نصب و تنظیم WSUS 3 - روش راه اندازی WSUS

[LEFT][B]How to install WSUS 3.0 SP1 [/B] [COLOR=#0000FF]The guide requires you to download the WSUS package from

[url]http://www.microsoft.com/downloads/details.aspx?familyid=F87B4C5E-4161-48AF-9FF8-A96993C688DF&displaylang=en#top[/url]

and you must also download the Microsoft Report viewer redistributable

[url=http://www.microsoft.com/downloads/details.aspx?familyid=CC96C246-61E5-4D9E-BB5F-416D75A1B9EF&displaylang=en]Download details: Microsoft Report Viewer Redistributable 2008[/url]


This guide also assumes that you have setup and installed IIS in Windows 2008 and that you have configured and installed SQL 2008 or SQL 2005.
[/COLOR]


Overview

[B]WSUS 3.0 SP1[/B] delivers important customer-requested management, stability, and performance improvements. Some of the features and improvements include:

* Support for Windows Server 2008.
* Support for SQL Server 2008.
* Enhanced bulk approval capability, preserving existing approvals.
* Support for separate proxy servers and ports for SSL and non-SSL traffic.
* Office Excel report export.


WSUS 3.0 SP1 can be installed alone, or as an upgrade of either WSUS 3.0 RTM or WSUS 2.0 SP1.

This package installs both the WSUS 3.0 SP1 Server and WSUS 3.0 SP1 Administration Console components, for all Windows Server 2003 SP1 supported languages. Additionally, the WSUS 3.0 SP1 client is included in all supported client platform languages. You must install the server components on a computer running Windows Server 2008 or Windows Server 2003 SP1 or later. You may install the Administration Console on a remote computer running Windows Server 2008, Windows Vista, Windows Server 2003 SP1, or Windows XP SP2.

WSUS 3.0 SP1 Server Installation on Windows Small Business Server 2003

If you are installing the WSUS 3.0 SP1 product on Windows Small Business Server 2003, follow the instructions in Installing Windows Server Update Services 3.0 on Windows Small Business Server 2003.


There are 4 common methods of deploying WSUS:

* Single WSUS server
* Multiple independant WSUS servers
* Multiple Internally synchronised WSUS servers
* Disconnected WSUS servers

A [B]Single Wsus server[/B] would be suitable for a small or simple network. It will synchronise with Microsoft update and then distribute its updates to your servers/clients.

[B]Multiple independant WSUS servers[/B] could be setup to synchronise with microsoft Update and configured to for example, update only one specific type of client, eg: XP clients or Vista, then another WSUS server in your organisation could be setup just to update your Server 2008 servers.

[B]Multiple Internally synchronised WSUS servers[/B] is where you have multiple WSUS servers in your organisation but only one connects to Microsoft Update, this is called the [B]Upstream WSUS server[/B] and all other WSUS servers (called the [B]Downstream WSUS servers[/B]) synchronise via this WSUS server. The synchronisation methods can be either Autonomous or Replica.

[B]Disconnected WSUS servers[/B] are not connected to the internet at all. You would typically utilise this setup in an organisation that doesn't have or allow internet access. The Microsoft Updates would have to be pulled down from another internet conencted WSUS server and then burned to cd or dvd and copied to the disconnected WSUS server.

Installation


Install the Report Viewer first

Double-click on the Report viewer exe, choose [B]next[/B] to continue at the welcome screen

[IMG]http://i47.tinypic.com/fa23yh.jpg[/IMG]


accept the license terms

[IMG]http://i46.tinypic.com/nwk208.jpg[/IMG]


click [B]Install[/B] to install

once done click finish

[IMG]http://i46.tinypic.com/29p2b9l.jpg[/IMG]


Install WSUS


Double click on the WSUS exe, choose [B]next[/B] at the welcome screen


[IMG]http://i49.tinypic.com/2zdwsgp.jpg[/IMG]


choose the [B]Full Server installation

[IMG]http://i50.tinypic.com/14nlrmx.jpg[/IMG]


[/B]accept the license agreement

[IMG]http://i45.tinypic.com/2w5k6yh.jpg[/IMG]


Select your update source (local or on windowsupdate)

[IMG]http://i46.tinypic.com/2n72tf6.jpg[/IMG]


now if you havn't installed SQL 2008 yet, then please do so as the next screen will allow us to pick between an internal windows database (first option) or to connect to our MSSQL database (default) second option.

Choose [B]use existing database[/B] as below in the screenshot

[IMG]http://i50.tinypic.com/28sot94.jpg[/IMG]


it will hopefully successfully connect to your database, click next to continue

[IMG]http://i45.tinypic.com/11vqrr8.jpg[/IMG]


when prompted what IIS website to use, choose the default option ([B]use the existing IIS website[/B])

[IMG]http://i50.tinypic.com/qwy82c.jpg[/IMG]


you'll see a summary click next to continue


[IMG]http://i49.tinypic.com/24ermly.jpg[/IMG]


that's it, all done, click Finish

[IMG]http://i47.tinypic.com/i595dh.jpg[/IMG]


[COLOR=#FF0000]Note: if you are going to use SCCM to manage patch management then do NOT run the WSUS configuration wizard below[/COLOR]

The WSUS configuration wizard automatically starts after the Setup wizard completes. Because Configuration Manager 2007 SP1 manages the WSUS settings, [B]you should exit the configuration wizard after it opens[/B].

[/LEFT]

[LEFT][B] Remove SUSClientID for clone workstation

[/B]By default when you clone the workstation, the workstation will consist the same SUSClientID. This will cause a problem whereby the workstation will not report status/detected on WSUS server. To verify you can compare both machine by go to the registry

[CODE]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\SUSClientId
[/CODE]In order to fix this problem, i have created two script file

1. File:- clonewsus.reg
[CODE]
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate]
"SusClientId"=-
[/CODE]2. File:-clonewsus.bat
[CODE]
@echo off
::
Pause
net stop "wuauserv"
Echo importing clonewsus.reg
%windir%\regedit.exe /s c:\clonewsus.reg
echo wsus.reg imported successfully
net start "wuauserv"
echo forcing update detection
wuauclt /detectnow
pause
[/CODE]Copy both files to C:\drive. Execute file clonewsus.bat.

The script will stop the Windows Update services, go to registry and remove SusClientID and start back the Windows Update services. A new SusClientID entry will obtained. Command wuauclt /detectnow will trigger manual detection using the new SusClientId.

Wait 10-15 minute, Client should be visible in WSUS console
[/LEFT]

[LEFT][B]BITS Peer cashing (in WSUS 3.0) [/B]

[B]BITS (Background Intelligent Transfer Service) Peer caching[/B] is a new feature of BITS 3.0 supported on Vista platforms, that allows peers to share files on the same subnet.

When a BITS job is created to download the files for an update, the Automatic Update agent instructs BITS to make the downloaded files available to Peers.

When the files have been downloaded, BITS caches the downloaded files and makes them available to other computers. When another computer tries to download the same update, BITS sends a multicast request to peers on the same subnet.

If one or more of the peers responds that it has the update, BITS will download the file from the peer rather than the WSUS server. Should the download from the peer fail or take too long, BITS will fall back to the WSUS server and continue the download.

[B]This feature of BITS can: [/B]

Decrease the amount of data transferred from the WSUS server. Computers in the same subnet will tend to download the updates from each other.

Decrease the amount of data transferred across the WAN in branch office scenarios where no local WSUS server is located.
Decrease the amount of data transferred across the internet in the scenarios where several WSUS clients in the same subnet are configured to download update files directly from Microsoft update.
Remember: The use of BITS Peercaching requires computers to be running Windows Vista or Windows Codename Longhorn, and be part of an Active Directory Domain.



[B]To enable BITS Peercaching: [/B]

Within Group Policy Object Editor (gpedit.msc), under Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Service (BITS), set the Allow BITS Peercaching policy to Enabled

[IMG]http://i46.tinypic.com/2d2dg1d.png[/IMG]

There are some other related settings to limit the BITS Peercache size (default: 1% of disk), limit the age of items in the BITS Peercache (default: 14 days), ...

To verify that BITS Peercaching is enabled or disabled, run from an command prompt:

bitsadmin /peercaching /getconfigurationflags

[IMG]http://i49.tinypic.com/313q9f5.png[/IMG]


There are a couple of new BITSADMIN (ships with Vista) commands that allow you to see into the cache etc, and these are:

BITSADMIN /PEERCACHING /? - Prints the list of commands to manage Peercaching

BITSADMIN /CACHE /? - Prints the list of cache management commands

BITSADMIN /PEERS /? - Prints the list of peer management commands
[/LEFT]

[LEFT][B]Starting WSUS for the first time[/B]

Click on Start/All Programs/Administrative tools/Microsoft Windows Server Update Services 3.0 SP1

this will start a wizard (pictured below) click next

[IMG]http://i45.tinypic.com/t7mmb5.jpg[/IMG]



choose to opt in or opt out (default is opt in)

[IMG]http://i47.tinypic.com/24q3gx2.jpg[/IMG]


Next you can choose your Upstream Server, I stayed with the default option

[IMG]http://i46.tinypic.com/xf6fic.jpg[/IMG]


enter your proxy settings (if any)

[IMG]http://i46.tinypic.com/286vibm.jpg[/IMG]


click [B]next[/B] and then [B]start connecting[/B]

once the Wizard has synchronized information with the Microsoft Update web servers you can click [B]next[/B] to continue

[IMG]http://i49.tinypic.com/25p31wz.jpg[/IMG]


next you get to choose which languages to support

[IMG]http://i48.tinypic.com/211m4y9.jpg[/IMG]


and which Microsoft Products to support by default all [B]office[/B] versions and all [B]windows[/B] versions are selected, [color="#FF0000"]remove those which you don't need as all of these updates etc will take up storage space[/color]

[IMG]http://i49.tinypic.com/264q24p.jpg[/IMG]


next you can choose what type of updates to download

[IMG]http://i46.tinypic.com/2eehcoz.jpg[/IMG]


pick a schedule to synchronise


[IMG]http://i45.tinypic.com/2ak08jn.jpg[/IMG]


finished

[IMG]http://i50.tinypic.com/35dcdpx.jpg[/IMG]



review next steps and then click on [B]Finish[/B] to end the wizard.

