SUS and WSUS --- Best practice and set up and configuration

Posted on 2008-11-16
Last Modified: 2013-11-10
I have a current SUS server running on an old machine, which is pushing out Windows Updates on all server and client machines. I have set up a new WSUS server on a virtual machine, planning to replace the SUS server. Here are some questions:
1. On the SUS server, how could I remove all the servers from being managed by the SUS server?
2. On the WSUS server, what are the step-by-step instructions on how to push out updates to a specific group of computers via AD group policy?
3. How do you verify that the client machines within the group have received the updates from WSUS quickly?
Question by:MattZ888
    LVL 18

    Accepted Solution

    I went through the same replacement a couple of years ago. If you don't have too many custom approvals or declines of certain updates, just stop using the SUS on the old machine. If you do upgrade etc., you could run into issues and waste time, and eventually end up starting from scratch with a new WSUS. It is very straightforward to set up WSUS; doing it on a VM in particular is the best way to go.

    You don't have to do anything on your SUS server other than shutting it down. Or you can leave it up and running until you've set up your WSUS and tested it with a different GPO and confirmed it is working. This means you leave the current GPO of your SUS the way it is and leave your SUS server running as is. Set up your WSUS with a new GPO that points to http://NewWSUS. Apply this GPO to a test OU with 1 or 2 servers or workstations. If it works, unlink your old GPO for the SUS and link your new GPO to the same OU where your old GPO was applied.

    When you first set up your WSUS, nothing will be showing on your WSUS server. You need to create a new GPO (as suggested above), direct it to http://NewWSUS and link the GPO to the computer OU. Then the computers (servers or workstations) will appear in the WSUS server under unassigned computers. You should create groups in your WSUS server to organize the machines in a similar way to your AD or your SMS, if you have one. This will give you more flexibility in choosing which group of machines you want to test and approve updates for.

    To verify that the client machines are receiving the GPO and talking to the WSUS, follow these steps on the client machines:
    1. Force a group policy update (if the client machine is in a domain): type gpupdate /force
    2. You may run gpresult at the command prompt to verify that the GPO did get applied.
    3. Force a detection: type wuauclt.exe /resetauthorization /detectnow, then wait 10 minutes for a detection cycle to finish before verification.

    More helpful info:
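    As an added example (not part of the original answer), the three verification steps above as one PowerShell check run in an elevated prompt on a domain client. It reads the registry values the WSUS policy is expected to write, warns when they are missing or still point elsewhere, then triggers the detection cycle. The server URL http://NewWSUS is the one assumed in the answer; the last-detect registry key is an assumption that holds on older clients (newer builds record it in the Windows Update event log instead).

```powershell
# Added example, not from the thread: confirm a client picked up the WSUS GPO and force a detection.
# Assumption: the GPO names the server http://NewWSUS, as in the answer above.
$ExpectedServer = 'http://NewWSUS'

# Step 1: refresh group policy so the WSUS settings land in the policy hive
gpupdate /force | Out-Null

# Step 2: read the values the GPO should have set
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

if (-not $wu -or -not $wu.WUServer) {
    Write-Warning "No WUServer value under $wuKey - the GPO has not applied to this machine."
    Write-Warning "Run 'gpresult /r /scope computer' to see which GPOs were applied and where they were filtered."
    return
}

[pscustomobject]@{
    WUServer       = $wu.WUServer
    WUStatusServer = $wu.WUStatusServer
    UseWUServer    = $au.UseWUServer      # must be 1 or the client ignores WUServer entirely
    AUOptions      = $au.AUOptions        # 2 notify, 3 download+notify, 4 auto install
    TargetGroup    = $wu.TargetGroup      # only present when client-side targeting is enabled
} | Format-List

if ($wu.WUServer -ne $ExpectedServer) {
    Write-Warning "WUServer is '$($wu.WUServer)', expected '$ExpectedServer' - an old SUS policy may still be linked to this OU."
}
if ($au.UseWUServer -ne 1) {
    Write-Warning 'UseWUServer is not 1; the client will talk to Microsoft Update instead of WSUS.'
}

# Step 3: drop the cached authorization cookie and detect against the server now
wuauclt.exe /resetauthorization /detectnow

# Detection runs asynchronously; on older clients the last successful detect time is recorded here
# (assumption: this key exists on the client being checked).
$detectKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect'
$detect = Get-ItemProperty -Path $detectKey -ErrorAction SilentlyContinue
if ($detect) { "Last successful detection: $($detect.LastSuccessTime) (UTC)" }
"Re-check in about 10 minutes; the machine should then appear under Unassigned Computers in the WSUS console."
```

    Running this on one or two machines in the test OU before unlinking the old SUS GPO shows directly whether the old and new policies are fighting over WUServer.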

    Author Comment

    Thank you very much for the tips and links.
    1. Where can I change the way of notifying and installing the approved Windows updates for client machines on WSUS server? --- changing "Notifying me but don't ..." to "download updates for me, but let me choose when to install them"
    2. On the SUS server, how could I remove all the servers from being managed by the current SUS server? I'd rather set up a GPO for all the production servers on WSUS server.
    3. Could you tell me, step-by-step, how to set up a GPO for WSUS and link to a computer group as well as push out a windows update to the computers within this group?
    LVL 18

    Expert Comment

    1. This should be the configuration of the GPO (see # 3 below)
    2. Just unlink the GPO and later delete it.
    3. See below

    Step 1. Run GPMC
    Step 2. Create a new Policy called WSUS (name used here)
    Step 3. Disable the User Configuration
    Step 4. Configure the Computer Configuration, see attachment

    Assuming your WSUS server name is WSUS.
    Link this GPO to the OU containing the machines you want to receive it.


    Author Comment

    Americom and all,
    A few more question on how to configure WSUS with GPOs:
    I have created and reorganized all the OUs on the AD server as well as linking the WSUS GPOs to those OUs. I also created the same groups (with the same names as the AD OUs) on the WSUS server.
    I noticed I can also create new rules for the Windows Updates from the WSUS configuration....
    For the clients to get the appropriate updates (no reboot for the servers, install the updates for the workstations automatically), what is the best practice?
    1. Should I just use the GPO and OUs to enforce the updates or should I use the new WSUS rules to control the updates?
    2. Can I just leave the default WSUS settings without any new rules and just use GPOs to filter the updates?
    3. When and how should I use the "client-side targeting"?
    What is the best practice on WSUS with GPO?
    LVL 18

    Expert Comment

    1. It really depends on how friendly your users want you to be. In general, Option 4 would be the best in my opinion. This option allows download and install but not reboot. You don't want to reboot PCs, as PCs usually reboot daily.
    Use GPO and OUs to enforce the updates. Use WSUS rules to enforce very critical updates, such as setting a deadline to force users to get the update and reboot. But do not do this on servers!

    2. Yes, but you must approve updates so the GPO can download and install update.

    3. "Client side targeting" specifies the target group name or names that should be used to receive updates from an "intranet Microsoft update service". I don't have a need to enable this. The only time you would enable this is when you want different group(s) to receive updates from a different WSUS, which is the GPO setting for "Intranet Microsoft update service", such as http://yourWSUSserverName. If you do this, you may end up with different GPOs etc.

    BTW, this question has been opened for several months.  I suggest you close this thread for further question so that you will have more experts to share their comments.
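    As an added example (not from the thread or from the expert), Steps 1 to 4 of the GPO answer above done with the GroupPolicy module that ships with RSAT and Windows Server, wrapped in a helper so it can be applied twice to get the split recommended in this comment: servers download and notify only, workstations install automatically but never reboot with someone logged on. Assumptions: the WSUS server is reachable as http://WSUS (as that answer assumes), the OU distinguished names are placeholders, and New-WsusPolicy is a helper written here, not a module cmdlet. The optional -TargetGroup switch writes the client-side targeting values for the case where you do want WSUS groups assigned by policy; the WSUS group must already exist on the server.

```powershell
# Added example, not from the thread: build and link a WSUS client GPO with the GroupPolicy module.
Import-Module GroupPolicy

function New-WsusPolicy {
    param(
        [Parameter(Mandatory)] [string] $Name,        # GPO name (Step 2)
        [Parameter(Mandatory)] [string] $WsusUrl,     # http://<WSUS server>
        [Parameter(Mandatory)] [string] $TargetOu,    # DN of the OU the policy is linked to
        [ValidateSet(2, 3, 4)] [int] $AUOptions = 3,  # 2 notify, 3 download+notify, 4 auto install
        [switch] $NoAutoReboot,                       # "No auto-restart with logged on users"
        [string] $TargetGroup                         # client-side targeting group (optional)
    )
    $wuKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = "$wuKey\AU"

    # Step 2: create the policy, or reuse it if it already exists
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment "WSUS client settings ($Name)" }

    # Step 3: disable the User Configuration half; everything below is machine policy
    $gpo.GpoStatus = 'UserSettingsDisabled'

    # Step 4: Computer Configuration > Administrative Templates > Windows Components > Windows Update
    $values = @(
        @{ Key = $wuKey; Name = 'WUServer';       Type = 'String'; Value = $WsusUrl }
        @{ Key = $wuKey; Name = 'WUStatusServer'; Type = 'String'; Value = $WsusUrl }
        @{ Key = $auKey; Name = 'UseWUServer';    Type = 'DWord';  Value = 1 }   # without this WUServer is ignored
        @{ Key = $auKey; Name = 'NoAutoUpdate';   Type = 'DWord';  Value = 0 }
        @{ Key = $auKey; Name = 'AUOptions';      Type = 'DWord';  Value = $AUOptions }
        @{ Key = $auKey; Name = 'NoAutoRebootWithLoggedOnUsers'; Type = 'DWord'; Value = [int]$NoAutoReboot.IsPresent }
    )
    if ($AUOptions -eq 4) {
        # option 4 needs an install schedule: day 0 = every day, hour 3 = 03:00
        $values += @{ Key = $auKey; Name = 'ScheduledInstallDay';  Type = 'DWord'; Value = 0 }
        $values += @{ Key = $auKey; Name = 'ScheduledInstallTime'; Type = 'DWord'; Value = 3 }
    }
    if ($TargetGroup) {
        # "Enable client-side targeting": the named WSUS group must already exist on the server
        $values += @{ Key = $wuKey; Name = 'TargetGroupEnabled'; Type = 'DWord';  Value = 1 }
        $values += @{ Key = $wuKey; Name = 'TargetGroup';        Type = 'String'; Value = $TargetGroup }
    }
    foreach ($v in $values) {
        Set-GPRegistryValue -Name $Name -Key $v.Key -ValueName $v.Name -Type $v.Type -Value $v.Value | Out-Null
    }

    # Link to the OU; skip if a link to this GPO already exists there
    $linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $Name
    if (-not $linked) { New-GPLink -Name $Name -Target $TargetOu -LinkEnabled Yes | Out-Null }

    # Return what was written so it can be eyeballed against the GPMC report
    Get-GPRegistryValue -Name $Name -Key $auKey | Select-Object ValueName, Value
}

# Servers: download and notify (option 3), never install or reboot on their own
New-WsusPolicy -Name 'WSUS-Servers' -WsusUrl 'http://WSUS' `
    -TargetOu 'OU=Servers,DC=example,DC=com' -AUOptions 3 -NoAutoReboot

# Workstations: install automatically (option 4) but do not reboot while someone is logged on
New-WsusPolicy -Name 'WSUS-Workstations' -WsusUrl 'http://WSUS' `
    -TargetOu 'OU=Workstations,DC=example,DC=com' -AUOptions 4 -NoAutoReboot
```

    Link each policy to a small test OU first, exactly as the answer suggests, and only move the link to the production OUs once clients in the test OU show up in the WSUS console.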
