
WINDOWS SERVER UPDATE SERVICES (2019) - PLAN WSUS DEPLOYMENT

1. Windows Server Update Services (WSUS) - 2019

Windows Server Update Services lets administrators specify which Microsoft updates should be installed, create separate groups of computers for different sets of updates, and get reports on the compliance level of the computers and the updates that still need to be installed.

Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates. You can use WSUS to fully manage the distribution of updates that are released through Microsoft Update to computers on your network. This topic provides an overview of this server role and more information about how to deploy and maintain WSUS.

1.1 WSUS Server role description

A WSUS server provides features that you can use to manage and distribute updates through a management console. A WSUS server can also be the update source for other WSUS servers within the organization. The WSUS server that acts as an update source is called an upstream server. In a WSUS implementation, at least one WSUS server on your network must be able to connect to Microsoft Update to get available update information. As an administrator, you can determine - based on network security and configuration - how many other WSUS servers connect directly to Microsoft Update.

1.2 Practical applications

Update management is the process of controlling the deployment and maintenance of interim software releases into production environments. It helps you maintain operational efficiency, overcome security vulnerabilities, and maintain the stability of your production environment. If your organization cannot determine and maintain a known level of trust within its operating systems and application software, it might have a number of security vulnerabilities that, if exploited, could lead to a loss of revenue and intellectual property. Minimizing this threat requires you to have properly configured systems, use the latest software, and install the recommended software updates.

The core scenarios where WSUS adds value to your business are:

• Centralized update management

• Update management automation

2. Deploy Windows Server Update Services

Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates. WSUS is a Windows Server role that can be installed to manage and distribute updates. A WSUS server can be the update source for other WSUS servers within the organization. The WSUS server that acts as an update source is called an upstream server.

In a WSUS implementation, at least one WSUS server in the network must connect to Microsoft Update to get available update information. You can determine, based on network security and configuration, how many other servers connect directly to Microsoft Update.

3. Plan- WSUS deployment

The first step in the deployment of Windows Server Update Services (WSUS) is to make important decisions, such as deciding the WSUS deployment scenario, choosing a network topology, and understanding the system requirements. The following checklist summarizes the steps that are involved in preparing for your deployment.

3.1 Review considerations and system requirements for WSUS Server 2019

3.1.a. System Requirements

Hardware and database software requirements are driven by the number of client computers being updated in your organization. Before you enable the WSUS server role, confirm that the server meets the system requirements and that you have the necessary permissions to complete the installation, following these guidelines:

• Server hardware requirements for the WSUS role are bound to the hardware requirements of the server itself. The minimum hardware requirements for WSUS are:

o Processor: 1.4 gigahertz (GHz) x64 processor (2 GHz or faster is recommended)

o Memory: WSUS requires an additional 2 GB of RAM beyond what is required by the server and all other services or software.

o Available disk space: 40 GB or greater is recommended

o Network adapter: 100 megabits per second (Mbps) or greater (1 Gbps is recommended)

3.1.b. Software requirements

• For viewing reports, WSUS requires the Microsoft Report Viewer Redistributable 2008. On Windows Server 2016, WSUS requires Microsoft Report Viewer Runtime 2012.

• If you install roles or software updates that require you to restart the server when installation is complete, restart the server before you enable the WSUS server role.

• Microsoft .NET Framework 4.0 must be installed on the server where the WSUS server role will be installed.

• The NT Authority\Network Service account must have Full Control permissions for the following folders so that the WSUS Administration snap-in displays correctly:

o %windir%\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files

o %windir%\Temp

• Confirm that the account you plan to use to install WSUS is a member of the Local Administrators group.

3.1.c. Installation Considerations

During the installation process, WSUS will install the following by default:

• .NET API and Windows PowerShell cmdlets

• Windows Internal Database (WID), which is used by WSUS

• Services used by WSUS, which are:

o Update Service

o Reporting Web Service

o Client Web Service

o Simple Web Authentication Web Service

o Server Synchronization Service

o DSS Authentication Web Service
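The checks in 3.1.b and the role install in 3.1.c and 3.1.e can be scripted. The following is an added example, not part of the original post: it verifies the installing account, the .NET Framework, a pending restart and free disk space, installs the role with the Windows Internal Database, runs the post-install step, grants the Network Service folder permissions and confirms the services came up. The content directory D:\WSUS and the SQL instance name in the commented variant are assumptions.

```powershell
# Added example, not from the original post: pre-flight checks for the
# requirements in 3.1.b and 3.1.e, then the role install from 3.1.c.
# Assumptions: content directory D:\WSUS, Windows Internal Database, run in
# an elevated PowerShell session on the future WSUS server.

$contentDir = 'D:\WSUS'   # assumption

# 3.1.b: the installing account must be a member of the local Administrators group.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated session as a member of the local Administrators group.'
}

# 3.1.b: .NET Framework 4.x must be present. The v4\Full key exists from 4.5 onward,
# which is what a current Windows Server 2019 install ships with.
$ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
if (-not $ndp) { throw '.NET Framework 4.x is not installed.' }

# 3.1.b: a pending restart from an earlier role or update install blocks the WSUS install.
$cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
$wua = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
if ((Test-Path $cbs) -or (Test-Path $wua)) { throw 'A restart is pending; restart before enabling the WSUS role.' }

# 3.1.a: 40 GB or more free on the content volume is recommended.
$drive = Get-PSDrive -Name $contentDir.Substring(0, 1)
if ($drive.Free -lt 40GB) {
    Write-Warning ('Only {0:N1} GB free on {1}:' -f ($drive.Free / 1GB), $drive.Name)
}

# 3.1.c / 3.1.e: install the role with WID. For a SQL Server database, replace
# UpdateServices-WidDB with UpdateServices-DB and add SQL_INSTANCE_NAME to postinstall.
$result = Install-WindowsFeature -Name UpdateServices, UpdateServices-WidDB, UpdateServices-Services -IncludeManagementTools
if (-not $result.Success) { throw 'WSUS role installation failed.' }

$wsusutil = Join-Path $env:ProgramFiles 'Update Services\Tools\wsusutil.exe'
& $wsusutil postinstall "CONTENT_DIR=$contentDir"
# SQL Server variant (the instance name is an assumption):
# & $wsusutil postinstall "SQL_INSTANCE_NAME=sql01.corp.example\WSUS" "CONTENT_DIR=$contentDir"

# 3.1.b: NETWORK SERVICE needs Full Control on two folders or the console does not render.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\NETWORK SERVICE', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
foreach ($folder in "$env:windir\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files", "$env:windir\Temp") {
    $acl = Get-Acl -Path $folder
    $acl.AddAccessRule($rule)
    Set-Acl -Path $folder -AclObject $acl
}

# 3.1.c: the role registered these services and an IIS site; confirm they are up.
Get-Service -Name 'WsusService', 'W3SVC', 'MSSQL$MICROSOFT##WID' | Format-Table Name, Status -AutoSize
Import-Module WebAdministration
Get-Website -Name 'WSUS Administration' | Select-Object Name, State
```

The Network Service permission step is deliberately placed after the role install, because the Temporary ASP.NET Files folder only exists once ASP.NET 4 has been enabled by the role's dependencies.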

3.1.d. Features on Demand Considerations

Be aware that configuring client computers (including servers) to update by using WSUS will result in the following limitations:

• Server roles that have had their payloads removed using Features on Demand cannot be installed on demand from Microsoft Update. You must either provide an installation source at the time you try to install such server roles or configure a source for Features on Demand in Group Policy.

• Windows client editions will not be able to install .NET 3.5 on demand from the web. The same considerations as server roles apply to .NET 3.5.

• Enterprise devices running Windows 10, version 1709 or version 1803, cannot install any Features on Demand directly from WSUS. To install Features on Demand, create a feature file (side-by-side store) or obtain the Feature on Demand package from one of the following sources:

o Volume Licensing Service Center (VLSC) - VL access is required

o OEM Portal - OEM access is required

o MSDN Download - MSDN subscription is required

Individually-obtained Feature on Demand packages can be installed using DISM command-line options.
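What the three bullets above amount to in practice, as an added example that is not part of the original post: point the servicing stack at an offline source instead of WSUS, then install .NET 3.5 from the side-by-side store and a Feature on Demand capability with DISM. The share paths, the Windows 10 1809 media version and the RSAT capability name are assumptions for the illustration.

```powershell
# Added example, not from the original post. Assumptions: an offline copy of the
# Features on Demand ISO at \\files.corp.example\fod and the sources\sxs folder of
# the matching (1809) install media at \\files.corp.example\sxs\1809. Run elevated
# on the client.
$fodSource = '\\files.corp.example\fod'        # assumption
$sxsSource = '\\files.corp.example\sxs\1809'   # assumption

# Registry values behind the Group Policy "Specify settings for optional component
# installation and component repair": search these paths for payloads and never
# fall back to Windows Update (which a WSUS-managed client cannot reach anyway).
$servicing = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing'
New-Item -Path $servicing -Force | Out-Null
Set-ItemProperty -Path $servicing -Name LocalSourcePath  -Value "$fodSource;$sxsSource" -Type ExpandString
Set-ItemProperty -Path $servicing -Name UseWindowsUpdate -Value 2 -Type DWord   # 2 = never

# Second bullet: .NET 3.5 cannot come from the web, so take it from the SxS store.
# /LimitAccess stops DISM from trying Windows Update if the source is missing a file.
dism.exe /Online /Enable-Feature /FeatureName:NetFx3 /All "/Source:$sxsSource" /LimitAccess

# Third bullet: a capability from the FoD package source (RSAT AD tools as the example).
dism.exe /Online /Add-Capability /CapabilityName:Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 "/Source:$fodSource" /LimitAccess

# Verify both ended up Enabled / Installed.
Get-WindowsOptionalFeature -Online -FeatureName NetFx3 | Select-Object FeatureName, State
Get-WindowsCapability -Online -Name 'Rsat.ActiveDirectory*' | Select-Object Name, State
```

The registry values are exactly what the Group Policy writes, so on the domain-joined production networks the same result is obtained with the policy; the direct registry write is for hosts that have no domain, such as the core network described later in this guide.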

3.1.e. WSUS database requirements

WSUS requires one of the following databases:

• Windows Internal Database (WID)

• Any supported Microsoft SQL Server version. For more information, see Microsoft Lifecycle Policy.

The following editions of SQL Server are supported by WSUS:

• Standard

• Enterprise

• Express

SQL Server Express 2008 R2 has a database size limitation of 10 GB. This database size is likely to be sufficient for WSUS, although there is no appreciable benefit to using this database instead of WID. WID has a minimum memory requirement of 2 GB beyond the standard Windows Server system requirements.

We can install the WSUS role on a computer that is separate from the database server computer. In this case, the following additional criteria apply:

1. The database server cannot be configured as a domain controller.

2. The WSUS server cannot run Remote Desktop Services.

3. The database server must be in the same Active Directory domain as the WSUS server, or it must have a trust relationship with the Active Directory domain of the WSUS server.

4. The WSUS server and the database server must be in the same time zone or be synchronized to the same Coordinated Universal Time (Greenwich Mean Time) source.

3.2 Choose a WSUS deployment scenario

We can create complex hierarchies of WSUS servers. Because you can synchronize one WSUS server with another WSUS server instead of with Microsoft Update, you need to have only a single WSUS server that is connected to Microsoft Update. When you link WSUS servers together, there is an upstream WSUS server and a downstream WSUS server. A WSUS server hierarchy deployment offers the following benefits:

• You can download updates one time from the Internet and then distribute the updates to client computers by using downstream servers. This method saves bandwidth on the corporate Internet connection.

• You can download updates to a WSUS server that is physically closer to the client computers, for example, in branch offices.

• You can set up separate WSUS servers to serve client computers that use different languages of Microsoft products.

• You can scale WSUS for a large organization that has more client computers than one WSUS server can effectively manage.

We recommend that you do not create a WSUS server hierarchy that is more than three levels deep. Each level adds time to propagate updates throughout the connected servers. Although there is no theoretical limit to a hierarchy, only deployments that have a hierarchy of five levels deep have been tested by Microsoft.

Also, downstream servers must be at the same version or an earlier version of WSUS as the upstream server synchronization source.

First, a WSUS server is deployed on our DMZ network. We configure this server as the upstream server, because it is the only one with an Internet connection and therefore the only one that synchronizes with Microsoft Update. It works with the Active Directory in that zone to update the Microsoft products there, and it is the update source for the other zones.

Second, we install a WSUS server on the core network. WSUS does not depend on Active Directory, so it runs there without a domain. This server is configured as a downstream server of the WSUS server in the DMZ. Even though the core network has no Internet access, all the updates from the upstream server are available on this server. The two servers communicate through one-directional traffic on a small number of open ports: the downstream server initiates the connection to the upstream server on TCP 8530 (HTTP) or 8531 (HTTPS), so only that direction has to be opened on the firewall. We do not need to open bidirectional traffic for this.

Next, we install WSUS servers on our production networks (SCC, CMC, etc.). These servers must be part of Active Directory. For them, the WSUS server in the core network is the upstream server. Each of these servers communicates with its upstream server and updates all the Microsoft products in its own network.
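The three-tier layout above, expressed as the commands run on each server, as an added example that is not part of the original post. Host names, addresses and the choice of HTTPS on 8531 are assumptions; the point it demonstrates is that only the downstream-to-upstream direction needs a firewall opening, and that the opening can be limited to the one downstream address.

```powershell
# Added example, not from the original post. Assumed names and addresses:
#   wsus-dmz.corp.example  (10.10.0.10) upstream in the DMZ, synchronizes with Microsoft Update
#   wsus-core.corp.example (10.20.0.10) downstream of wsus-dmz, core network, no Active Directory
#   wsus-scc.corp.example  (10.30.0.10) downstream of wsus-core, production network
# WSUS listens on TCP 8530 (HTTP) and 8531 (HTTPS). The downstream server always opens
# the connection to its upstream, so the firewall only needs that one direction.

# ---------- on wsus-dmz (root server) ----------
Set-WsusServerSynchronization -SyncFromMU

# Serve downstream servers over HTTPS only. Assumes a certificate for
# wsus-dmz.corp.example is already bound to port 8531 on the "WSUS Administration" site.
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" configuressl wsus-dmz.corp.example

# Inbound 8531 from the single downstream server that should reach this host, nothing else.
New-NetFirewallRule -DisplayName 'WSUS downstream sync from core' -Direction Inbound `
    -Protocol TCP -LocalPort 8531 -RemoteAddress 10.20.0.10 -Action Allow -Profile Any

# ---------- on wsus-core (autonomous downstream) ----------
# Prove the one-way path before touching WSUS; a failure here is a firewall or DNS problem.
$probe = Test-NetConnection -ComputerName wsus-dmz.corp.example -Port 8531
if (-not $probe.TcpTestSucceeded) { throw 'wsus-core cannot reach wsus-dmz on TCP 8531.' }

# Autonomous mode (no -Replica): this server keeps its own approvals and computer groups.
Set-WsusServerSynchronization -UssServerName 'wsus-dmz.corp.example' -PortNumber 8531 -UseSsl

# ---------- on wsus-scc (replica of wsus-core) ----------
# A replica inherits approvals and computer groups from its upstream; nothing is approved locally.
Set-WsusServerSynchronization -UssServerName 'wsus-core.corp.example' -PortNumber 8531 -UseSsl -Replica

# ---------- on any downstream: run one synchronization and read the result ----------
$wsus = Get-WsusServer
$sub  = $wsus.GetSubscription()
$sub.StartSynchronization()
while ($sub.GetSynchronizationStatus() -ne 'NotProcessing') { Start-Sleep -Seconds 30 }
$sub.GetLastSynchronizationInfo() | Select-Object StartTime, EndTime, Result
```

The core server is left autonomous rather than a replica so that approvals for the production networks are made inside the core, not in the DMZ; the DMZ host is the least trusted of the three and should not be the place where approvals are decided.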

3.2.a. WSUS deployment with roaming client computers

If the network includes mobile users who log on to the network from different locations, you can configure WSUS to let roaming users update their client computers from the WSUS server that is closest to them geographically. For example, you might deploy one WSUS server in each region and use a different DNS subnet for each region. All client computers could be directed to the same WSUS server name, which resolves in each subnet to the nearest physical WSUS server.

3.3. Choose a WSUS storage strategy

Windows Server Update Services (WSUS) uses two types of storage systems: a database to store WSUS configuration and update metadata, and an optional local file system to store update files. Before you install WSUS, you should decide how you want to implement storage.

Updates are composed of two parts: metadata that describes the update, and the files that are required to install the update. Update metadata is typically much smaller than the actual update, and it is stored in the WSUS database. Update files are stored on a local WSUS server or on a Microsoft Update Web server.

3.3.a. WSUS database

WSUS requires a database for each WSUS server. WSUS supports the use of a database that resides on a different computer than the WSUS server, with some restrictions. For a list of supported databases and remote database limitations, see section 3.1 Review considerations and system requirements, in this guide.

The WSUS database stores the following information:

• WSUS server configuration information

• Metadata that describes each update

• Information about client computers, updates, and interactions

If you install multiple WSUS servers, you must maintain a separate database for each WSUS server, whether it is an autonomous or a replica server. You cannot store multiple WSUS databases on a single instance of SQL Server, except in Network Load Balancing (NLB) clusters that use SQL Server failover.

SQL Server, SQL Server Express, and Windows Internal Database provide the same performance characteristics for a single-server configuration, where the database and the WSUS service are located on the same computer. A single-server configuration can support several thousand WSUS client computers.

3.3.b. WSUS update storage

When updates are synchronized to your WSUS server, the metadata and update files are stored in two separate locations. Metadata is stored in the WSUS database. Update files can be stored on your WSUS server or on Microsoft Update servers, depending on how you have configured your synchronization options. If you choose to store update files on your WSUS server, client computers will download approved updates from the local WSUS server. If not, client computers will download approved updates directly from Microsoft Update. The option that makes the most sense for your organization will depend on network bandwidth to the Internet, network bandwidth on the intranet, and local storage availability.

3.4. Choose WSUS update languages

When you deploy a WSUS server hierarchy, you should determine which language updates are required throughout the organization. You should configure the root WSUS server to download updates in all languages that are used throughout the entire organization.

For example, the main office might require English and French language updates, but one branch office requires English, French, and German language updates, and another branch office requires English and Spanish language updates. In this situation, you would configure the root WSUS server to download updates in English, French, German, and Spanish. You would then configure the first branch office WSUS server to download updates in English, French, and German only, and configure the second branch office to download updates in English and Spanish only.

The Choose Languages page of the WSUS Configuration Wizard allows you to get updates from all languages or from a subset of languages. Selecting a subset of languages saves disk space, but it is important to choose all the languages that are needed by all the downstream servers and client computers of a WSUS server.

Following are some important notes about the update language that you should keep in mind before configuring this option:

• Always include English in addition to any other languages that are required throughout your organization. All updates are based on English language packs.

• Downstream servers and client computers will not receive all the updates they need if you have not selected all the necessary languages for the upstream server. Make sure you select all the languages that will be needed by all the client computers that are associated with all the downstream servers.

• You should generally download updates in all languages on the root WSUS server that synchronizes to Microsoft Update. This selection guarantees that all downstream servers and client computers will receive updates in the languages that they require.

If you are storing updates locally, and you have set up a WSUS server to download updates in a limited number of languages, you may notice that there are updates in languages other than the ones you specified. Many update files are bundles of several different languages, which include at least one of the languages specified on the server.

3.5. Plan WSUS computer groups

WSUS allows us to target updates to groups of client computers, so we can ensure that specific computers always get the right updates at the most convenient times. For example, if all the computers in one department (such as the Accounting team) have a specific configuration, we can set up a group for that team, decide which updates their computers need and what time they should be installed, and then use WSUS reports to evaluate the updates for the team.

You can assign computers to computer groups by using one of two methods, server-side targeting or client-side targeting. Following are the definitions for each method:

• Server-side targeting: You manually assign one or more client computers to multiple groups simultaneously.

• Client-side targeting: You use Group Policy or edit the registry settings on client computers to enable those computers to automatically add themselves into the previously created computer groups.

3.6. Plan WSUS performance considerations

There are some areas that you should carefully plan before deploying WSUS so that you can have optimized performance. The key areas are:

1. Network setup

2. Deferred download

3. Filters

4. Installation

5. Large update deployments

6. Background Intelligent Transfer Service (BITS)

3.6.a. Network setup

To optimize performance in WSUS networks, consider the following suggestions:

1. Set up WSUS networks in a hub-and-spoke topology (many downstream servers synchronizing directly from one upstream server) rather than in a deep hierarchical chain.

2. Use DNS netmask ordering for roaming client computers and configure roaming client computers to obtain updates from the local WSUS server.

3.6.b. Deferred download

You can approve updates and download the update metadata before you download the update files; this method is called deferred downloads. When you defer downloads, an update file is downloaded only after the update is approved. We recommend that you defer downloads because it optimizes network bandwidth and disk space.

In a hierarchy of WSUS servers, WSUS automatically sets all downstream servers to use the deferred download setting of the root WSUS server. You can change this default setting. For example, you can configure an upstream server to perform full, immediate synchronizations, and then configure a downstream server to defer the downloads.

If you deploy a hierarchy of connected WSUS servers, we recommend that you do not deeply nest the servers. If you enable deferred downloads and a downstream server requests an update that is not approved on the upstream server, the downstream server's request forces a download on the upstream server. The downstream server then downloads the update on a subsequent synchronization. In a deep hierarchy of WSUS servers, delays can occur as updates are requested, downloaded, and then passed through the server hierarchy. By default, deferred downloads are enabled when you store updates locally. You can change this option manually.

3.6.c. Filters

WSUS lets you filter update synchronizations by language, product, and classification. In a hierarchy of WSUS servers, WSUS automatically sets all downstream servers to use the update filtering options that are selected on the root WSUS server. You can reconfigure downstream servers to receive only a subset of the languages.

3.6.d. Installation

Updates typically consist of new versions of files that already exist on the computer that is being updated. On a binary level, these existing files might not differ very much from the updated versions. The express installation files feature identifies the exact bytes that differ between versions, creates and distributes updates containing only those differences, and then merges the existing file with the updated bytes on the client.

Sometimes this feature is called delta delivery because it downloads only the delta (difference) between two versions of a file. Express installation files are larger than the updates that are distributed to client computers because the express installation file contains all possible versions of each file that is to be updated.
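Sections 3.3.b, 3.4, 3.6.b, 3.6.c and 3.6.d are all choices made on the server's synchronization configuration, so one script covers them. This is an added example, not part of the original post; it stores update files locally, enables deferred download and express installation files, restricts languages to an assumed set, narrows products and classifications, and reads the settings back. The language list and the product and classification names are assumptions.

```powershell
# Added example, not from the original post. Run on the WSUS server being configured,
# before its first full synchronization. The language, product and classification
# choices below are assumptions for the illustration.
$wsus   = Get-WsusServer
$config = $wsus.GetConfiguration()

# 3.3.b: keep update files on this server; clients download from here, not from
# Microsoft Update. Required anyway on networks without Internet access.
$config.HostBinariesOnMicrosoftUpdate = $false

# 3.6.b: deferred download: synchronize metadata now, fetch the files only when an
# update is approved. Saves disk and Internet bandwidth on the upstream server.
$config.DownloadUpdateBinariesAsNeeded = $true

# 3.6.d: express installation files. More disk on the server, far less traffic per client.
$config.DownloadExpressPackages = $true

# 3.4: English is always required; add only what this server's clients and downstream
# servers need (main office plus the first branch office from the example above).
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages([string[]]@('en', 'fr', 'de'))   # assumption

$config.Save()

# 3.6.c: product and classification filters. Unselected products and classifications
# are never synchronized, which is the cheapest filter of all.
$products        = 'Windows Server 2019', 'Windows 10'                                  # assumption
$classifications = 'Critical Updates', 'Security Updates', 'Definition Updates'         # assumption
Get-WsusProduct        | Where-Object { $_.Product.Title -in $products }               | Set-WsusProduct
Get-WsusClassification | Where-Object { $_.Classification.Title -in $classifications } | Set-WsusClassification

# Read the effective settings back from the server rather than trusting the variables.
$config = $wsus.GetConfiguration()
[pscustomobject]@{
    LocalStorage     = -not $config.HostBinariesOnMicrosoftUpdate
    DeferredDownload = $config.DownloadUpdateBinariesAsNeeded
    ExpressFiles     = $config.DownloadExpressPackages
    Languages        = ($config.GetEnabledUpdateLanguages() -join ', ')
}
```

On a downstream server these values are inherited from the upstream on the first synchronization, as 3.6.b and 3.6.c describe; run the script afterwards if the downstream server is meant to carry a narrower language set than its upstream.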

3.6.e. Large update deployment

When you deploy large updates (such as service packs), you can avoid saturating the network by using the following practices:

• Use Background Intelligent Transfer Service (BITS) throttling. BITS bandwidth limits can be controlled by time of day, but they apply to all applications that use BITS, not only to Windows Update. The limit is set through Group Policy, under Computer Configuration > Administrative Templates > Network > Background Intelligent Transfer Service (BITS) > Limit the maximum network bandwidth for BITS background transfers.

• Use Internet Information Services (IIS) bandwidth throttling to limit bandwidth for one or more web services only.

• Use computer groups to control the rollout. A client computer identifies itself as a member of a particular computer group when it sends information to the WSUS server. The WSUS server uses this information to determine which updates should be deployed to this computer. You can set up multiple computer groups and sequentially approve large service pack downloads for a subset of these groups.
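The computer-group rollout from the last bullet, together with the group planning in 3.5 and the deadline mentioned in 3.7, as an added example that is not part of the original post. It creates a Pilot and a Broad group, switches the server to client-side targeting, approves one large update for Pilot with a deadline, and shows the check that gates promotion to Broad. The group names and the title filter used to pick the update are assumptions.

```powershell
# Added example, not from the original post. Assumed group names 'Pilot' and 'Broad'
# and a title filter for the update being staged. Run on the WSUS server that owns
# the approvals (an autonomous server, not a replica).
$wsus = Get-WsusServer

# 3.5: create the groups once. In Client targeting mode a computer places itself in a
# group by reporting the group name (Group Policy or registry); in Server mode you
# assign it in the console.
foreach ($name in 'Pilot', 'Broad') {
    if (-not ($wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $name })) {
        $null = $wsus.CreateComputerTargetGroup($name)
    }
}
$config = $wsus.GetConfiguration()
$config.TargetingMode = [Microsoft.UpdateServices.Administration.TargetingMode]::Client
$config.Save()

$pilot = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Pilot' }
$broad = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Broad' }

# 3.6.e / 3.7: approve a large update for Pilot only, with a deadline one week out at
# 03:00 local time. Pilot machines install it on their own schedule, or at the deadline
# at the latest, regardless of the schedule.
$candidate = Get-WsusUpdate -Classification All -Approval Unapproved -Status Needed |
    Where-Object { $_.Update.Title -like '*Cumulative Update*' } |   # assumption
    Select-Object -First 1
if (-not $candidate) { throw 'No unapproved, needed update matched the title filter.' }

$deadline = (Get-Date).Date.AddDays(7).AddHours(3)
$null = $candidate.Update.Approve(
    [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $pilot, $deadline)

# Gate for the next ring. Run this part on a later day, once Pilot has had time to
# report: promote to Broad only when nothing in Pilot is failed or still outstanding.
$summary = $candidate.Update.GetSummaryForComputerTargetGroup($pilot)
[pscustomobject]@{
    Installed   = $summary.InstalledCount + $summary.InstalledPendingRebootCount
    Outstanding = $summary.NotInstalledCount + $summary.DownloadedCount + $summary.UnknownCount
    Failed      = $summary.FailedCount
}
$clean = $summary.FailedCount -eq 0 -and $summary.NotInstalledCount -eq 0 -and
         $summary.DownloadedCount -eq 0 -and $summary.UnknownCount -eq 0
if ($clean) {
    $null = $candidate.Update.Approve(
        [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $broad)
}
```

Approving to Broad without a deadline lets the wider population pick the update up on its normal schedule, which spreads the download over several detection cycles instead of the single burst that a deadline on a large group would cause.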

3.6.f. Background Intelligent Transfer Service

WSUS uses the Background Intelligent Transfer Service (BITS) protocol for all its file transfer tasks. This includes downloads to client computers and server synchronizations. BITS enables programs to download files by using spare bandwidth, and it maintains file transfers across network disconnections and computer restarts. For more information, see: Background Intelligent Transfer Service.

3.7. Plan Automatic Updates settings

You can specify a deadline when you approve updates on the WSUS server. The deadline causes client computers to install the update at a specific time, but the exact behavior depends on whether the deadline has expired, whether there are other updates in the queue for the computer to install, and whether the update (or another update in the queue) requires a restart.

By default, Automatic Updates polls the WSUS server for approved updates every 22 hours minus a random offset. If new updates need to be installed, they are downloaded. The time between detection cycles can be configured from 1 to 22 hours. The notification behavior can be configured as follows:

• If Automatic Updates is configured to notify the user of updates that are ready to be installed, the notification is sent to the System log and to the notification area of the client computer.

• When a user with appropriate credentials clicks the notification area icon, Automatic Updates displays the available updates to install. The user must click Install to start the installation. A message appears if the update requires the computer to be restarted to complete the update. If a restart is requested, Automatic Updates cannot detect additional updates until the computer is restarted.

If Automatic Updates is configured to install updates on a set schedule, applicable updates are downloaded and marked as ready to install. Automatic Updates notifies users who have appropriate credentials by using a notification area icon, and an event is logged in the System log.

At the scheduled day and time, Automatic Updates installs the update and restarts the computer (if necessary), even if no local administrator is logged on. If a local administrator is logged on and the computer requires a restart, Automatic Updates displays a warning and a countdown for the restart. Otherwise, the installation occurs in the background.

If the computer must be restarted, and any user is logged on, a similar countdown dialog box is displayed, which warns the user about the impending restart. You can control computer restarts with Group Policy.

After the new updates are downloaded, Automatic Updates polls the WSUS server for the list of approved packages to confirm that the packages it downloaded are still valid and approved. This means that, if a WSUS administrator removes updates from the list of approved updates while Automatic Updates is downloading updates, only the updates that are still approved are installed.
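The Automatic Updates settings described in this section, together with the client-side targeting from 3.5, are all policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. The following is an added example, not part of the original post, showing a client configured by registry (the case of the core network, which has no Active Directory; a Group Policy writes the same values on the domain-joined networks): it points the client at its WSUS server over HTTPS, places it in a target group, sets the detection frequency, schedules installation, keeps restarts from happening while someone is logged on, and then triggers a detection cycle. The server URL and group name are assumptions.

```powershell
# Added example, not from the original post. Assumptions: the client reports to
# wsus-core.corp.example over HTTPS on 8531 and joins the computer group 'Pilot'.
# Run elevated on the client. A GPO writes exactly these values on domain members.
$wsusUrl = 'https://wsus-core.corp.example:8531'   # assumption
$group   = 'Pilot'                                  # assumption

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'
New-Item -Path $auKey -Force | Out-Null

# Where to fetch updates and where to report status. Same server here; they may differ.
Set-ItemProperty -Path $wuKey -Name WUServer       -Value $wsusUrl -Type String
Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $wsusUrl -Type String

# 3.5 client-side targeting: the client names its own group when it checks in.
# The server must be in Client targeting mode for this to take effect.
Set-ItemProperty -Path $wuKey -Name TargetGroupEnabled -Value 1      -Type DWord
Set-ItemProperty -Path $wuKey -Name TargetGroup        -Value $group -Type String

# Use the WSUS server instead of Microsoft Update, and keep Automatic Updates on.
Set-ItemProperty -Path $auKey -Name UseWUServer  -Value 1 -Type DWord
Set-ItemProperty -Path $auKey -Name NoAutoUpdate -Value 0 -Type DWord

# 4 = download automatically and install on the schedule below;
# 3 = download automatically and notify for install (the notification path above).
Set-ItemProperty -Path $auKey -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $auKey -Name ScheduledInstallDay  -Value 0 -Type DWord   # 0 = every day, 1 = Sunday .. 7 = Saturday
Set-ItemProperty -Path $auKey -Name ScheduledInstallTime -Value 3 -Type DWord   # 03:00 local time

# Detection cycle: default 22 hours minus a random offset; allowed range 1..22 hours.
Set-ItemProperty -Path $auKey -Name DetectionFrequencyEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $auKey -Name DetectionFrequency        -Value 4 -Type DWord

# No automatic restart while a user is logged on; the countdown dialog is shown instead.
Set-ItemProperty -Path $auKey -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord

# Pick up the new policy and run a detection cycle now instead of waiting for the next one.
Restart-Service -Name wuauserv
$au = New-Object -ComObject Microsoft.Update.AutoUpdate
$au.DetectNow()

# Verify what was written, then watch the client log for the scan result.
Get-ItemProperty -Path $wuKey | Select-Object WUServer, WUStatusServer, TargetGroup
Get-ItemProperty -Path $auKey | Select-Object AUOptions, DetectionFrequency, ScheduledInstallDay, ScheduledInstallTime
Get-WinEvent -LogName 'Microsoft-Windows-WindowsUpdateClient/Operational' -MaxEvents 10 |
    Format-Table TimeCreated, Id, Message -Wrap
```

With an https:// WUServer the client refuses the server unless it trusts the certificate bound to port 8531, so the issuing CA must be in the client's Trusted Root store before the first detection cycle; a client that silently never reports in after this change is usually a certificate problem, visible in the Windows Update client event log queried at the end.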