[IMG]http://i50.tinypic.com/15dm26r.jpg[/IMG]


At this point you can now use the WSUS UI

[IMG]http://i50.tinypic.com/20b1vrd.jpg[/IMG]

[/LEFT]

[LEFT][B]Adding workgroup computer into WSUS server [/B] Domain Computer can be added into WSUS console by using Group Policy. But how about workgroup computer !

You can add workgroup computer into WSUS console by using registry.
I have created two scripts to simplify the task to add computer into WSUS server

1. File: wsus.bat
[CODE]
@echo off
::
Pause
net stop "wuauserv"
Echo importing wsus.reg
%windir%\regedit.exe /s c:\wsus.reg
echo wsus.reg imported successfully
net start "wuauserv"
echo forcing update detection
wuauclt /detectnow
pause
[/CODE]Note: Stop the Windows Update Service, execute wsus.reg and start Windows Update Service. Perform manual detection by using the command wuauclt /detectnow

2. File:wsus.reg
[CODE]
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://wsussvr01"
"WUStatusServer"="http://wsussvr01"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:0000000d
"UseWUServer"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
[/CODE]Note:-
a) WUServer and WUStatusServer - specify your WSUS server using the following format [URL]http://wsus[/URL] server name

b) Value: NoAutoUpdate
•0 - Enable Automatic Updates (Default)
•1 - Disable Automatic Updates

c) Value: AUOptions
•2 - Notify for download and notify for install
•3 - Auto download and notify for install
•4 - Auto download and schedule the install

d) Value: ScheduledInstallDay
•0 - Install every day
•1 to 7 - Install on specific day of the week from Sunday (1) to Saturday (7).

e) Value: ScheduledInstallTime
•0 to 23 - Install time of day in 24-hour format

f) UseWUServer - Enabled Automatic Update.

g) NoAutoRebootWithLoggedOnUsers -NoAutoRebootWithLoggedOnUsers is enabled which Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically in 5 minutes to complete the installation.

Note: Copy both files into C:\ drive and run wsus.bat

For more detail, please refer to
[CODE]http://technet.microsoft.com/en-us/library/cc708449(WS.10).aspx[/CODE]
[/LEFT]

[LEFT][B]Configure WSUS to deploy updates [/B]

This guide assumes that you intend on using WSUS to deploy updates and that you have already installed it
[B][COLOR=#ff0000]
Note: If you intend on using SCCM 2007 to deploy updates using the WSUS integration then do NOT do any of the steps here.
[/COLOR][/B]

The instructions here also assume that your network runs [B]Active Directory[/B] and that you use [B]Group Policy[/B] to manage your network. For more information about Group Policy, see Microsofts [URL="http://go.microsoft.com/fwlink/?linkid=55625"]Group Policy home page[/URL].

You can configure one or more computers by including them in a [B]Group Policy object[/B] (GPO). By configuring Automatic Updates using Group Policy, these settings will take precedence over any settings that are defined locally on the computers within your Domain.

Note: You should [B]Link this WSUS GPO[/B] to an Active Directory container appropriate for your environment. In a simple environment, you link a single WSUS GPO to the domain. In a more complex environment, you might link multiple WSUS GPOs to different organizational units (OUs).


Start the [B]Group Policy Management[/B] MMC and highlight your domain as in the screenshot below

[IMG]http://i46.tinypic.com/2q9weis.jpg[/IMG]


Right-click the domain and choose [B]Create a GPO in this domain, and link it here[/B]

[IMG]http://i46.tinypic.com/5as5fo.jpg[/IMG]


When the [B]New Group Policy Object [/B]window appears, give it a name like [B]WSUS GPO[/B] and click OK

[IMG]http://i50.tinypic.com/30uplc7.jpg[/IMG]

right click on our new GPO and choose [B]Edit

[IMG]http://i49.tinypic.com/o59mwj.jpg[/IMG]


[/B]expand [B]Policies[/B] then click and highlight [B]Administrative Templates[/B]. Before you can configure WSUS group policy settings you should load the latest version of the administrative template, wuau.adm. Right click on [B]Administrative Templates[/B] and choose Add/Remove Templates, click on the Add button and scroll down to the bottom until you can see the wuau.adm file. Select the file and click [B]Open[/B] and [B]close[/B].


Now that you have loaded the [B]wuau.adm template[/B], you are ready to expand [B]Windows Components[/B].

[IMG]http://i50.tinypic.com/1192y6d.jpg[/IMG]



Scroll down to [B]Windows Update[/B] and enable the following options (circled in Red)

[IMG]http://i47.tinypic.com/2is22a.jpg[/IMG]


Automatic Updates are now enabled, but before the computers can receive updates from the WSUS server we need to configure the following group policy setting:

[B]Specify intranet Microsoft Update service location[/B] and fill in the [B]https address of the WSUS server[/B], so click on it and view it's [B]properties[/B]. We have already enabled the group policy setting as in the screenshot above, however we need to enter the https address of our WSUS server, so do that in the two empty fields provided and click ok.

[B]Startup WSUS

[IMG]http://i47.tinypic.com/2mwuikm.jpg[/IMG]

[/B]
[/LEFT]

[LEFT][B]Install WSUS 3.0 - Step-By-Step[/B]

I've managed to compose a quick installation procedure for those of you who want to utilize the great free utility from microsoft...
Enjoy!
[B]Pre-Requisites[/B][/LEFT]

[LIST=1][*][LEFT]IIS 6.0 with ASP.net installed (windows Components).


go to control panel à add/remove programs à Windows Components
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image002.jpg[/IMG]
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image004.jpg[/IMG]
check application server and click details.
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image006.jpg[/IMG]
make sure that application server console and ASP.net are check and then check Internet Information Services and click Details.
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image008.jpg[/IMG]
make sure that BITS, Common files, Internet Information Services Manager, and then click world wide web service and click details:
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image010.jpg[/IMG]
make sure that Active server pages and world wide web service are check and click OK twice and click next.
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image012.jpg[/IMG]

Click Finish.[/LEFT][*][LEFT]MMC 3.0 (no need if win2003 sp2 exists). [/LEFT][*][LEFT].net framework 2.0 (exists as part of windows server R2 or available for download from Microsoft at [URL="http://www.microsoft.com/downloads/details.aspx?FamilyID=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5"]Download details: .NET Framework Version 2.0 Redistributable Package (x86)[/URL]) [/LEFT][*][LEFT]Microsoft Report Viewer Setup (available for download from Microsoft at [URL="http://www.microsoft.com/downloads/details.aspx?familyid=8a166cac-758d-45c8-b637-dd7726e61367"]Download details: Microsoft Report Viewer Redistributable 2005[/URL])


[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image014.jpg[/IMG]

[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image016.jpg[/IMG]
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image018.jpg[/IMG]

[/LEFT][/LIST][LEFT]

[B]Wsus3.0 Installation[/B]


[/LEFT]

Install Wsus 3.0 from location: [URL]http://www.microsoft.com/downloads/details.aspx?FamilyId=E4A868D7-A820-46A0-B4DB-ED6AA4A336D9[/URL] [LEFT][IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image020.jpg[/IMG]


[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image022.jpg[/IMG]
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image024.jpg[/IMG]
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image026.jpg[/IMG]
Check I Accept and then click next.
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image028.jpg[/IMG]
Check the Store updates locally and type D:\Wsus (or any other folder. Recommended not to use your system partition for storing WSUS updates) on the path to save the updates. Then click next.
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image030.jpg[/IMG]
Chose Install Use and Existing server Database on this computer and leave the path on default (same location as WSUS update). Then click next.
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image032.jpg[/IMG]

[/LEFT]

Click Next. [LEFT][IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image034.jpg[/IMG]


Check "Use existing IIS Default Web Site" and click next.
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image036.jpg[/IMG]
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image038.jpg[/IMG]
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image040.jpg[/IMG]
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image042.jpg[/IMG]
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image044.jpg[/IMG]


[B]WSUS Configuration Wizard[/B]

After the setup ends, the following screen will open up:
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image046.jpg[/IMG]
Click Next.
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image048.jpg[/IMG]
Check the I would like to join box and click Next.
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image050.jpg[/IMG]

[/LEFT]

Choose synchronize from Microsoft update, and click next. [LEFT][IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image052.jpg[/IMG]



[/LEFT]

In case you have a proxy server on you organization specify proxy settings, else leave all settings at default and click next. It is recommended to set the WSUS to work without a proxy server and allow it a direct connection to the internet (open the appropriate ports on the FW). [LEFT][IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image054.jpg[/IMG]


[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image056.jpg[/IMG]
In the connect to upstream server page, click start connecting. After the server has finished the initial sync, the next button will be available. Click next.
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image058.jpg[/IMG]

[/LEFT]

In the choose language window, choose English and Hebrew (or any other language of your choice) and click next. [LEFT][IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image060.jpg[/IMG]



[/LEFT]

On the choose products page, check the products you wish to sync (default, windows – all version, office – all versions, Exchange – all versions). Then click next. [LEFT][IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image062.jpg[/IMG]



[/LEFT]

On the choose classifications page, choose all classifications and click next. [LEFT][IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image064.jpg[/IMG]



[/LEFT]

On the sync schedule page, choose synchronize automatically when first sync is at 12:00:00AM and the sync per day setting is set to 24. Then click next. [LEFT][IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image066.jpg[/IMG]



On the finished page, check both checkboxes and click finish. [B]WSUS initial configuration [/B]

[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image068.jpg[/IMG]

[/LEFT]

On the Update service administrator console that opens when the setup ends, click options and on the options tab. On the options window, click automatic approvals. [LEFT][IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image070.jpg[/IMG]



[/LEFT]

On the automatic approval window, check the default automatic approval rule (automaticly approves critical and security updates) and click new rule if you wish to add additional auto-approve rules for specific products or classifications. [LEFT][IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image072.jpg[/IMG]



[/LEFT]

On the add rule wizard specify any other auto approve rules that you wish by product or classification. [LEFT][IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image074.jpg[/IMG]



[/LEFT]

On the choose product window, check only forefront-forefront client security and click ok. [LEFT][IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image076.jpg[/IMG]



Back on the add rule window under step 3, type rule name (ex. FCS Update rule) and click ok twice. [B]Defining WSUS Update Policy (GPO)[/B]


[/LEFT]

Open Group Policy Management Console (GPMC). Start -> Run -> write gpmc.msc -> OK. [LEFT][IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image078.jpg[/IMG]



[/LEFT]

Right click on the Group policy objects container and click new. [LEFT][IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image080.jpg[/IMG]



[/LEFT]

Write the policy name and click OK. [LEFT][IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image082.jpg[/IMG]



[/LEFT]

Expand the group policy objects container and then right-click the object you have just created and click edit. [LEFT][IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image084.jpg[/IMG]



Expand the Computer configuration -> Administrative Templates -> Windows Components -> Windows Update.
[/LEFT]

Now configure the following options:[LIST=1][*][LEFT]Configure Automatic Updates


[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image086.jpg[/IMG]
[/LEFT][*][LEFT]On the specify internet Microsoft update service location, enter the netbios name that your internal clients will need to address when connecting to the wsus server.


