Solved

WSUS Questions

Posted on 2008-10-30
Last Modified: 2012-05-05
I just installed WSUS on a Server 2003 server.  I added the WUAU template into GPOE and enabled Configure Windows Update and set the Specify Microsoft Update service location to my WSUS server.  Then on a client computer ran gpupdate /force followed by wuauclt.exe /detectnow in a command prompt.

On this same client, I then went to Start > All Programs > Microsoft Update.  There was only one thing on my computer that needed updating (Genuine Advantage Tool) which I did update.  But the URL for the update was a microsoft.com URL.  On the WSUS admin page, though, my computer shows under the list of computers.  How do I know that this is really working?  And will the Configure Automatic Updates option in GPOE override the client computers that may have different settings?  I set this option at Auto download and schedule the install for Every Tuesday at 3am.  Will the 40 workstations on my network go to this one server at that time every week all at the same time looking for updates?
Question by:sedberg1
13 Comments
 

Author Comment

by:sedberg1
ID: 22845122
Another question, does WSUS do all updates for Microsoft products including SQL Server, Sharepoint, Office 2003, etc.  Are there any MS applications it doesn't work with?
0
 

Author Comment

by:sedberg1
ID: 22845150
Does it work with Vista?
0
 
LVL 5

Assisted Solution

by:gratex_ssd
gratex_ssd earned 150 total points
ID: 22845758
I guess you need to read some more about WSUS functionality, start here:

http://technet.microsoft.com/en-us/library/cc708504.aspx

As to your questions:


1, It looks like you have set up the WSUS correctly. If you can see the clients in the WSUS console, you're set, as they're registering with the server. You can also check this through ClientDiag tool by running it on the client machine. You can download it here:

http://download.microsoft.com/download/9/7/6/976d1084-d2fd-45a1-8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE

Even if WSUS manages your clients, you can still use Microsoft Update on any of the clients including server - consider it as manual update through Microsoft's servers.

2, Yes.  You can select applications for which WSUS downloads updates in the WSUS console under Options|Products and Classifications.

3, Yes. Make sure your SBS box is updated to work with Vista clients and Office 2007 (it is a pretty old update, so there's a good chance this is already installed - check in add/remove programs)

http://www.microsoft.com/downloads/details.aspx?FamilyId=9BF2F1E4-1B2C-471B-A284-E0C8C169FAC3&displaylang=en

Hope this helps, and good luck.




0
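
One way to answer "how do I know that this is really working?" from the client side, as an added example that is not part of the original thread: this PowerShell script reads the registry values that the Windows Update Group Policy settings write and compares them with the intended configuration. The server URL is a placeholder assumption; the value names are the standard Windows Update policy values.

```powershell
# Added example: compare the Windows Update policy values on this client
# with what the GPO was meant to set. Run it after gpupdate /force.
param(
    # Placeholder (assumption): replace with your own WSUS server URL.
    [string]$ExpectedServer = 'http://wsus.example.local'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the policy did not apply.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$days  = 'Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'
$modes = @{ 2 = 'notify before download'; 3 = 'auto download, notify to install'
            4 = 'auto download, scheduled install'; 5 = 'local admin chooses' }

$server  = Get-PolicyValue $wuKey 'WUServer'
$status  = Get-PolicyValue $wuKey 'WUStatusServer'
$group   = Get-PolicyValue $wuKey 'TargetGroup'
$useWsus = Get-PolicyValue $auKey 'UseWUServer'
$mode    = Get-PolicyValue $auKey 'AUOptions'
$day     = Get-PolicyValue $auKey 'ScheduledInstallDay'
$hour    = Get-PolicyValue $auKey 'ScheduledInstallTime'

"WUServer       : $server"
"WUStatusServer : $status"
"UseWUServer    : $useWsus"
if ($mode -ne $null) { "AUOptions      : $mode ($($modes[[int]$mode]))" }
if ($mode -eq 4 -and $day -ne $null -and $hour -ne $null) {
    "Scheduled install: $($days[[int]$day]) at $($hour):00"
}
if ($group) { "Client-side target group: $group" }

$problems = @()
if ($useWsus -ne 1) { $problems += 'UseWUServer is not 1: the client ignores WUServer and scans against Microsoft.' }
if (-not $server) {
    $problems += 'WUServer is not set: the GPO has not reached this computer.'
} elseif ($server.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
    $problems += "WUServer is '$server', expected '$ExpectedServer'."
}
if ($server -and $status -ne $server) { $problems += 'WUStatusServer differs from WUServer: reporting goes elsewhere.' }

if ($problems.Count -eq 0) { 'OK: policy points this client at the expected WSUS server.' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```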
 
LVL 4

Assisted Solution

by:ThorSG1
ThorSG1 earned 150 total points
ID: 22845854
If the computer showed up on the server then it is configured correctly.  You can specify when you want the computers to look for updates from the server in GP.  The GP settings will override the local client settings.  Just an FYI.  The clients will have to be on and not logged in as a user to install the patches.  I think they will still download the patches even if someone is logged in but they will not install automatically.  I don't recommend automatically installing any patches to your servers.
The latest version has updates for SQL Server 2005, Office 2002 => 2007, Vista, but I don't see Sharepoint.
You can look up the Products here: Update Services/ServerName/Options/Products and Classifications.
0
 
LVL 4

Assisted Solution

by:eli_cook
eli_cook earned 200 total points
ID: 22845870
WSUS 3.0 has Vista Support - and I'm pretty sure the update page you see should be a local one, not the public Microsoft Page.

Also WSUS 3.0 has Office support, I'm not aware of any Microsoft software that it won't update.

Are your computers located in a container or the default computers folder in AD? If they are located in the default computers container they need to be moved to a container that you create to have a GPO applied to them.
0
 
LVL 4

Assisted Solution

by:ThorSG1
ThorSG1 earned 150 total points
ID: 22845985
Using the Windows Update or Microsoft Update will always take you to Microsoft.com/update.  That is just the way it works.
Now in Vista things are a little different.  If you go to the Control Panel/Windows Update, and do look for updates it may hit your local server to look for updates.  I believe it is just part of the new features with Vista.
0

 

Author Comment

by:sedberg1
ID: 22846085
Thanks for the fast responses.  

Gratex ssd: we're not using SBS.  Server 2003 Standard Edition.  I know there's a difference between Standard and SBS, so can I still use the link in your post for making sure my server will work with Vista and Office 2007?  We're using 2003 but will eventually move to 2007.  The computers are all in the Domain Computers container.  We never broke them up since I felt it was unnecessary for 40 users.  In the WSUS console, I did create 5 groups and moved the unassigned computers into these groups.  Do I still need to make more groups of computers in AD?  If I don't, will the Windows Update GP edits apply to all of them?

ThorSG1: About a user not being logged on, does that mean the client machine powered on but everyone logged off?  

Eli cook: WSUS 3.0 - how do I know what version I'm using?  I downloaded the executable a week or so ago but the filename is WSUS2-KB919004-x86.exe.  Does that mean I'm using WSUS 2?  How do I check?  
0
 

Author Comment

by:sedberg1
ID: 22846309
Ok, so I saw that most of my computers have synched with WSUS.  And I disabled a bunch of MS products from synchronizing for better time and bandwidth utilization.  The version I'm running is 2.0.0.2620 so I'm not running version 3.0.  Is it worth upgrading to 3.0?  

This is running on a test server and I'd like to move it to a production server in the next couple days.  Is there anything particular I need to watch for when installing another WSUS server?  What about removing the test server as a WSUS server?  And finally, should we upgrade to 3.0?

Any suggestions?
0
 
LVL 4

Assisted Solution

by:ThorSG1
ThorSG1 earned 150 total points
ID: 22847200
There is a setting in GP to dynamically add them to groups you already have created in WSUS.  I would have to look it up if you need to know it.  But it is in the same area as where you define what server to point to.
Client machine powered on and everyone logged off.  There is an option in GP to wake if the computer is hibernating but that won't help if it is shutdown.
I would set WSUS to automatically install WSUS patches.  I would go ahead and upgrade to 3.0.  If I remember correctly 2.0 is web based while 3.0 uses the windows MMC.
You will have no problem bringing up a new server later.  I recommend getting it configured the way that you want.  Approve the patches you want approved and set up your groups, then change GP to point to the new server.  They will automatically point to the new server after GP updates on your clients.  You can then un-install the test server.
0
 
LVL 5

Assisted Solution

by:gratex_ssd
gratex_ssd earned 150 total points
ID: 22848258
Sorry, I slightly misread your post, because I found it through my SBS filter.

You have downloaded version 2 of WSUS. The most recent version available is

http://www.microsoft.com/downloads/details.aspx?FamilyId=F87B4C5E-4161-48AF-9FF8-A96993C688DF&displaylang=en

You can easily upgrade your current version to v. 3 SP1

1, No, this update applies only for SBS, WSUS 3.0 SP1 has built in support for both these products and many more

2, The point of having groups in WSUS is that you can apply different policies on them and have separated test and production machines and apply updates to separate groups. I.e., you can have clients automatically restarted after update at a given time, and server updates will wait for your installation approval and will be set to manual reboot, or when you are not sure if the new MS update is compatible with your application, you test-approve it on your test PCs and see if it works. If yes, you approve it to production computers. Also, groups are good for separating servers from client workstations, as they can have different update policies activated.
It depends solely on your needs what and how many groups to create, but generally you only need to create so many groups in WSUS when you want to have different update policies. Therefore, if you have only clients and servers, and have two separate policies set for them, it is usual that you have only two groups created - it is easy to administer.
0
 
LVL 5

Assisted Solution

by:gratex_ssd
gratex_ssd earned 150 total points
ID: 22848276
And yes, you should definitely upgrade to WSUS 3. It's much easier to maintain and use. I have not encountered any problems when upgrading, but it depends on your environment, there's always a chance something goes wrong, as with everything. But don't worry and go ahead :)
0
 
LVL 4

Accepted Solution

by:eli_cook
eli_cook earned 200 total points
ID: 22849226
As the others have said WSUS 3.0 is much easier to use and has better support for Vista, etc. Here's the link
http://www.microsoft.com/downloads/details.aspx?FamilyID=e4a868d7-a820-46a0-b4db-ed6aa4a336d9&DisplayLang=en

And you will want to apply the SP1 for WSUS if you are going to be using it in production.
http://www.microsoft.com/downloads/details.aspx?FamilyID=f87b4c5e-4161-48af-9ff8-a96993c688df&DisplayLang=en

This is on a side note (kind of) - if you are using the computer settings in a GPO (if I remember correctly the update settings are in the computer section) the computers need to be in a container for the settings to be applied. So you don't have to split them up and put them in their respective containers, but I would create a container called Workstations and put all of the computers in that container; now any GPOs that have computer settings that are applied at the domain level or applied to that container will be applied to the computer. After you do this, if you want the changes to be applied immediately you need to run gpupdate /force from the command line.
0
 
LVL 4

Assisted Solution

by:eli_cook
eli_cook earned 200 total points
ID: 22849271
Also if you have sufficient disk space, I would configure all of your workstations to look at your WSUS not only to get the approved updates but to also download them. If your server downloads the updates you're using 1/40th (roughly) the amount of bandwidth of the other solution, which is to have the workstations download the update from Microsoft; when you start running into Service Packs that can be a lot of bandwidth.
0
