Solved

how to install wsus update on windows server 2003

Posted on 2009-03-31
Last Modified: 2012-05-06
Question by:ashjuv
7 Comments
 
LVL 47

Expert Comment

by:dstewartjr
ID: 24031471
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 250 total points
ID: 24031952
Hello ashjuv,

WSUS Installing and configuring Windows Software Update Services.


Pre Flight Checks

1.      Download the WSUS 3.0 SP1 executable from http://www.microsoft.com/downloads/details.aspx?FamilyId=F87B4C5E-4161-48AF-9FF8-A96993C688DF&displaylang=en#filelist
2.      You  will need 30-30Gb Free Drive space for your updates.
3.      Also ensure IIS is installed and running - put on the latest patches and updates before you start.
4.      Install this beforehand. Microsoft Report Viewer Redistributable 2005 http://www.microsoft.com/downloads/details.aspx?familyid=8a166cac-758d-45c8-b637-dd7726e61367&displaylang=en

Install WSUS

1.      Run the WSUS exe.
2.      Next.
3.      Select "Full Server installation including Administration Console".
4.      Next
5.      Accept the EULA > Next.
6.      Ensure "Store updates locally" is ticked and select a location to hold the updates (need 20-30Gb Free)
7.      Select "Install Windows Internal Database on this computer" Unless you want to use an existing SQL server > Next
8.      Select "Create a Windows Server Update Services 3.0 SP1 Web site" > Next.

Note: the URL i.e http://server-name:8530

9.      Review the information > Next.
10.      WSUS Will install.
11.      When done - click finish.

After a few seconds the configuration wizard will start. (Note you can run this at any time from the WSUS snap in > Options > WSUS Server Configuration Wizard.)

1.      Next.
2.      If you want to help leave the box ticked > Next.
3.      Unless you have a WSUS server "In front" of this one leave "Synchronise with Microsoft Update" Ticked > Next
4.      Enter Proxy details if appropriate*  > Next
5.      Click Start connecting.
6.      You should connect to the Microsoft update site. (This downloads an XML file that contains a full list of updates). > Next
7.      Select the language (you want the updates in!) remember the eventual downloaded updates folder size will be multiplied by the amount of languages you select. > Next.
8.      Select the products you want to update, again the more products the bigger the folder > Next.
9.      Select WHAT you want to download > Next.
10.      Select the frequency that WSUS will sync with Microsoft by selecting Synchronize automatically, set it "Out of Hours" > Next.
11.      Tick "Begin Initial synchronisation" > Next
12.      Click Finish.

Note the initial Synchronisation can take a very long time. Keep selecting "Updates" and you will see the numbers going up.
*NB if you're using ISA as a proxy you might need to change the port number to 8080 or it may fail (took me 15 minutes to work that out)
You now need to get your clients pointed to the WSUS Server - to do this use either local policy on each machine - Or Group policy on the domain.
OK now you need it to start seeing the clients before you do anything else...........


Point the clients to the WSUS Server

1.      If you are setting this up on the Domain skip to number 2, On the client click Start > Run > gpedit.msc {enter}
2.      If you are doing this on a Local PC skip to number 3, On a domain controller: Note this policy can be applied to an OU (Like the Computers OU for example) or at the domain level, for the purpose of this exercise we will apply it at domain level. Open administrative tools > Active directory users and computers, right click the domain, and select Properties > Group Policy > You will see one of two things, either one button to open the group policy management console, or one or more policies, and lots of buttons,
i.      One Button: Press the "Open" button to launch the Group policy Management Console > Right Click the Domain Name > Create and Link a GPO Here > Call it WSUS > OK > Right click the WSUS GPO > Edit.
ii.      Lots of Buttons > Click New > Call it WSUS > Edit.
3.      Navigate to Computer Configuration > Administrative Templates >Windows Components > Windows Update. On the right pane locate "Configure Automatic Updates" and right click it, select properties.
4.      Select Enabled, in the first drop down box you set the action for the updates, I prefer not to frighten my users so I select "4 - Auto download and schedule the install" you can now set the schedule, by default it's set to 0300 which isn't any good if all your PCs are shut down at that time (set it to 1400 or something more sensible)
5.      Click "Next Setting" > Enable > in both boxes type the URL of your WSUS server (i.e. Http://:8530). Then click "Next Setting" > if you see an "enable client side targeting" properties page click "Next Setting", the next screen should ask for a wait period after start-up for the updates to run, select Enabled and enter 5 minutes.
6.      Click "Next Setting" this comes in to play if an update requires a reboot, for an explanation click the "Explain" tab, I set this to Enable. That means it will inform the user but not reboot.
7.      Click Apply > OK > Then exit the policy editor.
8.      You can force the policy to take effect, by clicking..
i.      XP, Vista and server 2003: Start > run > gpupdate /force {enter}
ii.      2000: Start > run > SECEDIT /REFRESHPOLICY MACHINE_POLICY /ENFORCE

You can test to see if they have applied by right clicking "My computer" > Properties > Automatic Updates, and the time you set in policy should be shown and all the options "greyed out"


Create some groups and move your PC's into them.

As with previous versions of SUS, WUS, and WSUS, as new PC's are detected they get put in "Unassigned computers". I suggest you create some groups - in my case I create a "Live" Group and a "Test" Group, that way I can test the updates on a few PC's (The ones in my office) before I fire them at everyone.

To Create a Group

1.      Open the WSUS admin console.
2.      Expand > Update Services >{ server name} > Computers > All computers > Right Click > Add computer group > Give it a name > Add > Repeat as necessary i.e. You might want to create groups for servers, or exchange servers, or web servers, etc.
If you're running through this your PC's may not have reported yet so to find them do the following.
1.      Open the WSUS admin console.
2.      Expand > Update Services >{ server name} > Computers > All computers > Unassigned Computers > Change the Status Drop down to "Any" and click Refresh.
3.      To move them to the group you created simply right click them and select "Change Membership" > Then select the appropriate group > OK.
 
Send out the updates.

Unless you approve the updates to be sent out, nothing will happen, the WSUS server just logs everything and does some reports, before an update can be sent out to a client you need to approve it.

1.      Open the WSUS admin console.
2.      Expand > Update Services >{ server name} > Updates  > All Updates > Ensure the Approval drop down is set to "Unapproved" and click refresh.
3.      Select the updates you want to approve (Normal selection rules apply unlike earlier versions you can multiple select using the shift and control keys as required).
4.      Click "Approve" (it's on the far right window).
5.      Select the group you want to approve the update for (click the little down arrow).
6.      Select Approved for Install. > OK.
7.      Hopefully after the progress bar has finished it should have a long list of "Successes" > Click Close.
 

WARNING - I didn't write the updates, Microsoft did, if you approve something that breaks your clients then moan at them not me.

Force a Client update

On the client run the following batch file

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=cut below-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
@echo on
REM Stop the Automatic Updates service before clearing its cached detection state
net stop wuauserv
REM Delete the cached detection timers so the client runs a fresh detection after restart
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
net start wuauserv

@echo off
Echo This client will now check for updates on the WSUS Server.
Echo Wait at least 30 minutes then check C:\Windows\WindowsUpdate.log
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=cut above-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=



Problems

Troubleshoot from the client using the Client Diagnostics Tool
http://download.microsoft.com/download/9/7/6/976d1084-d2fd-45a1-8c27-a467c768d8ef/WSUS%20Client%20Diagnostic%20Tool.EXE
Other Diagnostic tools
http://technet.microsoft.com/en-us/wsus/bb466192.aspx

Machines are not importing

Make sure the URL that's defined in the group policy is the FQDN of the WSUS Server.
Try removing the port number from the URL specified in Group Policy (sometimes it's set up on Port 80 and tells you it hasn't).

Regards,

PeteLong
0
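
The client-side result of the "Point the clients to the WSUS Server" steps can be checked from the registry values the GPO writes. The script below is an added example, not part of the original answer: it compares those values against what the steps above configure (same URL in both boxes, FQDN, option 4). The server name `wsus01.corp.example` and the function name are hypothetical, and PowerShell has to be installed separately on XP/Server 2003.

```powershell
# Added example, not part of the original answer. Read-only.
$ExpectedUrl = 'http://wsus01.corp.example:8530'   # assumption: your WSUS URL

function Test-WsusClientPolicy {                    # hypothetical helper name
    param($WU, $AU, [string]$ExpectedUrl)
    if (-not $WU -or -not $WU.WUServer) {
        return 'No WUServer value: the WSUS GPO has not applied to this machine'
    }
    $issues = @()
    # Both boxes of "Specify intranet Microsoft update service location" should match
    if ($WU.WUServer -ne $WU.WUStatusServer) {
        $issues += "WUServer '$($WU.WUServer)' and WUStatusServer '$($WU.WUStatusServer)' differ"
    }
    if ($WU.WUServer -ne $ExpectedUrl) {
        $issues += "WUServer is '$($WU.WUServer)', expected '$ExpectedUrl'"
    }
    # The troubleshooting section asks for the FQDN of the WSUS server in the URL
    $uri = $null
    if (-not [Uri]::TryCreate([string]$WU.WUServer, [UriKind]::Absolute, [ref]$uri)) {
        $issues += 'WUServer is not a valid absolute URL'
    } elseif ($uri.Host -notmatch '\.') {
        $issues += "Host '$($uri.Host)' is a short name, not an FQDN"
    }
    if (-not $AU -or $AU.UseWUServer -ne 1) {
        $issues += 'UseWUServer is not 1: the client ignores the WSUS URL'
    }
    if (-not $AU -or $AU.AUOptions -ne 4) {
        $issues += "AUOptions is '$($AU.AUOptions)', expected 4 (auto download and schedule the install)"
    }
    $issues
}

# Constructed sample (not from a real machine): short host name, status URL missing the port
$sampleWU = New-Object PSObject -Property @{ WUServer = 'http://wsus01:8530'; WUStatusServer = 'http://wsus01' }
$sampleAU = New-Object PSObject -Property @{ UseWUServer = 1; AUOptions = 4 }
Test-WsusClientPolicy $sampleWU $sampleAU $ExpectedUrl | ForEach-Object { "SAMPLE: $_" }

# Live check of the local client
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue
$live = @(Test-WsusClientPolicy $wu $au $ExpectedUrl)
if ($live.Count -eq 0) { 'LOCAL: policy values match' } else { $live | ForEach-Object { "LOCAL: $_" } }
```
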
 
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 250 total points
ID: 24035533
0
 

Author Comment

by:ashjuv
ID: 24036218
thanks, if these workstations don't show hundred percent sooner than later then I am going to come back and ask another question.

thanks for all your help
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 24046561
I appreciate your desire to stick with one question for one answer. Supplying a quick how-to guide was your original question, but we all have configured WSUS servers and know there are most likely stragglers that don't sign in. In my opinion, no real need to ask another question.

You have a couple of my favorite techs on this question that could quickly respond to helping you with WSUS stragglers. I think one of us could help you resolve any remaining issues pretty quickly.

0
 
LVL 57

Expert Comment

by:Pete Long
ID: 24052510
- Won't be me - I'm useless :)
 
 
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 24066580
ThanQ
0