[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image088.jpg[/IMG]

[/LEFT][/LIST][LEFT]Recommended settings
[/LEFT]
[LIST=1][*][LEFT]Client Side targeting Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service.

[LEFT]If the status is set to Enabled, the specified target group information is sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to this computer.
[LEFT]note: in order for this to work, you need to create groups in the WSUS server.
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image090.jpg[/IMG] [/LEFT]


[/LEFT]
[/LEFT][*][LEFT]Reschedule automatic updates scheduled installations Specifies the amount of time for Automatic Updates to wait, following system startup, before proceeding with a scheduled installation that was missed previously.


If the status is set to Enabled, a scheduled installation that did not take place earlier will occur the specified number of minutes after the computer is next started.

[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image092.jpg[/IMG]

[/LEFT][*][LEFT]No auto-restart Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically.


If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the computer.

[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image094.jpg[/IMG]

[/LEFT][*][LEFT]Automatic updates detection frequency Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20 hour detection frequency, then all clients to which this policy is applied will check for updates anywhere between 16 and 20 hours.


If the status is set to Enabled, Windows will check for available updates at the specified interval.

If the status is set to Disabled or Not Configured, Windows will check for available updates at the default interval of 22 hours.
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image096.jpg[/IMG]

[/LEFT][*][LEFT]Allow automatic updates immediate installation Specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows.


If the status is set to Enabled, Automatic Updates will immediately install these updates once they are downloaded and ready to install.

[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image098.jpg[/IMG]

[/LEFT][*][LEFT]Allow non-administrators to receive update notifications pecifies whether, when logged on, non-administrative users will receive update notifications based on the configuration settings for Automatic Updates. If Automatic Updates is configured, by policy or locally, to notify the user either before downloading or only before installation, these notifications will be offered to any non-administrator who logs onto the computer.


If the status is set to Enabled, Automatic Updates will include non-administrators when determining which logged-on user should receive notification.

[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image100.jpg[/IMG]

[/LEFT][/LIST][LEFT]After finished configuring the GPO, go back to the GPMC console and link the GPO to the OU that contains the computer objects you wish to work with the WSUS server. Do this by right clicking the OU and choosing link an existing GPO.


[/LEFT]

[LEFT][CODE]http://araihan.wordpress.com/2009/08/13/install-and-configure-wsus-3-0-sp2-step-by-step/[/CODE]I needed to deploy WSUS in my organisation. I started googling materials about WSUS. I found more talks about entire Microsoft products, very little on WSUS. Here I will share with you guys how I deployed WSUS successfully in my organisation. So why WSUS, Microsoft Windows Server Update Services 3.0 SP2 (WSUS 3.0 SP2) enables information technology administrators to deploy the latest Microsoft updates, hotfixes and service packs to computers running Microsoft Windows Server 2003 family, Windows Server 2008, Microsoft Windows Vista family, Microsoft Windows XP with Service Pack 2 operating systems. By using WSUS, administrators can fully manage and take control of the distribution of updates that are released through Microsoft Update.
[B]Prerequisites for WSUS server[/B]

[LIST][*]Windows Server 2003 SP1 or Windows Server® 2008[*]Microsoft Internet Information Services (IIS) 6.0 or later[*]Windows Installer 3.1 or later[*]Microsoft .NET Framework 2.0[*]Microsoft Report Viewer Redistributable 2005[*]Microsoft Management Console 3.0[*]SQL Server 2005 SP1 or later[/LIST]
[B]Prerequisites for WSUS clients (x86 and x64)[/B]

[LIST][*]Windows XP SP2, Windows Vista, Windows 7[*]Windows Server 2003 or Windows Server 2008[/LIST]
[B]WSUS Deployment Scenarios[/B]
WSUS is flexible enough to deploy starting from small to enterprise organisation. just you need to make sure active directory, DNS and DHCP working perfect. If port 80 is occupied by your company web site you can use port 8530. I used port 8530 on WSUS server. I have ISA 2004 so I will show how to add WSUS publishing rule in ISA 2004 also.
[B]Install prerequisites[/B]
1. IIS installation
go to add/remove windows component and select Application server
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image004.jpg[/IMG]
click next
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image006.jpg[/IMG]
Select as above. you must select ASP.net and IIS, then check Internet Information Services and click Details.
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image008.jpg[/IMG]
Check BITS, check IIS manager and click on details
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image010.jpg[/IMG]
Check ASP and WWW and click ok.
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image012.jpg[/IMG]
2. MMC 3.0 installation
no need to install you installed service pack on your server
3. .net framework installation
Download .net 2 framework from the [URL="http://www.microsoft.com/downloads/details.aspx?FamilyID=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en"]link[/URL] [URL="http://www.microsoft.com/downloads/details.aspx?FamilyID=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en"]Download details: .NET Framework Version 2.0 Redistributable Package (x86)[/URL]
run installation, click next, accept EULA and follow the installation screen.
[URL="http://araihan.files.wordpress.com/2009/08/image16.png"][IMG]http://araihan.files.wordpress.com/2009/08/image_thumb16.png?w=454&h=484[/IMG][/URL]
4. MS report viewer installation
Download report viewer from the [URL="http://www.microsoft.com/downloads/details.aspx?familyid=8a166cac-758d-45c8-b637-dd7726e61367&displaylang=en"]Link[/URL]
[URL="http://www.microsoft.com/downloads/details.aspx?familyid=8a166cac-758d-45c8-b637-dd7726e61367&displaylang=en"]Download details: Microsoft Report Viewer Redistributable 2005[/URL]
run installation, click next, accept EULA and follow the installation screen.
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image014.jpg[/IMG]
5. SQL Server 2005 SP1 installation
download SQL server 2005 from the [URL="http://www.microsoft.com/downloads/details.aspx?FamilyId=11350B1F-8F44-4DB6-B542-4A4B869C2FF1&displaylang=en"]link[/URL]
[URL="http://www.microsoft.com/downloads/details.aspx?FamilyId=11350B1F-8F44-4DB6-B542-4A4B869C2FF1&displaylang=en"]Download details: Microsoft SQL Server 2005 Express Edition SP1[/URL]
[URL="http://araihan.files.wordpress.com/2009/08/image17.png"][IMG]http://araihan.files.wordpress.com/2009/08/image_thumb17.png?w=462&h=484[/IMG][/URL]
Click next and click install, click next again
[URL="http://araihan.files.wordpress.com/2009/08/image18.png"][IMG]http://araihan.files.wordpress.com/2009/08/image_thumb18.png?w=473&h=484[/IMG][/URL]
follow installation screen until finish.
[URL="http://araihan.files.wordpress.com/2009/08/19.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/1_thumb1.jpg?w=483&h=484[/IMG][/URL]
Now you have fulfil prerequisite as mention above.
[B]WSUS installation[/B]
download WSUS from [URL="http://connect.microsoft.com/directory/"]Microsoft Feedback and Bug Reporting - Product and Program Categories | Microsoft Connect[/URL] website. sign in using hotmail or live account. download x86 or x64 as you prefer. here I am installing x86 version.
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image020.jpg[/IMG]
Click on run
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image022.jpg[/IMG]
click next
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image024.jpg[/IMG]
Check Full server installation radio button, click next
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image026.jpg[/IMG]
Accept EULA
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image028.jpg[/IMG]
You must have two partition in your server as you can see above. I selected D:\WSUS . click next
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image030.jpg[/IMG]
Check use existing database. It is required for enterprise deployment. internal database will not work if you have large number of desktop and server. click next.
[URL="http://araihan.files.wordpress.com/2009/08/image19.png"][IMG]http://araihan.files.wordpress.com/2009/08/image_thumb19.png?w=501&h=484[/IMG][/URL]
Click next
On the next screen “web site selection” check create Microsoft Windows Server Update Services Web Site on port 8530
DO NOT CHECK RECOMMENDED
[URL="http://araihan.files.wordpress.com/2009/08/untitled1.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/untitled_thumb1.jpg?w=501&h=484[/IMG][/URL]
Click next
[URL="http://araihan.files.wordpress.com/2009/08/clip_image00151.gif"][IMG]http://araihan.files.wordpress.com/2009/08/clip_image0015_thumb1.gif?w=502&h=480[/IMG][/URL]
Click next , Click next again
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image038.jpg[/IMG]
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image042.jpg[/IMG]
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image044.jpg[/IMG]
Click finish. WSUS config wizard will start next
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image046.jpg[/IMG]
click next
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image048.jpg[/IMG]
Click next
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image052.jpg[/IMG]
Provide proxy server IP and credentials above if you have proxy server. in my case I typed my ISA server IP, port 80 and my domain admin credentials.
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image054.jpg[/IMG]
Click on start connecting and wait until finish, click next and follow the config screen to select your language, products, classification
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image064.jpg[/IMG]
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image066.jpg[/IMG]
[URL="http://araihan.files.wordpress.com/2009/08/34.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/3_thumb2.jpg?w=499&h=433[/IMG][/URL]
wait until synchronisation finish. It might take 30/40 minutes depending on speed of your internet.
Now set permission in IIS in WSUS server, you may set anonymous logon. Don’t worry its inside your firewall or DMZ.
[URL="http://araihan.files.wordpress.com/2009/08/173.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/17_thumb3.jpg?w=463&h=396[/IMG][/URL]
[URL="http://araihan.files.wordpress.com/2009/08/181.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/18_thumb1.jpg?w=437&h=484[/IMG][/URL]
open WSUS management console go to option then Change update File and language
[URL="http://araihan.files.wordpress.com/2009/08/41.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/4_thumb1.jpg?w=428&h=484[/IMG][/URL]
[URL="http://araihan.files.wordpress.com/2009/08/21.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/2_thumb1.jpg?w=432&h=484[/IMG][/URL]
Go to automatic approval and create new rules and run the rules. In my case I have two custom rules.
[URL="http://araihan.files.wordpress.com/2009/08/331.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/33_thumb.jpg?w=433&h=484[/IMG][/URL]
[URL="http://araihan.files.wordpress.com/2009/08/52.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/5_thumb2.jpg?w=446&h=484[/IMG][/URL]
Create computer group by right clicking on All computers. example, I have two group desktop and Server.
WSUS update policy deployment through GPO
[URL="http://araihan.files.wordpress.com/2009/08/62.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/6_thumb2.jpg?w=481&h=484[/IMG][/URL]
Go to group policy management, Right click on the Group policy objects container and click new. I created two policies one for desktop and another WSUS Server policy
[IMG]http://blogs.microsoft.co.il/blogs/yanivf/WindowsLiveWriter/InstallWSUS3.0StepByStep_11085/clip_image080.jpg[/IMG]
[URL="http://araihan.files.wordpress.com/2009/08/83.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/8_thumb3.jpg?w=467&h=497[/IMG][/URL]
Now right click on WSUS policy that is desktop policy and change settings of four gpo that are enabled here on screen
[URL="http://araihan.files.wordpress.com/2009/08/93.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/9_thumb3.jpg?w=469&h=460[/IMG][/URL]
Configure Auto download and schedule installation that fit for you
[URL="http://araihan.files.wordpress.com/2009/08/102.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/10_thumb2.jpg?w=450&h=500[/IMG][/URL]
Point WSUS server and port as [URL="http://yourserver:8530/"]http://yourserver:8530[/URL] in both the box
[URL="http://araihan.files.wordpress.com/2009/08/111.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/11_thumb1.jpg?w=446&h=500[/IMG][/URL]
mention target group to populate desktop/pc in WSUS
[URL="http://araihan.files.wordpress.com/2009/08/122.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/12_thumb2.jpg?w=429&h=484[/IMG][/URL]
Check enabled in following box not to reboot machine if user logged on
[URL="http://araihan.files.wordpress.com/2009/08/131.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/13_thumb1.jpg?w=431&h=484[/IMG][/URL]
Repeat this process for WSUS server policy and mention Server on the target group.
Right click on the organisational unit that contain desktop/workstation in GPO management console and link WSUS policy with this organisational unit.
[URL="http://araihan.files.wordpress.com/2009/08/143.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/14_thumb3.jpg?w=467&h=495[/IMG][/URL]
Link it with WSUS policy
[URL="http://araihan.files.wordpress.com/2009/08/153.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/15_thumb3.jpg?w=461&h=500[/IMG][/URL]
Follow same steps for server organisational unit in GPO management console. Now you may close GPO now.
[URL="http://araihan.files.wordpress.com/2009/08/163.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/16_thumb3.jpg?w=475&h=467[/IMG][/URL]
[/LEFT]

