Hani_SA asked:

WSUS Upgrade Roadmap

Hail to all Professionals,

I have a WSUS 3.0 SP2 installed on Windows Server 2003 using WID, which I'm planning to get rid of by doing a fresh installation on a Windows Server 2012 R2 using a remote SQL 2012.
I have over 100 GB of metadata files on the 2003 server with 32,000 updates (of which 25,000 are declined).
Also I have a 2008 server which acts as a replica of the 2003 server.

Here's how I'm planning to conduct the upgrade:

1. Install the WSUS role on the 2012 server

2. Copy the metadata files to the new server

3. Since I have over 1000 clients, I'm planning to have the new server use the same identity

In order to make it work I have to use the same IP and DNS name for Windows Update on the 2012 server and shut down the 2003 server.
This way clients will still be able to communicate with the new server without updating the group policy.
I found info about this but I don't know how it is brought to bear?

4. Get rid of the declined updates

The reason why I'm not doing a backup/restore of the old database is that I have over 25,000 declined updates still showing in the update view (Drivers & Languages data). I have tried several cleanups with no success, so the new SQL 2012 database will start anew.
For that I'm thinking to set the 2012 server as a replica of the 2003 just until the updates/computer groups are synchronized, then bring it to upstream and shut down the old one. What is the best approach here: re-download the updates, or is there a way to delete the declined updates from the database using PowerShell cmdlets?

5. Restore replica with 2008 server

Thank you for submitting your valuable expertise/knowledge and in the act taking part in this successful journey.
Tags: Windows Server 2012, Microsoft SQL Server, WSUS

Last comment: 8/22/2022 - Mon, David Johnson, CD

You haven't done a WSUS cleanup?

I did several cleanups with no success; declined driver updates are still showing.

You should have posted before going this route. My advice would have been to subordinate/make the new 2012 a replica of the existing one.
Then when your catalog/approved updates are replicated from the old to the new, you make the new one primary, update the GPO to point to the new one, and you are set.

Not sure what the issue with updating the GPO is; what is the concern? Another option could be to make the GPO point to update.yourdomain.com, which is a CNAME/alias to any WSUS you have or add in the future.

Part of the master/replica option is one that deals with client information being rolled up to the master, i.e. client A connects with the replica and gets updates; the replica pushes the event up to the master so it too reflects that client A accessed and ... changes.
Update approvals can only be done on the master; the replica will get the change on the scheduled sync date.

This way the new one will sync to the old, getting the files/update packages from the old over the network...

No need to haul 100 GB of data and approved updates, i.e. using wsusutil and the WSUS migration tool.

The replica is a straightforward approach without any complication; after the change you can reverse the order, making the 2012 the primary and the 2003 secondary for the duration, allowing the GPO update reflecting the new intranet WSUS server to propagate throughout.

IMHO, it is a mistake to use the same name/IP when replacing any server where it is not absolutely necessary, as this type of approach is a one-way street (in an AD, only one named object will be valid). Once you take this road, there is no turning back. Having two systems, you can point to the new one, and if something goes wrong, you can always revert to the working old solution.

Not sure what you mean by getting rid of declined updates; updates declined without prior approval have no downloaded files.

Thanks arnold for your quick reply.

That was the way I was tending to follow:
make my 2012 a replica of the 2003 to get all updates/approvals, then make it upstream again.
But you mention there is no need to copy/paste the metadata to the new server since the replica option will do it once synched, is that correct?

In my current configuration I use a CNAME/alias for WSUS in the GPO for clients; however I'm thinking here of two ways:
After sync, either use the same WSUS alias on the new server but with a different IP, in which case I will have to update DNS records to point clients to the new server,
or use the same IP/WSUS alias and shut down the old 2003 since I won't need it anymore, by using these commands from the Microsoft guide:
$updateServer = Get-WsusServer
$config = $updateServer.GetConfiguration()
$config.ServerId = [System.Guid]::NewGuid()
$config.Save()   # commits the new ServerId; without Save() the change is never written to the database
As soon as the server identity is changed, run the following command to generate a new encryption key:
%ProgramFiles%\Update Services\Tools\wsusutil.exe postinstall
What do you think is the best approach here, since I have over 1000 clients registered with WSUS, the majority configured via GPO with the alias record, but some clients configured manually via IP to update from WSUS, and I don't want a headache caused by clients no longer getting updates...

Last, regarding declined updates, I know that they aren't being downloaded, but the fact that over 25,000 updates show as declined in the update view seems to create garbage in the database that I intend to get rid of, so what do you propose?


Yes, the only issue will possibly deal with manually selecting the packages/classification.
CNAME is in DNS; you can have two records for update, let's say
Update 90 IN CNAME win2003_server
Update 90 IN CNAME win2k12_server

where 90 is the TTL setting, which deals with how frequently the client has to request/look up the record. What this will do is alter the order of the presented servers.
Once it will be win2003_server win2k12_server and the next time it will be win2k12_server win2003_server.
The change in order will change which server the client will connect to.

There is nothing to be done about declined updates, as you don't seem to be concerned about the number of available updates.
If you are that concerned, identify a category that might be part of the classification that is selected but is unneeded. Deselecting that will reduce the total updates, and any declined ones will not be counted either.

In the situation you have, you would need to keep the 2003 server for a while, through which you could identify the clients configured manually, by pointing the GPO only to the 2012, or by only having one DNS alias pointing to the 2012.
Then over time, when 2003 is the replica, it will only reflect clients who checked through it, with more recent timestamps.

Are the ones configured statically by IP offsite systems? In that case they will be pointing to a public IP, meaning you can make changes on the firewall pointing that public IP to the new server.

Hey arnold,

Actually, just to shed light on your feedback,

1. So you suggest to go ahead with the replica without copy/pasting the meta files, since replica sync will do it anyway.

2. Use the same DNS record for the update server but with a different IP, update DNS accordingly, and shut down the old server.

3. How do you think I can keep the DNS record/IP in order not to get hassle from the servers configured by IP, those located in my DMZ with private IPs?

4. Last, is there something to do to delete the driver classification updates that were declined and get rid of them? And what about the option of building a new clean and indexed database and approving the updates progressively? Do you think this is the last hard option?

5. Last, do you think with the new 2012 server as upstream I can still achieve a replica with my 2008 server, or should I update the latter to 2012 as well? And what about client updates, do I have any restrictions with regards to WSUS 6.2? In other words, is it compatible with 2003, 2008, 2012, Windows XP, 7 and 8 clients?


Thanks man for your quick reply.
2) & 3) I don't intend to get into the GPO update and fix non-compliant clients that use IP instead of the DNS name. That said, can you advise if I can go ahead with these steps by keeping the old server identity (WSUS IP/alias name, i.e. updateserver.com) and later bring it down since I won't have any more use for it?

$updateServer = Get-WsusServer
$config = $updateServer.GetConfiguration()
$config.ServerId = [System.Guid]::NewGuid()
$config.Save()   # commits the new ServerId; without Save() the change is never written to the database
As soon as the server identity is changed, run the following command to generate a new encryption key:
%ProgramFiles%\Update Services\Tools\wsusutil.exe postinstall

4) I already unchecked the Drivers classification, but I'm looking for a way to clean the declined updates from the view in order to have a clean and properly indexed database. Do you have a solution for this?

Thanks for your tremendous support,

As noted, I am against trying to bring servers up on the same IP as another server.

To achieve what you want, you might as well simply bring up a second (advanced TCP/IP) IP to match the retired server.

The new server will have two IPv4 IPs, its default primary and the other server's as secondary.
Once you unchecked the classification, run the cleanup wizard, refresh the Update Services interface, and the items (declined update count) should be gone.

You can look at wsusutil, though I think once the classification is unchecked and the display refreshes/cleanup wizard runs, it should do what you want.
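One way to carry out the secondary-IP suggestion above on a Server 2012 box from PowerShell, as an added example that is not part of this thread and not Microsoft's own guidance: add the retired server's address as a second IPv4 address on the adapter, then check that the WSUS client web service answers on every address the adapter now has. The adapter name, the legacy address and prefix length, and the WSUS port are assumptions (constructed placeholders); replace them with your own values, and make sure the 2003 server is already off, since Windows will otherwise detect the address conflict.

```powershell
# Added example (not from the thread). Assumptions: adapter 'Ethernet', the retired
# 2003 server answered on 10.0.0.10/24 (constructed placeholder), WSUS listens on 8530.
$Interface = 'Ethernet'
$LegacyIp  = '10.0.0.10'
$Prefix    = 24
$WsusPort  = 8530      # WSUS 2012 default; use 80 if the legacy port was kept

# Add the old address as a secondary IP. -SkipAsSource $true keeps the server's own
# primary address as the source for outbound traffic (e.g. sync to upstream), so the
# legacy address is only used to answer clients that still point at it.
$existing = Get-NetIPAddress -InterfaceAlias $Interface -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress -eq $LegacyIp }
if (-not $existing) {
    New-NetIPAddress -InterfaceAlias $Interface -IPAddress $LegacyIp `
        -PrefixLength $Prefix -SkipAsSource $true | Out-Null
}

# Verify that the WSUS client web service responds on every IPv4 address of the adapter.
# A GET on client.asmx returns the service description page (HTTP 200) when WSUS is up.
$results = foreach ($ip in (Get-NetIPAddress -InterfaceAlias $Interface -AddressFamily IPv4).IPAddress) {
    $url = "http://${ip}:${WsusPort}/ClientWebService/client.asmx"
    try {
        $status = (Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10).StatusCode
    } catch {
        $status = "ERROR: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Address = $ip; Url = $url; Status = $status }
}
$results | Format-Table -AutoSize
```

If the legacy server listened on port 80 and the new one uses 8530, clients that were pointed at the old address by IP will still fail; in that case either keep the legacy port on the new server (wsusutil usecustomwebsite false) or fix those clients, because adding the address alone does not change the port.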

hey arnold,

I double checked that drivers are unchecked in the classification window and performed several cleanups; nevertheless these updates never seem to go away.
Also I have the same issue on my 2008 replica server, and now, before I venture on this upgrade journey to the 2012 server, since at some point this new server will be a replica of the old 2003 one, I suspect I might run into the same issue with the declined updates showing in the update view.

Do you think I am unable to purge these records from the database because no maintenance nor indexing was performed on this database for the past 5 years?

In addition, do you believe that on the 2012 server, using some PowerShell cmdlets, I might be able to clear those updates?

Thank you for your continuous support
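On the cmdlet question above, an added example (mine, not from this thread and not Microsoft's documentation): on Server 2012 the UpdateServices module is installed with the WSUS role, so the declined-update inventory, the same cleanup the Server Cleanup Wizard runs, and, if the rows really must go, deletion through the WSUS API can all be scripted and checked before and after. The -DeleteDeclined switch name is my own choice; deleting update metadata is irreversible, so it is off by default.

```powershell
# Added example (not from the thread). Run on the WSUS 2012 server itself.
param(
    [switch]$DeleteDeclined   # hypothetical switch; deletion is irreversible, off by default
)

Import-Module UpdateServices

# Get-WsusServer with no arguments connects to the local WSUS instance
$wsus = Get-WsusServer

# Enumerate declined updates through the WSUS API (UpdateScope filtered on Declined)
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::Declined
$declined = $wsus.GetUpdates($scope)

"Declined updates before cleanup: {0}" -f $declined.Count
$declined |
    Group-Object { $_.UpdateClassificationTitle } |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Same steps as the Server Cleanup Wizard in the console. Declined updates have no
# content files, so the count in the view only drops when the rows themselves go.
Invoke-WsusServerCleanup -UpdateServer $wsus `
    -CleanupObsoleteUpdates -CleanupUnneededContentFiles `
    -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates

if ($DeleteDeclined) {
    foreach ($u in $declined) {
        # DeleteUpdate removes the update's metadata rows from the database
        $wsus.DeleteUpdate($u.Id.UpdateId)
    }
    "Deleted {0} declined updates" -f $declined.Count
}

"Declined updates after cleanup: {0}" -f $wsus.GetUpdates($scope).Count
```

Run it without the switch first to see which classifications the declined rows belong to; if they are all Drivers and Language packs, as the thread suggests, the classification is already deselected and the rows are inert, which is arnold's point below. On a replica the deletion is pointless, because the next sync from the upstream re-creates any row that still exists there.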

Let me ask you the following: what is the significance of having 30,000 declined updates listed? What impact does it have on your WSUS's ability to perform its duties or provide updates?

Here is a discussion along the same lines: https://social.technet.microsoft.com/Forums/windowsserver/en-US/404292a0-c762-4cfa-b19a-ac765adfa48e/clear-declined-updates-in-wsus-30-with-sp1?forum=winserverwsus

Thanks arnold,

Well put; I'm going to abandon this quest of declined updates.

Hey arnold,

After deploying the WSUS role on Windows Server 2012, I received the below BPA alert pertaining to WSUS on my Server Manager dashboard:

The SelfUpdate folder should be correctly installed on the default Web site or the WSUS Administration site

I found this Microsoft article that describes the same issue; however, the installselfupdateonport80.vbs script is not available on my server.


Also I have this error pertaining to SQL:


Should I ignore the SQL error and disable it at startup, noting that the WSUS role is configured with a connection to a remote database instance?

Thank you for your continuous support