Best Practices in Architect and Implementing Windows Server Update Services

Upload: tarmaledaniel

Post on 06-Apr-2018


TRANSCRIPT

  • 8/3/2019 Best Practices in Architect and Implementing Windows Server Update Services

    1/48

  • Slide 2/48

    Greg Shields, Partner, Concentrated Technology

    WSV302

  • Slide 3/48

    Agenda

    Topics

    Part I: Architecting and Implementing WSUS

    Part II: Troubleshooting WSUS

    Part III: Tips and Tricks for Using WSUS

  • Slide 4/48

    Architecting and Implementing WSUS

  • Slide 5/48

    WSUS Product Vision

    Simple, zero-cost solution for distributing Microsoft Updates content in a corporation

    A free RTW add-on for Windows Server

    Solution only distributes Microsoft Updates

    Distributing 3rd party patches requires purchasing advanced management tools such as SCE or Configuration Manager 2007

    Provides a foundation for Update Management across Microsoft products: SCE, Configuration Manager 2007, MBSA, WU, SBS, Forefront

    Consistent scan results

    Unified client scan mechanism (WUA) irrespective of which server actually manages the updates

  • Slide 6/48

    WSUS Momentum

    Over 500,000 distinct WSUS servers synched with Microsoft Update last month

    Used by over 60% of medium/large orgs and built into SBS

    WSUS 3 released April 30, 2007

    Huge improvements in performance, deployment options, reporting and UI

    Easy in-place upgrade from WSUS 2

    WSUS 3.0 SP1 released Feb 7, 2008

    WSUS 3.0 SP2 released Jan 26, 2009

  • Slide 7/48

    WSUS Lifecycle/Roadmap

    Support lifecycle

    Next up: release WSUS 3 SP2 RC; RTM shortly after the Windows Server 2008 R2 release

    Version     Support ends    Comment
    SUS 1.0     Not supported   Crazy old now. Don't use.
    WSUS2 RTM   Not supported   Updates still flow
    WSUS2 SP1   Not supported   EOL is April 9 2009 (now), two years after WSUS3 RTM
    WSUS3 RTM   Not supported   One year after WSUS3 SP1
    WSUS3 SP1   TBD             One year after WSUS3 SP2

  • Slide 8/48

    WSUS 3.0 SP1/SP2 Adds Features

    WSUS 3 SP1 adds the following features:

    Installs on Server 2008, integrated with Server Manager (after installing Server Manager update KB940518)

    API enhancements for advanced management tools

    Bug fixes

    WSUS 3 SP2 will add:

    Installs on Server 2008 R2 beta

    Supports managing Win7 clients

    Support for BranchCache

    Auto-approval rules with deadlines

    Bug fixes (DSS gets languages from USS, target groups sorted alphabetically, more robust setup upgrade)

    (RC) Compliance against approved updates

  • Slide 9/48

    New Features in WSUS SP2

  • Slide 10/48

    Elements of Architecture: Why Architecture?

    Problems are usually results of improper architecture

    A correct architecture will drive a better design

    Especially in situations of administrator distrust or insufficient bandwidth

    Design your WSUS solution with the same goals as your AD solution

    Roaming users should be dealt with separately

  • Slide 11/48

    Simple Architecture: Single, well-connected site

    WSUS updates from MU

    Clients update from WSUS

    Single server can handle 25,000 clients

    50K clients with 2x front-end servers and big SQL back-end

    Remote SQL configuration reduces server load

    Front-end handles update sync load

    Back-end handles reporting load

  • Slide 12/48

    Simple, with Groups Architecture: Largest use case in production today

    Driving forces to move to Machine Groups:

    Differing patching requirements or schedules

    Test groups

    Servers vs. Workstations

    Politics

    Not necessarily used for load distribution

  • Slide 13/48

    WSUS Chaining

    Chaining involves downstream servers getting updates (and sometimes Group data) from upstream servers

    Options for chaining

    Distributed vs. Centralized model

    Autonomous Mode vs. Replica Mode

    Chaining solves the problem of mesh or fully independent architectures

    Wastes resources and bandwidth

    Not that some situations don't mandate mesh or fully independent architectures!

  • Slide 14/48

    Centralized Architecture

    Downstream servers are replicas of primary server

    Little downstream control over servers

    Downstream administrators drop machines into predefined groups

    All update approvals and schedule done at primary server

  • Slide 15/48

    Distributed Architecture

    Downstream servers obtain updates from primary server, except:

    Update approvals do not flow down. Assigned at each site individually

    Downstream admins have greater control. Can create groups and assign approvals

    Used for distribution rather than control of updates

    Combinations of centralized and distributed possible. Depends on intra-IT trust model.

  • Slide 16/48

    Disconnected Architecture

    Many environments don't have Internet connectivity

    Test/dev, government, classified, air gap environments

    Data must be imported from the outside

    Any of the previous architectures will work

    Manual import process required

    Gives CM/QA/Security the option to review updates prior to bringing inside

  • Slide 17/48

    Disconnected Architecture

    Match advanced options between source and target

    Express installation files & languages must match

    Backup and restore updates from source to target

    Back up C:\WSUS\WSUSContent

    Restore to the same location on the target server

    Transfer update metadata from source to target

    Navigate to C:\Program Files\Update Services\Tools

    Export metadata using wsusutil.exe export {packageName} {logFile}

    Import with wsusutil.exe import {packageName} {logFile}

    packageName & logFile are unique names you choose

    Database validation can take multiple hours to complete!
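The export half of that transfer, scripted, is shown below as an added example; it is not from the deck and not a Microsoft tool. It wraps the two steps the slide gives (copy WSUSContent, run wsusutil.exe export) and adds a hash the import side can verify after the package crosses the gap. The paths, the staging location and the package name are assumptions; the .cab extension follows WSUS 3.0 naming (later versions use an .xml.gz package).

```powershell
# Added example (not from the deck): scripts the export half of the disconnected
# transfer described on the slide and records a hash for the import side to verify.
# Paths, the staging location and the package name are assumptions.
param(
    [string]$WsusTools   = 'C:\Program Files\Update Services\Tools',
    [string]$ContentPath = 'C:\WSUS\WSUSContent',
    [string]$StagingPath = 'E:\WsusExport',   # removable media or a share that crosses the air gap
    [string]$PackageName = 'export.cab'       # WSUS 3.0 naming; newer versions use export.xml.gz
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $StagingPath -Force | Out-Null

# 1. Copy the content store (the update binaries). /MIR mirrors the tree; /R and /W
#    keep a file locked by a running sync from stalling the copy for hours.
$contentTarget = Join-Path $StagingPath 'WSUSContent'
$logArg = "/LOG:$StagingPath\content-copy.log"
robocopy $ContentPath $contentTarget /MIR /R:2 /W:5 /NP $logArg | Out-Null
# robocopy exit codes 0-7 are success states (0 = nothing to copy, 1 = files copied, ...)
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# 2. Export the update metadata. packageName and logFile are simply names you choose.
$packagePath = Join-Path $StagingPath $PackageName
$logPath     = Join-Path $StagingPath 'export.log'
& (Join-Path $WsusTools 'wsusutil.exe') export $packagePath $logPath
if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed with exit code $LASTEXITCODE" }

# 3. Hash the package so the import side can confirm it arrived unmodified.
$hash = Get-FileHash -Path $packagePath -Algorithm SHA256   # PowerShell 4+
"$($hash.Hash)  $PackageName" | Set-Content -Path (Join-Path $StagingPath 'export.sha256')

Write-Host "Export complete. On the target server: verify the hash, restore $contentTarget to $ContentPath, then run"
Write-Host "  `"$WsusTools\wsusutil.exe`" import $PackageName import.log   (the database validation can take hours)"
```

Run it on the connected (source) server as an administrator. Before importing on the target, confirm its express-installation-files and language options match the source, as the slide requires; an import into a server with different options leaves clients looking for content the target never received.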

  • Slide 18/48

    Roaming Architecture

    Manages updates for external resources

    WSUS servers distribute approval metadata

    Clients download updates from Windows Update directly

    Extra security for internet-facing WSUS server

    Useful separate architecture for mostly off-net clients

    (Diagram: Laptop WSUS, Laptops)

  • Slide 19/48

    Roaming Architecture

    Four Steps to Internet-facing WSUS

    Build server in DMZ and position behind ISA proxy

    Locate database on server not reachable from Internet

    Enable SSL for communications

    Host content on Microsoft Update

    (Diagram: Laptop WSUS, Laptops)

  • Slide 20/48

    High Availability Architecture

    WSUS 3.0 includes native support for high availability

    NLB Clusters connect multiple WSUS web servers via a single cluster IP

    SQL Cluster manages the database

    No single point of failure

    Critical: This design is useful for availability, but does little for performance

  • Slide 21/48

    Managing Branch Offices

    Branch offices are typically managed through replica WSUS servers

    Replica servers take all orders from the central server

    Settings at the top flow downward, but take time

    Alternatively, unify architecture through a single central server

    Single server manages all clients across all offices

    Deploy ISA proxy in the branch

    Enable BITS peer-caching

    Use delta files to reduce network traffic

    10x more server disk space

    4x less client download

  • Slide 22/48

    Upgrade Deployment

    WSUS 3 SP1 setup supports in-place upgrade

    One-way upgrade (no rollback)

    Can't be done from WSUS 2 on Server 2000 or using SQL 2000

    Alternative is migration upgrade:

    Install second server

    If original server is WSUS2 SP1:

    Perform disconnected replica steps (wsusutil, ntbackup, wsusmigrate)

    Switch over clients via policy

    If original server is also WSUS 3:

    Configure new server to be a replica of the first and sync

    After sync, configure new server to be autonomous

    Upgrade hierarchy from top down

  • Slide 23/48

    Troubleshooting WSUS

  • Slide 24/48

    Errors and Error Codes

    Numerous WSUS error codes exist

    A complete list of all WSUS error codes is available on-line at http://inetexplorer.mvps.org/archive/windows_update_codes.htm

    For example, 0x8DDD0018 occurs when one of these services is disabled:

    Automatic Updates

    BITS

    Event Log

  • Slide 25/48

    Errors and Error Codes II

    0x80072EE2, 0x80072EFD

    This issue occurs because the Windows Update client did not receive a timely response from the Windows Update Web site server

    Likely a proxy configuration, personal firewall, or trusted hosts problem

  • Slide 26/48

    Errors and Error Codes III

    0x80246008, 0x8024402C

    Caused by BITS malfunctioning or corrupted

    Download and extract the BITSAdmin tool from the Windows Support Tools CD

    bitsadmin /util /repairservice /force

    If that doesn't work, try a BITS re-install

    Though if you do a BITS re-install, clear out the %SystemRoot%\SoftwareDistribution folder and reboot when done

    It's worth mentioning here that there is no backup download process for WUA, like HTTP or FTP.

    If BITS is non-functional, so is patching!

  • Slide 27/48

    Errors and Error Codes IV

    0x80244019

    This error is often caused when the Proxy server is not properly configured.

    Ensure that your Proxy server allows Anonymous access to these external addresses:

    http://windowsupdate.microsoft.com

    http://*.windowsupdate.microsoft.com

    https://*.windowsupdate.microsoft.com

    http://*.update.microsoft.com

    https://*.update.microsoft.com

    http://*.windowsupdate.com

    http://download.windowsupdate.com

    http://download.microsoft.com

    http://*.download.windowsupdate.com

    http://wustat.windows.com

    http://ntservicepack.microsoft.com

    Microsoft does not publish the IPs associated with these FQDNs.

    So, if you do perimeter network security by IP you've gotta stay on the ball with these!
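A check for that allow list from the client side, as an added example (not from the deck): it resolves each concrete host name the slide lists, tests the ports the agent uses, and repeats the test through an explicit proxy, which is the path a 0x80244019 client actually takes. The wildcard entries cannot be probed as written, so only the concrete names are included; the proxy URL is an assumption. Resolve-DnsName and Test-NetConnection need Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the deck): verify that the Windows Update hosts on the slide
# resolve and are reachable from this client, directly and via the proxy.
$Hosts = @(
    'windowsupdate.microsoft.com'
    'download.windowsupdate.com'
    'download.microsoft.com'
    'wustat.windows.com'
    'ntservicepack.microsoft.com'
)

function Test-UpdateEgress {
    # Direct reachability: DNS first, then TCP 80 and 443.
    param([string[]]$HostNames, [int[]]$Ports = @(80, 443))
    foreach ($h in $HostNames) {
        $addresses = @()
        try {
            # A dead name explains a timeout before the firewall gets blamed; CNAME rows are dropped.
            $addresses = @(Resolve-DnsName -Name $h -Type A -ErrorAction Stop |
                           Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
        } catch { }
        foreach ($port in $Ports) {
            $ok = $false
            if ($addresses.Count -gt 0) {
                $ok = (Test-NetConnection -ComputerName $h -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
            }
            [pscustomobject]@{ Host = $h; Port = $port; Resolves = ($addresses.Count -gt 0)
                               Addresses = ($addresses -join ' '); Reachable = $ok }
        }
    }
}

function Test-UpdateEgressViaProxy {
    # Same hosts through the proxy. Any HTTP answer (even 403/404) proves the proxy
    # let the request out; no response object means it did not.
    param([string[]]$HostNames, [string]$Proxy)
    foreach ($h in $HostNames) {
        $reachable = $false
        try {
            Invoke-WebRequest -Uri "http://$h/" -Proxy $Proxy -Method Head -UseBasicParsing -TimeoutSec 15 | Out-Null
            $reachable = $true
        } catch {
            $reachable = ($null -ne $_.Exception.Response)
        }
        [pscustomobject]@{ Host = $h; ViaProxy = $Proxy; Reachable = $reachable }
    }
}

# The agent uses the WinHTTP proxy, not the user's Internet Explorer proxy, so show it.
netsh winhttp show proxy
Test-UpdateEgress -HostNames $Hosts | Format-Table -AutoSize
# Constructed proxy address for the example; use the one your WinHTTP setting names.
Test-UpdateEgressViaProxy -HostNames $Hosts -Proxy 'http://proxy.corp.example:8080' | Format-Table -AutoSize
```

Read the two tables together: a name that resolves and answers through the proxy but not directly is normal in a proxy-only network; a name that fails both ways, or resolves to an address outside the ranges your perimeter permits, is the case the slide's last bullet warns about.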

  • Slide 28/48

    WUA Client Issues

    To enable auto-updates, ensure:

    Anonymous access granted to Self Update virtual directory on WSUS server

    Auto-updates requires TCP/80 to function on WSUS server

    Be aware of GP replication times

    90 to 120 minute GP refresh timing will impact the speed of clients becoming visible in the WSUS admin tool

    Be aware of AU detection frequency times

    WUA client set to check with server every 22 hours (minus offset).

    The WUA version check happens when WUA checks in

    Need to do wuauclt /detectnow to force this to occur on-demand

  • Slide 29/48

    WUA Client Issues II

    Known issue with imaged workstations:

    If you image your workstations (and who doesn't these days!), you must change SID

    Sysinternals NewSID, Microsoft SysPrep

    Not doing this will prevent WUA from contacting WSUS

    To fix this problem:

    Run one of the above tools to change the SID

    HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate

    Delete PingID, SUSClientID, and AccountDomainSID values

    Restart wuauserv service

    Run wuauclt /resetauthorization /detectnow
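The fix above is easy to apply to one machine and hard to find the need for across a fleet, so here is an added example (not from the deck) that first detects clones sharing a WSUS client identity and then runs the slide's registry-and-service sequence on the duplicates. Host names are constructed, and WinRM remoting with local administrator rights is assumed. It handles only the Windows Update identity; the machine SID change itself is still the Sysprep/NewSID step the slide names and is not done here.

```powershell
# Added example (not from the deck): find imaged workstations that share a WSUS client
# identity and reset the identity on the duplicates, following the slide's fix steps.

# Runs on each client: report the identity values WSUS uses to tell machines apart.
$collect = {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate' -ErrorAction SilentlyContinue
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; SusClientId = $p.SusClientId; PingID = $p.PingID }
}

# Runs on a client whose identity collides: the fix sequence from the slide.
$reset = {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
    Stop-Service -Name wuauserv -Force
    # The three values the slide names, plus SusClientIdValidation, which newer
    # agents also store (an addition here, not on the slide).
    foreach ($name in 'PingID', 'SusClientId', 'AccountDomainSid', 'SusClientIdValidation') {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    }
    Start-Service -Name wuauserv
    # Fresh IDs are generated at the next check-in; force it instead of waiting up to 22 hours.
    & wuauclt.exe /resetauthorization /detectnow
    "$env:COMPUTERNAME : identity reset"
}

# Constructed list for the example; in practice take it from AD or the WSUS console.
$computers = 'WS-IMG-01', 'WS-IMG-02', 'WS-IMG-03'

$ids = Invoke-Command -ComputerName $computers -ScriptBlock $collect -ErrorAction Continue
# Machines with the same SusClientId were imaged without a reset; WSUS sees them as
# one computer whose name keeps changing, and the others never appear.
$dupes = $ids | Group-Object -Property SusClientId | Where-Object { $_.Count -gt 1 }
foreach ($group in $dupes) {
    $members = $group.Group | Select-Object -ExpandProperty Computer
    Write-Host "SusClientId $($group.Name) is shared by: $($members -join ', ')"
    # Keep the first machine's identity and reset the rest so each gets a new one.
    $toFix = $group.Group | Select-Object -Skip 1 | Select-Object -ExpandProperty Computer
    Invoke-Command -ComputerName $toFix -ScriptBlock $reset
}
if (-not $dupes) { Write-Host 'No duplicate WSUS client identities found.' }
```

The collection step is read-only and safe to run against the whole estate; the reset step only ever touches machines that appeared in a duplicate group, so a clean fleet is left alone.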

  • Slide 30/48

    WUA Client Issues III

    Disabling the Automatic Updates Service or the BITS Service at any point in the past prevents it from starting properly when you need it!

    Reset permissions on these services to re-enable functionality.

    Use the Service Control Resource Kit tool (sc.exe) to do this:

    sc sdset bits "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"

    sc sdset wuauserv "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"

    Every disabled client needs this!
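Because every previously disabled client needs the reset, an audit-then-fix loop is more useful than typing the two commands by hand. The following is an added example (not from the deck): it reads each service's current descriptor with sc.exe sdshow, compares the DACL to the slide's strings, applies sc.exe sdset only where they differ, and restores the start type, since a service that was set to Disabled needs that too. Host names are constructed; sc.exe \\host needs administrator rights and the remote Service Control Manager reachable, and Set-Service -ComputerName is the Windows PowerShell 5.1 form.

```powershell
# Added example (not from the deck): audit and reset the BITS / Automatic Updates
# service security descriptors on a list of machines.
$Expected = @{
    bits     = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)'
    wuauserv = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)'
}
$computers = 'SRV-APP-01', 'SRV-APP-02'   # constructed for the example

function Get-ServiceSddl {
    param([string]$Computer, [string]$Service)
    # sc.exe sdshow prints the SDDL on its own line; blank lines and errors are filtered out.
    $out = & sc.exe "\\$Computer" sdshow $Service 2>&1 | Where-Object { "$_" -match '^D:' }
    return ($out | Select-Object -First 1)
}

foreach ($computer in $computers) {
    foreach ($service in $Expected.Keys) {
        $current = Get-ServiceSddl -Computer $computer -Service $service
        if ($null -eq $current) {
            Write-Warning "$computer/$service : could not read security descriptor"
            continue
        }
        # Compare only the DACL; sdshow may append an S: (SACL) section after it.
        $currentDacl = ("$current" -split 'S:')[0]
        if ($currentDacl -eq $Expected[$service]) {
            Write-Host "$computer/$service : OK"
            continue
        }
        Write-Host "$computer/$service : descriptor differs, resetting"
        Write-Host "    was: $currentDacl"
        & sc.exe "\\$computer" sdset $service $Expected[$service] | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "$computer/$service : sdset failed ($LASTEXITCODE)" }
        # A service that was set to Disabled also needs its start type put back.
        Set-Service -ComputerName $computer -Name $service -StartupType Manual
    }
}
```

The "was:" line is worth keeping in your logs: a descriptor that differs from the default in a way nobody in your team set is a change worth explaining, not just overwriting.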

  • Slide 31/48

    Tips and Tricks for Using WSUS

  • Slide 32/48

    Optimize Patch Distribution

    In large, multi-site environments low bandwidth may cause problems for remote offices

    Distributing updates to downstream servers is a big problem

    Potential solutions:

    Ensure downloading only the languages you need

    Configure patch distribution to occur in the evenings

    Stagger patch distributions between tiered sites

    Express installation files can exacerbate this

    The bandwidth savings in express installation files occurs from WSUS server to client, not between WSUS servers

    Throttle BITS

  • Slide 33/48

    Throttling BITS

    BITS can be throttled either on the WSUS server or additionally on all the clients

    Alleviates network saturation during update distribution and during client installation

    Be aware that this does slow down update distributions!

    Throttle BITS in Group Policy:

    Computer Configuration | Administrative Templates | Network | Background Intelligent Transfer Service

    Two settings:

    Maximum network bandwidth that BITS uses

    Limit by Kbps based on time of day or at all times

    Be aware that Kbps is kiloBITS not kiloBYTES (divide by 8)

    Timeout (in days) for inactive jobs
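The kilobits-versus-kilobytes trap is easiest to avoid by never typing the policy value by hand. The following added example (not from the deck) takes the figure an administrator plans in, kilobytes per second, converts it, and writes the registry values behind the two Group Policy settings on one machine (a lab box or a non-domain client; domain members should get the same values from the GPO). The value names are my reading of the BITS policy template (bits.admx) and are an assumption to check against the template you deploy from; the 4x off-hours multiplier is also a constructed choice.

```powershell
# Added example (not from the deck): apply the BITS throttle the slide describes
# by writing the policy registry values, with the KB/s -> kbps conversion done once.
$BitsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'

function Set-BitsThrottle {
    param(
        [int]$KilobytesPerSecond,          # the unit admins usually plan in
        [int]$FromHour = 8,                # scheduled window, local time, 24-hour clock
        [int]$ToHour   = 17,
        [switch]$UnlimitedOffSchedule,     # lift the cap outside the window
        [int]$InactiveJobTimeoutDays = 90  # the slide's second setting
    )
    # The policy value is kilobits per second: multiply KB/s by 8. The slide's
    # "divide by 8" is the same conversion read from the policy side.
    $kbps = $KilobytesPerSecond * 8
    $offScheduleKbps = $kbps * 4           # assumption: allow 4x the daytime cap at night

    if (-not (Test-Path $BitsPolicy)) { New-Item -Path $BitsPolicy -Force | Out-Null }
    # Value names assumed from bits.admx ("Limit the maximum network bandwidth for BITS
    # background transfers" and "Timeout for inactive BITS jobs"); verify before use.
    Set-ItemProperty -Path $BitsPolicy -Name EnableBITSMaxBandwidth    -Value 1         -Type DWord
    Set-ItemProperty -Path $BitsPolicy -Name MaxTransferRateOnSchedule -Value $kbps     -Type DWord
    Set-ItemProperty -Path $BitsPolicy -Name MaxBandwidthValidFrom     -Value $FromHour -Type DWord
    Set-ItemProperty -Path $BitsPolicy -Name MaxBandwidthValidTo       -Value $ToHour   -Type DWord
    if ($UnlimitedOffSchedule) {
        Set-ItemProperty -Path $BitsPolicy -Name UseSystemMaximum -Value 1 -Type DWord
    } else {
        Set-ItemProperty -Path $BitsPolicy -Name UseSystemMaximum           -Value 0                -Type DWord
        Set-ItemProperty -Path $BitsPolicy -Name MaxTransferRateOffSchedule -Value $offScheduleKbps -Type DWord
    }
    Set-ItemProperty -Path $BitsPolicy -Name JobInactivityTimeout -Value $InactiveJobTimeoutDays -Type DWord

    [pscustomobject]@{ OnScheduleKbps = $kbps; OffScheduleKbps = $offScheduleKbps; Window = "$FromHour-$ToHour" }
}

# 64 KB/s during business hours is 512 kbps in the policy. Entering 64 in the GPO
# by mistake would cap clients at 8 KB/s, and an office of 200 machines would take
# days to pull a service pack.
Set-BitsThrottle -KilobytesPerSecond 64 -FromHour 8 -ToHour 18
```

The returned object shows what actually went into the registry, so the figure can be pasted into the change ticket alongside the GPO setting it mirrors.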

  • Slide 34/48

    DNS Netmask Ordering

    Non-centralized architectures can better route clients through DNS Netmask ordering

    Microsoft DNS Round Robin will first provide an IP address in the same subnet as the requestor

    If no IP exists in the same subnet, a random IP will be selected

    All WSUS hosts must respond to the same FQDN

    DNS FQDN record is populated with IP addresses of all WSUS servers in the network
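The configuration that slide describes, plus a small function that reproduces the ordering rule so the record set can be sanity-checked before clients are pointed at it, as an added example (not from the deck). The zone, host name and addresses are constructed; the DnsServer PowerShell module (Windows Server 2012 or later) is assumed on the DNS server, and dnscmd is used for the netmask-ordering switch.

```powershell
# Added example (not from the deck): register one FQDN with every WSUS server's address,
# enable netmask ordering, and simulate which address a client in a given subnet gets.
$Zone     = 'corp.example'
$HostName = 'wsus'                                   # clients point at wsus.corp.example
$WsusIps  = '10.1.0.20', '10.2.0.20', '10.3.0.20'    # one WSUS server per site subnet

# One A record per server under the same name; DNS returns the whole set.
foreach ($ip in $WsusIps) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $HostName -IPv4Address $ip -TimeToLive 00:05:00
}

# LocalNetPriority makes the server put the address closest to the requester first.
dnscmd /Config /LocalNetPriority 1

function ConvertTo-UInt32 {
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$b[0] -shl 24) + ([int64]$b[1] -shl 16) + ([int64]$b[2] -shl 8) + [int64]$b[3]
}

function Select-WsusForClient {
    # Mirrors the rule on the slide: an address in the client's subnet wins; otherwise
    # the pick is random, so a client in a subnet with no WSUS server is spread across sites.
    param([string]$ClientIp, [string[]]$Candidates, [int]$PrefixLength = 24)
    $mask      = ([int64]0xFFFFFFFF -shl (32 - $PrefixLength)) -band 0xFFFFFFFF
    $clientNet = (ConvertTo-UInt32 $ClientIp) -band $mask
    $local = $Candidates | Where-Object { ((ConvertTo-UInt32 $_) -band $mask) -eq $clientNet }
    if ($local) { return ($local | Select-Object -First 1) }
    return ($Candidates | Get-Random)
}

Select-WsusForClient -ClientIp '10.2.0.57' -Candidates $WsusIps    # same subnet as 10.2.0.20
Select-WsusForClient -ClientIp '10.9.0.57' -Candidates $WsusIps    # no local server: random pick
```

Two caveats the slide implies: every server in the set must serve the same approvals (a replica hierarchy or a single upstream), or two clients on the same desk can end up with different patch states; and the client must trust the same certificate for wsus.corp.example on all servers if SSL is enabled, so issue the certificate for the shared name, not the individual hosts.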

  • Slide 35/48

    Server Tuning

    Run cleanup and DB defrag every few months

    Cleanup wizard is a new feature in WSUS 3

    Removes stale computers and updates

    DB index defrag script available on ScriptCenter; keeps the server running fast

    Look out:

    Take care to not remove computers that are still active (but having trouble contacting the server)

    Populate from AD sample tool can help

    In a hierarchy, need to run cleanup on each WSUS server.

    Clean computers from bottom-up

    Clean updates from top-down (or between sync intervals)

    Can be automated through the API

  • Slide 36/48

    Considerations for Updating Servers

    Servers require more care than workstations

    A rebuild is usually not an acceptable solution for a failed patch installation

    Outage windows are shorter

    But in some ways servers are easier

    Data and system drives usually separated

    Hardware configuration is usually more stable or well-understood

    Service isolation and redundancy in larger environments limits exposure/risk

    People typically aren't surfing on servers

    The RAID 1 Undo Trick

  • Slide 37/48

    What About Reboots?

    I've said this before, and I'll say it again: If you have a patch management plan without a reboot strategy, you don't have a patch management plan.

    Three methods:

    Client-initiated

    WSUS-initiated

    Script-initiated

    Two methodologies: Scheduled reboots vs. rebooting for patch installation

    I will argue in favor of scheduled, forced reboots over mid-day reboots.

  • Slide 38/48

    Handling Reboots

    ' Reads host names from computers.txt, reboots each via WMI and logs the outcome to results.txt
    RebootFile = "computers.txt"
    LogFile = "results.txt"
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set f = fso.OpenTextFile(RebootFile, 1, True)
    Set objTextFile = fso.OpenTextFile(LogFile, 2, True)
    On Error Resume Next
    Do While f.AtEndOfStream <> True
        strComputer = f.ReadLine
        ' (Shutdown) requests the shutdown privilege; without it Reboot() is denied
        Set objWMIService = GetObject("winmgmts:" & _
            "{impersonationLevel=impersonate,(Shutdown)}!\\" & strComputer & "\root\cimv2")
        If Err.Number <> 0 Then
            objTextFile.WriteLine(strComputer & " is not responding.")
            Err.Clear
        Else
            Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
            objTextFile.WriteLine(strComputer & " is rebooting.")
            For Each objOperatingSystem In colOperatingSystems
                objOperatingSystem.Reboot()
            Next
        End If
    Loop

  • Slide 39/48

    Custom Reports

    UI supports basic customization (filters)

    Advanced customization can be built on the WSUS (.Net) API

    Can use PowerShell scripts to generate reports

    Public read-only SQL views

    Can use SSRS to generate reports (if full SQL)

    Samples available from MSDN

    E.g., compliance against approved updates

  • Slide 40/48

    Match KBs to MSRCs

    Ever wish you had a nice mapping of knowledgebase numbers to MSRC numbers?

    The Q-numbers to the MS-numbers

    This script outputs a .CSV file that provides just that mapping

    Add the name of your WSUS server into the top line of the script: strWSUSServer = "..."

  • Slide 41/48

    Match KBs to MSRCs

    ' Fill in the server (or SQL instance) that hosts SUSDB. For the Windows Internal
    ' Database of a default WSUS 3 install, run this on the WSUS server itself and use
    ' the named pipe: np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query
    strWSUSServer = ""
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set objTextFile = fso.OpenTextFile("OUTPUT.csv", 2, True)
    objTextFile.WriteLine("MS Number,Q Number")
    Set conn = CreateObject("ADODB.Connection")
    Set rs = CreateObject("ADODB.Recordset")
    ' Trusted_Connection=Yes uses the caller's Windows credentials instead of a SQL login
    dbconn = "Driver={SQL Server};Server=" & strWSUSServer & ";Database=SUSDB;Trusted_Connection=Yes"
    conn.Open dbconn
    ' English (1033) title of every revision that carries a security bulletin ID
    strSQLQuery = "SELECT dbo.tbSecurityBulletinForRevision.SecurityBulletinID, dbo.tbLocalizedProperty.Title " & _
        "FROM dbo.tbLocalizedPropertyForRevision " & _
        "INNER JOIN dbo.tbLocalizedProperty ON dbo.tbLocalizedPropertyForRevision.LocalizedPropertyID = dbo.tbLocalizedProperty.LocalizedPropertyID " & _
        "INNER JOIN dbo.tbSecurityBulletinForRevision ON dbo.tbLocalizedPropertyForRevision.RevisionID = dbo.tbSecurityBulletinForRevision.RevisionID " & _
        "WHERE (dbo.tbLocalizedPropertyForRevision.LanguageID = 1033) " & _
        "ORDER BY dbo.tbSecurityBulletinForRevision.SecurityBulletinID"
    rs.Open strSQLQuery, conn, 3, 3
    While Not rs.EOF
        ' Titles can contain commas, which would break the CSV, so strip them
        objTextFile.WriteLine(rs.Fields(0).Value & "," & Replace(rs.Fields(1).Value, ",", ""))
        rs.MoveNext
    Wend
    rs.Close
    conn.Close
    objTextFile.Close
    WScript.Echo "Done!"
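The same mapping can be produced without a SQL driver or direct access to SUSDB by going through the public WSUS .NET API that the Custom Reports slide points at. This is an added example (not from the deck, and not a Microsoft sample) covering both that slide and the KB-to-MSRC one; the server name, port and output path are assumptions, and it must run on a machine with the WSUS administration console installed, which is where the Microsoft.UpdateServices.Administration assembly comes from.

```powershell
# Added example (not from the deck): KB <-> MSRC bulletin mapping through the WSUS
# .NET API, with approval and supersedence state included for each bulletin.
param(
    [string]$WsusServer = 'wsus01.corp.example',   # assumption
    [int]$Port          = 8530,                    # 8531 with -UseSsl
    [switch]$UseSsl,
    [string]$OutFile    = 'kb-to-msrc.csv'
)

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, [bool]$UseSsl, $Port)

$rows = foreach ($update in $wsus.GetUpdates()) {
    # Only security updates carry an MSRC bulletin; everything else has an empty
    # SecurityBulletins collection and is skipped, which is the filter the SQL
    # version gets from its INNER JOIN on tbSecurityBulletinForRevision.
    if ($update.SecurityBulletins.Count -eq 0) { continue }
    foreach ($bulletin in $update.SecurityBulletins) {
        [pscustomobject]@{
            MSNumber   = $bulletin                                  # e.g. MS09-001
            KBNumbers  = ($update.KnowledgebaseArticles -join ';')   # one update can cite several
            Title      = $update.Title
            Severity   = $update.MsrcSeverity
            Approved   = $update.IsApproved
            Superseded = $update.IsSuperseded
            Released   = $update.CreationDate.ToString('yyyy-MM-dd')
        }
    }
}

$rows | Sort-Object MSNumber | Export-Csv -Path $OutFile -NoTypeInformation
"{0} bulletin rows written to {1}" -f @($rows).Count, $OutFile
```

Export-Csv quotes fields itself, so the comma-stripping the VBScript needs is unnecessary here. The Approved and Superseded columns are what turn the list into a report: a bulletin that is not approved and not superseded is an open gap, which is the "compliance against approved updates" view the Custom Reports slide mentions, computed from the approval side.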

  • Slide 42/48

    Agent Control

    Use WUA API to control the agent

    Custom install schedules

    Updating servers in web farms

    Implementing install now functionality

  • Slide 43/48

    On-Demand Patching (You Patch Now!)

    Ever wish you had a WSUS big red button?

    Such a button might automatically download and install all approved patches and reboot if necessary

    How about this VBScript?

    Run this script from any server console

    Immediately downloads and installs all approved patches.

    If a reboot is required, it will then reboot the server.

  • Slides 44-45/48

    The WSUS Big Red Button

    ' Forces Automatic Updates to detect, then downloads and installs every update the
    ' WSUS server has approved for this machine, rebooting if an update requires it.
    Set objAutomaticUpdates = CreateObject("Microsoft.Update.AutoUpdate")
    objAutomaticUpdates.EnableService
    objAutomaticUpdates.DetectNow

    Set objSession = CreateObject("Microsoft.Update.Session")
    Set objSearcher = objSession.CreateUpdateSearcher()
    Set objResults = objSearcher.Search("IsInstalled=0 and Type='Software'")
    Set colUpdates = objResults.Updates

    Set objUpdatesToDownload = CreateObject("Microsoft.Update.UpdateColl")
    intUpdateCount = 0
    For i = 0 To colUpdates.Count - 1
        intUpdateCount = intUpdateCount + 1
        Set objUpdate = colUpdates.Item(i)
        objUpdatesToDownload.Add(objUpdate)
    Next

    If intUpdateCount = 0 Then
        WScript.Quit
    Else
        Set objDownloader = objSession.CreateUpdateDownloader()
        objDownloader.Updates = objUpdatesToDownload
        objDownloader.Download()

        Set objInstaller = objSession.CreateUpdateInstaller()
        objInstaller.Updates = objUpdatesToDownload
        Set installationResult = objInstaller.Install()

        ' Reboot only when the agent reports one pending; (Shutdown) grants the privilege Reboot() needs
        Set objSysInfo = CreateObject("Microsoft.Update.SystemInfo")
        If objSysInfo.RebootRequired Then
            Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}!\\localhost\root\cimv2")
            Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
            For Each objOperatingSystem In colOperatingSystems
                objOperatingSystem.Reboot()
            Next
        End If
    End If
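For the web-farm and install-now cases on the Agent Control slide, a server administrator usually wants the button to report rather than act. The following added example (not from the deck) is a PowerShell take on the same Windows Update Agent calls that records the per-update result code, skips updates whose EULA has not been accepted rather than attempting them, and never reboots on its own: its exit code tells the scheduled task that ran it whether a reboot is pending, so the scheduled-reboot methodology argued for earlier stays in charge. The COM classes are the agent's own; the log path and exit-code convention are assumptions.

```powershell
# Added example (not from the deck): install all approved updates now, log the result
# of each one, and signal "reboot pending" through the exit code instead of rebooting.
param([string]$LogPath = "$env:SystemRoot\Temp\install-now.log")   # assumption

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# OperationResultCode values the Windows Update Agent returns
$ResultNames = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'; 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
# ServerSelection is left at its default, so a WSUS-managed client only sees updates its
# WSUS server has approved for its group; nothing unapproved can be pulled in this way.
$result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

$toInstall = New-Object -ComObject Microsoft.Update.UpdateColl
foreach ($u in $result.Updates) {
    if (-not $u.EulaAccepted) { Write-Log "Skipping (EULA not accepted): $($u.Title)"; continue }
    [void]$toInstall.Add($u)
}
if ($toInstall.Count -eq 0) { Write-Log 'Nothing to install.'; exit 0 }

$downloader = $session.CreateUpdateDownloader()
$downloader.Updates = $toInstall
$dl = $downloader.Download()
Write-Log "Download result: $($ResultNames[[int]$dl.ResultCode])"

$installer = $session.CreateUpdateInstaller()
$installer.Updates = $toInstall
$inst = $installer.Install()
for ($i = 0; $i -lt $toInstall.Count; $i++) {
    $r = $inst.GetUpdateResult($i)
    Write-Log ("{0,-20} 0x{1:X8} {2}" -f $ResultNames[[int]$r.ResultCode], $r.HResult, $toInstall.Item($i).Title)
}
Write-Log "Install result: $($ResultNames[[int]$inst.ResultCode]); reboot required: $($inst.RebootRequired)"

# Exit-code contract for the task that runs this (assumed convention, borrowed from
# Windows Installer): 0 = done, 3010 = done but reboot pending, 1 = at least one failure.
if ($inst.ResultCode -eq 4 -or $inst.ResultCode -eq 5) { exit 1 }
if ($inst.RebootRequired) { exit 3010 }
exit 0
```

In a web farm the caller is typically a loop that drains one node from the load balancer, runs this script, and on exit code 3010 reboots that node inside the agreed window before moving to the next; the per-update HResult lines are what you want in hand when one node fails and the others do not.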

  • Slide 46/48

    Other API Uses

    ISVs use APIs for many other features as well

    Distribute 3rd party updates (quite complex)

    Gather software and hardware inventory

    Distribute updates to non-Windows devices

    Your starting point is http://technet.microsoft.com/en-us/wsus/bb466192.aspx

    API Samples

    Diagnostic Tools

    Header Files

  • Slide 47/48

    Summary

    WSUS is simple to use, but scales to enterprise

    Flexible server deployment options

    Single server, scale up, branch office, scale out, disconnected, roaming laptops

    Flexible update deployment options

    Peer caching, delta patching, auto approval rules, auto-reapprove revisions

    Periodically tune the server (defrag + cleanup)

    Public API and DB views can be used to extend the base functionality for many advanced scenarios

    Starting point for all WSUS information: http://www.microsoft.com/updateservices

  • Slide 48/48