Solved

WSUS recommeded set up

Posted on 2014-04-09
11
417 Views
Last Modified: 2016-02-20
Hi guys, i have inherited a WSUS system that makes no sense as its split up into 4 different tiers and also split the citrix server into 2 different groups and also 2 for the DC. Is this a recommeded set up? The environment had a mix of about 400 clients mix of xp and windows 7 and about 300 servers. Can anybody recommed a standard set up. Also ive been reading about not letting WSUS take care of the reboots and using a script. Is it possible only to install the patches once a month and reboot via script? Any ideas welcome.

Thanks
0
Comment
Question by:cwstad2
  • 6
  • 5
11 Comments
 
LVL 35

Expert Comment

by:Bembi
ID: 39990095
I don't really understand the "splitt up". WSUS has the base functionality to offer updates, than you can confirm them to install and assign them to groups of clients.

As several systems have several needs, it is a good idea to build up some groups and to assign your machine to groups. This way you can confirm updates not only to differnt groups of computers, you can even control the behaviour, how they react.

A WIn7 Update you can assign to a WIn7 group, so that only such systems get the update and second you control when the update is assigned.

With some GPOs on the other side, you control the assignement und update process. For server a manual reboot is usually recommended while clients can take the updates and directly install them.

So, a separation happens on two levels, one separation of the machines in WSUS and a second one to devide the machines via GPOs to control the behaviour.

When you assing an update in WSUS, the next step is to control via GPO, when and how the update is instlaled and also if the computer is allowed to reboot automatically of only by hand.

Servers should usually not reboot automatically while clients usuall can. Any unexpected reboot may break funcrionality, at least for some time and should be controlled. Also GPOs allows to control, if the user can delay a reboot or if it is forced.

In WSUS you control via approval, which updates should be installed and also when they should be applied. As it is sometimes a good idea to wait some days, especially for servers, keep them speperate and apply only updates, you are sure they work as expected.

Also seperating groups of serves or clients reduce the need of checking ever update for every machine. Even if an update is limited to an OS or a service, if generally applied the client has to check, if it should be installed what produces overhead. Means an update for SQL server ou apply only to a comuter groups ehich contails computers with SQL installed.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 39992673
Thanks, do you use scripts for the reboots?
0
 
LVL 35

Expert Comment

by:Bembi
ID: 39992861
NO, I just make sure via GPO's that servers never boot from alone. They just inform, that there are updates and I choose to install and then possibly reboot, when I can do it.

OK, this is some handwork to control it, but I prefer to controll myself when to reboot servers. Especially in virtualized environments (like mine), an uncontrolled reboot especially of the host systems can produce some strange effects. Even if too much machines installs and reboots in a short timeframes, the load on the system can extremely heavy.

For the clients, I setup via GPOs that the client can choose, if the machine should reboot. The user can deny, so it will happen with the regular shutdown.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 39993460
Thanks I have 350 servers so not so good for manual. If possible can you send me the settings for your GPO. I really appreciate your help
0
 
LVL 15

Author Comment

by:cwstad2
ID: 39996394
Hi Bembi, this is the set up that my predecessor had set up with the tiers. I dont know why this had been set up like this. Is this something common to a typical WSUS set up?
Capture.PNG
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 
LVL 35

Expert Comment

by:Bembi
ID: 39997232
Typical is the right word, the questions is more "senseful"

There are two parts as I said, the GPO, which determines usually the path to the WSUS, the reboot options (automatic / manual) and possibly the install time (+- the variance of intaller service).

The other part is the WSUS, while the WSUS can be similar organized like the GPOs.

You have a "test group" folder, possibly with some machines, to which the updates are applied first to isolate possible issues. The the servers are devided into several tiers, maybe there are also devided in the GPO structure to different times. Another options is devide them into critical and non critical machines, or even devided following a network infrastructure or host systems or other criterias.

I.e. if you have several servers, which are using a kind of failover configuration, it make sense to update them in two sequences, first the one, than the other.
Other reasons may be just load, to avoid that too many machines are updating / rebooting in a small timeframe on the same virtualisation host, on the same network or whatever.

