Agenda
Topics
Part I: Architecting and Implementing WSUS
Part II: Troubleshooting WSUS
Part III: Tips and Tricks for Using WSUS
Provides a foundation for Update Management across Microsoft products: SCE, Configuration Manager 2007, MBSA, WU, SBS, Forefront
Consistent scan results: one unified client scan mechanism (WUA) irrespective of which server actually manages the updates
WSUS Momentum
Over 500,000 distinct WSUS servers synced with Microsoft Update last month
Used by over 60% of medium/large orgs and built into SBS
WSUS 3 released April 30, 2007
Huge improvements in performance, deployment options, reporting and UI
Easy in-place upgrade from WSUS2
WSUS 3.0 SP1 released Feb 7, 2008
WSUS 3.0 SP2 released Jan 26, 2009
WSUS Lifecycle/Roadmap
Support lifecycle
Version     Support ends    Comment
SUS 1.0     Not supported   Crazy old now. Don't use.
WSUS2 RTM   Not supported   Updates still flow
WSUS2 SP1   Not supported   EOL is April 9 2009 (now) - two years after WSUS3 RTM
WSUS3 RTM   Not supported   One year after WSUS3 SP1
WSUS3 SP1   TBD             One year after WSUS3 SP2
Next up: WSUS3 SP2 RC release, with RTM shortly after the Windows Server 2008 R2 release
Elements of Architecture
Why Architecture?
Problems are usually the result of improper architecture
A correct architecture will drive a better design
Especially in situations of administrator distrust or insufficient bandwidth
Design your WSUS solution with the same goals as your AD solution
Roaming users should be dealt with separately
Simple Architecture
Single, well-connected site
WSUS updates from MU
Clients update from WSUS
WSUS Chaining
Chaining involves downstream servers getting updates (and sometimes group data) from upstream servers
Options for chaining:
Distributed vs. Centralized model
Autonomous Mode vs. Replica Mode
Centralized Architecture
Downstream servers are replicas of the primary server
Little downstream control over servers
Downstream administrators drop machines into predefined groups
All update approvals and scheduling are done at the primary server
Distributed Architecture
Downstream servers obtain updates from primary server, except:
Update approvals do not flow down; they are assigned at each site individually
Downstream admins have greater control: they can create groups and assign approvals
Disconnected Architecture
Many environments don't have Internet connectivity
Test/dev, government, classified, air gap environments
Disconnected Architecture
Match advanced options between source and target
Express installation files & languages must match
Roaming Architecture
Manages updates for external resources
WSUS servers distribute approval metadata
Clients download updates from Windows Update directly
Extra security for the Internet-facing WSUS server
[Diagram: roaming laptops and the laptop WSUS server]
Roaming Architecture
Four Steps to an Internet-facing WSUS
1. Build the server in the DMZ and position it behind an ISA proxy
2. Locate the database on a server not reachable from the Internet
3. Enable SSL for communications
4. Host content on Microsoft Update
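The four steps above can be checked from the server itself. The following PowerShell is an added example, not material from the deck: it reads the WSUS 3.x setup registry key and the server configuration through the WSUS administration assembly (installed on every WSUS server and console). The function name, the "local database" heuristic and the port mapping are my own assumptions; step 1 is a property of the proxy and cannot be seen from WSUS, so it is reported as a manual check.

```powershell
# Added example, not from the deck. Run as a WSUS administrator on the WSUS server.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

function Test-InternetFacingWsus {
    # Values written by the WSUS 3.x installer (names as used in that key)
    $setup = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup"
    $ssl   = ($setup.UsingSSL -eq 1)
    # WSUS pairs SSL port 443 with HTTP 80, and 8531 with the custom HTTP port 8530
    $port  = if ($ssl) { if ($setup.PortNumber -eq 8530) { 8531 } else { 443 } } else { $setup.PortNumber }
    $wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer("localhost", $ssl, $port)
    $cfg   = $wsus.GetConfiguration()

    # Heuristic (assumption): the database is "on this box" when SqlServerName points at
    # the local host or at the Windows Internal Database instance (MICROSOFT##SSEE)
    $sqlHost    = ($setup.SqlServerName -split "\\")[0]
    $localNames = @("(local)", "localhost", ".", $env:COMPUTERNAME)
    $dbLocal    = ($localNames -contains $sqlHost) -or ($setup.SqlServerName -match "MICROSOFT##SSEE")

    $rows = @()
    $rows += New-Object PSObject -Property @{ Step = "1 Behind ISA/reverse proxy";
        Pass = "manual"; Detail = "verify on the proxy; not visible from WSUS" }
    $rows += New-Object PSObject -Property @{ Step = "2 Database not on the DMZ host";
        Pass = (-not $dbLocal); Detail = "SqlServerName=$($setup.SqlServerName)" }
    $rows += New-Object PSObject -Property @{ Step = "3 SSL enabled";
        Pass = $ssl; Detail = "UsingSSL=$($setup.UsingSSL) port=$port" }
    $rows += New-Object PSObject -Property @{ Step = "4 Content hosted on Microsoft Update";
        Pass = [bool]$cfg.HostBinariesOnMicrosoftUpdate;
        Detail = "HostBinariesOnMicrosoftUpdate=$($cfg.HostBinariesOnMicrosoftUpdate)" }
    $rows
}

Test-InternetFacingWsus | Format-Table Step, Pass, Detail -AutoSize
```

Step 2 only tells you the database is not co-located with the DMZ server; that the SQL host is unreachable from the Internet still has to be confirmed on the firewall.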
Upgrade Deployment
WSUS 3 SP1 setup supports in-place upgrade
One-way upgrade (no rollback)
Can't be done from WSUS 2 on Server 2000 or using SQL 2000
Troubleshooting WSUS
Microsoft does not publish the IPs associated with these FQDNs. So, if you do perimeter network security by IP, you've gotta stay on the ball with these!
Potential solutions:
Ensure you download only the languages you need
Configure patch distribution to occur in the evenings
Stagger patch distributions between tiered sites
Express installation files can exacerbate this: the bandwidth savings from express installation files occur between WSUS server and client, not between WSUS servers
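The language, express-file and synchronisation-time settings above are all exposed by the WSUS .NET API. The PowerShell below is an added example, not the deck's code: it reports the current values and, only when run with -Apply, restricts languages, optionally turns off express files, and moves the daily sync to the evening. The function name, parameters and the default port of 80 are my assumptions; adjust them for a server installed on port 8530.

```powershell
# Added example, not from the deck. Run as a WSUS administrator.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

function Set-WsusBandwidthOptions {
    param(
        [string]$Server = "localhost",
        [int]$Port = 80,
        [string[]]$Languages = @("en"),   # WSUS language codes to keep downloading
        [string]$SyncTime = "22:00",       # local time of the daily sync (evening)
        [switch]$DisableExpress,           # express files cost bandwidth server-to-server
        [switch]$Apply                     # without -Apply the function only reports
    )
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $false, $Port)
    $cfg  = $wsus.GetConfiguration()
    $sub  = $wsus.GetSubscription()

    $report = {
        New-Object PSObject -Property @{
            AllLanguages = $cfg.AllUpdateLanguagesEnabled
            Languages    = ($cfg.GetEnabledUpdateLanguages() -join ",")
            Express      = $cfg.DownloadExpressPackages
            AutoSync     = $sub.SynchronizeAutomatically
            SyncTime     = $sub.SynchronizeAutomaticallyTimeOfDay
        }
    }
    if (-not $Apply) { return (& $report) }

    # Download only the languages that are actually deployed
    $cfg.AllUpdateLanguagesEnabled = $false
    $cfg.SetEnabledUpdateLanguages([string[]]$Languages)
    if ($DisableExpress) { $cfg.DownloadExpressPackages = $false }
    $cfg.Save()

    # Pull from the upstream server in the evening so tiered sites can be staggered
    $sub.SynchronizeAutomatically          = $true
    $sub.SynchronizeAutomaticallyTimeOfDay = [TimeSpan]$SyncTime
    $sub.Save()
    & $report
}

Set-WsusBandwidthOptions                     # report only
# Set-WsusBandwidthOptions -Languages en,de -SyncTime 23:00 -Apply
```

Give each downstream tier a different -SyncTime so a branch server does not pull from its parent while the parent is still pulling from Microsoft Update.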
Throttle BITS
Throttling BITS
BITS can be throttled either on the WSUS server or additionally on all the clients
Alleviates network saturation during update distribution and during client installation
Be aware that this does slow down update distributions!
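BITS throttling is set through the Group Policy "Limit the maximum network bandwidth for BITS background transfers", which is written under HKLM\SOFTWARE\Policies\Microsoft\Windows\BITS. The PowerShell below is an added example, not from the deck: it reads that policy from the WSUS server and a sample of clients so you can see where throttling is in force and during which hours. The value names are those of the BITS policy template as I know them and should be treated as an assumption; the host names are constructed placeholders. Reading a remote key requires the Remote Registry service on the target.

```powershell
# Added example, not from the deck.
function Get-BitsThrottlePolicy {
    param([string]$Computer = $env:COMPUTERNAME)
    $key = "SOFTWARE\Policies\Microsoft\Windows\BITS"
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $Computer)
    $reg  = $hive.OpenSubKey($key)
    if ($reg -eq $null -or $reg.GetValue("EnableBITSMaxBandwidth") -ne 1) {
        # No policy, or the policy is present but disabled: BITS uses all available bandwidth
        return New-Object PSObject -Property @{ Computer = $Computer; Throttled = $false }
    }
    New-Object PSObject -Property @{
        Computer        = $Computer
        Throttled       = $true
        LimitKbps       = $reg.GetValue("MaxTransferRateOnSchedule")   # limit during the window
        FromHour        = $reg.GetValue("MaxBandwidthValidFrom")       # window start (0-23)
        ToHour          = $reg.GetValue("MaxBandwidthValidTo")         # window end (0-23)
        OffScheduleFull = ($reg.GetValue("UseSystemMaximum") -eq 1)    # full speed outside window?
        OffScheduleKbps = $reg.GetValue("MaxTransferRateOffSchedule")  # else this limit applies
    }
}

# Audit the WSUS server and a couple of clients in one pass (placeholder names)
"wsus01", "client01", "client02" |
    ForEach-Object { Get-BitsThrottlePolicy -Computer $_ } |
    Format-Table Computer, Throttled, LimitKbps, FromHour, ToHour, OffScheduleFull, OffScheduleKbps -AutoSize
```

A throttle on the WSUS server slows its own download from the upstream server (or Microsoft Update); a throttle on clients slows their download from WSUS. Both show up as longer distribution times, which is the trade-off the slide warns about.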
Server Tuning
Run cleanup and DB defrag every few months
Cleanup wizard is a new feature in WSUS 3; it removes stale computers and updates
DB index defrag script available on ScriptCenter keeps the server running fast
Look out:
Take care to not remove computers that are still active (but having trouble contacting the server)
Populate from AD sample tool can help
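The obsolete-computer cleanup removes any computer that has not contacted the server for 30 days, which is exactly what a client with a broken Windows Update Agent looks like. The PowerShell below is an added example, not from the deck or the "Populate from AD" tool: it lists computers WSUS would drop that still exist and are enabled in Active Directory, so they can be repaired first, and then runs the same cleanup the wizard performs through the API. Function names, the default port of 80 and the 30-day threshold are my assumptions; the script must run on a domain-joined host as a WSUS administrator.

```powershell
# Added example, not from the deck.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

function Get-WsusStaleButLiveComputers {
    param([string]$Server = "localhost", [int]$Port = 80, [int]$Days = 30)
    $wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $false, $Port)
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days)   # WSUS timestamps are UTC
    $ds     = New-Object System.DirectoryServices.DirectorySearcher
    foreach ($c in $wsus.GetComputerTargets()) {
        if ($c.LastSyncTime -ge $cutoff) { continue }         # contacted recently: fine
        $name = ($c.FullDomainName -split "\.")[0]
        $ds.Filter = "(&(objectCategory=computer)(cn=$name))"
        $obj = $ds.FindOne()
        if ($obj -eq $null) { continue }                      # gone from AD: safe to clean up
        $uac = [int]$obj.Properties["useraccountcontrol"][0]
        if ($uac -band 2) { continue }                        # ACCOUNTDISABLE set: safe to clean up
        # Still a live account but silent towards WSUS: investigate before cleanup
        New-Object PSObject -Property @{
            Computer   = $c.FullDomainName
            LastSync   = $c.LastSyncTime
            LastReport = $c.LastReportedStatusTime
            IPAddress  = $c.IPAddress
        }
    }
}

function Invoke-WsusCleanup {
    param([string]$Server = "localhost", [int]$Port = 80)
    $wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $false, $Port)
    $scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
    $scope.CleanupObsoleteComputers    = $true   # the 30-day rule from the wizard
    $scope.CleanupObsoleteUpdates      = $true
    $scope.DeclineSupersededUpdates    = $true
    $scope.DeclineExpiredUpdates       = $true
    $scope.CompressUpdates             = $true
    $scope.CleanupUnneededContentFiles = $true
    $wsus.GetCleanupManager().PerformCleanup($scope)   # returns the counts the wizard shows
}

Get-WsusStaleButLiveComputers | Format-Table Computer, LastSync, LastReport, IPAddress -AutoSize
# Invoke-WsusCleanup   # run once the list above is empty or understood
```

Anything the first function lists is a client to fix (usually a WUA or proxy problem), not a record to delete; run the cleanup only after that list has been worked through.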
Three methods:
Client-initiated
WSUS-initiated
Script-initiated
I will argue in favor of scheduled, forced reboots over mid-day reboots.
Two methodologies:
Scheduled reboots vs. rebooting for patch installation
Handling Reboots
' Script-initiated reboot of every computer listed in computers.txt, one name per line.
' Fixes to the slide's version: closing quote on RebootFile, AtEndOfStream for line
' reads, the (Shutdown) privilege the Reboot method needs, a WQL string without a
' line-continuation inside it, and logging the outcome of the reboot call.
RebootFile = "computers.txt"
LogFile    = "results.txt"
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile(RebootFile, 1, True)          ' 1 = ForReading
Set objTextFile = fso.OpenTextFile(LogFile, 2, True)   ' 2 = ForWriting
On Error Resume Next
Do While f.AtEndOfStream <> True
    strComputer = Trim(f.ReadLine)
    If strComputer <> "" Then
        Set objWMIService = GetObject("winmgmts:" & _
            "{impersonationLevel=impersonate,(Shutdown)}!\\" & strComputer & "\root\cimv2")
        If Err.Number <> 0 Then
            objTextFile.WriteLine strComputer & " is not responding."
            Err.Clear
        Else
            Set colOperatingSystems = objWMIService.ExecQuery( _
                "Select * from Win32_OperatingSystem")
            For Each objOperatingSystem In colOperatingSystems
                rc = objOperatingSystem.Reboot()       ' 0 = reboot request accepted
                If Err.Number = 0 And rc = 0 Then
                    objTextFile.WriteLine strComputer & " is rebooting."
                Else
                    objTextFile.WriteLine strComputer & " reboot failed (rc=" & rc & _
                        ", err=" & Err.Number & ")."
                    Err.Clear
                End If
            Next
        End If
    End If
Loop
f.Close
objTextFile.Close
Custom Reports
UI supports basic customization (filters)
Advanced customization can be built on the WSUS (.NET) API
Can use PowerShell scripts to generate reports
This script outputs a .CSV file that provides just that mapping
Add the name of your WSUS server into the top line of the script: strWSUSServer = "<Enter WSUS Server here>"
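The deck's CSV script is not reproduced on this page. The PowerShell below is an added example of the same approach, written by me and not the deck's script: it uses the WSUS .NET API to write a CSV with each computer, the target groups it belongs to, and its per-computer update counts. It keeps the deck's placeholder for the server name; the port, output file name and function name are my assumptions.

```powershell
# Added example, not the deck's script. Run as a WSUS administrator.
[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")
$strWSUSServer = "<Enter WSUS Server here>"     # same placeholder the deck uses
$WsusPort      = 80                             # 8530 if WSUS was installed on the custom port
$OutFile       = "wsus-computer-groups.csv"

function Get-WsusComputerGroupReport {
    param([string]$Server, [int]$Port)
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($Server, $false, $Port)
    foreach ($c in $wsus.GetComputerTargets()) {
        # A computer can sit in several groups; join them with ';' so the CSV stays one row per computer
        $groups  = ($c.GetComputerTargetGroups() | ForEach-Object { $_.Name }) -join ";"
        $summary = $c.GetUpdateInstallationSummary()   # counts over all approved updates
        New-Object PSObject -Property @{
            Computer      = $c.FullDomainName
            Groups        = $groups
            LastReport    = $c.LastReportedStatusTime
            Needed        = $summary.NotInstalledCount + $summary.DownloadedCount
            Failed        = $summary.FailedCount
            PendingReboot = $summary.InstalledPendingRebootCount
            Installed     = $summary.InstalledCount
        }
    }
}

Get-WsusComputerGroupReport -Server $strWSUSServer -Port $WsusPort |
    Select-Object Computer, Groups, LastReport, Needed, Failed, PendingReboot, Installed |
    Export-Csv -Path $OutFile -NoTypeInformation
```

Sorting the CSV by Failed and then by LastReport surfaces the two things the built-in reports make hard to see together: machines with failing installs, and machines that have quietly stopped reporting.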
Agent Control
Use the WUA API to control the agent
Custom install schedules
Updating servers in web farms
Implementing "install now" functionality
On-Demand Patching
(You Patch Now!)
Ever wish you had a WSUS "big red button"?
Such a button might automatically download and install all approved patches and reboot if necessary
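The button described above is a small script over the WUA COM API. The PowerShell below is an added example, not from the deck: on one WSUS-managed client it searches for updates the server has approved for it, downloads and installs them, reports the per-update result, and reboots only when asked to. The function name and the -Reboot switch are my assumptions; the script must run elevated on the client.

```powershell
# Added example, not from the deck. Run in an elevated session on the client.
function Invoke-PatchNow {
    param([switch]$Reboot)
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # IsAssigned=1 limits the search to updates the managing WSUS server has approved
    # for this computer; the agent still honours the WSUS target group it belongs to.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and IsAssigned=1")
    if ($result.Updates.Count -eq 0) { return "No approved updates pending" }

    $coll = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $result.Updates) {
        if (-not $u.EulaAccepted) { $u.AcceptEula() }
        [void]$coll.Add($u)
    }

    $downloader = $session.CreateUpdateDownloader()
    $downloader.Updates = $coll
    [void]$downloader.Download()          # fetches from WSUS, or from WU when content is hosted there

    $installer = $session.CreateUpdateInstaller()
    $installer.Updates = $coll
    $res = $installer.Install()           # IInstallationResult

    # Per-update outcome: ResultCode 2 = succeeded, 3 = succeeded with errors, 4 = failed
    for ($i = 0; $i -lt $coll.Count; $i++) {
        $ur = $res.GetUpdateResult($i)
        New-Object PSObject -Property @{
            Title   = $coll.Item($i).Title
            Result  = $ur.ResultCode
            HResult = ("0x{0:X8}" -f $ur.HResult)
        }
    }

    if ($res.RebootRequired) {
        if ($Reboot) { Restart-Computer -Force }
        else { Write-Warning "Reboot required to complete installation" }
    }
}

Invoke-PatchNow            # install now, leave the reboot to the scheduled window
# Invoke-PatchNow -Reboot  # the full "big red button"
```

For the web-farm case on the slide, run the function on one node at a time (for example through Invoke-Command) after taking that node out of the load balancer, and put it back only once -Reboot has completed and the service is answering again.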
Summary
WSUS is simple to use, but scales to the enterprise
Flexible server deployment options
Single server, scale up, branch office, scale out, disconnected, roaming laptops
Periodically tune the server (defrag + cleanup)
Public API and DB views can be used to extend the base functionality for many advanced scenarios
Starting point for all WSUS information:
http://www.microsoft.com/updateservices