[LEFT]
If you have ISA 2004/2006, you have to set WSUS policy in ISA firewall access rule. so that ISA doesn’t block communication between server and client. You don’t need to do it if nothing blocking between Client and Server communication.
To publish WSUS policy, Go to ISA management console
Go to Network Object and expand WEB listener, right click on web listener click new. Name should be netbios name of WSUS server. Follow the screen shot.
[URL="http://araihan.files.wordpress.com/2009/08/image20.png"][IMG]http://araihan.files.wordpress.com/2009/08/image_thumb20.png?w=519&h=500[/IMG][/URL]
[URL="http://araihan.files.wordpress.com/2009/08/image25.png"][IMG]http://araihan.files.wordpress.com/2009/08/image_thumb25.png?w=521&h=484[/IMG][/URL]
[URL="http://araihan.files.wordpress.com/2009/08/image26.png"][IMG]http://araihan.files.wordpress.com/2009/08/image_thumb26.png?w=487&h=484[/IMG][/URL]
Click next, click finish.
On firewall publishing tasks, click on the publish a web server, follow the screen shot
[URL="http://araihan.files.wordpress.com/2009/08/222.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/22_thumb2.jpg?w=202&h=431[/IMG][/URL]
[URL="http://araihan.files.wordpress.com/2009/08/231.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/23_thumb1.jpg?w=498&h=484[/IMG][/URL]
[URL="http://araihan.files.wordpress.com/2009/08/241.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/24_thumb1.jpg?w=476&h=484[/IMG][/URL]
[URL="http://araihan.files.wordpress.com/2009/08/251.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/25_thumb1.jpg?w=495&h=484[/IMG][/URL]
[URL="http://araihan.files.wordpress.com/2009/08/261.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/26_thumb1.jpg?w=501&h=484[/IMG][/URL]
[URL="http://araihan.files.wordpress.com/2009/08/272.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/27_thumb2.jpg?w=491&h=484[/IMG][/URL]
[URL="http://araihan.files.wordpress.com/2009/08/281.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/28_thumb1.jpg?w=497&h=484[/IMG][/URL]
[URL="http://araihan.files.wordpress.com/2009/08/291.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/29_thumb1.jpg?w=488&h=484[/IMG][/URL]
Right click WSUS Publishing policy, go to property and check web server and port
[URL="http://araihan.files.wordpress.com/2009/08/301.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/30_thumb1.jpg?w=416&h=484[/IMG][/URL]
On the paths add these path if not existing already
[URL="http://araihan.files.wordpress.com/2009/08/312.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/31_thumb2.jpg?w=418&h=484[/IMG][/URL]
[URL="http://araihan.files.wordpress.com/2009/08/322.jpg"][IMG]http://araihan.files.wordpress.com/2009/08/32_thumb2.jpg?w=420&h=484[/IMG][/URL]
uncheck verify and block option.
All done. You are ready to go now.
[B]Troubleshooting [/B]
Go to client machine, run gpupdate /force if client not showing on WSUS
Run wuauclt /resetauthorization /detectnow command from client machine.
Check Registry of client.
[URL="http://araihan.files.wordpress.com/2009/08/image27.png"][IMG]http://araihan.files.wordpress.com/2009/08/image_thumb27.png?w=478&h=471[/IMG][/URL]



[B]Conclusion[/B]
Auto update and patch up gives administrator more time to concentrate other things without spending time on patching up servers and pc. I enjoyed deploying WSUS. I hope these instruction would be handy for you to find out more of better IT[/LEFT]

[LEFT][CODE]http://www.windowsnetworking.com/articles_tutorials/Deploying-Microsoft-Windows-Server-Update-Services.html[/CODE]

[B]What is WSUS?[/B]

Simply put, Microsoft Windows Server Update Services (WSUS) is the Microsoft provided solution for enterprise patch management. Using WSUS, network administrators can manage and deploy software updates for all of the Microsoft products in a network. This includes client operating systems such as Windows XP and Windows Vista, server operating systems such as Windows Server 2003 and Windows Server 2008, and other products including Microsoft Exchange, ISA Server, and Forefront Security.
[CENTER][URL="http://www.amazon.com/exec/obidos/ASIN/1593271492/isaserver1-20/"]
[/URL][/CENTER]
[B]Looking Under the Hood[/B]

There are three main components that come together to make a WSUS deployment work. The first of these is the Microsoft managed component, Microsoft Update, which manages and distributes updates to Microsoft clients upon request. Next, is the WSUS server itself, which allows administrators to specify which updates are downloaded from Microsoft Update and then deployed to network clients. The final component is Automatic Update, which is built in to Windows 2000 SP4, Windows XP, Windows Server 2003, and Windows Server 2008 and allows these operating systems to download updates from a specified source.
Whether deploying WSUS for a small LAN or a large geographically disperse WAN, all that is involved is leveraging these three components. Let’s take a look at some of the scenarios you may need to deploy WSUS in and how we can effectively do this. Afterwards, we will actually step through the installation process.
[B]WSUS in a Small LAN[/B]

The majority of WSUS installations take place in a smaller environment consisting of a single location and less than a hundred computers. In this configuration, a network administrator will manage a single WSUS server which downloads updates directly from Microsoft Update. More often than not, budget reasons prohibit the purchase of a server exclusively for WSUS, so the service will share hardware with something such as a file or application server.
Once you have everything set up, the only burden on the network administrator is to ensure that synchronization between the server and Microsoft Update is occurring properly and to approve the downloaded updates occasionally. Clients will download and install updates automatically using the Automatic Update component.
[IMG]http://www.windowsnetworking.com/img/upl/image0011210004135083.jpg[/IMG]
[B]Figure 1:[/B] A Simple WSUS Deployment
[B]WSUS in a Large LAN[/B]

A larger network brings a few new concerns into the mix. These networks are still contained in a single location, but have a much greater number of computers, servers, and network segments.
The first thing to consider is that that not all computers should receive the same set of updates. For instance, the users in your accounting department may run an application that does not play friendly with .NET framework 3.0, whereas users in the engineering department require it. This is a pretty simple fix through the use of computer groups. Every computer that reports to the WSUS administration console can be placed in a computer group depending on its individual needs. By default, all computers are placed in the “Unassigned Computers” group when they first report to a WSUS server. Once they have reported however, you can create a custom group and place them in that group. Updates are approved on a per group basis which will allow you to customize the updates installed to a group of computers based upon the user’s needs.
Aside from this, the next consideration here is the management burden imposed by multiple WSUS servers. Monitoring synchronization, approving updates, and ensuring the successful installation of updates is typically a pretty simple task. However, if you have five separate WSUS servers then the management of these can get time consuming for a single person…not to mention mind numbing. Luckily, WSUS was designed with the use of multiple servers in mind and averts this issue through the use of WSUS Server Hierarchies. This hierarchy model allows a single WSUS server to act as an upstream server and impose its configuration on those servers configured as downstream servers below it.
A WSUS hierarchy supports two modes, autonomous mode (which we will discuss later) and replica mode. In replica mode, the upstream server is the only WSUS server that downloads its updates from Microsoft Update. It is also the only server that an administrator has to manually configure computer groups and update approvals on. All information downloaded and configured on to an upstream server is replicated directly to all of the devices configured as downstream servers. Using this method you will save a great deal of bandwidth as only one computer is constantly updating from the Internet. More importantly however, you will save a countless amount of time since you are only managing one server now from a software standpoint.
[IMG]http://www.windowsnetworking.com/img/upl/image0021210004135115.jpg[/IMG]
[B]Figure 2:[/B] Deploying WSUS in a Large LAN
[B]WSUS in a WAN[/B]

