How to configure Windows Server Update Services (WSUS) to use BranchCache


What is branchCache? BranchCache™ is a new feature in Windows® 7 and Windows Server® 2008 R2 that can reduce wide area network (WAN) or bandwidth utilization and enhance network application responsiveness when users access content in a central office from branch office locations. When you enable BranchCache, a copy of the content that is retrieved from the Web server or file server is cached within the branch office. If another client in the branch requests the same content, the client can download it directly from the local branch network without needing to retrieve the content by using the Wide Area Network (WAN).

How Branchcache works? When a Windows 7 Client from a branch office request data such as WSUS content to a head office Server then server check authentication and authorise data to pass on to the client. This is an ordinary communication happens without branchcache also.

But with branchcache, The client uses the hashes in the metadata to search for the file in the Hosted Cache server. Because this is the first time any client has retrieved the file, it is not already cached on the local network. Therefore, the client retrieves the file directly from the content server. The Hosted Cache server connects to the client and retrieves the set of blocks that it does not have cached.

When a second Windows 7 client from the same branch requests the same WSUS content from the content server or WSUS server. The content server authorizes the user/client and returns content identifiers. The second client uses these identifiers to request the data from the Hosted Cache server residing in branch. This time, it does not retrieve data from the DFS share residing in head office.

To configure a Web server or an application server that uses the Background Intelligent Transfer Service (BITS) protocol, you must install the BranchCache feature using server manager. To configure a file server to use BranchCache, you must install the BranchCache for Network Files feature and configure the server using Group Policy. This article discuss and show how to configure WSUS to use  branchcache. The followings are the steps involve in head office and Branch Offices.

Head Office:

  1. Install and configure back end SQL Server
  2. Create DFS share
  3. Install and configure front end WSUS Server
  4. Configure GPO for WSUS client

Branch Office:

  1. Install and configure Branchcache File Server
  2. Configure GPO for Branchcache
  3. Install and configure front end WSUS server
  4. Configure GPO for WSUS client

Installing BranchCache File Server

1. Click Start, point to Administrative Tools, and then click Server Manager.

2. Right-click Roles and then click Add Roles.

3. In the Add Features Wizard, select File Server and BranchCache for network files and then click Next.

4. In the Confirm Installation Selections dialog box, click Install.

5. In the Installation Results dialog box, confirm that BranchCache installed successfully, and then click Close.

Using Group Policy to configure BranchCache

1. Open the Group Policy Management Console. Click Start, point to Administrative Tools, and then click Group Policy Management Console.

2. Select the domain in which you will apply the Group Policy object, or select Local Computer Policy.

3. Select New from the Action menu to create a new Group Policy object (GPO).

4. Choose a name for the new GPO and click OK.

5. Right-click the GPO just created and choose Edit.

6. Click Computer Configuration, point to Policies, Administrative Templates, Network, and then click Lanman Server.

7. Double-click Hash Publication for BranchCache.

8. Click Enabled.

9. Under Options, choose one of the following Hash publication actions:

a. Allow hash publication for all file shares.

b. Allow hash publication for file shares tagged with “BranchCache support.”

c. Disallow hash publication on all file shares.

10. Click OK.

Using the Registry Editor to configure disk use for stored identifiers

1. Open an elevated command prompt (click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator).

2. At the command prompt, type Regedit.exe, and then press Enter.

3. Navigate to HKLM\CurrentControlSet\Service\LanmanServer\Parameters.

4. Right-click the HashStorageLimitPercent value, and then click Modify.

5. In the Value box, type the percentage of disk space that you would like BranchCache to use. Click OK.

6. Close the Registry Editor.

Setting the BranchCache support tag on a file share

1. Click Start, point to Administrative Tools, and then click Share and Storage Management.

2. Right-click a share and then click Properties.

3. Click Advanced.

4. On the Caching tab, select Only the files and programs that users specify are available offline.

5. Select Enable BranchCache, and then click OK.

6. Click OK, and then close the Share and Storage Management Console.

To replicate cryptographic data

1. Open an elevated command prompt (click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator).

2. At the command prompt, type netsh branchcache set key passphrase=“MY_PASSPHRASE”, and then press Enter. Choose a phrase known only to you. Repeat this process using the same phrase on all computers that are participating in the cluster.

Client configuration using Group Policy

1. Click Start, point to Administrative Tools, and click Group Policy Management Console.

2. In the console tree, select the domain in which you will apply the GPO.

3. Create a new GPO by selecting New from the Action menu.

4. Choose a name for the new GPO, and then click OK.

5. Right click the GPO you created and choose Edit.

6. Click Computer Configuration, point to Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, Network, and then click BranchCache.

7. Double-click Turn on BranchCache.

8. Click Enabled, and then click OK.

9. To use Distributed Cache mode, double-click Turn on BranchCache – Distributed Caching mode, click Enabled, and then click OK.  or

To use Hosted Cache mode, double-click Turn on BranchCache – Hosted cache mode, click Enabled, and then click OK.

