Migrate WSUS Server from Server 2008/R2 to Server 2012/R2

The following procedure applies if you have an existing WSUS server installed on Windows Server 2008 R2 with SQL Express and you wish to migrate to a Windows Server 2012 R2 WSUS server with a separate back-end database server.

Step1: Backup SQL DB of Old WSUS Server

Log on to the existing WSUS server. Open SQL Server Management Studio, connect to the instance, right-click SUSDB and take a full database backup.


Step2: Export metadata from old WSUS Server

The WSUS Setup program copies WSUSutil.exe to the file system of the WSUS server during installation. You must be a member of the local Administrators group and the WSUS Administrators group on the WSUS server to export or import metadata. Both operations can only be run from the WSUS server itself, and during the import or export process the Update Services service is shut down.

Open a command prompt as an administrator and go to C:\Program Files\Update Services\Tools.

Issue the command wsusutil.exe export c:\export.cab c:\export.log

Move the export package you just created to the new Microsoft WSUS server.

If you have .NET Framework v2 or v4 installed but WSUS is not configured to use it in the IIS application pool, the command above will most likely fail and give you some grief. Here is a solution.

Verify that WSUS is configured to use the .NET4 libraries in IIS>Application Pool


Create a file named wsusutil.exe.config in C:\Program Files\Update Services\Tools

Edit the file and add the following:

<configuration>
  <startup>
    <supportedRuntime version="v4.0.30319" />
  </startup>
</configuration>

If issue persists, please try to unapprove KB3020369 in WSUS Console then try again.

Re-run the wsusutil command, but export to a .xml.gz file instead of a .cab file, and all should be well.
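The config-file fix and the re-run export scripted together, as an added example that is not part of the original post. It assumes the default tools path under Program Files, an elevated PowerShell session on the old WSUS server, and C:\export.xml.gz as the package path; the SHA256 step only runs where Get-FileHash (PowerShell 4+) is available.

```powershell
# Added example: pin wsusutil.exe to the .NET 4 CLR, then export metadata
# to a .xml.gz package on the OLD WSUS server. Run elevated, in a maintenance
# window (the export stops the Update Services service).
$toolsDir   = Join-Path $env:ProgramFiles 'Update Services\Tools'   # assumed default install path
$wsusutil   = Join-Path $toolsDir 'wsusutil.exe'
$configPath = "$wsusutil.config"                                    # wsusutil.exe.config
$package    = 'C:\export.xml.gz'                                    # .xml.gz, as the post recommends
$logFile    = 'C:\export.log'

if (-not (Test-Path $wsusutil)) { throw "wsusutil.exe not found at $wsusutil" }

# Same content as the wsusutil.exe.config shown above, with straight quotes.
$config = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0.30319" />
  </startup>
</configuration>
'@
if (-not (Test-Path $configPath)) {
    Set-Content -Path $configPath -Value $config -Encoding UTF8
    Write-Host "Created $configPath"
}

# Run the export and stop on failure so a broken package is never copied over.
& $wsusutil export $package $logFile
if ($LASTEXITCODE -ne 0) {
    Write-Warning "wsusutil export returned $LASTEXITCODE; review $logFile"
    Get-Content -Path $logFile -Tail 20
    return
}

# Sanity check the package before moving it to the new server.
$pkg = Get-Item -Path $package
Write-Host ("Export package {0} ({1:N1} MB)" -f $pkg.FullName, ($pkg.Length / 1MB))
if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
    # Record the hash here and compare it on the new server after the copy.
    (Get-FileHash -Path $package -Algorithm SHA256).Hash
}
```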


Step3: Build New WSUS Server

Virtualize a new Windows Server 2012 R2 server. Set up a static IP and join the server to the domain. Install .NET Framework 4 on the new server. Do not configure WSUS at this stage; go to Step4.

Step4: Restore SQL DB in New SQL Server (Remote and/or Local )

Log on to the SQL Server. Open SQL Server Management Studio and create a database named SUSDB.

Restore the old SUSDB backup over the new SUSDB with the overwrite existing database option.

Assign the sysadmin and setupadmin roles to the account that will install the WSUS role on the new WSUS server.
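The restore and role assignment above done from PowerShell with Invoke-Sqlcmd, as an added example that is not part of the original post. It assumes SQL Server 2012 or later (for ALTER SERVER ROLE), the SQLPS/SqlServer module on the machine you run it from, and the placeholder instance, paths and installer account shown.

```powershell
# Added example: restore SUSDB on the new SQL Server and grant the WSUS installer
# account the sysadmin and setupadmin roles named in Step4.
$instance   = 'SQL01'                 # placeholder: new SQL Server, or SERVER\INSTANCE
$backupFile = 'D:\Backup\SUSDB.bak'   # placeholder: the backup copied from the old server
$dataDir    = 'D:\SQLData'            # placeholder: must already exist on the SQL host
$logDir     = 'D:\SQLLogs'
$installer  = 'CONTOSO\wsusadmin'     # placeholder: account that will run the WSUS role install

# Read the logical file names from the backup rather than guessing them.
$files = Invoke-Sqlcmd -ServerInstance $instance -Query "RESTORE FILELISTONLY FROM DISK = N'$backupFile'"
$data  = ($files | Where-Object { $_.Type -eq 'D' }).LogicalName
$log   = ($files | Where-Object { $_.Type -eq 'L' }).LogicalName

# WITH REPLACE is the T-SQL equivalent of the wizard's overwrite option; it also
# works whether or not an empty SUSDB was pre-created.
$restore = @"
IF DB_ID(N'SUSDB') IS NOT NULL
    ALTER DATABASE [SUSDB] SET SINGLE_USER WITH ROLLBACK IMMEDIATE;
RESTORE DATABASE [SUSDB]
    FROM DISK = N'$backupFile'
    WITH REPLACE,
         MOVE N'$data' TO N'$dataDir\SUSDB.mdf',
         MOVE N'$log'  TO N'$logDir\SUSDB_log.ldf',
         STATS = 10;
ALTER DATABASE [SUSDB] SET MULTI_USER;
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $restore -QueryTimeout 3600

# Roles for the person installing the WSUS role. Remove sysadmin again once the
# role install and post-install tasks have completed.
$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$installer')
    CREATE LOGIN [$installer] FROM WINDOWS;
ALTER SERVER ROLE [sysadmin]   ADD MEMBER [$installer];
ALTER SERVER ROLE [setupadmin] ADD MEMBER [$installer];
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $grant

# Verify the database came back online before starting the WSUS role install.
Invoke-Sqlcmd -ServerInstance $instance -Query "SELECT name, state_desc, recovery_model_desc FROM sys.databases WHERE name = N'SUSDB'"
```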


Step5: Install WSUS Role & Run Initial Configuration Wizard.

Installation of WSUS

  1. Log on to the server on which you plan to install the WSUS server role by using an account that is a member of the local Administrators group.
  2. In Server Manager, click Manage, and then click Add Roles and Features.
  3. On the Before you begin page, click Next.
  4. On the Select installation type page, confirm that Role-based or feature-based installation is selected and click Next.
  5. On the Select destination server page, choose where the server is located (from a server pool or from a virtual hard disk). After you select the location, choose the server on which you want to install the WSUS server role, and then click Next.
  6. On the Select server roles page, select Windows Server Update Services. The Add features that are required for Windows Server Update Services dialog opens. Click Add Features, and then click Next.
  7. On the Select features page, retain the default selections, and then click Next.
  8. On the Windows Server Update Services page, click Next.
  9. On the Select Role Services page, select Windows Server Update Services and Database, and then click Next.
  10. On the Content location selection page, type a valid location to store the updates. For example, type E:\WSUS.
  11. Click Next. The Web Server Role (IIS) page opens. Review the information, and then click Next. In Select the role services to install for Web Server (IIS), retain the defaults, and then click Next.
  12. On the Confirm installation selections page, review the selected options, and then click Install. The WSUS installation wizard runs. This might take several minutes to complete.
  13. Once WSUS installation is complete, in the summary window on the Installation progress page, click Launch Post-Installation tasks. The text changes to: Please wait while your server is configured. When the task has finished, the text changes to: Configuration successfully completed. Click Close.
  14. In Server Manager, verify whether a notification appears to inform you that a restart is required. This can vary according to the installed server role. If a restart is required, restart the server to complete the installation.

Post Configuration

Open Server Manager > Add/Remove Programs. It offers the previous installation wizard; launch the Post Configuration Wizard.

  1. On the Welcome page, click Next.
  2. On the Installation Mode Selection page, select the Full server installation including Administration Console check box, and then click Next.
  3. Read the terms of the license agreement carefully. Click I accept the terms of the License agreement, and then click Next.
  4. On the Select Update Source page, you can specify where client computers get updates. If you select the Store updates locally check box, updates are stored on WSUS, and you can select a location (E:\WSUS) in the file system where updates should be stored. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates. Make your selection, and then click Next.
  5. On the Database Options page, you select the software used to manage the WSUS database. Type <serverName>\<instanceName>, where serverName is the name of the server and instanceName is the name of the SQL instance; for a default instance, simply type the remote or local SQL Server name. Then click Next.
  6. On the Web Site Selection page, you specify the Web site that WSUS will use to point client computers to WSUS. If you wish to use the default IIS Web site on port 80, select the first option. If you already have a Web site on port 80, you can create an alternate site on port 8530 by selecting the second option. Make your selection, and then click Next.
  7. On the Ready to Install Windows Server Update Services page, review your choices, and then click Next.
  8. The final page of the installation wizard will tell you whether or not the WSUS 3.0 installation was completed successfully. After you click Finish, the configuration wizard will be launched.

Step6: Match the Advanced Options on the old WSUS Server & the new WSUS Server

Ensure that the advanced synchronization options for express installation files and languages on the old server match the settings on the new server by following the steps below:

  1. In the WSUS console of the old WSUS server, click the Options tab, and then click Advanced in the Update Files and Languages section.
  2. In the Advanced Synchronization Settings dialog box, check the status of the settings for Download express installation files and Languages options.
  3. In the WSUS console of the new server, click the Options tab, and then click Advanced in the Update Files and Languages section.
  4. In the Advanced Synchronization Settings dialog box, make sure the settings for Download express installation files and Languages options match the selections on the old server.
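The same comparison done through the WSUS administration API instead of two consoles, as an added example that is not part of the original post. It assumes the WSUS console assembly is present on the machine you run it from (the new 2012 R2 server), that both servers answer on port 8530 without SSL, that your account is a WSUS Administrator on both, and that a remote connection to the older WSUS version succeeds; if it does not, run Get-WsusSyncSettings locally on each server and compare the output by hand. The host names are placeholders.

```powershell
# Added example: read the Advanced Synchronization settings (express installation
# files, languages) from the old and new WSUS servers and report any mismatch.
[Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration') | Out-Null

function Get-WsusSyncSettings {
    param([string]$Server, [int]$Port = 8530, [bool]$UseSsl = $false)
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetRemoteUpdateServerInstance($Server, $UseSsl, $Port)
    $cfg  = $wsus.GetConfiguration()
    [pscustomobject]@{
        Server                  = $Server
        DownloadExpressPackages = $cfg.DownloadExpressPackages        # "Download express installation files"
        AllLanguagesEnabled     = $cfg.AllUpdateLanguagesEnabled      # "Download updates in all languages"
        Languages               = (@($cfg.GetEnabledUpdateLanguages()) | Sort-Object) -join ','
    }
}

$old = Get-WsusSyncSettings -Server 'wsus-old'   # placeholder host names
$new = Get-WsusSyncSettings -Server 'wsus-new'

$old, $new | Format-Table -AutoSize

# Compare the three settings the post tells you to match.
$mismatch = @()
foreach ($p in 'DownloadExpressPackages', 'AllLanguagesEnabled', 'Languages') {
    if ($old.$p -ne $new.$p) { $mismatch += "${p}: old='$($old.$p)' new='$($new.$p)'" }
}
if ($mismatch) {
    Write-Warning ("Advanced synchronization settings differ:`n" + ($mismatch -join "`n"))
} else {
    Write-Host 'Advanced synchronization settings match.'
}
```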

Step7: Copy Updates from File System of the old WSUS Server to the new WSUS server

To back up updates from file system of old WSUS server to a file, follow these steps:

  1. On your old WSUS server, click Start, and then click Run.
  2. In the Run dialog box, type ntbackup. The Backup or Restore Wizard starts by default, unless it is disabled. You can use this wizard or click the link to work in Advanced Mode and use the following steps.
  3. Click the Backup tab, and then specify the folder where updates are stored on the old WSUS server. By default, WSUS stores updates at WSUSInstallationDrive:\WSUS\WSUSContent\.
  4. In Backup media or file name, type a path and file name for the backup (.bkf) file.
  5. Click Start Backup. The Backup Job Information dialog box appears.
  6. Click Advanced. Under Backup Type, click Incremental.
  7. From the Backup Job Information dialog box, click Start Backup to start the backup operation.
  8. Once completed, move the backup file you just created to the new WSUS server.

To restore updates from a file to the file system of the new server, follow these steps:

  1. On your new WSUS server, click Start, and then click Run.
  2. In the Run dialog box, type ntbackup. The Backup or Restore Wizard starts by default, unless it is disabled. You can use this wizard or click the link to work in Advanced Mode and use the following steps.
  3. Click the Restore and Manage Media tab, and select the backup file you created on the old WSUS server. If the file does not appear, right-click File, and then click Catalog File to add the location of the file.
  4. In Restore files to, click Alternate location. This option preserves the folder structure of the updates; all folders and subfolders will appear in the folder you designate. You must maintain the directory structure for all folders under \WSUSContent.
  5. Under Alternate location, specify the folder where updates are stored on the new WSUS server. By default, WSUS stores updates at WSUSInstallationDrive:\WSUS\WSUSContent\. Updates must appear in the folder on the new WSUS server designated to hold updates; this is typically done during installation.
  6. Click Start Restore. When the Confirm Restore dialog box appears, click OK to start the restore operation.

An alternative is to use FastCopy to copy the WSUS content folder from the old server to the new server.

Step8: Copy Metadata from the Database on the old WSUS Server to the new WSUS Server

To import metadata into the database of the new Microsoft Windows Server Update Services server, follow these steps:

Copy the export.xml.gz or export.cab file from the old server to the new server using copy/paste or FastCopy.

Note: It can take from 3 to 4 hours for the database to validate content that has just been imported.

At a command prompt on the new WSUS server, navigate to the directory that contains WSUSutil.exe and type wsusutil.exe import packagename logfile (for example, wsusutil.exe import export.cab import.log or wsusutil.exe import export.xml.gz export.log).

Step9: Point your Clients to the new WSUS Server

Next you need to change the Group Policy so that it points to the new server. To redirect Automatic Updates to a WSUS server, follow these steps:

  1. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
  2. In the details pane, click Specify Intranet Microsoft update service location.
  3. Fill in the Set the intranet update service for detecting updates box and the Set the intranet statistics server box with the new server name and port. For example, type http://newservername:port (or https://newservername:port) in both boxes.

Step10: Invoke GPUpdate

Open a PowerShell prompt as an administrator on any computer and run Invoke-GPUpdate -Computer Servername to refresh Group Policy on that server so it synchronises with the new WSUS server.

Windows Server 2012: WSUS Client Not Yet Sync

Issue: Client Not Yet Sync WSUS error

Resolution:

Step1: Download KB2720211 x64 and apply it on the WSUS server using the following steps in a command prompt with administrative privileges:

  • iisreset /stop
  • net stop wsusservice
  • WSUS-KB2720211-x64.exe /q C:\MySetup.log
  • iisreset
  • net start wsusservice

Step2: Open an elevated command prompt and type the following. Details are available in KB958046.

net stop wuauserv
cd %systemroot%\SoftwareDistribution
ren Download Download.old
net start wuauserv

Step3: Detect and authorize the client against the WSUS server. Run the following in an elevated command prompt.

wuauclt /resetauthorization /detectnow

gpupdate /force

Before you authorize, make sure the WSUS GPO is applied to the clients with the following GPO configuration:

Computer Configuration\Administrative Templates\Windows Components\Windows Update

  • Configure Automatic Updates: Enabled
  • Specify intranet Microsoft update service location: Enabled
  • Enable client-side targeting: Enabled

Resolved: WSUS Post Deployment Failed on Windows Server 2012

Error:

2013-11-21 09:43:36  Config file did not contain a value "ContentDirectory"
2013-11-21 09:43:36  Microsoft.UpdateServices.Administration.CommandException: A required configuration value was not found in the system. This is usually caused by installing WSUS through PowerShell and not specifying a configuration file. Review the article Managing WSUS Using PowerShell at TechNet Library (http://go.microsoft.com/fwlink/?LinkId=235499) for more information on the recommended steps to perform WSUS installation using PowerShell.
   at Microsoft.UpdateServices.Administration.PostInstall.GetConfigValue(String filename, String item)

Issue: This is a known issue on Windows Server 2012. The Microsoft WSUS team posted a workaround to resolve it.

Solution: On the WSUS server, open an elevated command prompt (or PowerShell, prefixing the quoted path with &) and run the following, depending on which database you have:

For WID
"%programfiles%\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\Wsus

SQL Server databases
"%programfiles%\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=C:\Wsus SQL_INSTANCE_NAME=<database server name>

Here CONTENT_DIR is the real directory where you want the WSUS content stored, the directory you pointed to during WSUS installation; the rest is self-explanatory. Once you run it, you will see output in the logs in C:\Users\thermomixadmin\AppData\Local\Temp.

2013-11-21 09:56:46 Postinstall started
2013-11-21 09:56:46 Detected role services: Api, Database, UI, Services
2013-11-21 09:56:46 Start: LoadSettingsFromParameters
2013-11-21 09:56:46 Content local is: True
2013-11-21 09:56:46 Content directory is: E:\WSUS
2013-11-21 09:56:46 SQL instname is: SQL Server Name
2013-11-21 09:56:49 Value is E:\WSUS
2013-11-21 09:56:49 Fetching group SIDs…
2013-11-21 09:56:49 Fetching WsusAdministratorsSid from registry store
2013-11-21 09:56:49 Value is S-1-5-2
2013-11-21 10:17:41 Saving Subscription
2013-11-21 10:17:52 Creating default subscription succeeded.
2013-11-21 10:17:54 Populating Auto-Approval Rules.
2013-11-21 10:18:18 Populating Auto-Approval Rules Succeeded.
2013-11-21 10:18:23 StartServer completed successfully.
2013-11-21 10:18:23 Marking PostInstall done for UpdateServices-Services in the registry…
2013-11-21 10:18:23 Mark initialization done in database…
2013-11-21 10:18:25 End: Run
2013-11-21 10:18:25 Postinstall completed

Windows Server Patching Best Practices

This article provides actionable advice about how to manage patches to reduce downtime while still maintaining the security of software services through the proactive reduction of dependencies and the use of workaround solutions.

Patching Requirements

Windows Server patches, hotfixes and service packs are critical for compliance, service level agreement and security purposes. Keeping operating systems and applications up to date is the key to aligning your infrastructure with the latest software. Patches and hotfixes also help you prevent security breaches and malware infections.

Windows Patch Classification

The following are strongly recommended patches:

  1. Critical
  2. Security
  3. Definition Updates for malware
  4. Service packs

Windows Product Classification

It is highly recommended that you patch Windows Servers, Windows Clients, Office, Applications (Silverlight, .Net Framework, SQL, Exchange, SharePoint, FF TMG).

Patching Groups

Consultants should take time to test the patches in a non-production environment prior to being deployed to production. This will help to gauge the impact of such changes. Ideally you will have the following patching groups:

1. UAT (UAT1, UAT2, etc)

2. Test Environment (Test1, Test2, etc)

3. Development Environment (Dev1, Dev2 etc)

4. Production (Prod1, Prod2, etc)

If you have a clustered environment such as SQL, Exchange or SharePoint, create Prod1 and Prod2 groups and place one node in each group.

Change Management

System administrators should maintain a log, written or electronic, of all changes to the operating environment, to include hardware, system security software, operating system, and applications. Prior to any changes being implemented on a system, the system administrator should receive approval of stakeholders.

Backup

Why am I discussing backup in a patching best practice? In an emergency you can roll back completely and restore a server to its original state if necessary. It is very important that servers be backed up on a regular basis. Depending on the use of the server, it may be adequate to back up the server once per week. A more critical environment may need daily, and possibly continuous, backups. The backup program provided with Windows is capable of backing up to virtually any writable media, including network drives provided by a server in another physical location. It can also schedule backups, which ensures they occur at a regular interval.

Microsoft strongly recommends that you create the following backups before you install an update rollup, service pack or patch on Exchange and SQL:

  • A full backup of all databases on the server.
  • A full backup of the transaction logs (a log backup).
  • A system state backup of the server.
  • A snapshot of the virtualized Exchange server. Delete the snapshot after successful patching and updating.

Application Compatibility

Read the release notes of each hotfix you are going to apply so that it is compatible with the applications installed on the server. Consult the application vendor before applying a service pack to any server that hosts a specific business application. Discuss the importance of server patching with the application engineer; inform and educate the application engineer as much as possible to avoid a conflict of interest.

Documentation

Documentation released with the updates is usually in the form of web pages, attached Word documents and README.TXT files. These should be printed off and attached to change control procedures as supporting documentation.

Back out Plan

A back-out plan will allow the system and enterprise to return to their original state, prior to the failed implementation. It is important that these procedures are clear, and that contingency management has tested them, because in the worst case a faulty implementation can make it necessary to activate contingency options. Historically, service packs have allowed for uninstalling, so verify there is enough free hard disk space to create the uninstall folder. Create a back out plan electronically and attach with change management software.

User Notifications

You need to notify helpdesk staff and support agencies of the pending changes so they may be ready for arising issues or outages.

Consistency across Servers

Always install the same service packs or hotfixes to each SQL server node, Exchange DAG member and Domain Controller.

Routine Maintenance Window

A scheduled maintenance window must be agreed with the business so that application outages and server reboots stay within a respectable Service Level Agreement (SLA). If you have a large infrastructure with thousands of servers and many regions working round the clock, you must consider application dependencies. A patching schedule could, for example, run on a Friday of every month from 6:00 P.M. Friday to 6:00 A.M. Monday. Set up a maintenance window in System Center, or a deadline in WSUS, to make sure patches are applied when you want rather than when a patch becomes available. In this way you have complete control over the change windows approved by the change advisory board (CAB). Do not allow end users to install patches on their client machines at their own discretion; if you do, they will never install any patch.

Patching Tools

I strongly recommend that you spend a few dollars to buy Microsoft System Center 2012 to manage and deploy Windows patches, service packs and hotfixes. However, you can use Windows Server Update Services (WSUS) as a poor man's patching solution.

Patching DMZ servers can be accomplished using the WSUS Offline Update solution, available free to download from http://download.wsusoffline.net/.

Automate, Automate and Automate!

Automated patch management using System Center could enable a single IT administrator to access a pre-populated patch policy. He then could execute the command and with the press of a single button, download the patches from Microsoft’s website, install them on a test machine and test for compatibility issues. Meanwhile, an automatic inventory check could search for systems with the affected software, wake them up, check their readiness and push the verified patches out to waiting machines. The patches would then be automatically installed on each system, and they’d reboot as necessary. The final step is an automated report on the status of the remediated devices.

Standardize Patch Management Processes

Standardized patch management processes could allow for daily assessment and remediation of client devices and weekly assessment and remediation for servers. Reports can then be generated to validate system status on a weekly or bi-weekly schedule. A systems monitoring task that used to take days now takes minutes, and patches are deployed more completely and consistently across the entire IT environment. A single IT administrator can proactively manage thousands of systems tasks in the same amount of time it took an entire team to do the tasks manually.

Reboot Windows Computer

Some applications, such as RSA Secure Console, may require a reboot of the server before patching. However, most servers must be rebooted after patching. Do not suppress the reboot after patching under any circumstances, or you will have a messy environment and broken clusters.

X86 and X64 Windows Systems

The most prominent 32-bit application you're likely to see on a 64-bit Windows system is Office. In this situation System Center is most useful, because you can adjust and make decisions based on architecture as well as compliance. You can approve patches based on "Needed and Not Installed": if a server or client needs the update it will be installed, and if not, it will not. It is safe to do so.

Antivirus and Antispyware

Servers are vulnerable to many forms of attack. Implementation and standardization of security methods should be developed to allow early and rapid deployment on servers. It is important that a Windows server be equipped with a current, centrally managed antivirus program. Antivirus updates must be scheduled in the same maintenance window so that the antivirus is updated with the latest definitions.

Audit Practices

Servers have a powerful auditing feature built in. Typically, server managers want the auditing system to capture logins, attempted logins, logouts, administrative activities, and perhaps attempts to access or delete critical system files. Auditing should be limited to gathering just the information that is needed, as gathering it requires CPU and disk time. Log management software should be used, if possible, for ease of managing and analysing information. Reports can be generated from System Center and WSUS as proof of the patching cycle.

Log Retention

Servers keep multiple logs and, by default, may not be set to reuse log file entries. It is a good practice to expand the size of the allowed log file and to set it to reuse space as needed. This allows logging to continue uninterrupted. How far back your log entries go will depend on the size of the log file and how quickly you are accumulating log data. If your server environment is critical, you may wish to ensure that the log file size is sufficient to store about 30 days of logging information, and then rotate log files once per month.

Installing Updates on a single Exchange Server

Download the Exchange update from the Microsoft Download Center and record the current Exchange version information.

Check for publisher’s certificate revocation

1. Start Internet Explorer.

2. On the Tools menu, click Internet Options.

3. Click the Advanced tab, and then locate the Security section.

4. Clear the Check for publisher’s certificate revocation check box, and then click OK.

5. After the update rollup installation is complete, select the Check for publisher’s certificate revocation option.

Pre-check before installing

1. Determine which update rollup packages are installed on your Exchange server roles

2. Determine whether any interim updates are installed

3. Review interim updates

4. Obtain the latest update rollup package

5. Apply on a Test Exchange Server

Install Exchange Update

1. Ensure that you have downloaded the appropriate rollup to a local drive on your Exchange servers, or on a remote network share.

2. Run the Windows Installer *.msp Setup file that you downloaded in step 1.

Install Exchange Update on DAG Member

To update all DAG members, perform the following procedures on each DAG member, one at a time. Put the member server in maintenance mode using this PowerShell script:

.\StartDagServerMaintenance.ps1 <ServerName>

Install the update rollup

1. Close all Exchange management tools.

2. Right-click the Exchange update rollup file (.msp file) you downloaded, and then select Apply.

3. On the Welcome page, click Next.

4. On the License Terms page, review the license terms, select I accept the License Terms, and then click Next.

5. On the Completion page, click Finish.

Once the update is installed, exit maintenance mode by running the StopDagServerMaintenance.ps1 script. Then run the following command to rebalance the DAG, as needed:

.\RedistributeActiveDatabases.ps1 -DagName <DAGName> -BalanceDbsByActivationPreference -ShowFinalDatabaseDistribution

When the installation is finished, complete the following tasks:

  • Start the Services MMC snap-in, and then verify that all the Exchange-related services are started successfully.
  • Log on to Outlook Web App to verify that it’s running correctly.
  • Restore Outlook Web App customizations, and then check Outlook Web App for correct functionality.
  • After the update rollup installation is complete, select the Check for publisher’s certificate revocation option in Internet Explorer. See “Certificate Revocation List” earlier in this topic.
  • Check Exchange 2010 version information
  • View Update rollup in Control Panel>Programs and Features

Patching Microsoft Failover Cluster

You can install Windows service packs on Windows Server Failover Cluster nodes using the following procedure. Administrative privilege is required to perform the following tasks.

Procedure to install Windows service pack or hotfixes in Windows Server 2003:

  1. Check the System event log for errors and ensure proper system operation.
  2. Make sure you have a current backup and updated emergency repair disk for each system. In the event of corrupt files, power outage, or incompatibility, it may be necessary to revert back to the state of the system prior to attempting to install the service pack/hotfixes.
  3. Expand Node A, and then click Active Groups. In the left pane, right-click the groups, and then click Move Group to move all groups to Node B.
  4. Open Cluster Administrator, right-click Node A, and then click Pause Node.
  5. Install the service pack on Node A, and then restart the computer.
  6. Check the System event log for errors. If you find any errors, troubleshoot them before continuing this process.
  7. In Cluster Administrator, right-click Node A, and then click Resume Node.
  8. Right-click Node B, and then click Move Group for all groups owned by Node B to move all groups to Node A.
  9. In Cluster Administrator, right-click Node B, and then click Pause Node.
  10. Install the service pack on Node B, and then restart the computer.
  11. Check the system event log for errors. If you find any errors, troubleshoot them before continuing this process.
  12. In Cluster Administrator, right-click Node B, and then click Resume Node.
  13. Right-click each group, click Move Group, and then move the groups back to their preferred owner.

Procedure to install Windows service pack or hotfixes in Windows Server 2008 and Windows Server 2012:

  1. Check the event log for errors and ensure proper system operation.
  2. Make sure you have a current backup and updated emergency repair disk for each system. In the event of corrupt files, power outage, or incompatibility, it may be necessary to revert back to the state of the system prior to attempting to install the service pack/hotfixes.
  3. On Node A, expand Services and Applications, and then click the service or application.
  4. Under Actions (on the right), click Move this service or application to another node, then choose the node or select Best possible.
  5. In the Failover Cluster Manager snap-in, right-click Node A, and then click Pause.
  6. Install the service pack/hotfixes on Node A, and then restart the computer.
  7. Check the event log for errors. If you find any errors, troubleshoot them before continuing this process.
  8. In Failover Cluster Manager snap-in, right-click Node A, and then click Resume.
  9. Under Actions (on the right), click Move this service or application to another node, then choose the node.
    Note: As the service or application moves, the status is displayed in the results pane (in the center pane). Follow the Step 9 and 10 for each service and application configured on the cluster.
  10. Install the service pack/hotfixes on Node B, and then restart the computer.
  11. Check the event log for errors. If you find any errors, troubleshoot them before continuing this process.
  12. From the Failover Cluster Manager snap-in, right-click Node B, and then click Pause.
  13. In Failover Cluster Manager, right-click Node B, and then click Resume.
  14. Right-click each group, click Move Group, and then move the groups back to their preferred owner.

You can use the following PowerShell cmdlets to accomplish the same.

1. Load the module with the command: Import-Module FailoverClusters

2. Suspend (pause) activity on failover cluster node nodeA: Suspend-ClusterNode nodeA

3. Move the clustered services or applications (resource groups) owned by nodeA to another node: Get-ClusterNode nodeA | Get-ClusterGroup | Move-ClusterGroup

4. Resume activity on nodeA, which was suspended in step 2: Resume-ClusterNode nodeA

5. Move the clustered services or applications (resource groups) owned by nodeB to another node: Get-ClusterNode nodeB | Get-ClusterGroup | Move-ClusterGroup

6. Suspend (pause) activity on the other failover cluster node: Suspend-ClusterNode nodeB

7. Resume activity on nodeB, which was suspended in step 6: Resume-ClusterNode nodeB
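The Node A / Node B rolling procedure above driven end to end by the FailoverClusters cmdlets, including the event-log check each procedure begins with, as an added example that is not part of the original post. It assumes a management host with the FailoverClusters module, an account that is a local administrator on both nodes, that the hotfix .msu has already been copied to the same local path on each node (avoiding a second network hop from the remote session), and the placeholder cluster, node and file names shown.

```powershell
# Added example: patch one cluster node at a time. Moves groups off the node,
# pauses it, installs the .msu without an automatic reboot, reboots deliberately,
# re-checks the System log, and only then resumes the node. Run once per node.
Import-Module FailoverClusters

function Test-NodeHealthy {
    param([string]$Node)
    # System log errors from the last 24 hours; the procedure says to fix these first.
    $evts = Get-WinEvent -ComputerName $Node -FilterHashtable @{
        LogName = 'System'; Level = 2; StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue
    if ($evts) {
        Write-Warning "$Node has $($evts.Count) System errors; newest: $($evts[0].Message)"
        return $false
    }
    return $true
}

function Update-ClusterNodeRolling {
    param([string]$Cluster, [string]$Node, [string]$MsuPath)

    if (-not (Test-NodeHealthy -Node $Node)) { throw "Fix errors on $Node before patching" }

    # Move every group this node owns (the GUI's Move Group / Best possible).
    Get-ClusterNode -Cluster $Cluster -Name $Node | Get-ClusterGroup |
        Move-ClusterGroup -Wait 300 | Out-Null
    Suspend-ClusterNode -Cluster $Cluster -Name $Node | Out-Null

    # Install with /norestart, then restart on our own terms and wait for WinRM.
    Invoke-Command -ComputerName $Node -ArgumentList $MsuPath -ScriptBlock {
        param($msu)
        Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$msu`" /quiet /norestart" -Wait
    }
    Restart-Computer -ComputerName $Node -Force -Wait -For PowerShell -Timeout 900

    # Post-install event-log check; leave the node paused if something is wrong.
    if (-not (Test-NodeHealthy -Node $Node)) { throw "Errors after patching $Node; node left paused" }
    Resume-ClusterNode -Cluster $Cluster -Name $Node | Out-Null
    Write-Host "$Node patched and resumed."
}

function Restore-PreferredOwners {
    param([string]$Cluster)
    # Final step of the procedure: move each group back to its preferred owner.
    foreach ($g in Get-ClusterGroup -Cluster $Cluster) {
        $pref = (Get-ClusterOwnerNode -Cluster $Cluster -Group $g.Name).OwnerNodes | Select-Object -First 1
        if ($pref -and $g.OwnerNode.Name -ne $pref.Name) {
            Move-ClusterGroup -Cluster $Cluster -Name $g.Name -Node $pref.Name | Out-Null
        }
    }
}

# Placeholder names: adjust to your cluster, nodes and hotfix path.
$cluster = 'CLUSTER01'
$msu     = 'C:\Patches\hotfix.msu'   # same local path on every node
Update-ClusterNodeRolling -Cluster $cluster -Node 'NodeA' -MsuPath $msu
Update-ClusterNodeRolling -Cluster $cluster -Node 'NodeB' -MsuPath $msu
Restore-PreferredOwners -Cluster $cluster
```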

Conclusion

It is critical that when service packs, hotfixes, and security patches are required to be installed, that these best practices be followed.

Bottom line

1. Read all related documents.

2. Use a change control process.

3. Apply updates that are needed.

4. Test patches and hotfixes on test environment.

5. Don’t get more than 2 service packs behind.

6. Target non-critical servers first.

7. Service Pack (SP) level consistency.

8. Latest SP instead of multiple hotfixes.

9. Apply only on exact match.

10. Subscribe to Microsoft email notification.

11. Always have a back-out plan.

12. Have a working Backup and schedule production downtime.

13. Consistency across Domain Controllers and application servers.

Additional Readings:

SQL Server failover cluster rolling patch and service pack process

Patch Management on Business-Critical Servers

WSUS Health Check

Group Policy: Group Policies are the easiest way to configure automatic update settings for client systems in an Active Directory environment. To check whether the WSUS policy has been applied, log on to the client computer, open a command prompt, type gpresult.exe and press Enter. You will be presented with a list of the GPOs applied to that machine, including the WSUS policy. Alternatively, you can do the following.

1. Click Start>Administrative Tools>Group Policy Management. The Group Policy Management Console opens.
2. At the bottom of the console tree you will see a node called Group Policy Results. Right-click it and choose Group Policy Results Wizard.
3. On the Welcome to the Group Policy Results Wizard screen, click Next.
4. On the Computer Selection screen choose This computer or Another computer, then click Next.
5. On the User Selection screen you can pick a specific user, or check Do not display policy settings for the selected computer in the results (display user policy settings only). Since you are only interested in whether the WSUS GPO has applied to the computer, leave that box clear and do not select a user.
6. The Summary of Selections screen lets you review your choices. Click Next, and when Completing the Group Policy Results Wizard appears click Finish.
7. In the report on the right, under Summary, expand Computer Configuration>Group Policy Objects>Applied GPOs. You should see the list of applied GPOs; in this case you are looking for the GPO named WSUS Updates.

E-mail Notifications: WSUS 3.0 can send e-mail notifications of new updates and provide status reports to an administrator. To set this up do the following:
1. Create a user account for the WSUS server to use as an e-mail account. For instance, in our example we created a user account with a mailbox in our domain called WSUS. Give this account a mailbox and nothing else: WSUS stores its password, so it should carry no other rights.
2. Open the WSUS Administration Console, go to Options in the console tree and, in the details pane, select E-mail Notifications.
3. On the General tab of E-mail Notifications, as seen in Figure 3.59, check Send e-mail notification when new updates are synchronized and type the e-mail addresses of the recipients. If you have more than one recipient, separate them with commas.
4. If you are sending status reports to these recipients, check Send status reports. Select how often each report is sent (Weekly or Daily), the time the reports are sent, and the recipients. You can also select the language the reports are sent in.
5. Now that the General tab is complete, go to the E-mail Server tab and enter the SMTP server, its port number, the sender's name and e-mail address, and the username and password of the account you created earlier.
6. Once you have entered the information, click Test to verify the settings. If everything looks correct, click OK and you are done.
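The same settings written through the WSUS administration API instead of the dialog, as an added example that is not part of the original post. The property names are those of IEmailNotificationConfiguration in the WSUS 3.0 SP2 / 2012 R2 administration API; the server name, SMTP host, addresses and where the password comes from are assumptions.

```powershell
# Added example (not from the original post): the E-mail Notifications dialog settings
# written through the WSUS administration API (WSUS 3.0 SP2 and later). Server name, SMTP
# host, addresses and the secret source are assumptions.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Set-WsusMailNotification {
    param(
        [string]$WsusServer = 'wsus01',                 # assumption
        [int]$Port = 8530,
        [string]$SmtpHost = 'smtp.corp.example',        # assumption
        [int]$SmtpPort = 25,
        [string]$SenderAddress = 'wsus@corp.example',   # mailbox of the dedicated WSUS account
        [string]$SmtpUser = 'CORP\WSUS',                # the mailbox-only account from step 1
        [Parameter(Mandatory)][string]$SmtpPassword,    # read from a secret store, never hard-coded
        [string[]]$Recipients = @('patchteam@corp.example')
    )
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $false, $Port)
    $cfg  = $wsus.GetEmailNotificationConfiguration()

    # E-mail Server tab
    $cfg.SmtpHostName                     = $SmtpHost
    $cfg.SmtpPort                         = $SmtpPort
    $cfg.SenderDisplayName                = 'WSUS'
    $cfg.SenderEmailAddress               = $SenderAddress
    $cfg.SmtpServerRequiresAuthentication = $true
    $cfg.SmtpUserName                     = $SmtpUser
    $cfg.SetSmtpUserPassword($SmtpPassword)

    # General tab: new-update notification plus a weekly status report at 06:00
    $cfg.SendSyncNotification        = $true
    $cfg.SendStatusNotification      = $true
    $cfg.StatusNotificationFrequency = [Microsoft.UpdateServices.Administration.EmailStatusNotificationFrequency]::Weekly
    $cfg.StatusNotificationTimeOfDay = New-TimeSpan -Hours 6

    $cfg.SyncNotificationRecipients.Clear()
    $cfg.StatusNotificationRecipients.Clear()
    foreach ($r in $Recipients) {
        [void]$cfg.SyncNotificationRecipients.Add($r)
        [void]$cfg.StatusNotificationRecipients.Add($r)
    }
    $cfg.Save()
    return $cfg
}

# Usage: Set-WsusMailNotification -SmtpPassword $pw   # $pw fetched from your secret store
```

The password is the only secret in this configuration; WSUS keeps it, which is why the account should be able to do nothing except send mail.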

Personalization: If you want to personalize the way information is displayed for a WSUS server you can do so by clicking Personalization under Options. This lets administrators choose how server rollup data is displayed, which items appear in the To Do list and how validation errors are displayed.

Automatic Approvals: The Automatic Approvals option lets an administrator approve updates for installation automatically, based on product and classification, and choose which computer groups the automatic approval targets. Automatic approvals are driven by rules.

1. To create a new rule, click Automatic Approvals under Options.
2. On the Update Rules tab, select New Rule.

3. The Add Rule box has two steps. The first is to select properties. For our example we based the rule on product, so we chose When an update is in a specific product. You could also (or instead) choose a specific classification. Give the rule a name such as Windows 7 Approval.
4. The second step is to edit the properties or values. Click the link for any product, clear All Products, scroll down to Windows and select Windows 7. Click the Approve the update for link and select the Windows 7 computer group; never leave it at All Computers, or every machine gets the updates at once. If you added the classification condition, click when an update is in and select Update Rollups, Security Updates or whatever you need. Click OK.
5. Back in the Automatic Approvals box, select the Windows 7 Approval rule and click Run Rule.

6. Repeat steps 2 to 5 for the other computer groups, such as Windows Server 2008 x64.
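The Windows 7 Approval rule from the steps above, created and run through the WSUS administration API, as an added example that is not part of the original post. It assumes the server name and port, that the computer group named in the call already exists in the console, and that the product and classification titles are the ones in the WSUS catalogue; it deliberately fails rather than approving to All Computers when a group name is wrong.

```powershell
# Added example (not from the original post): create and run an automatic approval rule
# through the WSUS administration API (WSUS 3.0 SP2 and later). Server name and port are
# assumptions; product, classification and group names must exist in the catalogue/console.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function New-WsusAutoApprovalRule {
    param(
        [string]$WsusServer = 'wsus01',             # assumption
        [int]$Port = 8530,
        [Parameter(Mandatory)][string]$RuleName,
        [Parameter(Mandatory)][string[]]$Products,   # e.g. 'Windows 7'
        [string[]]$Classifications = @('Critical Updates', 'Security Updates', 'Definition Updates'),
        [Parameter(Mandatory)][string[]]$TargetGroups,
        [switch]$RunNow
    )
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $false, $Port)

    # A duplicate rule that silently approves to the wrong group is the classic mistake.
    if ($wsus.GetInstallApprovalRules() | Where-Object { $_.Name -eq $RuleName }) {
        throw "Rule '$RuleName' already exists"
    }

    $cats = New-Object Microsoft.UpdateServices.Administration.UpdateCategoryCollection
    foreach ($c in $wsus.GetUpdateCategories() | Where-Object { $Products -contains $_.Title }) { [void]$cats.Add($c) }
    if ($cats.Count -ne $Products.Count) { throw "Not every product was found in the catalogue: $($Products -join ', ')" }

    $cls = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
    foreach ($c in $wsus.GetUpdateClassifications() | Where-Object { $Classifications -contains $_.Title }) { [void]$cls.Add($c) }
    if ($cls.Count -ne $Classifications.Count) { throw "Not every classification was found: $($Classifications -join ', ')" }

    $grps = New-Object Microsoft.UpdateServices.Administration.ComputerTargetGroupCollection
    foreach ($g in $wsus.GetComputerTargetGroups() | Where-Object { $TargetGroups -contains $_.Name }) { [void]$grps.Add($g) }
    if ($grps.Count -ne $TargetGroups.Count) { throw "Target group missing; refusing to fall back to 'All Computers'" }

    $rule = $wsus.CreateInstallApprovalRule($RuleName)
    $rule.SetCategories($cats)
    $rule.SetUpdateClassifications($cls)
    $rule.SetComputerTargetGroups($grps)
    $rule.Enabled = $true
    $rule.Save()
    if ($RunNow) { $rule.ApplyRule() }
    return $rule
}

# Usage (group name from the steps above):
# New-WsusAutoApprovalRule -RuleName 'Windows 7 Approval' -Products 'Windows 7' `
#     -TargetGroups 'Windows 7 Computer Group' -RunNow
```

Keeping the classification list explicit matters: a rule with no classification condition approves feature packs and drivers as well, which is rarely what a pilot group wants.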

Server Cleanup Wizard: The Server Cleanup Wizard helps administrators manage disk space and database size by removing unused updates and update revisions, deleting computers that have not contacted the server (30 days by default), deleting unneeded update files, declining expired updates and declining superseded updates.

Important! If you have WSUS 3.0 downstream servers, cleaning in the wrong order produces discrepancies between the upstream and downstream servers: run the wizard on the downstream servers first and the upstream server last. Be extra careful when cleaning the server.
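The six wizard actions run one at a time from PowerShell, as an added example that is not part of the original post. It uses the WSUS 3.0 SP2 / 2012 R2 administration API so it works on either version; only the server name and port are assumptions. On Windows Server 2012 R2 the UpdateServices module's Invoke-WsusServerCleanup cmdlet exposes the same six switches, but the API form lets you run the steps separately, which is what a neglected database needs.

```powershell
# Added example (not from the original post): the Server Cleanup Wizard actions run
# individually through the WSUS administration API. Server name and port are assumptions.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Invoke-WsusCleanup {
    param(
        [string]$WsusServer = 'wsus01',     # assumption
        [int]$Port = 8530,
        [switch]$SkipDeclineSuperseded      # set on an upstream server whose 3.0 downstream servers are not cleaned yet
    )
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $false, $Port)
    $mgr  = $wsus.GetCleanupManager()

    # Decline first so the obsolete-update pass has less to delete. One scope per step,
    # because a single all-in-one run on a neglected SUSDB is what usually times out.
    $steps = 'DeclineExpiredUpdates', 'DeclineSupersededUpdates', 'CleanupObsoleteUpdates',
             'CompressUpdates', 'CleanupObsoleteComputers', 'CleanupUnneededContentFiles'
    $results = @()
    foreach ($step in $steps) {
        if ($SkipDeclineSuperseded -and $step -eq 'DeclineSupersededUpdates') { continue }
        $scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
        $scope.$step = $true
        Write-Host "Running $step"
        $r = $mgr.PerformCleanup($scope)
        $results += New-Object PSObject -Property @{
            Step       = $step
            Expired    = $r.ExpiredUpdatesDeclined
            Superseded = $r.SupersededUpdatesDeclined
            Deleted    = $r.ObsoleteUpdatesDeleted
            Compressed = $r.UpdatesCompressed
            Computers  = $r.ObsoleteComputersDeleted
            BytesFreed = $r.DiskSpaceFreed
        }
    }
    return $results
}

# Usage: Invoke-WsusCleanup | Format-Table Step, Expired, Superseded, Deleted, Computers, BytesFreed -AutoSize
```

Schedule it monthly; the SQL bugcheck dumps described in the troubleshooting section further down are what a SUSDB that has never been cleaned eventually produces.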

Reports and logs: You can monitor WSUS events in the Windows Application event log. Detailed update reports, computer reports and synchronization reports are available under WSUS console>Reports.


Troubleshooting WSUS server

Are you struggling to troubleshoot your WSUS server? If you followed the steps in my previous posting, Install and Configure WSUS—Step by Step, but couldn't get it going and still have issues with deployment, you probably have one of a few common WSUS problems. Here are the solutions.

Client not showing in WSUS Server:

There are several reasons why clients don't show up in the WSUS console: a) the GPO or WSUS is misconfigured; b) the prerequisites for the server or the client, as listed in my post, have not been met.

Log on to the WSUS server as a domain admin. Open WSUS Console>Options>Computers>select Use Group Policy or registry settings on computers>Apply>OK.

WSUS Console>Server Name>Computers>All Computers>add the proper computer groups, that is, the client target groups you named in the GPO. The names must match exactly.

Are all the computers and servers pointing at the proper client target group as named in the GPO? Did you configure a parent GPO while the computers are picking up a child GPO? Check the group policy objects in the Group Policy Management Console for any misconfiguration. Make sure the computer you are looking for in the WSUS console sits in an OU the right GPO applies to. Run gpresult.exe from a command prompt to see the computer and user configuration. Wait until the GPO refresh interval passes and you will see the client in the WSUS console.

A quicker way to get a client into the WSUS console is to log on to the Windows XP SP2 client (it must have SP2). Run GPUPDATE /FORCE and then WUAUCLT /DETECTNOW from a command prompt, reboot the client and log back on.

Start menu>Run>type regedit.exe>OK. Now go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

You should see

TargetGroup REG_SZ the group name from the GPO, e.g. Desktop, WindowsXP, Windows7 or Server
TargetGroupEnabled REG_DWORD 0x00000001 (1)
WUServer REG_SZ http://ServerName:8530
WUStatusServer REG_SZ http://ServerName:8530

and, under the AU subkey, UseWUServer REG_DWORD 0x00000001 (1). This means the client has received the policy and will report to the WSUS server.

Another critical point: don't use the default port 80. Use port 8530, because ISA Server or the corporate firewall may be publishing port 80 to the corporate web site unless a separate web publishing rule has been added in ISA. Note also that this URL is plain HTTP: only the update binaries are protected (by their signatures), not the metadata the client downloads. Once the server is stable, configure SSL on the WSUS web site and point clients at https://ServerName:8531 instead.
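A client-side check that covers both the Group Policy Results walk-through earlier on this page and the registry values listed above, as an added example that is not part of the original post. Run it on a client that is missing from the console: it reads the policy keys, checks the server URL and port, and lists the computer GPOs that gpresult reports as applied. The expected server URL and the group names are assumptions; change them to match your GPO.

```powershell
# Added example (not from the original post): confirm on a client that the WSUS policy
# landed. Reads the policy keys listed above, checks the URL/port, and pulls the applied
# computer GPOs out of gpresult. Expected URL and group names are assumptions.
function Test-WsusClientPolicy {
    param(
        [string]$ExpectedServer = 'http://wsus01:8530',      # assumption: what the GPO sets
        [string[]]$KnownGroups  = @('Desktop', 'Windows7', 'Server')
    )
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $findings = @()

    if (-not (Test-Path $base)) {
        $findings += 'No WindowsUpdate policy key: the GPO has not applied (gpupdate /force, then check gpresult)'
    } else {
        $p  = Get-ItemProperty -Path $base
        $au = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue

        if ($p.WUServer -ne $ExpectedServer)   { $findings += "WUServer is '$($p.WUServer)', expected '$ExpectedServer'" }
        if ($p.WUStatusServer -ne $p.WUServer) { $findings += 'WUStatusServer differs from WUServer' }
        # http://host or http://host:80 means port 80, which collides with the site ISA publishes.
        if ($p.WUServer -match '^http://[^:/]+(:80)?(/|$)') { $findings += 'WUServer uses port 80; use :8530 (or https on 8531)' }
        if ($p.TargetGroupEnabled -ne 1) { $findings += 'TargetGroupEnabled is not 1: client lands in Unassigned Computers' }
        elseif ($KnownGroups -notcontains $p.TargetGroup) { $findings += "TargetGroup '$($p.TargetGroup)' does not match a group on the server" }
        if ($au.UseWUServer -ne 1) { $findings += 'AU\UseWUServer is not 1: the agent still talks to Microsoft Update' }
    }

    # Applied computer GPOs, parsed from the block under "Applied Group Policy Objects".
    $out = @(gpresult.exe /r /scope:computer 2>$null)
    $applied = @()
    $i = [array]::IndexOf($out, ($out | Where-Object { $_ -match 'Applied Group Policy Objects' } | Select-Object -First 1))
    if ($i -ge 0 -and ($i + 2) -lt $out.Count) {
        foreach ($line in $out[($i + 2)..($out.Count - 1)]) {   # skip the header and its underline
            if ($line -notmatch '\S') { break }
            $applied += $line.Trim()
        }
    }

    New-Object PSObject -Property @{
        Ok          = ($findings.Count -eq 0)
        Findings    = $findings
        AppliedGPOs = $applied
    }
}

# Usage, from an elevated prompt so gpresult can read the computer scope:
# Test-WsusClientPolicy | Format-List
# then: wuauclt /resetauthorization /detectnow, and watch the client appear in the console.
```

If Findings is empty but AppliedGPOs does not contain your WSUS policy, the values came from somewhere other than the GPO (a registry script, or an older policy); fix the link before trusting the client.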

WSUS database full of BugCheck Dump causing WSUS to stop functioning:

***This file is generated by Microsoft SQL Server version 9.00.4035.00 upon detection of fatal unexpected error. Please return this file,  the query or program that produced the bugcheck, the database and the error log, and any other pertinent information with a Service Request***

***Stack Dump being sent to c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\SQLDump0154.txt***

I am one of the victims of this SQL error. It will occupy the entire disk space in the system partition, causing WSUS to stop working. This error has nothing to do with WSUS; it is purely a SQL problem. It happens when WSUS has been running for a long time and you don't run the cleanup wizard to clean the database and WSUS. I have to be honest here: I am not a SQL expert. I found some clues by searching books and Google; this SQL error occurs when a SQL index is corrupt. I logged on to the SQL server using Management Studio Express, followed this Microsoft link and ran DBCC CHECKDB, but this will not solve the issue. Basically, the SQL database is screwed. You have to back up the database, reinstall WSUS and restore; that will solve the issue. But my best suggestion would be a fresh installation of everything... start from scratch.

You may also try this link if you need to re-index the database.
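A maintenance routine for SUSDB that does the integrity check and the re-indexing from PowerShell, as an added example that is not part of the original post. It talks to SQL Server with System.Data.SqlClient so it needs no SQL PowerShell module and works against SQL 2005 Express as well as a 2012 R2 back end; the instance name is an assumption. Run it with an account that is db_owner on SUSDB, while the Update Services service is stopped.

```powershell
# Added example (not from the original post): DBCC CHECKDB plus index reorganise/rebuild
# on SUSDB over System.Data.SqlClient. The instance name is an assumption; for the Windows
# Internal Database on a WSUS 3.0 box use np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query.
function Invoke-SusdbMaintenance {
    param(
        [string]$Instance = 'SQLSRV01\SQLEXPRESS',   # assumption
        [int]$ReorganizeAbovePercent = 10,
        [int]$RebuildAbovePercent = 30,
        [switch]$WhatIf
    )
    $cs   = "Server=$Instance;Database=SUSDB;Integrated Security=True;Connection Timeout=30"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandTimeout = 0     # CHECKDB on a neglected SUSDB can run for a long time

        # 1. Integrity first. If this throws, re-indexing will not help and the
        #    backup/reinstall/restore route described above is the answer.
        $cmd.CommandText = 'DBCC CHECKDB (SUSDB) WITH NO_INFOMSGS'
        [void]$cmd.ExecuteNonQuery()

        # 2. Fragmented indexes; the threshold is a parameter, not concatenated text.
        $cmd.CommandText = @'
SELECT QUOTENAME(s.name) + '.' + QUOTENAME(o.name) AS TableName, i.name AS IndexName,
       ps.avg_fragmentation_in_percent AS Frag
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') ps
JOIN sys.indexes i ON i.object_id = ps.object_id AND i.index_id = ps.index_id
JOIN sys.objects o ON o.object_id = i.object_id
JOIN sys.schemas s ON s.schema_id = o.schema_id
WHERE ps.index_id > 0 AND ps.page_count > 100 AND ps.avg_fragmentation_in_percent > @min
'@
        [void]$cmd.Parameters.AddWithValue('@min', $ReorganizeAbovePercent)
        $rows = @()
        $rdr = $cmd.ExecuteReader()
        while ($rdr.Read()) {
            $rows += New-Object PSObject -Property @{
                Table = $rdr['TableName']; Index = $rdr['IndexName']; Frag = [double]$rdr['Frag']
            }
        }
        $rdr.Close()
        $cmd.Parameters.Clear()

        # 3. Reorganise moderate, rebuild heavy fragmentation. Names come from the catalog
        #    views and are bracket-quoted; nothing user-supplied is spliced in.
        foreach ($r in $rows) {
            $action = if ($r.Frag -ge $RebuildAbovePercent) { 'REBUILD' } else { 'REORGANIZE' }
            $cmd.CommandText = "ALTER INDEX [$($r.Index)] ON $($r.Table) $action"
            if ($WhatIf) { Write-Host "Would run: $($cmd.CommandText)" } else { [void]$cmd.ExecuteNonQuery() }
        }
        return $rows
    } finally {
        $conn.Close()
    }
}

# Usage: Invoke-SusdbMaintenance -WhatIf | Sort-Object Frag -Descending | Format-Table
```

Check free space on the system partition before running it: a rebuild needs room in the log, and the SQLDump files the post describes are in the same partition and should be moved or deleted first.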

Connection Error

“An error occurred trying to connect the WSUS server. This error can happen for a number of reasons. Check connectivity with the server. Please contact your network administrator if the problem persists.
Click Reset Server Node to connect the server again.”

Reason: the WSUS-related web services in IIS may stop working after a Windows Server 2003 computer is upgraded in place to Windows Server 2008.

Solutions:

First verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, restart IIS, SQL and the Update Services service.

Then try removing the console's persisted preferences by deleting the wsus file under C:\Documents and Settings\%username%\Application Data\Microsoft\MMC\ (on Windows Server 2008 the same folder is C:\Users\%username%\AppData\Roaming\Microsoft\MMC\).

If the error appeared after an in-place upgrade, uninstall the ASP.NET role service in IIS and then reinstall it with Server Manager:

  1. Click Start, click Administrative Tools, and then click Server Manager.
  2. Expand Roles, and then click Web Server (IIS).
  3. In the Role Services section, click Remove Role Services.
  4. Clear the ASP.NET check box, and then click Next.
  5. Click Remove.
  6. Wait for the removal process to finish, and then click Close.
  7. In the same Role Services section, click Add Role Services.
  8. Select the ASP.NET check box, and then click Next.
  9. Click Install.
  10. Wait for the installation process to finish, and then click Close.
  11. Restart all WSUS-related services: IIS, SQL and Update Services (Administrative Tools>Services).

WSUS debug tools: Download the WSUS diagnostic tools from the Microsoft WSUS site. Extract ClientDiag.exe on the client machine and the WSUS server diagnostic tool on the WSUS server, in both cases into %windir%\system32. Open a command prompt, change directory to %windir%\system32 and run clientdiag.exe (client) or wsusdebugtool.exe (server). You can run both on the WSUS server to test whether the server can reach itself for updates. If you see Checking Machine State ... PASS, the client is contacting WSUS.


Install and configure WSUS 3.0 SP2 – Step-By-Step

Microsoft Windows Server Update Services 3.0 SP2 (WSUS 3.0 SP2) lets IT administrators deploy the latest Microsoft updates, hotfixes and service packs to computers running Windows Server 2003, Windows Server 2008, Windows Vista, Windows 7 and Windows XP with Service Pack 2. With WSUS, administrators fully manage and control the distribution of updates released through Microsoft Update.

Prerequisites for WSUS server

  • Windows Server 2003 SP1 or Windows Server® 2008
  • Microsoft Internet Information Services (IIS) 6.0 or later
  • Windows Installer 3.1 or later
  • Microsoft .NET Framework 2.0
  • Microsoft Report Viewer Redistributable 2005
  • Microsoft Management Console 3.0
  • SQL Server 2005 SP1 or later

Prerequisites for WSUS clients (x86 and x64)

  • Windows XP SP2, Windows Vista, Windows 7
  • Windows Server 2003 or Windows Server 2008

WSUS Deployment Scenarios

WSUS is flexible enough to deploy in anything from a small to an enterprise organisation; you just need to make sure Active Directory, DNS and DHCP are working properly. If port 80 is occupied by your company web site you can use port 8530. I used port 8530 on the WSUS server. I have ISA 2004, so I will also show how to add a WSUS publishing rule in ISA 2004.

Install Prerequisites

1. IIS installation

Go to Add/Remove Windows Components and select Application Server.

Click Next.

You must select both ASP.NET and IIS: check Internet Information Services (IIS) and click Details.

Check BITS Server Extensions and Internet Information Services Manager, then select World Wide Web Service and click Details.

Check Active Server Pages and World Wide Web Service and click OK.

2. MMC 3.0 installation

No need to install it separately: MMC 3.0 is already present if you have installed the service pack on your server.

3. .net framework installation

Download the .NET Framework 2.0 from the link http://www.microsoft.com/downloads/details.aspx?FamilyID=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en

Run the installer, click Next, accept the EULA and follow the installation screens.

4. MS Report Viewer installation. Download Report Viewer from the link.

Run the installer, click Next, accept the EULA and follow the installation screens.

5. SQL Server 2005 SP1 installation

Download SQL Server 2005 from the link.

Click Next and click Install, then Next again.

Follow the installation screens until finish.

Now you have fulfilled the prerequisites mentioned above.

WSUS installation

Download WSUS from the http://connect.microsoft.com/directory/ website. Sign in with a Hotmail or Live account and download the x86 or x64 version as appropriate. Here I am installing the x86 version.

Click Run.

Click Next.

Check the Full server installation radio button and click Next.

Accept the EULA.

You should have a second partition in your server for the update store, as you can see above. I selected D:\WSUS. Click Next.

Check Use an existing database server on this computer. For an enterprise deployment a full SQL Server is the better choice: the Windows Internal Database does work, but it cannot be managed remotely with the SQL tools and is harder to back up and repair when you have a large number of desktops and servers. Click Next.


Click Next.

On the next screen, Web Site Selection, check Create a Windows Server Update Services Web site on port 8530.

DO NOT CHECK the recommended option (the default IIS web site on port 80).


Click Next.

Click Next, then Next again.

Click Finish. The WSUS Configuration Wizard starts next.

Click Next.

Click Next.

Provide the proxy server IP and credentials above if you have a proxy server. In my case I typed my ISA server IP, port 80 and my domain admin credentials.

Click Start Connecting and wait until it finishes, click Next and follow the configuration screens to select your languages, products and classifications.

Wait until synchronisation finishes. It might take 30 to 40 minutes depending on your internet speed.

Setup IIS Security

Now check the permissions in IIS on the WSUS server. The client-facing virtual directories (ClientWebService, SimpleAuthWebService, Content and SelfUpdate) must allow anonymous access, because the Windows Update agent does not authenticate; the console's ApiRemoting30 directory should stay on Windows authentication. Anonymous access here is fine as long as port 8530 stays inside your firewall and is never published to the internet.

Configure WSUS

Open the WSUS management console. In the left-hand pane click Options, then Update Files and Languages. Check Download update files to this server only when updates are approved and select the appropriate languages. Click Apply and OK.

Click Automatic Approvals, create new rules and run them. In my case I have two custom rules.

In the left-hand pane right-click All Computers and click Add Computer Group. For example, I have three computer groups: Desktop, Windows7 and Server.

Group Policy Configuration

This part describes how to use a GPO to deliver the Automatic Updates settings to clients.

Open the Group Policy Management Console, right-click the Group Policy Objects container and click New. Create one policy for each computer group, for example WSUS Policy for desktop, WSUS Policy for Windows 7 and WSUS Server Policy.


Now right-click the WSUS policy you just created (the desktop policy), click Edit, and under Computer Configuration>Administrative Templates>Windows Components>Windows Update configure the four settings that are enabled in the screenshot: Configure Automatic Updates, Specify intranet Microsoft update service location, Enable client-side targeting and No auto-restart with logged on users for scheduled automatic updates installations.


Configure Automatic Updates: choose Auto download and schedule the install, with an installation schedule that fits you.


Specify intranet Microsoft update service location: enter the WSUS server and port as http://yourserver:8530 in both boxes.


Enable client-side targeting: type the target group name (it must match the computer group you created in the WSUS console) so the desktops/PCs populate that group on the WSUS server.


No auto-restart with logged on users: set Enabled so a machine is not rebooted while a user is logged on.

Repeat this process for the WSUS Server policy, the Windows 7 policy and so on.

In the Group Policy Management Console, right-click the organisational unit that contains the desktops/workstations and choose Link an Existing GPO to link the WSUS policy you created above to this organisational unit.


Link it with the WSUS policy.


Repeat the same steps for all the other organisational units. Now you can close the Group Policy Management Console.

Important! Link the WSUS policy at the OU that actually contains the computer accounts, or at a parent of it. A policy linked somewhere the computer objects do not sit under (a sibling OU, or a child OU of the one that holds them) never reaches those workstations, and they will not populate in the console. The safe rule of thumb is to link high enough in the OU hierarchy that every computer group is covered.
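The whole GPO procedure above (create the policy, set the four Windows Update settings, link it to the OU) as one PowerShell function, added here as an example that is not part of the original post. It uses the GroupPolicy module that ships with RSAT on Windows Server 2008 R2 and later and writes the same registry policy values the Administrative Templates set, so the settings show up in the editor as configured policies. The server URL, the OU distinguished names and the group names are assumptions.

```powershell
# Added example (not from the original post): one WSUS client policy per computer group,
# built with the GroupPolicy module and linked to the OU holding the computer accounts.
# Server URL, OU paths and group names are assumptions.
Import-Module GroupPolicy

function New-WsusClientGpo {
    param(
        [Parameter(Mandatory)][string]$Name,          # e.g. 'WSUS Policy for desktop'
        [Parameter(Mandatory)][string]$TargetGroup,   # must match a computer group in the console
        [Parameter(Mandatory)][string]$LinkTarget,    # DN of the OU that contains the computer accounts
        [string]$WsusUrl = 'http://wsus01:8530',      # assumption; https://...:8531 once SSL is set up
        [int]$InstallDay = 0,                         # 0 = every day
        [int]$InstallHour = 3,
        [switch]$Enforce                              # override a child OU that blocks inheritance
    )
    $wu = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = "$wu\AU"

    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $Name -Comment "WSUS client settings for $TargetGroup" | Out-Null
    }

    # Specify intranet Microsoft update service location (both boxes) + use it
    Set-GPRegistryValue -Name $Name -Key $wu -ValueName WUServer       -Type String -Value $WsusUrl | Out-Null
    Set-GPRegistryValue -Name $Name -Key $wu -ValueName WUStatusServer -Type String -Value $WsusUrl | Out-Null
    Set-GPRegistryValue -Name $Name -Key $au -ValueName UseWUServer    -Type DWord  -Value 1 | Out-Null
    # Enable client-side targeting
    Set-GPRegistryValue -Name $Name -Key $wu -ValueName TargetGroupEnabled -Type DWord  -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $wu -ValueName TargetGroup        -Type String -Value $TargetGroup | Out-Null
    # Configure Automatic Updates: 4 = auto download and schedule the install
    Set-GPRegistryValue -Name $Name -Key $au -ValueName NoAutoUpdate         -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $au -ValueName AUOptions            -Type DWord -Value 4 | Out-Null
    Set-GPRegistryValue -Name $Name -Key $au -ValueName ScheduledInstallDay  -Type DWord -Value $InstallDay | Out-Null
    Set-GPRegistryValue -Name $Name -Key $au -ValueName ScheduledInstallTime -Type DWord -Value $InstallHour | Out-Null
    # No auto-restart with logged on users for scheduled automatic updates installations
    Set-GPRegistryValue -Name $Name -Key $au -ValueName NoAutoRebootWithLoggedOnUsers -Type DWord -Value 1 | Out-Null

    # Link at the OU that really contains the computer objects; skip if already linked.
    $linked = (Get-GPInheritance -Target $LinkTarget).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) {
        $enforced = if ($Enforce) { 'Yes' } else { 'No' }
        New-GPLink -Name $Name -Target $LinkTarget -Enforced $enforced | Out-Null
    }
    return Get-GPO -Name $Name
}

# Usage (OU DNs are assumptions; one call per computer group):
# New-WsusClientGpo -Name 'WSUS Policy for desktop' -TargetGroup 'Desktop' -LinkTarget 'OU=Workstations,DC=corp,DC=example'
# New-WsusClientGpo -Name 'WSUS Server Policy'      -TargetGroup 'Server'  -LinkTarget 'OU=Servers,DC=corp,DC=example' -InstallHour 1
```

The TargetGroup string is compared literally by the server, so keep the group names in one place (a hashtable in your deployment script) rather than typing them in both the console and each GPO.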


Publish WSUS policy in ISA Server

If you have ISA 2004/2006 or Forefront TMG 2010, you have to create a rule for WSUS in the ISA firewall so that ISA does not block communication between the server and the clients. You don't need to do this if nothing is blocking client/server communication and you don't have a firewall.

To publish WSUS, open the ISA management console.

Go to Network Objects, expand Web Listeners, right-click Web Listeners and click New. Type the name of the WSUS server; the name should be the NetBIOS name of the WSUS server. Follow the screenshots.


Click Next, then Finish.

In the Tasks pane on the right, click Publish a Web Server and follow the screenshots.


On the next screen select the web listener (WSUS server) you added in the previous steps.


Right-click the WSUS publishing rule, click Properties, open the Bridging tab and check Web server with the HTTP port set to 8530.

On the Paths tab, add these paths if they do not already exist:

Uncheck the verify and block options, apply the changes and click OK.

Troubleshooting

Go to the client machine and run gpupdate /force if the client is not showing in WSUS.

Run wuauclt /resetauthorization /detectnow from the client machine.

Check the client's registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.


Conclusion

Automatic updates and patching give administrators more time to concentrate on other things instead of spending it patching servers and PCs. I enjoyed deploying WSUS. I hope these instructions will be handy for you.

Relevant Articles:

WSUS 3.0 SP2: Understanding WSUS deployment topology

How to configure automatic updates by using Group Policy or registry settings

How to configure Windows Server Update Services (WSUS) to use BranchCache

How to Configure WSUS for Roaming Clients

Troubleshooting WSUS server

Windows Server 2008: Windows Server Update Services Role–Step by Step Guide

WSUS: Best practice guide lines for WSUS installation, configuration and management

WSUS Health Check
