• Status: Solved

Setting Up WSUS 3.0

I have a network with at least 300 computers. I want to use WSUS to control updates for my computers and servers. I have installed WSUS 3.0 on a W2k3 server running SP1. I am stuck as to how I should get the client computers to recognize and talk to my WSUS server.

I have been reading the help section in WSUS; it tells me I need to set up a separate Group Policy for each group that I create in WSUS. I don't want to mess up my current GPO settings.

I need help with the following:
-> Setting up a new Group Policy for WSUS computers without overriding the current Group Policies in place.
-> I have offices in 2 states. I want to set up 2 separate groups for my states. I know how to do that in WSUS. Does this mean that I will have to set up 2 separate GPOs for my states as well?
If that is the case, how can I set up 2 Group Policies for my states and ensure that computers in those locations recognize the correct GPO?
-> Once I set up the GPO, will my computers automatically be populated in the WSUS console?
-> How do I ensure that my servers are getting the correct updates, different from Windows XP?
-> If WSUS installs an update that has a bug or that affects my server, is there a way to roll back that action?

Thank you for your help.

Asked by: cchibonga
 
Henrik Johansson (Systems engineer) Commented:
Create GPOs for each WSUS group and either link each one to a specific OU or use security filtering so it only applies to a given group of computers.
\Computer Configuration\Administrative Templates\Windows Components\Windows Update\Enable client-side targeting

On the WSUS server, change the setting in the WSUS console:
\Options\Computers = Use Group Policy or registry settings on computers

When approving updates, you set which WSUS group the updates are approved for, so XP and Server 2003 machines will only install the updates that have been approved for the group the computers belong to.

If an update supports removal, it can be "approved for removal" to handle rollback.
 
JJClements Commented:
This explains how to configure clients for WSUS using Active Directory (Group Policy)

OR

by using a local policy on a machine:

http://articles.techrepublic.com.com/5100-22_11-5888918.html
 
cchibonga (Author) Commented:
Thanks henjo.
How do I add computers to the WSUS console?
 
JJClements Commented:
When clients attempt to update from your WSUS server they register and are added to the console automatically. You can then create groups and add computers to groups, giving better control over what updates are approved for what computers, e.g. classrooms, labs, offices etc.
 
Henrik Johansson (Systems engineer) Commented:
The clients are added automatically when connecting/reporting to the WSUS server.
Configure the following setting in the linked GPO to point out what server shall be used.

\Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location
 
cchibonga (Author) Commented:
Question Henjoh:
When I go to "Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location" it gives me an option to enter something. Should I type in the server name in both fields? For example, the server name is TestBox; should I type that in both fields?

Question JJClements:
After I create the GPO (say I am calling this GPO "WSUS gpo"), it has a "security filtering: this GPO applies to groups, and users etc." section. Should I add Authenticated Users or should I just add computers, since this GPO is specifically for computers only?

Guys:
How long do you think it will take before my computers start showing up in the WSUS console?

My concern is that in AD the computers group does not seem to have all the computers in our network. How do I ensure all the computers are being linked to this new WSUS GPO?

One other thing: do I need to install the WUAU22.msi on each client computer even though I am using GPO (http://articles.techrepublic.com.com/5100-22_11-5888918.html)? If I do, can you give me a link to that download? I could not find it on microsoft.com.

Thanks guys for your prompt reply.
 
NetPro70 Commented:
Here are some quick tips for your questions:

1) Type in "http://yourwsusservername" in both fields. Type in "http://yourwsusservername:tcpport" if you selected a port other than 80 during your installation.

2) As you have two sites, create two groups of computers (one for each site) and then filter by selecting the appropriate group for each site.

3) You can force a client to show up in WSUS with a delay of no longer than 5 minutes by typing the following commands at the client's console cmd: a) wuauclt /detectnow b) wuauclt /reportnow

4) Place your GPO as "high" as possible in your OU tree, so all clients should get it.
 
cchibonga (Author) Commented:
When I create the GPO it asks for security filters. Do I want to keep "authenticated users" in there or do I want to go with something else?
I am assuming this GPO is only for computers, so how do I make sure that it only applies to computers and not the users' settings?
 
Donald Stewart (Network Administrator) Commented:
Here's an easy guide to follow:

Configuring the WSUS Client by Group Policy
 
cchibonga (Author) Commented:
Question dstewartjr:
I have followed the link you gave me and it was very informative. I had one question though; maybe it's because I am still trying to get a handle on how GPO works. I created my GPO called WSUS GPO using gpmc.msc. Now when I click on my WSUS GPO in gpmc, on the right side I have "Links" that says "the following sites, domains, and OUs are linked to this GPO:"; currently this option is empty. In my other GPOs the domain name of my company is appearing under location in that option. My question: should I leave it empty or should I include my domain name under location? If so, how do I link this GPO to whatever it needs to be linked to?

2. Under the same WSUS GPO, on the right side after clicking on it, I have an option "security filtering"; it has by default "authenticated users" in there. Should I keep it that way?

Thanks guys.
 
Donald Stewart (Network Administrator) Commented:
1. You should right-click on either your domain or OU (on the left) and link this GPO to it.

2. Yes, keep it that way; the "domain computers" are members of the "authenticated users" group.
 
cchibonga (Author) Commented:
I have done everything as the article says but I cannot see my computers in the WSUS console yet. Is there something I need to do to make sure they get in there?
 
NetPro70 Commented:
Check "gpresult" from a DOS box on a client to see if your WSUS GPO is received correctly.
 
cchibonga (Author) Commented:
When I run "gpresult" I only see 3 group policies that have been applied, and the new GPO has not been applied. Is there something that I need to do to ensure it is applied?
I can clearly tell that the GPO I created for WSUS has not been applied. Is there something I can do?
 
NetPro70 Commented:
If it is not applied, the client is not in the correct OU!
 
cchibonga (Author) Commented:
I applied the GPO object to the domain. So I went into gpmc and right-clicked my domain and linked the GPO to the domain.
I figured that would have done it but it is not working. Can you show me how to ensure that this applies to all OUs? I assumed applying it to the domain would cause all OUs to inherit these GPOs.
 
NetPro70 Commented:
Create a test OU and link the WSUS GPO only to the test OU. Then move a test computer into the test OU and run "gpupdate /force" on the test PC.
 
cchibonga (Author) Commented:
The weird thing about my setup is that I have a computers group in my Active Directory that shows all the computers, but for some reason when I open gpmc I do not see it there, so I am unable to apply the GPO to that group that already has my computers.

Now if I have to create a new OU and then manually move my computers to that GPO, that will not be efficient. I was hoping that linking this GPO to the domain would take care of that.
 
cchibonga (Author) Commented:
I created an OU and moved it over but that did not help either.
 
NetPro70 Commented:
You cannot apply policies to the standard computers OU by design! Always create a company OU with subfolders for your computers and users.
 
cchibonga (Author) Commented:
Anyone with any other ideas on how to fix this policy issue? I know I created a policy way back called domain policy in which I set up users' passwords to expire after 90 days. I don't quite remember how I did it but it worked immediately. This Group Policy object I created for WSUS does not even seem to show up.

When I run gpresult on my laptop it says the WSUS GPO was being filtered out. When I run gpresult on another Windows PC the WSUS GPO does not even show up there.
 
Donald Stewart (Network Administrator) Commented:
Let's see a screenshot of this newly created WSUS GPO.
 
cchibonga (Author) Commented:
When I do gpresult here is what I am getting:
RSOP results for gogo\peter on VALUED-0243CCA1 : Logging Mode
---------------------------------------------------------------------
 
OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 gogo
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\peter.gogo
Connected over a slow link?: Yes
 
 
COMPUTER SETTINGS
------------------
    CN=VALUED-0243CCA1,CN=Computers,DC=gogo,DC=local
    Last time Group Policy was applied: 4/24/2009 at 3:49:45 PM
    Group Policy was applied from:      hq-dc3.gogo.local
    Group Policy slow link threshold:   500 kbps
 
    Applied Group Policy Objects
    -----------------------------
        domain policy
        Default Domain Policy
        Local Group Policy
 
    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        SQLServer2005MSFTEUser$VALUED-0243CCA1$MSSQLSERVER
        SQLServer2005MSSQLUser$VALUED-0243CCA1$MSSQLSERVER
        SQLServer2005SQLAgentUser$VALUED-0243CCA1$MSSQLSERVER
        SQLServer2005SQLBrowserUser$VALUED-0243CCA1
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        VALUED-0243CCA1$
        Domain Computers
 
 
USER SETTINGS
--------------
    CN=peter pan,OU=IT,OU=gogo of china,DC=gogo,DC=local
    Last time Group Policy was applied: 4/24/2009 at 3:49:45 PM
    Group Policy was applied from:      hq-dc3.gogo.local
    Group Policy slow link threshold:   500 kbps
 
    Applied Group Policy Objects
    -----------------------------
        N/A
 
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        WSUS
            Filtering:  Disabled (GPO)
 
        Local Group Policy
            Filtering:  Not Applied (Empty)
 
    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Admins
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        Exchange Domain Servers
        Exchange Services
        APPLIED
        Domain Controllers
        DnsUpdateProxy
        Intranet Admins
        Domain Users
        Enterprise Admins
        BOSSAssistUsers
        DnsAdmins
        Exchange Enterprise Servers

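A small parser for the gpresult output above, added here as an example (it is not code from any poster in this thread): for each scope it reports whether a named GPO was applied, filtered out (with gpresult's stated reason) or absent, and whether the object sits directly under a CN= container such as CN=Computers, to which a GPO cannot be linked directly. The sample text is constructed by trimming the posted output, and the function names are illustrative.

```python
import re

# Constructed sample: the gpresult output posted above, trimmed to the relevant lines.
SAMPLE = """\
COMPUTER SETTINGS
------------------
    CN=VALUED-0243CCA1,CN=Computers,DC=gogo,DC=local
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
USER SETTINGS
--------------
    CN=peter pan,OU=IT,OU=gogo of china,DC=gogo,DC=local
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        WSUS
            Filtering:  Disabled (GPO)
"""

def parse_gpresult(text):
    """Parse gpresult text into {"COMPUTER"/"USER": {"dn", "applied", "filtered"}}."""
    lines = [l.strip() for l in text.splitlines()] + [""]
    scopes, cur, section, last = {}, None, None, None
    for line, nxt in zip(lines, lines[1:]):
        if not line or set(line) == {"-"}:
            continue
        if nxt and set(nxt) == {"-"}:  # a heading is underlined with dashes
            m = re.match(r"(COMPUTER|USER) SETTINGS$", line)
            if m:
                cur = scopes[m.group(1)] = {"dn": None, "applied": [], "filtered": {}}
            section = ("dn" if m else "applied" if line.startswith("Applied Group Policy")
                       else "filtered" if "filtered out" in line else None)
        elif cur is None or section is None:
            continue
        elif section == "dn" and line.startswith("CN="):
            cur["dn"] = line
        elif section == "applied" and line != "N/A":
            cur["applied"].append(line)
        elif section == "filtered" and line.startswith("Filtering:"):
            cur["filtered"][last] = line.split(":", 1)[1].strip()
        elif section == "filtered":
            last = line  # GPO name; its "Filtering:" reason follows on the next line
    return scopes

def gpo_state(scopes, scope, gpo):
    """Return 'applied', 'filtered: <reason>' or 'not in scope' for one GPO."""
    if gpo in scopes[scope]["applied"]:
        return "applied"
    reason = scopes[scope]["filtered"].get(gpo)
    return f"filtered: {reason}" if reason else "not in scope"

def in_default_container(dn):
    """True if the parent is a CN= container (naive split; escaped commas not handled)."""
    return dn.split(",")[1].strip().upper().startswith("CN=")
```

A GPO that comes back "not in scope" on the COMPUTER side was not evaluated for that computer at all, which points at linking, inheritance or a policy refresh that has not happened yet rather than at security filtering.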
 
Donald Stewart (Network Administrator) Commented:
Do you have the Computer configuration section of the WSUS policy disabled? Is the link enabled to the OU?
 
DAMAdmin Commented:
Here is how you should set up WSUS using GPO. Have two groups: one for preliminary testing and the other one for the rest of the updates. That way you can test the updates before applying them to your environment. Just create groups in AD and link them. Change the date from Monday (preliminary) to Thursday for the rest of your computers.

Policy: Setting
Allow Automatic Updates immediate installation: Enabled
Automatic Updates detection frequency: Enabled
    Check for updates at the following interval (hours): 12
Configure Automatic Updates: Enabled
    Configure automatic updating: 4 - Auto download and schedule the install
    The following settings are only required and applicable if 4 is selected.
    Scheduled install day: 2 - Every Monday
    Scheduled install time: 03:00
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box: Enabled
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box: Enabled
Enable client-side targeting: Enabled
    Target group name for this computer: WSUS Approved
No auto-restart with logged on users for scheduled automatic updates installations: Enabled
Re-prompt for restart with scheduled installations: Disabled
Specify intranet Microsoft update service location: Enabled
    Set the intranet update service for detecting updates: http://<servername>
    Set the intranet statistics server: http://<servername>
    (example: http://IntranetUpd01)
 
Donald Stewart (Network Administrator) Commented:
DAMAdmin,

We've already gotten this far, if you would have read the other comments.

The author is now having trouble applying the GPO to clients.
 
DAMAdmin Commented:
How is it that I always run into you? I know... if I see your name on any post, I will just not even touch it. Does that work for you?

Your comments seem to always put people down: "We've already gotten this far, if you would have read the other comments."

Disregard my comment. I thought the question was on how to set up WSUS using GPO.
 
cchibonga (Author) Commented:
Response to destewart:
No, I do not have computer configuration disabled. Yes, the link is enabled to the OU. I created an OU and moved my computer to that OU. I did a gpupdate.

Response to DAMAdmin:
Thanks for the info; I like the part about setting a test group. I have done all those steps. I have no problem with creating the GPO; my biggest problem is applying the GPO and getting my computers to recognize it. Can you help with that?
I have done everything: linking, enabling the GPO etc., but it will not see this WSUS policy.

Do I need to apply the policy to an OU with users as well as an OU with computers only, like that? Because I applied it to my domain thinking that covers all my bases since the OU is under the domain. My main OUs with users both have the blue exclamation mark on them when I open the gpmc.
I assume that is blocking inheritance but that should not affect the WSUS policy.
 
Donald Stewart (Network Administrator) Commented:
I'm not trying to shoot anyone down, but when a comment is made that has already been covered it helps to point it out so that all the experts are on the same page.
 
Donald Stewart (Network Administrator) Commented:
If the computers are in the OUs with block inheritance, this will be what the problem is.
 
cchibonga (Author) Commented:
Does it matter if the WSUS policy is not applied to the OU that the user who is logging on to the computer is a member of? E.g. user 1 is a member of OU A and his computer is a member of OU B. Does the policy have to be applied to both OU A and B?

Thanks.
 
Donald Stewart (Network Administrator) Commented:
WSUS has nothing to do with users in any capacity (it is a computer GPO); you should apply it to the highest level so that all computers get the settings.
 
cchibonga (Author) Commented:
What would happen if I went ahead and applied these new WSUS settings on an already recognized policy like the Default Domain Policy, just to see how it would work, then tried to apply another policy later on that is specifically for WSUS?
I am coming to my wits' end so I am open to trying some other extreme options.
 
Donald Stewart (Network Administrator) Commented:
It should apply no problem; maybe this will help you out better:

Beginners Admin FAQ for Windows Software Update Services

It's a little older link, but 99% of it still applies.
 
cchibonga (Author) Commented:
Guys, I appreciate all your help. I ended up just setting up Group Policy for computers to get updates straight from Microsoft. Thank you for all your help.
 
cchibonga (Author) Commented:
I ended up going with a different, alternate solution other than what was presented here.
 
Suliman Abu Kharroub (IT Consultant) Commented:
Hello Experts,

Most of the accepted links do not work.

Please help.
 
Donald Stewart (Network Administrator) Commented:
Whenever you have a link that doesn't work, try Archive.org

http://web.archive.org/web/20080505072038/http://www.vbshf.com/vbshf/wsus/wsus_faq.htm
 
Suliman Abu Kharroub (IT Consultant) Commented:
Thank you very much for the great knowledge :)
 
Donald Stewart (Network Administrator) Commented:
You're welcome
