[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Good WSUS Set up guide

Posted on 2014-03-24
12
Medium Priority
?
507 Views
Last Modified: 2016-02-20
Hi Guys, im looking to deploy and configure WSUS on a new server and was wondering what would be the best way to configure. We have a mix of XP win 7, 2008 and 2003 + Citrix servers.

Thanks in advance
0
Comment
Question by:cwstad2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 6
12 Comments
 
LVL 38

Expert Comment

by:Mahesh
ID: 39951674
Its standard step by step process

Check s for step by step
http://www.petenetlive.com/KB/Article/0000592.htm
http://technet.microsoft.com/library/dd939822(WS.10).aspx

Let us know if you have any specific questions

Above guides will answer most of questions
0
 
LVL 15

Author Comment

by:cwstad2
ID: 39952430
hi I have already set up the software but is there a configuration which you guys use, especially when configuring groups

thanks
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 39952567
Specify how to assign computers to computer groups. There are two options: server-side targeting and client-side targeting. With server-side targeting, you manually add each computer to its group. With client-side targeting, you automatically assign the computers by using either Group Policy or registry keys

Server-side targeting - Easy for small numbers of clients, doesn't require that clients can process group policy. Administratively burdensome for large numbers of clients or for clients that change roles and need to have their client group membership dynamically updated. For non-domain-joined clients this is the easiest way to get them into client groups.

Client-side targeting - Requires that clients either be able to process Group Policy (i.e. a member of a domain) Works well if you plan on having client group membership change based on moving the AD object that represents the client between OUs (move from "Staging" to "Production" OUs for new system deployments and want client group membership to change automatically).

I use both at different Customer sites. I find server-side targeting more flexible insofar as making "quick changes" (because I don't have to mess w/ Group Policy and I can see the results of my changes reflected immediately), but client-side targeting will require GPO to be updated to reflect the changes

If your environment is big, you should use client side targeting to avoid manual work
Check below links for more info, in reality its your choice.
http://prajwaldesai.com/how-to-configure-client-side-targeting-in-wsus/
http://technet.microsoft.com/fr-fr/library/cc708574(v=ws.10).aspx

Mahesh.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 15

Author Comment

by:cwstad2
ID: 39955670
Thanks. If there are other wsus servers in other offices, do they need to be individually configured

thanks
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 39955709
You can have separate WSUS servers at branches \ offices and then you need to create GPOs on OU basis (Where your location computer resides) which tells machine in branch to look for particular WSUS server (Branch WSUS Server)  

In case of update downloading, you can configure your branch WSUS servers to download updates from Hub WSUS server (Up stream server). Note that Hub site WSUS servers must be configured to fetch updates from internet via windows update

OR

you can download updates from internet via windows update directly


Mahesh
0
 
LVL 15

Author Comment

by:cwstad2
ID: 39956373
Great advice thanks. One last thing can the updates and reboots be configured to happen once a month I can only see days

thanks
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 39956672
Unfortunately there is no option to set for months

What you can do, you can keep schedule install may be on every Monday and after 1st week just unlink policy from OU may be for next TWO \ THREE weeks

Again when next month will come enable GPO link

In reality MS is publishing patches every Tuesday

Mahesh
0
 
LVL 15

Author Comment

by:cwstad2
ID: 39958145
Thanks does that mean that if there are any new updates each tuesday that the servers will reboot?
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 39958182
Why, reboot is not mandatory for every update and you can suppress server reboot with same WSUS group policy
Check all settings under computer configuration\administrative templates\windows components\windows update in WSUS policy

Mahesh.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 39958260
I wish I could give you more thank 500 points as you've been more than helpful. as a last note what do you specify in your GP for the servers and clients.

Thanks
0
 
LVL 38

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 39958291
For clients,
If update required reboot, client will restart, it by design. You can enable No auto-restart with logged-on users for scheduled automatic updates installations setting and  Automatic Updates does not automatically restart a computer during a scheduled installation if a user is logged on to the computer. Instead, Automatic Updates notifies  the logged-on user to restart the computer to complete the installation

For servers,
configure option 4 and scheduled installation at non-working hours, in this case updates will automatically install, and if it's require reboot servers will reboot and you need to make sure that servers moved in ON-LINE state after reboot
OR
configure option 3 ( by default option) so in this case update will be automatically downloaded, but not installed , so you can choose time to install updates by yourself

Actually for servers I prefer to install updates on servers with option 3 in batches in coordination with there dependencies  because I wanted the servers to be rebooted in the presence of IT administrators so that post reboot checks can be performed

Check below link for some more information
http://community.spiceworks.com/how_to/show/1390-wsus-gpo-settings-for-the-real-world

Mahesh.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 39963656
awesome thank you
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question