Good WSUS Set up guide

Hi Guys, im looking to deploy and configure WSUS on a new server and was wondering what would be the best way to configure. We have a mix of XP win 7, 2008 and 2003 + Citrix servers.

Thanks in advance
LVL 15
cwstad2Asked:
Who is Participating?
 
MaheshConnect With a Mentor ArchitectCommented:
For clients,
If update required reboot, client will restart, it by design. You can enable No auto-restart with logged-on users for scheduled automatic updates installations setting and  Automatic Updates does not automatically restart a computer during a scheduled installation if a user is logged on to the computer. Instead, Automatic Updates notifies  the logged-on user to restart the computer to complete the installation

For servers,
configure option 4 and scheduled installation at non-working hours, in this case updates will automatically install, and if it's require reboot servers will reboot and you need to make sure that servers moved in ON-LINE state after reboot
OR
configure option 3 ( by default option) so in this case update will be automatically downloaded, but not installed , so you can choose time to install updates by yourself

Actually for servers I prefer to install updates on servers with option 3 in batches in coordination with there dependencies  because I wanted the servers to be rebooted in the presence of IT administrators so that post reboot checks can be performed

Check below link for some more information
http://community.spiceworks.com/how_to/show/1390-wsus-gpo-settings-for-the-real-world

Mahesh.
0
 
MaheshArchitectCommented:
Its standard step by step process

Check s for step by step
http://www.petenetlive.com/KB/Article/0000592.htm
http://technet.microsoft.com/library/dd939822(WS.10).aspx

Let us know if you have any specific questions

Above guides will answer most of questions
0
 
cwstad2Author Commented:
hi I have already set up the software but is there a configuration which you guys use, especially when configuring groups

thanks
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
MaheshArchitectCommented:
Specify how to assign computers to computer groups. There are two options: server-side targeting and client-side targeting. With server-side targeting, you manually add each computer to its group. With client-side targeting, you automatically assign the computers by using either Group Policy or registry keys

Server-side targeting - Easy for small numbers of clients, doesn't require that clients can process group policy. Administratively burdensome for large numbers of clients or for clients that change roles and need to have their client group membership dynamically updated. For non-domain-joined clients this is the easiest way to get them into client groups.

Client-side targeting - Requires that clients either be able to process Group Policy (i.e. a member of a domain) Works well if you plan on having client group membership change based on moving the AD object that represents the client between OUs (move from "Staging" to "Production" OUs for new system deployments and want client group membership to change automatically).

I use both at different Customer sites. I find server-side targeting more flexible insofar as making "quick changes" (because I don't have to mess w/ Group Policy and I can see the results of my changes reflected immediately), but client-side targeting will require GPO to be updated to reflect the changes

If your environment is big, you should use client side targeting to avoid manual work
Check below links for more info, in reality its your choice.
http://prajwaldesai.com/how-to-configure-client-side-targeting-in-wsus/
http://technet.microsoft.com/fr-fr/library/cc708574(v=ws.10).aspx

Mahesh.
0
 
cwstad2Author Commented:
Thanks. If there are other wsus servers in other offices, do they need to be individually configured

thanks
0
 
MaheshArchitectCommented:
You can have separate WSUS servers at branches \ offices and then you need to create GPOs on OU basis (Where your location computer resides) which tells machine in branch to look for particular WSUS server (Branch WSUS Server)  

In case of update downloading, you can configure your branch WSUS servers to download updates from Hub WSUS server (Up stream server). Note that Hub site WSUS servers must be configured to fetch updates from internet via windows update

OR

you can download updates from internet via windows update directly


Mahesh
0
 
cwstad2Author Commented:
Great advice thanks. One last thing can the updates and reboots be configured to happen once a month I can only see days

thanks
0
 
MaheshArchitectCommented:
Unfortunately there is no option to set for months

What you can do, you can keep schedule install may be on every Monday and after 1st week just unlink policy from OU may be for next TWO \ THREE weeks

Again when next month will come enable GPO link

In reality MS is publishing patches every Tuesday

Mahesh
0
 
cwstad2Author Commented:
Thanks does that mean that if there are any new updates each tuesday that the servers will reboot?
0
 
MaheshArchitectCommented:
Why, reboot is not mandatory for every update and you can suppress server reboot with same WSUS group policy
Check all settings under computer configuration\administrative templates\windows components\windows update in WSUS policy

Mahesh.
0
 
cwstad2Author Commented:
I wish I could give you more thank 500 points as you've been more than helpful. as a last note what do you specify in your GP for the servers and clients.

Thanks
0
 
cwstad2Author Commented:
awesome thank you
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.