

6. Set up this account for the roles needed to set up the WSUS 3.0 database. The roles are either dbcreator plus diskadmin, or sysadmin. Accounts belonging to the local Administrators group have the sysadmin role by default.

Install Branch WSUS Server

To install WSUS on the front-end computer At the command prompt, navigate to the folder containing the WSUS Setup program, and type:

WSUSSetup.exe /q FRONTEND_SETUP=1 SQLINSTANCE_NAME=server\instance CREATE_DATABASE=0

Here, Server\instance is the name of the remote SQL server that is holding the instance of WSUS database. If you do not want silent installation then don’t use /q switch and follow WSUS installation link

Important! Microsoft recommend 1GB free space for Systems Partition and 30GB for WSUS contents. But this minimum recommended space will create havoc when WSUS log, database log and content grow over the years. So, I used 50GB as systems partition and 100GB as WSUS contents in DFS share.

To configure the proxy server on WSUS front-end servers

1. In the WSUS administration console, select Options, then Update Source and Proxy Server.

2. Select the Proxy Server tab, then enter the proxy server name, port, user name, domain, and password, then click OK.

3. Repeat this procedure on all the front-end WSUS servers.

To specify where updates are stored

1. In the left pane of the WSUS Administration console, click Options.

2. In Update Files and Languages, click the Update Files tab.

3. If you want to store updates in WSUS, select the Store update files locally on this server check box.

To specify whether updates are downloaded during synchronization or when the update is approved

1. In the left pane of the WSUS Administration console, click Options.

2. In Update Files and Languages, click the Update Files tab.

3. If you want to download only metadata about the updates during synchronization, select the Download updates to this server only when updates are approved check box.

To specify language options

1. In the left pane of the WSUS Administration console, click Options.

2. In Update Files and Languages, click the Update Languages tab.

3. In the Advanced Synchronization Options dialog box, under Languages, select one of the following language options, and then click OK.

4. Select Download updates only in these languages: This means that only updates targeted to the languages you select will be downloaded during synchronization.

How to configure automatic updates by using Group Policy

Log on to Domain Controller using Administrative Privilege. Open GPO management Console>Select Organisational unit>Right client>create and link a new GPO> Name it as WSUS policy>right click>Edit. Go to Computer Configuration\Administrative Templates\Windows Components\Windows Updates\

Now Specify Client target group, Intranet update server location i.e.
http://servername:8530
, update schedule, installation schedule.

To set up a DFS share

Note:This DFS share will be used by all front end WSUS servers.

1. Go to Start, point at All Programs, point at Administrative Tools, and click Distributed File System.

2. You will see the Distributed File System management console. Right-click the Distributed File System node in the left pane and click New Root in the shortcut menu.

3. You will see the New Root Wizard. Click Next.

4. In the Root Type screen, select Stand-alone root as the type of root, and click Next.

5. In the Host Server screen, type the name of the host server for the DFS root or search for it with Browse, and then click Next.

6. In the Root Name screen, type the name of the DFS root, and then click Next.

7. In the Root Share screen, select the folder that will serve as the share, or create a new one. Click Next.

8. In the last screen of the wizard, review your selections before clicking Finish.

9. You will see an error message if the Distributed File System service has not yet been started on the server. You can start it at this time.

10. Make sure that the domain account of each of the front-end WSUS servers has change permissions on the root folder of this share.

Important! If you are using a DFS share, be careful when uninstalling WSUS from one but not all of the front-end servers. If you allow the WSUS content directory to be deleted, this will affect all the WSUS front-end servers.

To configure IIS for remote access on the front-end WSUS servers

1. On each of the servers, go to Start, point at All Programs, point at Administrative Tools, and click Internet Information Services (IIS) Manager.

2. You will see the Internet Information Services (IIS) Manager management console.

3. Click the server node, then the Web Sites node, then the node for the WSUS Web site (either Default Web Site or WSUS Administration).

4. Right-click the Content node and select Properties.

5. In the Content Properties dialog box, click the Virtual Directory tab. In the top frame you will see The content for this resource should come from:

6. Select A share located on another computer and fill in the UNC name of the share.

7. Click Connect As, and enter the user name and password that can be used to access that share.

8. Be sure to follow these steps for each of the front-end WSUS servers that are not on the same machine as the DFS share.

To move the content directories on the front-end WSUS servers

1. Open a command window.

2. Go to the WSUS tools directory on the WSUS server:

   cd \Program Files\Update Services\Tools

3. Type the following command:

   wsusutil movecontent DFSsharename logfilename

   where DFSsharename is the name of the DFS share to which the content should be moved, and logfilename is the name of the log file.

To configure Network Load Balancing

1. Enable Network load balancing

• a) Click Start, then Control Panel, Network Connections, Local Area Connection, and click Properties.
• b) Under This connection uses the following items, you may see an entry for Network Load Balancing. If you do not, click Install, then (on the Select Network Component Type screen) select Service, then click Add, then (on the Select Network Service screen) select Network Load Balancing, then OK.
• c) On the Local Area Connection Properties screen, select Network Load Balancing, and then click OK.

