Windows Server Update Services (WSUS): configuration. WSUS Offline Update

On server versions of Windows, the operating system and the software installed on client terminals can, since relatively recently, be updated with a dedicated tool known by the abbreviation WSUS. What is it? In essence, it is software that removes the need for each computer on the local network to use its own Internet connection to install updates. How it all works, and which settings need to be configured, is discussed below.

Windows Server Update Services: what is it and why is it needed?

Put simply, this service can be described as software for automatically updating the OS and applications, installed only on a server to which the other user terminals are connected within a single local or virtual network.

Since Microsoft releases updates for its products with enviable regularity, they must be installed on every machine on the network, which is quite a problem when there are more than a dozen of them. To avoid doing this on each terminal individually, you can use the WSUS Offline Update function: the main update is installed only on the server and is then "distributed" to all other computers.

The advantages of this approach are obvious: Internet traffic is reduced (the network is not loaded by downloads), and time is saved on installing updates, which happens automatically if the software on the central server is configured correctly.

Installation requirements

WSUS cannot be configured or used unless a number of prerequisites are met. Pay attention to the main components that must first be downloaded and installed on the server if they are missing.

The following components are the priorities:

  • Windows Server 2003 or later (at least with the first service pack);
  • .NET Framework version 2.0 or later;
  • IIS 6.0 or later server role;
  • Microsoft Report Viewer 2008;
  • SQL Server 2005 with the second service pack;
  • Microsoft Management Console 3.0.

Installation process

Installing WSUS also involves reserving about 100 GB of free disk space on the server (the location of the update storage folder is specified in the first step after launching the main installer).

Next, the database location is set as a separate directory (it is best to allocate about 2-4 GB).

Web Server Database Settings

In principle, the installer offers to install the internal database by default, but you can use an existing database server to simplify the process.

In that case, you will need to enter its network name yourself, matching the terminal's identifier on the network. The first two options can be used to obtain updates either from a Microsoft server or from an internal server. There is also a third option: installing the database on a remote terminal. That scheme is mainly used only when updates must be distributed to remote branches from an additional update server.

Port selection

At the next stage of WSUS installation, configuration involves selecting a port. Take great care here, since entering incorrect values will mean that the whole scheme does not work.

Note that port 80 is offered by default. You can, of course, leave it, but it is better (and practice confirms this) to use port 8530 (8531). However, this approach applies only when manual proxy configuration is required.

Select Updates

The next step in installing WSUS is to configure how updates are received from the upstream server. In other words, you need to specify exactly where updates will be downloaded from.

There are two options: either synchronize with the Microsoft update server, or with another remote terminal. It is better to use the first option.

Configure WSUS in a domain

Next, for the installed service to work correctly, you must select the languages that are used on the network.

You can select any from the list offered, but English must always be selected, since without it correct download and distribution of updates is not guaranteed.

Product selection

Now, for WSUS Offline Update, specify which software products are to be updated. According to most experts, it is advisable not to be stingy here and to tick as many items in the list as possible.

But you should not get carried away either. It is better to tick only what is really needed. For example, if Office 2003 is not installed on any machine on the network, there is no point in selecting its updates.

At the next stage, WSUS asks you to choose the software classes for which updates will be downloaded first. The choice here is yours. In principle, you can leave unchecked the boxes for driver updates, tools and new features. Finally, set the time at which the selected updates will be downloaded and installed.

Console settings

Now open the console and first run a manual synchronization so that all currently available updates are downloaded.

After that, configure the terminal groups. It is recommended to create two categories of computers: servers in one, ordinary workstations in the other. This setting makes it possible to limit the installation of updates on servers.

Since all terminals visible on the network are currently in the category of unassigned computers, you will have to manually assign them to the appropriate groups.

In the next step, configuring WSUS involves creating update rules, which is done in the automatic approvals section. For workstations it is advisable to set up an automatic approval rule, and for servers one more corresponding line must additionally be ticked. In addition, it is not recommended to select absolutely all updates for servers, as this can lead to malfunctions.

Setting Update Options in Group Policies

Once the main parameters have been preset, a few more actions related to permissions and approvals remain.

To do this, use the Group Policy Editor, which is easiest to open from the Run dialog (Win + R) with the gpedit.msc command rather than through the Control Panel or the administration section.

Here, go to the administrative templates through the computer configuration and policies, and find "Update Center". The parameter of interest is the one that specifies the location of the update service on the intranet. Open it for editing with a double click, enable it, and enter the server address, which usually looks like http://SERVER_NAME, where SERVER_NAME is the name of the server on the network. Instead of the name, you can simply enter the server's IP address. Some time after the setup is complete, the child machines will begin to receive update packages.
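
One way to verify on a client that the policy described above took effect, as an added example that is not part of the original article: the PowerShell below reads the WUServer, WUStatusServer and UseWUServer registry values that this policy sets and reports a missing or mismatched address, plain HTTP, or a port other than 8530/8531. The function names and the host name wsus01.example.internal are assumptions made for the illustration.

```powershell
# Added example. Checks the values that the "intranet update service location"
# policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.
function Get-WsusClientPolicy {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p  = Get-ItemProperty -Path $wu      -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wu\AU" -ErrorAction SilentlyContinue
    @{ WUServer = $p.WUServer; WUStatusServer = $p.WUStatusServer
       UseWUServer = $au.UseWUServer }
}

function Test-WsusClientPolicy {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,
        [int[]] $AllowedPorts = @(8530, 8531)   # ports named in the article
    )
    $findings = @()
    if ($Policy.UseWUServer -ne 1) {
        $findings += 'UseWUServer is not 1: the client ignores the intranet server'
    }
    if ($Policy.WUServer -ne $Policy.WUStatusServer) {
        $findings += 'WUServer and WUStatusServer differ: both must hold the same URL'
    }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $uri = $null
        $raw = [string] $Policy[$name]
        if (-not [Uri]::TryCreate($raw, [UriKind]::Absolute, [ref] $uri)) {
            $findings += "$name is missing or not a full URL: '$raw'"
            continue
        }
        if ($uri.Scheme -eq 'http') {
            $findings += "$name uses plain HTTP: update metadata is not protected in transit"
        }
        if ($AllowedPorts -notcontains $uri.Port) {
            $findings += "$name points at port $($uri.Port), expected $($AllowedPorts -join ' or ')"
        }
    }
    $findings   # empty output means no findings
}

# Constructed sample (hypothetical host name): the default port 80 over HTTP.
$sample = @{ WUServer = 'http://wsus01.example.internal'
             WUStatusServer = 'http://wsus01.example.internal'; UseWUServer = 1 }
Test-WsusClientPolicy -Policy $sample
# On a real client: Test-WsusClientPolicy -Policy (Get-WsusClientPolicy)
```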

Possible mistakes

WSUS errors are most often caused by the servers including too many unnecessary updates, as mentioned above.

An equally common problem, however, is that updates are not installed on all child terminals on the network. In this case, open the automatic approvals section and set for them the type of group policy that corresponds to automatic installation of critical operating system and security updates. You can also create your own new rule specifying the products and the parameters for installing updates (you can even use manual approval).

Finally, unless you perform a complete reset of the WSUS settings, after which the whole configuration procedure has to be carried out again, it is strongly recommended to clean up the server at least once a month (a function of the same name is provided for this in the form of a "Wizard"). This helps remove unclaimed updates from the system and significantly reduces the size of the database itself (clearly, the larger the database, the longer it takes to access, on top of the excessive load on the server's computing resources and on the distribution of updates over the network).

In some cases it may help not to configure the default policy (Default Group Policy) but to create a new one with all the parameters from the available list enabled and the server's network address entered (with port 8530 enabled).

Where so-called mobile workstations are used, similar settings can be made in the local security policies section by specifying the appropriate parameters. If everything is done correctly, only critical updates will be installed for the Server terminal group, while computers in the Workgroup group (or in a category with a different name) receive absolutely all updates that were selected at the initial stage of configuration.

In place of a conclusion

With that, we can conclude this look at setting up the WSUS automatic update service. For everything to work without causing the system administrator trouble later, pay attention to the prerequisites related to installing additional components. It is considered better to use not the 2003 server OS but 2008 R2 or higher, and .NET Framework version 4 rather than 2.0. In addition, pay special attention to proxy settings and port selection, since the default port 80 may not work. Finally, one of the most important aspects of the setup is the choice of terminal groups and the updates installed on them. The rest, as a rule, should not be a problem, although when large updates are downloaded over a poor connection, short-term failures and errors in distributing updates across the network can still occur. Also remember to clean up the server from time to time. If for some reason the automatic tool does not help, you can at least try deleting temporary files manually from the SDTemp directory. Even such a trivial step will immediately reduce the load not only on the server itself but also on the child terminals and on the network as a whole.

Source: https://habr.com/ru/post/C40584/