10. To enable BranchCache for SMB traffic, double-click BranchCache for network files, click Enabled, select a latency value under Options, and then click OK.

Configuring a Branch WSUS server to use BranchCache

In addition to enabling BranchCache in your environment, the WSUS server must be configured to store update files locally (both the update metadata and the update files are downloaded and stored locally on the WSUS server). This ensures that the clients get the update files from the WSUS server rather than directly from Microsoft Update.

Install SQL Server 2005/2008 with Management Studio Express on the back-end computer

  1. Click Start, point at All Programs, point at SQL Server 2005, point at Configuration Tools, and select SQL Server Surface Area Configuration.

  2. Choose Surface Configuration for Services and Connections.

  3. In the left window, click the Remote Connections node.

  4. Select Local and remote connections and then select Using TCP/IP only.

  5. Click OK to save the settings.

To ensure administrative permissions on SQL Server

  1. Start SQL Server Management Studio (click Start, click Run, and then type sqlwb).

  2. Connect to the SQL Engine on the server where SQL Server 2005 was installed in Step 1.

  3. Select the Security node and then select Logins.

  4. The right pane will show a list of the accounts that have database access. Check that the person who is going to install WSUS 3.0 on the front-end computer has an account in this list.

  5. If the account does not exist, then right-click the Logins node, select New Login, and add the account.

  6. Set up this account for the roles needed to set up the WSUS 3.0 database. The roles are either dbcreator plus diskadmin, or sysadmin. Accounts belonging to the local Administrators group have the sysadmin role by default.

Install Branch WSUS Server

To install WSUS on the front-end computer At the command prompt, navigate to the folder containing the WSUS Setup program, and type:

WSUSSetup.exe /q FRONTEND_SETUP=1 SQLINSTANCE_NAME=server\instance CREATE_DATABASE=0

Here, Server\instance is the name of the remote SQL server that is holding the instance of WSUS database. If you do not want silent installation then don’t use /q switch and follow WSUS installation link

Important! Microsoft recommend 1GB free space for Systems Partition and 30GB for WSUS contents. But this minimum recommended space will create havoc when WSUS log, database log and content grow over the years. So, I used 50GB as systems partition and 100GB as WSUS contents in DFS share.

To configure the proxy server on WSUS front-end servers

  1. In the WSUS administration console, select Options, then Update Source and Proxy Server.

  2. Select the Proxy Server tab, then enter the proxy server name, port, user name, domain, and password, then click OK.

  3. Repeat this procedure on all the front-end WSUS servers.

To specify where updates are stored

  1. In the left pane of the WSUS Administration console, click Options.

  2. In Update Files and Languages, click the Update Files tab.

  3. If you want to store updates in WSUS, select the Store update files locally on this server check box.

To specify whether updates are downloaded during synchronization or when the update is approved

  1. In the left pane of the WSUS Administration console, click Options.

  2. In Update Files and Languages, click the Update Files tab.

  3. If you want to download only metadata about the updates during synchronization, select the Download updates to this server only when updates are approved check box.

To specify language options

  1. In the left pane of the WSUS Administration console, click Options.

  2. In Update Files and Languages, click the Update Languages tab.

  3. In the Advanced Synchronization Options dialog box, under Languages, select one of the following language options, and then click OK.

  4. Select Download updates only in these languages: This means that only updates targeted to the languages you select will be downloaded during synchronization.

How to configure automatic updates by using Group Policy

Log on to Domain Controller using Administrative Privilege. Open GPO management Console>Select Organisational unit>Right client>create and link a new GPO> Name it as WSUS policy>right click>Edit. Go to Computer Configuration\Administrative Templates\Windows Components\Windows Updates\

Now Specify Client target group, Intranet update server location i.e. http://servername:8530 , update schedule, installation schedule.

To set up a DFS share

Note:This DFS share will be used by all front end WSUS servers.

  1. Go to Start, point at All Programs, point at Administrative Tools, and click Distributed File System.

  2. You will see the Distributed File System management console. Right-click the Distributed File System node in the left pane and click New Root in the shortcut menu.

  3. You will see the New Root Wizard. Click Next.

  4. In the Root Type screen, select Stand-alone root as the type of root, and click Next.

  5. In the Host Server screen, type the name of the host server for the DFS root or search for it with Browse, and then click Next.

  6. In the Root Name screen, type the name of the DFS root, and then click Next.

  7. In the Root Share screen, select the folder that will serve as the share, or create a new one. Click Next.

  8. In the last screen of the wizard, review your selections before clicking Finish.

  9. You will see an error message if the Distributed File System service has not yet been started on the server. You can start it at this time.