The final and most complex scenario in which WSUS can be installed is a large WAN. These WANs are characterized by a large number of devices spread amongst several geographic locations.
Unlike our other scenarios, networks such as this often have a distributed IT management model. Rather than a single administrator managing all WSUS activities, each particular location could have a separate administrator who will need to manage computer groups and update approvals separate from that of the main office. As you would expect, this is another scenario where we can make use of upstream and downstream severs, or more specifically, autonomous mode.
Using autonomous mode, the upstream server transmits update files to the downstream servers, but nothing else. This means that individual computer groups and update approvals must be configured for each particular downstream server. In this deployment type, you get the benefit of optimized bandwidth usage with the flexibility of allowing individual site administrators to manage computer groups and update approvals themselves.
Another typical WAN scenario is caused by bandwidth restriction. It is common that remote network locations will have a high speed connection to the internet but a rather low speed link back to the main office, such as through a VPN. In these cases, an upstream server can manage update approvals, but those remote downstream servers can be configured to download the approved updates directly from the Internet as opposed to the upstream server.
[IMG]http://www.windowsnetworking.com/img/upl/image0031210004135115.jpg[/IMG]
[B]Figure 3:[/B] A WSUS Deployment Designed for a WAN
[B]Installing WSUS[/B]

After you decide what deployment scenario is right for your network, you will want to get to installing it. We are going to step through the process of installing WSUS on to your server.
Before you get started you will need to [URL="http://technet.microsoft.com/en-us/wsus/default.aspx"]download the latest release of WSUS directly from Microsoft[/URL]. After you have downloaded WSUS 3.0 to the server, simply run the executable to get started. At this point you will be notified if you are missing any of the requirements for installing WSUS (check those out at [URL="http://technet2.microsoft.com/windowsserver/en/library/57d7f8ec-1523-4485-9967-604be9ba2aac1033.mspx?mfr=true"]WSUS Installation Requirements[/URL]). If you are in the clear, then you will be asked what components of WSUS you want to install. You can install either the full package containing the WSUS program components and the management console, or just the management console itself. In this case we will be installing all of the components. Proceed by accepting the license agreement.
The next screen will prompt you to select the update source. This is where your client computers will download updates from. For our purposes here we will select Store Updates Locally and choose a location with at least 20 GB of free disk space (more if you have a highly diverse range of products you will be updating). If you do not choose this option, the client computers will only use WSUS to manage what updates are approved and will download these updates directly from Microsoft Update over the Internet.
[IMG]http://www.windowsnetworking.com/img/upl/image0041210004151458.gif[/IMG]
[B]Figure 4:[/B] Selecting an Update Source during WSUS Installation
The database options page is next. This is where you choose the database technology WSUS will use to maintain update information about clients. By default, setup will use the Windows Internal Database. This works just fine, but if SQL Server software happens to be installed on the machine then you can also use that as well by entering its information in on this page.
The following screen allows you to select how WSUS will use IIS. You can use the default web site on port 80 or have WSUS create its own site using port 8530. Using port 8530 is recommended as it allows you some flexibility if you end up adding other web based applications to the same physical server later on.
[IMG]http://www.windowsnetworking.com/img/upl/image0051210004151474.gif[/IMG]
[B]Figure 5:[/B] Selecting what IIS Website WSUS Will Use
This is all of the configuration that is required at this point. Click Next through the remaining screens and choose Finish to complete the installation.
[B]Wrap Up[/B]

We have just gone through a lot of the possible deployment options for WSUS as well as how to install it. There is quite a bit more to know about WSUS but the information provided here should give you a good jump start in determining how you should deploy this Microsoft technology so that you increase update efficiency and decrease administrative overhead
[/LEFT]

[LEFT]One common problem you may encounter with WSUS is when you go to uninstall it. WSUS has a nasty habit of simply not uninstalling correctly. Here is a quick way to remedy this.

Windows Server Update Services is a really great idea for networks of virtually any size. However, you may run into situations where you have to uninstall it from a server for various reasons. Although the uninstallation may seem to go smooth at first, it is when you reinstall it that you will notice that something is wrong.

Typically, when running the installation file for WSUS to install it after an uninstallation, you will be prompted with the uninstallation screen a second time. This is because even though you may have selected to remove all of the components, the uninstallation doesn’t always remove all of them.

The best way to remove everything completely is to clean it with Microsoft’s Windows Installer CleanUp utility. You can download this utility at: [URL="http://support.microsoft.com/default.aspx?scid=kb;EN-US;290301"]Use the Windows Installer CleanUp Utility to remove Office 2000, Office XP, or Office 2003[/URL]. Simply install it, run it, select WSUS from the menu, and choose Remove. After doing this WSUS should be completely removed from your system.

[/LEFT]

[LEFT][CODE]http://araihan.wordpress.com/2009/11/23/deploy-windows-media-player-11-using-windows-server-update-services-wsus/[/CODE]


Log on to WSUS Server using Administrative credential
Open Administrative Tools>Windows Server Update Services>Right Click on update>click on import
[URL="http://araihan.files.wordpress.com/2009/11/118.jpg"][IMG]http://araihan.files.wordpress.com/2009/11/1_thumb6.jpg?w=244&h=184[/IMG][/URL]
Now Microsoft update catalog will be presented to you via IE, Search Windows Media Player on the Catalog. Add Media Player according to your system architecture
[URL="http://araihan.files.wordpress.com/2009/11/217.jpg"][IMG]http://araihan.files.wordpress.com/2009/11/2_thumb6.jpg?w=244&h=160[/IMG][/URL]
Click on view basket>click import and wait for import to be completed
[URL="http://araihan.files.wordpress.com/2009/11/46.jpg"][IMG]http://araihan.files.wordpress.com/2009/11/4_thumb6.jpg?w=244&h=192[/IMG][/URL] [URL="http://araihan.files.wordpress.com/2009/11/313.jpg"][IMG]http://araihan.files.wordpress.com/2009/11/3_thumb6.jpg?w=244&h=159[/IMG][/URL]
Windows Server Update Services>Right Click on update>click search>Type Windows Media Player>Select all>right click and approve selected to the desired desktop group.
[URL="http://araihan.files.wordpress.com/2009/11/56.jpg"][IMG]http://araihan.files.wordpress.com/2009/11/5_thumb6.jpg?w=244&h=214[/IMG][/URL] [URL="http://araihan.files.wordpress.com/2009/11/66.jpg"][IMG]http://araihan.files.wordpress.com/2009/11/6_thumb6.jpg?w=244&h=214[/IMG][/URL] [URL="http://araihan.files.wordpress.com/2009/11/75.jpg"][IMG]http://araihan.files.wordpress.com/2009/11/7_thumb5.jpg?w=244&h=164[/IMG][/URL]
[URL="http://go2.wordpress.com/?id=725X1342&site=araihan.wordpress.com&url=http%3A%2F%2Faraihan.files.wordpress.com%2F2009%2F11%2F83.jpg"][IMG]http://araihan.files.wordpress.com/2009/11/8_thumb3.jpg?w=244&h=151[/IMG][/URL]

[/LEFT]

[LEFT][CODE]http://araihan.wordpress.com/2010/01/27/troubleshooting-wsus-server-step-by-step/[/CODE]

[B]Client not showing in WSUS Server:[/B]

There are several reasons client don’t pop up in WSUS server. a) GPO and WSUS miss-configured. b) Proper prerequisite has not been meet both for server and client as I mentioned in my post.
Log on to WSUS sever as Domain Admin. Open WSUS Console>Option>Computers>Select use group policy or registry settings on computers>Apply>ok.
WSUS Console>Server Name>computers>All Computers>Add Proper Computer Groups, I mean client target group you have mentioned in GPO.
Are all the computers and Server pointing proper client target group as you mentioned in GPO? Did you configure parent GPO and computers pointing child GPO??? Check group policy object using GPO management console to find out any miss-configuration!!! Make sure the computer you are looking WSUS console is placed in right GPO. Run [URL="http://download.microsoft.com/download/win2000platform/gpresult/1.0/NT5/EN-US/gpresult.exe"]gpresult.exe[/URL] from command prompt to find out computer and user config. Wait until GPO refresh time and you will see client in WSUS console.
Another way to see client quickly in WSUS console is to log on to Windows XP SP2 (Must have SP2) client. Run WUAUCLT /DETECTNOW and GPUPDATE /FORCE from command prompt. Reboot client. Log back again.
Start menu>run>Type regedit.exe>ok. Now go to HKEY_Local_Machine\Software\Policies\Microsoft\Windows\Windows Update


[IMG]http://i45.tinypic.com/28qtdl3.jpg[/IMG]



Another critical point to note here, don’t use default configuration port that is 80. Use port 8530 because in ISA server or corporate firewall might be pointing this port to corporate web site unless web publisher added in ISA.
[B]WSUS database full of BugCheck Dump causing WSUS to stop functioning: [/B]

***This file is generated by Microsoft SQL Server version 9.00.4035.00 upon detection of fatal unexpected error. Please return this file, the query or program that produced the bugcheck, the database and the error log, and any other pertinent information with a Service Request***
***Stack Dump being sent to c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\SQLDump0154.txt***
I am one of the victim of this SQL error. This will occupy entire disk space in system partition causing WSUS to stop working. This error got nothing to do with WSUS. This is purely SQL problem. It happens when WSUS is running long and you don’t run clean up wizard to clean database and WSUS. I have to be honest here. I am not an SQL Expert. I found some clues by searching books and google, this SQL error occur when SQL index is corrupt. I logged to SQL server using management studio express and follow this [URL="http://msdn.microsoft.com/en-us/library/ms176064.aspx"]Microsoft link[/URL] and run DBCC CHECKDB. But this will not solve this issue. Basically, SQL database is screwed. You have to backup database, reinstall WSUS and restore will solve this issue. But my best suggestion would be fresh installation of everything….. start from scratch.
[B]Connection Error [/B]

