WSUS 3.0 SP2: Understanding WSUS deployment topology

In order to counteract against outside threats such as bugs, malware,  spyware and vulnerabilities, systems administrators need to update the Microsoft products constantly. Microsoft Windows Software Update Services (WSUS) allows systems administrator centrally deploy windows products updates, hotfixes, service packs, features and patches. One of the importance benefits of using WSUS is that updates will only be deployed if they are authorized by the WSUS administrator. Microsoft Windows Software Update Services has advanced features like reporting, allowing the grouping of computers, setting up deployment time and auto installation. WSUS will make the life of a systems administrator a lot easier.

Microsoft Windows Software Update Services provides a robust, easy to deploy and easy to manage patch/update management system.Although there are third party products that accomplish the same thing, WSUS provides one advantage that none of its competitors provide and off course it’s free! In deploying WSUS 3.0, you have the option to create different topologies depending on your environment and specific needs. Most basic deployment is single server, Enterprise deployment using upstream and downstream server that is using multiple servers for load balancing, and most advance deployment would be multiple servers, remote database and WSUS contents in SAN.

Single Server Deployment

Single Server

In the single-server topology, WSUS 3.0 runs on a single-server that downloads updates directly from the Microsoft Update site and then distributes them to servers, desktops, and laptops throughout the internal network. the WSUS server synchronizes with the Windows Update site on the Web. During synchronization, WSUS determines if any new updates have been made available since it last performed synchronization. During the initial synchronization, the download can take an hour or longer, depending on the bandwidth of your organization. Regardless of the bandwidth, any additional synchronizations should be significantly shorter than the initial one.

Multiple Server Deployment


If you have a large organization but you don’t want to overload a single server, or your network covers multiple geographic locations. Server hierarchies probably make the most sense. In a server hierarchy setup, one server acts as the primary upstream server directly synchronizing with the Windows Update site. Downstream servers on the network then perform the same synchronization but with the upstream WSUS server and not the Windows Update site. You can also deploy branch cache server with this type deployment to save bandwidth.

Load Balancing using back end SQL server 

Database Design

This type of deployment include multiple WSUS servers, back end SQL and WSUS content in a SAN. This topology option involves failover capabilities. By using network load balancing servers, administrators can provide more reliability while also improving performance. It starts by setting a back-end SQL Server 2005 cluster, then installing multiple WSUS front-end systems with Network Load Balancing (NLB). Entire WSUS server farm share same SQL and WSUS contents. It will add more flexibility in terms of adding more servers and contents. An administrator will be able manage server farm using one WSUS console.

Roaming Clients Deployment

Roaming clients 

Laptops can be difficult to keep up to date on the newest patches and updates. These computers travel with their users (sales reps /support pros) from office to office and site to site. The roaming clients topology takes this into consideration. The roaming client topology allows the travelling laptop to pull its updates from the closest WSUS server, thereby reducing the chances of update traffic going across WAN lines. This topology is set up by entering (A) records in DNS for the WSUS servers but doing so with the same host name and different IP addresses. Once an administrator has done that, they set up netmask ordering and round robin on the DNS server. Netmask ordering restricts the name resolution to computers in the same subnet; if there is a location without a WSUS server, round robin will rotate through the list of available hosts on other subnets. As you see, there are many different setup options with WSUS that work in various network environments. This provides administrators with the flexibility they need to design and implement WSUS. Once the topology has been decided, we then need to install a WSUS server.

Relevant topics:

Install and configure WSUS 3.0 SP2 – Step-By-Step

Windows Server 2008: Windows Server Update Services Role–Step by Step Guide

Troubleshooting WSUS server

How to configure Windows Server Update Services (WSUS) to use BranchCache

share this Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

1 thought on “WSUS 3.0 SP2: Understanding WSUS deployment topology

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.