Solved

Good WSUS Set up guide

Posted on 2014-03-24
12
473 Views
Last Modified: 2016-02-20
Hi Guys, im looking to deploy and configure WSUS on a new server and was wondering what would be the best way to configure. We have a mix of XP win 7, 2008 and 2003 + Citrix servers.

Thanks in advance
0
Comment
Question by:cwstad2
  • 6
  • 6
12 Comments
 
LVL 36

Expert Comment

by:Mahesh
ID: 39951674
Its standard step by step process

Check s for step by step
http://www.petenetlive.com/KB/Article/0000592.htm
http://technet.microsoft.com/library/dd939822(WS.10).aspx

Let us know if you have any specific questions

Above guides will answer most of questions
0
 
LVL 15

Author Comment

by:cwstad2
ID: 39952430
hi I have already set up the software but is there a configuration which you guys use, especially when configuring groups

thanks
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 39952567
Specify how to assign computers to computer groups. There are two options: server-side targeting and client-side targeting. With server-side targeting, you manually add each computer to its group. With client-side targeting, you automatically assign the computers by using either Group Policy or registry keys

Server-side targeting - Easy for small numbers of clients, doesn't require that clients can process group policy. Administratively burdensome for large numbers of clients or for clients that change roles and need to have their client group membership dynamically updated. For non-domain-joined clients this is the easiest way to get them into client groups.

Client-side targeting - Requires that clients either be able to process Group Policy (i.e. a member of a domain) Works well if you plan on having client group membership change based on moving the AD object that represents the client between OUs (move from "Staging" to "Production" OUs for new system deployments and want client group membership to change automatically).

I use both at different Customer sites. I find server-side targeting more flexible insofar as making "quick changes" (because I don't have to mess w/ Group Policy and I can see the results of my changes reflected immediately), but client-side targeting will require GPO to be updated to reflect the changes

If your environment is big, you should use client side targeting to avoid manual work
Check below links for more info, in reality its your choice.
http://prajwaldesai.com/how-to-configure-client-side-targeting-in-wsus/
http://technet.microsoft.com/fr-fr/library/cc708574(v=ws.10).aspx

Mahesh.
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
LVL 15

Author Comment

by:cwstad2
ID: 39955670
Thanks. If there are other wsus servers in other offices, do they need to be individually configured

thanks
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 39955709
You can have separate WSUS servers at branches \ offices and then you need to create GPOs on OU basis (Where your location computer resides) which tells machine in branch to look for particular WSUS server (Branch WSUS Server)  

In case of update downloading, you can configure your branch WSUS servers to download updates from Hub WSUS server (Up stream server). Note that Hub site WSUS servers must be configured to fetch updates from internet via windows update

OR

you can download updates from internet via windows update directly


Mahesh
0
 
LVL 15

Author Comment

by:cwstad2
ID: 39956373
Great advice thanks. One last thing can the updates and reboots be configured to happen once a month I can only see days

thanks
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 39956672
Unfortunately there is no option to set for months

What you can do, you can keep schedule install may be on every Monday and after 1st week just unlink policy from OU may be for next TWO \ THREE weeks

Again when next month will come enable GPO link

In reality MS is publishing patches every Tuesday

Mahesh
0
 
LVL 15

Author Comment

by:cwstad2
ID: 39958145
Thanks does that mean that if there are any new updates each tuesday that the servers will reboot?
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 39958182
Why, reboot is not mandatory for every update and you can suppress server reboot with same WSUS group policy
Check all settings under computer configuration\administrative templates\windows components\windows update in WSUS policy

Mahesh.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 39958260
I wish I could give you more thank 500 points as you've been more than helpful. as a last note what do you specify in your GP for the servers and clients.

Thanks
0
 
LVL 36

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39958291
For clients,
If update required reboot, client will restart, it by design. You can enable No auto-restart with logged-on users for scheduled automatic updates installations setting and  Automatic Updates does not automatically restart a computer during a scheduled installation if a user is logged on to the computer. Instead, Automatic Updates notifies  the logged-on user to restart the computer to complete the installation

For servers,
configure option 4 and scheduled installation at non-working hours, in this case updates will automatically install, and if it's require reboot servers will reboot and you need to make sure that servers moved in ON-LINE state after reboot
OR
configure option 3 ( by default option) so in this case update will be automatically downloaded, but not installed , so you can choose time to install updates by yourself

Actually for servers I prefer to install updates on servers with option 3 in batches in coordination with there dependencies  because I wanted the servers to be rebooted in the presence of IT administrators so that post reboot checks can be performed

Check below link for some more information
http://community.spiceworks.com/how_to/show/1390-wsus-gpo-settings-for-the-real-world

Mahesh.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 39963656
awesome thank you
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn about cloud computing and its benefits for small business owners.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question