“An error occurred trying to connect the WSUS server. This error can happen for a number of reasons. Check connectivity with the server. Please contact your network administrator if the problem persists.
Click Reset Server Node to connect the server again.”
Reason: WSUS-related Web services (IIS) may stop working when you upgrade a Windows Server 2003-based computer to Windows Server 2008
Solutions:
Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service.
Try removing the persisted preferences for the console by deleting the wsus file under C:\Documents and Settings\%username%\Application data\Microsoft\MMC\
To work around this problem, uninstall the ASP.NET role service in IIS, and then use Service Manager to reinstall the service. To do this, follow these steps:

[LIST=1][*][SIZE=2]Click [B]Start[/B], click [B]Administrative Tools[/B], and then click [B]Server Manager[/B]. [/SIZE][*][SIZE=2]Expand [B]Roles[/B], and then click [B]Web Server (IIS)[/B]. [/SIZE][*][SIZE=2]In the [B]Role Services[/B] section, click [B]Remove Role Services[/B]. [/SIZE][*][SIZE=2]Disable the [B]ASP.NET[/B] check box, and then click [B]Next[/B]. [/SIZE][*][SIZE=2]Click [B]Remove[/B]. [/SIZE][*][SIZE=2]Wait for the removal process to finish, and then click [B]Close[/B]. [/SIZE][*][SIZE=2]In the same [B]Role Services[/B] section, click [B]Add Role Services[/B]. [/SIZE][*][SIZE=2]Enable the [B]ASP.NET[/B] check box, and then click [B]Next[/B]. [/SIZE][*][SIZE=2]Click [B]Install[/B]. [/SIZE][*][SIZE=2]Wait for the installation process to finish, and then click [B]Close[/B][/SIZE][*][SIZE=2][B]Restart[/B] all WSUS related services such as IIS, SQL, Update services (Location Administrative Tools>Services)[/SIZE][/LIST]

[/LEFT]

[LEFT][CODE]http://araihan.wordpress.com/2010/02/17/wsus-how-to-configuring-a-wsus-server-to-use-branchcache/[/CODE]


What is branchCache? BranchCache™ is a new feature in Windows® 7 and Windows Server® 2008 R2 that can reduce wide area network (WAN) or bandwidth utilization and enhance network application responsiveness when users access content in a central office from branch office locations. When you enable BranchCache, a copy of the content that is retrieved from the Web server or file server is cached within the branch office. If another client in the branch requests the same content, the client can download it directly from the local branch network without needing to retrieve the content by using the Wide Area Network (WAN).
How Branchcache works? When a Windows 7 Client from a branch office request data such as WSUS content to a head office Server then server check authentication and authorise data to pass on to the client. This is an ordinary communication happens without branchcache also.
But with branchcache, The client uses the hashes in the metadata to search for the file in the Hosted Cache server. Because this is the first time any client has retrieved the file, it is not already cached on the local network. Therefore, the client retrieves the file directly from the content server. The Hosted Cache server connects to the client and retrieves the set of blocks that it does not have cached.
When a second Windows 7 client from the same branch requests the same WSUS content from the content server or WSUS server. The content server authorizes the user/client and returns content identifiers. The second client uses these identifiers to request the data from the Hosted Cache server residing in branch. This time, it does not retrieve data from the DFS share residing in head office.
To configure a Web server or an application server that uses the Background Intelligent Transfer Service (BITS) protocol, you must install the BranchCache feature using server manager. To configure a file server to use BranchCache, you must install the BranchCache for Network Files feature and configure the server using Group Policy. This article discuss and show how to configure WSUS to use branchcache. The followings are the steps involve in head office and Branch Offices.
[B]Head Office:[/B]

[LIST=1][*][SIZE=2]Install and configure back end SQL Server[/SIZE][*][SIZE=2]Create DFS share[/SIZE][*][SIZE=2]Install and configure front end WSUS Server[/SIZE][*][SIZE=2]Configure GPO for WSUS client[/SIZE][/LIST]
[B]Branch Office:[/B]

[LIST=1][*][SIZE=2]Install and configure Branchcache File Server[/SIZE][*][SIZE=2]Configure GPO for Branchcache[/SIZE][*][SIZE=2]Install and configure front end WSUS server[/SIZE][*][SIZE=2]Configure GPO for WSUS client[/SIZE][/LIST]
[B][COLOR=#cc6600]Installing BranchCache File Server [/COLOR][/B]

1. Click Start, point to Administrative Tools, and then click Server Manager.
2. Right-click Roles and then click Add Roles.
3. In the Add Features Wizard, select File Server and BranchCache for network files and then click Next.
4. In the Confirm Installation Selections dialog box, click Install.
5. In the Installation Results dialog box, confirm that BranchCache installed successfully, and then click Close.
[B]Using Group Policy to configure BranchCache[/B]

1. Open the Group Policy Management Console. Click Start, point to Administrative Tools, and then click Group Policy Management Console.
2. Select the domain in which you will apply the Group Policy object, or select Local Computer Policy.
3. Select New from the Action menu to create a new Group Policy object (GPO).
4. Choose a name for the new GPO and click OK.
5. Right-click the GPO just created and choose Edit.
6. Click Computer Configuration, point to Policies, Administrative Templates, Network, and then click Lanman Server.
7. Double-click Hash Publication for BranchCache.
8. Click Enabled.
9. Under Options, choose one of the following Hash publication actions:
a. Allow hash publication for all file shares.
b. Allow hash publication for file shares tagged with “BranchCache support.”
c. Disallow hash publication on all file shares.
10. Click OK.
[B]Using the Registry Editor to configure disk use for stored identifiers[/B]

1. Open an elevated command prompt (click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator).
2. At the command prompt, type Regedit.exe, and then press Enter.
3. Navigate to HKLM\CurrentControlSet\Service\LanmanServer\Parameters.
4. Right-click the HashStorageLimitPercent value, and then click Modify.
5. In the Value box, type the percentage of disk space that you would like BranchCache to use. Click OK.
6. Close the Registry Editor.
[B]Setting the BranchCache support tag on a file share[/B]

1. Click Start, point to Administrative Tools, and then click Share and Storage Management.
2. Right-click a share and then click Properties.
3. Click Advanced.
4. On the Caching tab, select Only the files and programs that users specify are available offline.
5. Select Enable BranchCache, and then click OK.
6. Click OK, and then close the Share and Storage Management Console.
To replicate cryptographic data
1. [SIZE=2]Open an elevated command prompt (click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator).[/SIZE]
[SIZE=2]2. At the command prompt, type netsh branchcache set key passphrase=“MY_PASSPHRASE”, and then press Enter. Choose a phrase known only to you. Repeat this process using the same phrase on all computers that are participating in the cluster.[/SIZE]
[B]Client configuration using Group Policy[/B]

1. Click Start, point to Administrative Tools, and click Group Policy Management Console.
2. In the console tree, select the domain in which you will apply the GPO.
3. Create a new GPO by selecting New from the Action menu.
4. Choose a name for the new GPO, and then click OK.
5. Right click the GPO you created and choose Edit.
6. Click Computer Configuration, point to Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, Network, and then click BranchCache.
7. Double-click Turn on BranchCache.
8. Click Enabled, and then click OK.
9. To use Distributed Cache mode, double-click Turn on BranchCache – Distributed Caching mode, click Enabled, and then click OK. or
To use Hosted Cache mode, double-click Turn on BranchCache – Hosted cache mode, click Enabled, and then click OK.
10. To enable BranchCache for SMB traffic, double-click BranchCache for network files, click Enabled, select a latency value under Options, and then click OK.
[B]Configuring a Branch WSUS server to use BranchCache[/B]

In addition to enabling BranchCache in your environment, the WSUS server must be configured to store update files locally (both the update metadata and the update files are downloaded and stored locally on the WSUS server). This ensures that the clients get the update files from the WSUS server rather than directly from Microsoft Update.
[B][COLOR=#cc6600]Install SQL Server 2005/2008 with Management Studio Express on the back-end computer[/COLOR][/B]


[LIST=1][*] Click [B]Start[/B], point at [B]All Programs[/B], point at [B]SQL Server 2005[/B], point at [B]Configuration Tools[/B], and select [B]SQL Server Surface Area Configuration[/B].[*] Choose [B]Surface Configuration for Services and Connections[/B].[*] In the left window, click the [B]Remote Connections[/B] node.[*] Select [B]Local and remote connections[/B] and then select [B]Using TCP/IP only[/B].[*] Click [B]OK[/B] to save the settings.[/LIST]
[B]To ensure administrative permissions on SQL Server [/B]

[LIST=1][*] Start [B]SQL Server Management Studio[/B] (click [B]Start[/B], click [B]Run[/B], and then type [B]sqlwb[/B]).[*] Connect to the SQL Engine on the server where SQL Server 2005 was installed in Step 1.[*] Select the [B]Security[/B] node and then select [B]Logins[/B].[*] The right pane will show a list of the accounts that have database access. Check that the person who is going to install WSUS 3.0 on the front-end computer has an account in this list.[*] If the account does not exist, then right-click the [B]Logins[/B] node, select [B]New Login[/B], and add the account.[*] Set up this account for the roles needed to set up the WSUS 3.0 database. The roles are either [B]dbcreator[/B] plus [B]diskadmin[/B], or [B]sysadmin[/B]. Accounts belonging to the local Administrators group have the [B]sysadmin[/B] role by default.[/LIST]
[B][COLOR=#cc6600]Install Branch WSUS Server[/COLOR][/B]

