Solved

WSUS Project Plan and Installation

Posted on 2015-01-18
Last Modified: 2016-02-19
Hi,
Two parts to this question:
1) I need a project plan on how to install WSUS. We are currently running WSUS 3.0 on a 2003 server and have decided to do a fresh install of WSUS on Windows 2008 R2 SP1, so I need a project plan on what things I have to consider when planning/taking notes from the old server, so I don't miss out on anything :-)
 It can be more like, in the first part, Planning Phase --> Implementation part --> Cut-over Phase.
2) Can I install WSUS 4.0 on Windows Server 2008 R2? If yes, what's the installation guide?

Thanks All.
0
Question by:Leo
89 Comments
 
LVL 34

Expert Comment

by:Seth Simmons
Need a project plan on how to Install WSUS,

installation is pretty straight-forward; there really isn't much for differences between the two
WSUS is a component that hasn't had much attention as far as feature enhancements; even for 2012 it's basically the same
the real difference is the support for newer operating systems
make sure after installing the feature, you install SP2 since it provides support for windows 8/2012 clients

Can I install WSUS 4.0 on Windows Server 2008 R2?

it's actually version 3.0
microsoft has a lot of documentation to get started with it

Windows Server Update Services 3.0 SP2 Step By Step Guide
http://technet.microsoft.com/en-us/library/dd939822(v=ws.10).aspx
0
 
LVL 8

Author Comment

by:Leo
I know installation is pretty straightforward, I have done it a couple of times, but my manager is picky... he wants everything on paper to list how it will be carried out... just thought I will ask if anyone has done it before in which they listed what needs to be checked on the old installation and what needs to be carried forward...
0
 
LVL 117

Expert Comment

by:Andrew Hancock (VMware vExpert / EE MVE)
We don't use WSUS, it's rubbish, in our opinion.

We use an excellent patch management product called Shavlik Protect - http://www.shavlik.com/products/protect/.
0
 
LVL 8

Author Comment

by:Leo
Thanks Andrew, but that's not an option for us at the moment :-)
How can I stop the old server from getting updates from Microsoft, and how will the computers/servers know they have to get updates from the new server?
The old server which is running WSUS is on a domain computer, so I don't want to turn off any of the services which will stop anything else...
0
 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 100 total points
The best way to manage WSUS is through group policies.  If you're using group policies already to manage WSUS, then it will be easy to change over to a new server.  Use the guide referenced above by Seth Simmons to flesh out the steps and fill in any gaps in the simplified outline I've provided below. The basic steps are:

1.  Decide what server and what storage resources you're going to use.
2.  Install WSUS 3.0 SP2 on your new server.
3.  Go to the Options section and set up your options for all the relevant items on that page.  If you want to replicate what you're doing on your current server, then simply use the same settings.
4.  Perform an initial synchronization. This can take some time; overnight is a good time to allow it to run.
5.  Set up your computer groups, if you are using them.
6.  Change your group policy to point to the new WSUS server.
7.  Wait until all your workstations have checked in with the new server.
8.  Approve updates the same way you've been doing in the past.

Decommission the old WSUS server simply by uninstalling WSUS.
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
Added comment: If you're not already using group policies, then you should start there and set up a group policy for pushing out windows updates.  Then when you have the server set up, you simply apply that policy to the workstations and servers and you should be good to go.

One caveat is that if you have not used group policies before, and if you have cloned workstations or servers, then you will have a problem with registration of those cloned machines in WSUS. If this is the case, please post back and I'll tell you how to fix it.
0
 
LVL 76

Expert Comment

by:arnold
Adding to hypercat's comment, you should run the clean up wizard (options) on the existing one to eliminate data that has expired/superseded/declined.
To avoid having your new server consume external bandwidth resources, you should configure it as a replica of your old server.

This way all the updates you previously approved will be available.
If you have any auto-approve rules, you would need to add them.  They will only become active after this server is no longer a replica.
0
 
LVL 8

Author Comment

by:Leo
Windows are pushed out through group policy... there are three groups, i.e. Test, computer and server.
Under Group Policy for detecting updates, the path is defined as http://wsus.domain name.
I couldn't find anywhere under group policy where the old server name will be defined?
Would it be wise to add the new server as a secondary downstream server and, once it syncs all the updates, uninstall WSUS on the old computer and make the secondary downstream server the upstream server?
0
 
LVL 8

Author Comment

by:Leo
How will computers know they have to get updates from the new server?
0
 
LVL 76

Expert Comment

by:arnold
Wsus.domain is a record in DNS pointing to the current server's IP, or is an alias of the current server.
Updating the GPO with the new name is also doable; it will take the GPO refresh time for the new server to be referenced without a reboot.  There is no rush for this transition.

Updating the DNS record accordingly: add an alias if that is the current setup, or add a host record pointing to the new server's IP, and you are all set. The next time the systems check in, they will connect to depending on the .....  Eventually, it will connect to the new one. You could reverse the roles once the new one is synced. You can make it the master and subordinate the old one as a replica, which you can configure to roll up the clients to the master.
0
 
LVL 8

Author Comment

by:Leo
In DNS I can see there is an alias for WSUS and it's pointing at two servers, so I will change that accordingly later on...
Once that's done, I will leave it for a while, and it will sync the updates by itself? And the computers/servers will know that this is the new server from where they will be getting updates?
0
 
LVL 76

Expert Comment

by:arnold
yes.

Each system will connect to the new server and will check with what updates are approved for it while reporting what updates they need based on those available.
0
 
LVL 8

Author Comment

by:Leo
Thanks, and if I want to do a test before going to production, to make sure the updates are coming from the right server, and it's getting pushed out, how will I do that?
0
 
LVL 76

Expert Comment

by:arnold
WSUS does not push updates. The clients pull approved updates.


Though I am not sure what your concern is,
The only way to test it in this scenario is to use an unjoined system and configure its local security policy for windows updates pointing to that server.  

The reason for the unjoined is because a domain-joined system will have the WSUS settings set by GPOs, which will supersede the local security policy.
0
 
LVL 8

Author Comment

by:Leo
Thanks, would it be possible that instead of taking computers out from domain, create a Test Policy and prioritize it, so that when Test policy is applied, it will supersede the old one?
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 400 total points
If your setup is such that you have one policy that sets the wsus server, and then a second policy that sets the individualized parameters, target, install mode, etc.

Another option to test is edit the file c:\windows\system32\drivers\etc\hosts

Your GPO pushes the update server as updateserver.yourdomain.local
To have an entry such as

X.x.x.x  updateserver.yourdomain.local

Verify in the command line, ping updateserver.yourdomain.local should reflect X.x.x.x from the hosts entry.


My question to you is what is the concern.
Your new wsus is a replica of the existing one.  Presumably your classifications on the new one are matched to the ones you have on the prior.
At this stage all the approved on the original are approved on the current and all related data files are present.
Put it in the rotation while it is a replica and you will see alternate clients connect to it and will be displayed there while the setting to rollup all clients to the master will do just that.

Whenever you want thereafter, switching the role (replica to master and then master to replica of the new replica)
Make sure your auto approve options are set up as on the existing one.
....
0
 
LVL 8

Author Comment

by:Leo
Thanks for your reply.
The file you have mentioned to edit, c:\windows\system32\drivers\etc\hosts, does not contain any settings related to our environment; it's an example file, i.e.

# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host


# localhost name resolution is handled within DNS itself.
#      127.0.0.1       localhost
#      ::1             localhost

So for testing you are suggesting to enter the following details in the hosts file, i.e. 10.0.0.0  Newupdateserver.yourdomain.local, then it should come up with the IP of the new server?

And under our GPO, WSUS is defined as \\wsus.domain.local; no server name is defined in the GPO, under DNS it's defined...

Also the concern is to have valid testing :-) which is as close to production, and we are planning to do a clean install on the new server and take out the old two WSUS servers, so it will be a replica of the old server in terms of settings, but the new server won't be added as a downstream server.
0
 
LVL 76

Expert Comment

by:arnold
Wsus.domain.local is the name of the hostname to which the clients have to connect to check on available updates.  You use DNS to point the clients to one or multiple servers.
With that said the entry in hosts
10.0.0.0 wsus.domain.local

Will allow the system from which the test of the newly installed wsus to be performed.

I do not understand what you mean by the last paragraph. A replica is a downstream server. It does not need to be accessed until you are ready.

You can start with the newly installed server /wsus from scratch or using the replica option you would transfer all the update statuses and their files without consuming your external bandwidth and without the need to approve/re approve prior updates.

You can control on the server the option of not getting old/outdated updates for systems you no longer have through the selection of products and classification.
I.e. Windows xp, office products you had before, but no longer, etc.
This way the new server when setup as a replica will not download the previously approved packages when they are outside the products and classification configuration.
0
 
LVL 8

Author Comment

by:Leo
So correct me if I am wrong, I will add this entry "10.0.0.0 wsus.domain.local " under the hosts file? Can I add it anywhere in the hosts file?
If the computer is part of the domain, and under local security policy for this test computer I configure it to get updates from the new server, just for a test, would that test be enough to make sure the test computer is pulling updates from the new server?

Where is the replica option in WSUS? I think I got confused in the last paragraph, apologies for that.
0
 
LVL 76

Expert Comment

by:arnold
Big you are making the changes in the hosts file entry below the example.
Anything preceded with a pound # is seen as a comment and not processed.

You do not need to make any GPO changes.
Make sure that ping wsus.domain.local is now reflecting the IP of the new server.
Then run the windows update check for updates while looking at c:\windows\windowsupdate.log to confirm that the client is talking to the new server.  On the new server update services after the process runs, it should have this system reflected under the computers..

It is under the first server configuration within options. Update source and proxy server.
Select the second option and point it to the internal server that will be the upstream server and then check the option that this is a replica.

Within the options the reporting rollup deals with whether the master gets updates from the replicas.  What this enables is sending of client information to the master which is the only place where an update can be approved.  If the system is only known to the replica and is in need of an update, it will not be approved unless another system that checked with the master server also needs this update.

You can not approve/change update status on the replica.
0
 
LVL 8

Author Comment

by:Leo
Thanks for the clarification on replica :-)

In regards to adding the entry in the hosts file... I will add it under the example:
10.0.0.0    wsus.domain.local          # WSUS updates

Would that be correct?
0
 
LVL 76

Expert Comment

by:arnold
Yes if 10.0.0.0 is the actual IP of the new server.
I believe your use of 10.0.0.0 is merely an illustration.
10.0.0.0 is predominantly a network address and is not in a usable range no matter the netmask.

The only time it might be in usable space is if you mix in public/reserved with private IP space such as 10.0.0.0.
9.0.0.0/7 9.0.0.0-10.255.255.255
0
 
LVL 8

Author Comment

by:Leo
Yes, that's right... I was only using 10.0.0.0 as an example... it's not the actual IP of the server.
0
 
LVL 8

Author Comment

by:Leo
Just a quick question, I am planning to add a DNS entry for new Test WSUS server, and create an entry in GP as well for http://WSUSTEST.domain..... will it work?
0
 
LVL 76

Expert Comment

by:arnold
The issue is how your current WSUS server location is passed to the clients.
I.e. do you have a per computer OU level GPO link that reflects the WSUS URL?

Where is the GPO that has the INTRANET wsus? Is it at the top of the domain, is it at the site level?

You can try using a GPO with the new/test and using the enforced option.

Is your new test wsus a replica of the existing wsus server?
0
 
LVL 8

Author Comment

by:Leo
Current WSUS server location is passed through DNS and Group Policy.

The old servers which are holding WSUS at the moment are domain controllers... the new server won't be a domain controller...

No, the new test server is not a replica of the current WSUS server. Should I make it a replica? And I have turned off sync... is it better? Or should I turn it on?
0
 
LVL 76

Expert Comment

by:arnold
You should make the new one a replica, this way your previously approved updates, will be available, as well as you would not consume bandwidth on the new one.
You should not disable the sync.
Once the new is synchronized, you, as I said before, can change the GPO to point to the new server.
Once you see all the clients reporting to the new server, or any time you are ready, you can reconfigure the new server to become the master and sync to MS.
0
 
LVL 8

Author Comment

by:Leo
I have set the security group under AD, linked it with group policy, and added a test computer in that, but it's not reporting to the new WSUS server; kindly see the attached picture...
What do I have to do so that the new WSUS server can see this machine?
wsus.jpg
0
 
LVL 38

Expert Comment

by:Hypercat (Deb)
The URL for the server has to include the port.  The default port is 8530, so unless you've set a custom port, the URL would need to be http://wsustest.domain:8530.
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 400 total points
To hypercat's point, did you install WSUS with port 80?
Look at the c:\windows\windowsupdate.log file to see what happened.

get http://baremetalsoft.com/baretail/ if you do not have it already to tail the c:\windows\windowsupdate.log on the system you are testing.

Then issue the wuauclt /detectnow and see what it reports.  Is it reporting that it can not find the wsustest.domain?
As suggested change the GPO to reflect the 8530 (check IIS on the wsustest server to see where you installed the WSUS instance)

Try again.
0
 
LVL 8

Author Comment

by:Leo
I believe it's on port 80, because in the browser when I enter http://wsustest.domain:80, the IIS7 screen comes up...
So I should change it to 8530?

In the log it's showing these errors...

2015-02-11      10:12:05:147       632      3d8      PT      Initializing simple targeting cookie, clientId = 3d74e3a9-a0d3-4a7b-a2aa-c3b89cb3626e, target group = Test Win7 , DNS name = test132.domain
2015-02-11      10:12:05:147       632      3d8      PT        Server URL = http://wsustest.test/SimpleAuthWebService/SimpleAuth.asmx
2015-02-11      10:12:05:163       632      3d8      PT      WARNING: GetAuthorizationCookie failure, error = 0x80244019, soap client error = 10, soap error code = 0, HTTP status code = 404
2015-02-11      10:12:05:163       632      3d8      PT      WARNING: Failed to initialize Simple Targeting Cookie: 0x80244019
2015-02-11      10:12:05:163       632      3d8      PT      WARNING: PopulateAuthCookies failed: 0x80244019
2015-02-11      10:12:05:163       632      3d8      PT      WARNING: RefreshCookie failed: 0x80244019
2015-02-11      10:12:05:163       632      3d8      PT      WARNING: RefreshPTState failed: 0x80244019
2015-02-11      10:12:05:163       632      3d8      PT      WARNING: PTError: 0x80244019
2015-02-11      10:12:05:163       632      3d8      Report      WARNING: Reporter failed to upload events with hr = 80244019.
0
 
LVL 76

Expert Comment

by:arnold
http://wsustest.test is not a test that confirms that WSUS is installed, it confirms that you have a web server running and responding on that port.

The error entry from your post:
015-02-11      10:12:05:147       632      3d8      PT        Server URL = http://wsustest.test/SimpleAuthWebService/SimpleAuth.asmx
2015-02-11      10:12:05:163       632      3d8      PT      WARNING: GetAuthorizationCookie failure, error = 0x80244019, soap client error = 10, soap error code = 0, HTTP status code = 404

Suggests that WSUS is not installed there.

Instead of guessing, open the IIS management interface on the wsustest server.  You should have one site if the default site has the SimpleAuthWebService virtual directory.
Or if you have two sites, the one that has the above along with Content and other virtual directories.  The properties/bindings of this site should tell you whether it is bound to any IP port 8350.

http://wsustest.test/Content do you get an error indicating browsing is denied or do you get an error that the location does not exist
http://wsustest.test:8350/Content The same.

The other option is to use the update maintenance administrative tool to see the configuration there on how it accesses the site port 80 or port 8350.
0
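The log reading done by hand above can be scripted. This is an added example, not code from any participant in the thread: it pulls the server URL, the error code and the HTTP status out of WindowsUpdate.log lines and counts the warnings per server. The function name Get-WuLogSummary is hypothetical, and the sample lines are copied from the log excerpt posted above.

```powershell
# Added example (not from the thread). Get-WuLogSummary is a hypothetical name.
# Written for PowerShell 2.0, the version shipped with Windows 7 / Server 2008 R2.

# Windows Update Agent error names for the two codes reported in this thread.
$WuErrors = @{
    '80244019' = 'WU_E_PT_HTTP_STATUS_NOT_FOUND: the server answered HTTP 404'
    '8024402C' = 'WU_E_PT_WINHTTP_NAME_NOT_RESOLVED: server or proxy name did not resolve'
}

function Get-WuLogSummary {
    param([string[]]$Lines)

    # Columns: date, time (with milliseconds), PID, TID, component, message.
    $linePattern = '^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2}):\d{3}\s+\S+\s+\S+\s+(\S+)\s+(.*)$'
    $serverUrl = '(not logged)'
    $found = @{}

    foreach ($line in $Lines) {
        if ($line -match $linePattern) {
            # Copy the captures before the next -match overwrites $Matches.
            $when      = '{0} {1}' -f $Matches[1], $Matches[2]
            $component = $Matches[3]
            $message   = $Matches[4].TrimEnd()

            if ($message -match 'Server URL = (\S+)') {
                # The URL the client is about to call; later warnings belong to it.
                $serverUrl = $Matches[1]
            }
            elseif ($message -match '^WARNING:.*?(?:0x|\b)(8024[0-9A-Fa-f]{4})\b') {
                $code = $Matches[1].ToUpper()
                $key  = "$serverUrl|$code"
                if (-not $found.ContainsKey($key)) {
                    $meaning = if ($WuErrors.ContainsKey($code)) { $WuErrors[$code] }
                               else { 'not in the table above' }
                    $found[$key] = New-Object PSObject -Property @{
                        FirstSeen  = $when
                        Component  = $component
                        ServerUrl  = $serverUrl
                        Code       = "0x$code"
                        HttpStatus = $null
                        Warnings   = 0
                        Meaning    = $meaning
                    }
                }
                $entry = $found[$key]
                $entry.Warnings = $entry.Warnings + 1
                if ($message -match 'HTTP status code = (\d+)') {
                    $entry.HttpStatus = [int]$Matches[1]
                }
            }
        }
    }

    $found.Values | Sort-Object FirstSeen |
        Select-Object FirstSeen, Component, ServerUrl, Code, HttpStatus, Warnings, Meaning
}

# Sample input: lines copied from the WindowsUpdate.log excerpt posted in this thread.
$sample = @'
2015-02-11      10:12:05:147       632      3d8      PT        Server URL = http://wsustest.test/SimpleAuthWebService/SimpleAuth.asmx
2015-02-11      10:12:05:163       632      3d8      PT      WARNING: GetAuthorizationCookie failure, error = 0x80244019, soap client error = 10, soap error code = 0, HTTP status code = 404
2015-02-11      10:12:05:163       632      3d8      PT      WARNING: PTError: 0x80244019
2015-02-11      10:12:05:163       632      3d8      Report      WARNING: Reporter failed to upload events with hr = 80244019.
'@ -split "`r?`n"

Get-WuLogSummary -Lines $sample | Format-List

# On a real client:
#   Get-WuLogSummary -Lines (Get-Content C:\Windows\WindowsUpdate.log) | Format-List
```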
 
LVL 8

Author Comment

by:Leo
Apologies, by http://wsustest.test I mean http://wsustest.domain.
WSUS is installed on the server, kindly see the screenshot.

When I enter http://wsustest.domain/Content ... it comes up with webpage cannot be found...
Under Server Manager --> IIS this is what I can see... can't see any default site name... not sure why...
IIS.jpg
WSUS.jpg
0
 
LVL 76

Expert Comment

by:arnold
try http://wsustest.domain:8350/Content

The images are of little use. as they display the expanded data from the role.


use administrative tool, IIS.
There should be three sections: application pool, sites, expand sites. Do you have one Default website? Or do you have another.


run the following on the wsustest.domain system

netstat -an | find /i "ESTABLISHED"
Do you have an entry here that says: :8350
0
 
LVL 8

Author Comment

by:Leo
There are no other websites... only one default website...
But even under one website, I am not able to see application pool, sites... do I have to install additional services for IIS?
And after running the command netstat -an | find /i "ESTABLISHED" there is no entry for 8350.

When I enter http://wsustest.domain:8350/Content ... I get a blank page... Internet Explorer cannot display the webpage...
0
 
LVL 76

Expert Comment

by:arnold
Within the default site, do you have a Content virtual directory, selfupdate?

C:\program files\update services\tools\wsusutils.exe

Several things do not make sense unless we are somehow looking at different servers physical or virtual.

I made an error the netstat -an |find /I "listen"

See if you have an 8350 here.

If you would, please post the results from the above.
0
 
LVL 8

Author Comment

by:Leo
I have installed IIS management services and now I can see Default website, and WSUS administration.
0
 
LVL 8

Author Comment

by:Leo
I confirm I can see this directory...

C:\program files\update services\tools\wsusutils.exe  

and results from this command are;

TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
 TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
 TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1947           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:2179           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:7569           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:8192           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:8193           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:8194           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:8530           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:8531           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:19100          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:19101          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:49184          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:63156          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:63384          0.0.0.0:0              LISTENING
 TCP    0.0.0.0:63385          0.0.0.0:0              LISTENING
0
 
LVL 8

Author Comment

by:Leo
I can see under IIS management, WSUS administration for site binding it shows 8530....
Bindings.jpg
0
 
LVL 8

Author Comment

by:Leo
When I do the test under WSUS administration... it's showing a warning message; does that point to the issue? If yes, how can I fix it?
test.jpg
0
 
LVL 76

Expert Comment

by:arnold
It's a warning. Point the client to 8530 and see if it is or is not an issue.

Check the security setting on the path where the WSUS content is, if the windowsupdate log suggests that after connecting it saw new updates, but fails to download them.
0
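The client-side checks discussed up to this point (which server the GPO names, whether a hosts entry overrides DNS, whether the port in the URL is open, and whether the SimpleAuth path answers there) can be run in one pass on the test machine. This is an added example, not code from any participant in the thread; the function name Test-WsusClientTarget is hypothetical, and it assumes the policy is delivered through the standard Windows Update policy registry key.

```powershell
# Added example (not from the thread). Test-WsusClientTarget is a hypothetical name.
# Written for PowerShell 2.0, the version shipped with Windows 7 / Server 2008 R2.
function Test-WsusClientTarget {
    param(
        # Registry key where the Windows Update GPO settings land on the client.
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate',
        [string]$HostsFile = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
    )

    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if (-not $policy -or -not $policy.WUServer) {
        Write-Warning "No WUServer value under $PolicyKey; the WSUS policy has not applied here."
        return
    }
    $au = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction SilentlyContinue

    # The policy value must be a full http(s) URL, including the port when WSUS
    # is not on the default port of the scheme.
    $uri = $null
    $isUrl = [System.Uri]::TryCreate($policy.WUServer, [System.UriKind]::Absolute, [ref]$uri)
    if (-not $isUrl -or $uri.Scheme -notmatch '^https?$') {
        Write-Warning "WUServer is '$($policy.WUServer)', which is not an http(s) URL."
        return
    }

    # A hosts entry for the WSUS name overrides DNS on this machine only. It is the
    # test method used in this thread and has to be removed again after the test.
    $hostsOverride = @()
    foreach ($line in @(Get-Content -Path $HostsFile -ErrorAction SilentlyContinue)) {
        $fields = @(($line -replace '#.*$', '').Trim() -split '\s+' | Where-Object { $_ })
        if ($fields.Count -gt 1 -and ($fields[1..($fields.Count - 1)] -contains $uri.Host)) {
            $hostsOverride += $fields[0]
        }
    }

    # What the name resolves to (the Windows resolver honours the hosts file).
    try   { $addresses = @([System.Net.Dns]::GetHostAddresses($uri.Host) |
                           ForEach-Object { $_.IPAddressToString }) }
    catch { $addresses = @() }

    # Is anything listening on the port taken from the policy URL?
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($uri.Host, $uri.Port); $portOpen = $tcp.Connected }
    catch   { $portOpen = $false }
    finally { $tcp.Close() }

    # Request the path the update client calls first. HTTP 404 here is the failure
    # logged as 0x80244019: a web site answers on that port, but it is not WSUS.
    $probeUrl = '{0}://{1}:{2}/SimpleAuthWebService/SimpleAuth.asmx' -f $uri.Scheme, $uri.Host, $uri.Port
    $status = $null
    if ($portOpen) {
        try {
            $request = [System.Net.WebRequest]::Create($probeUrl)
            $request.Timeout = 10000
            $response = $request.GetResponse()
            $status = [int]$response.StatusCode
            $response.Close()
        }
        catch {
            # PowerShell may wrap the WebException; walk down to it.
            $ex = $_.Exception
            while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
            if ($ex -and $ex.Response) { $status = [int]$ex.Response.StatusCode }
        }
    }

    New-Object PSObject -Property @{
        WUServer       = $policy.WUServer
        WUStatusServer = $policy.WUStatusServer
        UseWUServer    = $au.UseWUServer        # 1 = use the intranet server
        TargetGroup    = $policy.TargetGroup    # client-side targeting group
        HostsOverride  = ($hostsOverride -join ', ')
        ResolvedTo     = ($addresses -join ', ')
        Port           = $uri.Port
        PortOpen       = $portOpen
        ProbeUrl       = $probeUrl
        HttpStatus     = $status
    } | Select-Object WUServer, WUStatusServer, UseWUServer, TargetGroup,
                      HostsOverride, ResolvedTo, Port, PortOpen, ProbeUrl, HttpStatus
}

Test-WsusClientTarget | Format-List
```

A policy URL without a port reports Port 80, which is how the missing :8530 in this thread shows up.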
 
LVL 8

Author Comment

by:Leo
Computers are able to report, thanks... it was the port issue...
But now on computers... it's showing an error code of 8024402C when I try to do Windows update...
0
 
LVL 76

Expert Comment

by:arnold
You are providing partial info.
Where do you see this error?
0
 
LVL 8

Author Comment

by:Leo
On the test computer running Windows 7, which is supposed to get updates from the new WSUS server, in Control Panel, when I click on Windows Update, I get this error...
"Windows could not search for new update, Error Code: 8024402C"
0
 
LVL 76

Expert Comment

by:arnold
Please look at the windows update log to see what it is reporting.
C:\windows\windowsupdate.log


Can you tell the client to use MS as the source and see whether the issue is wsus or computer related?
0
 
LVL 8

Author Comment

by:Leo
These are the logs...

2015-02-11      17:20:05:381       688      b28      Agent        * Found 0 updates and 79 categories in search; evaluated appl. rules of 2378 out of 4301 deployed entities
2015-02-11      17:20:05:381       688      b28      Agent      **  END  **  Agent: Finding updates [CallerId = AutomaticUpdates]
2015-02-11      17:20:05:441       688      10e4      AU      >>##  RESUMED  ## AU: Search for updates [CallId = {CBC35861-FD47-4FED-83AC-2517B51461F1}]
2015-02-11      17:20:05:451       688      10e4      AU        # 0 updates detected

2015-02-11      17:20:05:451       688      10e4      AU      ##  END  ##  AU: Search for updates [CallId = {CBC35861-FD47-4FED-83AC-2517B51461F1}]
2015-02-11      17:20:05:451       688      10e4      AU      #############
2015-02-11      17:20:05:451       688      10e4      AU      Successfully wrote event for AU health state:0
2015-02-11      17:20:05:451       688      10e4      AU      Featured notifications is disabled.
2015-02-11      17:20:05:451       688      10e4      AU      AU setting next detection timeout to 2015-02-12 01:58:34
2015-02-11      17:20:05:451       688      10e4      AU      Setting AU scheduled install time to 2015-02-11 17:00:00
2015-02-11      17:20:05:451       688      10e4      AU      Successfully wrote event for AU health state:0
2015-02-11      17:20:05:451       688      10e4      AU      Successfully wrote event for AU health state:0
2015-02-11      17:20:10:379       688      b28      Report      REPORT EVENT: {1A4D164A-9598-4328-9C60-2674BF90A501}      2015-02-11 17:20:05:381+1000      1      147      101      {00000000-0000-0000-0000-000000000000}      0      0      AutomaticUpdates      Success      Software Synchronization      Windows Update Client successfully detected 0 updates.
2015-02-11      17:20:10:379       688      b28      Report      REPORT EVENT: {7DC9240E-4D86-43A9-BC5D-FAFD9D35163C}      2015-02-11 17:20:05:381+1000      1      156      101      {00000000-0000-0000-0000-000000000000}      0      0      AutomaticUpdates      Success      Pre-Deployment Check      Reporting client status.
2015-02-11      17:20:10:379       688      b28      Report      CWERReporter finishing event handling. (00000000)
0
 
LVL 76

Expert Comment

by:arnold
There is nothing here pointing to an error?

Is this the report from access ms or your wsus server?
0
 
LVL 8

Author Comment

by:Leo
This is from the windows 7 test machine......
0
 
LVL 76

Expert Comment

by:arnold
Was this when you ran check for updates using the local wsus or windows?

Look within the wsus test update services to see what is being reported about this host there, does it say this system needs updates or does not?
0
 
LVL 8

Author Comment

by:Leo
Yes, this is when I run check for updates on local WSUS...

I released an update; I just thought the computers should get it?

I have attached a screenshot for the status report on the test computer...
0
 
 
LVL 38

Expert Comment

by:Hypercat (Deb)
It somewhat depends on what options are set in your group policies for Windows Update.  Normally, you set the policies to install updates at a certain time of day.  For example, we normally use 3AM.  Workstations that are left on overnight (as we request all users to do on "update night") will automatically download all approved updates, install them and restart as necessary.  If you post the contents of your Windows update group policy, we can tell what is set up and perhaps conclude why the updates aren't being downloaded and installed.
0
 
LVL 8

Author Comment

by:Leo
I have attached a screenshot. I just thought once you release updates from WSUS, the clients should be able to get updates in a few hours; it's been a day, and the computers haven't received any updates...
GP.jpg
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 400 total points
What is the status of the computer on the new wsus server? What is the status of each update? Is it authorized for install to the client?
In what group is the client on the wsus server. Note that when you create a "test something" as the target that has not been used, unless you approve updates for all, there will not be updates in this group that are authorized to install.

According to your earlier post's snippet of the windows update log, there are no updates set to install for this client.
Approving updates is install for all, install for some groups, listed within wsus.
0
 
LVL 76

Expert Comment

by:arnold
Do the 25 updates, when clicked on, show the status of Install or not approved to the test group?
0
 
LVL 8

Author Comment

by:Leo
Status of the test computer on WSUS is with a yellow exclamation mark. I can authorize new updates from the WSUS server to test computers.
Under WSUS I have created a group called Test, and all test machines are under that, and I can approve updates for this folder...
The 25 updates which it shows are not installed; I can't really see them on the test computer, meaning when I check for updates, it says no updates available...
0
 
LVL 76

Expert Comment

by:arnold
Not Installed, is the status of the update for this computer say not approved, or Install?
The update must be marked Install for the group (target in WSUS ) to which this computer  via GPO (client Target: Test [redacted in your image])

You have 10 people, 5 of them are members of group A, 5 of them are members of group B. You have a set of instructions on the wall:
Group A with what they have to do.
Group B with what they have to do.

You decided to setup a New group,  Test.
You pick a person (person 4) from Group A and assign them to the Test group.

The person (person 4) will not know what to do Until You Post the instructions for Group Test.

This is the issue with your WSUS server.  You created a new GPO for this system and created a new Client Target Group for use on WSUS. Until you take the steps to approve updates that include systems in the WSUS Test target, those systems will check in and will identify that they need updates that have not been approved for this target group.

Go to the test group, select the system, click on the number of updates not installed, go to the second page and approve the updates for the Test group that this system needs.  If the test wsus is a replica, you can only approve updates for the Test group on the master wsus server.

You seem to be going out of your way to make this transition more complicated than it usually is or needs to be.
I.e. you seem to continually add impediments in your own path.
0
 
LVL 8

Author Comment

by:Leo
I was just following what my manager asked me to do :-) I understand it would have been much easier; doing it like this has overcomplicated things, but I didn't have a choice...
But the computers have started reporting, which is a good sign... and everything seems to be working well in the test environment...
0
 
LVL 8

Author Comment

by:Leo
Now I have changed the WSUS settings and pointed it to the new production server...
But it's been more than 2 hours... and no computers have reported on the new WSUS console.

I have done wuauclt.exe /resetauthorization /detectnow /reportnow ... on one of the machines... but that doesn't seem to have reported so far...
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
Be patient.

First, the computer GPO needs to be refreshed (forcing a refresh will require a restart unless you use the /Sync, but that too might require a restart).
Once the GPO is refreshed, the checking for updates will depend on what your settings are; if nothing is set, the 22 hour interval that is the default will be used.
0
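A way to tell "policy has not arrived yet" apart from "policy arrived but points at the wrong server or group" before waiting out the detection interval. This is an added example, not part of the thread; `$ExpectedServer` and `$ExpectedGroup` are placeholder values, and the registry values read are the standard Windows Update policy settings written by the WSUS GPO.

```powershell
# Added example: confirm this client has picked up the new WSUS policy.
# $ExpectedServer and $ExpectedGroup are placeholders, not values from the thread.
$ExpectedServer = 'http://newwsus.example.local'
$ExpectedGroup  = 'MyGroup1'

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

if (-not $wu) {
    Write-Warning 'No Windows Update policy key found: the GPO has not applied to this computer yet.'
    return
}

$problems = @()
if ($wu.WUServer -ne $ExpectedServer) {
    $problems += "WUServer is '$($wu.WUServer)', expected '$ExpectedServer'"
}
if ($wu.WUStatusServer -ne $ExpectedServer) {
    $problems += "WUStatusServer is '$($wu.WUStatusServer)', expected '$ExpectedServer'"
}
if ($au.UseWUServer -ne 1) {
    $problems += 'UseWUServer is not 1, so the client ignores the intranet server setting'
}
if ($wu.TargetGroupEnabled -ne 1 -or $wu.TargetGroup -ne $ExpectedGroup) {
    $problems += "Client-side target group is '$($wu.TargetGroup)', expected '$ExpectedGroup'"
}

# Detection interval in hours; 22 is the default when the policy does not set one.
$hours = if ($au.DetectionFrequencyEnabled -eq 1) { $au.DetectionFrequency } else { 22 }
Write-Output "Detection interval: $hours hour(s)"

if ($problems.Count -gt 0) {
    # Policy is stale or wrong: fix or refresh the GPO before forcing detection.
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Output 'Refresh computer policy (gpupdate /target:computer /force), then run this check again.'
}
else {
    # Policy is correct: force a new authorization, detection and report cycle.
    Write-Output 'Policy matches the new server; forcing detection and reporting.'
    & wuauclt.exe /resetauthorization /detectnow
    & wuauclt.exe /reportnow
}
```

Run it from an elevated prompt on the client; the comparison is an exact string match, so a trailing slash or port number in the GPO value has to be reflected in `$ExpectedServer`.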
 
LVL 8

Author Comment

by:Leo
Comment Utility
Hi,
Any thoughts on this to migrate the old approved updates to the new one?
http://exchangeserverpro.com/how-to-move-wsus-30-to-a-new-server/

On the new server it's coming up with the updates which are required... and there are a couple of thousand of them...
0
 
LVL 8

Author Comment

by:Leo
Comment Utility
I tried to follow the instructions on this tool for migrating the updates, but I can't find "wsusmigrationexport.exe settings.xml",
so I don't know if it will work or not.
0
 
LVL 8

Author Comment

by:Leo
Comment Utility
I was able to run the exe file... but the XML was only 1 KB; it didn't export anything...
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
The command is wsusutil.

I am puzzled why you are not considering making your new wsus a replica of the old?

This will cause your new server to synchronize with the existing master, which will include all approved and declined updates, and it will get the files from that server versus retrieving them via the WAN.

Once it is done, and you transition all the clients to the new server, you can change the configuration when the old one is ready to be decommissioned.
0
 
LVL 8

Author Comment

by:Leo
Comment Utility
I want to do what you said as well... it makes more sense... but my manager thinks the other way... I have to do what he asks me :-(
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
I've actually not seen wsusmigrationimport.exe ....

You are following the process of transferring data to a system that does not have access to the outside (offline update transfers)

The issue I see is that you've already had it running .....

c:\program files\update services\tools
wsusutil.exe export wsusschema.cab wsusschemaexport.log
You would then back up the content of the WSUS, or are you OK with letting the WSUS server retrieve the files from MS? wsusutil.exe reset after the schema is imported?

I've not tried it recently, so not sure how big the two files could get from the export.
The WSUS data could be in the 20-80GB range depending on which products/classifications you have selected. You might want to run the cleanup wizard on the existing WSUS to get rid of expired/declined packages. No point in transferring those.

On the new one,
restore the package content first.
You would use wsusutil.exe import wsusschema.cab wsusshemaimport.log


I guess the issue is the manner in which the addition of the new server is perceived by your manager. One way is to have it as an additional resource to maintain continuity as well as handle HW failures of update rollouts. Versus this server is a replacement for the other.
For continuity, one will have a single master with the others being replicas for straightforward management.
0
 
LVL 8

Author Comment

by:Leo
Comment Utility
I am OK to retrieve updates from MS after the schema is updated... at the moment the new server is set to get updates from MS as well...
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
OK, not sure how much space the export will take, but just in case, make sure the wsusexportschema.cab file is written to a drive that has enough space. Without the drive letter it will be where your working directory is.
0
 
LVL 8

Author Comment

by:Leo
Comment Utility
OK, do I have to place all files under one folder?
That means wsusutil.exe export wsusschema.cab wsusschemaexport.log...
And how can I define the drive letter while exporting?
Currently the WSUS content folder is on a different drive; it's not on the C: drive.
0
 
LVL 8

Author Comment

by:Leo
Comment Utility
I have been told to go with this option...
http://exchangeserverpro.com/how-to-move-wsus-30-to-a-new-server/
Again, the one you mentioned makes more sense... but I can't do anything :-(
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
Note the first portion of the link deals with making the new WSUS a replica of the existing server, which you previously resisted based on your manager's requirements.

Not sure what the point is of using the second portion, where data is exported from the master, given that if you allow the replica situation to last about 30-40 minutes the data will be transferred over the network. But that might be the reason to get the WSUS config transferred and have the updates that have been previously approved included in the new server. A concern deals with having 20-80GB of data transferred over a network.
0
 
LVL 8

Author Comment

by:Leo
Comment Utility
I was asked to put together a procedure to use this tool... so from step 6...
http://exchangeserverpro.com/how-to-move-wsus-30-to-a-new-server/
I downloaded the tool; it came with the WSUSMigrate Read Me guide, which I have attached.
But I have been told it's wrong... but I haven't been told where... I just put together a procedure from the Read Me document, a procedure on how to export updates and how to import them... In the import commands, it imports updates and group folders... there is no parameter to only import updates... so would that be the part where I will be considered wrong?
The computer group structure on the old server is different to the new one... it has different names...
WSUSMigrate-ReadMe.doc
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
After looking closer at the link and the tool, all it seems to do is export the classification/products settings along with any auto-approval parameters.

The issue is that target groups are part of the data transferred during the first part of the link, i.e. when the new server was a replica of the old.
The group policy is a non-issue as you control it; the only issue with GPO that would pose an issue for you is if you change the client target (WSUS computer group names) without actually changing them on the WSUS,
i.e. you have group1, group2, group3. In the new GPO for client target you add Mygroup3. The system to which this GPO applies will register Mygroup3 on the WSUS, which will be created automatically when WSUS is configured to be deployable via GPO. Now since this group Mygroup3 is new, the only updates that will be approved under it will be those that have previously been approved for All Computers; otherwise, the updates in Mygroup3 will have the not approved status.

The above applies to WSUS 2.0 to 3.0 migration.

I've used it and often did the settings configuration for product/classification as well as auto-approvals manually. Often only one server needs to have it at any one time, with others depending on it (master/replicas).

For your document to be complete, item 5 (offline transfer) has to use wsusutil, which is the way that the packages are exported.

If you have a test lab, I would suggest you try it out.

In replica/master setups, certain functions/settings/options are grayed out on the replica as they are controlled by the configuration/settings on the master.
.....
0
 
LVL 8

Author Comment

by:Leo
Comment Utility
Thanks a lot...
I will give you more of an overview of how the new one has been set up... and I will attach the procedure on how the updates will be moved from the old one to the new one. Kindly review it and let me know what I missed :-)
On the old server we have computer groups like Group1, Group2, Group3... When WSUS was installed on the new one, all the computer group names got renamed like mygroup1, mygroup2, mygroup3... and under GPO I have to change the names so that they point to the right groups under WSUS.
Now, using the tool here, i.e. http://exchangeserverpro.com/how-to-move-wsus-30-to-a-new-server/
will the attached document be the right approach in moving updates from server1 to server2?
Both servers are running WSUS 3.0.
In the attached document I have just listed the steps...
wsus.docx
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
I'll take a look at your document later; I can suggest one thing ahead of time.
Once you decouple the new server from the old server, you can rename the computer groups, thus preserving the approved updates for the corresponding groups.
0
 
LVL 8

Author Comment

by:Leo
Comment Utility
So I have to keep the computer group names the same on the new server?
On the new server the group names have already been created... and the computers/servers have already reported to each group...
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
I have not had a chance to look at your most recent document.

Let me confirm I understand the process you are trying to address/document.
1) Existing WSUS server with X number of groups.
2) The need arose to replace the existing WSUS with a newer one.
     A) The update groups to which computers belong will change.
     B) GPOs managing the computers will change.
 
Steps
1) Install the new OS on the new server.
2) Add the WSUS role to the server while configuring it as a replica of the old one to synchronize updates/approvals and prior groups, as well as control of clients via GPO.
3) After the synchronization/content retrieval of data from the old on the new, the new WSUS is reconfigured to now retrieve data from Microsoft directly.
4) The new WSUS computer groups need to be renamed if you wish to maintain the status of the updates as approved. You might have to double check which current groups deal with which types of updates.

You can follow by getting the API and dealing with the export/import of settings.
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
Read up on the document.

I've not used the migration tool so do not have a way to comment on its use.

Is the WSUS server you are testing in production now? Or is it available to test your document on?
Nothing helps make things clearer than following one's own instructions.

You reference the document that references the location where the tool can be obtained, but you deviate from those instructions.

I went through this type of transition and followed what I provided to you. I did have to manually change the classification/products as well as the auto-approval rules after the new became the primary instead of a replica.
0
 
LVL 8

Author Comment

by:Leo
Comment Utility
The new one is live now, meaning it's in production; DNS records have been pointed to the new one...
Can you help me clarify where in that document I deviated from the instructions?

So what you are suggesting is to change the group folder names to what they were on the old server and then carry out the migration of the updates?
Or can it be accomplished without changing the names of the computer group folders?
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
The document you referenced as the source of the migration tool has the first portion of establishing the new as a replica first to get the approved/declined update info and possibly all the package files that are approved on the old.
The second step deals with changing the new from replica to master.
At this point the groups on the new match the groups on the old.
You can rename the groups on the new, preserving the prior approvals.
The new GPOs you will be applying can have the new download/install and client target rules.
(The GPO setup can have one higher level that sets the intranet WSUS server only. Then you can have a GPO for each computer OU that sets their update settings, client targets, install setting, restart restriction, etc.)

The suggestion about renaming of the old groups within WSUS deals with not having to go through approving many ...

The changing of the group names deals only with preserving and transparent client update management. The WSUS will add any group that a system connecting in uses as its client target when WSUS is configured with GPO-based setting of clients versus WSUS managed.
0
 
LVL 8

Author Comment

by:Leo
Comment Utility
Your third point: "At this point the groups on the new match the groups on the old." The computer groups on both are different, meaning their names; how will they match the updates? And is there any way to rename computer groups? The only option I see is to delete them.
0
 
LVL 8

Author Comment

by:Leo
Comment Utility
And on which step I have to use the migration utility http://exchangeserverpro.com/how-to-move-wsus-30-to-a-new-server/ ?
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
I have to recheck; I think it is possible to rename, it might involve a change in configuration.

Using the migration tool and modifying the XML.

Will get back...
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
Just to be clearer. Computer groups in the AD do not need to correspond to the ones in the wsus. WSUS group deal with common where updates are.
Usually one would have a server marker for server based odes.
A workstation
And a workstation test type that allows the administrator to have these as test platforms to make sure business is not impacted by an update.
Clients connecting and retrieving updates .........
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
Just rechecked; you're right, there is no way within the update interface to rename the WSUS computer groups. Not sure why or where I got that it is possible.
0
 
LVL 8

Author Comment

by:Leo
Comment Utility
So if I can't rename it... what should I do :-(
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
There is no specific requirement nor special meaning to the group names outside the WSUS server.

Check what the XML output is; changing its contents would be one way.
Another way deals with whether you use SQL Server to store the WSUS database, in which case you can alter the group names on the DBA side.

Alternatively, using auto-approval to change/add the new group and rerunning that
Critical, security updates .......
0
 
LVL 8

Author Comment

by:Leo
Comment Utility
WSUS content is not stored in SQL; it's in WID.
By XML output file, did you mean the Windows content folder? What should I change in that file?
Sorry, I still didn't understand clearly what you meant when you said I deviated from the objective in the migration task list I attached earlier.
0
 
LVL 76

Accepted Solution

by:
arnold earned 400 total points
Comment Utility
When you run the wsusmigrationtool, which seemingly exports approved updates/settings/groups in an XML format, this XML file would need to be edited to replace group1 that you currently have with MyGroup1 that the new one will have, or, depending on how the XML is structured to reflect that an update is approved for multiple groups, it might be possible to add the new group versus replacing an old one.

I have not used this tool before, so the above is an eduguestimate based on the descriptions of what it is supposed to do.
wsusutil exports the content.
0
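The thread's core problem is approvals that exist for Group1 on the old server and are missing for MyGroup1 on the new one. It can also be approached through the WSUS administration API mentioned earlier instead of editing the tool's XML. The PowerShell below is an added example, not part of the thread and not the migration tool; the server names and port are placeholders, the group names are the thread's illustrative ones, and it assumes the WSUS console is installed where it runs and that the new server is not a replica.

```powershell
# Added example: copy per-group approvals from the old WSUS server to
# differently named groups on the new server. Server names, port and the
# group map are placeholders/assumptions; replace them with your own.
param(
    [string]$OldServer = 'oldwsus.example.local',
    [string]$NewServer = 'newwsus.example.local',
    [int]$Port = 80,
    [switch]$Apply        # without -Apply the script only reports
)
# Old group name -> new group name
$GroupMap = @{ 'Group1' = 'MyGroup1'; 'Group2' = 'MyGroup2'; 'Group3' = 'MyGroup3' }

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$proxy = [Microsoft.UpdateServices.Administration.AdminProxy]
$old = $proxy::GetUpdateServer($OldServer, $false, $Port)
$new = $proxy::GetUpdateServer($NewServer, $false, $Port)

$oldGroups = @{}; $old.GetComputerTargetGroups() | ForEach-Object { $oldGroups[$_.Name] = $_ }
$newGroups = @{}; $new.GetComputerTargetGroups() | ForEach-Object { $newGroups[$_.Name] = $_ }
$oldUpdates = $old.GetUpdates() | Where-Object { -not $_.IsDeclined }

foreach ($pair in $GroupMap.GetEnumerator()) {
    $src = $oldGroups[$pair.Key]
    $dst = $newGroups[$pair.Value]
    if (-not $src -or -not $dst) {
        Write-Warning "Skipping $($pair.Key) -> $($pair.Value): group missing on one server"
        continue
    }
    foreach ($update in $oldUpdates) {
        foreach ($approval in $update.GetUpdateApprovals($src)) {
            # Look the same update revision up on the new server.
            try { $target = $new.GetUpdate($update.Id) }
            catch { Write-Warning "Not synchronized on new server: $($update.Title)"; continue }

            # Leave approvals that already exist for the new group alone.
            if ($target.GetUpdateApprovals($dst).Count -gt 0) { continue }

            Write-Output "$($approval.Action): $($target.Title) -> $($dst.Name)"
            if ($Apply) {
                # Approval fails until a required licence agreement is accepted.
                if ($target.RequiresLicenseAgreementAcceptance) { $target.AcceptLicenseAgreement() }
                [void]$target.Approve($approval.Action, $dst)
            }
        }
    }
}
```

Run it once without `-Apply` and review the list before committing; approval deadlines are not copied, and updates the new server has not yet synchronized are only reported.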
