Solved

Multiple WSUS servers

Posted on 2012-03-29
Last Modified: 2012-04-03
Our admin gave our risk dept access to a WSUS server for patch mgmt assurance. A couple of questions:

1) If we run an MBSA report on our PC, it lists the WSUS server at the top of the report. The name of the WSUS server is different from the one we log in to to view WSUS reports. Will both WSUS servers be reporting the same thing? How can I check?

2) Are the default reports in WSUS reporting machines out of date based on those patches the WSUS admin has approved, or out of date based on those patches MS has released? I.e., what's it using as its benchmark to determine out-of-date machines: the admin's approved list, or the MS released list?

3) How can we check every workstation and server in the domain is showing up in the WSUS server?
Question by:pma111
17 Comments
 
LVL 47

Accepted Solution

by:
Donald Stewart earned 500 total points
ID: 37782042
You may be looking at a Replica WSUS server

http://technet.microsoft.com/en-us/library/cc708511%28v=ws.10%29.aspx

Both options explained here(Replica and Autonomous)
http://technet.microsoft.com/en-us/library/dd939820%28v=ws.10%29.aspx
0
 
LVL 3

Author Comment

by:pma111
ID: 37782059
How can we tell if it's a replica server?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 37782092
Within the WSUS console, click on Options>>>Update Source


"Synchronize from another Windows Update Services Server" would be checked
0
 
LVL 3

Author Comment

by:pma111
ID: 37782113
I only have reporter access so I can't see options.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 37782177
Reporting still allows you to view the options selected, it just doesn't allow you to make changes.
0
 
LVL 3

Author Comment

by:pma111
ID: 37782184
I can't see where you mean, could you provide a screenshot?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 37782196
[Screenshot: wsus]
0
 
LVL 3

Author Comment

by:pma111
ID: 37782223
Ok got to that screen - but what field am I looking for?
0

 
LVL 47

Expert Comment

by:Donald Stewart
ID: 37782245
What is selected?

"Synchronize from Microsoft"

Or

"Synchronize from another Windows Update Services Server" (Replica/Downstream)
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 37782257
Autonomous mode: An upstream WSUS server shares updates with its downstream server or servers during synchronization, but not update approval status or computer group information. Downstream WSUS servers must be administered separately. Autonomous servers can also synchronize updates for a set of languages that is a subset of the set synchronized by their upstream server.

Replica mode: An upstream WSUS server shares updates, approval status, and computer groups with its downstream server or servers. Downstream replica servers inherit update approvals and cannot be administered apart from their upstream WSUS server.

http://technet.microsoft.com/en-us/library/cc720448%28v=ws.10%29.aspx
0
 
LVL 3

Author Comment

by:pma111
ID: 37782295
Sync from Microsoft is selected.
0
 
LVL 3

Author Comment

by:pma111
ID: 37782309
If of any relevance, the MBSA reports a server in WSUS server that seems to relate to SCCM. Does SCCM "call" a WSUS server to do its thing, as opposed to doing the actual patching?
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 37783567
Yes, SCCM uses WSUS.

Things to Know About the Software Update Point (explaining WSUS Integration)

http://blogs.technet.com/b/umeno/archive/2012/01/19/1159715.aspx
0
 
LVL 3

Author Comment

by:pma111
ID: 37786075
Thanks. Excuse my ignorance, but what does "sync from Microsoft is selected" actually tell me about replica/autonomous?
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 37786965
sync from microsoft is selected

This means that you are only using WSUS to approve/deny updates but not downloading the files themselves; each client will check with WSUS to find out what updates it needs and then download that update from Microsoft. In a small environment where bandwidth is not a problem but disk space is a priority, this is the preferred scenario. In a large organization, downloading only 1 copy over the internet at the expense of disk space may be an overriding criterion. In a LOW speed/low bandwidth internet scenario it would also be beneficial.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 37787427
"This means that you are only using WSUS to approve/deny updates but not downloading the files themselves each client will check with wsus to find out what updates it needs and then download that update from microsoft."


ABSOLUTELY WRONG!!

An organization can have one or more WSUS servers. Using multiple WSUS servers allows you to scale WSUS in a large organization. If the organization uses multiple WSUS servers, one of the servers will act as the upstream WSUS server (the remaining servers are downstream servers). You use the upstream server to specify the updates that you want to synchronize with Microsoft Update. The upstream WSUS server should have the IUpdateServerConfiguration.SyncFromMicrosoftUpdate configuration setting set to true.

Downstream servers synchronize updates from the upstream WSUS server. There are two forms of downstream servers: autonomous and replica. An autonomous server synchronizes the same updates as the upstream server; however, it can create its own target groups and manage its own approvals.

http://msdn.microsoft.com/en-us/library/windows/desktop/ms744629%28v=vs.85%29.aspx

The "Store updates locally on this server" and "Do not store update files locally; Computers install from microsoft update" settings relate to bandwidth/storage... NOT synchronization.

http://technet.microsoft.com/en-us/library/cc708492%28v=ws.10%29.aspx
0
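
The three settings separated in the comment above (synchronization source, replica versus autonomous mode, and file storage) can be read from a server's `IUpdateServerConfiguration`. The following PowerShell is an added example, not part of the original thread; the helper name `Get-WsusRole`, the server name `wsus01.example.test`, the port and the sample objects are assumptions made for illustration.

```powershell
# Added example (not from the thread). Get-WsusRole is a hypothetical helper name.
# It reads IUpdateServerConfiguration properties and reports the synchronization
# role and the file-storage choice as two separate settings.
function Get-WsusRole {
    param([Parameter(Mandatory = $true)] $Config)

    if ($Config.SyncFromMicrosoftUpdate) {
        $role     = 'Upstream: synchronizes from Microsoft Update'
        $upstream = 'Microsoft Update'
    } else {
        $upstream = '{0}:{1}' -f $Config.UpstreamWsusServerName, $Config.UpstreamWsusServerPortNumber
        if ($Config.IsReplicaServer) {
            $role = 'Downstream replica: approvals and groups inherited from upstream'
        } else {
            $role = 'Downstream autonomous: own approvals and groups'
        }
    }
    # Storage is independent of the synchronization source.
    if ($Config.HostBinariesOnMicrosoftUpdate) {
        $storage = 'Not stored locally; clients install from Microsoft Update'
    } else {
        $storage = 'Update files stored locally on this server'
    }
    [pscustomobject]@{ Role = $role; SyncSource = $upstream; FileStorage = $storage }
}

# Constructed sample configurations (not real servers) so the logic runs offline.
$samples = @(
    [pscustomobject]@{ SyncFromMicrosoftUpdate = $true;  IsReplicaServer = $false
                       HostBinariesOnMicrosoftUpdate = $false
                       UpstreamWsusServerName = ''; UpstreamWsusServerPortNumber = 0 }
    [pscustomobject]@{ SyncFromMicrosoftUpdate = $false; IsReplicaServer = $true
                       HostBinariesOnMicrosoftUpdate = $false
                       UpstreamWsusServerName = 'wsus01.example.test'; UpstreamWsusServerPortNumber = 80 }
    [pscustomobject]@{ SyncFromMicrosoftUpdate = $false; IsReplicaServer = $false
                       HostBinariesOnMicrosoftUpdate = $true
                       UpstreamWsusServerName = 'wsus01.example.test'; UpstreamWsusServerPortNumber = 80 }
)
$samples | ForEach-Object { Get-WsusRole -Config $_ } | Format-List

# Live use, from a machine with the WSUS administration console installed
# (server name and port are placeholders):
# [void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
# $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('wsus01.example.test', $false, 80)
# Get-WsusRole -Config $wsus.GetConfiguration()
#
# The WSUS server a client is assigned to is held in the Windows Update policy key:
# Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' | Select-Object WUServer, WUStatusServer
```

Comparing the client's `WUServer` value with the server whose reports are being reviewed, and then checking that server's role, shows whether the two consoles share approvals (replica) or are managed independently (autonomous or a separate upstream).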
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 37787540
mea culpa, I had the 2 items mixed up.
0