[B]To install WSUS on the front-end computer [/B]At the command prompt, navigate to the folder containing the WSUS Setup program, and type:
[B]WSUSSetup.exe /q FRONTEND_SETUP=1 SQLINSTANCE_NAME=server\instance CREATE_DATABASE=0[/B]
Here, Server\instance is the name of the remote SQL server that is holding the instance of WSUS database. If you do not want silent installation then don’t use /q switch and follow [URL="http://araihan.wordpress.com/2009/08/13/install-and-configure-wsus-3-0-sp2-step-by-step/"]WSUS installation link[/URL]
[B]Important![/B] Microsoft recommend 1GB free space for Systems Partition and 30GB for WSUS contents. But this minimum recommended space will create havoc when WSUS log, database log and content grow over the years. So, I used 50GB as systems partition and 100GB as WSUS contents in DFS share.
[B]To configure the proxy server on WSUS front-end servers[/B]

[LIST=1][*] In the WSUS administration console, select [B]Options[/B], then [B]Update Source and Proxy Server[/B].[*] Select the [B]Proxy Server[/B] tab, then enter the proxy server name, port, user name, domain, and password, then click [B]OK[/B].[*] Repeat this procedure on all the front-end WSUS servers.[/LIST]
[B]To specify where updates are stored [/B]

[LIST=1][*] In the left pane of the WSUS Administration console, click [B]Options[/B].[*] In [B]Update Files and Languages[/B], click the [B]Update Files[/B] tab.[*] If you want to store updates in WSUS, select the [B]Store update files locally on this server[/B] check box.[/LIST]
[B]To specify whether updates are downloaded during synchronization or when the update is approved [/B]

[LIST=1][*] [SIZE=2]In the left pane of the WSUS Administration console, click [B]Options[/B].[/SIZE][*] [SIZE=2]In [B]Update Files and Languages[/B], click the [B]Update Files[/B] tab.[/SIZE][*] [SIZE=2]If you want to download only metadata about the updates during synchronization, select the [B]Download updates to this server only when updates are approved[/B] check box. [/SIZE][/LIST]
[B]To specify language options [/B]

[LIST=1][*] [SIZE=2]In the left pane of the WSUS Administration console, click [B]Options[/B].[/SIZE][*] [SIZE=2]In [B]Update Files and Languages[/B], click the [B]Update Languages[/B] tab.[/SIZE][*] [SIZE=2]In the [B]Advanced Synchronization Options[/B] dialog box, under [B]Languages[/B], select one of the following language options, and then click [B]OK[/B].[/SIZE][*][SIZE=2][B]Select Download updates only in these languages[/B]: This means that only updates targeted to the languages you select will be downloaded during synchronization. [/SIZE][/LIST]
[B]How to configure automatic updates by using Group Policy[/B]
[FONT=Verdana][SIZE=2]Log on to Domain Controller using Administrative Privilege. Open GPO management Console>Select Organisational unit>Right client>create and link a new GPO> Name it as WSUS policy>right click>Edit. Go to Computer Configuration\Administrative Templates\Windows Components\Windows Updates\[/SIZE][/FONT]
[FONT=Verdana][SIZE=2]Now Specify Client target group, Intranet update server location i.e. [URL="http://servername:8530/"]http://servername:8530[/URL] , update schedule, installation schedule.[/SIZE][/FONT]
[B]To set up a DFS share[/B]
[B][COLOR=#404040]Note:This DFS share will be used by all front end WSUS servers.[/COLOR][/B]

[LIST=1][*] [SIZE=2]Go to [B]Start[/B], point at [B]All Programs[/B], point at [B]Administrative Tools[/B], and click [B]Distributed File System[/B].[/SIZE][*] [SIZE=2]You will see the [B]Distributed File System[/B] management console. Right-click the [B]Distributed File System[/B] node in the left pane and click [B]New Root[/B] in the shortcut menu.[/SIZE][*] [SIZE=2]You will see the [B]New Root Wizard[/B]. Click [B]Next[/B].[/SIZE][*] [SIZE=2]In the [B]Root Type[/B] screen, select [B]Stand-alone root[/B] as the type of root, and click [B]Next[/B].[/SIZE][*] [SIZE=2]In the [B]Host Server[/B] screen, type the name of the host server for the DFS root or search for it with [B]Browse[/B], and then click [B]Next[/B].[/SIZE][*] [SIZE=2]In the [B]Root Name[/B] screen, type the name of the DFS root, and then click [B]Next[/B].[/SIZE][*] [SIZE=2]In the [B]Root Share[/B] screen, select the folder that will serve as the share, or create a new one. Click [B]Next[/B].[/SIZE][*] [SIZE=2]In the last screen of the wizard, review your selections before clicking [B]Finish[/B].[/SIZE][*] [SIZE=2]You will see an error message if the Distributed File System service has not yet been started on the server. You can start it at this time.[/SIZE][*] [SIZE=2]Make sure that the domain account of each of the front-end WSUS servers has change permissions on the root folder of this share.[/SIZE][/LIST]
[B]Important![/B] If you are using a DFS share, be careful when uninstalling WSUS from one but not all of the front-end servers. If you allow the WSUS content directory to be deleted, this will affect all the WSUS front-end servers.
[B]To configure IIS for remote access on the front-end WSUS servers[/B]

[LIST=1][*] On each of the servers, go to [B]Start[/B], point at [B]All Programs[/B], point at [B]Administrative Tools[/B], and click [B]Internet Information Services (IIS) Manager[/B].[*] You will see the [B]Internet Information Services (IIS) Manager[/B] management console.[*] Click the server node, then the [B]Web Sites[/B] node, then the node for the WSUS Web site (either [B]Default Web Site[/B] or [B]WSUS Administration[/B]).[*] Right-click the [B]Content[/B] node and select [B]Properties[/B].[*] In the [B]Content Properties[/B] dialog box, click the [B]Virtual Directory[/B] tab. In the top frame you will see [B]The content for this resource should come from:[/B][*] Select [B]A share located on another computer[/B] and fill in the UNC name of the share.[*] Click [B]Connect As[/B], and enter the user name and password that can be used to access that share.[*] Be sure to follow these steps for each of the front-end WSUS servers that are not on the same machine as the DFS share.[/LIST]
[B]To move the content directories on the front-end WSUS servers [/B]

[LIST=1][*] Open a command window.[*] Go to the WSUS tools directory on the WSUS server:
[B]cd \Program Files\Update Services\Tools[/B][*] Type the following command:
[B]wsusutil movecontent [/B][I]DFSsharename logfilename[/I]
where [I]DFSsharename[/I] is the name of the DFS share to which the content should be moved, and [I]logfilename[/I] is the name of the log file.[/LIST]
[B]To configure Network Load Balancing[/B]
1. Enable Network load balancing

[LIST][*][SIZE=2]a) Click [B]Start[/B], then [B]Control Panel[/B], [B]Network Connections[/B], [B]Local Area Connection[/B], and click [B]Properties[/B]. [/SIZE][*][SIZE=2]b) Under [B]This connection uses the following items[/B], you may see an entry for Network Load Balancing. If you do not, click [B]Install[/B], then (on the [B]Select Network Component Type[/B] screen) select [B]Service[/B], then click [B]Add[/B], then (on the [B]Select Network Service[/B] screen) select [B]Network Load Balancing[/B], then [B]OK[/B]. [/SIZE][*][SIZE=2]c) On the [B]Local Area Connection Properties[/B] screen, select [B]Network Load Balancing[/B], and then click [B]OK[/B]. [/SIZE][/LIST]
2. On the [B]Local Area Connection Properties[/B] screen, select [B]Network Load Balancing[/B], and then click [B]Properties.[/B]
[B]3. [/B]On the [B]Cluster Parameters[/B] tab, fill in the relevant information (the virtual IP address to be shared among the front end computers, and the subnet mask). Under [B]Cluster operation mode[/B], select [B]Unicast[/B].
4. On the [B]Host Parameters[/B] tab, make sure that the unique host identifier is different for each member of the cluster.
5. On the [B]Port Rules[/B] tab, make sure that there is a port rule specifying single affinity (the default). (Affinity is the term used to define how client requests are to be directed. Single affinity means that requests from the same client will always be directed to the same cluster host.)
6. Click [B]OK[/B], and return to the [B]Local Area Connection Properties[/B] screen.
7. Select [B]Internet Protocol (TCP/IP)[/B] and click [B]Properties[/B], and then click [B]Advanced[/B].
8. On the [B]IP Settings[/B] tab, under [B]IP addresses[/B], add the virtual IP of the cluster (so that there will be two IP addresses). This should be done on each cluster member.
9. On the [B]DNS[/B] tab, clear the [B]Register this connection’s addresses in DNS[/B] checkbox. Make sure that there is no DNS entry for the IP address
[/LEFT]

[LEFT][CODE]http://araihan.wordpress.com/2010/02/26/wsus-best-practice-guide-lines-to-optimize-wsus-installation-configuration-and-management/[/CODE]


[FONT=ve]Windows Server Update Services (WSUS) is highly important services in a Microsoft infrastructure. WSUS provides automated delivery of service packs, hot fixes and update rollups to desktops and servers and keep them up to date. When you configure WSUS in an enterprise you have to consider maximum benefits you can get it from using minimum bandwidth and resources. However, you must provide WSUS server enough resources to run in optimum conditions and deliver up to the expectation over the years.[/FONT] [B][FONT=ve]Capacity Planning[/FONT][/B]

[FONT=ve]Capacity planning is the step 1 before deploying WSUS in an enterprise. There are number of factors you have to consider before deploying WSUS. The following hardware and database requirements are driven by the need of an organization. [/FONT]

[LIST=1][*][FONT=ve]Number of clients and servers[/FONT][*][FONT=ve]Frequency of update delivery[/FONT][*][FONT=ve]Single server or multiple server deployment[/FONT][/LIST]
[FONT=ve]Minimum requirements:[/FONT]

[LIST=1][*][FONT=ve]CPU – Minimum 1 GHz, 1.5 GHz or faster is recommended[/FONT][*][FONT=ve]RAM – Minimum 1 GB, 2 GB or more is recommended[/FONT][*][FONT=ve]Both the system partition and the partition on which you install WSUS 3.0 SP2 must be formatted with the NTFS file system[/FONT][*][FONT=ve]Minimum 1 GB of free space on the system partition[/FONT][*][FONT=ve]Minimum 2 GB of free space on the volume on which database files will be stored[/FONT][*][FONT=ve]Minimum 20 GB of free space on the volume on which content is stored, 30 GB is recommended[/FONT][*][FONT=ve]Notice that WSUS 3.0 SP2 cannot be installed on compressed drives.[/FONT][*][FONT=ve]Database – internal or SQL Express[/FONT][/LIST]
[FONT=ve]But with this minimum hardware, WSUS server will not perform well when content and Data base log start growing. Recommended Systems that supports up to 25k clients: [/FONT]