To understand, why this seperation is made, you have to understand the GPOs behind it. To reduce handwork (to assign an update to several tiers at different times) GPOs can be used for every tier with a different install time, so you can apply the updates at once, but the installations happen at different times.

So, to say if it is senseful of not depends on all factors, your infrastructure, the WSUS with the machines in the different folders and the GPOs behind it. If you combine them together, you should be able to find out, what was the original idea behind the structure you have taken over.

But in general, if you have 350 servers, it makes absolutely sense to seperate them to avoid heavy load in a short time frame.
Maybe a map helps, indentify the servers and clients, the subnets they belong to, the virtual hosts they are running on and the GPO structure with the settings, the machines take.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 39997240
Thanks for your detailed reply. I've checked the AD and i cant make sense of the WSUS Tiers as they are in a separate OU from the servers. Correct me if im wrong but if i had a Tier OU and applied the GP to that, i wold need to move the server into that OU. That means any that any policy that was on the server OU would be lost. What am i missing

thanks
ad.PNG
0
 
LVL 35

Expert Comment

by:Bembi
ID: 39997255
If you want to apply different GPOs to different server sets, you usually seperate them by different OUs and apply each policy to the according OU, so that the servers in one OU gets a differnt OU than servers in another OU. Tre other option is to use WMI filters to limit the GPO to servers which fits to the WMI filter (setup in the policy settings). But WMI filters are not the fastest and seperation via OU is better to keep the overview.

THe separation into several folders in WSUS make only sense if there is a kind of separation. Maybe you can check some of the servers just by policy resultset on the machines to find out, what policies they get.

Even you can check some of the install dates on the local machines, just pick out an older update and check, if the install date is the same or different.

If no GPOs are in effect, the seperation in WSUS can even make sense, but just a bit more handwork. YOu cann apply an update the first day to tier1, the sencond day to tier2 and so on, but handwork.

Maybe your predeccessor just had an idea for separation, but never finished it?
Or it is just struggled over the time as new servers came along and old ones were removed? Just a bit left over mess from the past?

If you can not get along what was the sense of the separation, you may define a new one and replace it. You can create new OUs with policies, new folders in WSUS and move the server from one OU to the other as well as from one WSUS forlder to the new one.
After moving, you can delete all the old stuff, at least this way you get it under your own control. Just be carefully as GPO structures can even be complicate, so use first some test machines an check the GPO results before you move production machines, just to make sure, you do not break something.  

O often have seen such ADs, where several changes are made over the time and all the old structures are left over and nobody took the time to clean it up.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 39997324
That makes sense the work was carried out over 12 months ago and left as currently is. One last thing do you auto approve for clients. If so how do you treat the internet explorer updates, as some users need to stay on older IE version. Thanks again, very helpful
0
 
LVL 35

Accepted Solution

by:
Bembi earned 500 total points
ID: 39997419
In WSUS, you apply an update to several grups at the same time. So here you can make a group i.e. IE10 and another group IE11. and put the clients into these groups.

You just then apply the installation and all updates for IE11 only into the IE11 group, and if a new client should get IE11, you just move it from IE10 into IE11 group.

In comparison with AD, what is hierarchical, WSUS can put computers into any group.
I usually devide them into the OS (XP, Win7, Win8) and the Office Versions, this way not every computer has to check every update, even the software ist not installed. Means a Office 2010 computer do not need Office 2007 updates.

On the update site even there I create usually filters for the same, so WInXP, Win7, Win8. etc. In the filtered view, you then can then apply everything to the correspondig WSUS group.
0
 
LVL 15

Author Comment

by:cwstad2
ID: 40001044
Sorry for my late reply. Thanks for your help much appreciate i will i could assign more points
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

The reason that corporations and businesses use Windows servers is because it supports custom modifications to adapt to the business and what it needs. Most individual users won’t need such powerful options. Here I’ll explain how you can enable Wind…
You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now