server 2008 wsus windows server update services


Upload: paul

Post on 10-Mar-2015


70-642 notes

Page 1: Server 2008 WSUS Windows Server Update Services

Windows Server Update Services (WSUS)

When you run WSUS, it connects to the Microsoft Update site, downloads information about available updates, and adds them to a list of updates that require administrative approval. After an administrator approves and prioritizes these updates (a process that you can entirely automate), WSUS automatically makes them available to Windows computers. The Windows Update client (when properly configured) then checks the WSUS server and automatically downloads and, optionally, installs approved updates.

Prerequisites that must be installed:

1. Microsoft .NET Framework 2.0 or later

2. Microsoft Management Console 3.0

3. Microsoft Report Viewer Redistributable 2008

How to install WSUS 3.0 SP1

The guide requires you to download the WSUS package from http://www.microsoft.com/downloads/d...laylang=en#top and you must also download the Microsoft Report Viewer Redistributable.

Download details: Microsoft Report Viewer Redistributable 2008

Setting up WSUS (Windows Server Update Services) is a fairly straightforward task.

Windows Server 2003 SP1+ or 2008 (something idle that doesn’t get used much; ideally your network monitoring server, or a virtual server)

WSUS from Microsoft

.NET 2 installed and enabled in IIS

IIS 6 or later

Microsoft Report Viewer (needed to see reports). WSUS works without this, but you won’t get any reporting.

SQL Express 2005 or standard 2005.

WSUS will give you the option to install Windows Internal Database, but I wouldn’t recommend this as it can be tricky to uninstall if you have errors during installation. I tend to use Express as it’s free and I don’t need to play with my standard SQL Server running business-critical apps.

Open Server Manager by selecting Start > Administrative Tools > Server Manager. Click the Add Roles link. This will launch the Add Roles Wizard.

Check the checkbox next to the Windows Server Update Services option and click Next. The wizard will then download the WSUS components and launch the Windows Server Update Services Setup Wizard.

The installer will then ask you whether you are installing this as the Full Server or just as an admin console. The Administration console allows you to administer the WSUS server remotely (by means of another computer). Select full server installation and click Next to continue.

You are then prompted to select a location where the update files will be saved. Make sure that you have sufficient space in your hard drive to store selected updates. Selecting to store updates locally can speed up update installs as updates are saved locally on your network and will cut down network traffic. Once you select your location, click next to continue.

Next, select the database server that you wish to use. If you are using SQL Express as suggested, select this option. WSUS will present all available databases to you.

The installer will then check to see if it is able to connect to database server and if it can, it will present the following screen. Click next to continue if you are happy that you have selected the right database.

The Web Site selection is entirely up to you. If you are certain that you don’t have any other site hosted on this server and you don’t intend to have any site in the future, then select the “Use the existing IIS Default Web site” option. But if, like me, you host your intranet or any other application on this server, then select the “Create a Windows Server Update Services 3.0 Web site” option.

Finally the installation will begin. You will be prompted when it is complete.

The WSUS Configuration Wizard will now launch so that we can properly configure the server. Click the Next button to begin configuring the server.

Choose whether you want to participate in the customer experience program and click Next.

Decide whether the WSUS server will be downloading updates from Microsoft directly or from another WSUS server on the corporate network. We assume that this is the first WSUS server in our deployment, so choose to download updates directly from Microsoft.

This is a step that you need to decide on. If you have a proxy server in your organisation, then enter its settings. Otherwise click Next.

Now your server will need to contact Microsoft to sync for the first time. This step can take some time, so it’s best you make yourself a drink.

Now select the languages in your environment and hit Next.

Now select the Microsoft updates that you need in your organisation. You can do all this later if you feel you’ve left anything out. Select Next.

Now select the classifications.

Now select how often you want WSUS to sync with Microsoft Update.

Now select your options and you’re almost done.

Click on Finish to start using WSUS.

You will not see any computers under “Computers” until you change settings in AD, so don’t go crazy and select every single available update. Not only will you run out of space on your hard disk, you will also hammer your internet connection.

Instead, wait for computers to appear under the “Unassigned computers” tab, then change their membership (create groups and add the PCs). Once these computers appear and report back their status, you will see the updates they require.

Once the wizard is finished, open the WSUS admin console from Administrative Tools and select Options:

Click the Products and Classifications link in the middle pane.

Here we can specify which products will be updated and what kinds of updates will be downloaded and distributed.

Back in Options, click the Automatic Approvals link.

Click the Edit button to edit the Default Automatic Approval Rule:

Click the first hyperlink in the Step 2 box at the bottom. This opens a new dialog that lets you choose which updates should be automatically approved so you don't have to manually approve them.

Automatic Approval will be the best choice for organizations that don't have the IT staff resources to be able to verify and test every released update against the matrix of all installed applications.

Click OK to return to the Automatic Approvals dialog, and select the checkbox indicated to enable the rule that automatically approves the types of updates you have specified.

Click OK to finish configuring WSUS.

Synchronizing WSUS

To synchronize your WSUS server with the upstream server (in this case the Microsoft website), right-click the Synchronization node in the WSUS admin console and select Synchronize Now:

Client Settings

After installing and configuring your WSUS server, you’ll need to set up your other PCs and servers to connect to WSUS for their updates. Configuring clients to connect to a WSUS server requires a change to the Windows Update software on those clients. The easiest way to accomplish this change is by using Group Policy.

CREATING WSUS COMPUTER GROUPS

Before we jump into our Group Policy Management Console and create a GPO, we need to configure a couple of options in WSUS:

Configure computer groups to allow you to distribute updates to different sets of computers at different times. In most environments, you will not deploy all updates to all clients at once. To give you control over when computers receive updates, WSUS 3.0 allows you to configure groups of computers and deploy updates to one or more groups.

Open Server Manager by selecting Start > Administrative Tools > Server Manager. Expand the Roles > Windows Server Update Services > Computers > All Computers nodes. Right-click the All Computers node and choose Add Computer Group.

Input a desired name for the new group.

Go to the Options screen and select Computers.

CHANGING COMPUTER GROUP ASSIGNMENT SETTINGS

You can configure computer groups in one of two ways:

Server-side: suited for small organizations. You add computers to computer groups manually using the Update Services console.

Client-side: suited for larger organizations. You use Group Policy settings to configure computers as part of a computer group. Computers automatically add themselves to the correct computer group when they connect to the WSUS server.

Whichever approach you use, you must first use the Update Services console to create computer groups.

Click the Options node in the WSUS role configuration. Click the Computers link in the center pane.

The WSUS Console Options Pane

In the Computers window, select the option to Use Group Policy or registry settings on computers. Then click the OK button. This setting will instruct WSUS to automatically assign client computers to our newly created computer group based upon the GPO applied to those clients.

Using group policy to configure clients

Use GPO settings to instruct a client computer to become a member of a particular computer group within WSUS. This prevents you from having to manually add computers to computer groups within WSUS.

1. Select Start > Administrative Tools > Group Policy Management. This will open the Group Policy Management Console (GPMC).

2. Within the GPMC, expand the nodes of the forest and domain in which you want to create a new GPO.

3. Locate and right-click on the newly created Servers OU. Choose the option to Create a GPO in this domain, and Link it here.

4. The New GPO dialog box will appear. Enter a name for the GPO such as WSUS GPO and ensure that Source Starter GPO is set to None. Then click OK.

5. Right-click the new GPO you created and choose Edit. The Group Policy Editor window will open.

The most important group policies that we need to configure are located in Computer Configuration > Administrative Templates > Windows Components > Windows Update.

This displays Windows Update settings that you can configure via GPO. Open each of the following settings by double-clicking on that policy setting. Select Configure Automatic Updates.

7. After configuring the appropriate GPO settings, close the Group Policy Editor. Then close the Group Policy Management Console.

Automatic Updates are now enabled, but before the computers can receive updates from the WSUS server we need to configure the following group policy setting:

Specify intranet Microsoft Update service location. Click on it and view its properties. We have already enabled the group policy setting as in the screenshot above; however, we need to enter the https address of our WSUS server, so do that in the two empty fields provided and click OK.

This policy will apply to any new clients added to the My Servers OU in Active Directory. In our example, we’ll move our WSUS server to this OU.

8. After your clients perform a Group Policy update, they will check in and register with the WSUS server. You should see the clients appear in the My Servers computer group within WSUS role management. You can now easily set up any Windows client to register with your WSUS server for updates simply by placing them in the My Servers OU.
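
As an added example (not part of the original notes), the following PowerShell checks on a client that the settings from the steps above have actually arrived in the registry, and in particular that both service location fields hold the https address. The value names are the standard Windows Update policy registry values; the address https://wsus.example.local and the sample tables are constructed placeholders, and the group name My Servers follows the notes.

```powershell
# Added example, not from the original notes. Checks the registry values that the
# Windows Update policy settings described above write on a client.
# 'https://wsus.example.local' and the sample tables below are constructed values.

function Read-PolicyKey {
    param([string]$Path)
    # Returns all values of one registry key as a hashtable (empty if the key is absent).
    $table = @{}
    if (Test-Path $Path) {
        $key = Get-Item -Path $Path
        foreach ($name in $key.GetValueNames()) { $table[$name] = $key.GetValue($name) }
    }
    return $table
}

function Test-WsusClientPolicy {
    param(
        [hashtable]$Policy,        # values under ...\Windows\WindowsUpdate
        [hashtable]$AuPolicy,      # values under ...\Windows\WindowsUpdate\AU
        [string]$ExpectedServer,   # https address entered in the GPO
        [string]$ExpectedGroup     # WSUS computer group used for client-side targeting
    )
    $findings = @()

    if ($AuPolicy['UseWUServer'] -ne 1) {
        $findings += 'UseWUServer is not 1: the client does not use the intranet update server.'
    }
    # Both fields of "Specify intranet Microsoft Update service location" must be https.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = [string]$Policy[$name]
        if (-not $value) {
            $findings += "$name is not set."
        } elseif ($value -notmatch '^https://') {
            $findings += "$name is '$value': not an https address."
        } elseif ($value.TrimEnd('/') -ne $ExpectedServer.TrimEnd('/')) {
            $findings += "$name is '$value': expected '$ExpectedServer'."
        }
    }
    if ($ExpectedGroup) {
        if ($Policy['TargetGroupEnabled'] -ne 1) {
            $findings += 'TargetGroupEnabled is not 1: client-side targeting is off.'
        } elseif ($Policy['TargetGroup'] -ne $ExpectedGroup) {
            $findings += "TargetGroup is '$($Policy['TargetGroup'])': expected '$ExpectedGroup'."
        }
    }
    if ($null -eq $AuPolicy['AUOptions']) {
        $findings += 'AUOptions is not set: Configure Automatic Updates has not applied.'
    }
    return $findings
}

# Constructed sample: a client still pointed at an http address, with no target group.
$samplePolicy = @{ WUServer = 'http://wsus.example.local'; WUStatusServer = 'http://wsus.example.local' }
$sampleAu     = @{ UseWUServer = 1; AUOptions = 4 }
@(Test-WsusClientPolicy $samplePolicy $sampleAu 'https://wsus.example.local' 'My Servers')

# Live check on the local machine, after Group Policy has refreshed.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$live = @(Test-WsusClientPolicy (Read-PolicyKey $base) (Read-PolicyKey "$base\AU") 'https://wsus.example.local' 'My Servers')
if ($live.Count -eq 0) { 'WSUS client policy matches the expected settings.' } else { $live }
```

The same registry values are written by local group policy, so the check also applies to standalone servers that are not in Active Directory.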

Using the Update Services console option to configure clients

This way you are able to assign the computers directly from the WSUS console.

Now that you are ready to assign a computer to a group on the WSUS server, go to Computers > All Computers > Unassigned Computers. Right-click the computer name you want to process, click Change Membership… and select the appropriate group.

Software Updates

Now that your clients are configured to connect to WSUS for Windows updates, we need to take a look at how to review, manage, and deploy updates from the WSUS management console.

Open Server Manager by selecting Start > Administrative Tools > Server Manager. Expand the Roles > Windows Server Update Services > Update Services > Updates nodes. Click to highlight the All Updates view.

By selecting the Updates node you can get a quick picture of different categories of updates:

The dashboard displays a high-level status of updates. This is a quick way to see the deployment status of updates in your environment.

In the middle pane, click on an update that you wish to deploy, then, in the Actions pane, click the Approve link. The Approve Updates window will open.

Right-click the computer group and select Approved for Install then click the OK button. The next time the clients in the OU check in with WSUS they will begin downloading the approved update. After downloading the update, the client computers will then wait until the scheduled install time of ……., and then install the update. After the update is installed, the computers will reboot.

Disconnected Networks

WSUS provides a great way to centralize the management and deployment of updates to your Windows workstations and servers. But what if you want to deploy your WSUS server in a network disconnected from the Internet? Some networks must remain disconnected from the Internet for security reasons. In this situation, you can deploy a WSUS server on a network that does have Internet connectivity and download updates to that server. You can then copy those updates to removable media (CD, DVD, etc.). Those updates can then be imported to the WSUS server in the disconnected network via the removable media.

IMPORTING WSUS UPDATES IN A DISCONNECTED NETWORK

1. Open Server Manager on your Internet-connected WSUS server by selecting Start > Administrative Tools > Server Manager.

2. Expand the Windows Server Update Services > Update Services node.

3. Click to highlight the Options node.

4. Click the Update Files and Languages link in the center pane of the console.

5. Click the Update Files tab and check the box to Download express installation files. Then click the OK button.

6. Log on to the disconnected server and ensure that the Updates and Files settings are configured exactly the same as the Internet-connected server.

7. You are now ready to export the files and metadata from the Internet-connected server and copy those to your media. To do this, first copy the folder WSUSInstallDrive\WSUSUpdatesFolder\WSUSContent (C:\WSUS\WSUSContent) to your removable media. Depending on the size of the updates available, this folder could be very large.

8. Next, you need to run WSUSUtil.exe to export the metadata from the Internet-connected server. Open a command prompt and change to the directory C:\Program Files\Update Services\Tools.

9. Run the command wsusutil.exe export transfer.cab transfer.log. Then press Enter. The metadata export process will begin.

10. After the export completes, copy the transfer.cab and transfer.log files to the media that will be used to transfer data to the disconnected network server.

11. We are now ready to import the updates and metadata to our disconnected WSUS server. First, copy the WSUSContent folder to WSUSInstallDrive\WSUSUpdatesFolder (C:\WSUS). If prompted, you can replace existing files.

12. Finally, you need to import the metadata to the disconnected WSUS server. Copy the transfer.cab file to the directory C:\Program Files\Update Services\Tools on the disconnected server.

13. Open a command prompt and change to the C:\Program Files\Update Services\Tools directory.

14. Enter the command wsusutil.exe import transfer.cab transfer.log. This will import the metadata to your disconnected server.

This process can take an extended amount of time. After the process completes, you can approve and deploy updates from the disconnected WSUS server. You will need to perform this process anytime you download new updates to your Internet-connected WSUS server.
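
As an added example (not part of the original notes), the following PowerShell records a SHA-256 hash for every file placed on the transfer media after steps 7 to 10, and checks those hashes on the disconnected server before steps 11 to 14. The manifest file name manifest.sha256 is an assumption, and the demo at the end uses a constructed temporary folder in place of the real media.

```powershell
# Added example, not from the original notes. Hashes everything on the transfer media
# (WSUSContent, transfer.cab, transfer.log) and verifies it before the import.
# The manifest name and the temporary demo folder are assumptions.

$ManifestName = 'manifest.sha256'

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return [System.BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '')
    } finally {
        $stream.Close()
        $sha.Clear()
    }
}

function Get-MediaFiles {
    param([string]$RootFull)
    # Relative paths of every file under the media root, except the manifest itself.
    $trimmed = $RootFull.TrimEnd('\')
    Get-ChildItem -Path "$trimmed\" -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object { $_.FullName.Substring($trimmed.Length + 1) } |
        Where-Object { $_ -ne $ManifestName }
}

function New-TransferManifest {
    param([string]$Root)
    $rootFull = (Resolve-Path $Root).Path
    $lines = @(Get-MediaFiles $rootFull | ForEach-Object {
        '{0}  {1}' -f (Get-Sha256Hex (Join-Path $rootFull $_)), $_
    })
    Set-Content -Path (Join-Path $rootFull $ManifestName) -Value $lines -Encoding UTF8
    return $lines.Count
}

function Test-TransferManifest {
    param([string]$Root)
    $rootFull = (Resolve-Path $Root).Path
    $problems = @()
    $listed = @{}
    foreach ($line in Get-Content -Path (Join-Path $rootFull $ManifestName)) {
        if ($line -notmatch '^([0-9A-F]{64})  (.+)$') { $problems += "BADLINE  $line"; continue }
        $expected = $Matches[1]
        $relative = $Matches[2]
        $listed[$relative] = $true
        $full = Join-Path $rootFull $relative
        if (-not (Test-Path -LiteralPath $full)) { $problems += "MISSING  $relative" }
        elseif ((Get-Sha256Hex $full) -ne $expected) { $problems += "CHANGED  $relative" }
    }
    # Files that appeared on the media after the manifest was written.
    foreach ($relative in @(Get-MediaFiles $rootFull)) {
        if (-not $listed.ContainsKey($relative)) { $problems += "EXTRA    $relative" }
    }
    return $problems
}

# Constructed demo: a temporary folder stands in for the removable media.
$media = Join-Path ([System.IO.Path]::GetTempPath()) ('wsus-media-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path "$media\WSUSContent" | Out-Null
Set-Content "$media\transfer.cab" 'constructed metadata'
Set-Content "$media\WSUSContent\update1.cab" 'constructed update'
New-TransferManifest $media | Out-Null          # run on the Internet-connected server
Add-Content "$media\transfer.cab" 'altered in transit'
@(Test-TransferManifest $media)                 # run on the disconnected server
Remove-Item $media -Recurse -Force
```

A manifest carried on the same media only detects corruption; carrying the manifest, or its hash, by a separate route also detects changes made to the media on the way.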

See also http://www.linglom.com/2008/08/05/getting-started-with-microsoft-windows-server-update-services-part-vi-disconnected-network1/

Exam Questions

Certkiller has opened a new Branch office where 10 standalone servers run Windows Server 2008. To keep the servers updated with latest updates, you install WSUS on a server named Certkiller 3. Which of the following actions would you perform next to configure all of the servers to receive updates from Certkiller 3?

A. Use Control Panel to configure the Windows Update Settings on each server.
B. Run the wuauclt.exe /reauthorization command on each server.
C. Use the local group policy to configure the Windows Update Settings on each server.
D. Run the wuauclt.exe /detectnow command on each server.
E. None of the above

Answer C

Explanation: To configure all of the servers to receive updates from Certkiller 3, you need to configure the Windows Update Settings on each server by using the local group policy. Microsoft suggests the use of Group Policy for setting up computers and WSUS in clients. Configuring the Windows Update Settings on each server would be quite time consuming. Configure the Windows Update Settings on each server by using the local group policy. wuauclt.exe /detectnow and wuauclt.exe /reauthorization force the update detection and reauthorization respectively and therefore cannot be used for configuration.

Question

Certkiller.com has servers that run Windows Server 2008. As a network administrator at Certkiller.com, you install Windows Update Server (WSUS) on a server named CKW1 on the network. To store the WSUS database, you use remote SQL. To encrypt metadata transferred between client machines and downstream WSUS servers, you configure Secure Sockets Layer (SSL) on the WSUS server. While testing the whole process, you discover that the connection between SQL server and WSUS server is not secure. Which two actions should you perform to make sure that the database connection is secure? (Choose two answers. Each answer is a part of the complete solution)

A. Put the database on a WSUS server
B. Secure the connection between SQL server and WSUS server by configuring Internet Protocol Security (IPSec) on the connection
C. Install SQL server on one server and WSUS on the other server. Both servers should be stand-alone servers
D. Configure the connection between WSUS server and SQL server by using IPv6 IP addresses. Make the addresses static

Answer A, B

Explanation: The right options are A and B. You can place the database on WSUS server and configure IPSec on the network. The SSL protocol enables client computers and WSUS servers to authenticate the WSUS server and pass encrypted metadata. You have to change the URL configured for the clients to connect to WSUS server. The WSUS SSL deployments have some security limitations. You should place the database on the WSUS server to secure the database connection in this scenario. Then you can deploy IPSec between the WSUS and SQL server to encrypt all traffic between them. Other options like installing both SQL server and WSUS on standalone computers are not valid because their membership in the domain has no effect on the data security exchanged between the two servers.

Question

You are an Enterprise administrator for Certkiller.com. All the servers on the corporate network run Windows Server 2008. The corporate network consists of two servers called Certkiller Server1 and Certkiller Server2 that run Windows Server 2008. On both the servers, the WSUS is installed. Which of the following options would you choose to configure WSUS on Certkiller Server1 so that the Certkiller Server2 receive updates from Certkiller Server1?

A. Configure Certkiller Server1 as a proxy server
B. Configure Certkiller Server1 as an upstream server
C. Create a new replica group on Certkiller Server1
D. Create a new computer group on Certkiller Server1
E. None of the above

Explanation: To configure WSUS on Certkiller Server1 so that the Certkiller Server2 receive updates from Certkiller Server1, you need to configure Certkiller Server1 as an upstream server. The WSUS hierarchy model allows a single WSUS server to act as an upstream server and impose its configuration on those servers configured as downstream servers below it. A WSUS hierarchy supports two modes, autonomous mode and replica mode. In replica mode, the upstream server is the only WSUS server that downloads its updates from Microsoft Update. It is also the only server that an administrator has to manually configure computer groups and update approvals on. All information downloaded and configured on to an upstream server is replicated directly to all of the devices configured as downstream servers.

Question

You are an Enterprise administrator for Certkiller.com. All the servers on the corporate network run Windows Server 2008. On a network server called Certkiller Server1, WSUS is installed. Which of the following options would you choose to ensure that the traffic between the WSUS administrative website and the server administrator's computer is encrypted?

A. On the WSUS server administrative website, configure SSL encryption.
B. On the Certkiller Server1, run the netdom trust /SecurePasswordPrompt command.
C. Configure the NTFS permissions on the Certkiller Server1, on the content directory to Deny Full Control permission to the Everyone group.
D. Configure the Certkiller Server1 to require Integrated Windows Authentication (IWA) when users connect to the WSUS server.
E. None of the above

Answer A

Explanation: To ensure that the traffic between the WSUS administrative website and the server administrator's computer is encrypted, you need to configure SSL encryption on the WSUS server website. Now that you have the necessary certificate, you must configure IIS to use it. To do so, expand the Default Web Site in the IIS Manager console and then right-click on the WSUSAdmin virtual directory and select the Properties command from the resulting shortcut menu. You will now see the properties sheet for the WSUSAdmin virtual directory. Select the properties sheet's Directory Security tab and then click the Edit button that's found in the Secure Communications section. Select the Require Secure Channel (SSL) check box and click OK, Apply, and OK.

Question

You are an enterprise administrator for Certkiller. The corporate network of the company consists of servers that run Windows Server 2008 in a non-Active Directory environment. You have recently installed and configured WSUS on a server called Certkiller Server1 on your corporate network and you now need to configure all the servers on the network to receive updates from Certkiller Server1. Which of the following options would you choose to accomplish this task?

A. Use Control Panel to configure the Windows Update Settings on each server on the network.
B. On each server on the corporate network, run the wuauclt.exe /detectnow command.
C. On each server on the corporate network, run the wuauclt.exe /reauthorization command.
D. On each server on the corporate network, use local group policy to configure the Windows Update settings.

Answer D

Explanation: To configure all the servers on the network to receive updates from Certkiller Server1, you need to configure the Windows Update settings using local group policy on each server on the corporate network. Windows Server Update Services (WSUS) clients can be configured to provide update installation and reboot behavior best suited to your environment and your business needs. You can use Group Policy or Local Group Policy to modify Automatic Update configuration on your WSUS clients to determine what notification, download, install, and reboot behavior your WSUS managed clients will experience in updating from WSUS.

Question

You are an Enterprise administrator for Certkiller.com. All the 100 servers on the corporate network run Windows Server 2008. A server called Certkiller Server1 is configured on the network with following configuration:

1. Connected to a SAN
2. Consists of 15 logical drives.
3. A new Data Collector Set is recently created

Which of the following option would you choose to automatically run a data archiving script on Certkiller Server1 if the free space on any of the logical drives on the server is below 30 percent?

A. Add the Event trace data collector
B. Add the Performance counter alert
C. Add the Performance counter data collector
D. Add the System configuration data collector

Answer B

Explanation: To automatically run a data archiving script if the free space on any of the logical drives is below 30 percent and to automate the script execution by creating a new Data Collector Set, you need to add the Performance counter alert. The Performance counter alert creates an alert if a performance counter reaches a threshold that you specify.