[LIST=1][*][FONT=ve]CPU- Intel Core 2 or Quad or Xeon [/FONT][*][FONT=ve]RAM – 4GB[/FONT][*][FONT=ve]Disk – at least 50 GB or more free space in Systems partition and 150GB or more disk space for WSUS content in separate partitions or DFS. [/FONT][*][FONT=ve]Database – SQL Remote database or local SQL Express 2005 or later[/FONT][*][FONT=ve]Windows Server 2003 (x64 or X86) or Windows Server 2008[/FONT][*][FONT=ve]un-compressed NTFS Partitions[/FONT][/LIST]
[B][FONT=ve]Bandwidth Management[/FONT][/B]

[FONT=ve]WSUS is a bandwidth hungry systems in whole infrastructure. The decisions you make about how to synchronize with Microsoft Update have a dramatic effect on the efficient use of bandwidth. Set Synchronization schedule and download option when update is approve. To do this log on to [B]WSUS front end Server[/B] as an administrator.[/FONT]
[FONT=ve]Start menu>Administrative Tools>WSUS>Update Services>Options>Synchronization Schedule[/FONT]
[FONT=ve]►Set Synchronisation schedule on later at night when nobody is at work.[/FONT]
[FONT=ve]Start menu>Administrative Tools>WSUS>Update Services>Options>Update Files and Languages[/FONT]
[FONT=ve]►Set download files to this server only when update is approved[/FONT]
[FONT=ve]►Download update only in these languages (check preferred language)[/FONT]
[FONT=ve]In a chain of WSUS servers (head office and branch office deployment) , WSUS automatically sets all downstream servers to use the deferred download option that is selected on the highest upstream server—in other words, the server that is directly connected to Microsoft Update. I would recommend not to use express installation option because this will download larger files then preferred download.[/FONT]
[FONT=ve][B]Update Delivery:[/B] To manage bandwidth of internal networks, it’s better to deliver update based on internal network uses i.e. set update time when there will be no bottle neck in internal infrastructure.[/FONT]
[B][FONT=ve]Firewall Management[/FONT][/B]

[FONT=ve]You have to configure the firewall (ISA or Forfront) that is positioned between Front End WSUS and the Internet to allow WSUS traffic pass through. Because WSUS initiates and synchronize with Microsoft update using port 80 and 443. there is no need to configure Windows Firewall on the WSUS server or Windows client. Only you have to allow WSUS server connect the following websites .[/FONT]
[B][CODE][FONT=ve][/FONT] [/B]

[FONT=ve]http://windowsupdate.microsoft.com [/FONT]
[FONT=ve]http://*.windowsupdate.microsoft.com [/FONT]
[FONT=ve]https://*.windowsupdate.microsoft.com [/FONT]
[FONT=ve]http://*.update.microsoft.com [/FONT]
[FONT=ve]https://*.update.microsoft.com [/FONT]
[FONT=ve]http://*.windowsupdate.com [/FONT]
[FONT=ve]http://download.windowsupdate.com[/FONT]
[FONT=ve]http://download.microsoft.com [/FONT]
[FONT=ve]http://*.download.windowsupdate.com [/FONT]
[FONT=ve]http://wustat.windows.com [/FONT]
[FONT=ve]http://ntservicepack.microsoft.com[/FONT]
[B][FONT=ve][/FONT][/B]


[B][/CODE][/B]

[B][FONT=ve]Group Policy Management[/FONT][/B]

[FONT=ve]Managing GPO for WSUS client is easy. But you must not modify Default Domain Controller GPOs to add WSUS settings. After you set up a client computer, it will take a few minutes before it appears on the Computers page in the WSUS console. For client computers configured with an Active Directory-based GPO, it will take about 20 minutes after Group Policy refreshes (that is, applies any new settings to the client computer). By default, Group Policy refreshes in the background every 90 minutes, with a random offset of 0–30 minutes. For Windows XP SP2 and Windows Server SP2, you don’t need load administrative template of windows update in GPO.[/FONT]
[FONT=ve]To configure the behaviour of Automatic Updates[/FONT]
[FONT=ve]1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update. [/FONT] [FONT=ve]2. In the details pane, click Configure Automatic Updates. [/FONT]
[FONT=ve]3. Click Enabled and select one of the following options:[/FONT]

[LIST][*] [FONT=ve][B]Set Auto download and schedule the install.[/B] If Automatic Updates is configured to perform a scheduled installation, you must also set the day and time for the recurring scheduled installation.[/FONT][/LIST]
[FONT=ve]4. Click OK. [/FONT]
[FONT=ve]To redirect Automatic Updates to a WSUS server [/FONT]
[FONT=ve]1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update. [/FONT] [FONT=ve]2. In the details pane, click Specify Intranet Microsoft update service location.[/FONT]
[FONT=ve]3. Click Enabled and type the HTTP URL of the same WSUS server in the Set the intranet update service for detecting updates box and in the Set the intranet statistics server box. For example, type http//WSUS:8530 in both WSUS server stat server.[/FONT]
[FONT=ve]4. Click OK.[/FONT]
[FONT=ve]To reschedule Automatic Update scheduled installation[/FONT]
[FONT=ve]1. In the Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.[/FONT] [FONT=ve]2. In the details pane, click [B]Reschedule Automatic Update scheduled installations[/B], click Enabled, and type the number of minutes to wait.[/FONT]
[FONT=ve]3. Click OK.[/FONT]
[B][FONT=ve]Database Management[/FONT][/B]

[FONT=ve]I would prefer to install SQL Express version with Management studio Express because it free and serve my purpose. So no to Windows Internal Database (WID). SQL Express will deliver optimum performance. For large scale deployment you can create separate SQL database server and use remote database in all front end servers. The WSUS database i.e. Server\SUSDB stores the following types of information:[/FONT]

[LIST=1][*][FONT=ve]WSUS server configuration information[/FONT][*][FONT=ve]Metadata that describes each update[/FONT][*][FONT=ve]Information about client computers, updates, and client interaction with updates[/FONT][/LIST]
[FONT=ve]Set Proper security in SUSDB as shown below[/FONT]
[URL="http://araihan.files.wordpress.com/2010/02/wsus1.jpg"][FONT=ve][IMG]http://araihan.files.wordpress.com/2010/02/wsus1_thumb.jpg?w=244&h=175[/IMG][/FONT][/URL][FONT=ve] [/FONT]
[FONT=ve]Backup SUSDB regularly to save all config and client info as shown below.[/FONT]
[URL="http://araihan.files.wordpress.com/2010/02/wsus.jpg"][FONT=ve][IMG]http://araihan.files.wordpress.com/2010/02/wsus_thumb.jpg?w=244&h=176[/IMG][/FONT][/URL][FONT=ve] [/FONT]
[B][B][FONT=ve]Cleanup WSUS Server[/FONT][/B][/B]

[FONT=ve]You have to clean up WSUS server on and off to remove expired updates, downloads and computers. you can freed up storage by running clean up wizard. To run clean up wizard, Log on the WSUS server. Go to Start menu>Administrative Tools>WSUS SP2>Update Services>Options>Server Clean Up Wizard>Check Specific Options you want>Next>Finish. [/FONT]
[B][FONT=ve]Management of WSUS server[/FONT][/B]

[FONT=ve]WSUS supports deployments in both central and distributed management models. Centre Management means Front End WSUS server placed in head office will manage everything including update approval, database and also facing proxy and windows update. Rest of WSUS servers are place in branches and replicating main WSUS server. Distributed WSUS means every WSUS server placed in branch and head office works independently. [/FONT]
[FONT=ve]The WSUS 3.0 SP2 administration console installed in Admin PC can be used to manage any WSUS server or Front End WSUS server placed in head office. WSUS can be managed from one of the following supported operating systems: Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 SP2 or later, Windows Small Business Server 2008 or 2003, Windows Vista, or Windows XP SP3. Also prerequisite must be installed.[/FONT]

[LIST=1][*][FONT=ve]Microsoft .NET Framework 2.0 or later[/FONT][*][FONT=ve]Microsoft Management Console 3.0[/FONT][*][FONT=ve]Microsoft Report Viewer Redistributable 2008[/FONT][/LIST]
[FONT=ve]To open the WSUS administration console[/FONT]
[FONT=ve]1. Click Start, point to Control Panel, point to Administrative Tools, and then click Windows Server Update Services 3.0 Sp2.[/FONT] [FONT=ve]2. If you are bringing up the remote console for the first time, you will see only Update Services in the left pane of the console.[/FONT]
[FONT=ve]3. To connect to a WSUS server, in the Actions pane click Connect to Server.[/FONT]
[FONT=ve]4. In the Connect To Server dialog box, type the name of the WSUS server and the port 8530 on which you would like to connect to it.[/FONT]
[FONT=ve]5. If you wish to use SSL to communicate with the WSUS server, select the Use Secure Sockets Layer (SSL) to connect to this server check box. In this case use port 8531.[/FONT]
[FONT=ve]6. Click Connect to connect to the WSUS server.[/FONT]
[FONT=ve]7. You may connect to as many servers as you need to manage through the console.[/FONT]
[FONT=ve]Related References:[/FONT]
[URL="http://technet.microsoft.com/en-us/library/cc720454%28WS.10%29.aspx"][FONT=ve]Minimum Systems Requirement Guide[/FONT][/URL][FONT=ve] [/FONT]
[URL="http://technet.microsoft.com/en-us/library/cc720460%28WS.10%29.aspx"][FONT=ve]Prerequisite software[/FONT][/URL]
[URL="http://araihan.wordpress.com/2009/08/13/install-and-configure-wsus-3-0-sp2-step-by-step/"][FONT=ve]Install and configure WSUS SP2— Step by Step[/FONT][/URL]
[URL="http://technet.microsoft.com/en-us/updatemanagement/bb245859.aspx"][FONT=ve]IIS Planning[/FONT][/URL]


[/LEFT]