SUS and WSUS --- Best practice and set up and configuration

I have a current SUS server running on an old machine, which is pushing out Windows Updates on all server and client machines. I have set up a new WSUS server on a virtual machine, planning to replace the SUS server. Here are some questions:
1. On the SUS server, how could I remove all the servers from being managed by the SUS server?
2. On the WSUS server, what are the step-by-step instructions on how to push out updates to a specific group of computers via AD group policy?
3. How do you verify that the client machines within the group have received the updates from WSUS quickly?

I went through the same replacement a couple of years ago. If you don't have too many custom approvals or declines of certain updates, just stop using the SUS on the old machine. If you do upgrade etc., you could run into issues, waste time, and eventually end up starting from scratch with a new WSUS. It would be very straightforward to set up WSUS, and doing it on a VM is the best way to go.

You don't have to do anything on your SUS server other than shutting it down. Or you can leave it up and running until you've set up your WSUS, tested it with a different GPO, and confirmed it is working. This means you leave the current GPO of your SUS the way it is and leave your SUS server running as is. Set up your WSUS with a new GPO that points to http://NewWSUS. Apply this GPO to a test OU with 1 or 2 servers or workstations. If it is working, unlink your old GPO for the SUS and link your new GPO to the same OU where your old GPO was applied.

When you first set up your WSUS, nothing will be showing on your WSUS server. You need to create a new GPO (as suggested above), direct it to http://NewWSUS, and link the GPO to the computer OU. Then the computer (server or workstation) will appear in the WSUS server under unassigned computers. You should create groups in your WSUS server to organize the machines in a similar way to what you have for your AD or your SMS, if you have one. This will allow you more flexibility in which group of machines you want to test and approve updates for.

To verify that the client machines are receiving the GPO and talking to the WSUS, follow these steps on the client machines:
1. Force a group policy update (if the client machine is in a domain): type gpupdate /force
2. You may run gpresult at the command prompt to verify that the GPO did get applied.
3. Force a detection: type wuauclt.exe /resetauthorization /detectnow, then wait 10 minutes for a detection cycle to finish before verification.

More helpful info:
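
The client-side check from the steps above, as an added example that is not part of the original answer: it reads the registry values the Windows Update policy writes, flags a missing or non-HTTPS WSUS URL, and then runs the same detection command. It assumes PowerShell 3.0 or later in an elevated session on the client.

```powershell
# Added example (not from the thread): show which WSUS policy this client
# actually received, then trigger the detection cycle from step 3.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the GPO has not written this value.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$report = [pscustomobject]@{
    WUServer           = Get-PolicyValue $wuKey 'WUServer'
    WUStatusServer     = Get-PolicyValue $wuKey 'WUStatusServer'
    TargetGroupEnabled = Get-PolicyValue $wuKey 'TargetGroupEnabled'
    TargetGroup        = Get-PolicyValue $wuKey 'TargetGroup'
    UseWUServer        = Get-PolicyValue $auKey 'UseWUServer'
    AUOptions          = Get-PolicyValue $auKey 'AUOptions'
}
$report | Format-List

if (-not $report.WUServer -or $report.UseWUServer -ne 1) {
    # The GPO has not landed: steps 1 and 2 come first.
    Write-Warning 'WSUS policy not applied. Run "gpupdate /force", then check gpresult.'
}
else {
    if ($report.WUServer -notmatch '^https://') {
        Write-Warning "WUServer is '$($report.WUServer)': update metadata travels without TLS."
    }

    # Same detection command as in the answer.
    & "$env:windir\System32\wuauclt.exe" /resetauthorization /detectnow

    # Where the agent still writes a plain-text log, show its latest lines.
    $log = Join-Path $env:windir 'WindowsUpdate.log'
    if (Test-Path $log) { Get-Content $log -Tail 20 }
}
```

A client that shows the expected WUServer here but never appears under unassigned computers on the WSUS console usually has a connectivity or name-resolution problem rather than a GPO problem.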

MattZ888 (Author) commented:
Thank you very much for the tips and links.
1. Where can I change the way of notifying and installing the approved Windows updates for client machines on WSUS server? --- changing "Notifying me but don't ..." to "download updates for me, but let me choose when to install them"
2. On the SUS server, how could I remove all the servers from being managed by the current SUS server? I'd rather set up a GPO for all the production servers on WSUS server.
3. Could you tell me, step-by-step, how to set up a GPO for WSUS and link to a computer group as well as push out a windows update to the computers within this group?
1. This should be the configuration of the GPO (see # 3 below)
2. Just unlink the GPO and later delete it.
3. See below

Step 1. Run GPMC
Step 2. Create a new Policy called WSUS (name used here)
Step 3. Disable the User Configuration
Step 4. Configure the Computer Configuration, see attachment

Assuming your WSUS servername is WSUS.
Link this GPO to the OU where you want the machine to receive.
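
The GPMC steps above, scripted with the GroupPolicy module, as an added example that is not part of the original answer. The attachment with the exact settings is not on the page, so the values below are constructed: the OU path is a placeholder, and the schedule and no-reboot settings are sample choices.

```powershell
# Added example (not from the thread). Assumes the GroupPolicy module (RSAT)
# and a WSUS server named WSUS, as in the answer.
Import-Module GroupPolicy

$gpoName  = 'WSUS'
$wsusUrl  = 'http://WSUS'                      # server name from the answer
$targetOu = 'OU=WSUS-Test,DC=example,DC=com'   # placeholder: your test OU

$wuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# Steps 1-2: create the policy.
$gpo = New-GPO -Name $gpoName -Comment 'Points clients at the WSUS server'

# Step 3: disable the User Configuration half of the GPO.
$gpo.GpoStatus = 'UserSettingsDisabled'

# Step 4: Computer Configuration, written as the registry values that the
# Windows Update administrative template sets.
$settings = @(
    @{ Key = $wuKey; ValueName = 'WUServer';       Type = 'String'; Value = $wsusUrl },
    @{ Key = $wuKey; ValueName = 'WUStatusServer'; Type = 'String'; Value = $wsusUrl },
    @{ Key = $auKey; ValueName = 'UseWUServer';    Type = 'DWord';  Value = 1 },
    @{ Key = $auKey; ValueName = 'NoAutoUpdate';   Type = 'DWord';  Value = 0 },
    # 4 = download automatically and install on the schedule below
    @{ Key = $auKey; ValueName = 'AUOptions';            Type = 'DWord'; Value = 4 },
    @{ Key = $auKey; ValueName = 'ScheduledInstallDay';  Type = 'DWord'; Value = 0 },  # every day
    @{ Key = $auKey; ValueName = 'ScheduledInstallTime'; Type = 'DWord'; Value = 3 },  # 03:00
    # Do not restart while a user is logged on
    @{ Key = $auKey; ValueName = 'NoAutoRebootWithLoggedOnUsers'; Type = 'DWord'; Value = 1 }
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $gpoName @s | Out-Null
}

# Link the GPO to the test OU first; relink to production OUs once verified.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null

# Write a report to review the resulting settings before rollout.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\WSUS-gpo.html"
```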

MattZ888 (Author) commented:
Americom and all,
A few more questions on how to configure WSUS with GPOs:
I have created and reorganized all the OUs on the AD server as well as linking the WSUS GPOs to those OUs. I also created the same groups (with the same name as the AD OU) on the WSUS server.
I noticed I can also create new rules for the Windows Updates from the WSUS configuration....
For the clients to get the appropriate updates (no reboot for the servers, install the updates for the workstations automatically), what is the best practice?
1. Should I just use the GPO and OUs to enforce the updates or should I use the new WSUS rules to control the updates?
2. Can I just leave the default WSUS settings without any new rules and just use GPOs to filter the updates?
3. When and how should I use the "client-side targeting"?
What is the best practice on WSUS with GPO?
It really depends on how friendly your users want you to be. In general, Option 4 would be the best in my opinion. This option allows download and install but not reboot. You don't want to reboot PCs as PCs usually reboot daily.
Use GPO and OUs to enforce the updates. Use WSUS rules to enforce very critical updates, such as setting a deadline to force users to get the update and reboot. But do not do this on server!

2. Yes, but you must approve updates so the GPO can download and install update.

3. "Client side targeting" specifies the target group name or names that should be used to receive updates from an "intranet Microsoft update service". I don't have a need to enable this. The only time you would enable this is when you want different group(s) to receive updates from a different WSUS, which is the GPO setting for "Intranet Microsoft update service", such as http://yourWSUSserverName. If you do this, you may end up with different GPOs etc.

BTW, this question has been open for several months. I suggest you close this thread for further questions so that you will have more experts to share their comments.