Solved

Deploying SUS

Posted on 2004-10-01
9
988 Views
Last Modified: 2012-06-21
What is the best way to setup SUS for 300 clients?

We have a mix of 2000 and XP Pro clients, and 90% of our users are NOT local admins on their machines. I am looking for a way to setup the clients so auto updates are enabled and pulling from the SUS server.

Thanks,

Justin
0
Comment
Question by:Justin Durrant
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 19

Expert Comment

by:Zaheer Iqbal
Comment Utility
0
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 500 total points
Comment Utility
Easy.

SUS works best with Group Policies.  Install SUS on a server.  Then read over this easy, graphical explanation of what to do next.

http://www.bris.ac.uk/is/services/computers/operatingsystems/sus/configuring.html

Basically it summarizes setting up the GPO settings and the possibly needed .adm file.

Then you put the GPO on an OU - or if you want to be bold, the whole site or domain.  (I recommend start slow by making a GPO for testing it try it out on a few machines so you can see how it's working.  Then move it to domain or site level).
0
 
LVL 82

Expert Comment

by:oBdA
Comment Utility
The documentation on SUS is actually rather good. What's important in your case is that you need to import the wuau.adm file that you can download from the MS SUS site as well into the group policy editor and configure the clients to point to your internal SUS server for the updates. That's the obvious part.
The not so obvious part is that only one of the scheduling options will install the updates completely automatically, the others require an administrator to log on and approve of the updates. The setting you're looking for is number 4, Download automatically and install according to this schedule (or similar, not using an English version).
0
 
LVL 23

Author Comment

by:Justin Durrant
Comment Utility
we are still on a nt domain
0
Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 95

Expert Comment

by:Lee W, MVP
Comment Utility
Ah... then I see your problem.  GPOs really are the best way of doing it but you need a 2000 domain.  

I would recommend, especially if you're not the decision maker in these matters, that you use this in part of an argument to move to a 2000 or 2003 domain.  Aside from the fact that Microsoft has essentially stopped supporting NT, an AD domain would make this MUCH easier.

That said, try reading over this site:
http://www.bris.ac.uk/is/services/computers/operatingsystems/sus/config-reg.html

You can use the information there to preconfigure your Windows client registries so that they know where the server is and how often to update/etc.  As for getting these settings on the client, you should be able to script them using PSEXEC (www.sysinternals.com freeware utility - part of PSTOOLS).  The script would be a single file that goes through a list of computer names and remotely runs the registry update.  If you aren't familiar with PSTOOLS you can run the tool with a /? for an explanation of how to use it.  And if you need, I can write the script for you.
0
 
LVL 82

Expert Comment

by:oBdA
Comment Utility
You can still deploy the SUS settings with a rgular NT4 system policy. Open the wuau.adm in notepad, save it again as ANSI (the file comes in Unicode format, which the NT4 poledit can't handle). Then import it into poledit, and adjust your ntconfig.pol file accordingly. The one major problem with an NT4 domain and system policies is that you can't group computers, so you'll either have to use SUS on all of your machines by configuring the Default Computer object, or you'll have to add a computer into ntconfig.pol for every machine you want to deploy it on. There's a third possibility as well, though; that involves disabling the system policies or redirecting them to another .pol file on machines you don't want the SUS policies to apply.

Guide to MS Windows NT 4.0 Profiles and Policies
http://www.microsoft.com/technet/prodtechnol/winntas/maintain/prof_pol.mspx

This applies to XP as well:
Group Policies for Windows 2000 Professional Clients in Windows NT 4.0 Domain or Workgroups
http://support.microsoft.com/?kbid=274478
0
 
LVL 23

Author Comment

by:Justin Durrant
Comment Utility
thanks guys.. will the wuau.reg work witn 2000 and XP machines? Will any client reboots be required?

Justin
0
 
LVL 23

Author Comment

by:Justin Durrant
Comment Utility
Ok.. I am trying to call the reg file from a network location, and I get:

C:\>psexec -s \\S_east \\svfile\ittools\wuau.reg

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com


PsExec could not start \\svfile\ittools\wuau.reg on S_east:
Access is denied.

any ideas?

0
 
LVL 95

Expert Comment

by:Lee W, MVP
Comment Utility
My apologies - I didn't mean to abandon the question the way I did:

In regards to your second to last comment, the wuau.reg file should work with both system, but I believe a reboot will be required on the client.

The PSEXEC issue appears to be security related.  Make sure you are either logged in to the computer your executing the command from as a domain admin.  Alternately, specify a user and password with psexec - for more info run PSEXEC /?.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now