2. On the Local Area Connection Properties screen, select Network Load Balancing, and then click Properties.

3. On the Cluster Parameters tab, fill in the relevant information (the virtual IP address to be shared among the front end computers, and the subnet mask). Under Cluster operation mode, select Unicast.

4. On the Host Parameters tab, make sure that the unique host identifier is different for each member of the cluster.

5. On the Port Rules tab, make sure that there is a port rule specifying single affinity (the default). (Affinity is the term used to define how client requests are to be directed. Single affinity means that requests from the same client will always be directed to the same cluster host.)

6. Click OK, and return to the Local Area Connection Properties screen.

7. Select Internet Protocol (TCP/IP) and click Properties, and then click Advanced.

8. On the IP Settings tab, under IP addresses, add the virtual IP of the cluster (so that there will be two IP addresses). This should be done on each cluster member.

9. On the DNS tab, clear the Register this connection’s addresses in DNS checkbox. Make sure that there is no DNS entry for the IP address.

Share this on

Relevant Article: Install and configure WSUS—Step by Step

Support for Windows XP SP2,Windows 2000 and Windows Vista ends this year

Windows XP was first released on October 25, 2001 and over 400 million copies were in use in January 2006, according to an estimate in that month by an IDC analyst. It was succeeded by Windows Vista, which was released to volume license customers on November 8, 2006 and worldwide to the general public on January 30, 2007. Direct OEM and retail sales of Windows XP ceased on June 30, 2008. Microsoft continued to sell XP through their System Builders (smaller OEMs who sell assembled computers) program until January 31, 2009. Windows XP may continue to be available as these sources run through their inventory or by purchasing Windows Vista Ultimate or Business and then downgrading to Windows XP.

Updating your Windows 2000, Windows XP and Windows Vista based machine before the end of mainstream support dates will ensure that your machine stay supported and receive security updates. Migrating to Windows 7 provides the longest support lifecycle for your organization helping to ensure protection, support, and timely updates.

Support for Windows Vista RTM ends on April 13, 2010 . To help ensure your Windows Vista PCs stay secure and up to date, make sure they are running Windows Vista Service Pack 1 (SP1) or Service Pack 2 (SP2).
Support for Windows XP SP2 and Windows 2000 ends July 13, 2010. If you are running Windows XP, stay more secure by moving to Windows XP Service Pack 3 (SP3) or migrating to Windows 7.

Microsoft Continuously improve operating systems for their customer. Service Pack, hotfix and Support comes with every operating systems. We are close to finish a chapter. Each phase of technology pass by and leave its legacy. Those who still wants to stay on with Windows XP. Deploy Windows XP SP3 in your organisation to keep it safe and up-to-date. For more information, you may visit Windows Service Pack Road Map and Windows Road Map . That was past and to see the future visit Windows 7 Technical Library Roadmap .

Share this on

How to Configure WSUS for Roaming Clients

If there are many roaming WSUS clients on your network, who often log on to your network from different locations, you may want to configure WSUS so that these computers always get their updates from the nearest WSUS server. This procedure presupposes that you have several different DNS subnets in your network and that you want to install WSUS servers in the subnets. There is one WSUS server per region and each region is a DNS subnet. All clients are pointed to the same WSUS server name, which resolves in each subnet to the nearest WSUS server. 

Warning: DNS setup involve in these procedure. Don’t modify DNS if you aren’t sure what you doing.

Identify the servers to use as WSUS servers

Identify one server in each of the subnets that you plan to use as a WSUS server. Keep a record of their IP addresses and hostnames. Just to keep it simple, use port 8530 in all the hosts.

Set up the host names on the DNS server

Set up as many DNS host (A) resource records as there are planned WSUS servers. Make sure that each of the planned WSUS servers has the same host name. To set up the host names on the DNS server

1. Launch the DNS console. 2. Click Action, and then click New Host (A). 3. In the New Host dialog box, type the server name in the Name box. 4. Type the appropriate IP address in the IP address box. 5. Click Add Host. 6. Repeat this procedure for the rest of the planned WSUS servers.

Set up the DNS server for netmask ordering and round robin

With netmask ordering, you restrict name resolution to computers in the same subnet, if there are any. With round robin, if there are multiple name resolutions, the result that is returned will rotate through the list of available hosts. Therefore, if there is a subnet without a WSUS server, host name resolution for clients in that subnet will rotate through the list of WSUS servers in the other subnets. To set up netmask ordering and round robin on the DNS server

1. In the DNS console, right-click the DNS server node, click Properties, and then click the Advanced tab. 2. In the Server options box, select the Enable round robin and Enable netmask ordering check boxes. 3. Click OK.

Install and configure the WSUS servers

Set up and configure the WSUS servers in the different subnets. See complete step by step guide on How to Install and configure WSUS 3.0 SP2 for details.

Configure WSUS clients to use the same host name

WSUS Clients OS are Windows XP SP2, Vista, Windows7, Windows server 2003 SP2 and Windows Server 2008. When you set up WSUS client computers (see the link mentioned in step4 for GPO config), make sure to use the same host name you have set up as the WSUS server. Configure GPO and WSUS to deliver Windows update to clients. All the clients should point to
http://ServerName:8530
and target group.