  10. Make sure that the domain account of each of the front-end WSUS servers has change permissions on the root folder of this share.

Important! If you are using a DFS share, be careful when uninstalling WSUS from one but not all of the front-end servers. If you allow the WSUS content directory to be deleted, this will affect all the WSUS front-end servers.

To configure IIS for remote access on the front-end WSUS servers

  1. On each of the servers, go to Start, point at All Programs, point at Administrative Tools, and click Internet Information Services (IIS) Manager.

  2. You will see the Internet Information Services (IIS) Manager management console.

  3. Click the server node, then the Web Sites node, then the node for the WSUS Web site (either Default Web Site or WSUS Administration).

  4. Right-click the Content node and select Properties.

  5. In the Content Properties dialog box, click the Virtual Directory tab. In the top frame you will see The content for this resource should come from:

  6. Select A share located on another computer and fill in the UNC name of the share.

  7. Click Connect As, and enter the user name and password that can be used to access that share.

  8. Be sure to follow these steps for each of the front-end WSUS servers that are not on the same machine as the DFS share.

To move the content directories on the front-end WSUS servers

  1. Open a command window.

  2. Go to the WSUS tools directory on the WSUS server:

    cd \Program Files\Update Services\Tools

  3. Type the following command:

    wsusutil movecontent DFSsharename logfilename

    where DFSsharename is the name of the DFS share to which the content should be moved, and logfilename is the name of the log file.

To configure Network Load Balancing

1. Enable Network load balancing

  • a) Click Start, then Control Panel, Network Connections, Local Area Connection, and click Properties.
  • b) Under This connection uses the following items, you may see an entry for Network Load Balancing. If you do not, click Install, then (on the Select Network Component Type screen) select Service, then click Add, then (on the Select Network Service screen) select Network Load Balancing, then OK.
  • c) On the Local Area Connection Properties screen, select Network Load Balancing, and then click OK.

2. On the Local Area Connection Properties screen, select Network Load Balancing, and then click Properties.

3. On the Cluster Parameters tab, fill in the relevant information (the virtual IP address to be shared among the front end computers, and the subnet mask). Under Cluster operation mode, select Unicast.

4. On the Host Parameters tab, make sure that the unique host identifier is different for each member of the cluster.

5. On the Port Rules tab, make sure that there is a port rule specifying single affinity (the default). (Affinity is the term used to define how client requests are to be directed. Single affinity means that requests from the same client will always be directed to the same cluster host.)

6. Click OK, and return to the Local Area Connection Properties screen.

7. Select Internet Protocol (TCP/IP) and click Properties, and then click Advanced.

8. On the IP Settings tab, under IP addresses, add the virtual IP of the cluster (so that there will be two IP addresses). This should be done on each cluster member.

9. On the DNS tab, clear the Register this connection’s addresses in DNS checkbox. Make sure that there is no DNS entry for the IP address.

Share this on Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Relevant Article: Install and configure WSUS—Step by Step

About Raihan Al-Beruni

My Name is Raihan Al-Beruni. I am working as an Infrastructure Architect in Data Center Technologies in Perth, Western Australia. I have been working on Microsoft technologies for more than 15 years. Other than Microsoft technologies I also work on Citrix validated solution and VMware data center virtualization technologies. I have a Masters degree in E-Commerce. I am certified in Microsoft, VMware, ITIL and EMC. My core focus is on cloud technologies. In my blog I share my knowledge and experience to enrich information technology community as a whole. I hope my contribution through this blog will help someone who wants more information on data center technologies.
This entry was posted in Windows Server and tagged , , , , . Bookmark the permalink.

4 Responses to How to configure Windows Server Update Services (WSUS) to use BranchCache

  1. Oceaser69 says:

    How would you configure wsus server over a wan? Each branch as its own wsus server which will be setup as a replica server. I would also like that each branch client get there updates from there branch wsus server.

    Like

    • Raihan says:

      To deploy WSUS in an enterprize such as head office and branches, you must have own corporate intranet, domain and DNS. Then you can achieve what you looking for regardless of geographic boundaries. Anyway, install and config WSUS server in head office and branch office. If you want WSUS to replicate head office then log on to branch WSUS server. Open Administrative Tools>WSUS Sp2>Options>Update Source and Proxy Server>Check update from another Windows Server Update Services Server>Apply>OK. Now right client on Synchronization>Synchronize with head office.
      Configure GPO for branch client pointing http://branchserver:8530 and client target group specified in branch WSUS server.
      Note: WSUS is dependent on DNS records, so make sure head office WSUS and branch wsus server ping each other by name. WSUS is also bandwidth hungry application!!
      Hope that helps. Thanks for visiting my site.

      Regards,
      Raihan

      Like

  2. Ammar says:

    If you have cluster file server or nlb web farms,you use set passphrase in order to make sure all servers use same server key so that segment identifiers for same data are identicalls right?

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s