Leo

WSUS Project Plan and Installation

Hi,
Two parts to this question,
1) Need a project plan on how to install WSUS. We are currently running WSUS 3.0 on 2003 server and decided to do a fresh install of WSUS on Windows 2008 R2 SP1, so I need a project plan on what things I have to consider when planning/taking notes from the old server, so I don't miss out on anything :-)
 It can be more like, in the first part, Planning Phase-->Implementation part-->Cut over Phase.
2) Can I install WSUS 4.0 on Windows Server 2008 R2? If yes, what's the installation guide?

Thanks All.
Seth Simmons

Need a project plan on how to Install WSUS,

installation is pretty straight-forward; there really isn't much for differences between the two
WSUS is a component that hasn't had much attention as far as feature enhancements; even for 2012 it's basically the same
the real difference is the support for newer operating systems
make sure after installing the feature, you install SP2 since it provides support for windows 8/2012 clients

Can I install WSUS 4.0 on Windows Server 2008 R2?

it's actually version 3.0
microsoft has a lot of documentation to get started with it

Windows Server Update Services 3.0 SP2 Step By Step Guide
http://technet.microsoft.com/en-us/library/dd939822(v=ws.10).aspx
Leo

ASKER

I know installation is pretty straight forward, i have done it couple of times, but my manager is picky...he wants everything on paper to list how it will be carried out...... just thought i will ask if anyone has done it before in which they listed what needs to be checked on old installation and what needs to be carried forward......
We don't use WSUS, it's rubbish, in our opinion.

We use an excellent patch management product called Shavlik Protect - http://www.shavlik.com/products/protect/.
Leo

ASKER

Thanks Andrew, but thats not an options for us at the moment :-)
How can I stop the old server from getting updates from Microsoft, and how the computers/servers will know they have to get updates from new server?
The old Server which is running WSUS, is on domain computer, so i dont want to turn off any of services which will stop anything else....
Hypercat (Deb)
Added comment: If you're not already using group policies, then you should start there and set up a group policy for pushing out windows updates.  Then when you have the server set up, you simply apply that policy to the workstations and servers and you should be good to go.

One caveat is that if you have not used group policies before, and if you have cloned workstations or servers, then you will have a problem with registration of those cloned machines in WSUS. If this is the case, please post back and I'll tell you how to fix it.
Adding to hypercat's comment, you should run the cleanup wizard (options) on the existing one to eliminate data that has expired/superseded/declined.
To avoid having your new server consume external bandwidth resources, you should configure it as a replica of your old server.

This way all the updates you previously approved will be available.
If you have any auto-approve rules, you would need to add them.  They will only become active after this server is no longer a replica.
Leo

ASKER

Windows are pushed out through group policy...there are three groups i.e. Test, computer and server.
Under Group Policy for detecting updates, the path is defined as http://wsus.domain name.
I couldnt find any where under group policy where Old server name will be defined?
Would it be wise, to add the new server as a secondary downstream server, once it synch all the updates, uninstall WSUS on old computer and make the secondary downstream as the upstream server?
Leo

ASKER

How computers will know they have to get updates from new server?
wsus.domain is a record in DNS pointing to the current server's IP or is an alias of the current server.
Updating the GPO with the new name is also doable; it will take the GPO refresh time for the new server to be referenced without a reboot.  There is no rush for this transition.

Updating the DNS record accordingly, add an alias if that is the current setup, or add a host record pointing to the new server's IP, and you are all set. The next time the systems check in, they will connect to depending on the .....  Eventually, it will connect to the new one. You could reverse the roles once the new one is synced. You can make it the master and subordinate the old one as a replica, which you can configure to roll up the clients to the master.
Leo

ASKER

In DNS i can see there is an alias for WSUS and its pointing at two servers, so i will change that accordingly later on....
once thats done, I will leave it for a while, and it will synch the updates by itself? and the computers/servers will know that this is the new server from where they will be getting updates?
yes.

Each system will connect to the new server and will check with what updates are approved for it while reporting what updates they need based on those available.
Leo

ASKER

Thanks, and if i want to do a test before going to production, to make sure the updates are coming from the right server, and its getting pushed out, how i will do that?
Wsus does not push updates. The clients pulls approved updates.


Though I am not sure what your concern is,
The only way to test it in this scenario is to use an unjoined system and configure its local security policy for windows updates pointing to that server.  

The reason for the unjoined system is that a domain joined system will have the WSUS settings set by GPOs, which will supersede the local security policy.
Leo

ASKER

Thanks, would it be possible that instead of taking computers out from domain, create a Test Policy and prioritize it, so that when Test policy is applied, it will supersede the old one?
Leo

ASKER

Thanks for your reply.
The file you have mentioned to edit, c:\windows\system32\drivers\etc\hosts, does not contain any settings related to our environment; it's an example file, i.e.

# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host


# localhost name resolution is handled within DNS itself.
#      127.0.0.1       localhost
#      ::1             localhost

so for testing you are suggesting to enter the details the following details in host file; i.e. 10.0.0.0  Newupdateserver.yourdomain.local, then it should come up with the ip of new server?

and under our GPO, wsus is defined as \\wsus.domain.local, no server name is defined in the GPO, under DNS its defined...

Also the concern is to have a valid testing :-) which is as close to production, and we are planning to do a clean install on new server and take out the old two WSUS servers, so it will be a replica of old server in terms of settings, but new server wont be added as a downstream server.
wsus.domain.local is the name of the hostname to which the clients have to connect to check on available updates.  You use DNS to point the clients to one or multiple servers.
With that said, the entry in hosts
10.0.0.0 wsus.domain.local

will allow the test of the newly installed wsus to be performed from that system.

I do not understand what you mean by the last paragraph. A replica is a downstream server. It does not need to be accessed until you are ready.

You can start with the newly installed server/WSUS from scratch, or, using the replica option, you would transfer all the update statuses and their files without consuming your external bandwidth and without the need to approve/re-approve prior updates.

You can control on the server the option of not getting old/outdated updates for systems you no longer have through the selection of products and classification.
I.e. Windows XP, Office products you had before but no longer, etc.
This way the new server, when set up as a replica, will not download the previously approved packages when they are outside the products and classification configuration.
Leo

ASKER

So correct me if i am wrong, I will add this entry "10.0.0.0 wsus.domain.local " under host file? can i add it anywhere in host file?
If computer is part of domain, and under local security policy for this test computer i configure it to get updates from new server, just for a test, would that test be enough to make sure the test computer is pulling updates from the new server?

Where is the replica option in WSUS? i think i got confused in last paragraph, apologies for that.
Big you are making the changes in the hosts file entry below the example.
Anything preceded with a pound # is seen as a comment and not processed.

You do not need to make any GPO changes.
Make sure that ping wsus.domain.local is now reflecting the IP of the new server.
Then run the windows update check for updates while looking at c:\windows\windowsupdate.log to confirm that the client is talking to the new server.  On the new server update services after the process runs, it should have this system reflected under the computers..

It is under the first server configuration within options. Update source and proxy server.
Select the second option and point it to the internal server that will be the upstream server and then check the option that this is a replica.

Within the options the reporting rollup deals with whether the master gets updates from the replicas.  What this enables is sending of client information to the master which is the only place where an update can be approved.  If the system is only known to the replica and is in need of an update, it will not be approved unless another system that checked with the master server also needs this update.

You can not approve/change update status on the replica.
Leo

ASKER

Thanks for clarification for replica :-)

in regards to adding the entry in host file...i will add it under example;
10.0.0.0    wsus.domain.local          # WSUS updates

Would that be correct?
Yes if 10.0.0.0 is the actual IP of the new server.
I believe your use of 10.0.0.0 is merely an illustration.
10.0.0.0 is predominantly a network address and is not in a usable range no matter the netmask.

The only time it might be in usable space is if you mix in public/reserved with private IP space such as 10.0.0.0.
9.0.0.0/7 9.0.0.0-10.255.255.255
Leo

ASKER

yes thats right...i was only using 10.0.0.0 as an example....its not the actual IP of the server
Leo

ASKER

Just a quick question, I am planning to add a DNS entry for new Test WSUS server, and create an entry in GP as well for http://WSUSTEST.domain..... will it work?
The issue is how your current WSUS server location is passed to the clients.
I.e. Do you have a per computer OU level GPO link that reflects the WSUS url?

Where is the GPO that has the INTRANET wsus is it at the top of the domain, is it at the site level?

You can try using a GPO with the new/test and using the enforced option.

Is your new test wsus a replica of the existing wsus server?
Leo

ASKER

current WSUS server location is passed through DNS, and Group policy.

The old server which are holding the WSUS at the moment, are domain controllers.....new server wont be a domain controller...

No new Test server is not a replica of current WSUS server, should i make it replica? and i have turned off synch....is it better? or should i turn it on?
You should make the new one a replica, this way your previously approved updates, will be available, as well as you would not consume bandwidth on the new one.
You should not disable the sync.
Once the new is synchronized, you, as I said before, can change the GPO to point to the new server.
Once you see all the clients reporting to the new server, or any time you are ready, you can reconfigure the new server to become the master and sync to MS.
Leo

ASKER

I have set the security group under AD, linked it with group policy, added a test computer in that, but its not reporting to new wsus server, kindly see the attached picture....
What do i have to do so that the new wsus server can see this machine?
wsus.jpg
The URL for the server has to include the port.  The default port is 8530, so unless you've set a custom port, the URL would need to be http://wsustest.domain:8530.
Leo

ASKER

I believe its on port 80, because in browser when i enter http://wsustest.domain:80, IIS7 screen comes up...
so i should change it to 8530?

in the log its showing these errors.......

2015-02-11      10:12:05:147       632      3d8      PT      Initializing simple targeting cookie, clientId = 3d74e3a9-a0d3-4a7b-a2aa-c3b89cb3626e, target group = Test Win7 , DNS name = test132.domain
2015-02-11      10:12:05:147       632      3d8      PT        Server URL = http://wsustest.test/SimpleAuthWebService/SimpleAuth.asmx
2015-02-11      10:12:05:163       632      3d8      PT      WARNING: GetAuthorizationCookie failure, error = 0x80244019, soap client error = 10, soap error code = 0, HTTP status code = 404
2015-02-11      10:12:05:163       632      3d8      PT      WARNING: Failed to initialize Simple Targeting Cookie: 0x80244019
2015-02-11      10:12:05:163       632      3d8      PT      WARNING: PopulateAuthCookies failed: 0x80244019
2015-02-11      10:12:05:163       632      3d8      PT      WARNING: RefreshCookie failed: 0x80244019
2015-02-11      10:12:05:163       632      3d8      PT      WARNING: RefreshPTState failed: 0x80244019
2015-02-11      10:12:05:163       632      3d8      PT      WARNING: PTError: 0x80244019
2015-02-11      10:12:05:163       632      3d8      Report      WARNING: Reporter failed to upload events with hr = 80244019.
http://wsustest.test is not a test that confirms that WSUS is installed, it confirms that you have a web server running and responding on that port.

The error entry from your post:
015-02-11      10:12:05:147       632      3d8      PT        Server URL = http://wsustest.test/SimpleAuthWebService/SimpleAuth.asmx
2015-02-11      10:12:05:163       632      3d8      PT      WARNING: GetAuthorizationCookie failure, error = 0x80244019, soap client error = 10, soap error code = 0, HTTP status code = 404

Suggests that WSUS is not installed there.

Instead of guessing, open the IIS management interface on the wsustest server.  You should have one site if default site has the SimpleAuthWebService virtual directory.
Or if you have two sites, that has the above along with Content and other virtual directories.  The properties/bindings of this site should tell you whether it is bound to any ip port 8350.

http://wsustest.test/Content do you get an error indicating browsing is denied or do you get an error that the location does not exist
http://wsustest.test:8350/Content The same.

The other option is to use the update maintenance administrative tool to see the configuration there on how it accesses the site port 80 or port 8350.
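
How the log lines discussed above can be read programmatically, as an added example that is not part of the original thread: the parser pulls the Server URL and the first failure that follows it from WindowsUpdate.log text and compares the URL's port with the WSUS site port. The sample lines are copied from the log posted above; the function names and the 8530 default (the port given earlier in this thread) are assumptions of the example.

```python
import re
from urllib.parse import urlsplit

# Windows Update Agent result codes that appear in this thread.
WU_ERRORS = {
    0x80244019: "WU_E_PT_HTTP_STATUS_NOT_FOUND (server answered HTTP 404)",
    0x8024402C: "WU_E_PT_WINHTTP_NAME_NOT_RESOLVED (server or proxy name not resolved)",
}

# Fields of a WindowsUpdate.log line: date, time, process id, thread id, component, message.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>[0-9a-fA-F]+)\s+(?P<component>\S+)\s+(?P<message>.*)$"
)
URL_RE = re.compile(r"Server URL = (?P<url>\S+)")
# Root failure line; the "... failed: 0x..." lines after it only repeat the same code.
FAIL_RE = re.compile(
    r"WARNING: (?P<call>\w+) failure, error = 0x(?P<code>[0-9A-Fa-f]{8})"
    r"(?:.*HTTP status code = (?P<http>\d{3}))?"
)

# Lines copied from the log posted in the thread.
SAMPLE_LOG = """\
2015-02-11      10:12:05:147       632      3d8      PT      Initializing simple targeting cookie, clientId = 3d74e3a9-a0d3-4a7b-a2aa-c3b89cb3626e, target group = Test Win7 , DNS name = test132.domain
2015-02-11      10:12:05:147       632      3d8      PT        Server URL = http://wsustest.test/SimpleAuthWebService/SimpleAuth.asmx
2015-02-11      10:12:05:163       632      3d8      PT      WARNING: GetAuthorizationCookie failure, error = 0x80244019, soap client error = 10, soap error code = 0, HTTP status code = 404
2015-02-11      10:12:05:163       632      3d8      PT      WARNING: PopulateAuthCookies failed: 0x80244019
"""


def parse_line(line):
    """Split one log line into its fields; return None for blank or truncated lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def server_endpoint(url):
    """Return (host, port) of a Server URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return parts.hostname, port


def find_server_failures(log_text, expected_port=8530):
    """Pair each root failure with the Server URL last logged by the same thread."""
    last_url = {}  # (pid, tid) -> most recent Server URL seen on that thread
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        key = (entry["pid"], entry["tid"])
        url_match = URL_RE.search(entry["message"])
        if url_match:
            last_url[key] = url_match.group("url")
            continue
        fail = FAIL_RE.search(entry["message"])
        if not fail or key not in last_url:
            continue
        host, port = server_endpoint(last_url[key])
        code = int(fail.group("code"), 16)
        http = int(fail.group("http")) if fail.group("http") else None
        if http == 404 and port != expected_port:
            hint = ("a web server answered on port %s but serves no WSUS path there; "
                    "check that the policy URL carries the WSUS site port %s"
                    % (port, expected_port))
        elif http == 404:
            hint = "URL port matches the expected WSUS port, but the web service path is missing on this host"
        else:
            hint = "no HTTP 404 reported; interpret the result code"
        findings.append({
            "time": entry["date"] + " " + entry["time"],
            "call": fail.group("call"),
            "url": last_url[key],
            "host": host,
            "port": port,
            "error": "0x%08X" % code,
            "error_name": WU_ERRORS.get(code, "not in this example's table"),
            "http_status": http,
            "hint": hint,
        })
    return findings


if __name__ == "__main__":
    for finding in find_server_failures(SAMPLE_LOG):
        for name, value in finding.items():
            print("%-12s %s" % (name, value))
```
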
Leo

ASKER

Apologies, by http://wsustest.test I mean http://wsustest.domain.
WSUS is installed on the server, kindly see the screenshot.

When i enter http://wsustest.domain/Content ....it comes up with webpage cannot be found....
Under server manager-->IIS this is what i can see......cant see any default site name......not sure why...
IIS.jpg
WSUS.jpg
try http://wsustest.domain:8350/Content

The images are of little use. as they display the expanded data from the role.


use administrative tool, IIS.
There should be three sections: application pool, sites, expand sites. Do you have one Default website? Or do you have another.


run the following on the wsustest.domain system

netstat -an | find /i "ESTABLISHED"
Do you have an entry here that says: :8350
Leo

ASKER

There are no other website....only one default website...
but even under one website, i am not able to see application pool, sites....do i have to install additional services for IIS?
and after running the command netstat -an | find /i "ESTABLISHED" there is no entry for 8350

When i enter http://wsustest.domain:8350/Content....i get a blank page...internet explorer cannot display the webpage....
Within the default site, do you have a Content virtual directory, selfupdate?

C:\program files\update services\tools\wsusutils.exe

Several things do not make sense unless we are somehow looking at different servers physical or virtual.

I made an error the netstat -an |find /I "listen"

See if you have an 8350 here.

If you would, please post the results from the above.
Leo

ASKER

I have installed IIS management services and now i can see Default website, and wsus administration.
Leo

ASKER

I confirm i can see this directory....

C:\program files\update services\tools\wsusutils.exe  

and results from this command are;

TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
 TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
 TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1947           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:2179           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:7569           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:8192           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:8193           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:8194           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:8530           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:8531           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:19100          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:19101          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:49184          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:63156          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:63384          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:63385          0.0.0.0:0              LISTENING
Leo

ASKER

I can see under IIS management, WSUS administration for site binding it shows 8530....
Bindings.jpg
Leo

ASKER

When i do test under WSUS administration.....its showing a warning message, does that point to issue? if yes, how can i fix it?
test.jpg
It's a warning. Point the client to 8530 and see if it is or is not an issue.

Check The security setting on the path where wsus contents is if the windowsupdate log suggests that after connecting in it saw new updates, but fails to download them.
Leo

ASKER

computers are able to report, thanks....it was the port issue......
but now on computers...its showing an error code of 8024402C when i try to do windows update....
You are providing partial info.
Where do you see this error?
Leo

ASKER

on test computer running windows 7, which is supposed to get updates from the new wsus server, in control panel, when i click on windows update, i get this error.....
"Windows could not search for new update, Error Code: 8024402C"
Please look at the windows update log to see what it is reporting.
C:\windows\windowsupdate.log


Can you tell the client to use MS as the source and see whether the issue is wsus or computer related?
Leo

ASKER

these are the logs.......

2015-02-11      17:20:05:381       688      b28      Agent        * Found 0 updates and 79 categories in search; evaluated appl. rules of 2378 out of 4301 deployed entities
2015-02-11      17:20:05:381       688      b28      Agent      **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
2015-02-11      17:20:05:441       688      10e4      AU      >>##  RESUMED  ## AU: Search for updates [CallId = {CBC35861-FD47-4FED-83AC-2517B51461F1}]
2015-02-11      17:20:05:451       688      10e4      AU        # 0 updates detected

2015-02-11      17:20:05:451       688      10e4      AU      ##  END  ##  AU: Search for updates [CallId = {CBC35861-FD47-4FED-83AC-2517B51461F1}]
2015-02-11      17:20:05:451       688      10e4      AU      #############
2015-02-11      17:20:05:451       688      10e4      AU      Successfully wrote event for AU health state:0
2015-02-11      17:20:05:451       688      10e4      AU      Featured notifications is disabled.
2015-02-11      17:20:05:451       688      10e4      AU      AU setting next detection timeout to 2015-02-12 01:58:34
2015-02-11      17:20:05:451       688      10e4      AU      Setting AU scheduled install time to 2015-02-11 17:00:00
2015-02-11      17:20:05:451       688      10e4      AU      Successfully wrote event for AU health state:0
2015-02-11      17:20:05:451       688      10e4      AU      Successfully wrote event for AU health state:0
2015-02-11      17:20:10:379       688      b28      Report      REPORT EVENT: {1A4D164A-9598-4328-9C60-2674BF90A501}      2015-02-11 17:20:05:381+1000      1      147      101      {00000000-0000-0000-0000-000000000000}      0      0      AutomaticUpdates      Success      Software Synchronization      Windows Update Client successfully detected 0 updates.
2015-02-11      17:20:10:379       688      b28      Report      REPORT EVENT: {7DC9240E-4D86-43A9-BC5D-FAFD9D35163C}      2015-02-11 17:20:05:381+1000      1      156      101      {00000000-0000-0000-0000-000000000000}      0      0      AutomaticUpdates      Success      Pre-Deployment Check      Reporting client status.
2015-02-11      17:20:10:379       688      b28      Report      CWERReporter finishing event handling. (00000000)
There is nothing here pointing to an error?

Is this the report from access ms or your wsus server?
Leo

ASKER

This is from the windows 7 test machine......
Was this when you ran check for updates using the local wsus or windows?

Look within the wsus test update services to see what is being reported about this host there, does it say this system needs updates or does not?
Leo

ASKER

yes this is when i run check for updates on local wsus.....

i released an update, i just thought the computers should get it?

i have attached a screenshot for the status report on test computer.....
It somewhat depends on what options are set in your group policies for Windows Update.  Normally, you set the policies to install updates at a certain time of day.  For example, we normally use 3AM.  Workstations that are left on overnight (as we request all users to do on "update night") will automatically download all approved updates, install them and restart as necessary.  If you post the contents of your Windows update group policy, we can tell what is set up and perhaps conclude why the updates aren't being downloaded and installed.
Leo

ASKER

I have attached a screenshot, I just thought once you release updates from WSUS, the clients should be able to get updates in few hours, its been a day, and the computers havent received any updates....
GP.jpg
When clicked on, do the 25 updates show the status of Install or not approved to the test group?
Leo

ASKER

Status of test computer on wsus is with yellow exclamation mark, I can authorize new updates from WSUS server to test computers.
Under WSUS i have created a group called Test, and all test machines are under that, and i can approve updates for this folder......
the 25 updates which it shows are not installed, i cant really see it on test computer, means when i check for updates, it says no updates available.....
Not Installed, is the status of the update for this computer say not approved, or Install?
The update must be marked Install for the group (target in WSUS ) to which this computer  via GPO (client Target: Test [redacted in your image])

You have 10 people, 5 of them are members of group A, 5 of them are members of group B. You have a set of instructions on the wall:
Group A with what they have to do.
Group B with what they have to do.

You decided to setup a New group,  Test.
You pick a person (person 4) from Group A and assign them to the Test group.

The person (person 4) will not know what to do Until You Post the instructions for Group Test.

This is the issue with your WSUS server.  You created a new GPO for this system and created a new Client Target Group for use on WSUS. Until you take the steps to approve updates that include systems in the WSUS Test target, those systems will check in and will identify that they need updates that have not been approved for this target group.

Go to the test group, select the system, click on the number of updates not installed, go to the second page and approve the updates for the Test group that this system needs.  If the test wsus is a replica, you can only approve updates for the Test group on the master wsus server.

You seem to be going out of your way to make this transition more complicated than it usually is or needs to be.
i.e. you seem to continually add impediments in your own path.
Leo

ASKER

I was just following what my manager what he asked me to do :-) i understand it would have been much easier, doing like this have over complicated the things, but i didnt have a choice...
but the computers have started reporting which is a good sign....and everything seems to be working good in test environment......
Leo

ASKER

now i have changed wsus settings and pointed it to production new server....
but its more then 2 hours...and no computers have reported on new wsus console.

i have done wuauclt.exe /resetauthorization /detectnow /reportnow....on one of the machines......but that doesnt seem to have reported so far......
Be patient.

First, the computer GPO needs to be refreshed (forcing a refresh will require a restart unless you use the /Sync but that too might require a restart)
Once the GPO is refreshed, the checking for updates will depend on what your settings are, if nothing is set, the 22 hour interval that is the default will be used.
Leo

ASKER

Hi,
Any thoughts on this to migrate old approved updates to new one?
http://exchangeserverpro.com/how-to-move-wsus-30-to-a-new-server/ 

on new server its coming up with the updates which are required..and they are couple of thousands....
Leo

ASKER

i tried to follow instructions on this tool for migrating of updates, i cant find "wsusmigrationexport.exe settings.xml"
so dont know if it will work or not.
Leo

ASKER

i was able to run the exe file....but the xml was only 1kb, didnt exported anything.....
The command is wsusutil.

I am puzzled why you are not considering making your new wsus a replica of the old?

This will cause your new to synchronize with the existing master, which will include all approved,declined updates and will get the files from that server versus retrieving it via the wan.

Once it is done, and you transition all the clients to the new server, you can change the configuration when the old one is ready to be decommissioned.
Leo

ASKER

I want to do what u said as well...it makes more sense...but my manager thinks the other way...I have to do what he asks me :-(
I've actually not seen wsusmigrationimport.exe ....

You are following the process of transferring data to a system that does not have access to the outside (offline update transfers)

The issue I see is that you've already had it running .....

c:\program files\update services\tools
wsusutil.exe export wsusschema.cab wsusschemaexport.log
you would then backup the content of the WSUS or are you ok with letting the WSUS server retrieve the files from MS? wsusutil.exe reset after the schema is imported?

I've not tried it recently, so not sure how big the two files could get from the export.
The WSUS data could be in the 20-80GB depending on which products/classifications you have selected.  You might want to run the cleanup wizard on the existing WSUS to get rid of expired/declined packages. No point in transferring those.

on the new one
restore the package content first.
you would use wsusutil.exe import wsusschema.cab wsusshemaimport.log


I guess the issue is the manner in which the addition of the new server is perceived by your manager.  One way is to have it as an additional resource to maintain continuity as well as handle HW failures of update rollouts. Versus this server is a replacement for the other.
For continuity, one will have a single master with the others being replicas for straight forward management.
Leo

ASKER

Iam ok to retrieve updates from MS after schema is updated...at the moment the new server is set to get updates from MS as well...
ok, not sure how much space the export will take, but just in case, make sure the wsusexportschema.cab file is to a drive that has enough space. without the drive letter it will be where you working directory is..
Leo

ASKER

ok, do i have to place all files under one folder?
means wsusutil.exe export wsusschema.cab wsusschemaexport.log....
and how can i define the drive letter while exporting?
currently the WSUS content folder is on a different drive, its not on C: drive.
Leo

ASKER

I have been told to go with this option....
http://exchangeserverpro.com/how-to-move-wsus-30-to-a-new-server/ 
again, the one you mentioned makes more sense....but i cant do anything :-(
Note the first portion of the link deals with making the new WSUS a replica of the existing server, which you previously resisted based on your manager's requirements.

Not sure what the point if using the second portion where data is exported from the master given if you allow for the replica situation to last about 30-40 minutes the data will be transferred over the network. But that might be the reason to get the wsus config transferred and have the updates that have been previously approved included in the new server.  A concern deals with having 20-80GB of data transferred over a network.
Leo

ASKER

i was asked to put together a procedure to use this tool....so from step 6...
http://exchangeserverpro.com/how-to-move-wsus-30-to-a-new-server/   
i downloaded the tool, it came with WSUSMigrate Read ME guide, which i have attached.
but i have been told its wrong....but i havent been told where....i just put together a procedure from Read Me document, procedure on how to export updates and how to import them....in the import commands, it imports updates and group folders...there is no parameter to only import updates....so would that be the part, where i will be considered wrong?
the computer group structure on old server is different to new one....it has different names......
WSUSMigrate-ReadMe.doc
After looking closer at the link and the tool, all it seems to do is export the classification/products settings along with any autoapproval parameters.

The issue is that target groups are part of the data transferred during the first part of the link i.e. when the new server was a replica of the old.  
The group policy is a non-issue as you control it; the only thing with GPO that would pose an issue for you is if you change the client target (WSUS computer group names) without actually changing them on the WSUS,
i.e. you have group1, group2, group3. In the new GPO for client target you add Mygroup3. The system that this GPO applies to will register Mygroup3 on the WSUS, which will be created automatically when WSUS is configured to be deployable via GPO. Now, since this group Mygroup3 is new, the only updates that will be approved under it will be those that have previously been approved for All Computers; otherwise, the updates in Mygroup3 will have the not approved status.

The above applies to WSUS 2.0 to 3.0 migration.

I've used it and often did the settings configuration for product/classification as well as auto-approvals manually. Often only one server needs to have it at any one time, with others depending on it (master/replicas).

For your document to be complete (item 5, offline transfer), it has to use wsusutil, which is the way that the packages are exported.

If you have a test lab, I would suggest you try it out.

replica/master setups, certain functions/settings/options are grayed out on the replica as they are controlled by the configuration/settings on the master.
.....
Avatar of Leo

ASKER

Thanks a lot....
I will give you more of an overview of how the new one has been set up.... and I will attach the procedure on how the updates will be moved from the old one to the new one. Kindly review it and let me know what I missed :-)
On the old server we have computer groups like Group1, Group2, Group3..... When WSUS was installed on the new one, all the computer group names got renamed like mygroup1, mygroup2, mygroup3..... and under GPO I have to change the names so that they point to the right groups under WSUS.
Now, using the tool here, i.e. http://exchangeserverpro.com/how-to-move-wsus-30-to-a-new-server/
will the attached document be the right approach in moving updates from server1 to server2?
Both servers are running WSUS 3.0.
In the attached document I have just listed the steps...
wsus.docx
I'll take a look at your document later; I can suggest one thing ahead of time.
Once you decouple the new server from the old server, you can rename the computer groups thus preserving the approved updates for the corresponding groups.
Avatar of Leo

ASKER

So I have to keep the computer group names the same on the new server?
On the new server the group names have already been created.... and the computers/servers have already reported to each group....
I have not had a chance to look at your most recent document.

Let me confirm I understand the process you are trying to address/document.
1) existing WSUS server with X number of groups.
2) the need arose to replace the existing WSUS with a newer one.
     A) the update groups to which computers belong will change
     B) GPOs managing the computers will change.

Steps
1) install new OS on new server
2) add the WSUS role to the server while configuring it as a replica to the old one to synchronize updates/approvals prior groups, as well as control of clients via GPO.
3) after the synchronization/content retrieval of data from the old on the new, the new WSUS is reconfigured to now retrieve data from Microsoft directly.
4) the new WSUS computer groups need to be renamed if you wish to maintain the status of the updates as approved. You might have to double check which current groups deal with which types of updates.

You can follow by getting the API and dealing with the export/import of settings.
read up on the document.

I've not used the migration tool so do not have a way to comment on its use.

Is the WSUS server you are testing in production now? Or is it available to test your document on?
Nothing helps make things clearer but following one's own instructions.

You reference the document that references the location where the tool can be obtained, but you deviate from those instructions.

I went through this type of transition and followed what I provided to you.  I did have to manually change the classification/products as well as the auto approval rules after the new became the primary instead of a replica.
Avatar of Leo

ASKER

The new one is live now, meaning it's in production; DNS records have been pointed to the new one...
Can you help me clarify where in that document I deviated from the instructions?

So what you are suggesting is to change the group folder names to what they were on the old server and then carry out the migration of the updates?
Or can it be accomplished without changing the names of the computer group folders?
The document you referenced as the source of the migration tool has the first portion of establishing the new as a replica first to get the approved/declined update info and possibly all the package files that are approved on the old.
Second step deals with changing the new from replica to master.
At this point the groups on the new match the groups on the old.
You can rename the groups on the new preserving the prior approvals.
The new gpos you will be applying can have the new download/install and client target rules.
(The GPO setup can have one higher level that sets the intranet wsus server only. Then you can have a GPO for each computer OU that sets their update settings, client targets, and install setting and restart restriction, etc.)

The suggestion about renaming of the old groups within WSUS deals with not having to go through approving many ...

The changing of the group names deals only with preserving and transparent client update management. The WSUS will add any group that a system connecting in uses as its client target when WSUS is configured with GPO-based setting of clients versus WSUS-managed.
Avatar of Leo

ASKER

Your third point: "At this point the groups on the new match the groups on the old." Computer groups on both are different, meaning their names, so how will they match the updates? And is there any way to rename computer groups? The only option I see is to delete them.
Avatar of Leo

ASKER

And on which step I have to use the migration utility http://exchangeserverpro.com/how-to-move-wsus-30-to-a-new-server/ ?
I have to recheck; I think it is possible to rename, which might involve a change in configuration.

Using the migration tool and modifying the xml.

Will get back.....
Just to be clearer. Computer groups in the AD do not need to correspond to the ones in the wsus. WSUS group deal with common where updates are.
Usually one would have a server marker for server based odes.
A workstation
And a workstation test type that allows the administrator to have these as test platforms to make sure business is not impacted by an update.
Clients connecting and retrieving updates .........
Just rechecked; you're right, there is no way within the update interface to rename the WSUS computer groups. Not sure why or where I got that it is possible.
Avatar of Leo

ASKER

So if I can't rename it.... what should I do :-(
There is no specific requirement nor special meaning to the group names outside the wsus server.  

Checking what the XML output is and changing its contents would be one way.
Another way deals with whether you use sql server to store the wsus database in which case you can alter the group names within the DBA side.

Alternatively using auto approval to change/add the new group and rerunning that
Critical, security updates .......
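
The discussion above turns on keeping existing approvals when the WSUS computer group names differ and cannot be renamed in the console. As an added example that is not part of the original thread or of the migration tool it mentions, this PowerShell sketch uses the WSUS administration API to copy install approvals from one group to another on the same server. It assumes both the old-named and new-named groups exist on that server (for instance after the replica synchronization described earlier); the group names in `$map` are placeholders following the thread's Group1/mygroup1 naming.

```powershell
# Added example. Run in an elevated PowerShell session on the WSUS server itself.
# Group names in $map are placeholders; only Install approvals are copied.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Copy-WsusGroupApproval {
    param(
        [Parameter(Mandatory = $true)] $Wsus,                 # IUpdateServer
        [Parameter(Mandatory = $true)] [hashtable] $GroupMap, # old name -> new name
        [switch] $Apply                                       # without it: report only
    )
    # Index the server's computer target groups by name.
    $byName = @{}
    foreach ($g in $Wsus.GetComputerTargetGroups()) { $byName[$g.Name] = $g }
    $updates = @($Wsus.GetUpdates() | Where-Object { -not $_.IsDeclined })

    foreach ($oldName in $GroupMap.Keys) {
        $src = $byName[$oldName]
        $dst = $byName[$GroupMap[$oldName]]
        if (-not $src -or -not $dst) {
            Write-Warning "Skipping '$oldName': source or destination group not found"
            continue
        }
        foreach ($u in $updates) {
            $srcOk = @($u.GetUpdateApprovals($src) | Where-Object { $_.Action -eq 'Install' })
            if ($srcOk.Count -eq 0) { continue }      # not approved for the old group
            $dstOk = @($u.GetUpdateApprovals($dst) | Where-Object { $_.Action -eq 'Install' })
            if ($dstOk.Count -gt 0) { continue }      # new group already has it
            if ($Apply) {
                # Approve can fail, e.g. when a license agreement is still pending.
                try { [void]$u.Approve('Install', $dst) }
                catch { Write-Warning "$($u.Title): $($_.Exception.Message)"; continue }
            }
            New-Object PSObject -Property @{
                Update = $u.Title; From = $src.Name; To = $dst.Name; Applied = [bool]$Apply
            }
        }
    }
}

$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$map  = @{ 'Group1' = 'mygroup1'; 'Group2' = 'mygroup2'; 'Group3' = 'mygroup3' }
Copy-WsusGroupApproval -Wsus $wsus -GroupMap $map | Format-Table -AutoSize
```

As written the last line only reports what would be copied; add `-Apply` to the call once the report matches what the old server's groups should carry over.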
Avatar of Leo

ASKER

WSUS content is not stored in SQL; it's in WID.
By XML output file did you mean the Windows content folder? What should I change in that file?
Sorry, I still didn't understand clearly when you said I deviated from the objective on the migration task list I attached earlier?