Tuesday, September 22, 2015

WSUS with SSL and remote WSUSContents

In this post I'm going to introduce how to install WSUS on a Hyper-V virtual machine, configure SSL between the server and clients and store WSUSContents folder outside the VM.

Windows Server Update Services (WSUS) is Microsoft software that allows administrators to control the delivery of Windows updates in domain environments. WSUS is available as a role in Windows Server 2003 SP2 and later. Windows workstations can be configured to point to the WSUS server and download updates from there instead of directly from Windows Update. By default, WSUS doesn't use SSL between the server and client workstations.

According to some sources, Microsoft recommends and supports storing the downloaded updates only on the same server as WSUS. The WSUSContent folder, however, can be configured on a remote server, too. The reason I do this is that I want a full backup of the WSUS virtual machine, but at the same time I don't want the ever-changing and relatively large WSUSContent folder to be backed up and waste space on my virtual machine.

This how-to assumes that you have set up a Windows domain environment with DNS and Certificate authority. In this tutorial, the Hyper-V has already been installed on a physical server called SRV-3. It has one virtual machine, SRV-3A, which has Windows Server 2012 installed. Both servers are domain-joined. We are going to set up WSUS on SRV-3A and configure it to store the update files on SRV-3. Some existing knowledge of WSUS is going to be helpful.

Prepare SRV-3 to store update files

For me the SRV-3 Hyper-V server also functions as a backed-up DFS file server. I don't want the Windows update files to waste any space on the backup disk, so I'm going to configure a separate volume for non-backed-up shares. If space is no problem and you want to store Windows updates on the virtual machine instead, you can skip this part and jump to Install WSUS and other components.
  1. On SRV-3, navigate to Start menu > Administrative Tools > Computer Management.
  2. Expand Storage > Disk Management.
  3. Right-click C volume (C:) and choose Shrink Volume.
  4. Windows update files may take a lot of space, so enter 50000 MB (50 GB) as the amount of space to shrink.
  5. Format the volume as NTFS and assign it a drive letter (I chose N:).
Disk Management on SRV-3 after the non-backup volume has been formatted.

After the volume has been formatted, create a folder named Shared folders in the root of the non-backup volume. Go to Properties > Security and click Advanced. Click Change Permissions and uncheck Include inheritable permissions from this object's parent. Remove the current permissions and give SYSTEM and Administrators full access to the folder.

Now let's create a shared folder for Windows update files. Go to N:\Shared folders and create a folder named WSUS. BITS (Background Intelligent Transfer Service) runs under NETWORK SERVICE, and WSUS uses its computer account to access the update files folder. Therefore right-click the WSUS folder, go to Properties > Security and, in addition to the inherited permissions, give Users read permissions, and SRV-3A and NETWORK SERVICE full access permissions. Then on the Sharing tab, click Advanced Sharing. Enter WSUSStorage as the share name. Click Permissions and give Everyone full access.

A summary of what happened on SRV-3 in the last paragraph:

Path: N:\Shared folders
  NTFS permissions: Administrators: Full access; SYSTEM: Full access
  Sharing settings: Not shared

Path: N:\Shared folders\WSUS
  NTFS permissions: Inherited permissions, and NETWORK SERVICE: Full access; iis-user: Read *; SRV-3A: Full access; Users: Read
  Sharing settings: shared as \\SRV-3\WSUSStorage; Everyone: Full control

* this will be configured later

Now the Windows update files can be stored outside the virtual machine, namely in \\SRV-3\WSUSStorage. Remember to exclude the created volume from backup if your aims are the same as mine.
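The folder and share setup above, done from an elevated PowerShell prompt on SRV-3 instead of the GUI. This is an added example, not part of the original post; it assumes the N: volume already exists, that SRV-3 is domain-joined (the domain is read from $env:USERDOMAIN), and that the iis-user account that the post creates later already exists, so its read permission is granted here rather than in a second pass. The share-level ACL is deliberately wide open (Everyone: Full control), as in the post; the NTFS ACL is what actually restricts access, which is why the verification at the end prints both.

```powershell
# Added example (not from the original post): create the non-backed-up
# share on SRV-3 with the NTFS and share permissions described above.
# Run elevated on SRV-3 after the N: volume has been formatted.
$root   = 'N:\Shared folders'
$wsus   = Join-Path $root 'WSUS'
$domain = $env:USERDOMAIN   # assumption: SRV-3 is joined to the same domain as SRV-3A

New-Item -ItemType Directory -Path $root -Force | Out-Null
New-Item -ItemType Directory -Path $wsus -Force | Out-Null

# Root folder: drop the inherited ACEs, then keep only SYSTEM and Administrators.
# (OI)(CI) = the ACE applies to files and subfolders; F = full control.
icacls $root /inheritance:r
icacls $root /grant 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F'

# WSUS folder: inheritance stays on; add the accounts the post lists.
# SRV-3A$ is the computer account of the WSUS virtual machine.
# R = read; iis-user only ever needs to read update files for IIS.
icacls $wsus /grant ($domain + '\SRV-3A$:(OI)(CI)F') `
                    'NT AUTHORITY\NETWORK SERVICE:(OI)(CI)F' `
                    'BUILTIN\Users:(OI)(CI)R' `
                    ($domain + '\iis-user:(OI)(CI)R')

# Share it as WSUSStorage. Everyone gets Full control at the share level;
# effective access is the intersection with the NTFS ACL set above.
New-SmbShare -Name 'WSUSStorage' -Path $wsus -FullAccess 'Everyone' | Out-Null

# Verify: both ACLs and the share ACL should match the post's summary table.
icacls $root
icacls $wsus
Get-SmbShareAccess -Name 'WSUSStorage'
```

If the domain name in $env:USERDOMAIN is not the one holding SRV-3A and iis-user (for example on a server with a local-admin session), replace $domain with the NetBIOS domain name explicitly.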

Install WSUS and other components

On SRV-3A, open Server Manager. Click Add roles and features and choose Windows Server Update Services. If prompted for required role services, review this and proceed. When the installation Wizard asks you for the update location (Store updates in the following location), enter \\SRV-3\WSUSStorage. If you skipped the previous section and want to store update files on the virtual machine, you can also enter a desired local path. Other than that, you can proceed with the installation wizard by using the default settings.

After the installation has succeeded, click Launch post-installation tasks. This will start the actual WSUS installation wizard. It is pretty self-explanatory, and asks questions about desired languages, products and classifications. I chose Finnish and English (because my Windows servers are in English and workstations in Finnish), all classifications except drivers, and the default product categories.

The default configuration installs the WSUS database locally on Windows Internal Database. By default the database may use as much memory as is available, which will eventually make your server run out of RAM. There are also other methods to change this setting, such as via the command prompt, but my method is to install SQL Server Management Studio and change the configuration via the GUI. Modifying the database for WSUS 4 (on Server 2012) requires SQL Server 2012 Management Studio (download here and choose ENU\x64\SQLManagementStudio_x64_ENU.exe). If your WSUS server runs on Server 2008 R2 you have WSUS 3, and you'll need SQL Server 2005 Management Studio, which you'll find here. Install the software with default settings.

After installation open SQL Server Management Studio and connect to
  • \\.\pipe\Microsoft##WID\tsql\query (Server 2012), or
  • \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query (Server 2008 R2).
Right-click the server node and choose Properties. On the Memory tab, set Maximum server memory to 1024 MB (or another value depending on your specs).
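The same memory cap applied from the command line, which the post mentions as the alternative to Management Studio. This is an added example, not from the original post; it uses the .NET SqlClient provider from PowerShell over the named pipe listed above (the np: prefix selects the named-pipe protocol), so no sqlcmd installation is needed. It assumes WSUS 4 on Windows Internal Database on Server 2012, and that it is run elevated on SRV-3A by a member of the local Administrators group, which is the account WID accepts over Windows authentication, the same as connecting in Management Studio.

```powershell
# Added example (not from the original post): cap the memory of the
# Windows Internal Database that hosts the WSUS database, then read the
# value back. Run elevated on SRV-3A.
$pipe  = '\\.\pipe\Microsoft##WID\tsql\query'   # Server 2008 R2: \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query
$maxMB = 1024                                  # same value the post sets in the GUI; adjust to your specs

$conn = New-Object System.Data.SqlClient.SqlConnection
# np: = named-pipe protocol; Integrated Security = the current Windows account
$conn.ConnectionString = "Data Source=np:$pipe;Integrated Security=True"
$conn.Open()

$cmd = $conn.CreateCommand()
# 'max server memory (MB)' is an advanced option, so expose advanced
# options first; RECONFIGURE makes each change take effect immediately.
$cmd.CommandText = @"
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'max server memory (MB)', $maxMB;
RECONFIGURE;
"@
[void]$cmd.ExecuteNonQuery()

# Read back the running value to confirm the cap is in effect.
$cmd.CommandText = "SELECT CAST(value_in_use AS int) FROM sys.configurations WHERE name = 'max server memory (MB)'"
$inUse = $cmd.ExecuteScalar()
$conn.Close()

"max server memory (MB) in use: $inUse"   # expect 1024 (or the value you chose)
```

A value of 2147483647 in the read-back means the cap was not applied and the instance is still allowed to grow to all available RAM.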

Setting maximum memory usage in SQL Server Management Studio.

TIP: If you cannot install SQL Management Studio because your computer doesn't have .NET 2.0, you can install it in Server Manager > Add features > .NET Framework 3.5 Features.

I also suggest installing Microsoft Report Viewer, which is available here.

Configure IIS

As I mentioned, storing Windows update files on a different server than WSUS is not a supported configuration. Therefore you must do this little tweak to get things working correctly. On SRV-3A, open IIS Manager, expand Sites > WSUS Administration > Content and click Basic Settings in the right pane. Change the physical path to \\SRV-3\WSUSStorage\WsusContent\.

I have a separate user account for IIS in Active Directory (iis-user) which I use to connect IIS to the file system. I suggest creating an iis-user account in Active Directory Users and Computers and granting it read permissions to the WSUSStorage share on SRV-3. Then, in the Basic Settings window on SRV-3A, click Connect as and enter the username and password of iis-user. If you click Test Settings you should see two green check marks indicating that IIS can connect to the folder where Windows update files are stored.

Basic settings of Content directory in IIS Manager.

Next we'll configure SSL. Open IIS Manager and navigate to SRV-3A > Server Certificates. Click Create Domain Certificate and fill in the appropriate details. If your domain name is example.local, I suggest choosing wsus.example.local as the common name and later creating a corresponding CNAME record using DNS Manager (Administrative Tools > DNS).

Expand Sites > WSUS Administration and click Bindings. Choose https and click Edit. Choose the newly created SSL certificate and close the window. Then expand the WSUS Administration site and, for each of ApiRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService and SimpleAuthWebService, choose SSL Settings and check Require SSL. For the rest of the virtual directories, do not enable Require SSL (clients must still be able to fetch update files from Content over plain HTTP). After this, open an elevated command prompt and run:

cd "c:\Program Files\Update Services\Tools"
WSUSUtil.exe configuressl wsus.example.local

This will return a string containing the address for client computers (for example https://wsus.example.local:8531).
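The Require SSL step for the five services, scripted with the IIS WebAdministration module and followed by a check that prints the SSL flag of every application and virtual directory under the site. This is an added example, not from the original post; it assumes Server 2012 with the WebAdministration module, that the site is named WSUS Administration as the WSUS role installs it, and that the https binding was already created in IIS Manager as described above. The check is what I'd run before WSUSUtil.exe: the five listed names must show Ssl, everything else (Content among them) must show None, and the https binding must carry a certificate hash.

```powershell
# Added example (not from the original post): require SSL on the five
# WSUS web services and verify the result. Run elevated on SRV-3A.
Import-Module WebAdministration

$site = 'WSUS Administration'
$requireSsl = 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
              'ServerSyncWebService', 'SimpleAuthWebService'

foreach ($app in $requireSsl) {
    # Equivalent of ticking "Require SSL" in SSL Settings for that application.
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site\$app" `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
}

# Verify: list every application/virtual directory under the site with its
# sslFlags. Only the five above should report RequireSsl = True.
Get-ChildItem "IIS:\Sites\$site" | ForEach-Object {
    $name  = $_.Name
    $flags = (Get-WebConfiguration -Filter 'system.webServer/security/access' `
                -PSPath "IIS:\Sites\$site\$name").sslFlags
    [pscustomobject]@{
        Name       = $name
        SslFlags   = $flags
        RequireSsl = ($flags -match 'Ssl')
        Expected   = ($requireSsl -contains $name)
    }
} | Format-Table -AutoSize

# Verify the https binding exists and is bound to a certificate.
$binding = Get-WebBinding -Name $site -Protocol https
if (-not $binding -or -not $binding.certificateHash) {
    Write-Warning "No https binding with a certificate on '$site'; fix Bindings before running WSUSUtil.exe configuressl."
} else {
    "https binding: $($binding.bindingInformation) cert $($binding.certificateHash)"
}
```

Any row where RequireSsl and Expected differ is a misconfiguration: a service that is missing SSL lets clients talk to it in the clear, and SSL on Content breaks update downloads, which is exactly the split the post describes.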

Now, open the Group Policy editor, edit a GPO and make the following configuration for the desired workstations and servers in Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update:
  • Configure Automatic Updates: Enabled
  • Specify intranet Microsoft update server location: Enabled, and enter https://wsus.example.local:8531 in both fields
This would be a good moment to restart SRV-3A.
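A client-side check to run on a workstation after the GPO has applied (gpupdate /force, or wait for the refresh). This is an added example, not from the original post; it reads the registry values the two policy settings above write (WUServer and WUStatusServer under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, and UseWUServer under its AU key), then makes an HTTPS request to the ClientWebService endpoint so that a certificate-trust or name-mismatch problem shows up before you wait for the first client report. It assumes PowerShell 3.0 or later on the client (Invoke-WebRequest), and the wsus.example.local:8531 address from the post.

```powershell
# Added example (not from the original post): confirm on a client that the
# Windows Update policy points at the HTTPS WSUS address and that the
# client trusts the server certificate. Run in an elevated prompt.
$wsusUrl = 'https://wsus.example.local:8531'   # the string WSUSUtil.exe configuressl returned

$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$pol = Get-ItemProperty $polKey          -ErrorAction SilentlyContinue
$au  = Get-ItemProperty "$polKey\AU"     -ErrorAction SilentlyContinue

# These are the values "Specify intranet Microsoft update server location"
# and "Configure Automatic Updates" write.
[pscustomobject]@{
    WUServer       = $pol.WUServer
    WUStatusServer = $pol.WUStatusServer
    UseWUServer    = $au.UseWUServer     # 1 = use the intranet server
    NoAutoUpdate   = $au.NoAutoUpdate    # 0 = automatic updates enabled
} | Format-List

$policyOk = ($pol.WUServer -eq $wsusUrl) -and ($pol.WUStatusServer -eq $wsusUrl) -and ($au.UseWUServer -eq 1)
if (-not $policyOk) {
    Write-Warning 'Policy not applied or not pointing at the HTTPS address; check GPO scope and run gpupdate /force.'
}

# TLS check against a real WSUS endpoint. Any HTTP answer (even 403/405 on a
# bare GET) means the handshake succeeded and the certificate was trusted;
# no response at all points at DNS, port 8531, or certificate trust.
try {
    $resp = Invoke-WebRequest -Uri "$wsusUrl/ClientWebService/client.asmx" -UseBasicParsing
    "TLS OK, HTTP $($resp.StatusCode)"
} catch {
    if ($_.Exception.Response) {
        "TLS OK; server answered HTTP $([int]$_.Exception.Response.StatusCode)"
    } else {
        Write-Warning "Could not reach $wsusUrl over TLS: $($_.Exception.Message)"
    }
}

# Make the client drop its cached target group and check in with WSUS now.
wuauclt.exe /resetauthorization /detectnow
```

If the TLS check fails with a trust error, the usual causes are the domain CA certificate not being in the client's Trusted Root Certification Authorities store, or the CNAME wsus.example.local not matching the common name you entered when creating the certificate.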

Finished :)

Now you can open the WSUS console on SRV-3A and start approving updates. Be patient with client computers, as it may take a little while until they first report to WSUS.
